A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses.
The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by

A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses.

The initiative, dubbed the **Pall Mall Process**, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by establishing guiding principles and policy options for States, industry, and civil society in relation to the development, facilitation, purchase, and use of such tools.

The declaration stated that "uncontrolled dissemination" of spyware offerings contributes to "unintentional escalation in cyberspace," noting it poses risks to cyber stability, human rights, national security, and digital security.

"Where these tools are used maliciously, attacks can access victims' devices, listen to calls, obtain photos and remotely operate a camera and microphone via 'zero-click' spyware, meaning no user interaction is needed," the U.K. government said in a press release.

According to the National Cyber Security Centre (NCSC), thousands of individuals are estimated to have been globally targeted by spyware campaigns every year.

"And as the commercial market for these tools grows, so too will the number and severity of cyber attacks compromising our devices and our digital systems, causing increasingly expensive damage and making it more challenging than ever for our cyber defenses to protect public institutions and services," Deputy Prime Minister Oliver Dowden said at the U.K.-France Cyber Proliferation conference.

Notably missing from the list of countries that participated in the event is Israel, which is home to a number of private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs) such as Candiru, Intellexa (Cytrox), NSO Group, and QuaDream.

Recorded Future News reported that Hungary, Mexico, Spain, and Thailand – which have been linked to spyware abuses in the past – did not sign the pledge.

The multi-stakeholder action coincides with an announcement by the U.S. Department of State to deny visas for individuals that it deems to be involved with the misuse of dangerous spyware technology.

"Until recently, a lack of accountability has enabled the spyware industry to proliferate dangerous surveillance tools around the world," Google said in a statement shared with The Hacker News. "Limiting spyware vendors' ability to operate in the US helps to change the incentive structure which has allowed their continued growth."

One hand, spyware such as Chrysaor and Pegasus are licensed to government customers for use in law enforcement and counterterrorism. On the other hand, they have also been routinely abused by oppressive regimes to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents, and other civil society members.

Such intrusions typically leverage zero-click (or one-click) exploits to surreptitiously deliver the surveillanceware onto the targets' Google Android and Apple iOS devices with the goal of harvesting sensitive information.

That having said, ongoing efforts to combat and contain the spyware ecosystem have been something of a whack-a-mole, underscoring the challenge of fending off recurring and lesser-known players who provide or come up with similar cyber weapons.

This also extends to the fact that CSVs continue to expend effort developing new exploit chains as companies like Apple, Google, and others discover and plug the zero-day vulnerabilities.

Source: Google's Threat Analysis Group (TAG)

"As long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetrating an industry that harms high risk users and society at large," Google's Threat Analysis Group (TAG) said.

An extensive report published by TAG this week revealed that the company is tracking roughly 40 commercial spyware companies that sell their products to government agencies, with 11 of them linked to the exploitation of 74 zero-days in Google Chrome (24), Android (20), iOS (16), Windows (6), Adobe (2), and Mozilla Firefox (1).

Unknown state-sponsored actors, for example, exploited three flaws in iOS (CVE-2023-28205, CVE-2023-28206, and CVE-2023-32409) as a zero-day last year to infect victims with spyware developed by Barcelona-based Variston. The flaws were patched by Apple in April and May 2023.

The campaign, discovered in March 2023, delivered a link via SMS and targeted iPhones located in Indonesia running iOS versions 16.3.0 and 16.3.1 with an aim to deploy the BridgeHead spyware implant via the Heliconia exploitation framework. Weaponization by Variston is a high-severity security shortcoming in Qualcomm chips (CVE-2023-33063) that first came to light in October 2023.

