Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting...

Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting replies to the tickets from the hackers themselves.

Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis. Earlier in October, the Internet Archive suffered from a data breach and DDoS attack.

During that breach the attackers were able to steal a user authentication database containing 31 million records.

While the Wayback Machine is almost fully functional again, in a recent turn of events the attackers have started replying to those users that have opened a support ticket with the Internet Archive.

This is one of the replies a user reported:

> “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.
> 
> As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.
> 
> Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine—your data is now in the hands of some random guy. If not me, it’d be someone else.
> 
> Here’s hoping that they’ll get their shit together now.”

An Application Programming Interface (API) token is like a special pass that allows a computer program or app to access and use services provided by another program or website. It is used as proof that the user or app has permission to access the service.

It appears as if the Internet Archive uses Zendesk to manage its support tickets. Having the Internet Archive’s Zendesk token would certainly explain why the hackers can reply to customer tickets.

Changing a Zendesk API token is not very hard, but it can have unexpected consequences, so it may require some advance planning to minimize potential disruptions. This could be why the Internet Archive may not have gotten round to it yet. But not changing API keys that would grant the attackers access to the organization’s important infrastructure like Zendesk would be a serious omission.

On October 18, 2024, Internet Archive founder Brewster Kahle, posted an update stating the stored data of the Internet Archive is safe and work on resuming services safely is in progress.

> “We’re taking a cautious, deliberate approach to rebuild and strengthen our defenses. Our priority is ensuring the Internet Archive comes online stronger and more secure.”

So far, the Internet Archive has not responded to the new developments, and the motivation for the attacks on the Internet Archive remain unclear. We’ll keep you posted.

 Internet Archive attackers email support users: &#8220;Your data is now in the hands of some random guy&#8221; 

The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry.
"Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords,

The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry.

"Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords, and secrets from the LSASS process," Ido Naor, co-founder and CEO of Israeli cybersecurity company Security Joes, said in a statement shared with The Hacker News.

"During the intrusion, the attackers continuously updated their toolset based on the security team's response. By observing the defenders' actions, they altered their strategies and tools to bypass detection and maintain persistent access to the compromised network."

The multi-stage attack, which targeted one of its clients and lasted nearly nine months this year, exhibits overlaps with an intrusion set tracked by cybersecurity vendor Sophos under the moniker Operation Crimson Palace.

Naor said the company responded to the incident four months ago, adding "these attacks are dependent upon state-sponsored decision makers. This time we suspect with high confidence that APT41 were after financial gain."

The campaign is designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses security software installed in the environment, but also harvest critical information and establish covert channels for persistent remote access.

Security Joes described APT41 as both "highly skilled and methodical," calling out its ability to mount espionage attacks as well as poison the supply chain, thereby leading to intellectual property theft and financially motivated intrusions such as ransomware and cryptocurrency mining.

The exact initial access vector used in the attack is presently unknown, but evidence veers towards it being spear-phishing emails, given the absence of active vulnerabilities in internet-facing web applications or a supply chain compromise.

"Once inside the targeted infrastructure, the attackers executed a DCSync attack, aiming to harvest password hashes of service and admin accounts to expand their access," the company said in its report. "With these credentials, they established persistence and maintained control over the network, focusing particularly on administrative and developer accounts."

The attackers are said to have methodically conducted reconnaissance and post-exploitation activities, often tweaking its toolset in response to the steps taken to counter the threat and escalate their privileges with the end goal of downloading and executing additional payloads.

Some of the techniques used to realize their goals include Phantom DLL Hijacking and the use of the legitimate wmic.exe utility, not to mention abusing their access to service accounts with administrator privileges to trigger the execution.

The next-stage is a malicious DLL file named TSVIPSrv.dll that's retrieved over the SMB protocol, following which the payload establishes contact with a hard-coded command-and-control (C2) server.

"If the hardcoded C2 fails, the implant attempts to update its C2 information by scraping GitHub users using the following URL: github\[.\]com/search?o=desc&q=pointers&s=joined&type=Users&."

"The malware parses the HTML returned from the GitHub query, searching for sequences of capitalized words separated only by spaces. It collects eight of those words, then extracts only the capital letters between A and P. This process generates an 8-character string, which encodes the IP address of the new C2 server that will be used in the attack."

