Categories: News
Tags: week

Tags:  security

Tags:  July

Tags:  2023

A list of topics we covered in the week of July 10 to July 16 of 2023



(Read more...)




The post A week in security (July 10 - 16) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (July 10 - 16)

By Waqas
The developer behind the malicious app, Limestone Software Solutions, has also been banned from the Google Play Store.
This is a post from HackRead.com Read the original post: Google Removes Swing VPN Android App Exposed as DDoS Botnet

The app under discussion, Swing VPN – Fast VPN Proxy, was uncovered as a DDoS botnet by a cybersecurity researcher named “Lecromee” on June 4th, 2023.

On June 4th, 2023, cybersecurity researcher “Lecromee” uncovered alarming information about the popular VPN app, Swing VPN – Fast VPN Proxy. Developed by Limestone Software Solutions for Android and iOS platforms, Swing VPN’s Android version was found to be operating as a dangerous **DDoS botnet**, posing significant risks to its unsuspecting users.

Hackread.com, first **reported on the issue** on June 21, 2023, after Lecromee’s investigation raised serious concerns. The findings indicated that the app, which claimed to offer legitimate VPN services, was harbouring malicious intent and could carry out distributed denial of service (DDoS) attacks.

Shortly after the report was published, Hackread.com was contacted by Google on June 22, confirming the veracity of the claims. In response to the alarming discovery, Google took immediate action and swiftly removed Swing VPN’s Android app with over 5 million installs from the **Google Play Store**.

It is worth noting that another app from Limestone Software Solutions, called **Hotspot for Swing VPN**, has also been removed from the app store along with Swing VPN – Fast VPN Proxy.

A Google spokesperson emphasized the company’s commitment to user safety and security, stating,

> “The app was removed from Google Play on June 22, and the developer has been banned. Users are also protected by Google Play Protect, which warns users of apps known to exhibit malicious behaviour on Android devices with Google Play Services, even when those apps come from other sources.”
> 
> Google

The removal of **Swing VPN – Fast VPN Proxy** app from the official app store highlights the ongoing challenges faced by platforms like Google Play in combating malicious apps. Unfortunately, such occurrences are not uncommon, and Google continuously works to enhance its security measures to protect users.

However, users themselves must remain vigilant and cautious about the apps they download and grant permission to. Cybersecurity experts recommend the following best practices to stay safe:

*   **Research Before Download**: Always research the app and its developer before downloading it. Check user reviews, ratings, and previous security incidents, if any.
*   **Update Regularly**: Keep all apps, including VPNs, up-to-date with the latest versions and security patches to minimize vulnerabilities.
*   **Verify Permissions**: Be cautious about granting excessive permissions to apps. Review and understand the permissions an app requests before installation.
*   **Use Reputable Sources**: Stick to trusted app stores like Google Play and Apple’s App Store to minimize the risk of downloading malicious apps.
*   **Antivirus Software**: Install reputable antivirus software on your device to detect and block potential threats.

As the digital landscape continues to evolve, staying informed and vigilant against cyber threats is crucial. The Swing VPN incident serves as a reminder that even seemingly legitimate apps can harbour dangerous intentions, making it essential for users to prioritize their online safety.

If you suspect any app or service is engaging in malicious behaviour, report it to the respective app store or platform immediately. By working together, users, researchers, and tech companies can create a safer digital environment for everyone.

If you are an Android user, you can follow this **link** to report an app or an app developer. For iOS users, this **link** can be helpful.

1.  Fake GitHub Repos Delivering Malware as PoCs
2.  Google kicks out 600 malicious apps from Play Store
3.  Apple removed all major VPN apps from Chinese App Store
4.  Google removes ClearURLs Chrome extension from its store
5.  Google Fails To Remove “App Developer” Behind Malware Scam

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Removes Swing VPN Android App Exposed as DDoS Botnet

CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker.

This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.



**CleverTap Cordova Plugin**

  

**👋 Introduction**

The CleverTap Cordova Plugin for Mobile Customer Engagement and Analytics solutions.

For more information check out our website and documentation.

