By Waqas
ESET Research Uncovers New Targeted Campaign Impacting European Governments and Think Tanks.
This is a post from HackRead.com Read the original post: APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities

The new 0-Day vulnerability was actively exploited by the Winter Vivern cyberespionage group before its discovery and subsequent patch by Roundcube, a web-based IMAP email client, with ESET’s report.

The Russian cyberespionage group Winter Vivern (_aka_ TA473, and UAC-0114), known for its persistent attacks on European and Central Asian governments, has once again made headlines. ESET, a Slovak cybersecurity firm, has recently revealed the group’s utilization of a 0-day (zero-day) cross-site scripting (XSS) vulnerability in the Roundcube Webmail server, signaling an alarming escalation in their tactics.

ESET researchers, who have been closely monitoring Winter Vivern’s activities for over a year, discovered the exploitation of this new vulnerability on October 11th, 2023. This XSS vulnerability, identified as CVE-2023-5631, allowed attackers to remotely compromise Roundcube Webmail servers, a popular email platform.

Notably, this vulnerability is distinct from CVE-2020-35730, a previously exploited flaw by the same group, as outlined in ESET’s research.

****Targeted Entities****

The campaign orchestrated by Winter Vivern focused on Roundcube Webmail servers belonging to governmental entities and a think tank, all situated within Europe. This is in line with the group’s primary objective of targeting government institutions and organizations in Europe and Central Asia.

****Modus Operandi****

Winter Vivern is infamous for employing a variety of tactics to infiltrate their targets, including the use of malicious documents, phishing websites, and a custom PowerShell backdoor. While there is a low level of confidence, ESET researchers suggest a potential connection between Winter Vivern and MoustachedBouncer, a Belarus-aligned group.

Since at least 2022, as reported by Hackread.com, Winter Vivern has been known to target Zimbra and Roundcube email servers owned by governmental entities. Additionally, the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023.

It is worth mentioning that Winter Vivern is not the only threat actor exploiting Roundcube vulnerabilities. Sednit (also known as APT28) has been seen using the same XSS vulnerability in Roundcube, occasionally targeting the same victims.

****The Exploited Vulnerability (CVE-2023-5631)****

This XSS vulnerability, according to ESET’s blog post, could be exploited remotely by sending a specially crafted email message. In this particular campaign, the emails were sent from the address team.managment@outlookcom with the subject line “Get started in your Outlook.”

The malicious email appeared ordinary at first glance, but upon examining the HTML source code, a concealed SVG tag containing a base64-encoded payload was revealed. The payload was concealed within the onerror attribute of an image tag in the SVG. When decoded, this payload led to the execution of JavaScript code in the victim’s browser.

Surprisingly, the JavaScript injection worked even on fully patched Roundcube instances. The vulnerability was traced back to the server-side script rcube\_washtml.php, which did not adequately sanitize the malicious SVG document before incorporating it into the HTML page interpreted by the user.

ESET researchers reported the issue to Roundcube, and the vulnerability was patched promptly on October 14th, 2023. The affected Roundcube versions include 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

The malicious email (ESET)

****Implications and Conclusion****

Winter Vivern’s transition to a 0-day vulnerability is a clear indication of their determination to infiltrate high-value targets. Despite the group’s relatively unsophisticated toolset, they remain a significant threat to European governments. Their success can be attributed to their persistent phishing campaigns and the prevalence of outdated, vulnerable applications used by targeted organizations.

In response to ESET’s discovery, the Roundcube team acted swiftly to address the vulnerability. A disclosure timeline reveals that the vulnerability was reported on October 12, and the necessary patches were released just two days later, ensuring the security of Roundcube Webmail servers.

ESET Research commended the Roundcube developers for their rapid response and collaboration in resolving the issue. It is vital that organizations and government entities keep their software up to date to mitigate the risk of such attacks in the future.

1.  ProtonMail Code Vulnerabilities Leaked Emails
2.  APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
3.  Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study
4.  Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
5.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird
6.  EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability

APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities

Organizations should focus on four key areas to advance employee education and "cyber smartness."

This month we celebrate the 20th anniversary of Cybersecurity Awareness Month — a dedicated time for industry, government, academia, and nonprofits to come together and raise awareness about the importance of cybersecurity for everyone.

Since its creation, Cybersecurity Awareness Month has grown from a national US initiative to a global movement that educates individuals and organizations about best practices and promotes a culture of cybersecurity. By dedicating a specific month to awareness, the industry encourages proactive measures, knowledge-sharing, and collective responsibility — ultimately helping more people envision their roles in cybersecurity and in making organizations and the world safer.

Cybersecurity knowledge-sharing is particularly important, as human risk has become one of the strongest vectors that modern security organizations must contend with. Today it accounts for more than 80% of cybersecurity incidents. Companies must find an effective way to uplevel cybersecurity education across the entire organization — not just within their security teams — if we hope to strengthen our collective security postures.

Read on to learn how technology can help security teams drive greater results, and explore key behaviors to focus on when spreading cybersecurity awareness across your organization.

**4 User Behaviors to Emphasize In Cybersecurity Education Materials**

At its core, cybersecurity awareness is about managing human risk. Companies can help advance this mission by providing cybersecurity education and skilling resources across their organizations. Education can include tips ranging from the fundamentals of cyber hygiene to day-to-day behaviors, such as identifying and avoiding tech support scams, advice on improving data and device security practices, and more.

In honor of Cybersecurity Awareness Month, here are the top four areas that Microsoft recommends focusing on to advance employee education and "cyber smartness."

**Enabling Multifactor Authentication

Multifactor authentication (MFA) can protect against 99.2% of attacks by offering stronger security than traditional passwords. As such, it's an incredible tool in the average employee's arsenal to uplevel security practices across your organization. We recommend periodically reminding users to enable MFA measures, such as biometrics or single-use codes, across their devices, apps, and account settings.

****Strengthening the Sign-In Process**

Along the same lines, it's important to remember that hackers don't break in. They sign in. If passwordless authentication is not an option, encourage employees to create stronger passwords using their browser's password generator. Length matters more than complexity here, so any passwords created should be at least 12 characters long. A password manager can be particularly helpful in tracking all current passwords.

**Updating Software**

Keeping software current with the latest security updates and patches is a vital step in protecting Internet-connected devices. On the individual user level, employees should be encouraged to set up automatic software updates to decrease the risk of vulnerabilities that can lead to ransomware and other malware. Likewise, consider creating an educational pamphlet that teaches employees how to check privacy and security settings against your desired level of information-sharing any time they register a new account, download an app, or acquire a new device.

**Recognizing and Reporting Phishing**

Finally, phishing scams are a significant threat vector that criminal actors leverage to infiltrate networks and steal sensitive data. Employees should be educated on best practices to avoid phishing scams, such as checking the sender's email address for verifiable contact information or an unrelated sender address and verifying the sender before clicking on links or opening email attachments. 

While the above tips are focused on changing user behaviors, technology has a role to play, too. Innovation is critical in creating new efficiencies for already overburdened security teams. By embracing leading technology advancements, such as generative AI, security teams can simplify complex toolsets and surface deeper insights across their entire data estates to better monitor threat activity in real time. This combination of leading technical innovations and broader user education can help empower security teams to streamline workflows and focus more of their time on the day-to-day work of cyber defense.

We invite you to leverage cybersecurity awareness not only this month, but all year round, to make sure everyone in your organizations is empowered to be cyber smart and assume a role in fighting cyber threats.

This Cybersecurity Awareness Month, Don't Lose Sight of Human Risk

Emerging RaaS operation uses Rhysida ransomware paired with a wicked infostealer called Lumar, researchers warn.

Operating since last May, an emerging ransomware strain called Rhysida was deployed along with new stealer malware called Lumar for a potent new one-two punch against Brazil's popular PIX payment system users.

Researchers from Kaspersky reported Rhysida is functioning as a ransomware-as-a-service (RaaS) operation with a demonstrated ability to quickly evolve.

"It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft. Written in C++ and compiled with MinGW and shared libraries, Rhysida showcases sophistication in its design," Kaspersky said in its findings about the group. "While relatively new, Rhysida faced initial configuration challenges with its onion server, revealing a group's rapid adaptation and learning curve."

The ransomware campaign targeting PIX has been ongoing since December 2022, the Kaspersky team noted, adding that Rhysida was deployed along with a complimentary malware-as-a-service (MaaS) infostealer called Lumar to target users of the payment system.

Lumar first emerged in July 2023, the report added, and can steal data on Telegram sessions, passwords, cookies, autofill information, desktop files, and even cryptographic wallets.

Notably, the Kaspersky team said the Lumar stealer is compact, without sacrificing functionality.

"The malware's efficient data collection is facilitated by the use of three separate threads," the report added. "The C2, hosted by the malware author as a Malware as a Service (MaaS), provides user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meet Rhysida, a New Ransomware Strain That Deletes Itself

Zatik takes a fractional approach to AppSec leadership to help small firms access the expertise they need to build secure-by-design software.

One of the fundamental principles of secure-by-design software development is that organizations need to account for security concerns right out of the gate. It's built into the way the applications are designed, architected, and coded. The trouble for small companies that build software is that it can be really hard for them to access and pay for the kind of application security expertise necessary to fold that kind of accountability into the engineering or DevOps process. And so small companies build and ship their software — oftentimes innovative applications upon which their whole business model is based — without much consideration for security.

By the time a startup has "grown up" and built its business big enough to feasibly hire some application security professionals, secure-by-design has already gone out the window. The software stack has already accumulated a ton of security technical debt. That new AppSec team is behind the eight ball before they even start. And without expensive refactoring, oftentimes all they can do is bolt on security controls or apply Band-Aids to security problems that may run very deep.

It's an age-old problem, and one that's simply not practical to get all preachy about to small business owners or small dev teams.

"Experienced application security people are in short supply, and they're getting hoovered up by the big companies, by the Microsofts, Amazons, Apples, and Googles of the world, and if you are a smaller company, you're just not competing on that playing field," explains Kymberlee Price, who has led product security and AppSec teams, worked as a security researcher, and run red team and incident response operations for the likes of Microsoft, Amazon, and Bugcrowd.

Price has been around the block enough to recognize that not only are best-in-class product security pros and security-aware developers still the "unicorns" of the software engineering market, but also that most small businesses aren't big enough to even have enough work to keep one of them busy for very long.

"They don't need a unicorn full time. They need a unicorn maybe for a quarter to set some strategy, and then they need 10% of a unicorn for the rest of the year," she says.

**Sharing the Unicorns**

This is the underlying problem Price hopes to alleviate with her new consulting firm, Zatik. Together with co-founder Jon Callas, another security luminary known for founding PGP and Silent Circle, Price hopes to level the software security playing field for startups and small businesses. Zatik is a fractional security consulting firm that helps companies tap into that small percentage of unicorn-level AppSec expertise that they need to get a security program up and running. It's built in the same mold as a virtual CISO (vCISOs), with a slightly different focus.

"We love virtual CISOs. But they're frequently enterprise-focused and compliance-focused. And we're more looking at, how do you build your product securely by design, the DevOps pipeline, CI/CD, security controls, and things like that," Price explains. "So it's a really nice complement to that fractional model."

For some companies, if they're early enough in their arc, they may need the full package of building out an entire cybersecurity program — something she and Callas are equipped to help them navigate.

"Our sweet spot really is securing the developer experience, but we can help them look at their tech stack, make some recommendations, and make some introductions to other partners," says Price.

She says that she and Callas currently run the company themselves, but they plan on adding more staff as Zatik scales and also leaning on a network of partners to provide additional expertise in areas as necessary for their clients.

"I mean, I can't help you secure your product if you have no employee access control," Price says. "So we wouldn't turn our nose up at other areas."

Ultimately, the goal is to help smaller companies develop that security-by-design ethos from the outset. Price sees that not only as a great business opportunity, but a way to move the needle on security across the tech world.

"One of the things I love about the kind of small companies we're talking to is we're getting in early in their maturity cycle," she says. "So as they're growing, they're growing with a secure-by-design platform where the engineers they're hiring and managing understand that this is 'just how we do it.' Of course we have branch protection, of course we do these things because it was there from day one, versus the security team showing up later and demanding that they have to change things."

Do Small Companies Need Fractional AppSec Teams Akin to Virtual CISOs?

By Owais Sultan
Looking for a SaaS SEO consultant? We’ve rounded up the top 15 SaaS SEO experts you need to…
This is a post from HackRead.com Read the original post: 15 Best SaaS SEO Experts That Will Help You Dominate Online

15 Best SaaS SEO Experts That Will Help You Dominate Online

By Waqas
This incident is a perfect example of the phrase "one thing leading to another.
This is a post from HackRead.com Read the original post: 1Password Discloses Security Incident Linked to Okta Breach

On October 23, 2023, 1Password’s CTO, Pedro Canahuati, disclosed the incident, stating that threat actors were unable to access or steal user data during the attack.

On October 24, 2023, 1Password disclosed (PDF) a security incident that was linked to the recent breach of Okta’s support system. The incident occurred when a threat actor gained access to an IT employee’s Okta session token by leveraging access to a stolen credential and used it to access 1Password’s Okta administrative portal.

While 1Password says that no user data was accessed during the incident, the incident highlights the importance of strong security practices for both Okta customers and password managers.

The latest security breach at Okta serves as the second cyberattack on the company. In March 2022, LAPSUS$ hackers claimed to have breached Okta and Microsoft after leaking a trove of their data on Telegram.

****How the Okta Breach Impacted 1Password****

Okta is a popular identity and access management (IAM) platform that helps organizations manage user access to their applications. On October 20, 2023, Okta disclosed that threat actors had gained access to its support systems and stolen authentication data for some of its customers.

1Password is one of the customers that was impacted by the Okta breach. On September 29, 1Password detected suspicious activity on its Okta instance. After a thorough investigation, 1Password concluded that a threat actor had used a stolen session token to access 1Password’s Okta administrative portal

> _“Based on our initial assessment, we have no evidence that proves the actor accessed any systems outside of Okta. The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack.”_
> 
> Pedro Canahuati – CTO 1Password’s

****What 1Password Is Doing to Mitigate the Impact of the Incident****

1Password has taken a number of steps to mitigate the impact of the incident, including:

*   Launching an investigation into the incident.
*   Terminating the threat actor’s session immediately.
*   Implementing stricter access controls for Okta users.

****What 1Password Users Can Do to Protect Their Accounts****

1Password users can take the following steps to protect their accounts:

*   Keep their 1Password app up to date.
*   Change their 1Password password regularly.
*   Use a strong, unique password for their 1Password account.
*   Enable two-factor authentication for their 1Password account.
*   Be careful about clicking on links in emails or messages from unknown senders.

****What This Incident Means for IAM and Password Management Security****

The 1Password incident highlights the importance of strong security practices for both IAM and password management platforms. IAM platforms like Okta need to implement robust security controls to protect their customers’ data. All Password managers need to implement multi-factor authentication and other security measures to protect their users’ passwords.

Organizations that use Okta or other IAM platforms should review their security policies and procedures to ensure that they are taking all necessary precautions to protect their data. Organizations that use password managers should also review their security settings and enable multi-factor authentication for all users.

****_RELATED ARTICLES_****

1.  GoTo’s LastPass Breach: Encrypted Customer Data Taken
2.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT
3.  PasswordState password manager’s update hijacked to drop malware
4.  LastPass Employee PC Hacked with Keylogger to Access Password Vault
5.  Passwords by Kaspersky Password Manager exposed to brute-force attack

1Password Discloses Security Incident Linked to Okta Breach

Hamas has threatened to broadcast videos of hostage executions. With the war between Israel and Hamas poised to enter a new phase, are social platforms ready?

For the past decade, social media platforms have struggled to stop the spread of extremist violence livestreamed on their platforms. Now they face a much different problem: This time, they know what’s coming.

In the days after Hamas attacked Israel on October 7, the group’s military wing said it would kill an Israeli hostage every time Israel launched an attack on Gaza. Abu Obeida, a spokesperson for the al-Qassam Brigades, added that these executions would be broadcast “in audio and video.” As of today, Hamas is holding 220 people hostage, according to the Israel Defense Forces.

Amid the October 7 attack, one person livestreamed footage showing Hamas fighters murdering Israeli citizens—a clip of which was later shared by Donald Trump Jr. on X. And in the days after the attack, Hamas hijacked the accounts of those hostages on platforms like Facebook and Instagram to livestream attacks and issue death threats.

In response, tech companies appeared to take things seriously.

Meta launched a “special operations center” to track content on Facebook, Instagram, and Threads. TikTok activated its “command center.” X (formerly Twitter) mobilized its “cross-company leadership group.” YouTube activated its “intelligence desk.” And Reddit tells WIRED its “safety team” is on alert.

But when WIRED asked for specific details about how they are going to prevent bad actors from weaponizing the platforms’ livestreaming capabilities, none of the companies offered any specific details, instead pointing to their general online guidance about livestreaming policies, if they responded at all. For example, Meta directed WIRED to a 2019 blog post from chief information security officer Guy Rosen about how the company was planning to curb the use of its livestream products in the wake of the Christchurch massacre, during which a gunman killed 51 people at a mosque in New Zealand in March of that year.

Despite the press releases indicating all-hands-on-deck attention to the livestreaming problem, industry experts say social media companies are showing a lack of transparency and an unwillingness to take the measures needed to prevent execution videos from spreading on their platforms, such as suspending livestreaming capabilities completely during the Israel-Hamas war.

“Hamas’ threats to execute these people on livestreams is happening because it’s possible for them to broadcast it,” Imran Ahmed, the founder and CEO of Center for Countering Digital Hate, a nonprofit that tracks hate speech on social platforms, tells WIRED. “They’re doing this for the spectacle because it terrorizes us. If we took away their ability to generate that spectacle, would they be doing this? What comes first, the livestream or the execution?”

Ahmed alleges that the companies are failing to implement systems that automatically detect violent extremist content as effectively as they detect some other kinds of content. “If you have a snatch of copyrighted music in your video, their systems will detect it within a microsecond and take it down,” Ahmed says, adding that “the fundamental human rights of the victims of terrorist attacks” should carry as much urgency as the “property rights of music artists and entertainers.”

The lack of details about how social platforms plan to curb the use of livestreams is, in part, because they are concerned about giving away too much information, which may allow Hamas, Palestinian Islamic Jihad (PIJ), and other militant groups or their supporters to circumvent the measures that are in place, an employee of a major platform who was granted anonymity because they are not authorized to speak publicly claimed in a communication with WIRED.

Adam Hadley, founder and executive director of Tech Against Terrorism, a United Nations-affiliated nonprofit that tracks extremist activity online, tells WIRED that while maintaining secrecy around content moderation methods is important during a sensitive and volatile conflict, tech companies should be more transparent about how they work.

“There has to be some degree of caution in terms of sharing the details of how this material is discovered and analyzed,” Hadley says. “But I would hope there are ways of communicating this ethically that don’t tip off terrorists to detection methods, and we would always encourage platforms to be transparent about what they’re doing.”

The social media companies say their dedicated teams are working around the clock right now as they await the launch of Israel’s expected ground assault in Gaza, which Hadley believes could trigger a spate of hostage executions.

And yet, for all of the time, money, and resources these multibillion-dollar companies appear to be putting into tackling this potential crisis, they are still reliant on Tech Against Terrorism, a tiny nonprofit, to alert them when new content from Hamas or PIJ, another paramilitary group based in Gaza, is posted online.

Hadley says his team of 20 typically knows about new terrorist content before any of the big platforms. So far, while tracking verified content from Hamas’ military wing or the PIJ, Hadey says the volume of content on the major social platforms is “very low.”

“Examples that we can find on large platforms of that official content are in the thousands, so not a lot of examples, compared with significantly more on Telegram,” Hadley says. “We are sharing alerts to 60 platforms who have been implicated with \[Hamas\] and PIJ content to date, but very low volumes are present.”

Hamas is banned on Facebook, Instagram, YouTube, and TikTok, so it has typically not used these mainstream platforms to any great extent, though X said earlier this month that it had removed hundreds of Hamas-affiliated accounts. Instead, Hamas prefers to use Telegram.

“Because the use of Telegram is so widespread and simple, we will assume they will continue to do this because terrorists prioritize platforms they can use most easily,” Hadley says, “and why would they bother with anything other than Telegram?”

Meta, X, and YouTube collaborate to share information about what they are seeing on the platforms. Telegram does not take part in such partnerships. While it has blocked some channels in certain jurisdictions, Telegram has typically taken a hands-off approach to content moderation, meaning Hamas and related groups have been mostly free to post whatever content they like on its platform.

Telegram did not respond to WIRED’s questions about how it would deal with execution videos on its platform, nor did X or Twitch. Discord declined to provide an on-the-record comment.

While Hadley sees Telegram as the primary concern, mainstream platforms are still at risk of facilitating the spread of this content. Videos can easily be downloaded from Telegram and reposted on any other platform, which is where the mainstream social media networks face the challenge of stopping them.

When asked to provide more details about their efforts, Meta and TikTok directed WIRED to their policy pages outlining the work they are doing to prevent the spread of these videos. YouTube spokesperson Jack Malon tells WIRED that “our teams are working around the clock to monitor for harmful footage across languages and locales.” A Reddit spokesperson says the company has “dedicated teams with linguistic and subject-matter expertise actively monitoring the conflict and continuing to enforce Reddit’s Content Policy across the site.”

One of the key ways that tech companies try to keep violent extremist content from going viral on their platforms is by using what are known as hashing databases. When content from a terrorist organization is identified, it is “hashed” to create a unique identifier that can then be shared among all companies to automatically prevent that video or image from being reshared elsewhere.

The sharing of these hashes and communication around incidents like the Israel-Hamas war are coordinated by the Global Internet Forum to Counter Terrorism (GIFCT), a small team of experts whose mission is to stop tech platforms from being exploited by violent extremists. The group was founded in 2017 by Facebook, Microsoft, X (then Twitter), and YouTube as a way of centralizing and coordinating the sharing of information. Companies like Dropbox, Amazon, Pinterest, and Zoom also provide funding to the group.

GIFCT did not provide a spokesperson to answer WIRED’s questions, but a statement on the group’s website says it is “providing regular situational awareness across member companies and support in addressing content relating to this conflict that violates their platform policies.”

Even when mainstream platforms have access to a shared database of verified terrorist content and centralized communications with experts who are tracking this content closely, they still have a lot of work to do in order to prevent violent videos from spreading on their platforms.

“This will be a big litmus test for the mainstream platforms,” Hadley says. “We would expect their algorithmic systems to be able to detect the \[Hamas\] logo, for instance, and respond accordingly. So actually, we’re quietly confident that those platforms will be alright to handle it. And I would hope that they’ve been training their algorithms in anticipation of this, based on the very large amounts of existing content from \[Hamas and PIJ\]. But unfortunately, we have no insight into that at all.”

The Hamas Threat of Hostage Execution Videos Looms Large Over Social Media

Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.

Following a spate of attacks targeting independent developers on its Steam game-distribution platform, game maker Valve last week said that it will require developers to provide their phone numbers so the company can use SMS for two-factor authentication (2FA) starting Oct. 24. 

"As part of a security update, any Steamworks account setting that builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," the company stated in its notification. "We also plan on adding this requirement for other Steamworks actions in the future."

But since SMS-based two-factor authentication can be circumvented by persistent attackers using a variety of methods, the move raises the question: Why are consumer-facing online services still making SMS the go-to second factor, both internally and for customers?

**SMS-Based 2FA: Not Really Secure**

Getting around SMS two-factor authentication has become a priority among attackers, and indeed, it has been defeated using everything from machine-in-the-middle attacks to social engineering — including, in the infamous Uber breach case, through 2FA fatigue attacks. 

In 2022, for example, a banking Trojan known as Xenomorph compromised more than 50,000 Android devices after the cybercriminal group behind the malware disguised it as a performance utility, according to Tony Anscombe, chief security evangelist for digital security firm ESET.

"In reality, it was stealing the user’s login credentials for banking, payment, social media, cryptocurrency and other apps that have valuable personal information," he says. "The malware abused more than 50 apps, including PayPal and Coinbase, and included the ability to intercept messages and notifications, giving the cybercriminal the ability to bypass two-factor authentication codes.

But even the low-tech approach of just walking into a cellular store (SIM-swapping) or finding a corrupt technician works well, says David Richardson, vice president of endpoint and threat intelligence at cloud security platform Lookout. All an attacker has to do is know the targeted individual's phone number to attack the channel.

"The whole system is basically built on an assumption of trust — I could walk into any store and easily cancel my contract and port my phone number ... to pretty much any carrier," he says. "Basically \[an attacker could\] take over any phone number and start to receive the phone calls and, most importantly in these cases, the SMS messages that are that are going to those to those numbers."

And cellphone numbers are some of the most commonly leaked information on the Internet. The recent compromises of MGM Resorts and Caesars Entertainment, for example, exposed millions of records of business professionals and individual consumers, including phone numbers, which could be used by attackers for further attacks. 

**2FA Is Better Than Nothing**

SMS-based 2FA persists in the face of the insecurity for the simple reason that it's a relatively painless security mechanism for end users: A company merely needs to know is the customer's phone number to text a one-time passcode for authentication. For consumer-facing companies, reducing friction is the name of the game.

At the same time, making attackers' jobs even just a little bit more difficult helps protect developers — and the players of their games.

"Any MFA is better than no MFA — like, vastly superior," Lookout's Richardson says. "You're 10 times harder to hack if you've got an SMS-based MFA, so ... you're way better off having some form of multifactor authentication versus no form of multifactor authentication."

An SMS code could have protected Benoît Freslon, the independent developer behind the game NanoWar: Cells VS Virus, for example. Freslon fell prey to a social engineering scam, apparently when cybercriminals posing as another developer sent him a direct message with malicious content, according to a statement posted on Steam's Community forums.

"I was hacked, all my social networks accounts including Discord and Steam were compromised ... \[t\]he hacker uploaded a malware with \[sic\] my account," a developer stated on Steam's forums. "Be careful when a friend ask you to test his game on private message on Discord. ... It was the most stressfull days \[sic\] of my indie developer life."

Valve removed the game from Steam on Aug. 25, a day after the group behind the hacks published the infected version from the developer's account. The game developer stressed that a safe version of the game has been available since Sept. 15, uploaded from a "totally clean machine."

**SMS: A Good First Step, but...**

Companies focused on consumers and worried that the additional friction posed by 2FA security could use app-based factors that are already widely adopted, such as Google's or Microsoft's authenticators, says ESET's Anscombe.

"Many consumer-focused companies already provide the option to use either Microsoft or Google authenticator apps, this reduces the barrier to adoption as consumers may already have these apps installed," he says. 

"An app is not subject to SIM cloning nor malware that uses the operating systems permissions system to read SMS messages," he says. "The app itself should be protected by a passkey or biometrics adding an additional layer of security."

Boosting security has become important for game companies, as users have more digital in-game assets stored in online accounts that cybercriminals aim to monetize, and while cheaters look to access other gamers' accounts to gain advantage. Steam expects to roll out more security measures in the future to better protect, not only the developers but its customers and reputation.

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegment::IsValidRange(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Read Access

**Proof of Concept**

poc-wasm-interp-01.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3549==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000064a0fe bp 0x7ffcceb61670 sp 0x7ffcceb61640 T0)
==3549==The signal is caused by a READ memory access.
==3549==Hint: address points to the zero page.
    #0 0x64a0fe in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const /home/lain/wabt\_asan/src/interp/interp.cc:734:19
    #1 0x649cd7 in wabt::interp::Memory::Init(unsigned long, wabt::interp::DataSegment const&, unsigned long, unsigned long) /home/lain/wabt\_asan/src/interp/interp.cc:617:11
    #2 0x666cb4 in wabt::interp::Thread::DoMemoryInit(wabt::interp::Instr, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:2075:3
    #3 0x65b199 in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1510:32
    #4 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #5 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #6 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #7 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #8 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #9 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #10 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #11 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #12 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #13 0x7f9f8fa00082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #14 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/src/interp/interp.cc:734:19 in wabt::interp::DataSegment::IsValidRange(unsigned long, unsigned long) const
==3549==ABORTING

CVE-2023-46331: Out-of-Bound Memory Read in DataSegment::IsValidRange() · Issue #2310 · WebAssembly/wabt

WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataSegment::Drop(), which lead to segmentation fault.

**Environment**

OS               : Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux
Commit           : 0e78c24fd231d5ee67ccd271bfa317faa963281c
Version          : 1.0.33 (git~1.0.33-35-gdddc03d3)
Clang Verison    : 12.0.1
Build            : mkdir build && cd build && export CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" && cmake .. && cmake --build .
Affected Tool    : wasm-interp
Enabled Features : None
Impact           : Out-of-Bound Memory Write Access

**Proof of Concept**

poc-wasm-interp-02.zip

**Stack Trace Provide By AddressSanitizer**

$  ~/wabt\_asan/bin/wasm-interp poc.wasm
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000067f426 bp 0x7ffd04e28310 sp 0x7ffd04e28300 T0)
==3641==The signal is caused by a WRITE memory access.
==3641==Hint: address points to the zero page.
    #0 0x67f426 in wabt::interp::DataSegment::Drop() /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9
    #1 0x6670be in wabt::interp::Thread::DoDataDrop(wabt::interp::Instr) /home/lain/wabt\_asan/src/interp/interp.cc:2081:33
    #2 0x65b29a in wabt::interp::Thread::StepInternal(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1511:32
    #3 0x65352b in wabt::interp::Thread::Run(int, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1086:19
    #4 0x645a70 in wabt::interp::Thread::Run(wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:1078:14
    #5 0x644caf in wabt::interp::DefinedFunc::DoCall(wabt::interp::Thread&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:428:19
    #6 0x64417d in wabt::interp::Func::Call(wabt::interp::Store&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> > const&, std::vector<wabt::interp::Value, std::allocator<wabt::interp::Value> >&, wabt::interp::RefPtr<wabt::interp::Trap>\*, wabt::Stream\*) /home/lain/wabt\_asan/src/interp/interp.cc:394:10
    #7 0x6512e6 in wabt::interp::Instance::Instantiate(wabt::interp::Store&, wabt::interp::Ref, std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> > const&, wabt::interp::RefPtr<wabt::interp::Trap>\*) /home/lain/wabt\_asan/src/interp/interp.cc:944:22
    #8 0x5693e5 in InstantiateModule(std::vector<wabt::interp::Ref, std::allocator<wabt::interp::Ref> >&, wabt::interp::RefPtr<wabt::interp::Module> const&, wabt::interp::RefPtr<wabt::interp::Instance>\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:340:19
    #9 0x562e82 in ReadAndRunModule(char const\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:423:3
    #10 0x561f67 in ProgramMain(int, char\*\*) /home/lain/wabt\_asan/src/tools/wasm-interp.cc:450:25
    #11 0x563191 in main /home/lain/wabt\_asan/src/tools/wasm-interp.cc:456:10
    #12 0x7f77c7bdc082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x4845ed in \_start (/home/lain/wabt\_asan/bin/wasm-interp+0x4845ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lain/wabt\_asan/include/wabt/interp/interp-inl.h:906:9 in wabt::interp::DataSegment::Drop()
==3641==ABORTING

Tag

#microsoft