Companies and organizations need to recognize the importance of investing in engineers who possess both the soft and hard skills required to secure open source software effectively.

Source: Yury Zap via Alamy Stock Photo

COMMENTARY

Open source security incidents aren't going away. The reliance on open source software (OSS) increases year-over-year, with more than 95% of all software, including open source, in some capacity. From operating systems to critical libraries to Web applications and more, open source software (OSS) plays a pivotal role in the current technology landscape. However, this widespread reliance introduces significant security risks. As the use of OSS continues to evolve, so does the importance of securing it. This responsibility falls not on individual hobbyist developers, but on the companies and organizations that have the resources to dedicate engineers specifically to open source security. These organizations are the ones that benefit the most from open source and should be the ones who contribute the most back.  

**Essential Skills for Open Source Security Developers**

Securing open source is similar to securing closed source, but many of the skills required are of higher importance for open source, due to various factors. Open source is public and tends to have broader adoption than much closed source software. A closed source tool with a security vulnerability used by a handful of customers is going to have a very different impact than something like OpenSSH having a vulnerability, given its use on millions of servers worldwide. 

I hope this doesn't come as a surprise, but the most important open source skills to have are soft skills. Most software development time is spent doing things other than actually writing code. Here are a few key skills:  

*   Public collaboration: Open source projects are inherently collaborative and involve contributors from around the globe. Effective communication ensures that security practices are understood and implemented correctly. 
    

*   Preventing miscommunication: Many security bugs arise from misunderstandings. Clear documentation and open dialogues can prevent these issues from occurring. 
    

*   Proactive approach: Keeping security at the forefront of daily tasks helps in early detection of potential vulnerabilities. 
    

*   Continuous vigilance: A security-first mindset encourages constant evaluation of code for potential risks. 
    

*   Responsibility: Treating open source projects with the same seriousness as closed source commercial projects ensures higher security standards. 
    

*   Accountability: Developers who feel a sense of ownership are more likely to produce secure and reliable code. 
    

Just because soft skills are more important than hard skills for software development doesn't mean those hard skills are irrelevant. They are still important, and a few of them in particular are of focused importance for open source security. The open source community gets the benefit of a project being public, enabling the community to come together to secure the project with experts in different areas providing their expertise. However, with open source being public, it also exposes projects to malicious actors, like we saw in the XZ compromise, where a bad actor maintainer contributed innocuous-looking, but ultimately malicious, code. This is why software engineers focused on open source security need to be vigilant and experienced to know what to look for when they get contributions from anonymous developers. Here are some of the skills that are important: 

1.  Security Engineering and Threat Modeling 
    

*   Understanding attack vectors: Knowledge of how vulnerabilities are exploited is crucial. 
    

*   Techniques like STRIDE: Familiarity with threat modeling methodologies helps in identifying and mitigating risks. 
    

*   Common vulnerabilities: Awareness of issues like SQL injection, cross-site scripting (XSS), and buffer overflows is essential. 
    

*   Language-specific vulnerabilities: Each programming language has its own set of security concerns. This is especially important for languages and ecosystems that don't have built-in memory safety mechanisms. 
    

*   Ecosystem proficiency: Knowledge of the packaging ecosystem like PyPI, npm, etc., and how software is developed in that ecosystem is important to understand external risks to the project like upstream dependencies. You can write perfectly safe code and include a vulnerable or malicious dependency and ship insecure software. Knowing when to include a dependency and when it's better to write the functionality yourself is very important as well. 
    

*   Build pipelines: Incorporating security checks into continuous integration and deployment processes ensures ongoing security. Open source developers wear multiple hats and need to understand and secure the continuous integration flow. The artificial intelligence (AI) analog would be the training pipeline. 
    

*   Contextual awareness: Understanding how software will be used by consumers helps in identifying potential security flaws. 
    

*   Automated testing: Implementing tools that automatically scan for vulnerabilities can catch issues early. 
    

*   Comprehensive test coverage: Ensuring that all parts of the code are tested reduces the risk of overlooked vulnerabilities. 
    