The complete list of zero-day vulnerabilities in Apple iOS and Google Chrome that were discovered in 2023 and have been tied to specific spyware vendors is as follows:

**Zero-day Exploit**

**Associated Spyware Vendor**

CVE-2023-28205 and CVE-2023-28206 (Apple iOS)

Variston (BridgeHead)

CVE-2023-2033 (Google Chrome)

Intellexa/Cytrox (Predator)

CVE-2023-2136 (Google Chrome)

Intellexa/Cytrox (Predator)

CVE-2023-32409 (Apple iOS)

Variston (BridgeHead)

CVE-2023-3079 (Google Chrome)

Intellexa/Cytrox (Predator)

CVE-2023-41061 and CVE-2023-41064 (Apple iOS)

NSO Group (Pegasus)

CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 (Apple iOS)

Intellexa/Cytrox (Predator)

CVE-2023-5217 (Google Chrome)

Candiru (DevilsTongue)

CVE-2023-4211 (Arm Mali GPU)

Cy4Gate (Epeius)

CVE-2023-33063 (Qualcomm Adreno GPU)

Variston (BridgeHead)

CVE-2023-33106 and CVE-2023-33107 (Qualcomm Adreno GPU)

Cy4Gate (Epeius)

CVE-2023-42916 and CVE-2023-42917 (Apple iOS)

PARS Defense

CVE-2023-7024 (Google Chrome)

NSO Group (Pegasus)

"Private sector firms have been involved in discovering and selling exploits for many years, but the rise of turnkey espionage solutions is a newer phenomena," the tech giant said.

"CSVs operate with deep technical expertise to offer 'pay-to-play' tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual's device."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Global Coalition and Tech Giants Unite Against Commercial Spyware Abuse

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

**Django denial-of-service attack in the intcomma template filter**

Moderate severity GitHub Reviewed Published Feb 7, 2024 to the GitHub Advisory Database • Updated Feb 7, 2024

GHSA-xxj9-f6rv-m3x4: Django denial-of-service attack in the intcomma template filter

By Uzair Amir
Delve into automated versus manual API testing for efficient software delivery. See how automation speeds validation while manual…
This is a post from HackRead.com Read the original post: How Does Automated API Testing Differ from Manual API Testing: Unveiling the Advantages

Delve into automated versus manual API testing for efficient software delivery. See how automation speeds validation while manual testing provides human insight, ensuring comprehensive coverage for robust development.

In the domain of software development, the distinction between automated and manual API testing is pivotal for efficient and reliable software delivery. Automated API testing harnesses the power of software tools to execute tests on an application’s interface, verifying interactions and responses without human intervention.

This method ensures that APIs, which serve as crucial communication channels between different software systems, consistently behave as expected under various conditions. By emphasizing API testing automation and its best practices, this approach contributes to the reliability and efficiency of these integral components in software development.

Manual API testing, on the other hand, relies on a human tester to manually send requests to the API and assess the responses. While this approach allows for nuanced and exploratory testing, it can be time-consuming and less consistent compared to its automated counterpart. Choosing between these methodologies often depends on specific project requirements, with a blend of both strategies being ideal for thorough testing coverage.

****Key Takeaways****

*   Automated API testing enables faster and more reliable validation of APIs.
*   Manual testing provides detailed exploratory testing with human insight.
*   A combination of both testing methods offers a comprehensive approach.

****Comparative Analysis of Automated and Manual API Testing****

In exploring the differences between automated and manual API testing, it’s essential to understand their distinct methodologies, the tools and techniques involved, and the skills that testers need to effectively execute these tasks. These key areas reveal the benefits and challenges associated with each approach during the development process of APIs.

****Fundamental Differences****

Automated API testing and manual API testing vary in several fundamental ways. Automation leverages testing tools to execute predefined tests on an API without human intervention, allowing for continuous and consistent testing throughout the development lifecycle. In contrast, manual testing relies on a tester to manually perform the tests by directly interacting with the API, which can be time-consuming and prone to human error.

*   **Automated API Testing**:  
    *   Consistently executes a suite of tests
    *   Ideal for regression, performance, and security testing
    *   Facilitates testing in multiple environments and conditions
*   **Manual API Testing**:  
    *   Requires human judgment for exploratory testing
    *   Beneficial during the early stages of development and for ad-hoc testing
    *   Allows for nuanced observation and insight that automated tools might miss

****Testing Tools and Techniques****

Different testing tools are available for both manual and automated testing, each with unique features designed to cater to specific testing objectives. These tools facilitate automated functional, performance, security, and integration testing.

*   **Automation Tools**:
    *   Postman: Enables quick API testing with a user-friendly interface
    *   SOAPUI: Offers extensive capabilities for both REST and SOAP APIs
    *   REST Assured: Integrates easily with Java-based projects for API validations
    *   Karate: Allows writing tests in a readable domain-specific language

In the realm of manual API testing, tools like Jira can be used to track and manage testing efforts, and documentation plays a significant role in guiding the manual testing process.

*   **Manual Testing Techniques**:
    *   Documentation Review: Critical in understanding API behavior and test cases
    *   Exploratory Testing: Involves interactively tinkering with API endpoints
    *   Use Case Testing: Focuses on the API’s functional requirements

****Skills and Expertise Required****

The skills and expertise required for manual and automated testing differ substantially. Manual API testing typically demands a strong understanding of the API’s functional requirements and the ability to meticulously document and report findings. Testers need superior attention to detail and analytical skills for exploratory testing practices and use case validation.

*   **Manual Testing Skills**:
    *   Substantial functional understanding of APIs
    *   Analytical thinking for exploring and validating API responses

On the other hand, automated API testing requires knowledge of scripting and proficiency in using selected API testing tools. Understanding best practices in automation, development, and continuous integration processes becomes crucial. Testers should also be adept at creating comprehensive test environments that mimic real-world scenarios for more effective testing.

*   **Automated Testing Skills**:
    *   Technical know-how in scripting and familiarity with various automation tools
    *   Proficiency in setting up environments and integrating tests with CI/CD pipelines

Automated API testing has significantly transformed the software development process, offering a range of benefits that optimize performance and ensure the delivery of high-quality applications. These advantages particularly resonate with agile development teams that prioritize speed, efficiency, and frequent iteration.

****Speed and Efficiency****

Automated tests execute much faster than manual tests, enabling teams to perform functional tests, unit tests, and integration tests at an increased pace. This rapid execution facilitates parallel testing, thereby saving time and resources that are pivotal in an agile and CI/CD environment. The shortened feedback loop allows bugs and errors to be identified and addressed promptly, contributing to a more efficient development cycle.

****Accuracy and Reliability****

Automation reduces human error, leading to more accurate test results. Test automation tools can repeatedly run the same set of tests in the same manner, increasing the reliability of the testing process. This high degree of consistency helps in uncovering defects that might be missed during manual testing due to oversight or tester fatigue.

****Integration with Development Workflows****

Automated API testing is designed to integrate seamlessly into modern CI/CD pipelines, advocating for a ‘shift left’ approach where testing occurs earlier in the software development process. This allows for continuous testing throughout the lifecycle of the application, from development to deployment, aligning with the agile development ethos. Additionally, maintenance becomes less cumbersome as automated tests can be easily updated alongside changes in API functionality, ensuring that the tests evolve with the application.

****Conclusion****

Automated API testing and manual API testing serve distinct purposes within the software development lifecycle. Automated testing shines in high-volume, repetitive tasks, enabling swift and consistent feedback, perfect for regression and load testing. In contrast, manual testing is irreplaceable for exploratory scenarios where human intuition and creative test design are paramount.

The advantages of automated testing—such as scalability, speed, and reliability—are counterbalanced by the flexibility and nuanced observations that come with manual testing. They are not competing practices but complementary, with the choice between them often guided by the specific requirements of the project at hand. The integration of both approaches tends to yield a more robust and thorough testing regimen.

