An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message.

**free5GC AMF denial of service vulnerability**

High severity GitHub Reviewed Published Dec 22, 2023 to the GitHub Advisory Database • Updated Dec 22, 2023

GHSA-jcrr-rr6w-8c83: free5GC AMF denial of service vulnerability

Members of the US Congress touted improvements to children’s privacy protections as an urgent priority. So why didn’t they do anything about it?

It’s been 15 years since suicides overtook homicides as the second leading cause of death for children ages 10 to 14 years old. Two years since the first Meta whistleblower warned United States senators that America’s children are at risk from “disastrous” decisions being made in Silicon Valley. (And a little over a month since a second Meta whistleblower testified, “They knew and they were not acting on it.”) And it’s been roughly one year since a wave of new, younger lawmakers—many raising their own young children—were seated in the House of Representatives. “As a mom of two kids, you know, we want to make sure that their online experience is safe,” Representative Beth Van Duyne, a Texas Republican, tells WIRED.

All those changes—including an alarming doubling of the adolescent suicide rate—and yet, one constant remains: congressional inaction. Amid a flurry of blockbuster whistleblower hearings, soaring campaign promises, tear-soaked press conferences with the families of teens lost to cyberbullying, and dozens of competing bills that members have introduced aimed at protecting kids in cyberspace—nothing.

Congressional inaction has left the door open for the Biden administration to lead on the issue. On Wednesday, the Federal Trade Commission unveiled its proposal for a new set of guidelines to govern social media firms. The FTC wants to prohibit social media companies from identifying children—like targeting their cell numbers—when they’re online, while also limiting which data is collected on students, including having apps not target children under 13 with ads by default. With House Republicans now taking steps to impeach Joe Biden, why would they want to cede their oversight authority over American tech firms to the White House? Most don’t.

With so much interest—and increased pressure from agencies like the FTC—why hasn’t Congress protected kids yet? “I’ve never been able to figure that out either,” Representative Dan Crenshaw, a Texas Republican who sits on the Energy and Commerce Committee, which has jurisdiction on the issue, tells WIRED. Of course, there are theories floating around the marble halls of the US Capitol.

“M–O–N–E–Y”

Teams of tech lobbyists on Capitol Hill have dropped upward of $75 million (not including Q4 totals, which aren’t due until January 22) in 2023. Of the 637 “internet” lobbyists, as money and politics nonprofit Open Secrets dubs the sector, a whopping 73.31 percent are former government employees. Many of these lobbyists are from the same congressional offices and committees now tasked with regulating the internet. They’re not very subtle.

One social media firm or another seems to always be blanketing Washington with a feel-good, policy-focused ad campaign. At the start of the year, TikTok—which, at $3.7 million, spent more in Q3 lobbying this year than it did throughout all of 2019 and 2020 combined—plastered DC’s metro system, historic Union Station, and _The Washington Post_ with ads. When its CEO was dragged in to testify to an angry Congress this spring, it even paid for travel, room, and board for dozens of sympathetic “influencers.” For the past month or so, Meta ads have blanketed the Beltway: “Instagram supports federal legislation that puts parents in charge of teen app downloads,” the ad reads, without saying which measures it’s actively trying to kill on Capitol Hill.

Lawmakers say the ad blitz shows what they’re up against from technology firms. “M–O–N–E–Y,” Senator Josh Hawley, a Missouri Republican, spells out to WIRED. “They’re only in favor of stuff if they can write it.”

In the last Congress and again this summer, two key kid-focused digital measures both sailed through the Senate Commerce Committee. The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) outlaws targeting children with advertising while also banning data collection on teenage social media users, to name a few of its provisions. The controversial Kids Online Safety Act (KOSA) mandates annual minor-focused risk assessments within social media giants while also giving parents and regulators new tools to protect children.

The two measures enjoy broad support, which is why they get out of committee with ease. But they’ve never been brought to the Senate floor for a vote by all 100 US senators. Critics say many members are supportive in the relatively obscure confines of their committees, but some of that support withers away under the intense lobbying scrutiny that comes once bills make the queue for Senate consideration. So far, members have been shielded, but those days seem to be over. “That’s because, in committee, they know they’re not going to have to vote on it on the floor. I know that for a fact,” Hawley, who’s up for reelection in 2024, says. “I can tell you, I’m going to get much more aggressive come the new year about forcing votes. I think it’s time to start putting people on record.”