As the reliance on open source software continues to grow, so does the necessity for open source developers focused on security. This need is becoming even more critical with the rise of open source AI projects. Open source AI introduces new layers of complexity and opacity due to massive datasets and the probabilistic nature of trained models. The sheer volume of data and the intricacies of machine learning algorithms make it challenging to identify vulnerabilities and predict how models might behave in unforeseen circumstances. 

The "black box" aspect of AI models means that even the developers may not fully understand how inputs are being processed to produce outputs. This opacity can be exploited, leading to security breaches such as data poisoning, adversarial attacks, and unintended bias. Therefore, securing open source AI requires specialized skills and a deep understanding of both AI technologies and security principles. 

Companies and organizations must recognize the importance of investing in engineers who possess both the soft and hard skills required to secure open source software effectively, especially in the rapidly evolving field of AI. By fostering these skills, we can enhance the security of open source projects, benefiting individual organizations and the global community that relies on them. 

**About the Author**

Co-Founder & Chief Technology Officer, Kusari

Michael Lieberman is co-founder and chief technology officer (CTO) of Kusari, where he helps build transparency and security in the software supply chain. He has extensive engineering and architecture expertise with an emphasis on cloud-native technologies and security and privacy use cases. Prior to Kusari, he held engineering leadership positions with Citi, Mitsubishi UFJ Financial Group (MUFG), and Bridgewater Associates. Michael is an active member of the open source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture white paper. He is also co-chair of the Cloud Native Computing Foundation Financial Services User Group and an OpenSSF TAC and SLSA steering committee member.

Open Source Security Incidents Aren't Going Away

Bitcoin Fog operator sentenced to 12.5 years for laundering $400M in crypto. The dark web’s longest-running mixer processed…

Bitcoin Fog operator sentenced to 12.5 years for laundering $400M in crypto. The dark web’s longest-running mixer processed 1.2M bitcoin tied to illegal activities over 10 years.

Roman Sterlingov, a 36-year-old dual Russian-Swedish national, has been sentenced to 12 years and six months in prison for operating Bitcoin Fog, the longest-running cryptocurrency “mixer” on the **dark web**.

****The Bitcoin Fog Operation****

Between 2011 and 2021, Sterlingov’s Bitcoin Fog processed over 1.2 million Bitcoin transactions, valued at approximately $400 million at the time of the transactions. The majority of these transactions originated from **dark web marketplaces** and were linked to illicit activities such as narcotics trafficking, computer crimes, identity theft, and child sexual abuse material.

Bitcoin Fog’s clearnet site (Screenshot: Hackread.com)

****The Investigation and Prosecution****

Sterlingov’s operation was brought to an end in March 2024, when a jury found him guilty of money laundering conspiracy, money laundering, operating an unlicensed money transmitting business, and money transmission without a license in the District of Columbia.

The investigation, led by the IRS-CI District of Columbia Cyber Crime Unit and the FBI Washington Field Office, involved collaboration with international authorities, including those from Japan, Sweden, Denmark, Romania, and the UK, as well as Europol.

In addition to his prison sentence, Sterlingov has been ordered to pay a forfeiture money judgment of $395,563,025.39 ($395.56 million) and to forfeit seized cryptocurrencies and monetary assets valued at approximately $1.76 million. He will also forfeit his interest in the Bitcoin Fog wallet, which contains approximately 1,345 Bitcoins, currently valued at over $103 million.

“Through his illicit money laundering operation, Sterlingov helped criminals launder proceeds of drug trafficking, computer crime, identity theft, and the sexual exploitation of children,” **said** Principal Deputy Assistant Attorney General Nicole M. Argentieri.

While cybercriminals and money launderers have become increasingly sophisticated at using **advanced anonymization techniques** to conceal their operations, this case also highlights law enforcement’s enhanced capability to track and prosecute cryptocurrency-based money laundering.

