Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability

CVE-2023-36021

Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

CVE-2023-36028

Microsoft Remote Registry Service Remote Code Execution Vulnerability

CVE-2023-36423

Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

CVE-2023-36428

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-36041

By Deeba Ahmed
As per cybersecurity researchers at Proofpoint, the APT group TA402 operates in support of Palestinian espionage objectives, with a primary focus on intelligence collection.
This is a post from HackRead.com Read the original post: Pro-Palestinian TA402 APT Using IronWind Malware in New Attack

The recently discovered IronWind malware is distributed via email attachments, cleverly disguised as official correspondence related to the “Economic Cooperation Program with the Countries of the Gulf Cooperation Council 2023-2024.”

Proofpoint cybersecurity researchers have discovered a **new phishing campaign** against Israeli entities, launched by a Middle Eastern APT group, TA402. Proofpoint has been monitoring TA402’s activities since 2020.

The group is also known as Gaza Cybergang, Molerats, WIRTE, and Frankenstein. Researchers agree that TA402 is a pro-Palestinian threat actor targeting Israel for intelligence gathering. The **group had previously been identified** using Facebook, Google Drive, and Dropbox to propagate malware

“TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection.” This aligns with earlier reports published by Proofpoint on this specific threat actor.”

The company’s latest report, authored by Joshua Miller and the Proofpoint Threat Research Team, revealed that the attackers used a novel initial access downloader dubbed IronWind in this campaign.

IronWind malware is written in the **Go programming language**. After getting deployed, it allows attackers to load additional malware, such as remote access trojans or keyloggers, to steal sensitive data.

Proofpoint researchers found that the attackers are targeting individuals and organizations linked to the Israeli government or military institutions. The campaign started in July 2023 and continued until October 2023. TA402 has consistently engaged in targeted activities and strongly focused on Middle Eastern and North African entities.

Using the labyrinthine infection chain IronWinds indicates that the threat actors have become more sophisticated in their choice of attack mechanisms and are focusing on evading security measures.

The group used a compromised Ministry of Foreign Affairs email account to target Middle Eastern government officials in this phishing campaign. The email message had an economic-themed social engineering lure that read:

“برنامج التعاون الإقتصادي مع دول مجلس التعاون الخليجي 2023-2024″ (Translation: Economic cooperation program with the countries of the Gulf Cooperation Council 2023-2024,”) the **blog post** revealed.

What’s interesting is that TA402 used three different delivery methods between July and October. This includes Dropbox links and XLL and RAR file attachments. Each variation leads to the downloading of a DLL containing the multifunctional malware. The email **delivered a Dropbox** link in July, from where a malicious Microsoft PowerPoint Add-in (PPAM) file was downloaded.

This file contained a macro, which dropped three files- version.dll (IronWind), timeout.exe (IronWind sideloader), and gatherNetworkInfo.vbs. When IronWind is sideloaded, the downloader sends an HTTP GET request to a known TA402 C2 domain (theconomicsnet) hosted on 191.101.78189. 

In August, the attacker included an XLL file in the email, which loaded IronWind. In October, the attacker sent an **RAR attachment** containing a renamed version of tabcal.exe to sideload the downloader instead of using the PPAM file. The same month, TA402 used the Gaza war conflict for the first time as a lure in emails.

TA402 has avoided using cloud services like Dropbox API, which Proofpoint had noticed in its activities in 2021 and 2022, and used attacker-controlled C2 infrastructure.

TA402 APT’s infection chain from November 2021 to January 2022 and infection chain in July 2023 campaign (Credit: Proofpoint)

This is a serious threat, and organizations must take steps to protect themselves. They should implement **cybersecurity awareness training for employees**, keep their systems up to date, and be on the lookout for suspicious activity. Hackread.com is tracking the activities of TA402 and will post updates as they become available.

****_RELATED ARTICLES_****

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware**
3.  **Deadglyph Backdoor Linked to Stealth Falcon APT in the Middle East**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine**
6.  **Gelsemium APT Group Uses “Rare” Backdoor in Southeast Asian Attack**

Pro-Palestinian TA402 APT Using IronWind Malware in New Attack

In Abbott ID NOW before 7.1, settings can be modified via physical access to an internal serial port.

**Access the most recent product security updates from Abbott and its suppliers here.****NOVEMBER 14, 2023****Product Security Bulletin: ID Now**

Abbott has reviewed the level of potential impact of this vulnerability on product performance and safety, and has taken appropriate steps to mitigate this issue in its latest software update, v7.1.

****JANUARY 5, 2022******Product Security Bulletin: Apache Log4j**

Abbott is aware of the recently discovered remote code execution vulnerability impacting Apache Log4j, a logging tool commonly used in Java-based software applications.  

**DECEMBER 8, 2020****Product Security Bulletin: Amnesia:33**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in third-party open-source networking software components (TCP/IP stacks), commonly referred to as "Amnesia:33".

****SEPTEMBER 7, 2020******Product Security Bulletin: Treck TCP/IP "Ripple 20"**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in the Treck TCP/IP stack, commonly referred to as"Ripple 20". According to published reports, including the CISA Alert1, the security vulnerabilities in the software that supports network connectivity could allow remote code execution or exposure of sensitive information.

****OCTOBER 8, 2020******Product Security Bulletin: "Sweyntooth" BLE**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in third-party Bluetooth Low Energy (BLE) components, commonly referred to as “SweynTooth”. According to published reports, including the CISA Alert1, the vulnerabilities expose flaws in specific BLE components from multiple chip manufacturers that could allow an unauthorized user to interrupt BLE communication or bypass security.

****NOVEMBER 2, 2020******Product Security Bulletin: Microsoft CryptoAPI Spoofing**

Abbott is monitoring developments related to the recently published CISA Alert (Alert AA20-014A) identifying vulnerabilities in Microsoft’s Windows CryptoAPI, an application programming interface that enables developers to secure Windows-based applications. 

****JULY 7, 2020******Product Security Bulletin: VxWorks IPNet Vulnerabilities**

Abbott is monitoring developments related to recently published advisory (ICSA-19-211-01) identifying 11 IPNet vulnerabilities in Wind River’s VxWorks and other widely used Real Time Operating Systems (RTOSs). These vulnerabilities were reported by security researchers at Armis and are sometimes referred to as “Urgent/11”. RTOSs are used in a wide variety of products, including printers, routers, medical devices, firewalls, VOIP phones and industrial controllers.

****MAY 22, 2019******Product Security Bulletin: Microsoft RDP**

Abbott is aware of and actively monitoring updates related to the Remote Desktop Services Remote Code Execution vulnerability (CVE-2019-0708), which was announced by Microsoft on May 14, 2019.

****JANUARY 12, 2018******Product Security Bulletin: Meltdown/Spectre**

The National Health Information Sharing and Analysis Center (NH-ISAC) has issued an advisory to the industry regarding Meltdown and Spectre, two new widespread cybersecurity vulnerabilities impacting processors in nearly every computer and mobile device.

CVE-2023-47262: Product Advisories

By Waqas
Omegle was founded on March 25, 2009.
This is a post from HackRead.com Read the original post: Video Chat Website Omegle Permanently Shuts Down

Omegle’s founder Brooks Leif K-Brooks, cited the rampant misuse of the platform by pedophiles and other criminals as a major factor in the decision to shut it down.

Omegle, a widely used video chat website that allows users to connect randomly with strangers, ceased operations on November 8, 2023. The closure was announced by founder Leif K-Brooks, who said that operating the website was “no longer sustainable, financially nor psychologically.”

Brooks cited the rampant misuse of the platform by paedophiles and other criminals as a major factor in the decision to shut it down. In recent years, Omegle has been mentioned in more than 50 cases (**1** & **2**) against paedophiles, and the site has been criticized by child protection organizations for its lack of safety features.

Brooks also said that the stress and expense of fighting the misuse of Omegle was too much to bear. “Frankly, I don’t want to have a heart attack in my 30s,” he **said** in a statement on the website.

Statement from Omegle founder Leif K-Brooks (Click or open in new tab to enlarge)

At the time of closure, **according to** Help Mama, Omegle had a user base of 235 million active users on a weekly basis. The platform maintained a strong daily presence, with 3.35 million users engaging actively each day.

Breaking down the numbers further, Omegle sustained hourly traffic of 139,880 active users, drawing in a consistent stream of 2,331 users every minute. The platform’s appeal was evident in its rapid growth, welcoming 39 new visitors every second.

Geographically, a significant portion of Omegle’s user demographic hailed from the United States, constituting 29.93% of the total user base. These statistics highlight the widespread and continuous engagement that Omegle enjoys on a global scale.

However, the closure of Omegle is a loss for many people who used the platform to connect with new friends and strangers from all over the world. The platform also played a vital role in YouTube and TikTok prank culture. Yet, it is also a reminder of the dangers of online anonymity and the challenges of keeping online platforms safe for users.

Alternatives to Omegle include Chatroulette, Chatrandom, and Tinychat. These platforms offer similar features to Omegle, but they have also been criticized for their lack of safety features. Users should be cautious when using any online platform that allows them to connect with strangers.

****_RELATED ARTICLES_****

1.  **9 risky apps that you need to monitor on your kids’ smartphone**
2.  **Microsoft’s new tool detects & reports pedophiles from online chats**
3.  **Operation Narsil – INTERPOL Busts Decade-Old Child Abuse Network**
4.  **How chat platforms are using Machine Learning for content moderation?**
5.  **Anonymous shut down thousands of Dark Web sites for hosting child porn**

Video Chat Website Omegle Permanently Shuts Down

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story

The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts.
"An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming

The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts.

"An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language," Kaspersky said in a report published last week.

Ducktail, alongside Duckport and NodeStealer, is part of a cybercrime ecosystem operating out of Vietnam, with the attackers primarily using sponsored ads on Facebook to propagate malicious ads and deploy malware capable of plundering victims' login cookies and ultimately taking control of their accounts.

Such attacks primarily single out users who may have access to a Facebook Business account. The fraudsters then use the unauthorized access to place advertisements for financial gain, perpetuating the infections further.

In the campaign documented by the Russian cybersecurity firm, potential targets looking for a career change are sent archive files containing a malicious executable that's disguised with a PDF icon to trick them into launching the binary.

Doing so results in the malicious file saving a PowerShell script named param.ps1 and a decoy PDF document locally to the "C:\\Users\\Public" folder in Windows.

"The script uses the default PDF viewer on the device to open the decoy, pauses for five minutes, and then terminates the Chrome browser process," Kaspersky said.

The parent executable also downloads and launches a rogue library named libEGL.dll, which scans the "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs" and "C:\\ProgramData\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\" folders for any shortcut (i.e., LNK file) to a Chromium-based web browser.

The next stage entails altering the browser's LNK shortcut file by suffixing a "\--load-extension" command line switch to launch a rogue extension that masquerades as the legitimate Google Docs Offline add-on to fly under the radar.

The extension, for its part, is designed to send information about all open tabs to an actor-controlled server registered in Vietnam and hijack the Facebook business accounts.

**Google Sues Scammers for Using Bard Lures to Spread Malware**

The findings underscore a strategic shift in Ducktail's attack techniques and come as Google filed a lawsuit against three unknown individuals in India and Vietnam for capitalizing on the public's interest in generative AI tools such as Bard to spread malware via Facebook and pilfer social media login credentials.

"Defendants distribute links to their malware through social media posts, ads (i.e., sponsored posts), and pages, each of which purport to offer downloadable versions of Bard or other Google AI products," the company alleged in its complaint.

"When a user logged into a social media account clicks the links displayed in Defendants' ads or on their pages, the links redirect to an external website from which a RAR archive, a type of file, downloads to the user's computer."

The archive files include an installer file that's capable of installing a browser extension adept at pilfering victims' social media accounts.

Earlier this May, Meta said it observed threat actors creating deceptive browser extensions available in official web stores that claim to offer ChatGPT-related tools and that it detected and blocked over 1,000 unique URLs from being shared across its services.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft