Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called Silver RAT that’s equipped to bypass security software and stealthily launch hidden applications.
“The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence,” cybersecurity firm Cyfirma said in a report

Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called **Silver RAT** that's equipped to bypass security software and stealthily launch hidden applications.

"The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence," cybersecurity firm Cyfirma said in a report published last week.

The actors, assessed to be of Syrian origin and linked to the development of another RAT known as S500 RAT, also run a Telegram channel offering various services such as the distribution of cracked RATs, leaked databases, carding activities, and the sale of Facebook and X (formerly Twitter) bots.

The social media bots are then utilized by other cyber criminals to promote various illicit services by automatically engaging with and commenting on user content.

In-the-wild detections of Silver RAT v1.0 were first observed in November 2023, although the threat actor's plans to release the trojan were first made official a year before. It was cracked and leaked on Telegram around October 2023.

The C#-based malware boasts of a wide range of features to connect to a command-and-control (C2) server, log keystrokes, destroy system restore points, and even encrypt data using ransomware. There are also indications that an Android version is in the works.

"While generating a payload using Silver RAT's builder, threat actors can select various options with a payload size up to a maximum of 50kb," the company noted. "Once connected, the victim appears on the attacker-controlled Silver RAT panel, which displays the logs from the victim based on the functionalities chosen."

An interesting evasion feature built into Silver RAT is its ability to delay the execution of the payload by a specific time as well as covertly launch apps and take control of the compromised host.

Further analysis of the malware author's online footprint shows that one of the members of the group is likely in their mid-20s and based in Damascus.

"The developer \[...\] appears supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware," Cyfirma said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Syrian Hackers Distributing Stealthy C#-Based Silver RAT to Cybercriminals

Apple may be found negligent in an Airtags stalking lawsuit, but it has made improvements that may help potential victims

Each year, an estimated 13.5 million people in the US are victim to stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers.

AirTags are marketed as trackers that allow you to easily find lost belongings like keys and luggage. If you lose an object, you can find the AirTag in the Find My app on another Apple device. The tracker transmits its location via Ultra Wideband technology which is more accurate than Bluetooth when it comes to determining exact location. Since the tracker shares its location with the Apple devices of others, you can also find your AirTag over large distances.

AirTags are relatively cheap ($29), small (1.29”/3.19 cm) and can run for about a year before they need the battery replaced. This makes them an ideal tool for stalkers—they just need to attach one to something that they expect you to keep with you.

An important part of a negligence claim is whether the manufacture could have foreseen the issue—in this case, the stalking issue. This shouldn’t be a problem since lots of people were screaming from the rooftops that Apple was basically putting out a product for stalkers.

From the suit:

> “Prior to and upon the AirTag’s release, advocates and technologists urged the company to rethink the product and to consider its inevitable use in stalking. In response, Apple heedlessly forged ahead, dismissing concerns and pointing to mitigation featured that it claimed rendered the devices ‘stalker proof.'”

One plaintiffs’ lawyer argued that Apple did not make it possible, at the time the victim was stalked, for people being followed to locate an unwanted AirTag.

When the judge asked what Apple could have done better, the lawyer acknowledged that Apple has since made many fixes, but victims should have been alerted they were being subjected to unwanted tracking more quickly.

**How do the improvements Apple made help victims?**

Since AirTags were introduced, Apple has made some changes that can help potential stalking victims.

The most important one is that someone is now able to find out if an AirTag that they don’t own is moving with them over time.

On iPhones and iPads this is enabled by default, but it doesn’t hurt to check, especially if somoene may have had access to your device.

To make sure these options are enabled:

*   Go **to Settings** **\> Privacy & Security** > **Location Services**: Location Services should be on
*   Under **Location Services** > **System Services** > **Find My iPhone/iPad**: Significant Locations should be on.
*   Under **Settings** you also need to make sure you’re not in **Airplane Mode** and **Bluetooth** is on.
*   Open the **Find My** app, open the **Me** tab, and make sure **Tracking Notifications** are turned on.

