Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.

Thursday, November 9, 2023 08:11

*   Spammers are exploiting the "Release scores" feature of Google Forms quizzes to deliver email.
*   The emails originate from Google's own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim's inbox.
*   Volumes of these messages hovered near noise levels but have recently spiked into the hundreds.

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.

A histogram showing the volume of “Score released:” emails for the past two years.

Cisco Talos examined a recent spam campaign in which the Subject headers all contained the text, “Score released:”. During our investigation, we quickly realized these messages were being generated through a feature of Google Forms’ quizzes. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently.

**Google Forms’ quizzes**

In Google Forms, when creating a new form, an author can choose to “Make this a quiz.” Choosing to release grades “Later, after manual review,” enforces the collection of email addresses in the quiz.

An example Google Forms quiz is configured to release grades after manual review.

Elsewhere, under the settings for Responses, choosing “Responder input” allows a spammer to fill in their form using any victim’s email address.

An example form configured to allow responder-controlled values for email addresses.

Once the form is configured in this way, a link to the form can be obtained and accessed by the spammer. The spammer then fills out the form using the victim’s email address and submits it. Whether the question in the quiz is answered does not matter. Afterward, the fake quiz responses generated by the attacker can be viewed.

Quiz responses as seen by the Google Forms quiz owner.

Clicking the “Release scores” dialog in the upper right will prompt the form owner to “Send emails and release” the scores. The message delivered as part of the email can be customized to include any text or URL, and the message will then be delivered by Google using the “From:” address of the Google account that created the quiz. Because the email messages generated using this technique emanate from Google’s servers, they stand a good chance of being delivered to the victim’s inbox. 

**Google Forms quiz spam used in an elaborate cryptocurrency scam**

A recent example of one of these Google Forms quiz score release spam attacks appears below. 

An example of a recent spam campaign utilizing the “Release scores” feature of Google Forms quizzes.

When the victim clicks the “View” button in this email, they are directed to the fake form response generated by the spammer.

Clicking “View” on a “Scores released:” spam directs the victim to the spammer-generated form response.

In this particular form response, the spammer has provided a link “>>> GO TO THE SITE” which points to another Google Form that asks the victim to confirm their email address. At this stage of the attack, when an email address is entered into the second form, the victim is provided a form response containing a link to an external website: go-procoinwhu\[.\]top. 

After the victim “confirms” their email address they are presented with a link to a third party website.

The go-procoinwhu\[.\]top domain was created only just created on October 28, 2023, but it is already seeing a large uptick in the number of DNS queries requesting it.

Clicking the go-procoinwhu\[.\]top link in the Google Form response results in a 302 redirect from Cloudflare, which directs the victim to https://hdlgr\[.\]dudicyqehama\[.\]top/, which is also hosted by Cloudflare. This domain was also recently created (October 25, 2023), and exhibits a very similar DNS traffic pattern in Umbrella Investigate.

When the victim navigates to the dudicyqehama.top website, they are presented with an elaborate scam website that claims that the victim possesses more than 1.3 Bitcoin in their account as a result of “automatic cloud Bitcoin mining,” which the site claims is worth more than $46,000 USD. 

A malicious cryptocurrency-related website claims the victim has over 1.3 BTC. 

Once the victim clicks “Continue,” they are brought into the main website “login page.” The username and password are pre-filled into the login form, so the victim only needs to click the “Sign in” button. 

A fake login form for the scammer's website. The username/password are pre-filled into the form.

Once logged in, it is readily apparent that the website goes to great lengths to appear legitimate. The site even includes a group chat feature near the bottom where you can see various other users discussing cryptocurrency-related topics. As a logged-in user, the victim can even comment. Watching the text scroll by in the chat, it becomes apparent that they are recycling the same comments over and over, and these are not real users.

The scammer's website tries very hard to look legitimate. They even include a fake group chat.

When the victim attempts to claim their Bitcoin from the main site, they are redirected to what looks like a live chat with an agent named “Sophia.”

When the victim tries to claim their BTC they are directed to a “live” chat with an agent named “Sophia.”

Sophia chats with us for a moment before sending a form to fill out to collect the Bitcoin.

Sophia sends the victim a form to fill out to collect their BTC. 

The form asks the victim to fill in their name, email address and the cashout method the user prefers. 

The victim must fill out a form indicating how they wish to receive the money from the BTC they exchanged for USD.

Once the form has been filled out and submitted, the victim is again redirected back to the chat with Sophia, who proceeds to give us a button to kick off the currency exchange of BTC into USD.

Sophia finishes chatting with the victim and provides a button to facilitate the Currency Exchange.

Now, we can begin to see the end game for this particular scam. The victim is instructed that to claim the almost $48,000 USD, the victim must pay an “exchange fee” of 0.25%, or $64 USD.

To receive the USD from the converted BTC, the victim must pay an exchange fee of 0.25%.

When the victim clicks “Exchange Bitcoin,” they are presented with one last form where the victim is prompted to enter their name, email and phone number. 

A payment form from the scammers. They are asking for $64.

Clicking “Pay” brings up a QR code for the BTC wallet of the spammers. Fortunately, nobody has fallen for this scam and paid the attackers, as the connected Bitcoin wallet was empty as of November 6, 2023.

The BTC wallet the attackers are using to receive the “exchange fee.”

The amount of setup work necessary to conduct a spam attack such as this, combined with the extraordinary attention to detail put into the social engineering for the subsequent cryptocurrency scam, demonstrates just how far cybercriminals will go when it comes to separating victims from even a small amount of money. As is usually the case with scams such as this, when something sounds too good to be true, it often is.

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

Spammers abuse Google Forms’ quiz to deliver scams

Given the increased geopolitical importance of cybersecurity, NIS2 is a logical step in creating more harmonized and stronger defense capabilities across the European Union.

Thursday, November 9, 2023 08:11

NIS2 is a European directive that includes new measures to ensure that organizations operating in the European Union (EU) have a high common level of network and infrastructure security. 

The "directive" outlines the goals all EU member states must achieve. However, each country will implement it in their own law with room for some national specifics to reach these goals. Directives are binding in terms of minimal requirements for what should be implemented.

For example, if the directive imposes fines for organizations who are not in compliance, states can decide to go beyond the minimum fine and impose higher penalties for entities in their jurisdiction. 

NIS2 is a successor of the NIS1 Directive, which is considered the first EU cybersecurity law. Since its implementation in 2018, NIS1 has proven to be essential for the implementation of the EU Cybersecurity Strategy but not sufficient in addressing the challenges posed by the current cybersecurity threat landscape. NIS2 broadens the scope of the legislation by including new sectors and types of organizations which need to comply and introducing higher requirements for their cybersecurity.

Given the increased geopolitical importance of cybersecurity, NIS2 is a logical step in creating more harmonized and stronger defense capabilities across the European Union.

**What is new in NIS2 as compared to NIS1?**

*   Stricter cybersecurity requirements.
*   Broader scope — wider range of sectors and entities affected.
*   Change of identification mechanism – from active identification to self-identification.
*   Added requirements for supply chain cybersecurity.
*   Stronger compliance supervision from the national authorities.
*   Clearly defined administrative fines in case of non-compliance.
*   Establishment of cybersecurity information-sharing arrangements between interested entities, e.g., a platform for the exchange, automatic tools and content.

**Who needs to conform with NIS2?**

If you operate in the European Union in one of the subsectors listed in the Annex of the Directive and your organization is of a certain size or falls under one of the exceptions under Articles 2 & 3, you must conform to NIS2.

**Entities in scope**

NIS2 applies to public or private entities which qualify as or exceed the ceilings for medium-sized enterprise as outlined in Recommendation 2003/361/EC: a “medium” entity is “an enterprise which employs 50 or more persons and whose annual turnover and/or annual balance sheet total does exceed EUR 10 million.”

Regardless of their size, this directive also applies to several exceptions listed under Article 2 of the directive. Member states may also apply this directive to specific entities/institutions. It is therefore important to double-check with national authorities.

**Essential vs. important entities**

NIS2 divides entities into two categories — “essential” and “important” — depending on the expected impact of an incident. Both types must comply with the same security measures, but “essential” organizations will always be proactively supervised by the government, and “important” entities will only be checked after a cybersecurity incident. In other words, the control of essential entities is stricter due to the possible more dire consequences if that organization is found to be non-compliant.

**What measures need to be implemented as per NIS2?**

NIS2 includes a list of 10 key elements that all companies must address in terms of cybersecurity. The exact implementation of these measures should consider state-of-the-art technology and, where applicable, relevant European and international standards at an appropriate and proportionate technical level, and the cost of implementation.

The measures in NIS2 are as follows:

*   Policies on risk analysis and information system security.
*   Incident handling.
*   Business continuity, such as backup management and disaster recovery, and crisis management.
*   Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
*   Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
*   Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
*   Basic cyber hygiene practices and cybersecurity training.
*   Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
*   Human resources security, access control policies and asset management.
*   The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

**Incident reporting obligations**

NIS2 introduces strict incident reporting requirements, which are applicable to essential and important entities:

*   Within 24 hours of becoming aware of the incident, the entity must inform the national authority.
*   Within 72 hours of a more formal incident, and following an initial incident assessment, a second notification must be provided. It should include incident severity, impact and known indicators of compromise (IOCs).
*   Within a month of the formal incident notification, a final report must be submitted.

**Fines**

Essential and important entities face different administrative fines if they were to fail to meet the incident reporting obligations or general security requirements.

For “essential” entities, national laws must implement a certain level of administrative fines, notably a maximum of at least EUR 10,000,000, or 2% of the total worldwide annual turnover of the preceding fiscal year, whichever is higher.

For “important” entities, the maximum fine is of at least EUR 7,000,000 or at least 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

**When will NIS2 take effect?**

The NIS2 Directive was published on Dec. 27, 2022, and each EU member state has until Oct. 17, 2024, to transpose the NIS2 Directive into its national legislation. Once the national laws are effective, organizations that are in scope need to comply.

NIS2 requires that entities have documentation and processes to handle incidents. One of the foundational documents for coordinating the response efforts is an Incident Response Plan.

A Cisco Talos Incident Response Retainer offers several services, such as the incident response plan and IR playbook development, which can help customers create the documentation required by NIS2. Moreover, the training and simulation services in the Talos retainer can support customers in putting new and existing processes to the test and improving the team’s overall knowledge in the cyber domain.

Next week, we’ll have more information on creating an incident response plan for your organization that complies with NIS2. We have summarized seven of the most common mistakes when starting to write a brand-new plan or reviewing an existing document, and we will share practical advice on how to avoid them.

What is NIS2, and how can you best prepare for the new cybersecurity requirements in the EU?

When a homeless man attacked a former city official, footage of the onslaught became a rallying cry. Then came another video, and another—and the story turned inside out.

What a Bloody San Francisco Street Brawl Tells Us About the Age of Citizen Surveillance

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of October I was a guest lecturer at MIPT/PhysTech university. But first thing first.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239138

On October 3, I joined the Positive Technologies team. There I will work on developing Vulnerability Management practices. I have already worked at PT for 6 years, from June 2009 to October 2015. And now, exactly 8 years later, I’m here again. I feel very pleasant emotions about this and have many plans. 🤩 I am sure that in the PT team I will be able to implement many cool things for the development of Vulnerability Management in Russia and abroad. 🙂

**Vulristics**

As for my open source Vulristics vulnerability prioritization project, I’ve made a few important updates.

**NVD Data Source**

I corrected the NVD data source, because NVD has become much less tolerant in the use of its API. After 5 consecutive requests, the API returns an error:

    
    <html><body><h1>403 Forbidden</h1>
    Request forbidden by administrative rules.
    </body></html>

Request forbidden by administrative rules.

According to the documentation:

> “The public rate limit (without an API key) is 5 requests in a rolling 30 second window; the rate limit with an API key is 50 requests in a rolling 30 second window”.

For Vulristics, I made support for authentication using the NVD API key and sleeps of 0.6 seconds when using the key and 6 seconds without using the key.

To obtain an NVD API key, you need to specify your organization, organization type, and email in the form. After a few seconds, you will receive a one-time link via email, which will give you the key.

I also started using the NVD API v2.0 in Vulristics, which allowed me to get CISA KEV data on vulnerabilities being exploited in the wild. I also take links to exploits from NVD (however, be careful, these links are not always good enough).

**Custom Data Source**

I added a custom data source to Vulristics. This is a small but quite useful improvement. Sometimes you know for sure that there is an exploit for a vulnerability or a sign of exploitation in the wild. But the sources that Vulristics supports do not contain this data. 🤷‍♂️ How to take into account such facts in a Vulristics report?

Vulristics now has a custom data source. It does not make any requests to external sources. It simply reads JSON files from the data/custom\_cve directory. You can add your JSON file for some CVE to this directory. And you can set the parameters in this file that you want to define for this CVE. You don’t have to set all the parameters. You can only set the ones you want. For example, only links to exploits.

Of course, you don’t have to do this manually. You can generate such files using a script based on the data you have. 😉

File example:

    {
      "description": "Remote Code Execution in Chromium",
      "cvss_base_score": 9.2,
      "wild_exploited": true,
      "wild_exploited_sources": [
        {"type": "ransomware_info_source", "text": "RansomwareINFO", "url": "https://www.some-site-about-ransomware-attacks.com/12345"}
      ],
      "public_exploit": true,
      "public_exploit_sources": [
        {"type": "exploit_info_source", "text": "ExploitINFO", "url": "https://www.some-site-about-exploits.com/12345"}
      ],
      "epss": 0.97434,
      "epss_percentile": 0.99924
    }

**Linux Patch Wednesday**

I launched my new project – Linux Patch Wednesday! 🚀🥳 For Microsoft products we have a single day of increased attention – Microsoft Patch Tuesday, and for Linux there is no such day. Everything is too fragmented there and patches are released literally every day. But what’s stopping us from independently generating a list of CVEs fixed during the month and highlighting critical issues? Let’s try!

If Microsoft Patch Tuesday occurs every second Tuesday of the month, then Linux Patch Wednesday will occur **every third Wednesday** of the month!

I analyzed the public OVAL content of 5 Linux distribution vendors and uploaded the resulting monthly Linux Patch Wednesday bullruetins to Github. From March 2007 to November 2023. I invite you to check it out and, if you like it, give it a star. 🙂⭐️

I analyzed first October Linux Patch Wednesday bulletin using Vulristics! 🥳

I’m pleased with the result. The top looks adequate and corresponds to what I highlighted in my Russian-language telegram channel avleonovrus and blog avleonov.ru.

1.  **Memory Corruption** – Chromium (CVE-2023-5217). This is a vulnerability in the libvpx library, which was the most critical in the October Microsoft Patch Tuesday. There is a PoC on Github and signs of exploitation in the wild.
2.  **Elevation of Privilege** **/ Remote Code Execution** – GNU C Library (CVE-2023-4911). This is Qualys Looney Tunables. There has been a PoC for this vulnerability for a long time, but there are no signs of exploitation in the wild yet.
3.  **Denial of Service** – Golang Go (CVE-2023-29409). There is a PoC. Vulristics detected the software as TLS, since there is no hint of Go in the description of the CVE vulnerability. 🤷‍♂️
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Will also be in MSPT.  
    …
5.  **Memory Corruption** – Curl (CVE-2023-38545). Not a very critical vulnerability, but PoCs have appeared for it on Github.

The rest of the vulnerabilities are without exploits or signs of exploitation in the wild.

Full Vulristics report: linux\_patch\_wednesday\_october2023

**Microsoft Patch Tuesday October 2023**

I also released the Vulristics report on October’s Microsoft Patch Tuesday.

What is in the TOP:

1.  **Memory Corruption** – Microsoft Edge (CVE-2023-5217). This is a vulnerability in the libvpx library, which is used to play video in VP8 format. As in the recent libwebp case, this vulnerability affects many software products, but primarily web browsers. There is no public exploit yet, but there are signs of exploitation in the wild.
2.  **Elevation of Privilege** – Skype for Business (CVE-2023-41763). In fact, this is an information disclosure vulnerability. An unauthenticated attacker may send a special request to a vulnerable Skype for Business server and this will lead to the disclosure of confidential information. Such information may be used to gain access to internal networks. 🤷‍♂️ There are signs of exploitation in the wild and there are no public exploits yet. Several RCEs have also been released for Skype for Business.
3.  **Information Disclosure** – Microsoft WordPad (CVE-2023-36563). Exploiting this vulnerability could allow the disclosure of NTLM hashes. An attacker must send the user a malicious file and convince him to open it. Or, if an attacker has access to the host, he himself can run a special program on the host with the same result. This looks dangerous. There are signs of exploitation in the wild and there are no public exploits yet.
4.  **Denial of Service** – HTTP/2 protocol (CVE-2023-44487). Microsoft has released fixes for IIS (HTTP.sys), .NET (Kestrel) and Windows against the new effective DDoS attack “HTTP/2 Rapid Reset”. The problem is universal. Amazon, Cloudflare and Google recently reported that they were attacked via “HTTP/2 Rapid Reset”. So there are signs of exploitation in the wild.

There were no more vulnerabilities in Patch Tuesday that showed signs of exploitation in the wild or had a publicly exploit. You can also pay attention to:

🔻 20 Microsoft Message Queuing vulnerabilities, including some **RCEs**.  
🔻 **Remote Code Execution** – Microsoft Exchange (CVE-2023-36778). “Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session”. It doesn’t seem particularly critical, however “Exploitation More Likely.”  
🔻 **Elevation of Privilege** – Windows IIS Server (CVE-2023-36434). This is achieved through simplified password brute-force attack. 🤷‍♂️  
🔻 A pack of **Elevation of Privilege** vulnerabilities in Windows Win32k and Windows Graphics Component. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

Full Vulristics report: ms\_patch\_tuesday\_october2023\_report

**Other Vulnerabilities**

And finally, let’s note other important vulnerabilities, which I also wrote about in October in Russian

1\. **Authentication Bypass / Privilege Escalation** – Cisco IOS XE (CVE-2023-20198)

2\. **Authentication** **Bypass** – Confluence (CVE-2023-22515)

3\. VMware vulnerabilities: **Remote code execution** – vCenter Server (CVE-2023-34048) and **Authentication Bypass** – Aria Operations for Logs (CVE-2023-34051).

4\. “Citrix Bleed“: **Information Disclosure** – NetScaler ADC/Citrix ADC and NetScaler Gateway (CVE-2023-4966)

5\. JetBrains: **Remote code execution** – TeamCity (CVE-2023-42793).

6\. Full disclosure for unfixed Squid vulnerabilities.

**VM Vendors news**

From VM vendor news, I would like to highlight the following.

Miercom released a report “Vulnerability Management Competitive Assessment“. They did the research at the request of Tenable, so there couldn’t be much intrigue about who among Tenable, Qualys and Rapid7 would win. 😏 Unlike similar marketing comparisons, Miercom decided not to ask customers of the vendors or compare on high-level features. They compared based on basic functionality, namely the completeness of the detection databases. It’s nice to know that I myself was involved in comparing CVE knowledge bases and identifying blind spots before it became mainstream. 😅

The guys from the Vulners team presented a new version of the automatic metric for assessing the criticality of vulnerabilities – AI Score v2. As the name implies, data processing there is carried out using machine learning, and specifically using the CatBoost library. Relationships between objects (there are more than 3 million objects in Vulners), CVSS Base Score values of ancestor objects, object type, text description of the object, etc. are analyzed. Give it a try, this feature is available for free to all Vulners users.

**PhysTech Lecture**

At the end of the month, I gave a lecture on Vulnerability Management at the Moscow PhysTech university. This is the second time, the first was 5 years ago. This time remotely.

On occasion, I updated my educational presentation. I separated 4 approximately equal parts:

🔹 Security Analysis – vulnerabilities and vulnerability detection  
🔹 Asset Management – getting rid of chaos in infrastructure  
🔹 Vulnerability Management – building a process with a focus on prioritizing vulnerabilities  
🔹 Patch Management – everything related to patching vulnerabilities and relationships with IT

I primarily reworked the Asset Management and Vulnerability Management parts. It seems that I managed to combine the effective safety approach (by Positive Technologies), the guidelines of regulators and my own considerations quite well. This presentation would be good for guest lectures, and it is clear how it could usefully be expanded to 4 separate lectures (or even more). I’m satisfied. 🙂

By the way, PhysTech is under sanctions of the EU, USA, UK, Japan, Switzerland and New Zealand. A decent place. 🙂👍

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Plus: SolarWinds is charged with fraud, New Orleans police face recognition has flaws, and new details about Okta’s October data breach emerge.

As the Israel-Hamas war continues, with Israeli troops moving into the Gaza Strip and encircling Gaza City, one piece of technology is having an outsized impact on how we see and understand the war. Messaging app Telegram, which has a history of lax moderation, has been used by Hamas to share gruesome images and videos. The information has then spread to other social networks and millions more eyeballs. Sources tell WIRED that Telegram has been weaponized to spread horrific propaganda.

Microsoft has had a hard few months when it comes to the company’s own security, with Chinese-backed hackers stealing its cryptographic signing key, continued issues with Microsoft Exchange Servers, and its customers being impacted by failings. The company has now unveiled a plan to deal with the ever-growing range of threats. It’s the Secure Future Initiative, which plans, among multiple elements, to use AI-driven tools, improve its software development, and shorten its response time to vulnerabilities.

Also this week, we’ve looked at the privacy practices of Bluesky, Mastodon, and Meta’s Threads as all of the social media platforms jostle for space in a world where X, formerly known as Twitter, continues to implode. And things aren’t exactly great with this next generation of social media. With November arriving, we now have a detailed breakdown of the security vulnerabilities and patches issued last month. Microsoft, Google, Apple, and enterprise firms Cisco, VMWare, and Citrix all fixed major security flaws in October.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The Flipper Zero is a versatile hacking tool designed for security researchers. The pocket-size pen-testing device can intercept and replay all kinds of wireless signals—including NFC, infrared, RFID, Bluetooth, and Wi-Fi. That means it's possible to read microchips and inspect signals being admitted from devices. Slightly more nefariously, we've found it can easily clone building-entry cards and read credit card details through people's clothes.

Over the last few weeks, the Flipper Zero, which costs around $170, has been gaining some traction for its ability to disrupt iPhones, particularly by sending them into denial of service (DoS) loops. As Ars Technica reported this week, the Flipper Zero, with some custom firmware, is able to send “a constant stream of messages” asking iPhones to connect via Bluetooth devices such as an Apple TV or AirPods. The barrage of notifications, which is sent by a nearby Flipper Zero, can overwhelm an iPhone and make it virtually unusable.

“My phone was getting these pop-ups every few minutes, and then my phone would reboot,” security researcher Jeroen van der Ham told Ars about a DoS attack he experienced while commuting in the Netherlands. He later replicated the attack in a lab environment, while other security researchers have also demonstrated the spamming ability in recent weeks. In van der Ham’s tests, the attack only worked on devices running iOS 17—and at the moment, the only way to prevent the attack is by turning off Bluetooth.

In 2019, hackers linked to Russia’s intelligence service broke into the network of software firm SolarWinds, planting a backdoor and ultimately finding their way into thousands of systems. This week, the US Securities and Exchange Commission charged Tim Brown, the CISO of SolarWinds, and the company with fraud and “internal control failures.” The SEC alleges that Brown and the company overstated SolarWinds’ cybersecurity practices while “understating or failing to disclose known risks.” The SEC claims that SolarWinds knew of “specific deficiencies” in the company’s security practices and made public claims that weren’t reflected in its own internal assessments.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Gurbir S. Grewal, director of the SEC’s Division of Enforcement said in a statement. In response, Sudhakar Ramakrishna, the CEO of SolarWinds, said in a blog post that the allegations are part of a “misguided and improper enforcement action.”

For years, researchers have shown that face recognition systems, trained on millions of pictures of people, can misidentify women and people of color at disproportionate rates. The systems have led to wrongful arrests. A new investigation from Politico, focusing on a year’s worth of face recognition requests made by police in New Orleans, has found that the technology was almost exclusively used to try to identify Black people. The system also “failed to identify suspects a majority of the time,” the report says. Analysis of 15 requests for the use of face recognition technology found that only one of them was for a white suspect, and in nine cases the technology failed to find a match. Three of the six matches were also incorrect. “The data has pretty much proven that \[anti-face-recognition\] advocates were mostly correct,” one city councilor said.

Identity management company Okta has revealed more details about an intrusion into its systems, which it first disclosed on October 20. The company said the attackers, who had accessed its customer support system, accessed files belonging to 134 customers. (In these instances, customers are individual companies that subscribe to Okta’s services). “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” the company disclosed in a blog post. These session tokens were used to “hijack” the Okta sessions of five separate companies. 1Password, BeyondTrust, and Cloudflare have all previously disclosed they detected suspicious activity, but it is not clear who the two remaining companies are.

This Cheap Hacking Device Can Crash Your iPhone With Pop-Ups

Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called NodeStealer.
"Clicking on ads immediately downloads an archive containing a malicious .exe 'Photo Album' file which also drops a second executable written in .NET – this payload is in charge of

Online Security / Malware

Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called **NodeStealer**.

"Clicking on ads immediately downloads an archive containing a malicious .exe 'Photo Album' file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords," Bitdefender said in a report published this week.

NodeStealer was first disclosed by Meta in May 2023 as a JavaScript malware designed to facilitate the takeover of Facebook accounts. Since then, the threat actors behind the operation have leveraged a Python-based variant in their attacks.

The malware is part of a burgeoning cybercrime ecosystem in Vietnam, where multiple threat actors are leveraging overlapping methods that primarily involve advertising-as-a-vector on Facebook for propagation.

The latest campaign discovered by the Romanian cybersecurity firm is no different in that malicious ads are used as a conduit to compromise users' Facebook accounts.

"Meta's Ads Manager tool is actively exploited in these campaigns to target male users on Facebook, aged 18 to 65 from Europe, Africa, and the Caribbean," Bitdefender said. "The most impacted demographic is 45+ males."

Besides distributing the malware via Windows executable files disguised as photo albums, the attacks have expanded their targeting to include regular Facebook users. The executables are hosted on legitimate.

The ultimate goal of the attacks is to leverage the stolen cookies to bypass security mechanisms like two-factor authentication and change the passwords, effectively locking victims out of their own accounts.

"Whether stealing money or scamming new victims via hijacked accounts, this type of malicious attack allows cybercrooks to stay under the radar by sneaking past Meta's security defenses," the researchers said.

Earlier this August, HUMAN disclosed another kind of account takeover attack dubbed Capra aimed at betting platforms by using stolen email addresses to determine registered addresses and sign in to the accounts.

The development comes as Cisco Talos detailed several scams that target users of the Roblox gaming platform with phishing links that aim to capture victims' credentials and steal Robux, an in-app currency that can be used to purchase upgrades for their avatars or buy special abilities in experiences.

"'Roblox' users can be targeted by scammers (known as 'beamers' by 'Roblox' players) who attempt to steal valuable items or Robux from other players," security researcher Tiago Pereira said.

"This can sometimes be made easier for the scammers because of "Roblox's" young user base. Nearly half of the game's 65 million users are under the age of 13 who may not be as adept at spotting scams."

It also follows CloudSEK's discovery of a two-year-long data harvesting campaign occurring in the Middle East via a network of about 3,500 fake domains related to real estate properties in the region with the goal of collecting information about buyers and sellers, and peddling the data on underground forums.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads

bcrypt password hashing in Botan before 2.1.0 does not correctly handle passwords with a length between 57 and 72 characters, which makes it easier for attackers to determine the cleartext password.

If you think you have found a security bug in Botan please contact Jack Lloyd (jack@randombit.net). If you would like to encrypt your mail please use:

pub   rsa3072/57123B60 2015-03-23
      Key fingerprint = 4E60 C735 51AF 2188 DF0A  5A62 78E9 8043 5712 3B60
      uid         Jack Lloyd <jack@randombit.net>

This key can be found in the file doc/pgpkey.txt or online at https://keybase.io/jacklloyd and on most PGP keyservers.

**2022¶**

*   2022-11-16: Failure to correctly check OCSP responder embedded certificate
    
    OCSP responses for some end entity are either signed by the issuing CA certificate of the PKI, or an OCSP responder certificate that the PKI authorized to sign responses in their name. In the latter case, the responder certificate (and its validation path certificate) may be embedded into the OCSP response and clients must verify that such certificates are indeed authorized by the CA when validating OCSP responses.
    
    The OCSP implementation failed to verify that an authorized responder certificate embedded in an OCSP response is authorized by the issuing CA. As a result, any valid signature by an embedded certificate passed the check and was allowed to make claims about the revocation status of certificates of any CA.
    
    Attackers that are in a position to spoof OCSP responses for a client could therefore render legitimate certificates of a 3rd party CA as revoked or even use a compromised (and actually revoked) certificate by spoofing an OCSP-“OK” response. E.g. an attacker could exploit this to impersonate a legitimate TLS server using a compromised certificate of that host and get around the revocation check using OCSP stapling.
    
    Introduced in 1.11.34, fixed in 2.19.3
    

**2020¶**

*   2020-12-21 (CVE-2021-24115): Codec encoding/decoding was not constant time
    
    The base64, base32, base58 and hex encoding/decoding routines used lookup tables which could leak information via a cache-based side channel attack. The encoding tables were small and unlikely to be exploitable, but the decoding tables were large enough to cause non-negligible information leakage. In particular parsing an unencrypted PEM-encoded private key within an SGX enclave could be easily attacked to leak key material.
    
    Identified and reported by Jan Wichelmann, Thomas Eisenbarth, Sebastian Berndt, and Florian Sieck.
    
    Fixed in 2.17.3
    
*   2020-07-05: Failure to enforce name constraints on alternative names
    
    The path validation algorithm enforced name constraints on the primary DN included in the certificate but failed to do so against alternative DNs which may be included in the subject alternative name. This would allow a corrupted sub-CA which was constrained by a name constraints extension in its own certificate to issue a certificate containing a prohibited DN. Until 2.15.0, there was no API to access these alternative name DNs so it is unlikely that any application would make incorrect access control decisions on the basis of the incorrect DN. Reported by Mario Korth of Ruhr-Universität Bochum.
    
    Introduced in 1.11.29, fixed in 2.15.0
    
*   2020-03-24: Side channel during CBC padding
    
    The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected. Reported by Maximilian Blochberger of Universität Hamburg.
    
    Fixed in 2.14.0, all prior versions affected.
    

**2018¶**

*   2018-12-17 (CVE-2018-20187): Side channel during ECC key generation
    
    A timing side channel during ECC key generation could leak information about the high bits of the secret scalar. Such information allows an attacker to perform a brute force attack on the key somewhat more efficiently than they would otherwise. Found by Ján Jančár using ECTester.
    
    Introduced in 1.11.20, fixed in 2.8.0.
    
*   2018-06-13 (CVE-2018-12435): ECDSA side channel
    
    A side channel in the ECDSA signature operation could allow a local attacker to recover the secret key. Found by Keegan Ryan of NCC Group.
    
    Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected.
    
*   2018-04-10 (CVE-2018-9860): Memory overread in TLS CBC decryption
    
    An off by one error in TLS CBC decryption meant that for a particular malformed ciphertext, the receiver would miscompute a length field and HMAC exactly 64K bytes of data following the record buffer as if it was part of the message. This cannot be used to leak information since the MAC comparison will subsequently fail and the connection will be closed. However it might be used for denial of service. Found by OSS-Fuzz.
    
    Bug introduced in 1.11.32, fixed in 2.6.0
    
*   2018-03-29 (CVE-2018-9127): Invalid wildcard match
    
    RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard certificate such as b*.domain.com would match any hosts *b*.domain.com instead of just server names beginning with b. The host and certificate would still have to be in the same domain name. Reported by Fabian Weißberg of Rohde and Schwarz Cybersecurity.
    
    Bug introduced in 2.2.0, fixed in 2.5.0
    

**2017¶**

*   2017-10-02 (CVE-2017-14737): Potential side channel using cache information
    
    In the Montgomery exponentiation code, a table of precomputed values is used. An attacker able to analyze which cache lines were accessed (perhaps via an active attack such as Prime+Probe) could recover information about the exponent. Identified in “CacheD: Identifying Cache-Based Timing Channels in Production Software” by Wang, Wang, Liu, Zhang, and Wu (Usenix Security 2017).
    
    Fixed in 1.10.17 and 2.3.0, all prior versions affected.
    
*   2017-07-16: Failure to fully zeroize memory before free
    
    The secure\_allocator type attempts to zeroize memory before freeing it. Due to a error sometimes only a portion of the memory would be zeroed, because of a confusion between the number of elements vs the number of bytes that those elements use. So byte vectors would always be fully zeroed (since the two notions result in the same value), but for example with an array of 32-bit integers, only the first 1/4 of the elements would be zeroed before being deallocated. This may result in information leakage, if an attacker can access memory on the heap. Reported by Roman Pozlevich.
    
    Bug introduced in 1.11.10, fixed in 2.2.0
    
*   2017-04-04 (CVE-2017-2801): Incorrect comparison in X.509 DN strings
    
    Botan’s implementation of X.509 name comparisons had a flaw which could result in an out of bound memory read while processing a specially formed DN. This could potentially be exploited for information disclosure or denial of service, or result in incorrect validation results. Found independently by Aleksandar Nikolic of Cisco Talos, and OSS-Fuzz automated fuzzing infrastructure.
    
    Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16
    
*   2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation
    
    Botan’s implementation of bcrypt password hashing scheme truncated long passwords at 56 characters, instead of at bcrypt’s standard 72 characters limit. Passwords with lengths between these two bounds could be cracked more easily than should be the case due to the final password bytes being ignored. Found and reported by Solar Designer.
    
    Bug introduced in 1.11.0, fixed in 2.1.0.
    

**2016¶**

*   2016-11-27 (CVE-2016-9132) Integer overflow in BER decoder
    
    While decoding BER length fields, an integer overflow could occur. This could occur while parsing untrusted inputs such as X.509 certificates. The overflow does not seem to lead to any obviously exploitable condition, but exploitation cannot be positively ruled out. Only 32-bit platforms are likely affected; to cause an overflow on 64-bit the parsed data would have to be many gigabytes. Bug found by Falko Strenzke, cryptosource GmbH.
    
    Fixed in 1.10.14 and 1.11.34, all prior versions affected.
    
*   2016-10-26 (CVE-2016-8871) OAEP side channel
    
    A side channel in OAEP decoding could be used to distinguish RSA ciphertexts that did or did not have a leading 0 byte. For an attacker capable of precisely measuring the time taken for OAEP decoding, this could be used as an oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation seems difficult as OAEP decoding is always paired with RSA decryption, which takes substantially more (and variable) time, and so will tend to mask the timing channel. This attack does seems well within reach of a local attacker capable of a cache or branch predictor based side channel attack. Finding, analysis, and patch by Juraj Somorovsky.
    
    Introduced in 1.11.29, fixed in 1.11.33
    
*   2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519
    
    On systems without a native 128-bit integer type, the Curve25519 code invoked undefined behavior. This was known to produce incorrect results on 32-bit ARM when compiled by Clang.
    
    Introduced in 1.11.12, fixed in 1.11.31
    
*   2016-08-30 (CVE-2016-6879) Bad result from X509\_Certificate::allowed\_usage
    
    If allowed\_usage was called with more than one Key\_Usage set in the enum value, the function would return true if _any_ of the allowed usages were set, instead of if _all_ of the allowed usages are set. This could be used to bypass an application key usage check. Credit to Daniel Neus of Rohde & Schwarz Cybersecurity for finding this issue.
    
    Introduced in 1.11.0, fixed in 1.11.31
    
*   2016-03-17 (CVE-2016-2849): ECDSA side channel
    
    ECDSA (and DSA) signature algorithms perform a modular inverse on the signature nonce k. The modular inverse algorithm used had input dependent loops, and it is possible a side channel attack could recover sufficient information about the nonce to eventually recover the ECDSA secret key. Found by Sean Devlin.
    
    Introduced in 1.7.15, fixed in 1.10.13 and 1.11.29
    
*   2016-03-17 (CVE-2016-2850): Failure to enforce TLS policy
    
    TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication.
    
    The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy.
    
    Introduced in 1.11.0, fixed in 1.11.29
    
*   2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction
    
    The P-521 reduction function would overwrite zero to one word following the allocated block. This could potentially result in remote code execution or a crash. Found with AFL
    
    Introduced in 1.11.10, fixed in 1.11.27
    
*   2016-02-01 (CVE-2016-2195): Heap overflow on invalid ECC point
    
    The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.
    
    The bigint\_mul and bigint\_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.
    
    The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.
    
    On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure\_vector objects. After this point the write will hit the guard page at the end of the mmap’ed region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.
    
    Found by Alex Gaynor fuzzing with AFL
    
    Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11
    
*   2016-02-01 (CVE-2016-2194): Infinite loop in modular square root algorithm
    
    The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression. Found by AFL
    
    Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11
    

**2015¶**

*   2015-11-04: TLS certificate authentication bypass
    
    When the bugs affecting X.509 path validation were fixed in 1.11.22, a check in Credentials\_Manager::verify\_certificate\_chain was accidentally removed which caused path validation failures not to be signaled to the TLS layer. So for affected versions, certificate authentication in TLS is bypassed. As a workaround, applications can override the call and implement the correct check. Reported by Florent Le Coz in GH #324
    
    Introduced in 1.11.22, fixed in 1.11.24
    
*   2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
    
    A padding oracle attack was possible against TLS CBC ciphersuites because if a certain length check on the packet fields failed, a different alert type than one used for message authentication failure would be returned to the sender. This check triggering would leak information about the value of the padding bytes and could be used to perform iterative decryption.
    
    As with most such oracle attacks, the danger depends on the underlying protocol - HTTP servers are particularly vulnerable. The current analysis suggests that to exploit it an attacker would first have to guess several bytes of plaintext, but again this is quite possible in many situations including HTTP.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation
    
    When evaluating a certificate path, if a loop in the certificate chain was encountered (for instance where C1 certifies C2, which certifies C1) an infinite loop would occur eventually resulting in memory exhaustion. Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.6, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names
    
    RFC 6125 specifies how to match a X.509v3 certificate against a DNS name for application usage.
    
    Otherwise valid certificates using wildcards would be accepted as matching certain hostnames that should they should not according to RFC 6125. For example a certificate issued for *.example.com should match foo.example.com but not example.com or bar.foo.example.com. Previously Botan would accept such a certificate as also valid for bar.foo.example.com.
    
    RFC 6125 also requires that when matching a X.509 certificate against a DNS name, the CN entry is only compared if no subjectAlternativeName entry is available. Previously X509\_Certificate::matches\_dns\_name would always check both names.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time
    
    During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was input dependent. If these differences could be measured by an attacker, it could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5 decoding has been rewritten to use a sequence of operations which do not contain any input-dependent indexes or jumps. Notations for checking constant time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.
    
    Fixed in 1.11.22 and 1.10.13. Affected all previous versions.
    
*   2015-08-03 (CVE-2015-5726): Crash in BER decoder
    
    The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    
*   2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder
    
    The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    

**2014¶**

*   2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check
    
    A bug in the Miller-Rabin primality test resulted in only a single random base being used instead of a sequence of such bases. This increased the probability that a non-prime would be accepted by is\_prime or that a randomly generated prime might actually be composite. The probability of a random 1024 bit number being incorrectly classed as prime with a single base is around 2^-40. Reported by Jeff Marrison.
    
    Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9

CVE-2017-7252: Security Advisories — Botan

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures.

Thursday, November 2, 2023 14:11

Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. 

This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.  

In 2020, Microsoft announced a clear migration path for devices using Windows CE and warned of its impending end-of-life (meaning there’d be no more support, security patches, etc.) by telling users to run a container on top of Windows 10 IoT. 

However, Microsoft says it will continue license sales for Windows Embedded Compact 2013 (the last time Windows CE received a full version update until 2028). I’ve written before about the dangers of people thinking it’s cool to still run Windows 7, which was already a surprise to me, but then by reading more about Windows CE this week, I found that some of the most important hardware the U.S. relies on still use Windows CE: voting machines. 

A Windows CE phone was at the center of the “Hillary Clinton emails” drama during the 2016 presidential election, and since then, security researchers have found that some voting machines using Windows CE are vulnerable to various exploits.   

I found one DEF CON 25 attendee in 2017 who went to the conference’s first-ever “Voting Village” where researchers poked and prodded various voting systems, including the ExpressPoll 5000 voter registration system that used Windows CE 5.0. Needless to say, the ExpressPoll 5000 didn’t stand a chance. 

I couldn’t find any information on if there are still any ExpressPoll 5000s in the wild, but the Maryland State Board of Elections was still accepting the devices into their pool of devices that could be certified to be used in elections with an “acceptance test” as of 2016. 

Other Diebold voting machines used in the 2016 presidential election also ran outdated versions of Windows CE. (Vice News had a video segment on this topic that’s since been scrubbed from the internet, but there’s a great written recap of the segment here.)  

Again, there is no real proof that these systems are still being used in the wild. After the security concerns stemming from the 2016 election, the U.S. took a much tougher look at election security and continues to invest heavily in more secure voting machines, so there’s a possibility these devices are all now out of service, patched, or hopefully just buried in a ditch somewhere.  

But it does get to a larger point, that a lot of the technology our government relies on is \*old\*. Many voting systems used in the 2020 presidential election relied on Windows 7, which also is now at its end-of-life and isn’t receiving any security updates. Support for Windows 8.1 ended at the beginning of this year, and who knows what devices are floating out there still using versions of that OS, and Windows 10 will reach its end-of-life period in October 2025, so by the time we get to the 2028 election (I can’t even fathom that as a real year still), I suspect we’ll be seeing lots of stories of all the voting devices relying on that.  

**The one big thing **

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures. Although Arid Viper is believed to be based out of Gaza, Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war. The malicious apps Arid Viper uses are very similar to other legitimate apps, so it’s fairly easy for an unsuspecting user to get hit.  

**Why do I care? **

Spyware is very dangerous no matter how you twist it, but in this particular case, Arid Viper’s spyware collects the target’s sensitive personal information off their devices and disables security notifications so the actor can install more malware. The use of spyware across the globe continues to be a major issue that governments have had a hard time reigning in (and sometimes the governments themselves are the ones using it). 

**So now what? **

Our blog post has more details on the malicious apps being used in this campaign, so potential targets know what to be on the lookout for. We also have several new IOCs available for defenders to add to their blocklists. Potentially sensitive targets like politicians, journalists or activists may want to enable “safe” modes on their mobile devices, which can help protect against all types of spyware.  

**Top security headlines of the week **

**U.S. President Joe Biden signed a sweeping Executive Order this week attempting to regulate the use of AI and put several privacy safeguards in place.** The order also calls on Congress to pass national AI privacy legislation. Under the new rules, leading AI developers will need to share safety test results and other information about their software with the government. The National Institute of Standards and Technology will also create new standards to ensure AI tools are safe and secure before they’re publicly released. Federal agencies will now also need to change the way they use AI, with the hopes that the private sector will follow suit. Federal benefits programs and contractors will need to ensure that any AI tools they rely on do not deepen any racial biases in their activities. However, privacy experts only view the Executive Order as a small first step that needs to be augmented by national legislation and enforcement. (AP News, ABC News) 

**The U.S. government is preparing for an influx of Iranian-backed cyber attacks in retaliation for the U.S.’ support of Israel in its war against Hamas.** FBI Director Christopher Wray told a Congressional committee this week that, “The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands.” New research also indicates that Iranian threat actors have carried out a range of cyber espionage activities across the Middle East, looking to collect sensitive intelligence and disrupt important services. There may be up 15 different hacking groups affiliated directly with, or serving as a proxy for, the Iranian Revolutionary Guard Corps or the Iranian Ministry of Intelligence. (Politico, The New York Times) 

**Cloud computing company Citrix is warning of the mass exploitation of a critical vulnerability in its NetScaler ADC/Gateway devices.** Known as “Citrix Bleed,” CVE-2023-4966 is an information disclosure vulnerability that could allow attackers to steal valid session tokens from internet-facing Netscaler devices running vulnerable software. Citrix disclosed the vulnerability on Oct. 10, warning users to update affected devices immediately. However, security researchers soon found that attackers had been exploiting the vulnerability since August. Researcher Kevin Beaumont reported on his personal social media channels that he found an estimated 20,000 instances of exploited Citrix devices where session tokens were stolen. (HelpNet Security, Ars Technica) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #140: Chicken Soup and Contact Centers 
*   Talos Takes Ep. #160: Patching 101 
*   Cisco Talos Incident Response On Air for Q3 2023 
*   Arid Viper Campaign Targets Arabic-Speaking Users 
*   Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 21d709b0593c19ad2798903ae02de7ecdbf8033b3e791b70d7595bca64b99721**   
**MD5:** af8a072f20c8e647f53eb735528f070d   
**Typical Filename:** Head Office.exe   
**Claimed Product:** Head Office   
**Detection Name:** Win.Dropper.Pykspa::100.sbx.vioc 

**SHA 256:** 032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe   
**MD5:** a5cc0738a563489458f6541c3d3dc722   
**Typical Filename:** wuauclt.exe   
**Claimed Product:** Microsoft® Windows® Operating System   
**Detection Name:** Win.Dropper.Vools::100.sbx.tg 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c      
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c      
**Typical Filename:** AAct.exe      
**Claimed Product:** N/A        
**Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd

You’d be surprised to know what devices are still using Windows CE

By Waqas
Mandiant Investigates Zero-Day Exploitation in Citrix Vulnerability, CVE-2023-4966.
This is a post from HackRead.com Read the original post: Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

According to Mandiant, the Citrix vulnerability which specifically impacts NetScaler ADC and Gateway appliances, has been detected in the wild since late August 2023.

Citrix, a provider of NetScaler ADC and Gateway appliances, released a security bulletin on October 10, 2023, detailing a vulnerability (CVE-2023-4966) exposing sensitive information. Mandiant, a **Google-owned** prominent cybersecurity firm, has identified instances of both zero-day exploitation and subsequent exploitation of this vulnerability following Citrix’s disclosure.

The vulnerability specifically affects NetScaler ADC and Gateway appliances and has been observed in the wild since late August 2023, continuing after the release of the security advisory by the company.

Mandiant’s investigations revealed successful exploitation incidents, allowing threat actors to take control of legitimate user sessions on these Citrix appliances, bypassing authentication measures, including passwords and multi-factor authentication.

Mandiant’s findings shed light on factors that help in identifying exploitation activities and highlight various post-exploitation techniques witnessed during their incident response investigations.

**Vulnerable Endpoints**

When Citrix released firmware updates addressing **CVE-2023-4966**, Mandiant employed similar methods as **Assetnote**, an external attack surface management firm, to identify vulnerable functions and create a proof of concept (PoC). Prior to Citrix’s publication, Mandiant was already investigating session takeovers, which they believed were the result of zero-day exploitation.

With differential firmware analysis, they pinpointed the vulnerable endpoint by crafting an HTTP GET request with an extended Host header, causing a vulnerable appliance to expose system memory contents, potentially revealing a valid NetScaler AAA session cookie.

**Investigation Challenges**

A significant challenge in investigating these vulnerable appliances lies in the absence of request logging for the vulnerable endpoint on the appliance’s web server. Mandiant recommends relying on **web application firewalls (WAF)** or similar network appliances recording HTTP/S requests directed towards these NetScaler devices to identify attempted exploitations.

**Techniques for Identifying Exploitation**

Mandiant outlined several techniques to identify potential exploitation and subsequent session hijacking. These include scrutinizing WAF logs, identifying suspicious login patterns in NetScaler logs, checking Windows Registry keys, and analyzing memory core dump files.

**Post-Exploitation Activities**

Following successful exploitation, Mandiant observed several post-exploitation tactics, such as surveillance, credential harvesting, and lateral movement through RDP. Threat actors used various tools and techniques to gain access, including **Mimikatz** for dumping process memory and deploying remote monitoring and management (RMM) tools like Atera, **AnyDesk**, and **SplashTop**.

**Victimology and Attribution**

Mandiant’s investigation spans multiple sectors, including legal, professional services, technology, and government organizations in the Americas, EMEA, and APJ regions. They are tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability.

> _“Mandiant is currently tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability. We have observed some lower degrees of confidence overlaps in post-exploitation stages among these UNC groups, like using the same recon commands and utilities available on Windows. The common tools observed across multiple intrusions were: csvde.exe certutil.exe local.exe nbtscan.exe.”_
> 
> Mandiant

**Timothy Morris**, Chief Security Advisor at Tanium also commented on the issue and wanted that the Netscaler exploitation is at large scale right now. “Session Hijacking” could be low risk, however, it could also be extremely high-risk, depending upon the session being hijacked,” Morris said.

“It is important that customers patch immediately and do the necessary incident response threat hunting. In other words, don’t assume that “If I patch, I’m good.” That might prevent the next exploitation attempt (i.e. repairing the broken window) but doesn’t resolve what might have already happened (i.e. who is already in the house due to the previously broken window),” added Morris.

**Remediation Efforts**

Mandiant published a **blog post** offering remediation recommendations and guidance to mitigate this vulnerability.

In conclusion, this revelation provides insights into the exploitation and post-exploitation activities resulting from the Citrix vulnerability CVE-2023-4966. Mandiant’s ongoing investigation aims to understand the intricacies of the exploit and provide comprehensive guidance for remediation.

****_Editor’s note:_****

_The article includes limited technical details about the vulnerability, exploitation techniques, and detection methods. Please note that this is a summarization of the extensive information provided in the original blog post by Mandiant._

****_RELATED ARTICLES_****

1.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
2.  Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks
3.  JetBrains Patches TeamCity Flaw Allowing RCE and Server Hijacking
4.  iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser
5.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird

Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

By Waqas
A cybersecurity incident apparently involving collaboration between Russians and Americans...
This is a post from HackRead.com Read the original post: Russian Pair Charged with JFK Airport Taxi System Hack for Over 2 Years

Two Russian hackers and two Americans have been accused of a two-year-long hacking scheme involving the taxi dispatch system at JFK Airport, where they earned over $100,000 by assisting taxi drivers in skipping the line.

Two Russian nationals, Aleksandr Derebenetc (aka Sasha Novgorod) and Kirill Shipulin (aka Kirill Russia), have been charged with hacking the taxi dispatch system at John F. Kennedy International Airport (JFK).

Talking about taxis and hacking; **in September 2022**, Anonymous hacktivists, in cooperation with the IT Army of Ukraine, hacked the app for the ride-hailing service Yandex Taxi in Moscow, Russia, causing a massive traffic jam.

The indictment was unsealed by Damian Williams, the United States Attorney for the Southern District of New York, and the Inspector General of the Port Authority of New York and New Jersey, John Gay.

Two American nationals, Daniel Abayev, 47, and Peter Leyman, 49, both hailing from Queens, NY, have been accused of collaborating with the Russians to move certain taxis to the front of the line in exchange for payment. The scheme started in September 2019 and continued until September 2021. 

According to the **indictment**, the four individuals used several tactics, including malware, social engineering, and stolen passwords, to access the JFK taxi dispatch system, and conspired to let their desired taxi drivers bypass the long wait times and cut in line.

Abayev and Leyman helped Derebenetc, 30, of Nizhniy Novgorod, Russia, and Shipulin,30, of Moscow, Russia, by recruiting taxi drivers and collecting payments. In addition, they acted as the operation’s frontmen and stayed in touch with the drivers to decide which ones would skip the queue.

Prosecutors allege that the conspirators developed a plan to hack the dispatch systems in 2019 and tried several strategies, such as bribing people to insert a malware-infected flash drive into the computers connected with the taxi system, gaining unauthorized access to the dispatch system through a WiFi connection, and stealing computer tablets that were connected to that system.

Once they infiltrated the dispatch system, the conspirators used messaging apps to communicate with the drivers, give them instructions, and select the drivers who would skip the line and at what time.

When they had access to the system, they would message the drivers “Shop Open,” and when the connection wasn’t successful, they would message them “Shop Closed.” The perpetrators also issued warnings to the drivers to prevent them from going to certain areas around the airport and raising suspicion. 

According to the court filing, the conspirators gained and lost access to the taxi system repeatedly. When they had access, they offered the drivers to move to the front of the dispatch queue for a $10 fee and waived it for those who convinced other drivers to participate in this scheme. 

Many drivers benefitted from this service, noted the US Department of Justice. The gang booked 2,463 queue cuts in a single week during December 2019. Through this scheme, the conspirators enabled at least 1,000 trips daily, and it turned out to be a profitable venture for them as they made over $100,000.

Derbentec and Shipulin are charged with two counts of conspiracy to commit computer intrusion, which carry a maximum sentence of ten years in prison. Abayev and Leyman, have pled guilty to one count of conspiracy to commit computer intrusion and face a maximum sentence of five years.

> __“As_ alleged in the indictment, these four defendants conspired to hack into the taxi dispatch system at JFK airport. Cyber hacking can pose grave threats to infrastructure systems that we rely on every day, and our Office is dedicated to pursuing criminal hackers, whether they be in Russia or here in New York.”_
> 
> U.S. Attorney Damian Williams

**_**RELATED ARTICLES**_**

1.  Russian Dark Net Markets Dominate the Global Illicit Drug Trade
2.  Military Satellite Access Sold on Russian Hacker Forum for $15,000
3.  2 San Francisco Int. airport websites hacked with info-stealer code
4.  Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
5.  Power Grids to Airports: TETRA Radio Hacking Risks Global Infrastructure

Tag

#cisco