To get started, sign up here.

**✅ Supported Versions**

*   CleverTap Android SDK version 4.6.6
*   CleverTap iOS SDK version 4.2.2

**🚀 Installation and Quick Start**

To install CleverTap for Cordova, follow the steps mentioned below:

When you create your CleverTap account, you will also get a -Test account. Use the -Test account for development and the main account for production.

**Install the Plugin**

Grab the Account ID and Token values from your CleverTap Dashboard -> Settings.

**For Android _Important_**

Starting with v2.0.0, the plugin uses FCM rather than GCM. To configure FCM, add your google-services.json to the root of your cordova project **before you add the plugin**.  
The plugin uses an after plugin add hook script to configure your project for FCM.  
If the google-services.json file is not present in your project when the script runs, FCM will not be configured properly and will not work.

**Using Cordova**

# ensure npm is installed: npm -g install npm
cordova plugin add https://github.com/CleverTap/clevertap-cordova.git --variable CLEVERTAP\_ACCOUNT\_ID="YOUR CLEVERTAP ACCOUNT ID" --variable CLEVERTAP\_TOKEN="YOUR CELVERTAP ACCOUNT TOKEN"

**Using Ionic**

ionic cordova plugin add clevertap-cordova@latest --variable CLEVERTAP\_ACCOUNT\_ID="YOUR CLEVERTAP ACCOUNT ID" --variable CLEVERTAP\_TOKEN="YOUR CELVERTAP ACCOUNT TOKEN"

**For Ionic 5**

npm install @ionic-native/clevertap --save 

*   Be sure to add CleverTap as a provider in your app module.

  constructor(platform: Platform, statusBar: StatusBar, splashScreen: SplashScreen, clevertap: CleverTap) {
    platform.ready().then(() \=> {
      // Okay, so the platform is ready and our plugins are available.
      // Here you can do any higher level native things you might need.
      statusBar.styleDefault();
      splashScreen.hide();

      ...
      clevertap.setDebugLevel(2);
      clevertap.getCleverTapID()((id) \=> {console.log(id)});
      ...
    });
  }
}

**🛠 Integration**

See our Technical Documentation for Android and Technical Documentation for iOS for instructions on integrating CleverTap into your app.

**📑 Documentation & Example**

*   See our CleverTap Plugin Usage Documentation
    
*   See the included Example Cordova project for usage.
    
*   See the included Ionic Example project for usage.
    

**⁉️ Questions?**

If you have questions or concerns, you can reach out to the CleverTap support team from the CleverTap Dashboard.

**TroubleShooting Guide:** Please refer here if you are facing common integration issues.

CVE-2023-2507: GitHub - CleverTap/clevertap-cordova: CleverTap Cordova Plugin

PNP4Nagios through 81ebfc5 has stored XSS in the AJAX controller via the basket API and filters. This affects 0.6.26.

Hi,

the AJAX controller allows for stored cross site scripting due to missing input validation.

Before this fix you could send and store arbitrary characters via the basket API and filters

Examples:

*   item="><svg/onclick=alert('foobar')> in add/basket
*   sfilters="><svg/onclick=alert('foobar')>

curl 'http://localhost:8080/pnp4nagios//ajax/basket/add' --compressed -X POST 
-H 'Accept: \*/\*' -H 'Accept-Language: en-US,en;q=0.5' 
-H 'Accept-Encoding: gzip, deflate, br' 
-H 'Referer: http://localhost:8080/pnp4nagios/graph?host=.pnp-internal&srv=runtime' 
-H 'Origin: http://localhost:8080' 
-H 'Connection: keep-alive' 
-H 'Sec-Fetch-Site: same-origin' 
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' 
-H 'X-Requested-With: XMLHttpRequest'
-H 'Pragma: no-cache' 
-H 'Cache-Control: no-cache' --data-raw $'item="><svg/onclick=alert(\\'foobar\\')>'

CVE-2023-38350: Fix XSS in AJAX controller for basket by martialblog · Pull Request #16 · pnp4nagios/pnp4nagios

PNP4Nagios through 81ebfc5 lacks CSRF protection in the AJAX controller. This affects 0.6.26.