The initial contact with the C2 server paves the way for profiling the infected system and fetching more malware to be executed via a socket connection.

Security Joes said that the threat actors went silent for several weeks after their activities were detected, but eventually returned with a revamped approach to execute heavily obfuscated JavaScript code present within a modified version of an XSL file ("texttable.xsl") using the LOLBIN wmic.exe.

"Once the command WMIC.exe MEMORYCHIP GET is launched, it indirectly loads the texttable.xsl file to format the output, forcing the execution of the malicious JavaScript code injected by the attacker," the researchers explained.

The JavaScript, for its part, serves as a downloader that uses the domain time.qnapntp\[.\]com as a C2 server to retrieve a follow-on payload that fingerprints the machine and sends the information back to the server, subject to certain filtering criteria that likely serves to target only those machines that are of interest to the threat actor.

"What really stands out in the code is the deliberate targeting of machines with IP addresses containing the substring '10.20.22,'" the researchers said. "

"This highlights which specific devices are valuable to the attacker, namely those in the subnets 10.20.22\[0-9\].\[0-255\]. By correlating this information with network logs and the IP addresses of the devices where the file was found, we concluded that the attacker was using this filtering mechanism to ensure only devices within the VPN subnet were affected."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain

Paxton Net2 versions prior to 6.07.14023.5015 (SR4) suffers from a bypass vulnerability that allows for unauthorized enabling of the API.

CloudAware Security Advisory

CVE-2024-48939: Unauthorized enabling of API in Paxton Net2 software

========================================================================  
Summary  
========================================================================  
Bypass of Paxton Net2 API license. Possible leaking of PII and access to   
admin functionality.  
No physical access to computer running Paxton Net2 is required.

========================================================================  
Product  
========================================================================  
* Paxton Net2  (version < 6.07.14023.5015 (SR4))

========================================================================  
Detailed description  
========================================================================  
Paxton Net2 software offers an API. This API offers the user access to   
sensitive data such as access logs and other  
user data.[2]  
In order to enable the API a license file is needed. The license file is   
trivial to generate as demonstrated in POC in ref [1].  
This is possible while the signature checks in the Net2 software were   
not functional for the license file.  
Additionally to the license file user credentials are needed to   
authenticate against the API.  
The vendor has fixed this in version 6.07.14023.5015 (SR4) of the Net2   
software.

========================================================================  
Solution  
========================================================================  
Upgrade Paxton Net2 to version 6.07.14023.5015 (SR4)

========================================================================  
Mitigation  
========================================================================  
1) If an upgrade is not an option - as `anyone' can create valid license   
files; ensure that the filesystem of  
computers running Paxton Net2 are not reachable by unauthorised entities.  
2) Evaluate the impact of the disclosure of any configurations rolled   
out prior to these mitigation steps

========================================================================  
Weblinks  
========================================================================  
[1] https://github.com/gitaware/poc_exploit_paxton_license  
[2]   
https://www.paxton-access.com/integrating-with-paxton/how-to-integrate-with-net2/integration-capability-matrix/

========================================================================  
History  
========================================================================  
Feb 26, 2024: Paxton informed about working POC  
Feb 29, 2024: Paxton confirms working POC  
<Sept 2024: Paxton releases software update to fix issue  
Oct 10, 2024: CVE-2024-48939 issued

Paxton Net2 API License Bypass

Helper is an enumerator written in PHP that helps identify directories on webservers that could be targets for things like cross site scripting, local file inclusion, remote shell upload, and remote SQL injection vulnerabilities.

Helper 0.1

Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \app\backend\controller\auth\Auth.php.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-7pp4-388x-2xqj: SQL injection in funadmin

Pentest Checklists Are More Important Than Ever
Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization’s attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically

Penetration Testing / API Security

****Pentest Checklists Are More Important Than Ever****

Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization's attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically uncover vulnerabilities in various assets like networks, applications, APIs, and systems. They ensure no critical area is overlooked and guide the testing process, making it more efficient and effective at identifying security weaknesses that could be exploited by attackers. A pentest checklist essentially leaves no stone unturned and is a detailed and comprehensive list of every type of vulnerability in which to simulate an attack against.

