The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

Released today, the Malwarebytes State of Malware 2024 report takes a deep dive into the latest developments in the world of cybercrime. 

As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. Sadly, there’s not a lot you can do to prevent incidents like these yourself, other than stay on top of the news and protect yourself against identity theft. 

But other threats you can do something about. So in this article we’ll focus on what threats affect you directly and how you can protect yourself. 

**Privacy **

In the last year, the UK’s Online Safety Act attempted to challenge the status quo for social media and messaging companies. The act was widely interpreted as a demand that companies scan users’ messages for illegal material, and is a first warning about the directions in which privacy may continue to be threatened in the name of greater good.  

It also acts as a reminder to be careful about what you share, even if you are under the impression that you are using the internet securely. We have seen news of ChatGPT leaking user’s information and law enforcement asking for backdoors in encryption routines. 

**Passwords **

Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished.

We’d like to see more companies embrace new methods of authentication and wave passwords goodbye: Too many breaches have shown us that user education only works for those that were already doing the right things. Keeping track of the hundreds of passwords an average user has, along with the relative complexity of using a password manager have convinced us it’s time for a better alternative. 

**Malvertising **

If the last year has taught us something, it’s that scammers and malware peddlers can afford to buy sponsored search results and outbid the brand owner so that their links come out on top. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware. 

Despite efforts on the side of search providers like Google, the cybercriminals remained one step ahead, able to consistently bypass ad verification checks all year. The type of malware that’s used varies with each campaign but infostealers (which gather information from your computer, such as usernames and passwords) were the most common type. 

**Banking Trojans **

Banking trojans are one of the most serious threats facing Android devices. Banking trojans come disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular apps like Instagram. 

The malicious app asks the user for permissions that allow it to monitor what happens in other apps and will then create overlay screens for legitimate apps. This allows them to capture login credentials and even multi-factor authentication (MFA) tokens.

**Mac malware **

The days of “my Mac is safe” and “Macs don’t get malware” are definitely over. There are many signs that criminals are taking note of the platform’s increasing popularity by enabling attacks to target both Windows and Mac users at the same time. 

Contrary to outdated beliefs, malware for Macs has always existed, it was just considered less serious since most Mac malware was adware or potentially unwanted programs (PUPs). This is changing. For example, in September, 2023, Malwarebytes discovered a cybercriminal campaign spreading Atomic Stealer (AMOS) malware to Mac users through malicious ads. AMOS malware can steal passwords from browsers and Apple’s Keychain, as well as grab files.

**Malwarebytes  **

Malwarebytes has solutions to safeguard individuals’ data and identities. We can protect your Android and iOS devices, Macs, Chromebooks, and Windows systems. We also have software to protect your identity, safeguard your online privacy, and block unwanted ads and trackers.

 State of Malware 2024: What consumers need to know 

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.
Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called **VajraSpy**.

Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.

"VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko said. "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera."

As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.

*   Privee Talk (com.priv.talk)
*   MeetMe (com.meeete.org)
*   Let's Chat (com.letsm.chat)
*   Quick Chat (com.qqc.chat)
*   Rafaqat رفاق (com.rafaqat.news)
*   Chit Chat (com.chit.chat)
*   YohooTalk (com.yoho.talk)
*   TikTalk (com.tik.talk)
*   Hello Chat (com.hello.chat)
*   Nidus (com.nidus.no or com.nionio.org)
*   GlowChat (com.glow.glow)
*   Wave Chat (com.wave.chat)

Rafaqat رفاق is notable for the fact that it's the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.

The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.

This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

It's also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.

Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).

Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another group that has been flagged as operating with Indian interests in mind.

The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or "com.moneyfine.fine") as part of an extortion scam that manipulates the selfie uploaded as part of a know your customer (KYC) process to create a nude image and threatens victims to make a payment or risk getting the doctored photos distributed to their contacts.

"These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money," Cyfirma said in an analysis late last month.

It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.

According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by Nigeria-based cybercriminal group known as Yahoo Boys.

"Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz," NCRI said.

Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it's "not aware of any successful extortion attempts that occurred while communicating on the Wizz app."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware

By Deeba Ahmed
CloudFlare Servers Were Hacked on Thanksgiving Day Using Auth Tokens Stolen in Okta Breach.
This is a post from HackRead.com Read the original post: Cloudflare Hacked After State Actor Leverages Okta Breach

The aftermath of the 2023 Okta breach continues to unfold, with Cloudflare disclosing the details of its security compromise.

Cloudflare, a globally renowned cloud services provider, experienced a security incident on Thanksgiving Day, 23 November 2023, allowing unauthorized access to their internal Atlassian server. The company confirmed no customer data or systems were affected by the intrusion, which was effectively blocked within 24 hours.

The investigation was concluded recently. According to the company’s blog post published on 2 February 2024, Cloudflare detected the breach on 24 November 2023 and the investigation was launched on 27th November in cooperation with CrowdStrike, called Project Code Red. 

Cloudflare’s systems were accessed by attackers using an access token and three service account credentials were stolen during a previous Okta breach in October 2023. The threat actor gained access to its Atlassian environment using stolen credentials, reportedly seeking information about Cloudflare’s global network’s architecture, security, and management. It is worth noting that Cloudflare’s Atlassian system is responsible for managing internal collaboration tools like Confluence and Jira. 

> _“The threat actor accessed Jira tickets about vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself. The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of Salt, but they did not target customer data or customer configurations.”_
> 
> Cloudflare

Cloudflare discovered that a ‘nation-state attacker’ could be responsible for their server’s breach. However, the company did not share further details on the possible perpetrator. The attacker accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system on 14 November 2023.

Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas stated that on November 22, hackers gained persistent access to their Atlassian server, source code management system, and console server.

They also unsuccessfully attempted to gain access to a data center in São Paulo, Brazil, which was not yet put into production by Cloudflare. As a precautionary measure, every piece of equipment at its Brazil data center was returned to manufacturers to ensure the facility was safe.

As for prevention, response measures from Cloudflare’s staff included rotating all 5,000 unique production credentials, physically segmenting test and staging systems, performing forensic triage on around 4,983 systems, and re-imaging and rebooting global network systems.

According to Cloudflare, this includes all Atlassian servers, including Bitbucket, Jira, and Confluence. Although all remediation efforts were completed by 5th January, Cloudflare is still actively focusing on software hardening, and credential and vulnerability management.

For your information, Okta, an identity and access management services provider, reported a data breach on 23 October 2023, allowing unauthorized access to files, including session tokens, which could be used for hijacking attacks.

The attacker compromised a stolen account between September 28 and October 17, 2023, to view, update, and extract sensitive data by accessing Okta’s support case management system. 

Okta’s chief security officer, David Bradbury, revealed that at least 134 customers were impacted by the breach and some files were HAR files containing session tokens, which could be used for session hijacking attacks.

Many firms have reportedly been targeted with stolen Okta credentials, Cloudflare being one of them. Previously, 1Password, one of Okta’s customers, reportedly was targeted. On September 29, 2023, 1Password detected suspicious activity where a threat actor used a stolen session token to access its Okta administrative portal.

1.  **10 Top DDoS Attack Protection and Mitigation Companies**
2.  **Whitehat hacker bypasses SQL injection filter for Cloudflare**
3.  **LAPSUS$ Hackers Hack Microsoft and Okta, Leak Trove of Data**
4.  **Google, Cloudflare, AWS Disclose Largest DDoS Attack in History**
5.  **Cloudflare Launches Android and iOS version of 1.1.1.1 DNS Service**

Cloudflare Hacked After State Actor Leverages Okta Breach

By Waqas
Anonymous Sudan alleges that the cyber attack they conducted has crippled the reservation system and other online assets of the targeted entity.
This is a post from HackRead.com Read the original post: Anonymous Sudan Claims DDOS Attacks on UAE’s Flydubai Airline

Anonymous Sudan claims responsibility for the cyber attack, citing their belief that the UAE is providing support to the Rapid Support Forces (RSF) in Sudan as their motive.

Anonymous Sudan, the pro-Palestinian and Russian hacktivist group, has taken credit for a series of Distributed Denial of Service Attacks (DDoS attacks) on Flydubai, an Emirati government-owned airline in Dubai, United Arab Emirates.

The group’s latest claim closely follows their January 16th, 2024 announcement of targeting Thuraya Mobile Satellite Communications Company, an international mobile-satellite service (MSS) provider based in Dubai, United Arab Emirates (UAE).

It is worth noting that in both cyber attacks, the motives revealed by Anonymous Sudan were the UAE’s apparent support to the Rapid Support Forces (RSF) for communication. Notably, RSF is a paramilitary force formerly operated by the Government of Sudan, accused by the hacktivists of committing war crimes against the Sudanese people.

The alleged cyber attack was announced on February 1, 2024, by the group through its official Telegram channel. Anonymous Sudan typically announces its attacks via Telegram, with no known website utilized by the group thus far.

> _“We have conducted a significant cyber attack on the digital infrastructure of FlyDubai. We have hit the most critical parts of FlyDubai’s digital infrastructure in one. We have confirmed that the network of Flydubai is completely disrupted. Attacks against the UAE will continue as they continue to support the genocidal Rapid Support Forces in Sudan. We therefore claim any damage to the overall health of FlyDubai systems and any collateral damage.”_
> 
> Anonymous Sudan

Despite Flydubai’s official website remaining online, Anonymous Sudan claimed in a subsequent message a few hours later that Flydubai’s infrastructure, including the reservation system, had been severely affected, leaving the airline’s website as the only functional asset.

However, Hackread.com’s attempt to book a ticket on Flydubai’s website proved successful. Here’s what Anonymous Sudan had to say on Telegram:

Anonymous Sudan on Telegram (Screenshot: Hackread.com)

Hackread.com has reached out to Flydubai for a comment, and should the company respond, we will update this article accordingly. Nevertheless, DDoS attacks have emerged as a significant concern for businesses of all scales. According to Kaspersky’s report, the DDoS economy is flourishing on the dark web, with an increasing number of cybercriminals setting their sights on critical infrastructure.

While there are DDoS attack-mitigating companies out there, the first line of defence is to secure your IoT devices from becoming a zombie for botnets utilized in such attacks. Therefore, whether you are an unsuspecting user at home or administering a large corporation, make sure your cybersecurity defences are as strong as possible.

****RELATED ARTICLES****

1.  **ChatGPT Down? OpenAI Blames Outages on DDoS Attacks**
2.  **Google, Cloudflare, and AWS Disclose Largest DDoS Attack**
3.  **Popular Swing VPN Android App Turned Out to be DDoS Botnet**
4.  **DDoS Attacks Soar by 168% on Govt Services, StormWall Warns**
5.  **IoT Botnet DDoS Attacks Threaten Global Telecom Sector, Nokia**

Anonymous Sudan Claims DDOS Attacks on UAE’s Flydubai Airline

Researchers recently discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system.

Thursday, February 1, 2024 14:00

I’d hate to be labeled a “car guy” now mentioning my new electric car in the lede of two newsletters in a row, but I couldn’t resist. 

I’d been reading headlines for years about how electric cars (most notably Tesla) were vulnerable to a range of security vulnerabilities, even some that could allow bad actors to steal the car if they were close enough to the car’s keys. While I don’t own a Tesla, I am now more invested in following the various ways attackers can take advantage of the connectivity of electric cars. 

I’ve bemoaned before about everything being “smart” now, but there’s no escaping it if you want to convert to an electric vehicle. They’re all Wi-Fi connected so drivers can control the charging speed and timing of their cars, monitor public charging stations and communicate with the dealer about any electrical failures. 

A whole new slew of electric car-related vulnerabilities came out last week thanks to the Pwn2Own hacking event in Tokyo as part of the Automotive World conference. Car and charging companies were offering a combined $1 million in bug bounty payments for researchers who could find security vulnerabilities in a range of cars and electric car-related products like home chargers. 

In all, researchers discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system. Other vulnerabilities were discovered in ChargePoint and Juicebox products, two prominent manufacturers of home, travel and commercial electric charging equipment. Although few details are available on the specific vulnerabilities, the Zero Day Initiative said on its blog that one researcher “was able to execute his attack against the ChargePoint Home Flex.” 

Some of these exploits are funny to read about. Imagine an attacker taking the time to hack into a Tesla’s modem so they can turn on a car’s windshield wipers without the driver knowing. Tesla stated after Pwn2Own that none of the vulnerabilities discovered would be more than an annoyance for the driver.  

Certainly, previous vulnerabilities that could allow someone to drive away with your car would be more than an annoyance, but this latest batch of bugs has lower stakes than that.  

I could see a lot of traditionalists who are hesitant to switch to electric cars being hesitant because their 2011 Toyota Corolla doesn’t require the internet to run. That doesn’t mean that owning an electric car or installing a home charger are inherently risky. I would argue that the average IoT device or home router runs a higher risk of exposing your home network to a larger risk surface because they are often overlooked in security.  

As weird as it is to say, just like you patch an IoT device, it’s important to patch the firmware on your vehicle (gas-powered or not) regularly. Still, I’m not sure it’s time to just assume your electric car is going to be hacked like in “Cyberpunk 2077” because these vulnerabilities are out there. 

**The one big thing **

The FBI says it’s shut down the recently emerged Volt Typhoon, a Chinese state-sponsored actor. FBI Director Christopher Wray announced the disruption Wednesday during a hearing with a U.S. House committee. Volt Typhoon was first disclosed in mid-2023 for targeting outdated wireless routers, including some belonging to U.S. critical infrastructure. The hackers had been targeting U.S. water treatment plants, the power grid, oil and natural gas pipelines, and transportation systems, Wray said. 

**Why do I care? **

Aging network infrastructure is a problem for all users across the globe. As highlighted by Talos’ report on JaguarTooth last year, unpatched routers or older routers with security vulnerabilities are easy targets for state-sponsored actors, and they can often sit unnoticed on these devices for months or years. Volt Typhoon is particularly notable for its targeting of high-risk sectors and U.S. military bases.  

**So now what? **

The FBI and U.S. Cybersecurity and Infrastructure Security Agency warned router vendors to patch their devices as soon as possible to prevent the exploitation of vulnerabilities Volt Typhoon is known for using. All users should check to make sure their routers, regardless of make, model or age, have the latest firmware installed. We also have several recommendations for everyone to defend their network infrastructure and upgrade to newer hardware. 

**Top security headlines of the week **

**Ads displayed in several different popular mobile apps are part of a mass global surveillance effort,** with the information eventually being sold to national security agencies that can track the physical location, hobbies, and names of users’ family members. The ad-based tool, known as Patternz, strikes deals with smaller ad networks to gather information from users’ devices when they access some apps like Kik messenger and the 9gag online forum. While reporting from 404 Media shows a specific example targeting an Android user, the same methods work on iOS devices. Separately, security researchers also found that many push notifications on iPhones are unknowingly sending user information back to apps, even if the user doesn’t have those apps installed. When triggered, some push notifications will send app analytics and device information to remote servers belonging to other apps like TikTok, Facebook, Instagram and X, formerly known as Twitter. (404 Media, 9to5 Mac) 

**A cyber attack disrupted nearly all the government services of Fulton County, Georgia, this week,** with systems still recovering as of Wednesday afternoon. The attack is notable because Fulton County is where former U.S. President Donald Trump is charged and being tried for his involvement in trying to overturn the results of the 202 presidential election. The cyber attack also targeted the office of the District Attorney who investigated and is charging Trump. The county’s government phone systems were all down, as were access to court filings, tax processing and more. Law enforcement was still investigating the attack as of Wednesday afternoon, though county officials said they had not seen any evidence that personal information of employees or citizens had been stolen. (NBC News, CNN) 

**Cozy Bear, a well-known Russian APT, is reportedly behind two recent breaches at Microsoft and Hewlett Packard Enterprise (HPE).** Microsoft, calling the group “Midnight Blizzard” said in a blog post that they detected a state-sponsored attack on their internal systems on Jan. 12, 2024. Microsoft stated that the actor got in by abusing user accounts “to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity.” This was the second time in six months that Microsoft disclosed a state-sponsored actor targeting its internal systems. In the case of Cozy Bear, the hacking group allegedly monitored the email accounts of senior Microsoft executives and members of the company’s cybersecurity teams. Executives from HPE filed a notice with the U.S. Securities and Exchange Commission last week stating that the same actor “gained unauthorized access to HPE’s cloud-based email environment.” HPE said the actor initially gained access through a compromised Microsoft Office 365 email account. (Microsoft, Ars Technica) 

**Can’t get enough Talos? ****Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** e340aa9f08ce8128e17a3186053bfaf2dc119d98a64f7bc4d37fb7be03365c93   
**MD5:** 5800fc229e3a5f13b32d575fe91b8512   
**Typical Filename:** client32.exe   
**Claimed Product:** NetSupport Remote Control   
**Detection Name:** W32.Riskware:Variant.27dv.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201

The many ways electric cars are vulnerable to hacks, and whether that matters in a real-world

Plus: Google fixes dozens of Android bugs, Microsoft rolls out nearly 50 patches, Mozilla squashes 15 Firefox flaws, and more.

Later in January, Google released Chrome 121 to the stable channel, fixing 17 security issues, three of which are rated as having a high impact. These include CVE-2024-0807, a use-after-free flaw in WebAudio, and CVE-2024-0812, an inappropriate implementation vulnerability in accessibility. The final high-impact vulnerability is CVE-2024-0808, an integer underflow in WebUI.

Obviously, these updates are important, so check and apply them as soon as you can.

Microsoft

Microsoft’s January Patch Tuesday squashes nearly 50 bugs in its popular software, including 12 remote code execution (RCE) flaws.

No security holes included in this month’s set of updates are known to have been used in attacks, but notable flaws include CVE-2024-20677, a bug in Microsoft Office that could allow attackers to create malicious documents with embedded FBX 3D model files to execute code.

To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint, and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it, Microsoft said.

Meanwhile, CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability rated as critical with a CVSS score of 8.8. In one scenario for this vulnerability, the attacker could convince a victim to connect to an attacker-controlled malicious application, Microsoft said. “Upon connecting, the malicious server could compromise the protocol,” the software giant added.

Mozilla Firefox

Hot on the heels of its market-dominant competitor Chrome, Mozilla’s Firefox has patched 15 security flaws in its latest update. Five of the bugs are rated as having a high severity, including CVE-2024-0741, an out-of-bounds write issue in Angle that could allow an attacker to corrupt memory, leading to an exploitable crash.

An unchecked return value in TLS handshake code tracked as CVE-2024-0743 could also cause an exploitable crash.

CVE-2024-0755 covers memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

Cisco

Enterprise software giant Cisco has patched a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 and with a whopping CVSS score of 9.9, Cisco said an attacker could exploit the vulnerability by sending a crafted message to a listening port of an affected device.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said. “With access to the underlying operating system, the attacker could also establish root access on the affected device,” it warned.

SAP

SAP has issued 10 new security fixes as part of its January Security Patch Day, which includes several issues with a CVSS score of 9.1. CVE-2023-49583 is an escalation-of-privilege issue in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.

Meanwhile, CVE-2023-50422 and CVE-2023-49583 are escalation-of-privilege issues in SAP Edge Integration Cell.

Another notable flaw is CVE-2024-21737, a code injection vulnerability in SAP Application Interface Framework, which has a CVSS score of 8.4. “A vulnerable function module of the application allows an attacker to traverse through various layers and execute OS commands directly,” security firm Onapsis said. “Successful exploits can cause considerable impact on confidentiality, integrity, and availability of the application.”

Apple and Google Just Patched Their First Zero-Day Flaws of the Year

Chrome version 121 suffers from a javascript fork malloc vulnerability that indicates memory corruption upon crash.

    Searching the web for `javascript fork malloc bomb` returns results,e.g. [here][1]: and [here][2]:We got a javascript fork malloc bomb which crashed Chrome 121 on linuxwith SIGILL and about one in five runs the virtual machine freezes.SIGILL almost always is a sign of memory corruption :)On android it crashes the current tab without explanation.Firefox 121 on linux also crashes the current tab.In all cases except the sporadic freezes, the browser remains functioning,not counting the crashed tab.The javscript code is simply simple:`setInterval("document.body.innerHTML += document.body.innerHTML ",1);`[Online demo][3]: In case someone wants to test it on other browsersor debug.The GNU/linux tests took about 1.5 minutes in a virtual machine with4GB RAM and single core.[1]: http://wiki.glitchdata.com/index.php/Examples_of_fork_bombs#JavaScript[2]: https://gist.github.com/betandr/f0cbbb663accc3a76c11cc7661711566#javascript[3]: https://www.guninski.com/fork1.html

Chrome 121 Javascript Fork Malloc Bomb

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

**1\. **Set up two-factor authentication****

Do this for as many of your online accounts as you can, especially the major ones like your email and social media accounts. Two-factor authentication (2FA) adds an extra step of protection and makes it much harder for attackers to login as you. We recommend using authenticator apps or physical security keys, but sometimes SMS is the easiest option and that’s fine. In most services you won’t have to enter the 2FA code every time, only when using a new device.

**2\. Use a different password for every account**

If your password is breached on one site, cybercriminals can use that login information to access your other online accounts that use the same passwords. If you use a different password for each account they can’t do this. Make sure your passwords are long (15 characters or more is good) and use a mix of upper and lower case characters, numbers and symbols too.

To make it easy, you can chose a phrase or a line from a song you like (for instance: DancingInTheMoonlight1999!). You can also use a password manager built-in on your browser, or a stand-alone password manager (see below). If you’ve received a notification from Google, Malwarebytes or any other service telling you your password has been exposed make sure to not use it or any variation of it again for any of your accounts. 

**3\. Use a password manager**

Making different and complicated passwords for each and every online account you have is one thing, but **remembering** them all is a lot more difficult. That’s why we use a password manager, and why you should too. It will generate passwords for you and then remember them all. Choose a vendor you trust for it, or simply use Apple or Google.

**4\. Keep software and hardware up to date**

Make sure your computer, phone, browser, apps and other programs are always on the latest version. If someone finds a security bug, the company that makes that software or hardware will release a new version with a patch for the bug. If you’re not on the latest version, you will be vulnerable. We know it can sometime be a hassle to update the version – but it’s not only about the latest features, in many cases it’s about keeping you safe!

**5\. Double check everything**

Got an email or SMS saying your delivery has been delayed that asks you to click on a link? Double check that you are expecting a delivery from where it says it’s coming from. Got a message from a friend on Facebook that seems off? Double check via text or phone that it is really them. Is your CEO suddenly asking you to buy $5000 of gift cards on the company credit card? Double check that it really is the CEO (it probably isn’t). There’s a ton of scams out there and they are getting more and more sophisticated with time, you just have to stay vigilant and aware of it.

Does that restaurant you’re making a reservation with really need to know your actual date of birth? Does that shopping site really need to know your mother’s maiden name as a password reset question? Consider carefully where you share your data and keep in the back of your mind that the service you are using could be breached. If it is breached, what of your information would be taken? If you can use false information, we really encourage you to do that. Pro-tip: create an “avatar online identity” for yourself with a separate email, date of birth and information you remember and use this information for vendors that don’t require your real identity.

**7\. Cover your camera**

When your camera isn’t in use, make sure you cover it with a physical cover. You can get webcam covers that slide open and shut to make it easy for you to use your camera when you like, and they look a lot nicer than a sticking plaster! Hackers have been known to take over webcams and take snapshots – so sometimes a physical cover is our last line of defense!

**8\. Use an identity monitoring solution**

Identity theft is a real challenge today, including stealing your credit and even opening new lines of credit in your name. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after. Malwarebytes Identity Theft Protection can help with this.

**9\. Check what data of yours has already been exposed**

It’s very likely that your personal information has already been involved in a breach, but you might be wondering how much information can be gained about you from all the pieces of data about you that’s online—aka your digital footprint. We created a tool that will show you just that. You enter your most commonly-used email address, we’ll run a scan and then we’ll send you the results. Try the free scan now.

**10\. Use security software**

Finally, make sure you have protected your devices with security software. It doesn’t take long and it’s such a basic step we must all do. Malwarebytes Premium detects or blocks over 95 million pieces of malware a day so we definitely have you covered. We protect Windows, Mac, Chrome, Android, and iOS.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 10 things to do to improve your online privacy 

By Deeba Ahmed
QR Code Phishing has surged by a staggering 587%, with scammers exploiting it to steal login credentials and deploy malware.
This is a post from HackRead.com Read the original post: QR Code Phishing Soars 587%: Users Falling Victim to Social Engineering Scams

Check Point’s Live Cyber Threat Map identified 20,000 instances of QR code phishing and malware attacks within two weeks, highlighting the vulnerability of QR codes to cybercriminals. 

Check Point Software Technologies, a cybersecurity solutions provider, has published new research illustrating a typical QR code attack. In this attack, scammers utilize QR codes to redirect users to a credential harvesting page, adjusting the redirection chain based on the user’s device.

The goal is to install malware and steal credentials. Check Point’s Live Cyber Threat Map identified 20,000 instances of QR code attacks within two weeks, highlighting the vulnerability of QR codes to cyber criminals. 

Hackread.com previously reported that Check Point Research noticed a whopping 587% increase in QR-code-based phishing attacks between August and September 2023. This could be attributed to the lack of QR code protection in email security solutions and the widespread use of scanning QR codes. 

Security vendors worked to develop new protections, but threat actors responded with a new variation of QR code attacks. Recently Bitdefender observed a rise in YouTube stream-jacking campaigns using deepfake videos for cryptocurrency theft. YouTube stream-jacking is a cybercrime where criminals steal accounts using livestream pop-ups, QR codes, and malicious links. 

In October 2023, SlashNext reported a rise in QR-code-based phishing attacks using Quishing and QRLJacking. Quishing involves circulating a QR code with malware download links on various platforms, redirecting users to phishing websites or downloading malware.

It happens because QR codes have several layers of obfuscation, including the QR code itself, a blind redirect to another domain, and an anti-reverse engineering payload. These layers can be used to redirect users to suspicious activities or fake login pages. Hackers can increase their success rate by navigating conditional redirection.

Attacks sending QR codes with conditional redirection, using social engineering techniques and BEC 3.0. Check Point researchers provide multiple examples of how these phishing attempts will look like. In one such instance, users are requested for an annual 401K contribution statement by scanning the QR code. 

“The QR code has a conditional destination point based on browser, device, screen size, and more,” directed to different pages depending on these parameters, Check Point Research noted in their report shared with Hackread.com.

Users’ device type affects the display of links though, as Mac users see one link, while Android users see another. However, the result will be the same. Nevertheless, these attacks highlight the convincing nature of phishing attempts and the importance of multi-layered cybersecurity in preventing the consequences of such attacks.

Typically, default security layers will let go if the first redirect is clean. However, a complete security solution can prevent these attacks by blocking multiple layers. This includes email security, browser security, mobile security, anti-malware, and post-delivery security. These layers work together to block suspicious behaviour, inspect websites, and decode QR code attacks.

Phishing email and tactics employed by scammers in some of the attacks – Click and zoom for better quality (Credit: Check Point)

However, since such attacks are difficult to detect or thwart due to multiple obfuscation layers, security professionals need AI-based security, the ability to decode QR code attacks, and multiple layers of protection. By implementing these best practices, security professionals can substantially prevent phishing attacks and protect their systems.

****_RELATED ARTICLES_****

1.  Trezor Data Breach Exposes Email and Names of 66,000 Users
2.  Phishing 3.0: Crooks Leverage AWS in Deceptive Email Campaigns
3.  Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets
4.  Global malspam targets hotels, spreading Redline and Vidar stealers
5.  New Phishing Scam Hooks META Businesses with Trademark Threats

QR Code Phishing Soars 587%: Users Falling Victim to Social Engineering Scams

**According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?**

The attacker is able to cover and spoof elements of the UI. The modified information is only visual.

Tag

#android