1.  **The Most Common API Vulnerabilities**
2.  **A Guide to Crafting a Dynamic App Using Weather APIs**
3.  **API Security: Unveiling Practices for a Secure Digital Ecosystem**
4.  **OpenAI Releases Developer APIs for ChatGPT and Whisper Models**

How Does Automated API Testing Differ from Manual API Testing: Unveiling the Advantages

The `Webhook::verify` function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in `v1,` as the signature, which would always pass verification.


**Svix vulnerable to improper comparison of different-length signatures**

Moderate severity GitHub Reviewed Published Feb 6, 2024 to the GitHub Advisory Database • Updated Feb 6, 2024

GHSA-w277-wpqf-rcfv: Svix vulnerable to improper comparison of different-length signatures

New EU rules mean WhatsApp and Messenger must be interoperable with other chat apps. Here’s how that will work.

A frequent annoyance of contemporary life is having to shuffle through different messaging apps to reach the right person. Messenger, iMessage, WhatsApp, Signal—they all exist in their own silos of group chats and contacts. Soon, though, WhatsApp will do the previously unthinkable for its 2 billion users: allow people to message you from another app. At least, that's the plan.

For about the past two years, WhatsApp has been building a way for other messaging apps to plug themselves into its service and let people chat across apps—all without breaking the end-to-end encryption it uses to protect the privacy and security of people’s messages. The move is the first time the chat app has opened itself up this way, and it potentially offers greater competition.

It isn’t a shift entirely of WhatsApp’s own making. In September, European, lawmakers designated WhatsApp parent Meta as one of six influential “gatekeeer” companies under its sweeping Digital Markets Act, giving it six months to open its walled garden to others. With just a few weeks to go before that time is up, WhatsApp is detailing how its interoperability with other apps may work.

“There’s real tension between offering an easy way to offer this interoperability to third parties whilst at the same time preserving the WhatsApp privacy, security, and integrity bar,” says Dick Brouwer, an engineering director at WhatsApp who has worked on Meta rolling out encryption to its Messenger app. “I think we're pretty happy with where we’ve landed.”

Interoperability in both WhatsApp and Messenger—as dictated by Europe’s rules—will initially focus on text messaging, sending images, voice messages, videos, and files between two people. Calls and group chats will come years down the line. Europe’s rules apply only to messaging services, not traditional SMS messaging. “One of the core requirements here, and this is really important, is for users for this to be opt-in,” says Brouwer. “I can choose whether or not I want to participate in being open to exchanging messages with third parties. This is important, because it could be a big source of spam and scams.”

WhatsApp users who opt in will see messages from other apps in a separate section at the top of their inbox. This “third-party chats” inbox has previously been spotted in development versions of the app. “The early thinking here is to put a separate inbox, given that these networks are very different,” Brouwer says. “We cannot offer the same level of privacy and security,” he says. If WhatsApp were to add SMS, it would use a separate inbox as well, although there are no plans to add it, he says.

Overall, the idea behind interoperability is simple. You shouldn’t need to know what messaging app your friends or family use to get in touch with them, and you should be able to communicate from one app to another without having to download both. In an ideal interoperable world, you could, for example, use Apple’s iMessage to chat with someone on Telegram. However, for apps with millions or billions of users, making this a reality isn’t straightforward—encrypted messaging apps use their own configurations and different protocols and have different standards when it comes to privacy.

Despite WhatsApp working on its interoperability plan for more than a year, it will still take some time for third-party chats to hit people’s apps. Messaging companies that want to interoperate with WhatsApp or Messenger will need to sign an agreement with the company and follow its terms. The full details of the plan will be published in March, Brouwer says; under EU laws, the company will have several months to implement it.

Brouwer says Meta would prefer if other apps use the Signal encryption protocol, which its systems are based upon. Other than its namesake app and the Meta-owned messengers, the Signal Protocol is publicly disclosed as being used in Google Messages and Skype. To send messages, third-party apps will need to encrypt content using the Signal Protocol and then package it into message stanzas in the eXtensible Markup Language (XML). When receiving messages, apps will need to connect to WhatsApp’s servers.

“We think that the best way to deliver this approach is through a solution that is built on WhatsApp’s existing client-server architecture,” Brouwer says, adding it has been working with other companies on the plans. “This effectively means that the approach that we’re trying to take is for WhatsApp to document our client- server protocol and letting third-party clients connect directly to our infrastructure and exchange messages with WhatsApp clients.”

There is some flexibility to WhatsApp interoperability. Meta’s app will also allow other apps to use different encryption protocols if they can “demonstrate” they reach the security standards that WhatsApp outlines in its guidance. There will also be the option, Brouwer says, for third-party developers to add a proxy between their apps and WhatsApp’s server. This, he says, could give developers more “flexibility” and remove the need for them to use WhatsApp’s client-server protocols, but it also “increases the potential attack vectors.”

So far, it is unclear which companies, if any, are planning to connect their services to WhatsApp. WIRED asked 10 owners of messaging or chat services—including Google, Telegram, Viber, and Signal—whether they intend to look at interoperability or had worked with WhatsApp on its plans. The majority of companies didn’t respond to the request for comment. Those that did, Snap and Discord, said they had nothing to add. (The European Commission is investigating whether Apple’s iMessage meets the thresholds to offer interoperability with other apps itself. The company did not respond to a request for comment. It has also faced recent challenges in the US about the closed nature of iMessage.)

Matthew Hodgson, the cofounder of Matrix, which is building an open source standard for encryption and operates the messaging app Element, confirms that his company has worked with WhatsApp on interoperability in an “experimental” way but that he cannot say any more due to signing a nondisclosure agreement. In a talk last weekend, Hodgson demonstrated “hypothetical” architectures for ways that Matrix could connect to the systems of two gatekeepers that don’t use the same encryption protocols.

Meanwhile, Julia Weis, a spokesperson for the Swiss messaging app Threema, says that while WhatsApp did approach it to discuss its interoperability plans, the proposed system didn’t meet Threema’s security and privacy standards. “WhatsApp specifies all the protocols, and we’d have no way of knowing what actually happens with the user data that gets transferred to WhatsApp—after all, WhatsApp is closed source,” Weis says. (WhatsApp’s privacy policy states how it uses people’s data.)

When the EU first announced that messaging apps may have to work together in early 2022, many leading cryptographers opposed the idea, saying it adds complexity and potentially introduces more security and privacy risks. Carmela Troncoso, an associate professor at the Swiss university École Polytechnique Fédérale de Lausanne, who focuses on security and privacy engineering, says interoperability moves could potentially lead to different power relationships between companies, depending on how they are implemented.

“This move for interoperability will, on the one hand, open the market, but also maybe close the market in the sense that now the bigger players are going to have more decisional power,” Troncoso says. “Now, if the big player makes a move and you want to continue being interoperable with this big player, because your users are hooked up to this, you're going to have to follow.”

While the interoperability of encrypted messaging apps may be possible, there are some fundamental challenges about how the systems will work in the real world. How much of a problem spam and scamming will be across apps is largely unknown until people start using interoperable setups. There are also questions about how people will find each other across different apps. For instance, WhatsApp uses your phone number to interact and message other people, while Threema randomly generates eight-digit IDs for people’s accounts. Linking up with WhatsApp “could de-anonymize Threema users,” Weis, the Threema spokesperson says.

Meta’s Brouwer says the company is still working on the interoperability features and the level of support it will make available for companies wanting to integrate with it. “Nobody quite knows how this works,” Brouwer says. “We have no idea what the demand is.” However, he says, the decision was made to use WhatsApp’s existing architecture to run interoperability, as it means that it can more easily scale up the system for group chats in the future. It also reduces the potential for people’s data to be exposed to multiple servers, Brouwer says.

Ultimately, interoperability will evolve over time, and from Meta’s perspective, Brouwer says, it will be more challenging to add new features to it quickly. “We don't believe interop chats and WhatsApp chats can evolve at the same pace,” he says, claiming it is “harder to evolve an open network” compared to a closed one. “The second you do something different—than what we know works really well—you open up a wormhole of security, privacy issues, and complexity that is always going to be much bigger than you think it is.”