Each asset being tested, however, requires a different pentest checklist tailored to its specific characteristics and risks. For example, a checklist for pentesting web applications – which remains one of the top targets by malicious actors - will be quite lengthy but encompasses vulnerabilities that are unique to external-facing apps. These specialized checklists are a litmus test to ensure that security measures are evaluated, assesses for effectiveness, depending on the asset, and make overall testing more targeted and relevant to each environment.

BreachLock recently introduced a comprehensive guide that includes detailed pentest checklists of the primary stages involved in pentesting using various frameworks such as OWASP Top 10 and OWAS ASVS across every asset and all respective associated vulnerabilities for the following:

*   **Network –** A pentest checklist for a Black Box external network testing including information gather, vulnerability scanning and enumeration, generic security findings, and service-based testing.
*   **Web Applications**. A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **APIs –** A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **Mobile -** A pentest checklist for Gray Box testing including static analysis, dynamic analysis, and network analysis.
*   **Wireless** – An abbreviated pentest checklist including identification of wireless network (SSID), unauthorized access to wireless networks, access security controls, and rogue access point detection
*   **Social Engineering**\- Aa abbreviated pentest checklist including phishing attacks, pretexting and impersonation, USB drops, and physical penetration.

This is a summary of why pentest checklists are important including an overview of a general pentest checklist. A complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets, can be accessed here.

****Overview of Pentesting Delivery Models****

Penetration testing has become one of the most effective offensive security measures to identify and assess vulnerabilities across both internal and external attack surfaces. Traditional pentesting methods have certainly evolved and penetration testing services are now widely used to help fortify an organization's security posture.

Pentesting is carried out by certified security experts who simulate real-world attacks to identify vulnerabilities for assessment and mitigation within a specific scope. These tests are based on detailed pentest checklists that are tailored by asset (e.g., web applications, network, APIs, etc.) and act as a guide for the pentest checklist process, ensuring standardized frameworks are used and testing adheres to applicable compliance requirements.

To better understanding pentesting, below are the varied methods used for penetration testing that lie in the delivery model, scalability, and frequency of testing, followed by pentest checklists by asset type.

****Delivery Models****

1.  **Traditional Penetration Testing:** Typically performed manually by a team of certified pentesting experts over a fixed period (often a few days or weeks). The engagement is project-based with a final report delivered upon completion of testing.
    *   **Frequency:** Usually performed on a periodic basis, such as annually or semi-annually, as part of compliance requirements or security audits.
    *   **Scalability:** Limited in scalability due to the manual effort required by human testers and the one-off nature of the engagement.
    *   **Advantage:** Deep analysis, thorough testing tailored to specific security requirements, and direct engagement with pentest experts.
    *   **Challenges:** Fixed time frame and limited scope of assessment, which can leave gaps between tests.
2.  **Penetration Testing as a Service (PTaaS):** PTaaS is a cloud-based model that offers ongoing penetration testing services, often integrated with platforms that provide real-time reporting and collaboration. It combines automated tools with human-led expertise.
    *   **Frequency:** A more proactive approach that allows for continuous or more frequent approach to detecting and updating vulnerabilities as they emerge, .
    *   **Scalability:** Highly scalable, as it leverages automation, cloud infrastructure, and hybrid models (automated testing with human validation), enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Scalable, on-demand accessibility, hybrid efficiency, convenience, provides real-time insights, and allows for ongoing security testing.
3.  **Automated or Continuous Penetration Testing:** Uses automation to continuously monitor and test systems for vulnerabilities and is often integrated with tools that run periodic scans.
    *   **Frequency:** Provides ongoing or continuous assessments rather than periodic tests. Can be used for ongoing pentesting to validate security measure and/or to uncover new vulnerabilities as they emerge.
    *   **Scalability:** Highly scalable, as it leverages automation enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Efficient for frequent testing of repetitive tasks or enterprises in high computing environments, cost-effective, and ideal for covering large attack surfaces and complex IT infrastructures.
    *   **Challenges:** Limited in identifying complex vulnerabilities and unique attack paths that require human intuition.
4.  **Human-led Penetration Testing:** A manual and well-scoped process where certified pentest experts simulate realistic attack scenarios and TTPs, focusing on complex vulnerabilities that automated tools may miss.
    *   **Frequency:** Relies on a human-driven approach whereby certified pentest experts explore potential attack vectors. Frequency is usually project-led and periodic.
    *   **Scalability:** Highly customized to the enterprise's unique environment and assets. However, limited scalability due to the manual effort required by human testers
    *   **Advantage:** In-depth analysis, greater flexibility, and a high success rate in discovering sophisticated vulnerabilities.
    *   **Challenges:** Can be more time-consuming and costly than automated methods.

****Pentest Checklists Across Your Attack Surfaces********High-Level Pentest Checklist****

Creating a detailed pentest checklist is essential for performing thorough and effective security assessments. This first checklist is a general but expanded checklist that offers a structure approach to ensure both enterprises and CREST-certified pentest experts cover all critical areas in evaluating cybersecurity defenses.

1.  **Set Clear Objectives and Define Scope**
    *   **Clarify Goals:** Set concise objectives of the pentest engagement, such as identifying weaknesses for specific assets, compliance or security audit, or post-incident reconnaissance.
    *   **Define Scope:** Specify the systems, networks, and applications that will be tested, including the type of testing (e.g., black box, white box, gray box) for each asset.
    *   **Establish Boundaries:** Set parameters to avoid disrupting operations, such as not testing certain assets or limiting tests to outside business hours.
2.  **Assemble Penetration Testing Team**
    *   **Build a Skilled Team:** Include certified professionals with diverse expertise, such as network, application security, or social engineering specialists.
    *   **Check Credentials:** Ensure pentest experts have relevant certifications like CREST, OSCP, OSWE, CEH, or CISSP, along with hands-on experience.
3.  **Obtain Necessary Approvals**
    *   **Get Formal Authorization:** Secure written consent from stakeholders detailing and agreeing upon scope, objectives, and limitations of the test to ensure legal compliance.
    *   **Document Process:** Record all stages of the approval process, including discussions and any agreed-upon conditions. If using a third-party pentesting provider, the scope and process should be documented and signed off on.
4.  **Information Gathering**
    *   **Analyze Targets:** Gather comprehensive information about the infrastructure, including hardware, software, network design, and configurations.
    *   **Use OSINT:** Apply open-source intelligence techniques to gather additional insights into the enterprise's online presence and potential weak points.
5.  **Generating a Pentest Roadmap**
    *   **Attack Surface Management:** Run automated scans using tools such as Nessus or OpenVAS to identify vulnerabilities, focusing on identifying issues without manual input to create a preliminary roadmap for penetration testing.
    *   **Validate Findings:** Results from these scans can be validated to rule out false positives, understand the real context and impact of each potential vulnerability, and categorize by severity to provide a clear roadmap for penetration testing.
6.  **Create a Threat Model**
    *   **Identify Potential Threats:** Review recent attacks and TTPs, consider likely attackers - from random hackers to more targeted - likely attack paths, sophisticated entities, and their motivations.
    *   **Map Attack Vectors:** Prioritize the possible ways an attacker could breach an enterprise based on its environment and the current threat landscape.
7.  **Simulate Attacks**
    *   **Follow a Structure Approach:** Conduct attacks systematically, attempting to exploit weaknesses, bypass controls, and gain higher privileges where possible.
    *   **Adhere to Ethical Standards:** Ensure testing is conducted by certified experts, following standardized frameworks and compliance standards, to minimize risks to systems and data.
8.  **Gather Data and Analyze Results**
    *   **Capture Evidence:** Collect thorough evidence for each attack, such as proof of concepts (POCs) via screenshots, potential attack paths for each domain and associated subdomains and IPs.
    *   **Assess Impact:** Evaluate the consequences or impact of each vulnerability, including potential data breaches, system compromise, and operational disruption and prioritize findings by risk severity and potential impact.
9.  **Prepare and Deliver Reports**
    *   **Document Findings:** Provide a detailed report on each vulnerability and technical descriptions, POCs, risk severity, potential impact, and remediation recommendations.
    *   **Prioritization:** Penetration testing or PTaaS providers will work with enterprises to rank vulnerabilities based on risk and develop a plan for remediation in line with available resources.
10.  **Support Remediation Efforts**
    *   **Actionable Mitigation:** Present clear recommendations on how to mitigate each issue based on severity and impact.
    *   **Retesting:** Verify effectiveness of remediation by conducting follow-up pentest to ensure issues have been resolved.
11.  **Communicate with Stakeholders**
    *   **Present Results:** Share findings by providing story of impact if no action is taken. This is a much more effective strategy then providing a laundry list of vulnerabilities. Summarize key risks and actions for non-technical stakeholders.
    *   **Foster Dialogue:** Engage in discussions to address any concerns or questions about reporting and remediation efforts.

****Conclusion****

Pentest checklists serve pentest experts and their organizations by ensuring a consistent, comprehensive, and systematic approach to identifying security vulnerabilities. A pentest checklist leaves no stone unturned and facilitates better communication between pentesters and stakeholders. They provide a clear outline of what will be tested, evaluated, and how the findings will be assessed. This transparency helps enterprises understand their security posture and to make more informed decisions about improvements.

Pentest checklists are not only effective in identifying vulnerabilities but ensure a systematic approach, using the best practices, tools, and frameworks, for penetration testing. They benefit pentesters by providing assurances to their organization and stakeholders that they are taking meaningful steps to protect their assets. Pentest checklists are a security blanket for any organization conducting penetration testing as a Service.

For more detailed pentest checklists, click here for the complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Guide:  The Ultimate Pentest Checklist for Full-Stack Security

Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Cybersecurity / Weekly Recap

Hi there! Here's your quick update on the latest in cybersecurity.

Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.

Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date.

In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe.

Let's get started!

****⚡ Threat of the Week****

**China Calls Volt Typhoon an Invention of the U.S.:** China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a "large-scale global internet surveillance network."

****‎️‍Trending CVEs****

CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164

****🔔 Top News****

*   **Apple macOS Flaw Bypasses Privacy Controls in Safari Browser:** Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
*   **Legitimate Red Team Tool Abuse in Real-World Attacks:** Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
*   **TrickMo Can Now Steal Android PINs:** Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device's unlock pattern or PIN by presenting to victims' a bogus web page that mimics the device's actual unlock screen.
*   **FIDO Alliance Debuts New Specs for Passkey Transfer:** One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it's impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
*   **Hijack Loader Uses Legitimate Code-Signing Certificates:** Malware campaigns are now leveraging a loader family called Hijack Loader that's signed legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

****📰 Around the Cyber World****

*   **Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days:** Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
*   **87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113:** About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
*   **Researchers Outline Early Cascade Injection:** Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction."
*   **ESET Israeli Partner Breached to Deliver Wiper Malware:** In a new campaign, threat actors infiltrated cybersecurity company ESET's partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding it was not compromised as a result of the incident.
*   **Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges:** Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it's focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it's using Chrome's accessibility APIs to find security bugs. "We're now 'fuzzing' that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash," Chrome's Adrian Taylor said.

**Cybersecurity Resources & Insights****LIVE Webinars**

**1.** **DSPM Decoded: Learn How Global-e Transformed Their Data Defense**: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this can't-miss webinar, Global-e's CISO breaks down:

*   The exact steps that transformed their data security overnight
*   Insider tricks to implement DSPM with minimal disruption
*   The roadmap that slashed security incidents by 70%

**2.** **Identity Theft 2.0: Defending Against LUCR-3's Advanced Attacks**: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?

Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he:

*   Decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets
*   Unveils the Achilles' heel in your cloud defenses you never knew existed
*   Arms you with the counterpunch that leaves LUCR-3 reeling

This isn't a webinar. It's your war room strategy session against the internet's most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3's next trophy.

**Cybersecurity Tools**

*   **Vulnhuntr****: AI-Powered Open-Source Bug Hunting Tool —** What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.

**Tip of the Week**

**Secure Your Accounts with Hardware Security Key:** For advanced protection, hardware security keys like YubiKey are a game-changer. But here's how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you're never locked out, even if one key is lost. Also, enable "FIDO2/WebAuthn" protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It's security that's physical, smart, and almost foolproof.

****Conclusion****

That's the roundup for this week's cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don't forget, cybersecurity isn't just for the IT team; it's everyone's responsibility. We'll be back next week with more insights and tips to help you stay ahead of the curve.

Stay vigilant, and we'll see you next Monday!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

A new document shows the Department of Homeland Security is concerned that Chinese investment in lithium batteries to power energy grids will make them a threat to US supply chain security.

Analysts at the US Department of Homeland Security shared an internal report to local agencies in August, warning them about the economic risks of using Chinese utility storage batteries. It warns that the dependence on Chinese batteries could hurt developing a secure supply chain in the US.

The document, first obtained by national security transparency nonprofit Property of the People and seen by WIRED, accuses Chinese companies of “using People’s Republic of China state support to quickly and cheaply enter the emerging US utility battery energy storage industry and create supply chain dependencies on China,” and asks that any suspicious activity be reported.

Specifically, the report alleges three companies—Contemporary Amperex Technology Co. Limited (CATL), Build Your Dreams (BYD), and Ruipu Energy Co. Ltd. (REPT)—have “benefited from the various forms of state support and leveraged this to further business strategies for gaining US market share.”

Currently, CATL and BYD lead the global energy storage battery market by far, with 40 percent and 12 percent market shares, respectively, according to South Korean energy research firm SNE Research. Eight out of the 10 top companies in the industry are from China, so there are few alternatives to turn to when building grid storage.

The report says it builds on previous documents that analyzed Chinese “state-supported firms’ use of noncompetitive tactics in the electric vehicle and battery supply chains.” DHS did not respond to a request for further comment.

In 2022, CATL entered a deal with Primergy Solar to build the largest US solar and storage project in Nevada, which came online this year. Its battery products have also been used by Duke Energy, a North Carolina–based utility company, although the latter dropped CATL as a supplier for marine base electricity storage after concerns around national security were raised by, in part, lawmakers in Washington.

In an emailed statement, Fred Zhang, a CATL spokesperson, rejects the categorization that the firm has relied on state support to gain an edge. “CATL has achieved tremendous growth through continuous innovation, farsighted strategic planning, and a commitment to high-quality products at a reasonable cost,” the statement says.

BYD and REPT did not reply to WIRED’s request for comment.

Following efforts to curb Chinese EV companies’ competitiveness, the US government is now also concerned about how domestic utility companies could become too dependent on Chinese batteries for energy storage.

The US government has in recent years started to catch up in the battery industry. The Inflation Reduction Act and the Bipartisan Infrastructure Bill set out investment tax credits and other economic incentives to build up energy storage capacity in the country. In September it awarded another $3 billion in incentives to projects that boost domestic production of batteries.

These incentives are also the focus of the DHS report, which alleges that Chinese-based firms are targeting US incentives to further grow their market share. “BYD’s public website as of spring 2023 highlighted how US state incentives can make BYD utility storage systems an attractive investment,” the report claims. (WIRED was unable to find the BYD website referenced in the report.)

The CATL spokesperson says the company “does not receive any US federal or state incentives.”

As the US utility grids incorporate more renewable energy sources like solar and wind, it’s essential to build up a battery storage capacity that can store intermittent energy supply for times of heightened demand. And Chinese companies have dominated the global industry of producing lithium batteries for this job. These companies make over 80 percent of the EV battery cells in the world, and they had plans to invest another $2 trillion in 2023 into new production capacities inside and outside the country.

“Chinese original equipment manufacturers currently supply about 90 percent of the energy storage system batteries, actually a larger share than for EVs,” says Vanessa Witte, a senior research analyst at Wood Mackenzie who focuses on US energy storage. “There is a huge oversupply right now, partly due to softening EV demand, along with a number of Tier 2 and Tier 3 OEMs that have started new manufacturing facilities. The excess supply is a big reason the prices are so low.”

These batteries are essential for global energy transition, and Chinese battery companies see them as an opportunity to widen their product markets. They’ve become such an important industry that the Chinese central government emphasized their importance for the first time in its annual government report in March.

The battery supply chain has also emerged as one of the top economic and security concerns around China in the eyes of the US government. The Biden administration has so far raised a 25 percent tariff on Chinese-made lithium-ion EV batteries (and even higher for the EVs they power.) The government has also repeatedly sounded alarms about the national security threats of having Chinese-made equipment and parts in domestic infrastructure.

So far, the particular conversations around energy storage batteries have mostly surrounded cybersecurity, worried that the components could contain backdoor access for hacking like those that have been suspected in Chinese-made port cranes. Those concerns are “a bit overstated,” Witte says. “There haven’t been any incidents that would lend one to believe the battery management system is sending data to China or could disrupt our infrastructure.”

There have been several political efforts to restrict the use of Chinese-made batteries in the US. The pentagon will be the first to be banned from buying batteries from six Chinese companies, in an order which will become effective in 2027, but some congressmembers are still asking for CATL and other Chinese companies to be added to trade blacklists, and there’s a bill in Congress that would ban DHS from procuring Chinese batteries.

But the DHS report shows that the government is also looking at whether the dominance of Chinese batteries can be an economic issue.

“It is simplistic to see this as just unfair competition due to Chinese government support, as a lot of what China did, such as creating demand for batteries through EV subsidies, is not unlike what we see in the West today,” says Yayoi Sekine, head of energy storage research at BloombergNEF.

The pricing advantage that Chinese battery companies have are also the results of harsh market competition and a more established battery supply chain in China, she says, and these battery companies are willing to squeeze their own margins in exchange for keeping their market shares. “We think the US government's attempts to support a healthy battery industry domestically has been incredibly generous through the incentives in the Inflation Reduction Act and the Bipartisan Infrastructure Law,” says Sekine, “but it may still be challenging to compete on cost.”

US Government Says Relying on Chinese Lithium Batteries Is Too Risky

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS.…

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS. This botnet, which utilizes Mirai botnet source code and advanced techniques, poses a growing and global threat.

NSFOCUS Global Threat Hunting System has detected a new cybersecurity threat: The Gorilla Botnet. In September 2024, this botnet launched a massive series of distributed denial-of-service attacks (DDoS attacks), targeting over 300,000 targets in over 100 countries.

According to NSFOCUS, a renowned Chinese company specializing in application security, Gorilla Botnet is inspired by the infamous **Mirai botnet** and has become a major concern due to its wide reach and stealth capabilities. Gorilla Botnetleverages a network of compromised IoT devices like an army to launch large-scale DDoS attacks. These attacks flood targeted systems with traffic, crippling their access to users.

What makes Gorilla Botnet particularly dangerous is its use of encryption to obscure key data, ensuring long-term control over compromised devices and supporting various CPU architectures, making it compatible with a wide range of devices.

Gorilla Botnet uses a distributed C&C network to manage its operations and offers a variety of DDoS attack methods, including UDP Flood, ACK Bypass Flood, and VSE Flood. Additionally, it utilizes connectionless protocols like UDP to spoof IP addresses and further hide its origin.  

****Global Reach and Impact****

Since September 2024, when its activity was first detected, Gorilla has wasted no time making its mark. In just a month, the botnet unleashed over 300,000 attack commands, averaging a whopping 20,000 per day.

This series of attacks targeted over 100 countries, including economic powerhouses like:

*   **China**
*   **Canada**
*   **Germany**
*   **United States**

Additionally, critical infrastructure including universities, government websites, telecoms, banks, and gaming platforms, fell victim to these attacks.  

****Advanced Capabilities****

According to NSFOCUS’s **report**, Gorilla Botnet’s sophistication goes beyond its attack methods. The malware incorporates encryption algorithms commonly **used** by the notorious **Keksec** hacking group, making it difficult to detect/analyze.

The botnet also shows a strong focus on persistence. By exploiting vulnerabilities like the Apache Hadoop YARN RPC flaw and installing services that automatically execute on system startup, Gorilla becomes a stubborn opponent to eradicate.   

Organizations should strengthen their cybersecurity to address the growing threat of the Gorilla Botnet. Firewalls help block suspicious traffic, while intrusion detection systems (IDS) can spot unusual activity and alert security teams. Using cloud-based **DDoS protection** can also help reduce high-volume attacks, minimizing downtime for critical systems.

1.  Goldoon Botnet Hit D-Link Devices by Exploiting 9-Year-Old Flaw
2.   Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks
4.  Mirai-like Botnet Hits Zyxel NAS Devices in Europe for DDoS Attacks
5.  US Charges Duo Behind Anonymous Sudan for 35,000 DDoS Attacks

Tag

#web