If an unknown AirTag is following you, you’ll see an alert like this:

In the Find My app, you’ll be able to see how long the AirTag has been with you and you can use the Play Sound option to have the tracker emit a noise, which can help you find it.

For Android owners, Google has created a similar anti-stalking feature. Please note that the path to find the appropriate settings may vary with vendors and Android versions, but this should give you a good idea:

*   Select **Settings** \> **Safety and emergency** \> **Unknown tracker alerts**. Here you can allow alerts and do a manual scan for nearby trackers.

An unknown tracker alert is sent when someone else’s tracker device is separated from them and detected to be traveling with you and out of Bluetooth range from the owner. You can trigger any found AirTag to make a sound and you’ll be able to see how long it’s been with you on a map.

There are plans to broaden the scope of the tracker alerts besides AirTags. Companies including Samsung, Tile, Chipolo, Eufy, and Pebblebee have expressed interest in supporting this technology.

We’ll keep an eye on the lawsuit and let you know how it progresses.

 AirTags stalking lawsuit alleges Apple&#8217;s negligence in protecting victims 

Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

It’s been nearly two years since Russia’s invasion of Ukraine, and as the grim milestone looms and winter drags on, the two nations are locked in a grueling standoff. In order to “break military parity” with Russia, Ukraine’s top general says that Kyiv needs an inspired military innovation that equals the magnitude of inventing gunpowder to decide the conflict in the process of advancing modern warfare.

If you made some New Year’s resolutions related to digital security (it’s not too late!), check out our rundown of the most significant software updates to install right now, including fixes from Google for nearly 100 Android bugs. It’s close to impossible to be completely anonymous online, but there are steps you can take to dramatically enhance your digital privacy. And if you’ve been considering turning on Apple’s extra-secure Lockdown Mode, it’s not as hard to enable or as onerous to use as you might think.

If you’re just not quite ready to say goodbye to 2023, take a look back at WIRED’s highlights (or lowlights) of the most dangerous people on the internet last year and the worst hacks that upended digital security.

But wait, there's more! Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

23andMe said at the beginning of October that attackers had infiltrated some of its users' accounts and abused this access to scrape personal data from a larger subset of users through the company's opt-in social sharing service known as DNA Relatives. By December, the company disclosed that the number of compromised accounts was roughly 14,000 and admitted that personal data from 6.9 million DNA Relatives users had been impacted. Now, facing more than 30 lawsuits over the breach—even after tweaking its terms of service to make legal claims against the company more difficult—the company said in a letter to some individuals that “users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe.” This references 23andMe’s long-standing assessment that attackers compromised the 14,000 user accounts through “credential stuffing,” the process of accessing accounts using usernames and passwords compromised in other data breaches from other services that people have reused on multiple digital accounts. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the company wrote in the letter.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing victims who received the letter, told TechCrunch. “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

Russia’s war—and cyberwar—in Ukraine has for years produced novel hybrids of hacking and physical attacks. Here’s another: Ukrainian officials this week said that they had blocked multiple Ukrainian civilians’ security cameras that had been hacked by the Russian military and used to target recent missile strikes on the capital of Kyiv. Ukraine’s SBU security service says the Russian hackers went so far as to redirect the cameras and stream their footage to YouTube. According to the SBU, that footage then likely aided Russia’s targeting in its bombardment on Tuesday of Kyiv, as well as the Eastern Ukrainian city of Kharkiv, with more than a hundred drones and missiles that killed five Ukrainians and injured well over a hundred. In total, since the start of Russia’s full-scale invasion of Ukraine in February 2022, the SBU says it’s blocked about 10,000 security cameras to prevent them from being hijacked by Russian forces.

Last month, a Russian cyberattack hit the telecom firm Kyivstar, crippling phone service for millions of people across Ukraine and silencing air raid warnings amid missile strikes in one of the most impactful hacking incidents since Russia’s full-scale invasion began. Now, Illia Vitiuk, the cyber chief of Ukraine’s SBU security service, tells Reuters that the hackers accessed Kyivstar’s network as early as March 2023 and laid in wait before they “completely destroyed the core” of the company in December, wiping thousands of its machines. Vitiuk added that the SBU believes the attack was carried out by Russia’s notorious Sandworm hacking group, responsible for most of the high-impact cyberattacks against Ukraine over the last decade, including the NotPetya worm that spread from Ukraine to the rest of the world to cause $10 billion in total damage. In fact, Vitiuk claims that Sandworm attempted to penetrate a Ukrainian telecom a year earlier but the attack was detected and foiled.

This week in creepy headlines: 404 Media’s Joseph Cox discovered that a Google contractor, Telus, has offered parents $50 to upload videos of their children’s faces, apparently for use as machine learning training data. According to a description of the project Telus posted online, the data collected from the videos would include eyelid shape and skin tone. In a statement to 404, Google said that the videos would be used in the company’s experiments in using video clips as age verification and that the videos would not be collected or stored by Telus but rather by Google—which doesn’t quite reduce the creep factor. “As part of our commitment to delivering age-appropriate experiences and to comply with laws and regulations around the world, we’re exploring ways to help our users verify their age,” Google told 404 in a statement. The experiment represents a slightly unnerving example of how companies like Google may not simply harvest data online to hone AI but may, in some cases, even directly pay users—or their parents—for it.

A decade ago, Wickr was on the short list of trusted software for secure communications. The app’s end-to-end encryption, simple interface, and self-destructive messages made it a go-to for hackers, journalists, drug dealers—and, unfortunately, traders in child sexual abuse materials—seeking surveillance-resistant conversations. But after Amazon acquired Wickr in 2021, it announced in early 2023 that it would be shutting down the service at the end of the year, and it appears to have held to that deadline. Luckily for privacy advocates, end-to-end encryption options have grown over the past decade, from iMessage and WhatsApp to Signal.

23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits

By Waqas
In-depth analysis reveals concerning patterns in user data collection, with shopping and food delivery apps at the forefront.
This is a post from HackRead.com Read the original post: Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps, Study

According to Surfshark, a third of data collected by these apps is susceptible to tracking by third-party advertisers or data brokers, posing a significant threat to user privacy.

In the latest study conducted by Surfshark’s Research Hub, an in-depth analysis of 100 popular apps has revealed troubling trends in data privacy practices. The research zeros in on shopping and food delivery apps, shedding light on the unsettling reality that Amazon Shopping and Wish are leading when it comes to collecting user data.

It’s not surprising that Amazon is taking the lead, but unfortunately, it’s for all the wrong reasons. Back in November 2023, Atlas VPN **conducted a study** that uncovered some unsettling facts. Amazon, along with eBay and Afterpay, emerged as the top Android shopping apps when it comes to collecting user data, surpassing all other apps in their data-hungry practices.

****Shopping and Food Delivery Apps: Data Hungry Culprits****

Surfshark’s study indicates that among various app categories, shopping and food delivery apps stand out as the most data-hungry, with Amazon Shopping and Wish taking the lead. An unexpected revelation is that more than a third of data collected by these apps is susceptible to tracking by third-party advertisers or data brokers, posing a significant threat to user privacy.

****User Tracking and Linking: The Alarming Statistics****

According to the company’s **report**, On average, shopping and delivery apps collect a staggering 21 out of 32 possible data points, with a startling 95% linked directly to the user’s identity.

Wish emerges as the most data-hungry app within this category, collecting 24 out of 32 data points, and utilizing over a third of the data to track its users. **DoorDash** and Wish stand out, with 40% of collected data points dedicated to user tracking, including sensitive information like email addresses, precise location, and purchase history.

Amazon, on the other hand, while not engaging in user tracking, emerges as a unique data collector, amassing 25 out of 32 possible data points, all intricately linked to the user’s identity.

****Food Delivery Apps and Intrusive Data Practices****

Zooming in on food delivery apps, **Uber Eats** takes the lead in tracking the most data points, sharing 12 out of 21 collected data points with third parties. The study also scrutinizes GrubHub and Instacart, uncovering their respective data collection practices.

****App-wide Data Collection Trends****

An astonishing 1523 data points are collected across the 100 apps under scrutiny, averaging 15 unique data points per app. Notably, 90% of these apps collect essential usage, diagnostic, and identifier data crucial for their functionality. Two-thirds of the apps collect user names and coarse location, while almost half track precise location data.

****Facebook, Instagram, AI Generated Art, and Signal****

Facebook and Instagram emerged as the most privacy-invasive apps, collecting all 32 data points defined by Apple. The app with the lowest data collection appetite is AI Generated Art, standing out as the sole app that refrains from gathering any data points. **Signal**, not so surprisingly, stands out in the top 10 most privacy-sensitive list, collecting only one data point (phone number) that is not linked to or used to track the user.

Surfshark

****Recommendations for Users****

Surfshark advises users to scrutinize developers’ reputations and data retention policies before downloading apps. Additionally, paying attention to constant permission requests for access to sensitive information and limiting app access to information only when in use can contribute to enhanced privacy.

The study analyzed 100 apps across 10 categories, selecting them based on search engine results. Three layers of data points were considered: unique data points collected, data linked to the user, and data used to track the user.

Surfshark’s Lead Researcher, Agneska Sablovskaja, emphasizes, “Understanding an app’s privacy policy is crucial for safeguarding digital autonomy.” With this study, Surfshark aims to empower users with knowledge, allowing them to make informed decisions about the apps they choose to incorporate into their digital lives.

1.  **Watchdog Sues Adobe Over Mass Collection of Citizen Data**
2.  **Amazon Still Selling T95 TV Box with Pre-Installed Malware**
3.  **How data collected in gaming can be used to breach user privacy**
4.  **Lithuania wants users to dump Chinese phones citing data collection**
5.  **‘Off-Facebook Activity Tool’ lets users control data collected by websites**

Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps, Study

Being fully anonymous is next to impossible—but you can significantly limit what the internet knows about you by sticking to a few basic rules.

Beyond the web, trackers embedded in your mobile applications can gather data on your activity. On Android, you should turn off personalized ads through Google’s My Ad Center, simply toggling the setting to off. Also, delete your device’s advertising ID by going to **Settings, Privacy**, **Ads** and clicking on the **Delete advertising ID** option. There are also Android apps that will block cross-app trackers, such as DuckDuckGo’s browser app or the University of Oxford–developed TrackerControl. If you use iOS, go to **Settings,** **Privacy & Security, Tracking,** and toggle off **Allow Apps to Request to Track** to stop apps from tracking you across apps and websites.

For some people, a VPN may be useful for stopping their internet service provider from viewing their web traffic. VPNs can, however, see your online activity—in some cases keeping logs of it—and many are problematic. Our is Mullvad’s VPN, which is open source and accepts payments via cash mailed to its offices in Sweden.

Pick the Most Private Option

Every app, website, and service you use is likely to collect some data about you, but some collect more than others. Picking services that purposefully don’t collect information about you or that use end-to-end encryption, which stops companies from seeing the contents of your communications or data transfers, can help limit your exposure to the web. Generally, you want to avoid Big Tech.

For messaging, Signal collects very little information about who uses it, and it’s encrypted by default, meaning it cannot see the contents of the messages you send. For searching, DuckDuckGo, Brave Search, Kagi, Startpage, and Mojeek are our picks of the most privacy friendly search engines. For email, Proton and Tuta (formerly Tutanota) provide free end-to-end encryption options. OnionShare uses the Tor network to allow you to anonymously share files. Proton Drive offers encrypted file storage online, and Apple’s advanced data protection settings allow iCloud storage to be end-to-end encrypted once it is enabled.

If you're using a work laptop or phone, it's also worth keeping in mind that your employer can likely see many, if not all, of the things you do on those devices. If you're searching for a new job or running personal tasks, you likely want to do them on personal devices.

Check What You Post

As much as anything, being more anonymous online is linked to your mentality. Simply put, the less you share about yourself online, the less identifiable you will be. That means being careful about what you post on social media—not sharing information that could identify you, your location, or others around you.

For instance, if you want to create a new social media account that’s not tied to your identity, keep any names or personal information out of the account name. You should also not sign up using your primary phone number, email address, physical address, or any similar information that could be linked back to you. This doesn’t apply just to a new account you’re creating; it should be the wider way you think about all of your online behavior.

How to Be More Anonymous Online

Facebook has announced it will roll out a new option called Link History to mobile users around the world. What does that mean?

In what seems like yet another attempt to adapt its platform to prepare for new regulations, Facebook has started rolling out a new feature called Link History.

Link History allows users to view and re-visit links they have visited with their Facebook browsing activity.

Obviously Facebook will tell us that the new feature is for its users’ benefit, but we can see several ways in which this benefits Meta even more. The only positive for me is that it could be a handy option for finding that thing that you saw on Facebook that one time, but you can’t quite remember the details. This gets defeated partially by the fact that users that have Link History enabled report they were unable to see the Link History page at all when looking at Facebook on their laptop.

However, as Facebook tracking goes at least this is an option that you have some control over. On most, if not all, popular websites you’ll find Meta’s and other’s tracking pixels. With an ongoing battle against cookies and other trackers, this may be a new way for Facebook to track its user’s behavior.

With Link History, Facebook now has another separate place where it stores details about the websites you visit along with the settings to control that data. Settings that are, deliberately or not, hard to find and easy to misinterpret.

The company itself says:

> “When you allow link history, we may use your information to improve your ads across Meta technologies.”

Translated, this means that they will use the information to provide you with targeted ads.

Recently Meta got sued over coercing users to pay to stop tracking. Organizations concerned about our privacy say that by doing this, Meta has changed the user’s choices from “yes or no” to “pay or okay.”

Research in 2022 showed that in-app browsers inject JavaScript code into third party websites that cause potential security and privacy risks to the user. This resulted in a class-action complaint against Meta in San Francisco’s federal court, alleging the company built a secret workaround to Apple’s safeguards that protect iPhone users from tracking.

So this may be another attempt to follow users around on the web. Unlike on your desktop, clicking a link in Facebook, or Instagram, will open a special browser built into the app, rather than the default browser of the device.

For now, a limited number of Android and iPhone users will see this option appear in the Facebook Mobile Browser. But the company says it will roll out the option globally over time.

**How to turn link history on or off**

Link history is turned on by default so you will have to opt-out if you don’t want it.

1.  Tap any link inside the Facebook app to open Facebook’s Mobile Browser.
2.  Tap the three dots (more actions) in the bottom right, then tap **Go to Settings**.
3.  To turn link history on, tap the slider to on (blue) next to **Allow link history**, then tap **Allow** to confirm.
4.  To turn link history off, tap the slider to off (grey) next to **Allow link history**, then tap **Don’t allow** to confirm. 

**Note**: When you turn link history off, this will immediately clear your link history, and you will no longer be able to see any links you’ve visited. Facebook promises to delete the link history it’s created for you within 90 days.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Facebook introduces another way to track you &#8211; Link History 

By Waqas
Despite Google's proactive removal of these apps, the threat persists through third-party markets, compromising over 327,000 devices globally.
This is a post from HackRead.com Read the original post: New Xamalicious Backdoor Infects 25 Android Apps, Affects 327K Devices

The Xamalicious Backdoor can gain complete control over a targeted Android device without detection by the device’s security solution.

McAfee’s Mobile Research Team has uncovered a widespread Android backdoor threat, dubbed Xamalicious, showing sophisticated tactics to compromise user devices. The malware has exploited the Xamarin framework, employing its capabilities to hide malicious code within the APK file build process, enabling it to operate undetected.

This threat aims to gain accessibility privileges through social engineering, communicating with a command-and-control server to download a second-stage payload injected at runtime.

Once installed, the malware takes full control of the device, enabling various fraudulent actions such as clicking on ads, installing apps, and other financially motivated activities without user consent.

****Financial Motivation Unveiled:****

What sets Xamalicious backdoor apart is its direct connection to the notorious ad-fraud app, “Cash Magnet.” This link exposes a financially motivated agenda behind the attacks, as Cash Magnet engages in automated ad clicks, app installations, and other actions to generate fraudulent revenue.

****Ubiquitous Distribution and Persistent Threat:****

According to the McAfee Mobile Research Team’s blog post, approximately 25 malicious apps carrying Xamalicious backdoor have been identified, some of which infiltrated Google Play since mid-2020. Despite Google’s proactive removal of these apps, the threat persists through third-party markets, compromising over 327,000 devices.

The impact of this threat is far-reaching, affecting users across continents. The most significant activities have been observed in the USA, Brazil, Argentina, the UK, Spain, and Germany.

Countries targeted by Xamalicious Backdoor (Screenshot: McAfee Mobile Research Team)

Some of the affected apps that McAfee is urging users to delete are:

*   LetterLink
*   Logo Maker Pro
*   Track Your Sleep
*   Auto Click Repeater
*   Universal Calculator
*   Sound Volume Booster
*   Sound Volume Extender
*   Count Easy Calorie Calculator
*   Step Keeper: Easy Pedometer
*   3D Skin Editor for PE Minecraft
*   Essential Horoscope for Android
*   Astrological Navigator: Daily Horoscope & Tarot
*   NUMEROLOGY: PERSONAL HOROSCOPE & NUMBER PREDICTIONS.

****Dynamic Second-Stage Payload Raises Alarms:****

Once installed, the second-stage payload of the Xamalicious backdoor grants the malware full control over the device. This capability allows the malware to self-update the main APK and execute various activities, from acting as spyware to potentially operating as a banking trojan, all without requiring user interaction.

****Exploitation of Accessibility Services:****

The modus operandi of the Xamalicious backdoor involves tricking users into granting accessibility service permissions. Exploiting vulnerabilities and prompting users to activate these services despite OS warnings manually, the malware gains a foothold on the device.

Malware asking for Invasive permissions (Screenshot: McAfee Mobile Research Team)

****Stealthy Data Collection and Encryption:****

Xamalicious backdoor goes beyond typical malware by collecting extensive device information and communicating with a command-and-control server. The communication is safeguarded through the use of JSON Web Encryption (JWE) tokens. The malware’s DLL contains hardcoded RSA key values, opening the door for potential decryption during analysis.

****Protective Measures for Users:****

If you are using Android devices, it is crucial to protect them from the Xamalicious malware and other emerging Android threats. Users are strongly advised to exercise caution when granting accessibility service permissions, particularly when an app does not have a legitimate need.

Installing reputable security software, such as McAfee Mobile Security, is recommended to mitigate the risks associated with malware infections. Regular updates are crucial to ensure ongoing protection against evolving threats in the mobile landscape. Stay informed, stay protected.

****_RELATED ARTICLES_****

1.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
2.  **Android Malware FjordPhantom Steals Funds Via Virtualization**
3.  **Amazon, eBay and Afterpay as Top Android User Data Collectors**
4.  **New MMRat Android Trojan Uses Fake App Stores for Bank Fraud**
5.  **Android TV Boxes Infected with Backdoors, Hacking Home Networks**

New Xamalicious Backdoor Infects 25 Android Apps, Affects 327K Devices

Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.

Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.

Here’s what you need to know about the important updates you might have missed during the month.

Apple iOS

In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.

Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.

The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device.

Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.

Just one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older devices, alongside macOS Sonoma 14.2.1. The surprise iPhone update contains unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.

Google Android

The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation, Google said.

CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.

Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.

Google Chrome

Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.

It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.

Earlier in the month Google released Chrome 120, fixing 10 security flaws, including two rated as having a high severity. CVE-2023-6508 is a use-after-free bug in Media Stream, while CVE-2023-6509 is a use-after-free issue in Side Panel Search.

Microsoft

Microsoft’s December Patch Tuesday fixes over 30 vulnerabilities including several remote code execution (RCE) flaws. Among the critical fixes is CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6. The issue could see an attacker manipulate a malicious link, app, or file to trick the victim. However, you would have to click on a specially crafted URL to be compromised.

Meanwhile, CVE-2023-35628 is a Windows MSHTML Platform RCE bug rated as critical with a CVSS score of 8.1. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft said, adding that this could lead to exploitation before the email is viewed in the Preview Pane.

It was a fairly light Patch Tuesday, and none of the issues fixed in the month’s update cycle are known to have been exploited, but it still makes sense to apply the fixes as soon as you can.

Mozilla Firefox

Mozilla has fixed 18 security vulnerabilities in its Firefox browser, a third of which are rated as having a high severity. Of these, CVE-2023-6856 is a heap-buffer-overflow issue affecting WebGL DrawElementsInstanced method with Mesa VM driver that could allow an attacker to perform remote code execution and sandbox escape.

Meanwhile, Mozilla has also fixed memory safety bugs tracked as CVE-2023-6864 and CVE-2023-6873. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

Apache

The Apache Software Foundation has issued a patch for a flaw in its Struts 2 open source developer framework. Tracked as CVE-2023-50164, the issue is rated as critical with a CVSS score of 9.8.

Using the vulnerability, an attacker could manipulate file upload parameters to enable paths traversal. Under some circumstances, this could lead to uploading a malicious file and be used to perform RCE, according to a security advisory.

To fix the flaw, it’s important to upgrade to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible.

Atlassian

Enterprise software giant Atlassian has issued a patch to fix critical RCE vulnerabilities in its Confluence Data Center and Server. Tracked as CVE-2023-22522, the template injection vulnerability allows an authenticated attacker to inject unsafe user input into a Confluence page. “Using this approach, an attacker is able to achieve RCE on an affected instance,” Atlassian said in an advisory.

Marked as critical with a CVSS score of 9, the bug affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian “recommends patching to the latest version or a fixed LTS version” to address the issue.

Other patches released by Atlassian during the month include a fix for an RCE vulnerability in the Atlassian macOS app, an RCE bug in Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.

SAP

Business software maker SAP has released its December Security Patch Day, fixing several serious security flaws. The most critical, with a CVSS score of 9.1, are four escalation-of-privilege bugs in SAP Business Technology Platform tracked as CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.

“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” security firm Onapsis said.

Meanwhile, CVE-2023-42481 is an improper access control vulnerability in SAP Commerce Cloud with a CVSS score of 8.1. “This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity,” according to Onapsis.

Google Fixes Nearly 100 Android Security Issues

By Deeba Ahmed
Among others, developers of the infamous Lumma, an infostealer malware, are already using the exploit by employing advanced…
This is a post from HackRead.com Read the original post: Malware Leveraging Google Cookie Exploit via OAuth2 Functionality

Among others, developers of the infamous Lumma, an infostealer malware, are already using the exploit by employing advanced tactics like token manipulation and encryption in targeted attacks.

CloudSEK’s threat research team has reported a critical exploit affecting Google services, allowing threat actors to generate **Google cookies** continuously while ensuring continuous access to Google services even after a user performs a password reset. In a technical report, CloudSEK shared details of the exploit.

On October 20, 2023, CloudSEK’s AI digital risk platform XVigil discovered that on the Telegram channel, a developer/threat actor PRISMA had released a 0-day solution to address issues with incoming sessions of Google accounts.

AI-Translated Image: Russian to English

The solution offers session persistence, allowing the attacker to bypass security measures and enable cookie generation, gaining unauthorized access even when the account password is changed. The developer expressed openness to cooperation and potential collaboration on this newfound exploit.

Afterwards, **Lumma Infostealer** announced the feature’s integration with an advanced blackboxing approach on November 14, 2023. Rhadamanthys and WhiteSnake also announced similar blackboxing approaches. Lumma updated the exploit to counteract Google’s fraud detection measures on November 24, 2023. Other hackers, such as Stealc, Meduza, RisePro, and Whitesnake, implemented the feature. Hudson Rock posted a video from Darkweb demonstrating a hacker exploiting generated cookies on December 27, 2023.

