Previously observed using fake Coinbase jobs, the North Korea-sponsored APT has expanded into using Crypo.com gigs as cover to distribute malware.

Researchers are warning that Lazarus has expanded its campaign using fake jobs with cryptocurrency exchanges to trick macOS users into downloading malware.

Just last month, researchers observed Lazarus using Coinbase job openings to trick macOS users into downloading malware. Now, SentinelOne says the same threat group has expanded its phishing campaign to include fraud job postings at another cryptocurrency exchange, Crypto.com.

According to the SentinelOne report on the new crypto job lure, the additional victims were initially contacted by Lazarus through LinkedIn messaging.

Lazarus is an advanced persistent threat (APT) group with ties to the North Korean state. SentinelOne pointed out that the attack group has been targeting cryptocurrency exchanges since 2018, and has specifically used fake cryptocurrency exchange jobs as lures since 2020.

"The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges," the SentinelOne researchers wrote. "This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings

Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.

**802.2a-1993****Standard for Flow Control Techniques for Bridged Local Area Networks**

Provide updates to the existing 802.2 Standard.

Learn More

**802.2b-1993****Standard for Acknowledged Connectionless-Mode Service and Protocol (Type 3 Operation)**

Abstract not available. See ISO/IEC 8802-2.

Learn More

**802.2c-1997****Part 2: Logical link control--Supplement 3: Conformance requirements**

This IEEE Standards product is part of the 802 family on LAN/MAN. This standard is part of a family of standards for local area networks (LANs) and metropolitan area networks (MANs) that deals with the physical and data link layers as defined by the ISO Open Systems Interconnection Basic Reference Model. The functions, features, protocol, and services of the Logical Link Control (LLC) sublayer, which constitutes the top sublayer in the data link layer of the ISO/IEC 8802 LAN protocol, are described. The services required of, or by, the LLC sublayer at the logical interfaces with the network layer, the medium access control (MAC) sublayer, and the LLC sublayer management function are specified. The protocol data unit (PDU) structure for data communication systems is defined using bit-oriented procedures, as are three types of operation for data communication between service access points. In the first type of operation, PDUs are exchanged between LLCs without the need for the establishment of a data link connection. In the second type of operation, a data link connection is established between two LLCs prior to any exchange of information-bearing PDUs. In the third type of operation, PDUs are exchanged between LLCs without the need for the establishment of a data link connection, but stations are permitted to both send data and request the return of data simultaneously.

Learn More

**802.2d-1993****Supplement to 802.2, Information Processing Systems - Local Area Networks - Part 2: Logical Link Control**

Abstract not available. See ISO/IEC 8802-2.

Learn More

**802.2e-1993****Supplement to 802.2, Information Processing Systems - Local Area Networks - Part 2: Logical Link Control - Bit Referencing**

Abstract not available. See ISO/IEC 8802-2.

Learn More

**802.2f-1997****Managed objects definition for logical link control (LLC)**

Define LLC Management Objects for Type 1, Type 2, and Type 3 Operations, including their attributes, actions, and event notifications.

Learn More

**802.2h-1997****Optional toleration of duplicate information transfer format protocol data units (IPDUs)**

Provide a procedural option in Type 2 operation that will allow a receiver to tolerate the receipt of an already correctly received I PDU by discarding it instead of initiating a Frame Reject (FRMR) exception condition that would require the reset of the logical link control procedure.

Learn More

**802.5p-1993****Standard for Information Processing Systems--Local Area Networks--Part 2: Logical Link Control--Annex X: End system Route Determination**

Abstract not available. See ISO/IEC 8802-5.

Learn More

No Inactive-Reserved Standards

CVE-2021-27853: IEEE SA - ISO/IEEE International Standard - Information processing systems – Local area networks - Part 2: Logic Link Control

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

Posted Sep 27, 2022

Authored by Yousef Alraddadi

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7e9852e1ba3b10ed9809857eace8d6e330d1f9d7306d8b2d80c0851d85229f86

Download | Favorite | View

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

    # Exploit Title: Online Birth Certificate Management System - Stored Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Add Details.3) add full name payload => <script>alert(document.cookie);</script>4) and all field enter payload only Contact Number enter number

**File Tags**

*   ActiveX (932)
*   Advisory (78,276)
*   Arbitrary (15,276)
*   BBS (2,859)
*   Bypass (1,598)
*   CGI (1,013)
*   Code Execution (6,771)
*   Conference (671)
*   Cracker (799)
*   CSRF (3,277)
*   DoS (22,065)
*   Encryption (2,340)
*   Exploit (50,129)
*   File Inclusion (4,160)
*   File Upload (945)
*   Firewall (821)
*   Info Disclosure (2,565)
*   Intrusion Detection (861)
*   Java (2,823)
*   JavaScript (808)
*   Kernel (6,156)
*   Local (14,093)
*   Magazine (586)
*   Overflow (12,252)
*   Perl (1,413)
*   PHP (5,057)
*   Proof of Concept (2,284)
*   Protocol (3,350)
*   Python (1,406)
*   Remote (29,862)
*   Root (3,466)
*   Ruby (581)
*   Scanner (1,630)
*   Security Tool (7,737)
*   Shell (3,077)
*   Shellcode (1,203)
*   Sniffer (883)
*   Spoof (2,123)
*   SQL Injection (16,057)
*   TCP (2,369)
*   Trojan (682)
*   UDP (872)
*   Virus (660)
*   Vulnerability (30,657)
*   Web (9,114)
*   Whitepaper (3,723)
*   x86 (943)
*   XSS (17,396)
*   Other

**File Archives**

*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   Older

**Systems**

*   AIX (426)
*   Apple (1,899)
*   BSD (369)
*   CentOS (55)
*   Cisco (1,915)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,207)
*   HPUX (878)
*   iOS (323)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (42,923)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (12,009)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,027)
*   UNIX (9,115)
*   UnixWare (185)
*   Windows (6,473)
*   Other

Online Birth Certificate Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2022-6713-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6713-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6713  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-3032 CVE-2022-3033 CVE-2022-3034   
                   CVE-2022-36059 CVE-2022-40956 CVE-2022-40957   
                   CVE-2022-40958 CVE-2022-40959 CVE-2022-40960   
                   CVE-2022-40962   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.3.0.

Security Fix(es):

* Mozilla: Leaking of sensitive information when composing a response to an  
HTML email with a META refresh tag (CVE-2022-3033)

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Remote content specified in an HTML document that was nested  
inside an iframe's srcdoc attribute was not blocked (CVE-2022-3032)

* Mozilla: An iframe element in an HTML email could trigger a network  
request (CVE-2022-3034)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to  
denial-of-service attack (CVE-2022-36059)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2123255 - CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked  
2123256 - CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag  
2123257 - CVE-2022-3034 Mozilla: An iframe element in an HTML email could trigger a network request  
2123258 - CVE-2022-36059 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack  
2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.3.0-3.el8_4.src.rpm

aarch64:  
thunderbird-102.3.0-3.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.aarch64.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.3.0-3.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.3.0-3.el8_4.s390x.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.s390x.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.s390x.rpm