The thing is, no one really knows what would happen if COPPA 2.0 or KOSA were voted on. “I don’t have any predictions or any insights,” Senator Roger Wicker, the Mississippi Republican who chaired the Commerce Committee until Democrats reclaimed senatorial power in 2021, tells WIRED. The resistance remains hard to nail down. Republicans blame Democrats. Democrats blame Republicans. Everyone blames the tech industry. “In the legislative process where you’re not bringing something to the floor for debate—which is where you could have a lot of input—then one person can hold something up,” Senator Maria Cantwell, a Democrat who chairs the Senate Commerce Committee, tells WIRED.

Because a broader data privacy bill remains gridlocked to death on Capitol Hill, Congress now has these offshoot measures aimed specifically at children, according to Cantwell. “We want to get a privacy bill, overall,” she says. “That’s what we focused on, because we think that framework gives the biggest protections, including for kids. But we’ve allowed these \[children-focused measures\] to see if they can make it through so that they wouldn’t have to be part of a larger discussion.”

While Hawley’s convinced Big Money keeps derailing the effort, others disagree. These issues just take time, nuance, and compromise, congressional leaders in both chambers argue. “We keep trying. We need a bipartisan, bicameral consensus, and that’s what we’re trying to do,” Representative Frank Pallone, the top Democrat on the House Energy and Commerce Committee, tells WIRED. “I don’t think it’s any special interest. I think it’s just the fact that it’s hard to get the Senate and the House and the Democrats and Republicans to agree, but we’re trying. I think we’re making progress.”

KOSA Complications

In the last Congress, KOSA—the Kids Online Safety Act—was formally endorsed by 13 Senate cosponsors. That number has more than tripled to 46 cosponsors in this Congress. KOSA cosponsors—Senators Marsha Blackburn, a Republican from Tennessee, and Richard Blumenthal, a Connecticut Democrat—say their personal lobbying of their colleagues is paying off, even if the measure remains stalled. “We’re pushing forward,” Blumenthal tells WIRED. “I’m very hopeful we’ll see a vote early next year. I think we’re feeling it.” Still, while the measure is broadly bipartisan, there’s been a recent wave of opposition to it on the civil libertarian left.

In our post-_Roe_ reality, digital rights and reproductive freedom are now intertwined, and highly suspect. KOSA is now in the crosshairs of groups like the American Civil Liberties Union (ACLU) over free speech and expression concerns. This fall, upward of 100 parents of trans and gender-expansive children penned an open letter opposing KOSA, saying it would “make our kids less safe, not more safe.”

“It would grant extraordinary new power to right-wing state attorneys general to dictate what content younger users can see on social media, cutting our kids off from lifesaving online resources and community,” the letter, released by digital rights group Fight for The Future, reads. “These are the same attorneys general that are actively working to ban gender-affirming health care that saves kids’ lives, criminalize drag performances, and label families that accept our children as ‘groomers’ and ‘child abusers.’”

The outcry from the progressive end of the spectrum has given those groups new, powerful advocates in Congress. In the end of the year legislative-twister at the Capitol, some KOSA supporters were itching for the proposal to be “fast-tracked,” a unanimous consent agreement where all 100 senators surrender their right to filibuster. But opponents got word and put an end to those efforts. “Until the bill is amended to foreclose the ability of state attorneys general to wage war on important reproductive and LGBTQ content, I will object to any unanimous consent request in relation to this legislation,” Senator Ron Wyden, an Oregon Democrat, told his Senate colleagues in a speech on the Senate floor last month.

KOSA’s sponsors know they still haven’t secured the 60 votes needed for passage, so one alerted party leaders they would oppose their own measure if it were brought up before the New Year. Senate Majority Leader Chuck Schumer’s office didn’t respond to a request for comment on whether he had—or has—plans to bring it to the floor. But Schumer says that before Congress can effectively regulate generative AI—one of his top priorities—America needs a federal data privacy law. “There was pretty much consensus that we need some kind of privacy law,” Schumer told reporters last month. “There are lots of disagreements, but it’s important to try and get that done.”