1.  **United States Blacklists Tornado Cash**
2.  **Feds Bust Samourai Wallet Over BTC Money Laundering**
3.  **Major Dark Web Marketplace “Nemesis Market” BUSTED**
4.  **Crypto tumbler BestMixer.io seized for money laundering**
5.  **US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group**

Bitcoin Fog Operator Gets 12.5 Years for Longest-Running Bitcoin Laundering

A list of topics we covered in the week of November 4 to November 10 of 2024

November 8, 2024 - The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While...

November 7, 2024 - Consumer group Which? found privacy issues in connected air fryers. How smart do we want and need our appliances to be?

November 7, 2024 - We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

November 6, 2024 - Consumers are being swamped by Google ads claiming to be eBay's customer service.

November 6, 2024 - Small businesses have the same security problems as big corporations, but not the budget or staff to match. Here are some tips to help.

 A week in security (November 4 &#8211; November 10) 

The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.

The **Federal Bureau of Investigation** (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.

In an alert (PDF) published this week, the FBI said it has seen un uptick in postings on criminal forums regarding the process of emergency data requests (EDRs) and the sale of email credentials stolen from police departments and government agencies.

“Cybercriminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” the FBI warned.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about an account at a technology provider — such as the account’s email address, or what Internet addresses a specific cell phone account has used in the past — they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted (eventually, and at least in part) as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

In some cases, a cybercriminal will offer to forge a court-approved subpoena and send that through a hacked police or government email account. But increasingly, thieves are relying on fake EDRs, which allow investigators to attest that people will be bodily harmed or killed unless a request for account data is granted expeditiously.

The trouble is, these EDRs largely bypass any official review and do not require the requester to supply any court-approved documents. Also, it is difficult for a company that receives one of these EDRs to immediately determine whether it is legitimate.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

Perhaps unsurprisingly, compliance with such requests tends to be extremely high. For example, in its most recent transparency report (PDF) **Verizon** said it received more than 127,000 law enforcement demands for customer data in the second half of 2023 — including more than 36,000 EDRs — and that the company provided records in response to approximately 90 percent of requests.

One English-speaking cybercriminal who goes by the nicknames “**Pwnstar**” and “**Pwnipotent**” has been selling fake EDR services on both Russian-language and English cybercrime forums. Their prices range from $1,000 to $3,000 per successful request, and they claim to control “gov emails from over 25 countries,” including Argentina, Bangladesh, Brazil, Bolivia, Dominican Republic, Hungary, India, Kenya, Jordan, Lebanon, Laos, Malaysia, Mexico, Morocco, Nigeria, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Tunisia, Turkey, United Arab Emirates (UAE), and Vietnam.

“I cannot 100% guarantee every order will go through,” Pwnstar explained. “This is social engineering at the highest level and there will be failed attempts at times. Don’t be discouraged. You can use escrow and I give full refund back if EDR doesn’t go through and you don’t receive your information.”

An ad from Pwnstar for fake EDR services.

A review of EDR vendors across many cybercrime forums shows that some fake EDR vendors sell the ability to send phony police requests to specific social media platforms, including forged court-approved documents. Others simply sell access to hacked government or police email accounts, and leave it up to the buyer to forge any needed documents.

“When you get account, it’s yours, your account, your liability,” reads an ad in October on **BreachForums**. “Unlimited Emergency Data Requests. Once Paid, the Logins are completely Yours. Reset as you please. You would need to Forge Documents to Successfully Emergency Data Request.”

Still other fake EDR service vendors claim to sell hacked or fraudulently created accounts on **Kodex**, a startup that aims to help tech companies do a better job screening out phony law enforcement data requests. Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, with an eye toward making it easier for everyone to spot an unauthorized EDR.

If police or government officials wish to request records regarding Coinbase customers, for example, they must first register an account on Kodexglobal.com. Kodex’s systems then assign that requestor a score or credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.

It is not uncommon to see fake EDR vendors claim the ability to send data requests through Kodex, with some even sharing redacted screenshots of police accounts at Kodex.

**Matt Donahue** is the former FBI agent who founded Kodex in 2021. Donahue said just because someone can use a legitimate police department or government email to create a Kodex account doesn’t mean that user will be able to send anything. Donahue said even if one customer gets a fake request, Kodex is able to prevent the same thing from happening to another.

