Debian Linux Security Advisory 5806-1 - A heap-based out-of-bounds write vulnerability was discovered in libarchive, a multi-format archive and compression library, which may result in the execution of arbitrary code if a specially crafted RAR archive is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5806-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 09, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libarchiveCVE ID         : CVE-2024-20696Debian Bug     : 1086155A heap-based out-of-bounds write vulnerability was discovered inlibarchive, a multi-format archive and compression library, which mayresult in the execution of arbitrary code if a specially crafted RARarchive is processed.For the stable distribution (bookworm), this problem has been fixed inversion 3.6.2-1+deb12u2.We recommend that you upgrade your libarchive packages.For the detailed security status of libarchive please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/libarchiveFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmcvIfhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Q7lg/8Dq0QdIkhu9rjq/M6C3m87PYV9MUtp23uZASKIgN95uTMLMYT4AON0o6FZyUB8MZcwTsTabt8LdvgxyXBzGBq1TMKqeB44n2LjjI5cn3OZftQnvNQmqmuiJhSUvk2NyjOZ9TEpfwwGhlwcrFL3YFQxTIrWMbuIacxZRcCrnxTphXL4KxbS2+/gkn3nDG5GrYK0CI20PSOsbKz8nQJqMBuCpWGKU61mcDxivdP3nYQSfzexvhMPhKyuK+FCGWbyMbR70FnC3UmyNTVvSi70H28QHgJ8LSooLaZl9hLnHVdAPt0jRGeYR25JV6GPL4Hx1fq42W/nB+mzyb2Lv/rDf8fQUsVvyoLujhxz6dDJtYr8l0Oy3l4Y8YP4sIIWDYP26glQjggcS3uAACiZe2y6B0EOKuaOj64ZEDgZeTeMcCIyAU6SWZmE9vv4r3QrFA/jtsSmQLZQu3Ry2wrPpbwwDxSDXeAMR9970MxTJgpnltJx2kO6urk8d1SNlNUjkiwdTLA1caGh0HbrwlE+d/OUYIiOLZkBmIi815imbP83imk2yrl/yJIBBObDd192ah66BUFp4UBD28XY3R7bGQN/OpMFcGe3Kw2nVt8rsIA/ku3XWJE60611NFElTZl0QIa1j3dHzgjjYFWYVPlLHUD6XV2p0AXl+sQteToqx66e1sj9eM==2Rv1-----END PGP SIGNATURE-----

Debian Security Advisory 5806-1

Debian Linux Security Advisory 5805-1 - It was discovered that the daemon of the GNU Guix functional package manager was susceptible to privilege escalation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5805-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 08, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : guix  
CVE ID         : not yet available

It was discovered that the daemon of the GNU Guix functional package  
manager was susceptible to privilege escalation. For additional  
information please refer to  
https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/

For the stable distribution (bookworm), this problem has been fixed in  
version 1.4.0-3+deb12u2.

We recommend that you upgrade your guix packages.

For the detailed security status of guix please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/guix

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcuaRAACgkQEMKTtsN8  
TjZa/Q//eoPkJt2H3eEwYAqg8KGN0HD6rJpNNIznSbFIbjBCy/Dojt1YbA/3f7LC  
K4dFp6eQo59drzf2EYVyiBL3a8kXHmAa+HxCY/n//fmBBN/IzkhbXEkAfiCo5wH1  
ICGb3AgNHL2q1+OllyV4PPdwo6YS97/tmUXD3rkr29yX2D8eJ3Iwyf2f9JqBMc7J  
KyBTTYHk9BS0b7XqdkyYJ69WcMNEDa6peCXp11Ebvh6Zk0jo5zoYO8INzNszquKr  
oyI37gEOfrEV2jzWrQCNoHeF5pz9EE5aSXrxSAPOPgkAQ4Y933tVVLoUBMHWCasz  
rTS1rPPAf85V2QqAz5nHk05B4Q3v8WKhd+t0pnpLO87QXLIoas1mUUYPnwzI662i  
aed//ld1LSyDkErVeXWmS5AIW2k/Z7eabmUc23MfSwgdkkBBbZz9T0Ms4VdIKyCZ  
eHv6EwAt6hIXGycwuCLLGUag4q6FMMBFCAuNsBMoLn+8XbIiQImAax/0inlmuqQb  
svuVk5UFp1mycwvSxZhNRm6bI1H4Q1zXFYhAE1VC1CCv9Rw/ZNySHEFRBLpUUcJj  
zdkED2qh8LsigrUfxA7XXE+KIDoFzV865zNRBECxasjnVXSbQiG7R5kHx7kAPHRk  
FWb+efJZbHSFSvvg9pWXRSPqYdCA7Mm+gsouvPyloVNAdo6R6yQ=  
=j+rv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5805-1

Red Hat Security Advisory 2024-8700-03 - Red Hat OpenShift Container Platform release 4.14.40 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8700.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.40 packages and security update  
Advisory ID:        RHSA-2024:8700-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8700  
Issue date:         2024-11-08  
Revision:           03  
CVE Names:          CVE-2024-9675  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.40 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.40. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8697

Security Fix(es):

* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* Podman: Buildah: CRI-O: symlink traversal vulnerability in the  
containers/storage library can cause Denial of Service (DoS)  
(CVE-2024-9676)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

CVEs:

CVE-2024-9675

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2317458  
https://bugzilla.redhat.com/show_bug.cgi?id=2317467

Red Hat Security Advisory 2024-8700-03

Plus: Hot Topic confirms a customer data breach, Germany arrests a US citizen for allegedly passing military secrets to Chinese intelligence, and more.

Maybe you already heard, but Donald Trump will be president of the United States again. The far-right is celebrating by calling for mass executions. The left is responding with their own election conspiracy theories. Convicted January 6 rioters are banking on a pardon. And women who oppose Trump have frankly had enough.

Ahead of Election Day, WIRED found that an “election integrity” app made by True the Vote, a right-wing group that helped popularize election denialism around the 2020 election, was leaking the emails of its users. In one instance it revealed an election officer in California who appeared to be engaged in illegal voter suppression.

Disinformation and other forms of election interference have been a major issue since Russia’s hack of the Democratic National Committee in the lead-up to the 2016 election. But 2024 appears to have been the worst yet, with US officials warning that Russia had amplified its efforts to unprecedented levels.

In non-election news, Canadian authorities arrested Alexander “Connor” Moucka, who is accused of hacking a slew of Snowflake cloud storage customers earlier this year. Security experts who’ve long followed the exploits of a hacker who went by the handle Waifu—whom authorities say is Moucka—believe him to be “one of the most consequential threat actors of 2024.”

A federal judge in Michigan sentenced Richard Densmore to 30 years in prison after he pleaded guilty to sexually exploiting a child. Densmore was highly active in 764, an online criminal network that the FBI now considers to be a “tier one” terrorism threat.

Finally, in WIRED’s first story published in partnership with 404 Media, reporter (and 404 co-owner) Joseph Cox took a deep dive into the world of infostealer malware—the same kind used in all those Snowflake account breaches Moucka is accused of committing.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Some iPhones that police have in their possession for forensic examination are suddenly rebooting themselves, making it more difficult for investigators to access their contents, reports 404 Media. Police use tools like Cellebrite to essentially hack into phones, but this is typically done when a device is in the so-called After First Unlock (AFU) state. Once they reboot, iPhones are put into Before First Unlock (BFU), which makes them much harder to access with forensic tools.

According to a document obtained by 404, police believed the sudden reboots stemmed from the fact that the devices run iOS 18, Apple’s new mobile operating system. The police suspected that iOS 18 contains a secret feature that allowed the impacted devices, all of which were in airplane mode, to communicate with other nearby iPhones, which sent “a signal to devices to reboot after so much time had transpired since device activity or being off network,” the document reads.

They're half right. 404 reported Friday evening that multiple experts have discovered a new feature in iOS 18 called “inactivity reboot,” which appears to force iPhones to reboot on the fourth day after being locked—no secret signal-sending required. While the feature could help prevent robbers from using stolen iPhones, it's clearly giving the cops a headache, too.

Bad news, kids. The retail chain Hot Topic confirmed this week that it suffered a data breach that exposed the personal information of some 54 million customers. The stolen data includes email addresses for all 54 million people, 25 million “lightly encrypted” credit card numbers, the names, phone numbers, and birthdays of 20 million customers, and even the home addresses of 10 million people. While the hackers behind the breach claimed to have data on far more people than the dataset contains—350 million customers—the exposed data could still be used for identity theft and other malicious activities. Not cool!

Authorities in Germany this week arrested a US citizen for allegedly giving American military secrets to the Chinese government. Identified only as Martin D. due to German privacy laws, prosecutors say he recently “worked for the US armed forces in Germany” and “obtained the information in question during his work with the US armed forces,” according to NBC News. Prosecutors claim that Martin D. “contacted Chinese government agencies and offered to provide them with sensitive US military information for forwarding to a Chinese intelligence service.” Martin D.’s arrest comes just a month after German authorities arrested a woman on suspicion of passing information about arms deliveries to Chinese intelligence.

The FBI is investigating whether Chinese state-backed hackers breached the iPhones of senior staff members in either the Kamala Harris or Donald Trump presidential campaigns, Forbes reports. The CEO of security firm iVerify, Rocky Cole, tells Forbes that his company’s software identified strange changes to the settings on the iPhones of campaign staff “in patterns that are not observed on healthy devices.” (Cole declined to identify which campaign’s staff was impacted.) The FBI told Cole that the affected iPhones belonged to known targets of Chinese hacker group Salt Typhoon, which reportedly breached several US telecom networks including AT&T and Verizon.

Auto-Rebooting iPhones Are Causing Chaos for Cops

Palo Alto Networks on Friday issued an informational advisory urging customers to ensure that access to the PAN-OS management interface is secured because of a potential remote code execution vulnerability.
"Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface," the company said. "At this time, we do not know the specifics of the

Vulnerability / Network Security

Palo Alto Networks on Friday issued an informational advisory urging customers to ensure that access to the PAN-OS management interface is secured because of a potential remote code execution vulnerability.

"Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface," the company said. "At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation."

In the interim, the network security vendor has recommended that users correctly configure the management interface in line with the best practices, and make sure that access to it is possible only via trusted internal IPs to limit the attack surface.

It goes without saying that the management interface should not be exposed to the Internet. Some of the other guidelines to reduce exposure are listed below -

*   Isolate the management interface on a dedicated management VLAN
*   Use jump servers to access the management IP
*   Limit inbound IP addresses to the management interface to approved management devices
*   Only permit secured communication such as SSH, HTTPS
*   Only allow PING for testing connectivity to the interface

The development comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), relates to a case of missing authentication in the Expedition migration tool that could lead to an admin account takeover, and possibly gain access to sensitive data.

While it's currently not known how it's being exploited in the wild, federal agencies have been advised to apply the necessary fixes by November 28, 2024, to secure their networks against the threat.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Palo Alto Advises Securing PAN-OS Interface Amid Potential RCE Threat Concerns

The 36-year-old founder of the Bitcoin Fog cryptocurrency mixer has been sentenced to 12 years and six months in prison for facilitating money laundering activities between 2011 and 2021.
Roman Sterlingov, a dual Russian-Swedish national, pleaded guilty to charges of money laundering and operating an unlicensed money-transmitting business earlier this March.
The U.S. Department of Justice (DoJ)

Cryptocurrency / Cybercrime

The 36-year-old founder of the Bitcoin Fog cryptocurrency mixer has been sentenced to 12 years and six months in prison for facilitating money laundering activities between 2011 and 2021.

Roman Sterlingov, a dual Russian-Swedish national, pleaded guilty to charges of money laundering and operating an unlicensed money-transmitting business earlier this March.

The U.S. Department of Justice (DoJ) described Bitcoin Fog as the darknet's longest-running cryptocurrency mixer, allowing cybercriminals to conceal the source of their cryptocurrency proceeds.

"Over the course of its decade-long operation, Bitcoin Fog gained notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement and processed transactions involving over 1.2 million bitcoin, valued at approximately $400 million at the time the transactions occurred," the DoJ said.

"The bulk of this cryptocurrency came from darknet marketplaces and was tied to illegal narcotics, computer crimes, identity theft, and child sexual abuse material."

In addition to the jail term, Sterlingov has been sentenced to forfeit $395.56 million, as well as seized cryptocurrencies and monetary assets valued at approximately $1.76 million. He has also been ordered to forfeit his interest in the Bitcoin Fog wallet, which currently holds 1,345 bitcoin ($103 million).

"Roman Sterlingov laundered over $400 million in criminal proceeds through Bitcoin Fog, his cryptocurrency 'mixing' service that was open for business to criminals looking to hide dirty money," said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the DoJ's Criminal Division.

"Through his illicit money laundering operation, Sterlingov helped criminals launder proceeds of drug trafficking, computer crime, identity theft, and the sexual exploitation of children."

The development comes a day after the DoJ also sentenced a Nigerian national, a 33-year-old Babatunde Francis Ayeni, to ten years in federal prison for his role in a massive cyber fraud conspiracy that claimed over 400 victims in the U.S., leading to a cumulative loss of nearly $20 million.

Ayeni and other conspirators were "involved in a sophisticated business email compromise scheme targeting real estate transactions in the United States," it said.

"Over 400 people across the United States were victims of the conspiracy. Of these, 231 victims were unable to reverse the wire transactions in time and lost their entire transaction. The collective loss of these 231 victims was $19,599,969.46."

Last week, the DoJ also sentenced Kolade Akinwale Ojelade, a 34-year-old Nigerian man, to more than 26 years in prison for deceiving prospective homeowners and others out of down payments using an adversary-in-the-middle (AitM) email phishing and spoofing attack that caused money transfers to be routed to bank accounts under his control. The fraudulent operation is estimated to have resulted in losses totaling approximately $12 million.

"Mr. Ojelade sent phishing emails to real estate businesses, gained unauthorized access to many of their accounts, and monitored their email traffic to determine when large transactions were about to take place," the DoJ said.

"He then intercepted wire payment instructions, changed the information, and resent the emails via spoofed email addresses that mimicked the original senders’ addresses."

The sentencing also follows the arrest of 130 suspects comprising 113 foreign nationals, mainly of Chinese and Malaysian origin, and 17 Nigerian collaborators by the Nigeria Police Force for their "alleged involvement in high-level cybercrimes, hacking, and activities that threaten national security."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Bitcoin Fog Founder Sentenced to 12 Years for Cryptocurrency Money Laundering

wasm3 at commit 139076a contains a memory leak in the Read_utf8 function.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-fmq6-4w57-2w3v: wasm3 uncontrolled memory allocation vulnerability

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While...

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While we noted a decrease in loaders distributed via malvertising for the past 3 months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods.

After months of absence, Fakebat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer.

In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering post initial infection. The incident was found and reported to Google on the same day as this publication.

**Google Ads distribution**

Last time we saw FakeBat was on July 25 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat’s command and control infrastructure ran from _utd-gochisu\[.\]com_.

Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for ‘notion’. That sponsored result looks entirely authentic, with an official logo and website. We already know that criminals are able to impersonate any brand of their liking by simply using a click tracker — or tracking template — in order to bypass detection.

Below is the network traffic from the ad URL to the payload. We can see the use of the tracking template (_smart.link_), followed by a cloaking domain (_solomonegbe\[.\]com_), before landing on the decoy site (_notion\[.\]ramchhaya.com_):

Why does this work and bypasses Google? Likely because if the user is not an intended victim, the tracking template would redirect them to the legitimate _notion.so_ website.

**FakeBat drops LummaC2 stealer**

After extracting the payload, we recognize the classic first stage FakeBat PowerShell:

Security researcher and long time FakeBat enthusiast RussianPanda was kind enough to give us a hand by looking at this installer in closer detail.

After some fingerprinting to avoid sandboxes, we get this second stage PowerShell:

Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:

The loader is obfuscated with .NET Reactor, where it decrypts the embedded resource with AES and then injects it into _MSBuild.exe_ via process hollowing:

The decrypted payload is LummaC2 Stealer with user ID: 9zXsP2.

**Conclusion**

While malicious ads delivering malware payloads have been a little more rare for the past several weeks, today’s example shows that threat actors can and will make a comeback whenever the time is right.

Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.

We appreciate and would like to thanks RussianPanda‘s quick analysis on the payload, as well as security researcher Sqiiblydoo for reporting the malicious certificate used to sign the installer.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising chain

solomonegbe\[.\]com  
notion\[.\]ramchhaya.com

Malicious Notion installer

34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

FakeBat C2

ghf-gopp1rip\[.\]com

1.jar (PaykRunPE)

373cd164bb01f77ad1e37df844010ee5

LummaC2 (decrypted payload)

3e8c406831a0021f76f02c704b68ee60

JwefqUQWCg (encrypted resource)

497dc11a77a4898b6b5e3cc28a586a38

Malicious URLs

furliumalerer\[.\]site/1.jar  
pastebin\[.\]pl/view/raw/a58044c5

LummaC2 Stealer C2s:

rottieud\[.\]sbs  
relalingj\[.\]sbs  
repostebhu\[.\]sbs  
thinkyyokej\[.\]sbs  
tamedgeesy\[.\]sbs  
explainvees\[.\]sbs  
brownieyuz\[.\]sbs  
slippyhost\[.\]cfd  
ducksringjk\[.\]sbs

 Hello again, FakeBat: popular loader returns after months-long hiatus 

Large language models (LLMs) can help app security firms find and fix software vulnerabilities. Malicious actors are on to them too, but here's why defenders may retain the edge.

Source: vs148 via Shutterstock

Security researchers and attackers are turning to AI models to find vulnerabilities, a technology whose use will likely drive the annual count of software flaws higher, but could eventually result in fewer flaws in public releases, experts say.

On Nov. 1, Google said its Big Sleep large language model (LLM) agent discovered a buffer-underflow vulnerability in the popular database engine, SQLite. The experiment shows both the peril and the promise of AI-powered vulnerability discovery tools: The AI agent searched through the code for variations on a specific vulnerability, but identified the software flaw in time for Google to notify the SQLite project and work with them to fix the issue.

Using AI just for software-defect discovery could result in a surge in vulnerability disclosures, but introducing LLM agents into the development pipeline could reverse the trend and lead to fewer software flaws escaping into the wild, says Tim Willis, head of Google's Project Zero, the company's effort to identify zero-day vulnerabilities.

"While we are at an early stage, we believe that the techniques we develop through this research will become a useful and general part of the toolbox that software developers have at their disposal," he says.

Google is not alone in searching for better ways to find — and fix — vulnerabilities. In August, a group of researchers from Georgia Tech, Samsung Research, and other firms — collectively known as Team Atlanta — used an LLM bug-finding system to automatically find and patch a bug in SQLite. And just last month, cybersecurity firm GreyNoise Intelligence revealed it had used its Sift AI system to analyze honeypot logs leading to the discovery and patching of two zero-day vulnerabilities affecting Internet-connected cameras used in sensitive environments.

Overall, companies are gaining more ways to automate vulnerability discovery, and — if they are serious about security — will be able to drive down the number of vulnerabilities in their products by using the tools in development, says Corey Bodzin, chief product officer at GreyNoise Intelligence.

"The exciting thing is we do have technology that allows people who \[care about\] security to be more effective," he says. "Sadly ... there are not many companies where that is ... a primary driver, but even in companies where \[security is\] purely viewed as a cost" can benefit from using these tools.

**Only the First Steps**

Currently, Google's custom approach is still bespoke and requires work to adapt to specific vulnerability-finding tasks. The company's Big Sleep agent does not to look for completely new vulnerabilities, but uses details from a previously discovered vulnerability to look for similar issues. The project has looked at smaller programs with known vulnerabilities as test cases, but the SQLite experiment is the first time they found vulnerabilities in production code, the Google Project Zero and Google DeepMind researchers stated in Google's blog post describing the research.

While specialized fuzzers would likely have found the bug, tuning those tools to perform well is a very manual process, says Google's Willis.

"One promise of \[L\]LM agents is that they might generalize across applications without the need for specialized tuning," he says. "Additionally, we're hopeful that \[L\]LM agents will be able to uncover a different subset of vulnerabilities than those typically found through fuzzing."

The use of AI-based vulnerability discovery tools will be a race between attackers and defenders. Manual code review is a viable way of finding bugs for attackers, who only need a single exploitable vulnerability or short chain of vulnerabilities. But defenders need a scalable way of finding and fixing applications, Willis says. While bug-finding tools can be a force multiplier for both attackers and defenders, the ability to scale up to analyze code will likely be a greater benefit for defenders, Willis says.

"We expect that advances in automated vulnerability discovery, triage, and remediation will disproportionately benefit defenders," he says.

**Focus AI on Finding and Fixing Bugs**

Companies that focus on using AI to generate secure code and fix bugs when found will deliver higher quality code from developers, says Chris Wysopal, co-founder and chief security evangelist at Veracode, an application security firm. He argues that automating bug finding and bug fixing are two completely different problems. Finding vulnerabilities is a very large data problem, whIle fixing bugs usually deals with perhaps a dozen lines of code.

"Once you know the bug is there — if you found it through fuzzing, or through an LLM, or using human code review — and you know what kind of bug it is, fixing it is relatively easy," he says. "So, LLMs favor defenders, because having access to source code and fixing issues is easy. So I'm kind of bullish that we can eliminate whole classes of vulnerabilities, but it's not from finding more, it's from being able to fix more."

Companies that require developers to run automated security tools before code check-in will find themselves on a path to paying down their security debt — the collection of issues that they know about, but have not had time to fix, he says. Currently, about half (46%) of organizations have security debt in the form of persistent critical flaws in applications, according to Veracode's 2024 State of Software Security report.

"The idea that you're committing code that has a problem in it, and it's not fixed, will become the exception, not the rule, like it is today," Wysopal says. "Once you can start to automate this fixing — and we're always getting better at automating finding \[vulnerabilities\] — I think that's how things change."

Yet, the technology will still have to overcome companies' focus on efficiency and productivity over security, says Bob Rudis, vice president of data science and security research at GreyNoise Intelligence. He points to the fixing of the two security vulnerabilities that GreyNoise Intelligence found and responsibly disclosed. The company only fixed the issues in two product models, but not others — despite the fact that the other products likely had similar issues, he says.

Google and GreyNoise Intelligence proved that the technology will work, but whether companies integrate AI into the development pipelines to eliminate bugs is still an open question.

Rudis has doubts.

"I'm sure a handful of organizations are going to deploy it — it's going to make like seven C files a little bit safer across a bunch of organizations, and maybe we'll get like a tick more security for the ones that can actually deploy it properly," he says. "But ultimately, until we actually change the incentive structure around how software vendors build and deploy things, and how consumers actually purchase and deploy and configure things, we are not going to see any benefit."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI &amp; LLMs Show Promise in Squashing Software Bugs

Direct cyberattacks on vehicles are all but unheard of. In theory though, the opportunity is there to cause real damage — data extraction, full system compromise, even gaining access to safety-critical systems.

Source: Marin Tomas via Alamy Stock Photo

Six unpatched vulnerabilities in a Mazda in-vehicle infotainment (IVI) system could be exploited with a simple USB in a moments' time, and one of them has legitimate consequences to vehicle safety.

These days, cars are just computers on wheels, and IVIs are their user interface. The IVI in most Mazda vehicles of recent years — like the Mazda3 and CX-3, 5, and 9 — are built with the Mazda Connect Connectivity Master Unit (CMU), developed by the Michigan-based Visteon Corporation. The CMU is a core hardware component that enables various connectivity services: smartphone integration, a Wi-Fi hotspot, and various remote monitoring and control features.

Recent research through Trend Micro's Zero Day Initiative (ZDI) has surfaced half a dozen vulnerabilities in the Mazda IVI. A few of them enable full system compromise, and access to various sensitive data. One of particular note could enable an attacker to pivot to the vehicle's Controller Area Network (CAN) bus — the central nervous system connecting its various component parts.

None of the vulnerabilities have been assigned a value according to the Common Vulnerability Scoring System (CVSS) yet. All of them remain unpatched as of this writing. On the plus side: They all require that an attacker physically insert a malicious USB into the center console. Such a scenario — carried out by a carjacker, or possibly a valet or dealer — is essentially unheard of in the real world to date.

Dark Reading has reached out to Visteon for further comment on this story.

**6 Mazda IVI Security Bugs**

Three of the vulnerabilities — CVE-2024-8358, CVE-2024-8359, and CVE-2024-8360 — target functions used to locate and extract specific files during software updates. Because the provided file path is not sanitized, an attacker can step in with their own malicious injection, which gets executed at the root level of the system. With a specially crafted command, this one-step hack could facilitate a full system takeover.

Another way to skin this cat would be to take advantage of CVE-2024-8357, affecting the CMU's System on Chip (SoC) running Linux. The SoC's boot process has no authentication in place, so an attacker with the ability to execute code can take advantage to manipulate files, establish persistence through reboots, and establish control over the system even before it boots up.

The Mazda IVI; Source: Trend Micro's ZDI

CVE-2024-8355 might seem at first a bit different from the rest but, in reality, it's caused by the same underlying problem: lack of sanitization of input data.

To establish a connection with an Apple device, the CMU will request the device's serial number. Because it doesn't apply scrutiny to that value, a spoofed device can send specially crafted SQL code instead. The system's DeviceManager will run that code at the root level, enabling all kinds of malicious outcomes: database exposure, arbitrary file creation, etc.

Last, but certainly not least, is CVE-2024-8356, a missing verification during the CMU software update process. This one, however, affects the unit's other processor, the Verification IP Microcontroller Unit (VIP MCU). The VIP MCU is designed to be separate from the SoC for security purposes, because instead of running the operating system, it connects to the vehicle's CAN bus. The CAN bus, in turn, connects the rest of the vehicle: everything from climate control to the engine and airbags. With a tampered firmware image, ZDI demonstrated that one can jump the SoC to manipulate the VIP MCU, and from there reach the CAN bus.

**Serious, But Unlikely Consequences**

"In truth, it's hard to predict what an attacker could do once they have access to a CAN bus," says Dustin Childs, head of threat awareness at ZDI. "Since the CAN bus serves as the nervous system of the vehicle, a threat actor could potentially impact whatever electronic control units (ECUs) or components that interact with the CAN bus." Translation: Attackers can subvert just about any conceivable part of the vehicle.

"The worst case scenario would be an attacker impacting the driving characteristic of the car, rendering it unsafe to operate," he adds.

Still, the threat is immaterial. For all of the exploits demonstrated by researchers, actual criminals still consistently stick to those older tried-and-true methods of compromise: a stolen set of keys; an unfurled clothes hanger slipped artfully in between a window and a door frame; or a rock, a window, and a good baseball toss.

"At this point, there isn't a lot of real-world impact," Childs admits. "However, as cars become more connected, remote exploitation becomes more realistic. In the last Pwn2Own Automotive, the team from Synacktiv exploited the modem of the Tesla Model 3 over-the-air to reach and interact with the onboard systems of the vehicle. It's just a matter of time until a complete, remote vehicle takeover becomes a real possibility."

He adds, "That's why manufacturers should build in security to each component and not rely on the defenses of other modules. A vehicle should have a multilayered protective system that assumes every message may be from a compromised source. The more we get ahead of the problem now, the easier it will be to react to it in the future."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Latest News