One Thing After Another

Over in the House, most eyes are on whether freshman speaker Mike Johnson can avert a government shutdown in the New Year. With such a green leader at the helm, House committees are, seemingly, more powerful than before, as members report trying to be the first person to get Johnson’s ear on an array of issues. While there’s no companion measure to KOSA in the House, children’s data privacy remains a top priority for the GOP majority in that chamber. The issue came up as a top priority in the last weekly in-person meeting of the Republican majority on the powerful House Energy and Commerce Committee.

“It’s not dead. It’s a priority for us,” Representative Richard Hudson, a North Carolina Republican, tells WIRED. He’s the current chair of the National Republican Congressional Campaign Committee where he’s tasked with helping the GOP expand its House majority—or, at least, not lose its majority—in 2024. Hudson knows many of his newer members ran on protecting the nation’s children from online predators, legal and illegal ones alike. Now comes the hard work of threading the proverbial needle. “It’s a very difficult question,” Hudson says. “You’re trying to balance rights versus protecting kids, and that’s tough. But our chairwoman is very focused on getting it done.”

If these children’s data measures are ever debated and voted on, dozens of other more niche privacy protection measures will likely be offered by both party’s rank-and-file lawmakers. Some ideas focus on protecting reproductive and geolocation data from law enforcement, especially in states that have outlawed most abortions. Other measures would strip Section 230 liability protections from sites that, say, host child sexual abuse material or promote the sexual abuse of minors. Another proposal would incentivize, through drastically increased federal fines, tech firms to proactively report any child exploitation efforts they uncover.

There’s more. This year in the Senate, a new bipartisan measure was introduced to outright ban social media for children under 13, while also requiring parental consent until those minors turn 18. Its sponsors include some of the Senate’s most conservative lawmakers—Tom Cotton, an Arkansas Republican, and Katie Britt, an Alabama Republican—and some of the chamber’s most progressive members—Chris Murphy, a Connecticut Democrat, and Brian Schatz, a Hawaii Democrat. Just bringing a measure to protect minors to the floor without ensuring its passage isn’t good enough for Schatz.

“If we can enact it, that would be great, but there’s no sense bringing something to the floor just to make a point,” Schatz, a father of two, tells WIRED.

If party leaders don’t put one or all of these bills on the floor for votes, Hawley, the Republican senator, vows to use all the instruments in his senatorial toolkit to force the issue in 2024.

“I think it’s time to start putting people on record,” Hawley, who authored a measure prohibiting social media accounts for children under age 16, tells WIRED. “Clearly, the leadership’s not going to bring this to the floor. I think that’s pretty clear. So I think we’ve got to get much more aggressive about forcing votes. What I’d really love to do is start trying to attach this to bills where we have roll call votes, because members hate roll call votes. So expect me to get very aggressive about this.”

Hot Air

Congress knows how to grab headlines—making laws is another conversation. This 118th Congress, with a mere 22 bills signed into law, is currently the least productive session witnessed in decades.

While no data privacy votes are scheduled in the new year, a fireworks display is already on the books. Fresh into the start of 2024, senators on the judiciary committee are dragging in five tech CEOs for a made-for-campaign-fodder hearing on children’s privacy issues. Law enforcement was already called in. See, while TikTok CEO Shou Zi Chew and Meta’s Mark Zuckerberg agreed to testify, subpoenas—some hand-delivered by US marshals after Discord and X “refused to cooperate”—were issued for the other three tech titans: X CEO Linda Yaccarino, Snap’s Evan Spiegel, and Discord’s Jason Citron.

“We’ve known from the beginning that our efforts to protect children online would be met with hesitation from Big Tech. They finally are being forced to acknowledge their failures when it comes to protecting kids. Now that all five companies are cooperating, we look forward to hearing from their CEOs,” Senators Dick Durbin, the committee’s Democratic chair, and Lindsey Graham, the committee’s top Republican, released in a joint statement the Monday before Thanksgiving. “Parents and kids demand action.”

Parents and kids are still wondering whether they can count on this Congress for that action. As of now, Congress has shown they can’t.

Congress Sure Made a Lot of Noise About Kids’ Privacy in 2023—and Not Much Else

I tried to sell a futon on Facebook Marketplace and nearly all I got were scammers.

This year, I decided to get rid of my Amazon starter couch and buy a real one. So I listed the generic, velvet-green futon on Facebook Marketplace, thinking some college students or recent New York transplants would happily scoop it up at a discounted price.

Since September, I have received many inquiries about this couch—nearly all from people who are likely scammers. They respond to the listing and offer me full price in Facebook Messenger from the jump (maybe my first clue, a real Facebook Marketplace veteran knows to haggle). Then, they ask some basic questions that are already in the item’s description: “Where are you located?” “What’s the condition?” Once I’ve repeated myself and given the cross streets closest to my home, there comes another refrain: The buyer either says they must pay now, so that I would take the item off the listing, or so that their husband/brother/son/mover, you name it, can come pick up the futon later that day.

Because it seems no real person would offer to send payment over Zelle _before_ ever seeing that the futon is real, I didn’t accept any of these offers. If I did, it’s likely these people would have sent a phishing link—either as a text to my phone number or in an email—disguised as communication from Zelle, looking to drain me of more money than the couch is worth. For now, I’m stuck with this futon, folded up in the corner of my tiny apartment. So far I’ve been unable to use Facebook Marketplace for its intended purpose: buying and selling useful things among my neighbors.

What happened to me is just one example of the many ways experts say people are getting scammed on Facebook Marketplace. Some scams come from what looks like a seller listing big-ticket items that don’t exist, like a car, and asking for prepaid debit cards purporting to be for eBay and Amazon payments as down payments before vanishing. Peer-to-peer online shopping has always been a buyer-beware endeavor, but sellers themselves are being scammed too. A freelance writer from Australia recounted her own embarrassing story in _The Guardian_ just last month, when she lost $1,000 while trying to sell a pair of boots after plugging sensitive information into a phishing link sent by a scammer.

Facebook is far from the only place scams happen—they’re common across many online selling platforms. But as its Marketplace has soared in popularity since its debut in 2016, scammers have sought to exploit the tool, experts say. Marketplace’s design supplied a layer of transparency and trust for person-to-person transactions; rather than interacting anonymously through a Craigslist ad, people were using profiles that typically included full names and photos. And with an existing Facebook profile, users could upload photos, write descriptions, and seamlessly post a listing with just a few clicks. By 2021, Facebook Marketplace had 1 billion monthly users, growing as ecommerce flourished during the height of the Covid-19 pandemic.

Now, bad actors are relying on that built-in trust to manipulate people out of far more money than their second-hand items may be worth. The scams have become a common feature of the app, and Meta, the $800 billion parent company of Facebook, hasn’t been able to shut them down.

“What happens offline often makes its way into online environments, and that unfortunately includes scams," Ryan Daniels, a Meta spokesperson, tells me. Daniels says the company works “aggressively to quickly identify, disable, and ban scams and accounts associated with them.” The company is also working on a new notification system to “help people better identify potential scams around payment apps" that should begin rolling out over the next few months. Daniels did not share more information about how those notifications will work.

Many scams and attempted scams go unreported, so it’s impossible to understand the scale of the problem. In a 2022 survey of 1,000 people in England, one in six said they were scammed on the marketplace. Another 2022 survey of 1,000 people in the US found that 62 percent had encountered a scam on Facebook. From January 2022 to November 2023, the Better Business Bureau’s scam tracker logged more than 1,200 reports that mentioned Facebook Marketplace in the US and Canada.

The scammers targeting me followed the same script: two messages from different accounts even included the same odd spacing format and just changed a word or two from each other, asking: “Alright I hope this is a legit post because I will be paying the $100 now so you can mark the item as sold my sister will come pick it up but I’ll send the money?” As more of these messages flowed into my DMs, I insisted on being paid in person, and the potential buyers vanished after one or two more wild excuses as to why that wouldn’t be possible. When I wrote “bye, scammer” to one, they replied with “lmao” just before I reported the profile to Facebook.

The scams follow similar patterns, because fraudsters conduct business like multilevel marketers, says Adrianus Warmenhoven, a member of the security advisory board for network security company NordVPN. Someone may develop a scam, then sell it as a toolkit with scripts and phishing links. People also can buy orphaned and hacked Facebook accounts, giving them access to profiles that look like real people with long account histories. Many of the messages I received came from accounts that were created a decade ago or more, showing that these aren’t new accounts created for the sole purpose of scamming people on Marketplace. “A lot of criminal stuff is not being executed by computer-savvy or even criminal-savvy people,” Warmenhoven says. Some of these tools, experts say, are sold on the dark web. But there are also chats on Telegram advertising hundreds of bundled bunches of Facebook accounts from specific countries for sale in bulk. Telegram did not respond to a request for comment.