CloudSEK threat researchers **revealed** that an undocumented Google Oauth endpoint named “MultiLogin” is the root of the exploit. The endpoint responsible for regenerating cookies was revealed through Chromium’s source code, which is an internal mechanism designed for synchronizing Google accounts across services.

The MultiLogin endpoint, as revealed through Chromium’s source code, operates by accepting a vector of account IDs and auth-login tokens, essential for managing simultaneous sessions or switching between user profiles seamlessly.

Chromium codebase examination confirmed that while the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled. Threat actors employ sophisticated tactics in cyber threats, such as Lumma’s exploitation of the undocumented Google OAuth2 MultiLogin endpoint.

Lumma’s approach entails manipulation of the token:GAIA ID pair, a critical component in **Google’s authentication process**. By applying encryption to this component, Lumma effectively masks the core mechanism of their exploit, hindering other malicious entities from duplicating their method. This strategic move preserves their exploit’s uniqueness in the competitive cybercrime landscape and provides them an edge in the illicit market.

Lumma’s subsequent adaptation involves using SOCKS proxies to circumvent Google’s IP-based restrictions on cookie regeneration, inadvertently exposing some details of the requests and responses, potentially compromising the exploit’s obscurity. Encrypted communication between the malware C2 and the MultiLogin endpoint is less likely to trigger alarms in network security systems, as standard security protocols generally overlook encrypted traffic.

This exploit can continuously regenerate cookies for Google services, demonstrating sophistication in Google’s internal authentication mechanisms and a shift towards stealth-oriented **cyber threats**, emphasizing concealment over effectiveness.

****_RELATED ARTICLES_****

1.  **Scammers Weaponize Google Forms in New BazarCall Attack**
2.  **Google Workspace Vulnerabilities Lead to Network-Wide Breaches**
3.  **Hackers Stole $59 Million of Crypto Via Malicious Google and X Ads**
4.  **Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID**
5.  **Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day Flaw**

Malware Leveraging Google Cookie Exploit via OAuth2 Functionality

Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.
South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.
“A notable point about attacks that

Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.

South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as **Kimsuky**.

"A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.

Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea's strategic objectives.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

The threat actor's espionage campaigns are realized through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.

One such prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL malware which has been put to use as early as May 2019 and has been updated with an Android version as well as a new variant written in Golang called AlphaSeed.

AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, like AppleSeed, incorporates similar features but has some crucial differences as well.

"AlphaSeed was developed in Golang and uses chromedp for communications with the \[command-and-control\] server," ASEC said, in contrast to AppleSeed, which relies on HTTP or SMTP protocols. Chromedp is a popular Golang library for interacting with the Google Chrome browser in headless mode through the DevTools Protocol.

There is evidence to suggest the Kimsuky has used AlphaSeed in attacks since October 2022, with some intrusions delivering both AppleSeed and AlphaSeed on the same target system by means of a JavaScript dropper.

Also deployed by the adversary are Meterpreter and VNC malware such as TightVNC and TinyNuke (aka Nuclear Bot), which can be leveraged to take control of the affected system.

The development comes as Nisos said it discovered a number of online personas on LinkedIn and GitHub likely used by North Korea's information technology (IT) workers to fraudulently obtain remote employment from companies in the U.S. and act as a revenue-generating stream for the regime and help fund its economic and security priorities.

"The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions," the threat intelligence firm said in a report released earlier this month.

"Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are only active for a short period of time before they are disabled."

North Korean actors, in recent years, have launched a series of multi-pronged assaults, blending novel tactics and supply chain weaknesses to target blockchain and cryptocurrency firms to facilitate the theft of intellectual property and virtual assets.

The prolific and aggressive nature of the attacks points to the different ways the country has resorted to evading international sanctions and illegally profiting from the schemes.

"People tend to think, … how could the quote-unquote 'Hermit Kingdom' possibly be a serious player from a cyber perspective?," CrowdStrike's Adam Meyers was quoted as saying to Politico. "But the reality couldn't be further from the truth."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#android