Hello,

The controller was missing CSRF protection. This fix uses per-session tokens that are send with each POST request to the controller.

For this, I backported the Security.php from a newer Kohana, since an update of the entire Framework seemed counterproductive for this particular fix.

I'm not super fluent in PHP and therefore decided on a guard clause pattern, hope that's OK. Let me know if I should adjust anything.

Regards  
Markus

CVE-2023-38349: Add CSRF Token to Template View and AJAX Controller by martialblog · Pull Request #17 · pnp4nagios/pnp4nagios

Microsoft Edge for iOS Spoofing Vulnerability

CVE-2023-36883

All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords being added to the database in plaintext format.
"A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them," UpdraftPlus, the maintainers of AIOS,

Password Security / WordPress

All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords being added to the database in plaintext format.

"A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them," UpdraftPlus, the maintainers of AIOS, said.

"This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website."

The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were "absolutely shocked that a security plugin is making such a basic security 101 error."

AIOS also noted that the updates remove the existing logged data from the database, but emphasized successful exploitation requires a threat actor to have already compromised a WordPress site by other means and have administrative privileges, or gained unauthorized access to unencrypted site backups.

"As such, the opportunity for someone to gain privileges that they did not already have, are small," the company said. "The patched version stops passwords from being logged, and clears all previous saved passwords."

As a precaution, it's recommended that users enable two-factor authentication on WordPress and change the passwords, particularly if the same credential combinations have been used on other sites.

The disclosure comes as Wordfence revealed a critical flaw impacting WPEverest's User Registration plugin (CVE-2023-3342, CVSS score: 9.9) that has over 60,000 active installations. The vulnerability has been addressed in version 3.0.2.1.

"This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server," Wordfence researcher István Márton said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text

Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer RazerCentral <=7.11.0.558 on Windows allows a malicious actor with local access to gain SYSTEM privilege via communicating with the named pipe as a low-privilege user and triggering an insecure .NET deserialization.

**Summary**

**Product**

Razer CentralService

**Vendor**

Razer

**Severity**

High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.

**Affected Versions**

Razer Central 7.11.0.558 and below

**Tested Versions**

Razer Central 7.8.0.381 to 7.11.0.558

**CVE Identifier**

CVE-2023-3513

**CVSS3.1 Scoring System**

**Base Score:** 7.8 (High) **Vector String:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Local

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview**

Razer Synapse 3 is a software suite developed by Razer, a leading gaming hardware manufacturer. It serves as a centralized hub for customizing and optimizing Razer peripherals, including keyboards, mice, headsets, and other gaming accessories. With its intuitive user interface, Synapse 3 allows gamers to personalize their devices by creating unique profiles, assigning macros, and fine-tuning settings such as lighting effects and DPI sensitivity. This software provides seamless integration with cloud storage, enabling users to access their personalized configurations from anywhere. With its advanced features and extensive compatibility, Razer Synapse 3 empowers gamers to enhance their gaming experience and gain a competitive edge.

**Description of the vulnerability**

One of these services is called RazerCentralService.exe, which acts as a central service for managing user information and notifications. Other applications can communicate with this service through a named pipe. However, there is a bug in RazerCentralService.exe that allows a user with low privileges to execute code as a system on a machine with RazerCentralService installed.

While analyzing Razer software, we found that a file called RazerCentralService.exe``, which runs under the SYSTEM\`\` account, tries to access a non-existent file located at the following path:

    'C:\\ProgramData\\Razer\\Razer Central\\Accounts\\' + dirname +'\\Razer Central\\ConnectedAccounts\\ConnectedAccounts.bin'
    

The dirname variable represents a folder that begins with the prefix RZR_ followed by a series of hexadecimal characters. This folder is automatically generated once the user successfully logs into the system. Furthermore, we also verified the permissions assigned to the Razer Central folder.

    s:\windows\razer>icacls "C:\ProgramData\Razer\Razer Central\Accounts\RZR_xxxxxxxxxxxxxxxxxxxx\Razer Central"
    C:\ProgramData\Razer\Razer Central\Accounts\RZR_xxxxxxxxxxxxxxxxxxxx\Razer Central NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                                               CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                                                               BUILTIN\Users:(I)(OI)(CI)(RX)
                                                                                               BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
    
    Successfully processed 1 files; Failed processing 0 files
    

Within this directory, we possess the flexibility to incorporate files or folders. Additionally, we hold the capability to substitute the ConnectedAccounts\ConnectedAccounts.bin file with our personalized iteration. This particular binary file is safeguarded through encryption, utilizing the AES-CBC algorithm. Notably, it employs a hardcoded key that conveniently facilitates both encryption and decryption operations.

    def decrypt_ConnectedAccounts():
    	iv = "RZR_0280d8694a5582614c434074453e"[:16].encode('utf-8')
    	key = base64.b64decode("11Ir9bXYlDOU0xiKQszUlZ2N57TNS/GCAyLnZfj6Ibo=")
    	print (len(key)*8)
    	ciphertext = open(r"C:\ProgramData\Razer\Razer Central\Accounts\RZR_0280d8694a5582614c434074453e\Razer Central\ConnectedAccounts\ConnectedAccounts.bin", 'rb').read()
    	print ('===========')
    	cipher = AES.new(key, AES.MODE_CBC, iv)
    	plaintext = cipher.decrypt(ciphertext)
    	print (plaintext)
    	print ('================')
    

The code snippet below demonstrates the execution of a specific piece of code when the ConnectedAccounts.bin file undergoes deserialization using a binary formatter. This code is located within the AccountManager.dll module, which is loaded by the RazerCentralService.exe process.

    		private void Load()
    		{
    			try
    			{
    				SettingReadResult setting = this.m_settingsController.GetSetting("Razer Central", "ConnectedAccounts", "ConnectedAccounts.bin", SettingSource.Local, SettingSource.Undefined);
    				if (!setting.Success)
    				{
    					if (setting.ResultLocal == LoadResult.Failed_DataNotFound)
    					{
    						ConnectedAccountsManager.Logger.Info("No connected account credentials found.");
    					}
    					else
    					{
    						ConnectedAccountsManager.Logger.Error("Failed to load connected account credentials: " + setting.ResultLocal);
    					}
    				}
    				else
    				{
    					using (MemoryStream memoryStream = new MemoryStream(setting.Setting.Value))
    					{
    						Aes aes = Aes.Create();
    						aes.BlockSize = 128;
    						aes.KeySize = 256;
    						aes.Key = Convert.FromBase64String(ConnectedAccountsManager.m_keyString);
    						aes.IV = this.IV;
    						using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
    						{
    							BinaryFormatter binaryFormatter = new BinaryFormatter();
    							this.m_credentials = (Dictionary<ConnectedAccount, ConnectedAccountCredentials>)binaryFormatter.Deserialize(cryptoStream);
    						}
    					}
    				}
    			}
    			catch (Exception exception)
    			{
    				ConnectedAccountsManager.Logger.Error("Exception loading connected account credentials", exception);
    				this.m_credentials = new Dictionary<ConnectedAccount, ConnectedAccountCredentials>();
    				this.Save();
    			}
    		}
    

By leveraging the power of ysoserial.net, we gain the ability to execute code with elevated privileges as the SYSTEM user. This process of deserialization occurs in two scenarios: when a user logs in or when the machine restarts. Moreover, we can also initiate the deserialization process by utilizing a named pipe. Notably, the RazerCentralService.exe grants read/write access to its pipe for all users.

    pipe_name = r'\\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C}'
    

Here is a proof of concept (POC) written in Python 2 that you can use to execute notepad.exe as the SYSTEM user. Simply run the POC code provided here

**Reproduction Steps**

For simplicity, follow the following steps to re-produce.

1.  Install the Razer software.
2.  Install Python 2 and the necessary Python modules.
3.  Log in and wait for 3-5 minutes to ensure that the directory at C:\ProgramData\Razer\Razer Central\Accounts exists.
4.  Execute the exploit script using Python 2.