Some scams encourage people to upgrade their Zelle accounts to a business tier to receive money from a buyer, according to the Better Business Bureau, and come from emails mimicking Zelle, but with different domains. That upgrade appears to cost $300, and the buyer promises to send it if the seller will then refund it. The catch: the $300 was never sent and appeared only in faked screenshots or emails. So, when the seller sends $300, they're really just losing the money.

Zelle’s website notes that it will send emails only from domains ending in @zelle.com and @zellepay.com, and any others could be scams. The company did not answer more specific questions about Facebook Marketplace scams, citing an effort to keep intel from fraudsters.

Other scammers use Google Voice, asking people for their verification code—all under the guise of verifying that the person isn’t a scammer. But with that code, a scammer can then create a Google Voice number using the victim’s phone number, which helps them to conceal their identity for future scams. Additionally, it can help them impersonate someone and get access to their accounts, according to the US Federal Trade Commission. When asked for comment on Facebook Marketplace scams, Google pointed to guidance it posts for people to not share their verification codes, and the company has ways for people to reclaim stolen Google Voice numbers.

Experts say the constant evolving nature of scams makes them tricky for companies to defeat. “It’s a giant game of whack-a-mole,” says Zulfikar Ramzan, chief scientist with digital security company Aura. “They change something about the way they’ve done a scam. It’s really difficult for any organization to keep up with that volume at scale.”

Meta has continued to grow Facebook Marketplace even as scams linger. A 2022 ProPublica investigation found that Facebook Marketplace scams had run rampant and that the company was potentially understaffed to a degree that impeded its ability to stop scammers. In addition to in-house workers, Meta had contracted 400 Accenture workers around the world and gave each person more than 600 complaints or requests for help to process each day. Even worse, ProPublica found a number of alleged armed robberies and murders had occurred in relation to Facebook Marketplace meetups. Meta, Facebook’s parent company, did not answer questions about how it monitors scams now and the information in the ProPublica investigation.

Facebook Marketplace has evolved to more than just selling in the neighborhood. There are options to ship products after a sale, and some small shops have used the platform to grow their business. All of these different types of transactions bring different concerns about scams. Marketplace offers purchase protection, but it doesn’t cover payments made through third-party sites like Zelle, items picked up locally, or transactions conducted through Facebook Messenger.

I lost track of the number of people who seemed eager to scam me—I reported lots of scammers and then left chats, which disappeared. A few people may have been legitimately interested but dropped off early in the conversation. In the end, the frustration wasn’t worth the cash. I’m stuck with this couch, and there’s only one solution left. I’m heading over to another side of Facebook entirely: Buy Nothing.

Facebook Marketplace Is Being Ruined by Zelle Scammers

Affected versions of this crate did not validate the size of buffers when attempting to decode messages.

This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.

This flaw was corrected by validating the size of the buffers before attempting to decode the message.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-6ggr-cwv4-g7qg

**Remotely exploitable denial of service in Rosenpass**

High severity GitHub Reviewed Published Dec 21, 2023 to the GitHub Advisory Database • Updated Dec 21, 2023

**Package**

cargo rosenpass (Rust)

**Affected versions**

< 0.2.1

**Description**

Affected versions of this crate did not validate the size of buffers when attempting to decode messages.

This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.

This flaw was corrected by validating the size of the buffers before attempting to decode the message.

**References**

*   rosenpass/rosenpass@9343985
*   https://rustsec.org/advisories/RUSTSEC-2023-0077.html

Published to the GitHub Advisory Database

Dec 21, 2023

Last updated

Dec 21, 2023

GHSA-6ggr-cwv4-g7qg: Remotely exploitable denial of service in Rosenpass

Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.

In a notice for its customers, Xfinity acknowledges it recently fell victim to a data security incident. Xfinity is Comcast’s brand for TV, internet, and home phone services, sometimes referred to as Comcast Cable Communications.

During the data breach the attackers were able to access 35.8 million customers’ usernames and hashed passwords. For some customers, other personal information may have been exposed, such as names, contact information, the last four digits of social security numbers, dates of birth, and secret questions combined with answers.

On October 25, 2023, Xfinity discovered suspicious activity and subsequently determined that between October 16 and 19 unauthorized access to its internal systems occured.