x86_64:  
thunderbird-102.3.0-3.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_4.x86_64.rpm  
thunderbird-debugsource-102.3.0-3.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3032  
https://access.redhat.com/security/cve/CVE-2022-3033  
https://access.redhat.com/security/cve/CVE-2022-3034  
https://access.redhat.com/security/cve/CVE-2022-36059  
https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0LtzjgjWX9erEAQjkww//aB0FxGjWJ+ep1n3d5H7rcazn5Yk1gbxt  
EBpgmmL/JeX0KgrqLyVz2SiaY52njGg064SjOCYnAfJovIVIp26xFX0FMY2sc844  
xBgW/KE130rr7JOZhARvZyaLyqusKgC56NdN0tNw30mgR4DGwhkv4Ihiodzub376  
NponjXM+i/hZnD8xEL+bz8g+DDB/pda2nvsyITqxXcGhJomnTd1ovZvjLbcrV+XP  
JHE5G5Ln0+VmXXT9VSNx0q4y6OqPEMCaX0tbLIgJH1nYSLAKqGi9KSCru6gYa+/A  
vP+a6F4dcvhNEntNLCVOjYiyELF0PR2Ofe5SOzt+ole7igA4zvhXo0xVGh/i3wHI  
Fff3j+zqqeWyvsuo9jh+7b3hxL0Rn8WvSwutrR1bwrobC5HvMACADeQ7dSKNwwR5  
h7GbEFTKj0C2YZGY12AfKd2q9+0nZYdyATZsofX/SZ4YW9xI1kiCiF1BcbnOtP67  
v2nRvnwPS6VlECkbDQA2fBB/kjwoRZiO1wix+dGIeBYzfLFI/EXikmQSg7iGvb1t  
vjnaX7W6J1/pDIrt4xGNuUs/yaEMMUHRIvt4TSCiOuVljZUgNA9MbZ9DWl8q4WBD  
/GjDi4xOJSHX2lDL3DkC1Ie0mKsB1Pl9GGT+HTAHPFsmEA3pTjFtA+7lay8/9Jcn  
ATDPcvn3yiI=  
=xfpu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6713-01

Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say.

Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization's data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.  

Researchers from security firms Cyderes and Stairwell have observed a .NET exfiltration tool being deployed in relation to BlackCat/ALPHV ransomware called Exmatter that searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroy the files. The only way to retrieve the data is by purchasing the exfiltrated files back from the gang.

"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild," according to a blog post published recently on the Cyderes website. Exmatter could signify that the switch is happening, demonstrating that threat actors are actively in the process of staging and developing such capability, researchers said.

Cyderes researchers performed an initial assessment of Exmatter, then Stairwell's Threat Research Team discovered "partially-implemented data destruction functionality" after analyzing the malware, according to a companion blog post.

"The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.

The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape as threat actors pivot to find more creative ways to criminalize their activity, notes one security expert.

"Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda," Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.

These ever-evolving threats demand that enterprises also must sharpen their defenses and deploy advanced security solutions that harden their respective attack surfaces and obfuscate sensitive resources, which will make them difficult targets to attack in the first place, Pimplaskar adds.

**Previous Ties to BlackMatter**

The researchers' analysis of Exmatter is not the first time a tool of this name has been associated with BlackCat/ALPHV. That group — believed to be run by former members of various ransomware gangs, including those from now-defunct BlackMatter — used Exmatter to exfiltrate data from corporate victims last December and January, before deploying ransomware in a double extortion attack, researchers from Kaspersky reported previously.

In fact, Kaspersky used Exmatter, also known as Fendr, to link BlackCat/ALPHV activity with that of BlackMatter in the threat brief, which was published earlier this year.

The sample of Exmatter that Stairwell and Cyderes researchers examined is a .NET executable designed for data exfiltration using FTP, SFTP, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated, Mayer explained. That aligns with BlackMatter's tool of the same name.

**How the Exmatter Destructor Works**

Using a routine named "Sync," the malware iterates through the drives on the victim machine, generating a queue of files of certain and specific file extensions for exfiltration, unless they are located in a directory specified in the malware’s hardcoded blocklist.

Exmatter can exfiltrate queued files by uploading them to an attacker-controlled IP address, Mayer said.

"The exfiltrated files are written to a folder with the same name as the victim machine’s hostname on the actor-controlled server," he explained in the post.

The data-destruction process lies within a class defined within the sample named "Eraser" that is designed to execute concurrently with Sync, researchers said. As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser, Mayer explained.

Eraser selects two files randomly from the queue and overwrites File 1 with a chunk of code that's taken from the beginning of the second file, a corruption technique that may be intended as an evasion tactic, he noted.

"The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers," Mayer wrote, "as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them." Mayer wrote.

**Work in Progress**

There are a number of clues to indicate that Exmatter's data-corruption technique is a work in progress and thus still being developed by the ransomware group, the researchers noted.

One artifact in the sample that points to this is the fact that the second file’s chunk length, which is used to overwrite the first file, is randomly decided and could be as short as 1 byte long.

The data-destruction process also has no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected at all, the researchers noted.

Moreover, the function that creates the instance of the Eraser class — aptly named "Erase" — does not appear to be fully implemented in the sample that researchers analyzed, as it does not decompile correctly, they said.

**Why Destroy Instead of Encrypt?**

Developing data-corruption and destruction capabilities in lieu of encrypting data has a number of benefits for ransomware actors, the researchers noted, especially as data exfiltration and double-extortion (i.e., threatening to leak stolen data) has become a rather common behavior of threat actors. This has made developing stable, secure, and fast ransomware to encrypt files redundant and costly compared to corrupting files and using the exfiltrated copies as the means of data recovery, they said.

Eliminating encryption altogether also can make the process faster for RaaS affiliates, avoiding scenarios in which they lose profits because victims find other ways to decrypt the data, the researchers noted.

"These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike out on their own," Mayer observed, "replacing development-heavy ransomware with data destruction."

BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems.
"When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called **NullMixer** on compromised systems.

"When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others."

Besides siphoning users' credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon account session cookies, what makes NullMixer insidious is its ability to download dozens of trojans at once, significantly widening the scale of the infections.

Attack chains typically start when a user attempts to download cracked software from one of the sites, which leads to a password-protected archive that contains an executable file that, for its part, drops and launches a second setup binary designed to deliver an array of malicious files.

These malicious websites leverage search engine optimization (SEO) poisoning techniques such as keyword stuffing to feature them highly in search engine results. Similar tactics have been adopted by actors behind GootLoader and SolarMarker campaigns.

NullMixer, last month, was linked to the distribution of a rogue Google Chrome extension called FB Stealer, which is capable of Facebook credential theft and search engine substitution.

Some of the other prominent malware families distributed by the dropper include DanaBot and a raft of information-stealing malware such as ColdStealer, PseudoManuscrypt, Raccoon Stealer, Redline Stealer, and Vidar.

Also deployed using NullMixer are trojan downloaders like FormatLoader, GCleaner, LegionLoader (aka Satacom), LgoogLoader, PrivateLoader, SgnitLoader, ShortLoader, and SmokeLoader, as well as the C-Joker cryptocurrency wallet stealer.

Kaspersky said it blocked attempts to infect more than 47,778 victims worldwide, with a majority of the users located in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey, and the U.S. The threat actor operating NullMixer has not been attributed to a known group.

The latest findings are yet another indication that malware and unwanted applications are being increasingly propagated via pirated software. It's also recommended to check online accounts regularly for unknown transactions.

"Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time," Kaspersky researcher Haim Zigel said. "Receiving NullMixer, users get several threats at once."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials

A crime syndicate based in Russia steals millions of dollars from credit card companies using fake dating and porn sites on hundreds of domains to rack up fraudulent charges.

A subscription service scam has garnered millions of dollars in credit card charges by creating fake dating and porn sites, staffing them with live customer support, and using stolen credit card accounts to pay for "services." 

Endpoint security firm ReasonLabs stated in a Sept. 23 advisory that a Russian-speaking cybercrime group has created hundreds of fraudulent websites since 2019, likely using third-party proxies, as well as dozens of business sites that act as both a generic name for credit card charges and as a hub for customer support calls. By using recurring charges that are small enough to escape many customers' notice, the fraudsters were able to keep chargeback requests low enough to avoid being shut down and continue profiting from the scam.

While the different components of the scheme are not original, the sum total managed to bypass credit card companies' fraud detection and garner millions of dollars in revenue, ReasonLabs' research team said in the advisory.

"Eventually, once — some of — these users find these charges, they will immediately approach the issuer for a dispute and replacement of the card number, which will cause chargebacks."

The three-year scam highlights the resurgence of credit-card fraud, especially for businesses that are dealing with a hybrid workforce. Two-thirds of companies have experienced fraud in the past year, according to a recent study from KPMG. Security experts have meanwhile warned that third-party scripts on websites — part of the software supply chain — could be at risk of being co-opted to steal credentials and credit-card information.

**Designed to Seem Legitimate**

In the latest credit card scam, the cybercriminals created the right mix of components to dodge anti-fraud defenses and to remain unnoticed by consumers who don't always check their credit card bills, researchers said. While unsurprising, the scope of the fraud is quite brazen, Timothy Morris, technology strategist for security management firm Tanium, said in a statement sent to Dark Reading.

"Real companies can run virtually, so it isn’t hard to imagine fake companies running virtually," he said. "Front-end user interfaces, back-end customer support, payment providers, \[and other components\] give this swindle all the ingredients of legitimacy."

The business sites that originated the charges and appeared to be legitimate all have similar structure, with the organization's name, a motto, and information on how to contact support. ReasonLabs found 75 support sites, all with the same HTML code, importing the same JavaScript files, and having identical comments, the company said.

The scheme was also given the veneer of credibility by these 200 fake sites — mainly adult- and dating-themed — that supposedly were the source of the charges. While adult sites are classified as high risk in the financial industry, the combination of live sites and active business hubs helped make the scheme seem legitimate.

The type of fake site that the fraudsters used also likely made the scheme more successful, Matt Mullins, senior security researcher at Cybrary, said in a statement sent to Dark Reading.

"Dating sites, adult sites, and other services have social stigmas associated with them that puts the victim in a questionable light," he said. "This questionable light also makes it more likely that a victim will try to resolve it themselves versus calling up a customer service representative and trying to resolve it."

Finally, the criminal group uses typical credit card spending patterns to make the transaction less suspicious. Rather than use test transactions followed by large transaction, the criminal group uses recurring payments of small dollar amounts to escape notice.  

Because most financial providers have strict agreements with high-risk businesses — such as adult sites — to limit the level of chargebacks, the cybercriminal group takes a variety of actions to avoid chargebacks. The fake businesses' names are fairly generic, they charge small dollar amounts, allow the user to cancel their "subscription," and have live customer support, ReasonLabs said.

"The fraudsters applied each individual customer service website for payment processing in order to distribute the chargebacks between many websites rather than just one," the company stated in its advisory. "This would ensure that their payment processing capabilities will not be revoked once one site reaches the agreed rate of chargebacks, or refunds, which is divided by the number of legit transactions."

The campaign is ongoing, but ReasonLabs has notified the companies affected by the fraud to help shut down the cybercriminal enterprise.

Fake Sites Siphon Millions of Dollars in 3-Year Scam

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system.
In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto.com.
The latest disclosure builds on previous

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system.

In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto.com.

The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which delved into a similar phony job posting for the Coinbase cryptocurrency exchange platform.

Both these fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception, which, in turn, is a constituent of a broader campaign tracked under the name Operation Dream Job.

Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site LinkedIn.

The intrusions commence with the deployment of a Mach-O binary, a dropper that launches the decoy PDF document containing the job listings at Crypto.com, while, in the background, it deletes the Terminal's saved state ("com.apple.Terminal.savedState").

The downloader, also similar to the safarifontagent library employed in the Coinbase attack chain, subsequently acts as a conduit for a bare-bones second-stage bundle named "WifiAnalyticsServ.app," which is a copycat version of "FinderFontsUpdater.app."

"The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent," SentinelOne researchers Dinesh Devadoss and Phil Stokes said. "This functions as a downloader from a \[command-and-control\] server."

The final payload delivered to the compromised machine is unknown owing to the fact that the C2 server responsible for hosting the malware is currently offline.

These attacks are not isolated, for the Lazarus Group has a history of carrying out cyber-assaults on blockchain and cryptocurrency platforms as a sanctions-evading mechanism, enabling the adversaries to gain unauthorized access to enterprise networks and steal digital funds.

"The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

Gentoo Linux Security Advisory 202209-15 - Multiple vulnerabilities have been found in Oracle JDK and JRE, the worst of which could result in the arbitrary execution of code. Versions less than or equal to 11.0.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Oracle JDK/JRE: Multiple vulnerabilities  
     Date: September 25, 2022  
     Bugs: #732630, #717638  
       ID: 202209-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Oracle JDK and JRE, the  
worst of which could result in the arbitrary execution of code.

Background  
==========

Java Platform, Standard Edition (Java SE) lets you develop and deploy  
Java applications on desktops and servers, as well as in today's  
demanding embedded environments. Java offers the rich user interface,  
performance, versatility, portability, and security that today's  
applications require.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-java/oracle-jdk-bin    <= 11.0.2                 Vulnerable!  
  2  dev-java/oracle-jre-bin    <= 1.8.0.202              Vulnerable!

Description  
===========

Multiple vulnerabilities have been discovered in Oracle's JDK and JRE  
software suites. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Certain uses of untrusted data by Oracle JDK and JRE could result in  
arbitrary code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for the Oracle JDK and JRE. We recommend  
that users remove it, and use dev-java/openjdk, dev-java/openjdk-bin, or  
dev-java/openjdk-jre-bin instead:

  # emerge --ask --depclean "dev-java/oracle-jre-bin"  
  # emerge --ask --depclean "dev-java/oracle-jdk-bin"

References  
==========

[ 1 ] CVE-2020-2585  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2585  
[ 2 ] CVE-2020-2755  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2755  
[ 3 ] CVE-2020-2756  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2756  
[ 4 ] CVE-2020-2757  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2757  
[ 5 ] CVE-2020-2773  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2773  
[ 6 ] CVE-2020-2781  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2781  
[ 7 ] CVE-2020-2800  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2800  
[ 8 ] CVE-2020-2803  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2803  
[ 9 ] CVE-2020-2805  
      https://nvd.nist.gov/vuln/detail/CVE-2020-2805  
[ 10 ] CVE-2020-14556  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14556  
[ 11 ] CVE-2020-14562  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14562  
[ 12 ] CVE-2020-14573  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14573  
[ 13 ] CVE-2020-14577  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14577  
[ 14 ] CVE-2020-14578  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14578  
[ 15 ] CVE-2020-14579  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14579  
[ 16 ] CVE-2020-14581  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14581  
[ 17 ] CVE-2020-14583  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14583  
[ 18 ] CVE-2020-14593  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14593  
[ 19 ] CVE-2020-14621  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14621  
[ 20 ] CVE-2020-14664  
      https://nvd.nist.gov/vuln/detail/CVE-2020-14664

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-15

Gentoo Linux Security Advisory 202209-14 - Multiple vulnerabilities have been discovered in Fetchmail, the worst of which could result in email disclosure to third parties. Versions less than 6.4.22 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Fetchmail: Multiple Vulnerabilities  
     Date: September 25, 2022  
     Bugs: #810676, #804921  
       ID: 202209-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Fetchmail, the worst of  
which could result in email disclosure to third parties.

Background  
==========

Fetchmail is a remote mail retrieval and forwarding utility.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-mail/fetchmail         < 6.4.22                    >= 6.4.22

Description  
===========

Multiple vulnerabilities have been discovered in Fetchmail. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Fetchmail users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.4.22"

References  
==========

[ 1 ] CVE-2021-36386  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36386  
[ 2 ] CVE-2021-39272  
      https://nvd.nist.gov/vuln/detail/CVE-2021-39272

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-14

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac