Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

The holiday season is here, but software firms are still busy issuing fixes for major security flaws. Microsoft, Google, and enterprise software firm Atlassian have released patches for vulnerabilities already being used in attacks. Cisco also patched a bug deemed so serious, it was given a near-maximum CVSS score of 9.9.

Here’s everything you need to know about the patches released in November.

Google Chrome

Google ended November with a bang after issuing seven security fixes for Chrome, including an emergency patch for an issue already being used in real-life attacks. Tracked as CVE-2023-6345, the already exploited flaw is an integer overflow issue in Skia, an open source 2D graphics library. “Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the browser maker said in an advisory.

Little is known about the fix at the time of writing; however, it was reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group, indicating the exploit could be spyware-related.

The six other flaws fixed by Google and rated as having a high impact include CVE-2023-6348, a type-confusion bug in Spellcheck, and CVE-2023-6351, a use-after-free issue in libavif.

Earlier in the month, Google released fixes for 15 security issues in its widely used browser. Among the bugs fixed by the software giant are three rated as having a high severity. Tracked as CVE-2023-5480, the first is an inappropriate implementation issue in Payments, while the second, CVE-2023-5482, is an insufficient data validation flaw in USB with a CVSS score of 8.8. The third high-severity bug, CVE-2023-5849, is an integer overflow issue in USB.

Mozilla Firefox

Chrome competitor Firefox has fixed 10 vulnerabilities in the browser, six of which are rated as having a high impact. CVE-2023-6204 is an out-of-bound memory access flaw in WebGL2 blitFramebuffer, while CVE-2023-6205 is a use-after-free issue in MessagePort.

Meanwhile, CVE-2023-6206 could allow clickjacking permission prompts using the full-screen transition. “The black fade animation when exiting full screen is roughly the length of the anti-clickjacking delay on permission prompts,” Firefox owner Mozilla said. “It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.”

CVE-2023-6212 and CVE-2023-6212 are Memory safety bugs, both with a CVSS score of 8.8, in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5.

Google Android

Google's November Android Security Bulletin details fixes patched in this month, including eight in the Framework, six of which are elevation of privilege bugs. The worst flaw could lead to local escalation of privilege with no additional execution privileges needed, Google said in an advisory.

Google also fixed seven issues in the System, six of which are rated as having a high severity and one marked as critical. Tracked as CVE-2023-40113, the critical bug could lead to local information disclosure with no additional execution privileges needed.

Google's Pixel devices have already received the November update, along with some additional fixes. The November Android Security Bulletin has also started to roll out to some of Samsung’s Galaxy line.

Microsoft

Microsoft has a Patch Tuesday every month, but November's is worth notice. The update fixes 59 vulnerabilities, two of which are already being exploited in real-life attacks. Tracked as CVE-2023-36033, the first is an elevation of privilege vulnerability in Windows DWM Core Library marked as important, with a CVSS score of 7.8. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

Meanwhile, CVE-2023-36036 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver with a CVSS score of 7.8. Also fixed in November’s update cycle is the already exploited libWep flaw previously fixed in Chrome and other browsers, which also impacts Microsoft’s Edge, tracked as CVE-2023-4863.

Another notable flaw is CVE-2023-36397, a remote code execution vulnerability in Windows Pragmatic General Multicast marked as critical with a CVSS score of 9.8. “When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” Microsoft said.

Cisco

Enterprise software firm Cisco has issued fixes for 27 security flaws, including one rated as critical with a near maximum CVSS score of 9.9. Tracked as CVE-2023-20048, the vulnerability in the web services interface of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to execute unauthorized configuration commands on a Firepower Threat Defense device managed by the FMC Software.

However, to successfully exploit the vulnerability, an attacker would need valid credentials on the FMC Software, Cisco said.

A further seven of the flaws fixed by Cisco are rated as having a high impact, including CVE-2023-20086—a denial-of-service flaw with a CVSS score of 8.6—and CVE-2023-20063, a code-injection vulnerability with a CVSS score of 8.2.

Atlassian

Atlassian has released a patch to fix a serious flaw already being used in real-life attacks. Tracked as CVE-2023-22518, the improper-authorization vulnerability issue in Confluence Data Center and Server is being used in ransomware attacks. “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware,” it said.

Security outfit Trend Micro reported the Cerber ransomware group is using the flaw in attacks. “This is not the first time that Cerber has targeted Atlassian—in 2021, the malware re-emerged after a period of inactivity and focused on exploiting remote code execution vulnerabilities in Atlassian's GitLab servers,” Trend Micro said.

All versions of Confluence Data Center and Server are affected by the flaw, which allows an unauthenticated attacker to reset Confluence and create an administrator account. “Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability,” Atlassian said.

SAP

Enterprise software giant SAP has released its November Security Patch Day, fixing three new flaws. Tracked as CVE-2023-31403 and with a CVSS score of 9.6, the most serious issue is an improper access control vulnerability flaw in SAP Business One. As a result of exploiting the issue, a malicious user could read and write to the SMB shared folder, the software giant said.

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

No Iranian bank customers are safe from financially motivated cybercriminals wielding convincing but fake mobile apps.

Source: Stephen Barnes/Finance via Alamy Stock Photo

A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets.

Four months ago, researchers from Sophos detailed a lengthy campaign involving 40 malicious banking apps designed to harvest credentials belonging to unwitting customers. By imitating four of the Islamic Republic's most significant financial institutions — Bank Mellat, Bank Saderat, Resalat Bank, and the Central Bank of Iran — hackers were able to install and hide their copycat apps on victims' phones, harvesting logins, intercepting SMS messages with one-time passcodes, and stealing sensitive financial information, including credit cards.

Apparently, that was just the opening salvo. A new blog post from Zimperium has revealed 245 more apps associated with the same, clearly ongoing campaign, 28 of which had not previously been recorded on VirusTotal.

And this new trove isn't just bigger — it's more diverse, and more sophisticated than the first 40 were, featuring new kinds of targets, and tactics for stealth and persistence.

**285 Fake Banking Apps**

The 245 new apps discovered since the summer extend beyond the bounds of the original 40 by actively targeting four new Iranian banks, with some evidence that they have another four more in their sights.

Besides banks, the attackers have also started probing for data relating to sixteen cryptocurrency platforms, including such popular ones as Metamask, KuCoin, and Coinbase.

To facilitate the targeting of a dozen banks and 16 crypto hubs, the attackers have also added some new tools to their arsenal. For example, one little trick they use to avoid infrastructure takedowns involves a command-and-control server with the lone purpose of distributing phishing links. As the researchers explained, this "allows for the server URL to be hardcoded on the application without the risk of being taken down."

The group's most notable new tactic, however, is how its apps abuse accessibility services. 

"While using the accessibility API, they get a way to programmatically access the UI's elements," explains Nico Chiaraviglio, chief scientist of Zimperium. He explains that attackers can invisibly interact with the device in some of the same ways a user can, to malicious effect. For example, "they can request for dangerous permissions (such as reading SMS) and when the user is prompted to accept the permission, they click on 'Accept' before the user even sees the notification. Or they prevent uninstallation by clicking on 'Cancel' when the user tries to uninstall the app."

Thus far the fake apps have been limited to Android devices. But among the attackers' belongings, the researchers did uncover phishing websites mimicking banking apps' Apple App Store pages, indicating that the campaign may expand to iPhones in the near future.

Long before that happens, the campaign will have touched thousands. "Based on the information obtained from one of their Telegram channels, we know that there are thousands of victims. But we could only access one of the channels used (since one of them is private) and there is no guarantee that they didn't use other channels in the past." 

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector

Google's released an update to Chrome which includes seven security fixes. Make sure you're using the latest version!

Google has released an update to Chrome which includes seven security fixes including one for a vulnerability which is known to have already been exploited.

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.

The easiest way to update Chrome is to set it to update automatically, but you have to make sure to close your browser for the update to finish. You can also end up on an older, vulnerable version if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome** (on Windows) or **Google Chrome > About Google Chrome** (on Mac).

If there is an update available, Chrome will start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Google Chrome is up to date_

After the update, the version should be listed as 119.0.6045.199 for Mac and Linux, and 119.0.6045.199/.200 for Windows, or later.

**The technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to the actively expoited zero-day is:

CVE-2023-6345: Integer overflow in Skia. Google notes it is aware that an exploit for CVE-2023-6345 exists in the wild. This vulnerability could lead to a range of risks, from crashes to the execution of arbitrary code.

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix, so that interested criminals remain none the wiser.

The fact that the vulnerability is listed with a severity rating of High, indicates that the scope of the flaw is limited to the browser, but this could mean successful exploitation could provide the attacker with information about visited websites and so on.

Skia is an open source 2D graphic library for drawing Text, Geometries, and Images. Skia works across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.

That’s why users of other Chromium based browsers and software that uses Skia should keep their eyes open for similar updates.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update now! Chrome fixes actively exploited zero-day vulnerability 

_Published September 25, 2023 | Updated September 29, 2023_

The Chromecast Security Bulletin contains details of security vulnerabilities affecting supported Chromecast with Google TV devices (Chromecast devices). For Chromecast devices, security patch levels of 2023-07-01 or later address all applicable issues in the July 2023 Android Security Bulletin and all issues in this bulletin. To learn how to check a device's security patch level, see Chromecast firmware versions & release notes.

All supported Chromecast devices will receive an update to the 2023-07-01 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the July 2023 Android Security Bulletin, Chromecast devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**AMLogic**

   

CVE

References

Severity

Subcomponent

CVE-2022-42536

A-258698524

High

Secure Monitor

CVE-2022-42537

A-258699189

High

Secure Monitor

CVE-2022-42541

A-258698507

High

Secure Monitor

CVE-2022-42538

A-258698938

High

Secure Monitor

CVE-2022-42540

A-258699554

High

Secure Monitor

CVE-2022-42539

A-258699550

High

Secure Monitor

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Chromecast firmware versions & release notes.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Chromecast firmware versions & release notes.

**2\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column.

**Versions**

  

Version

Date

Notes

1.0

September 25, 2023

1.1

September 29, 2023

Added AMLogic CVEs

CVE-2022-42541: Chromecast Security Bulletin—September 2023

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Source: PREMIO STOCK via Shutterstock

For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.

**Integer Overflow Bug**

The latest zero-day, which Google is tracking as CVE-2023-6345, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.

The company's advisory contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NIST's National Vulnerability Database (NVD) site described the flaw as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has "compromised the renderer process to potentially perform a sandbox escape via a malicious file." The NVD identified the bug as a high-severity issue.

Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.

The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.

**A Flood of Browser Zero-Days**

Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with CVE-2023-4863, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with CVE-2023-5217, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.

There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including CVE-2023-28205 and three others in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.

It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies to drop spyware on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.

**Ubiquitous Use**

Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.

"Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited," he says.

The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. "Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chrome's growing popularity among threat actors. "Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors," he says.

More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.

"To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date," Abbasi notes. "Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Google Patches Another Chrome Zero-Day as Browser Attacks Mount


In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.  It is possible for a group administrator to elevate a group members permissions to the role of an organization administrator.


MOVEit enables your organization to meet strict cybersecurity compliance standards such as PCI-DSS, HIPAA, GDPR, SOC2 and more. Provide a secure environment for your most sensitive files, while easily ensuring the reliability of core business processes.

30-day FREE trial. No credit card required.

Release

**MOVEit 2023.1: Check Out All the New Features in the Latest Release**

**MOVEit Modules**

MOVEit’s flexible architecture makes it easy to choose the exact capabilities that match your organization’s specific needs.

**MOVEit Transfer**

*   **On-premise** solution.
*   Ensure management and control over your business-critical file transfers by consolidating them all on one system.
*   Leverage MOVEit Transfer’s file encryption, security, activity tracking tamper-evident logging, and centralized access controls.
*   Reliably and easily comply with SLAs, internal governance requirements and regulations like PCI, HIPAA, CCPA/CPRA and GDPR.

Explore MOVEit Transfer Free Trial

**MOVEit Cloud**

*   MOVEit Transfer hosted by Progress **as-a-Service in the Cloud**.
*   All the benefits of managed file transfer without the heavy lifting.
*   Operational reliability with clear SLAs and internal governance.
*   Compliant with PCI, HIPAA, CCPA/CPRA and GDPR.

Explore MOVEit Cloud Free Trial

**MOVEit Automation**

*   Works with MOVEit Cloud, MOVEit Transfer, hybrid cloud endpoints (AWS S3, Azure Blob, SharePoint, etc.) or any FTP system.
*   **Provides advanced workflow automation capabilities without the need for scripting.**
*   Securely share sensitive files with full visibility into all file transfer activities, including a tamper-evident audit trail.

Explore MOVEit Automation Free Trial

**Additional Features**

Email and Web Transfer

MOVEit Ad-Hoc makes secure file transfer easily accessible from Microsoft Outlook or a web browser to assure the compliant ad-hoc transfers of sensitive data.

Secure End-User Collaboration

Secure Folder Sharing provides internal and external end users with an easy-to-use, drag-and-drop collaboration capability as an alternative to using email or content collaboration to share sensitive data.

Mobile Managed File Transfer

The free MOVEit Mobile app puts secure and managed file transfer control at your fingertips via your iOS or Android device.

Flexible Deployment

Deployment flexibility means you can meet your exact needs with options ranging from MFT-as-a-Service, to public cloud to on-premises or hybrid cloud solutions.

MOVEit Add-in for Microsoft Outlook

Provides an exceptional user experience that makes sharing secure files intuitive and hassle-free. Deploys centrally with nothing for users to install or maintain.

DMZ Proxy Gateway

MOVEit Gateway is a DMZ proxy server that keeps confidential/sensitive data, authentication, and access information behind the firewall.

**Industries**

**Banking & Finance**

Secure file sharing is the foundation for trust in financial transactions. Use MOVEit to help meet PCI-DSS, GDPR, and ISO 27001 compliance requirements.

Explore

**Government & Public Sector**

MOVEit helps IT teams at almost every federal civilian agency and military branch to securely transfer mission-critical information and assure the performance of their networked infrastructures and applications.

Explore

**Healthcare**

When lives are on the line, IT teams need to deliver virtually zero downtime and assure the secure and confidential movement of patient data.

Explore

**Insurance**

Pushing claims or processing payments, IT teams in a highly regulated industry like insurance need powerful tools that make their lives simpler.

Explore

**Manufacturing**

Gain operational efficiencies and eliminate manual errors while securely delivering important files to customers and partners.

Explore

**Education**

Ensure your school protects and shares personally identifiable information through encryption that protects sensitive files at rest and in transit.

Explore

**Request Pricing**

Get a free price quote from one of our experts.

**Additional Capabilities**

**Multi-Tenancy**

Our Multi-tenancy option enables MOVEit Transfer to simultaneously serve multiple client organizations, or “tenants”, on a domain or username basis.

Download Data Sheet

**High Availability**

MOVEit Transfer has a flexible architecture that can be deployed on one or more systems to address availability, performance or scalability requirements.

Download Data Sheet

**Desktop Clients**

Choose from a full range of desktop clients to meet your needs, including an easy-to-use MOVEit Client for Windows and MacOS, WS\_FTP, MOVEit EZ and MOVEit Freely

See Desktop Clients

**API**

The MOVEit API offers third-party programs access to a wide variety of MOVEit Cloud and MOVEit Transfer services and administrative capabilities.

Download Data Sheet

**MOVEit Architecture**

Any FTPS ServerAny SFTP ServerAny HTTPS ServerAny ASx Server Mainframe/Unix Server Network Share Any FTPS ServerAny SFTP Server Azure Blob AWS S3 Firewall Firewall Sharepoint Email ServerSMIME Email Server Email Server Internet DMZ Secure Network Web Browser Web Browser Microsoft Outlook Mobile Users Mobile Users Any FTPS ClientAny SFTP ClientAS2 or AS3 ClientOther MOVEit Clients Any FTPS ClientAny SFTP ClientOther MOVEit Clients FTPS, SFTP, HTTPS, ASx FTPS, SFTP, SMB FTPS, SFTP, HTTPS Secure Tunel HTTPS FTPS, SFTP, HTTPS, ASx Any FTPS ServerAny SFTP ServerAny HTTPS ServerAny ASx Server Sharepoint Email ServerSMIME Email Server Azure Blob AWS S3 Internet FTPS, SFTP, HTTPS, ASx DMZ Firewall Firewall Web Browser Mobile Users Any FTPS ClientAny SFTP ClientAS2 or AS3 ClientOther MOVEit Clients HTTPS Mainframe/Unix Server Network Share Any FTPS ServerAny SFTP Server Email Server SECURETUNEL Web Browser MicrosoftOutlook Mobile Users Any FTPS ClientAny SFTP ClientOther MOVEit Clients FTPS, SFTP, HTTPS FTPS, SFTP, SMB Secure Network

**Awards**

**MOVEit Earns Gold Medal in Latest Info-Tech Report**

MOVEit named industry leader in latest Info-Tech report on MFT vendors, placing first in quality and breadth of features.

Read the Report

**Related Resources**

**MOVEit Managed File Transfer FAQs**

**Start Your Free MOVEit Trial**

CVE-2023-6218: MOVEit Secure Managed File Transfer Software | Progress

An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar.
That's according to a new report from Zimperium, which discovered more than 200 malicious apps associated with the malicious operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions.

Mobile Security / Malware

An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar.

That's according to a new report from Zimperium, which discovered more than 200 malicious apps associated with the malicious operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions.

The campaign first came to light in late July 2023 when Sophos detailed a cluster of 40 credential-harvesting apps targeting customers of Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran.

The primary goal of the bogus apps is to trick victims into granting them extensive permissions as well as harvest banking login credentials and credit card details by abusing Android's accessibility services.

"The corresponding legitimate versions of the malicious apps are available at Cafe Bazaar, an Iranian Android marketplace, and have millions of downloads," Sophos researcher Pankaj Kohli said at the time.

"The malicious imitations, on the other hand, were available to download from a large number of relatively new domains, some of which the threat actors also employed as C2 servers."

Interestingly, some of these domains have also been observed to serve HTML phishing pages designed to steal credentials from mobile users.

The latest findings from Zimperium illustrate continued evolution of the threat, not only in terms of a broader set of targeted banks and cryptocurrency wallet apps, but also incorporating previously undocumented features that make it more potent.

This includes the use of the accessibility service to grant it additional permissions to intercept SMS messages, prevent uninstallation, and click on user interface elements.

Some variants of the malware have also been found to access a README file within GitHub repositories to extract a Base64-encoded version of the command-and-control (C2) server and phishing URLs.

"This allows attackers to quickly respond to phishing sites being taken down by updating the GitHub repository, ensuring that malicious apps are always getting the latest active phishing site," Zimperium researchers Aazim Yaswant and Vishnu Pratapagiri said.

Another noteworthy tactic is the use of intermediate C2 servers to host text files that contain the encoded strings pointing to the phishing sites.

While the campaign has so far trained its eyes on Android, there is evidence that Apple's iOS operating system is also a potential target based on the fact that the phishing sites verify if the page is opened by an iOS device, and if so, direct the victim to a website mimicking the iOS version of the Bank Saderat Iran app.