Xfinity says it notified federal law enforcement and started an investigation, which revealed the attackers had used the Citrix Bleed vulnerability. Affiliates of at least two ransomware groups, LockBit and Medusa, have been observed exploiting Citrix Bleed as part of attacks against organizations. Whether one of those affiliates was behind this attack is not known.

On October 10, 2023, Citrix released security updates to address Citrix Bleed, but many organizations struggle to patch in a timely manner. Although you would expect a large company like Comcast to have some type of vulnerability and patch management deployed.

The company is notifying customers through a variety of channels, including through the Xfinity website, email, and news media.

Xfinity has required customers to reset their passwords to protect affected accounts. In addition, Xfinity strongly recommends that customers enable two-factor or multi-factor authentication to secure their Xfinity account.

It is not advisable to use the same password for multiple accounts, but if you did, Xfinity recommends that you change the passwords for any accounts that share your Xfinity password.

Customers with questions can contact Xfinity’s dedicated call center at 888-799-2560 toll-free 24 hours a day, seven days a week. More information is available on the Xfinity website.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Comcast’s Xfinity breached by Citrix Bleed; 36 million customer’s data accessed 

Learn how RaaS gangs use LOTL tactics in their attacks on organizations.

Discover the intersection of **Ransomware-as-a-Service (RaaS)** gangs and **Living Off The Land (LOTL)** attacks in our latest webinar, now available on-demand, led by cybersecurity experts Ian Thomas, Mark Stockley, and Bill Cozens.

The webinar revealed how RaaS gangs use LOTL tactics, leveraging legitimate IT tools like Powershell and WMI to blend malicious activities within normal network operations, significantly challenging detection efforts.

Attendees gained an in-depth understanding of LOTL attacks, tools exploited by RaaS gangs, and strategies for IT teams to identify and block these advanced threats.

Some highlights from the webinar include:

*   **Expert analysis**: Insights from seasoned cybersecurity professionals on the critical need for multi-layered defense strategies.
*   **Practical advice**: Real-world, actionable tips for IT teams to detect and counter covert LOTL operations.
*   **Case studies**: Detailed scenarios demonstrating the impact and complexity of LOTL attacks.

Understanding the relationship between LOTL and RaaS is vital for evolving cybersecurity strategies. The webinar emphasizes the importance of blending technology and human expertise to detect and combat these sophisticated threats effectively.

Enhance your ransomware knowledge and preparedness by watching this essential webinar on-demand. Alternatively, download the report that the webinar is based on here.

**Watch the webinar on-demand**

 Webinar recap: Ransomware gangs and Living Off The Land attacks (LOTL) 

By Waqas
Peach Sandstorm, also recognized as HOLMIUM, has recently focused on global Defense Industrial Base (DIB) targets.
This is a post from HackRead.com Read the original post: Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector

In its latest campaign, Iranian state-backed hackers, Peach Sandstorm, employs FalseFont backdoor for intelligence gathering on behalf of the Iranian government.

Cybersecurity researchers at Microsoft Threat Intelligence Unit have uncovered the latest activities of the Iranian nation-state actor Peach Sandstorm, also known as HOLMIUM. The group has been making efforts to deploy a newly developed backdoor called FalseFont, specifically targeting individuals within the Defense Industrial Base (DIB).

This disclosure follows Microsoft’s earlier findings, outlined in a September 2023 blog post, where Peach Sandstorm was identified as targeting sectors such as satellites and pharmaceuticals on a global scale.

Identity attack lifecycle of Peach Sandstorm as of September 2023 (Microsoft)

Microsoft’s investigative team believes that Peach Sandstorm is actively pursuing intelligence gathering for the Iranian government, aligning their actions with state interests.

According to Microsoft’s tweets shared today, FalseFont stands out as a custom backdoor equipped with a diverse set of functionalities. These capabilities enable operators to gain remote access to compromised systems, execute additional files, and transmit information to its Command and Control (C2) servers. The first instances of FalseFont in action were detected against targets in early November 2023.

The development and deployment of FalseFont showcase a consistent evolution in Peach Sandstorm’s tactics, a trend observed by Microsoft over the past year. This suggests a continuous effort by Peach Sandstorm to enhance their tradecraft.