Kodex told KrebsOnSecurity that over the past 12 months it has processed a total of 1,597 EDRs, and that 485 of those requests (~30 percent) failed a second-level verification. Kodex reports it has suspended nearly 4,000 law enforcement users in the past year, including:

\-1,521 from the Asia-Pacific region;  
\-1,290 requests from Europe, the Middle East and Asia;  
\-460 from police departments and agencies in the United States;  
\-385 from entities in Latin America, and;  
\-285 from Brazil.

Donahue said 60 technology companies are now routing all law enforcement data requests through Kodex, including an increasing number of financial institutions and cryptocurrency platforms. He said one concern shared by recent prospective customers is that crooks are seeking to use phony law enforcement requests to freeze and in some cases seize funds in specific accounts.

“What’s being conflated \[with EDRs\] is anything that doesn’t involve a formal judge’s signature or legal process,” Donahue said. “That can include control over data, like an account freeze or preservation request.”

In a hypothetical example, a scammer uses a hacked government email account to request that a service provider place a hold on a specific bank or crypto account that is allegedly subject to a garnishment order, or party to crime that is globally sanctioned, such as terrorist financing or child exploitation.

A few days or weeks later, the same impersonator returns with a request to seize funds in the account, or to divert the funds to a custodial wallet supposedly controlled by government investigators.

“In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. “If you send them a freeze order, that’s a way to establish trust, because \[the first time\] they’re not asking for information. They’re just saying, ‘Hey can you do me a favor?’ And that makes the \[recipient\] feel valued.”

Echoing the FBI’s warning, Donahue said far too many police departments in the United States and other countries have poor account security hygiene, and often do not enforce basic account security precautions — such as requiring phishing-resistant multifactor authentication.

How are cybercriminals typically gaining access to police and government email accounts? Donahue said it’s still mostly email-based phishing, and credentials that are stolen by opportunistic malware infections and sold on the dark web. But as bad as things are internationally, he said, many law enforcement entities in the United States still have much room for improvement in account security.

“Unfortunately, a lot of this is phishing or malware campaigns,” Donahue said. “A lot of global police agencies don’t have stringent cybersecurity hygiene, but even U.S. dot-gov emails get hacked. Over the last nine months, I’ve reached out to CISA (the Cybersecurity and Infrastructure Security Agency) over a dozen times about .gov email addresses that were compromised and that CISA was unaware of.”

FBI: Spike in Hacked Police Emails, Fake Subpoenas

This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to…

This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to infect Windows systems, steal data, and gain remote control. Learn more about its attack methods, evasion tactics, and the potential impact on users.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have uncovered a dangerous phishing campaign distributing a new **Remcos RAT** (Remote Access Trojan) variant. This powerful malware, sold commercially online, targets Microsoft Windows users and allows threat actors to remotely control infected computers.

Remcos RAT being sold online (Screenshot via Fortinet)

According to Fortinet’s findings, shared with Hackread.com, this campaign was initiated with a deceptive phishing email disguised as an order notification (OLE Excel document). Upon opening the attached malicious Excel document, the **CVE-2017-0199** vulnerability is exploited to download and execute an HTML Application (HTA) file.

For your information, CVE-2017-0199 is a Remote Code Execution vulnerability that exploits Microsoft Office and WordPad’s parsing of specially crafted files, allowing the **MS Excel program** to display the content.

This HTA file, crafted with multiple layers of obfuscation and its code written in different scripts, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, delivers the primary payload.

It then downloads a malicious executable (dllhost.exe) and executes it via a 32-bit PowerShell process to extract and deploy the Remcos RAT. The malware modifies the system registry to automatically launch itself upon system startup to ensure persistence.

Remcos connects to a C&C server and sends a registration packet containing system, user, network, and version information about the infected system, and receives commands for information gathering, file operations, remote execution, keylogging, screen recording, and webcam capture. 

This new variant employs multiple persistence mechanisms, including advanced anti-analysis techniques like Vectored Exception Handling. This creates a custom exception handler to intercept/handle execution exceptions preventing debugging techniques like single-stepping. 

Since it doesn’t store API names directly, Remcos uses hash values to identify APIs, extracting addresses from the Process Environment Block (PEB) by matching hash values, which makes static analysis more challenging as tools cannot easily identify the functions being called.

It also detects debuggers’ presence by checking debug registers (DR0 to DR7), monitoring API calls commonly used by debuggers, and using the ZwSetInformationThread() API to hide the current thread from debuggers. Furthermore, it uses the ZwQueryInformationProcess() API to detect if a debugger is attached to the process and take evasive actions. 

Process hollowing is another technique it uses for evading detection. Researchers found that the malware suspends a newly created legitimate process (Vaccinerende.exe), injects its code into the memory, and then resumes it, making it a persistent threat. 

Attack flow and one of the malicious emails used in the attack (Screenshot via Fortinet)

“The malicious code adds a new auto-run item to the system registry to maintain persistence and maintain control of the victim’s device when it is restarted,” researchers noted in their **report**.

To protect yourself, avoid clicking on links or attachments in emails unless they are legitimate, **use security software and antivirus software**, keep software updated with the latest patches, and consider Content Disarm and Reconstruction (CDR) service to remove embedded malicious objects from documents before opening them.

1.  **P2Pinfect Botnet Now Targets Servers with Ransomware**
2.  **ValleyRAT Hits Chinese Windows Users in Multi-Stage Attack**
3.  **Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack**
4.  **SteelFox Malware Posing as Popular Software, Steal Browser Data**
5.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**

Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows

Red Hat Security Advisory 2024-8700-03 - Red Hat OpenShift Container Platform release 4.14.40 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8700.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.40 packages and security update  
Advisory ID:        RHSA-2024:8700-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8700  
Issue date:         2024-11-08  
Revision:           03  
CVE Names:          CVE-2024-9675  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.40 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.40. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8697

Security Fix(es):

* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* Podman: Buildah: CRI-O: symlink traversal vulnerability in the  
containers/storage library can cause Denial of Service (DoS)  
(CVE-2024-9676)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

CVEs:

CVE-2024-9675

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2317458  
https://bugzilla.redhat.com/show_bug.cgi?id=2317467

Red Hat Security Advisory 2024-8700-03

wasm3 at commit 139076a contains a memory leak in the Read_utf8 function.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-fmq6-4w57-2w3v: wasm3 uncontrolled memory allocation vulnerability

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While...

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While we noted a decrease in loaders distributed via malvertising for the past 3 months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods.

After months of absence, Fakebat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer.

In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering post initial infection. The incident was found and reported to Google on the same day as this publication.

**Google Ads distribution**

Last time we saw FakeBat was on July 25 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat’s command and control infrastructure ran from _utd-gochisu\[.\]com_.

Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for ‘notion’. That sponsored result looks entirely authentic, with an official logo and website. We already know that criminals are able to impersonate any brand of their liking by simply using a click tracker — or tracking template — in order to bypass detection.

Below is the network traffic from the ad URL to the payload. We can see the use of the tracking template (_smart.link_), followed by a cloaking domain (_solomonegbe\[.\]com_), before landing on the decoy site (_notion\[.\]ramchhaya.com_):

Why does this work and bypasses Google? Likely because if the user is not an intended victim, the tracking template would redirect them to the legitimate _notion.so_ website.

**FakeBat drops LummaC2 stealer**

After extracting the payload, we recognize the classic first stage FakeBat PowerShell:

Security researcher and long time FakeBat enthusiast RussianPanda was kind enough to give us a hand by looking at this installer in closer detail.

After some fingerprinting to avoid sandboxes, we get this second stage PowerShell:

Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:

The loader is obfuscated with .NET Reactor, where it decrypts the embedded resource with AES and then injects it into _MSBuild.exe_ via process hollowing:

The decrypted payload is LummaC2 Stealer with user ID: 9zXsP2.

**Conclusion**

While malicious ads delivering malware payloads have been a little more rare for the past several weeks, today’s example shows that threat actors can and will make a comeback whenever the time is right.

Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.

We appreciate and would like to thanks RussianPanda‘s quick analysis on the payload, as well as security researcher Sqiiblydoo for reporting the malicious certificate used to sign the installer.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising chain

solomonegbe\[.\]com  
notion\[.\]ramchhaya.com

Malicious Notion installer

34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

FakeBat C2

ghf-gopp1rip\[.\]com

1.jar (PaykRunPE)

373cd164bb01f77ad1e37df844010ee5

LummaC2 (decrypted payload)

3e8c406831a0021f76f02c704b68ee60

JwefqUQWCg (encrypted resource)

497dc11a77a4898b6b5e3cc28a586a38

Malicious URLs

furliumalerer\[.\]site/1.jar  
pastebin\[.\]pl/view/raw/a58044c5

LummaC2 Stealer C2s:

rottieud\[.\]sbs  
relalingj\[.\]sbs  
repostebhu\[.\]sbs  
thinkyyokej\[.\]sbs  
tamedgeesy\[.\]sbs  
explainvees\[.\]sbs  
brownieyuz\[.\]sbs  
slippyhost\[.\]cfd  
ducksringjk\[.\]sbs

 Hello again, FakeBat: popular loader returns after months-long hiatus 

### Summary
XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.

### Details
This is related to https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf, in which its fix ( https://github.com/hapifhir/org.hl7.fhir.core/issues/1571, https://github.com/hapifhir/org.hl7.fhir.core/pull/1717) was incomplete. 

### References
https://cwe.mitre.org/data/definitions/611.html
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j

GHSA-gr3c-q7xf-47vh: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`

Debian Linux Security Advisory 5804-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that processing maliciously crafted web content may lead to an unexpected process crash. Narendra Bhati discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5804-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
November 07, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-44244 CVE-2024-44296

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-44244

    An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that  
    processing maliciously crafted web content may lead to an  
    unexpected process crash.

CVE-2024-44296

    Narendra Bhati discovered that processing maliciously crafted web  
    content may prevent Content Security Policy from being enforced.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.46.3-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmctQfgACgkQAAyEYu0C  
2AL3Mg/+KPh5Bj+N8lUDa9rOwqVs81RdgLwAO2ejoPCdbdL9bC/u03cOaSYckPZ6  
399gXtnD0Fmkg8VIom+XmROOKhNVik4pfrtMVvGpQrguqUm8GURYjGxtw7+ZG5fD  
3QYsAa7r3RCDoN5d2R5CqFplEiwlrZFDrYPACyoXHoRjNjut168sPmKbXqyZoE/t  
p3+16lvRbnJSIdoa2Nu1b8DFuXzHjpShFUW1LtYI/Nn4Civ+gJhi7YajgaKk5b/x  
BEo5dBgBDsWrMbGaOFj5m0w+RwE6dMSx+a7eUheUXHIXH6UBg6i6/tFTgxWrf8dD  
gm+dR0tH69BJyh1KrQYpgBKG1h0yDGI1huRr82m92RQLk9zV73qGlBMlMNLJoOaI  
5QGgVlyg+T2A+taagg+Q1uIPVIpn3FcETgD1W76+eRjACBe4yp27UiV/+78IOkR0  
WkmHRLXLUmPygbuzbxhRfI43y7NKRjkW1WXW66i7sQZHxiRpniCIUwlGcR9JICxm  
uTgJPVxxGh6HNG3khT/MwOTrCkAJufnOvG4cLrK5G0Kht6ocdZ26Sjqb4tbpxuwN  
0UrusBSXeRT2i7y6r8ZUm5n9e5+bCHvKTz+tTSpCoDYgJchQNTEWqxFyG5Fk7rbD  
oLeDB0ZAeLxGrdUoeVTT+lMCQ8l8DRquST5tP61X9aFofifnR6c=  
=OxJE  
-----END PGP SIGNATURE-----

Tag

#web