WhatsApp Chats Will Soon Work With Other Encrypted Messaging Apps

A path traversal vulnerability in version 1.4.0 or newer of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with.


**Allegro AI ClearML path traversal vulnerability**

High severity GitHub Reviewed Published Feb 6, 2024 to the GitHub Advisory Database • Updated Feb 6, 2024

GHSA-m95h-p4gg-wfw3: Allegro AI ClearML path traversal vulnerability

Deserialization of untrusted data can occur in version 0.17.0 or newer of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.


**Allegro AI ClearML vulnerable to deserialization of untrusted data**

High severity GitHub Reviewed Published Feb 6, 2024 to the GitHub Advisory Database • Updated Feb 6, 2024

GHSA-cpcw-9h9m-wqw9: Allegro AI ClearML vulnerable to deserialization of untrusted data

The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

Released today, the Malwarebytes State of Malware 2024 report takes a deep dive into the latest developments in the world of cybercrime. 

As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. Sadly, there’s not a lot you can do to prevent incidents like these yourself, other than stay on top of the news and protect yourself against identity theft. 

But other threats you can do something about. So in this article we’ll focus on what threats affect you directly and how you can protect yourself. 

**Privacy **

In the last year, the UK’s Online Safety Act attempted to challenge the status quo for social media and messaging companies. The act was widely interpreted as a demand that companies scan users’ messages for illegal material, and is a first warning about the directions in which privacy may continue to be threatened in the name of greater good.  

It also acts as a reminder to be careful about what you share, even if you are under the impression that you are using the internet securely. We have seen news of ChatGPT leaking user’s information and law enforcement asking for backdoors in encryption routines. 

**Passwords **

Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished.

We’d like to see more companies embrace new methods of authentication and wave passwords goodbye: Too many breaches have shown us that user education only works for those that were already doing the right things. Keeping track of the hundreds of passwords an average user has, along with the relative complexity of using a password manager have convinced us it’s time for a better alternative. 

**Malvertising **

If the last year has taught us something, it’s that scammers and malware peddlers can afford to buy sponsored search results and outbid the brand owner so that their links come out on top. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware. 

Despite efforts on the side of search providers like Google, the cybercriminals remained one step ahead, able to consistently bypass ad verification checks all year. The type of malware that’s used varies with each campaign but infostealers (which gather information from your computer, such as usernames and passwords) were the most common type. 

**Banking Trojans **

Banking trojans are one of the most serious threats facing Android devices. Banking trojans come disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular apps like Instagram. 

The malicious app asks the user for permissions that allow it to monitor what happens in other apps and will then create overlay screens for legitimate apps. This allows them to capture login credentials and even multi-factor authentication (MFA) tokens.

**Mac malware **

The days of “my Mac is safe” and “Macs don’t get malware” are definitely over. There are many signs that criminals are taking note of the platform’s increasing popularity by enabling attacks to target both Windows and Mac users at the same time. 

Contrary to outdated beliefs, malware for Macs has always existed, it was just considered less serious since most Mac malware was adware or potentially unwanted programs (PUPs). This is changing. For example, in September, 2023, Malwarebytes discovered a cybercriminal campaign spreading Atomic Stealer (AMOS) malware to Mac users through malicious ads. AMOS malware can steal passwords from browsers and Apple’s Keychain, as well as grab files.

**Malwarebytes  **

Malwarebytes has solutions to safeguard individuals’ data and identities. We can protect your Android and iOS devices, Macs, Chromebooks, and Windows systems. We also have software to protect your identity, safeguard your online privacy, and block unwanted ads and trackers.

 State of Malware 2024: What consumers need to know 

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer.
"This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News.
Ov3r_Stealer

Social Engineering / Malvertising

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed **Ov3r\_Stealer**.

"This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News.

Ov3r\_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

While the exact end goal of the campaign is unknown, it's likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r\_Stealer could be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.

The starting point of the attack is a weaponized PDF file that purports to be a file hosted on OneDrive, urging users to click on an "Access Document" button embedded into it.

Trustwave said it identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy as well as via Facebook ads for digital advertising jobs.

Users who end up clicking on the button are served an internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord's content delivery network (CDN). The shortcut file then acts as a conduit to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary ("control.exe").

The execution of the CPL file leads to the retrieval of a PowerShell loader ("DATA1.txt") from a GitHub repository to ultimately launch Ov3r\_Stealer.

It's worth noting at this stage that a near-identical infection chain was recently disclosed by Trend Micro as having put to use by threat actors to drop another stealer called Phemedrone Stealer by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).

The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r\_Stealer shares code-level overlaps with Phemedrone.

"This malware has recently been reported, and it may be that Phemedrone was re-purposed and renamed to Ov3r\_Stealer," Trustwave said. "The main difference between the two is that Phemedrone is written in C#."

The findings come as Hudson Rock revealed that threat actors are advertising their access to law enforcement request portals of major organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.

They also follow the emergence of a category of infections called CrackedCantil that take leverage cracked software as an initial access vector to drop loaders like PrivateLoader and SmokeLoader, when subsequently act as a delivery mechanism for information stealers, crypto miners, proxy botnets, and ransomware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

Today, Malwarebytes released its 2024 State of Malware report, detailing six cyberthreats that resource-constrained IT teams should pay attention to in 2024. Top of the list is “Big Game” ransomware, the most serious cyberthreat to businesses all around the world.

Big game attacks extort vast ransoms from organizations by holding their data hostage—either with encryption, the threat of damaging data leaks, or both. The report reveals that, awash with money, the number of known Big Game attacks surged by 68% in 2023, thanks to Ransomware-as-a-Service groups like LockBit and ALPHV.

Known ransomware attacks July 2022 – December 2023

Big Game ransomware is just one part of a thriving and highly organized cybercrime business—a multi-billion-dollar mirror to the legitimate economy it feeds off. Its ecosystem supports entire supply chains, dotted about with specialized organizations like access brokers and malicious software vendors. It has brand names, PR stunts, HR departments, incentive schemes, and “employees of the month.”

And like broader, law-abiding “Business” at large, cybercrime has settled on a collection of tools that work. Its activity is built around evergreen techniques like phishing, software exploits, and password guessing, along with mature malicious technologies like info stealers, trojans, and ransomware.

For years, the latest iterations of these ideas have only offered marginal improvements on their predecessors. As a result, innovation in cybercrime has increasingly shifted towards tactics—advancements that focus more on how attacks can succeed and less on what malware can do. The 2024 State of Malware report also details how ransomware gangs use Living of the Land (LotL) techniques to hide in plain sight, and how one gang, CL0P, turned to automated zero-day attacks to break ransomware’s scalability barrier.

The report also explains how cybercriminals turned to a tactic called “malvertising” in 2023, using search ads and disposable websites that mimic legitimate brands to distribute malware as an alternative to malicious emails and document macros.

And as Macs continued to buck the trend in declining PC sales, some criminals began to add Mac malware, like Atomic Stealer, to their Windows distribution channels.

As we enter 2024, malware is as dangerous as ever, but when it is used, it is just one link in an attack chain of multiple different threats. IT and security teams now face active adversaries, zero-day exploits, compromised accounts, social engineering, and a range of other threats that don’t meet the traditional definition of malware. Against this backdrop, security budgets are shrinking while resource-constrained IT and security teams firefight ever more complex environments.

When it comes to security, “more of the same” will not work in 2024, so this year’s report also outlines what effective cyberdefense in the year ahead will require.

To learn more about the most serious threats facing IT teams in 2024, and how to combat them, download the 2024 State of Malware report.

Tag

#git