It’s worth noting that Microsoft Defender Antivirus already detects FalseFont as Backdoor:MSIL/FalseFont.A!dha. Although Microsoft is monitoring Peach Sandstorm’s activities, unsuspecting users should be on the lookout for phishing and social engineering attacks that may be employed by Peach Sandstorm to spread the FalseFont backdoor.

Here are some key points to follow for protection against phishing and social engineering attacks that may deliver the FalseFont backdoor to your device:

*   **Be Skeptical of Emails:** Exercise caution when receiving unexpected emails, especially those containing suspicious attachments or links. Verify the sender’s legitimacy before interacting with any content, as FalseFont often infiltrates systems through phishing emails.
*   **Update Security Software:** Ensure that your antivirus and anti-malware software are up-to-date. Regularly install security patches and updates to safeguard against vulnerabilities that attackers might exploit to deliver the FalseFont backdoor.
*   **Verify Email Addresses:** Double-check email addresses, particularly in communication related to sensitive information or financial transactions. FalseFont attackers often use deceptive email addresses to mimic legitimate entities.
*   **Use Multi-Factor Authentication (MFA):** Implement MFA for all relevant accounts to add an extra layer of security. Even if credentials are compromised, MFA can prevent unauthorized access, reducing the risk of FalseFont infiltration.
*   **Employee Training:** Conduct regular phishing awareness training for employees to recognize and report suspicious emails. Educate them about the tactics used by attackers to deploy FalseFont and emphasize the importance of staying alert.

**Guarding Against Social Engineering Attacks Delivering FalseFont:**

*   **Verify Caller Identity:** Be cautious when receiving unexpected calls or messages, especially those requesting sensitive information. Verify the identity of the caller independently before sharing any personal or confidential details.
*   **Beware of Urgency:** Social engineering attacks often create a sense of urgency or emergency. Be sceptical of requests demanding immediate action, and take time to independently verify the legitimacy of such communications to avoid falling victim to FalseFont.
*   **Limit Information Sharing on Social Media:** Minimize the amount of personal and professional information shared on social media platforms. Attackers may use publicly available details for targeted social engineering attacks, leading to the deployment of the FalseFont backdoor.
*   **Educate on Social Engineering Tactics:** Provide training on social engineering tactics and red flags associated with deceptive communication. Awareness about manipulation techniques helps users identify and thwart attempts to deliver FalseFont through social engineering.
*   **Regularly Review Privacy Settings:** Periodically review and adjust privacy settings on online accounts and social media platforms. Restricting access to personal information reduces the chances of attackers gathering details for crafting convincing social engineering attacks and deploying FalseFont.

****_RELATED ARTICLES_****

1.  **Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware**
2.  **Some social engineering & Facebook will gift your account to hackers**
3.  **Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
4.  **Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices**
5.  **Iran’s MuddyWater Group Hits Israelis with Fake Memo Spear-Phishing**

Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector

automad up to 1.10.9 is vulnerable to an authenticated blind server-side request forgery in `importUrl` as the `import` function on the `FileController.php` file was not properly validating the value of the `importUrl` argument. This issue may allow attackers to perform a port scan against the local environment or abuse some service.

**Authenticated Blind SSRF in automad/automad**

Moderate severity GitHub Reviewed Published Dec 21, 2023 to the GitHub Advisory Database • Updated Dec 29, 2023

GHSA-q5q3-qm26-9jwm: Authenticated Blind SSRF in automad/automad

A vulnerability was found in automad up to 1.10.9. This affects the function upload of the file `FileCollectionController.php` of the component `Content Type Handler`. The manipulation leads to unrestricted upload. The attack may be launched remotely and an exploit has been disclosed publicly.

**Unrestricted File Upload affecting automad**

Moderate severity GitHub Reviewed Published Dec 21, 2023 to the GitHub Advisory Database • Updated Dec 29, 2023

GHSA-fpph-mqc8-h6q5: Unrestricted File Upload affecting automad

automad up to 1.10.9 does not implement anti-CSRF tokens by default, making it vulnerable Cross-Site Request Forgery (CSRF). An attacker may exploit this vulnerability to force an admin into creating or deleting users. An exploit has been disclosed publicly.

**Cross-Site Request Forgery (CSRF) in automad/automad**

Moderate severity GitHub Reviewed Published Dec 21, 2023 to the GitHub Advisory Database • Updated Dec 29, 2023

Tag

#git