It's currently not clear if the iOS campaign is under development stages, or if the apps are distributed through an, as of yet, unidentified source.

The phishing campaigns are no less sophisticated, impersonating the actual websites to exfiltrate credentials, account numbers, device models, and IP addresses to two actor-controlled Telegram channels.

"It is evident that modern malware is becoming more sophisticated, and targets are expanding, so runtime visibility and protection are crucial for mobile applications," the researchers said.

The development comes a little over a month after Fingerprint demonstrated a method by which malicious Android apps can stealthily access and copy clipboard data by leveraging the SYSTEM\_ALERT\_WINDOW permission to obscure the toast notification that's displayed when a particular app is reading clipboard data.

"It's possible to overdraw a toast either with a different toast or with any other view, completely hiding the original toast can prevent the user from being notified of clipboard actions," Fingerprint said. "Any application with the SYSTEM\_ALERT\_WINDOW permission can read clipboard data without notifying the user."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

200+ Malicious Apps on Iranian Android Store Installed by Millions of Banking Users

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

**Já disponível: a Asana Intelligence se juntou à equipe com um jeito mais inteligente de trabalharSaiba mais**

Asana Home

**Navigation Instructions**Use left and right arrow keys to navigate between columns.Use up and down arrow keys to move between submenu items.Use Escape to close the menu.

*   **Por que a Asana?**
    
    *   Crie planejamentos de projetos, coordene as tarefas e cumpra todos os prazos
    *   Planeje e faça a gestão de campanhas, lançamentos e muito mais
    *   Desenvolva, expanda e agilize os processos para melhorar a eficiência
    *   Melhore a clareza, o foco e o crescimento pessoal
    *   Elabore roteiros, planeje sprints, faça a gestão dos envios e dos lançamentos
    
    **Para o seu fluxo de trabalho**
    
    *   Planeje, monitore e faça a gestão dos projetos da sua equipe do início ao fim
    *   Crie, lance e monitore as suas campanhas de marketing
    *   Projete, revise e entregue trabalhos inspiradores
    *   Acompanhamento de solicitações
        
        Monitore, priorize e processe as solicitações das equipes
    
    *   Colabore e faça a gestão do trabalho de qualquer lugar
    *   Seja mais consciente em relação à forma como administra o seu tempo
    *   Crie com rapidez, entregue com frequência, e monitore tudo de um só lugar
    *   Veja todos os fluxos de trabalho
        
    
    **Modelos**
    
    *   Página inicial dos modelos
        
        Comece com o pé direito usando modelos elaborados para as suas necessidades
    
*   **Principais funcionalidades**
    
    *   Asana Intelligence Novidade
        
        Amplie o impacto da sua equipe com a IA para Asana
    *   Construtor de fluxo de trabalho
        
        Crie processos automatizados para coordenar as equipes
    *   Crie em poucos minutos um atraente diagrama de Gantt
    *   Acompanhe o andamento do trabalho nos quadros Kanban
    
    *   Use um calendário compartilhado para visualizar o trabalho da equipe
    *   Integrações de aplicativos
        
        Descubra como a Asana integra múltiplos aplicativos para apoiar a sua equipe
    *   Acompanhe o progresso de qualquer fluxo de trabalho em tempo real
    *   Estabeleça metas estratégicas e monitore o progresso delas em um único lugar
    
    *   Envie e faça a gestão das solicitações de trabalho em um único lugar
    *   Agilize os processos, reduza os erros e perca menos tempo com as tarefas de rotina
    *   Veja a carga de trabalho dos membros da equipe nos diversos projetos
    *   Veja todas as funcionalidades
        
    
    **Todos os planos**
    
    *   Ideal para usuários individuais e pequenas equipes que desejam gerir as suas tarefas
    *   Ideal para as equipes em crescimento que precisam monitorar o progresso dos seus projetos e cumprir prazos
    *   Ideal para as empresas que precisam gerir um portfólio de trabalhos e metas de diversos departamentos
    *   
    
*   **Aprendizagem**
    
    *   Recursos para a gestão do trabalho
        
        Conheça boas práticas, assista a webinários, obtenha insights
    *   Saiba mais sobre o que há de melhor e mais recente na Asana
    *   Explore diversas dicas, truques e sugestões para obter o máximo da Asana
    *   Inscreva-se em cursos interativos e webinários para aprender a usar a Asana
    *   Blog Nos bastidores da Asana
        
        Descubra as novidades mais recentes da Asana sobre o produto e a empresa
    
    **Conexão**
    
    *   Saiba mais sobre os próximos eventos que ocorrerão perto de você
    *   Conecte-se e aprenda com outros clientes da Asana ao redor do mundo
    *   Precisa de ajuda? Entre em contato com a equipe de Suporte da Asana
    *   Saiba mais sobre os programas dos nossos parceiros
    
    *   Descubra como desenvolver aplicativos na plataforma da Asana
    *   Asana para entidades sem fins lucrativos
        
        Obtenha mais informações e candidate-se ao nosso programa de descontos para organizações sem fins lucrativos.
    *   Asana para instituições de ensino
        
        Obtenha mais informações e candidate-se ao nosso programa de descontos para instituições de ensino.
    
    **Leituras em destaque**
    
    *   Apresentamos a Asana Intelligence:  
        a IA se juntou à equipe  
        ,DemonstraçãoAssista agora
        
    *   Promova o impacto dos funcionários: novas ferramentas para capacitar lideranças resilientes,RelatórioLeia mais
        
    *   Anatomia do trabalho: Índice global de 2023,RelatórioLeia mais
        
    
*   Enterprise
*   Preços

*   Fale com Vendas
*   Ver uma demonstração
*   Baixar o aplicativo

Aplicativo móvel

**Asana para iOS**

Aplicativo móvel

**Asana para Android**

Aplicativo móvel

**Asana para iOS**

Aplicativo móvel

**Asana para Android**

**Recursos na ponta dos seus dedos.**

O seu trabalho é sincronizado em tempo real na Web, no celular e nos aplicativos para computador. Planeje o seu dia. Compartilhe as ideias. Mantenha a equipe bem informada à distância. E tudo isso, desde qualquer dispositivo.

*   Minhas tarefas
*   Conversas
*   Caixa de entrada
*   Portfólios
*   Projetos
*   Adição rápida
*   Buscas
*   Metas

Perguntas frequentes

**Ficou com dúvidas? Nós temos as respostas.**

**Como posso baixar o aplicativo móvel da Asana?**

Sim. Faça download da Asana para iPhone e iPad na App Store. Faça download da Asana para celulares Android na Google Play Store. Recomendamos que você acesse as lojas no próprio dispositivo para ter a melhor experiência possível. Faça aqui o download da Asana para instalação em computador nas versões Mac, Windows (64-bit) ou Windows (32-bit).

**A Asana dispõe de um aplicativo instalável para computadores Mac ou Windows?**

**A Asana pode ser baixada sem custo?**

Sim, todos os aplicativos Asana podem ser baixados gratuitamente.

CVE-2023-49314: Baixar o aplicativo Asana para dispositivos móveis e computador • Asana

By Deeba Ahmed
The victim company, Gellyberry Studios, an independent game studio, developed Ethyrial: Echoes of Yore.
This is a post from HackRead.com Read the original post: Ethyrial: Echoes of Yore Hit by Ransomware, Player Accounts Deleted

As of now, no known ransomware gang has claimed responsibility for the cyberattack on Ethyrial: Echoes of Yore developers.

A devastating ransomware attack has wiped out a whopping 17,000 player accounts in the famous indie online MMORPG game Ethyrial: Echoes of Yore. The attack occurred on Friday in which all in-game items and progress got erased. 

Ethyrial: Echoes of Yore is developed by Gellyberry Studios, an independent game studio. It is a free-to-play old-school MMORPG in its early access phase on Steam. The game currently relies on monthly subscriptions and community support.

As per the official announcement from Gellyberry Studios, the attackers targeted the game’s Discord server and encrypted all data stored in the system and the local backup drive. 

“Last Friday morning, our server succumbed to a cryptographic ransomware attack. The attack systematically encrypted all data on the system/local backup drive and demanded a bitcoin ransom in exchange for decryption,” the statement read.

Attackers left a ransom demand, asking for payment in Bitcoin in exchange for data decryption. The developers have refused to pay the ransom, claiming that hackers usually deceive victims after receiving the payment.

Since the attackers compromised the backups as well, the developers had to rebuild the server and create new account and character databases. This will be a painstaking process as they had to reconstruct all the 17,000 impacted accounts manually.

The company stated they are “committed to restoring every item, level, pet, and other lost progress” as soon as the servers are restored. Furthermore, they want to compensate affected players for the issue by gifting them a complimentary premium pet.

The developers have also outlined a thorough security plan to prevent similar attacks in the future. This includes implementing decentralized backups, establishing VPN connections to their server, and introducing a whitelist for authorized IP addresses to access their server.

It is unclear who is responsible for the attack, as no specific group has come forward to claim responsibility. However, given the kind of items stolen, including character progression and virtual items, it seems unlikely that the attacker would sell the data on the Dark Web.

This isn’t the first time a game developer has suffered a ransomware attack. For example, in February 2021, game developer CD PROJEKT RED, the creator of Witcher 3, became a target of HelloKitty ransomware.

Then, in January 2023, League of Legends and Valorant creator Riot Games was threatened to pay a ransom of $10,000,000 to prevent hackers from leaking stolen source code. But unlike other instances, this time it’s the players who have been impacted instead of the company.

****_RELATED ARTICLES_****

1.  **Fake Cyberpunk 2077 Android App Delivering Ransomware**
2.  **How gamers should secure their accounts from cyber attacks**
3.  **Game giant Electronic Arts is the latest victim of massive data breach**
4.  **Android game developer EskyFun exposed 1 million gamers to hackers**
5.  **New BloodyStealer malware steals data from gamers on EA, Epic, Steam**

Ethyrial: Echoes of Yore Hit by Ransomware, Player Accounts Deleted

A WIRED analysis of more than 100 restricted channels shows these communities remain active, and content shared within them often spreads to channels accessible to the public.

In the wake of the October 7 Hamas attacks on Israel, people concerned about online extremism turned their attention to the encrypted messaging app Telegram, where a Hamas-aligned group posted graphic images of the group’s attacks to a channel that now has 1.9 million followers. That content was then shared widely across social media. Following public pressure on Apple and Google several weeks into the Israel-Hamas war, Telegram “restricted” two of the major channels used by Hamas. But it did not, as it may appear to some users, ban them.

A WIRED investigation reveals that rather than ban or delete Hamas channels or those run by right-wing extremist groups, Telegram is hiding them from the users of the two major app stores, but they are still there. Some of the content from restricted channels is being shared broadly in unrestricted ones—despite Telegram’s mechanisms for stopping the sharing of such content. The findings show that while Telegram makes some of its most violative communities difficult to find, the people in restricted channels are still able to spread their messages, experts say, and the channels continue to function as spaces of radicalization.

WIRED and Jeff Allen, cofounder of the tech policy think tank the Integrity Institute, analyzed over 100 restricted channels and thousands of posts over more than two months. Most of these channels include content related to right-wing extremism and other forms of radicalized hate. WIRED’s analysis found that most of these channels remained active even when restricted.

“What they’re doing is making \[channels\] not show up in your search and discoverability, but they’re keeping them on the back end,” says Nicole Stewart, assistant professor of digital media at Texas State University.

Founded by Pavel Durov in 2013, Telegram has long been a favorite platform for extremists. Its channels have no limit on the number of subscribers who can join (groups have a 200,000-person limit), and its approach to content moderation has meant that groups and content that might violate the terms of service on platforms like Facebook, Instagram, and X (formerly Twitter) remain accessible.

WIRED examined 108 restricted channels, including the Hamas-aligned channels Telegram restricted in late October, and 365 unrestricted channels over more than two months. Fifty-four of the public, unrestricted channels included content forwarded from the restricted channels, suggesting that they share overlapping membership. While some restricted channels have only a handful of messages per week, others, like the right-wing channel rlwolf\_9999, have upwards of 1,000.

Most of the channels were restricted during the months WIRED monitored them. However, in examining the Hamas channels that were restricted after the October 7 attacks, WIRED found that while content views dropped significantly—by about 70 percent—they still remained active, with the Hamas military-affiliated channel @qassambrigades continuing to share more than 20 pieces of content per day. Although views on the restricted channel often dipped, WIRED found that content from @qassambrigades was copied and pasted into the unrestricted channel @hpress, a popular news-focused channel that has over half a million subscribers.

“It’s not surprising that in a restricted environment that you’ll start to see that same network-sharing pattern,” says Stewart. “It’s what they do to share their own ideological beliefs and spread the message.”

Experts who study extremist groups on Telegram tell WIRED that the platform typically moderates these groups’ content in response to pressure from governments, law enforcement, or entities like Google and Apple that have the ability to restrict the app’s availability.

“What we seem to know from experience is that when Google and Apple say, ‘Hey, remove this,’ that’s when Telegram comes in and starts removing things,” claims Aleksandra Urman, a researcher at the University of Zurich who has studied Telegram and the far right in Europe. That also speaks about the “power of Google and Apple,” Urman says, because both companies are able to exert influence over Telegram’s moderation decisions.

While Telegram is available for download on Google Play and the Apple App Store, both Google and Apple disallow apps that promote hate speech, terrorism, and violent content. For example, Google’s terms of service say it doesn’t “allow apps with content related to planning, preparing, or glorifying violence against civilians” or “apps that promote violence, or incite hatred against individuals.” Apps that violate these standards can be removed from Google Play or the App Store, significantly limiting their availability. That both app stores offer Telegram for download suggests the app is complying with the companies’ terms of service.

Apple did not respond to a request for comment. Google spokesperson Danielle Cohen tells WIRED, “Play apps that contain or feature UGC \[user-generated content\], including apps which are specialized browsers or clients to direct users to a UGC platform, must implement robust, effective, and ongoing UGC moderation. This includes providing an in-app system for reporting objectionable UGC and users and taking action against that UGC and/or user where appropriate.”

Telegram did not respond to WIRED’s request for comment.

In 2021, Telegram released a version of the app that could be downloaded directly onto Android, which the company billed as having “fewer restrictions.” Downloading the app directly puts it outside the scope of Google Play’s terms of service. Users who have this “sideloaded” version of Telegram can continue to see and post in restricted channels that regular users can’t access.

Cohen, the Google spokesperson, tells WIRED that “Google does not control app distribution on Android,” noting that Android’s open operating system means apps can be downloaded from other Android app stores or directly to users via an app’s website.

Telegram’s terms of service state that users may not “promote violence on publicly viewable Telegram channels, bots, etc.,” but it says nothing about how the platform responds to users who violate these rules. Telegram did not respond to questions about how it assesses whether a channel should be restricted or banned entirely, as it has done to Islamic State-affiliated channels in the past.

In a post on his public Telegram channel on October 13, Durov addressed the pressure to remove Hamas channels and content, saying, “Every day, Telegram’s moderators and AI tools remove millions of obviously harmful content from our public platform.” He also asserted that because Telegram doesn’t algorithmically amplify content, “it’s unlikely that Telegram channels can be used to significantly amplify propaganda.”

While Telegram may not be algorithmically promoting content, it is used to spread hateful ideologies, experts say. “Hate groups and designated terrorist groups who are using the platform as a way to mobilize the troops, basically, they’re functioning as influencers,” says Stewart of Texas State University. Part of that work is sharing and promoting the posts and ideas of other aligned groups and influencers, pushing users deeper into the extremist ecosystem.

When a Telegram user from a restricted channel forwards content to a nonrestricted channel, that content won’t be visible to anyone in the channel who has downloaded the app from Apple’s App Store or Google Play. But a simple copy and paste easily circumvents this feature for text-based messages. WIRED and Allen found over 400 instances where text-based content was copied word for word into both restricted and nonrestricted channels, with users often tagging the restricted channels in the unrestricted ones. The analysis did not include images and videos, which also comprise a considerable amount of the content.

For instance, messages sent to an unrestricted channel called OfficialTheCollective, with more than 4,000 members, included tags to restricted channels like SpecialQForces, a QAnon conspiracy channel, and often encouraged users to join.

One message posted to OfficialTheCollective even instructs users how to get around Google and Apple’s restrictions, saying, “Google and Apple \[are\] censoring the Telegram app downloaded via Google Play and Apple App Store. Use the web browser.” The message includes instructions about how to sideload Telegram, including a link to an instructional video on the video platform Rumble, which is popular with right-wing influencers.

In the unrestricted ExpatsPortugalEngChannel, WIRED found a message referencing a riot by Eritrean migrants in Germany. “Where are all the liberals who wanted these invaders in their country with open arms?” the post reads. “WE need you to go talk to them nicely, go first before the NAZIS take charge since YOU going to need them now.” The text is identical to a post shared in the restricted channel @InTheEndGodAlwaysWins.

In some cases, Telegram will restrict channels based on local laws. This includes Germany, which has strict rules against hate speech and neo-Nazism. Heidi Schulze, a researcher at Ludwig-Maximilians-Universität München, says that she was able to access channels restricted in Germany by using VPNs and Dutch SIM cards, which tricked Telegram into treating her as though she weren’t in Germany at all. Channel restrictions “from Telegram’s perspective might be a smart thing because they’re adhering to the local laws, but they’re not deleting channels,” she claims, as it would allow the platform to retain its claim of protecting freedom of speech.

But Urman, of the University of Zurich, says that restricting the channels can also create a space for more radicalization. “People who are likely to follow these groups even after they are restricted, who really want to see that content and are going to seek out the technical possibilities to do that, are more likely to be more radical,” she says.

Having already been “deplatformed” in some capacity can also mean that content is likely to be more extreme because channel operators are no longer factoring in a fear of content moderation, according to Urman. “These groups, even when they are restricted, are probably conducive to radicalization,” she says. “You’re not going to plan, in most cases, a certain attack out in the open. But now you’re not in the open. You are among your club.”

Rita Katz, executive director and founder of SITE Intelligence Group, a consultancy that monitors terrorist groups online, believes the company’s decision whether to ban a channel likely hinges on laws and enforcement. “The European Union has strong-armed Telegram to take action against ISIS and al Qaeda since 2015, and the company acted even more surgically against the groups’ networks in 2019,” claims Katz. “Telegram began deleting whole channels and accounts, not only of administrators or ISIS- and al Qaeda-connected accounts but also of everyone in those chat groups and channels.”

When a user forwards a message from a restricted channel to a nonrestricted one, a notice will appear to anyone who doesn’t have the “sideloaded” version of the app saying that the message can’t be displayed on that user’s device. WIRED’s analysis of thousands of restricted pieces of content found that only 36 of them appeared with the notice that they were restricted for violating Telegram’s terms of service. This means that a majority of restricted channels and content appear to be an effort to comply with the policies of Google and Apple, which can drop the app from their stores.

“Unless Telegram’s operations are going to be threatened somehow,” claims Stewart, “it’s probably not a priority for them.”

Tag

#android