**Conclusion**

Having great power entails having great responsibility. When you operate as the SYSTEM user, you possess substantial power and carry significant responsibilities. Therefore, it is crucial to exercise caution in your actions. Additionally, it is important to understand that relying solely on an encrypted file with a hardcoded key does not guarantee security. To address any potential issues, you can follow the suggested steps outlined below:

*   Avoid using binary formatter for deserialization.
*   Ensure correct permissions are set for your namedpipe.
*   Check your directory permissions.

**Credits**

Phan Thanh Duy (@PTDuy) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

CVE-2023-3513: (CVE-2023-3513) RazerCentralService unsafe deserialization Escalation of Privilege Vulnerability

By Habiba Rashid
Due to privacy concerns, Meta has not yet released the Threads app in EU countries, creating a loophole for criminals to upload fake versions of the app.
This is a post from HackRead.com Read the original post: Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

**Apple has removed the fake THREADS app from the European App Store, ending its top position as the number 1 iOS app until July 11, 2023, when it was reported.**

In a recent development, Apple has **taken down** a fake version of the popular Threads app from its App Store in Europe. The fake app, developed by SocialKit LTD, had been soaring up the charts of the most downloaded apps. However, thanks to the diligent work of cybersecurity firm and iOS developer **Mysk**, the fraudulent app has been exposed and removed, and the developer’s account has been suspended.

Among the apps created by SocialKit LTD that have been removed are ChatGP, SelfMe: Selfie AI Face Editor, and Remove Background Eraser, among others. The fakeThreads app had gained significant traction, particularly in Germany, the Netherlands, and Switzerland, where it had claimed the number one position in the App Store rankings.

Fake app topping in EU countries (Screenshots via Mysk – Twitter)

The original Threads app, launched by Meta as a competitor to Twitter, has garnered more than 100 million downloads worldwide since its release earlier this month. However, the app has yet to be made available in the European Union due to the bloc’s stringent privacy laws.

This absence has created an opportunity for cybercriminals to capitalize on the demand by producing counterfeit apps and employing over 700 phoney domain names in a single day, according to a **report**.

Mysk, in a tweet, highlighted the concerning statistics regarding the genuine app’s absence in the European market. They stated, “Statistically, exactly 0% of iOS users looking for Threads in the EU have downloaded the right app. If app sideloading was possible, the percentage of EU users downloading the right app would certainly be greater than 0%.”

Cybersecurity analyst Veriti warns users, especially those in Europe, to exercise caution when downloading knock-off versions of Threads, as they often serve as conduits for malware or phishing attacks. It is crucial to obtain the app from trusted sources and exercise due diligence at all times.

While the fraudulent Threads app has been removed from the European App Store, similar bogus apps have also been detected on other platforms. Before the official launch of Instagram’s Threads on July 6, several impersonating apps were circulating on the Google Play Store, prompting Google to eventually remove them.

Nevertheless, ChatGPT’s official app for iPhone has **already been released**, while its Android app could soon be available on the Google Play Store.

**RELATED ARTICLES**

1.  Google Deletes Fake BatteryBot Pro Malware App
2.  Scylla Ad Fraud Attack on iOS Users Halted by Apple
3.  Apple removes Clearview AI iPhone app from App Store
4.  Apple removes anti-virus apps from store for “stealing data”
5.  Google removes ClearURLs Chrome extension from app store

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

Thursday, July 13, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.

At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.

Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.

The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.

I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”

Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.

**The one big thing**

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.

**Why do I care?**

This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.

**So now what?**

Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.

**Top security headlines of the week**

The **list of companies affected by the massive MOVEit mass hack continues to grow,** and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)

With Meta’s new microblogging platform **Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies.** Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)

Despite major efforts from international governments and the private sector to combat ransomware, **payments to threat actors are set to hit a new record in 2023.** A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)

**Can’t get enough Talos?**

*   Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
*   Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker
*   Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
*   The growth of commercial spyware based intelligence providers without legal or ethical supervision
*   Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

Tag

#ios