Nvidia GeForce version 11.0.1.163 suffers from an unquoted service path vulnerability.

    # Exploit Title: Nvidia GeForce v11.0.1.163 - Unquoted Service Path# Date: 2024-11-25# Exploit Author: Milad Karimi (Ex3ptionaL)# Contact: miladgrayhat@gmail.com# t.me/Ci3c0# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# MiRROR-H: https://mirror-h.org/search/hacker/49626/# Vendor Homepage: https://www.nvidia.com/es-la/# Software Link: https://www.nvidia.com/es-la/# Version: 11.0.1.163# Tested on: Windows 10 Pro x64 EspC:\>wmic service get name, pathname, displayname, startmode | findstr"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v"""NVIDIA Update Service Daemon      nvUpdatusService                          C:\Program Files(x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe                                                 AutoC:\>sc qc nvUpdatusService[SC] QueryServiceConfig CORRECTONOMBRE_SERVICIO: nvUpdatusService        TIPO               : 10  WIN32_OWN_PROCESS        TIPO_INICIO        : 2   AUTO_START  (DELAYED)        CONTROL_ERROR      : 1   NORMAL        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIACorporation\NVIDIA Updatus\daemonu.exe        GRUPO_ORDEN_CARGA  :        ETIQUETA           : 0        NOMBRE_MOSTRAR     : NVIDIA Update Service Daemon        DEPENDENCIAS       :        NOMBRE_INICIO_SERVICIO: .\UpdatusUser

Nvidia GeForce 11.0.1.163 Unquoted Service Path

Microsoft is readying a new release of Windows in 2025 that will have significant security controls, such as more resilient drivers and a "self-defending" operating system kernel.

Source: mundissima via Shutterstock

Microsoft is making sweeping changes to its Windows operating system (OS) in the wake of this past summer's flawed CrowdStrike update, which caused millions of commercial devices to crash and cost customers billions of dollars in downtime.

The incident was a major impetus for the new Windows Resiliency Initiative, introduced and outlined during a session at last week's Microsoft Ignite conference. Microsoft officials said the changes are being made based on what they learned from the July 19 event, resulting in what they promised to be a more reliable and secure OS in 2025.

David Weston, Microsoft's vice president of enterprise and OS security, identified three objectives intended to make Windows more secure: faster and simpler recovery times, more resilient drivers, and tools and changes to how the OS kernel is secured to make it "more effective and self-defending."

The changes will also affect software developers and third-party security tool providers.

"We're working together across the industry and will improve reliability, based on lessons from July, with new changes and standards in the OS," said Pavan Davuluri, corporate VP for Windows and devices at Microsoft.

The new Windows release is being designed to resist malware and script attacks with stronger controls for applications and drivers, while improved identity protection aims to prevent phishing attacks. Microsoft is also establishing a new approach to privilege access management, Davuluri said.

Microsoft will release a preview of the new release to Windows Insiders next July. It will include tighter controls over what applications and software drivers are permitted to run, stronger identity management, quick machine recovery, personal data encryption for folders, and improved OS management and configuration capabilities.

The release is poised to arrive just as Microsoft ends support for Windows 10 on Oct. 14, 2025. Although Microsoft has been encouraging customers to upgrade to Windows 11, which was released in 2021, on an ongoing basis, nearly 61% of all PCs worldwide still have Windows 10, according to Statcounter.

**Enabling Security Partners to Build Outside the Kernel**

Further, tied to its long-term Secure Future Initiative announced a year ago, Microsoft is moving to safer programming languages by incrementally shifting from C++ to Rust. A new Windows Resilient Security Platform will enable third-party security product developers to build their products outside of the kernel, Weston explained.

"We're ensuring this platform will enable security solution providers to have the access they need to detect and respond to threats without introducing complexity into the kernel," he said. "This change will help end-user protection and antivirus products provide a high level of security and easier recovery."

While the moves should make Windows more resilient to attacks, Forrester senior analyst Paddy Harrington would like to see Microsoft tighten access even further.

"I would much prefer it if Microsoft bit the bullet and put the walls back up. That would mean recoding for everyone who messes in the kernel driver world, including Microsoft, but it's a safer method of operation," says Harrington, who first opined on that point in a July blog post.

**Post-Incident Security Summit in Redmond**

Two months after the CrowdStrike incident, Microsoft hosted its Windows Endpoint Security Ecosystem Summit, in Redmond, Wash., with security vendors and representatives of the US Cybersecurity and Infrastructure Security Agency (CISA) on hand to discuss how to make the OS more resilient.

Leading into the meeting, Weston indicated that an examination of Windows crash reports signaled the need to change how kernel drivers are deployed.

"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are, by nature, constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote in a July 27 post.

Following the summit, CISA last month published its Safe Software Deployment white paper, co-authored by the FBI, the Australian Signals Directorate's Australian Cyber Security Centre, and the Joint Cyber Defense Collaborative.

Omdia principal analyst Andrew Braunberg says that Microsoft is one of numerous vendors that have issued statements of support for CISA's Secure by Design pledge. However, it remains to be seen if it will follow through.

"It will be interesting to see if there is any change in behavior from Microsoft and other large software companies because of \[Donald\] Trump's win \[of the U.S. presidential election\]," Braunberg says. "These companies may reassess the external benefits of this support given a reduced, or eliminated, CISA under the new administration. There are international drivers for embracing Secure by Design principles, such as the EU Cyber Resiliency Act, but CISA has been the primary advocate in the US."

Nevertheless, Weston described CISA as playing an essential role in determining Microsoft's revamped security and resiliency standards for Windows endpoints.

"They are providing a framework for the whole IT industry to ensure that all partners, customers, and organizations are able to stay ahead of evolving security threats," he said.

Among the vendors at Microsoft's summit was CrowdStrike, which signaled it is endorsing Microsoft's Windows Resiliency Initiative.

"Microsoft's initiatives build on the discussions CrowdStrike participated in at the Windows Endpoint Security Summit in September, and we welcome innovations that enhance resiliency for our shared customers," a CrowdStrike spokesperson said. "The entire industry benefits when we collaborate to create a more resilient and open ecosystem that strengthens security for all."

Endpoint protection provider ESET is offering conditional support for Microsoft's initiative.

"In general, we support this evolution if it demonstrates measurable improvements to stability and strongly stress this must be on condition that any change must not weaken security, affect performance, or limit the choice and differentiation between cybersecurity solutions for customers," says ESET CTO Juraj Malcho.

**Shifting to Trusted Apps and Drivers**

Because many attacks result from users who download malicious or unsafe apps and drivers, Microsoft is adding Smart App Control and App Control for Business to Windows. These features use artificial intelligence to let administrators employ policies that require verified applications, according to Weston. He noted that Microsoft already offers this through App Locker, but it is complicated to manage.

A feature called "robust app control" will ensure that only verified apps can run, eliminating attacks from malicious attachments and socially engineered malware, he added.

**Thwarting Identity-Based Attacks and Overprivileged Accounts**

According to Microsoft's Entra ID data, more than 600 million identity attacks occur every day, 99% of which are password-based. In response, Microsoft has hardened its Windows Hello multifactor authentication capability, which uses biometrics. Microsoft has extended Windows Hello support for passkeys.

As part of its latest Windows Insider build, last week Microsoft released a preview of updates to its implementation of the WebAuthn APIs that will enable plug-in support for passkeys. In the coming months, Microsoft said third-party password managers will work with the native Windows passkey provider using Windows Hello. 

The new Windows release will also aim to reduce attacks resulting from users who have too many privileges and organizations that have insufficient privilege controls, which, according to Microsoft's Digital Defense report, are the cause of 93% of ransomware attacks.

A new feature called "administrator protection" will give employees standard user permissions by default "so they can still make Windows system changes, including app installation, but only when necessary and only after authorizing the change using Windows Hello," Weston said. "Admin protection will be incredibly disruptive to attackers, as they no longer have elevated privileges by default, and it will help ensure that employees do not use malware and remain in control of Windows."

According to Forrester's Harrington, the new app control approach should help organizations lock down their endpoints.

"I think there will be plenty of businesses who still go to third parties because of the flexibility those solutions bring," he says. "But this is a good move by Microsoft to breathe life back into the app control solution. For all those functions, I would have liked to see these moves earlier in the Windows 11 releases, but with Windows 10 going end-of-service next year, the timing works to give more enterprises reasons to move to Windows 11."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Boosts Device Security With Windows Resiliency Initiative

Printer issues are very common, but searching Google for help may get you into more trouble than you'd expect.

Anyone who has ever used a printer likely has had a frustrating experience at some point. There always seems to be some kind of issue with the software not responding, paper getting jammed or one of many other possible failures.

When people need help, they often turn to Google (and now AI) to look for an answer. This is where scammers come in, preying on unsuspecting and irate users ready to throw their printer out the window.

After clicking on a malicious Google ad, victims are redirected to a fraudulent site often using official brand names and logos. The crooks’ end goal is to get people to call them, and they achieve that by tricking them with fake printer drivers that always fail to install.

In this blog post, we review how this scam works and how to stay away from it.

**Malicious Search Ads**

Two of the most popular printer brands are HP and Canon. If you were to Google for help related to either of those brands right now, you would likely see sponsored results at the top of the search results page.

Unfortunately, in the majority of cases these ads are not from trusted providers but instead from tech support scammers. In the image below, you can see 4 ads shown for the query ‘_hp printer help_‘. It’s only after those that the official HP website appears.

If you were to say that consumers stand no chance, you’d be right. Unless you clicked on the official (organic search results), you’d end up getting scammed.

The list of sites includes:

megadrive\[.\]solutions  
geeksprosoftwareprints\[.\]org  
select-easy123print\[.\]com  
printcaretech\[.\]com

**The driver scam**

A driver is a software program that your computer uses to talk to physical hardware (i.e. your printer). In the early Microsoft Windows days, drivers were very important to get printers, monitors and other peripherals working. Today, the operating system is usually good at detecting new hardware and installing the required drivers automatically. There are some exceptions, not to mention that some manufacturers like to package additional software with their drivers.

After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to “install”. This is entirely fake, and the only thing the website displays is a recorded animation that will always end up with the same error message.

This type of error is very similar to those seen in the “Microsoft tech support scam”, typically done via a browser hijack. Scammers want to scare and then get their victims to contact them directly, via phone or live chat.

**Remote access and extortion**

There are many people that fall for these types of scams and entire armies of tech support agents working in poor conditions ready to defraud them. The script is usually standard across scams, with the support agent impersonating a popular brand and requesting personal information from the victim.

It is quite common for scammers to request and be granted remote access to the user’s computer. This gives them leverage to do a number of things, such as stealing data, locking the machine or even using it to log into the victim’s bank account.

This is why it is so important to be extremely cautious with online search ads, and search results in general. Browser extensions such as Malwarebytes Browser Guard will block ads but also the scam or malware sites associated with these schemes.

This won’t help with your printer issues, but at least it’ll save you the trouble of being defrauded. When it comes to such questions, online forums are usually a good place to start, and if you’re lucky to count a computer person in your family, that’s always a good favor to ask for.

 Printer problems? Beware the bogus help 

Check Point Research has discovered cybercriminals exploiting the popular Godot Game Engine to deliver malicious software. Discover the techniques used by attackers and how to protect yourself from these threats.

****SUMMARY****

*   **Cybercriminals are exploiting the Godot game engine to deliver malware called GodLoader, targeting multiple platforms like Windows, macOS, and Linux.**

*   **GodLoader hides malicious code in game files, bypassing antivirus detection and compromising over 17,000 devices since June 2024.**

*   **The malware uses sandbox evasion, Microsoft Defender exclusions, and GitHub-hosted repositories to distribute attacks.**

*   **GodLoader’s payloads include RedLine Stealer and cryptocurrency miners, affecting 1.2 million Godot game users.**

*   **The Godot team advises downloading software from trusted sources and avoiding cracked files to stay safe.**

Check Point Research (CPR) has published its latest research on a novel multi-platform technique employed by cybercriminals to exploit the popular open-source game engine, Godot to deliver a newly discovered malicious payload dubbed GodLoader after bypassing traditional security measures.

The concerning aspect is GodLoader’s cross-platform functionality, making it effective on macOS, Windows, Linux, iOS, and Android. Although designed to target Windows, it can be used on Linux and macOS with minimal adjustments.  The malware is, reportedly, distributed via the Stargazers Ghost Network on GitHub, using over 200 repositories and 225 accounts between September and October 2024. 

“The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines,” and an attack can put 1.2 million users of Godot-developed games at risk, researchers noted in the blog post.

According to CPR’s research, cybercriminals exploit the flexibility of Godot’s scripting language, GDScript and embed malicious code within game assets, executing it when the game is launched. This is a stealthy approach, which enables attackers to bypass antivirus detection and compromise systems without raising alarms.

Further probing revealed that it uses sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid detection. The malware was hosted on Bitbucket.org and distributed across four attack waves, with initial payloads including RedLine Stealer and XMRig cryptocurrency miners.

For your information, Godot is a powerful tool for game development that allows developers to bundle game assets and scripts into .pck files, which contain the game’s resources, including images, sounds, and scripts. By injecting malicious GDScript code into these .pck files, attackers can trick the game engine into executing harmful commands.

As soon as the game loads the infected .pck file, the hidden script springs into action, downloading and deploying additional malware payloads onto the victim’s device.

The attack flow (Via CPR)

****Godot Engine’s Statement****

The Godot Engine development team, in response, has issued a statement, explaining that GodLoader doesn’t exploit a specific weakness in Godot itself because like any programming language (e.g. Python or Ruby) Godot also allows the creation of both good and bad programs. Though the malware exploits Godot’s scripting language (GDScript) to deliver its payload, this doesn’t make Godot inherently unsafe.

The team also noted that it isn’t a one-click exploit because the GodLoader malware tricks users into downloading/executing a seemingly harmless file (typically a .pck file disguised as a software crack). This file wouldn’t work on its own and the attackers also must provide the Godot runtime (.exe file) separately to make it successful. This means users have to take multiple steps to install the malware, making it less likely to be a one-click exploit.

Nonetheless, team Godot emphasizes the importance of good security habits and downloading from trusted sources like official websites, established distribution platforms, or trusted individuals. Windows and macOS users should check for signed executables and notarization by a trusted party and avoid using cracked software as it is a common target for malicious actors.

1.  **Gcore Thwarts 500M PPS DDoS Attack on Gaming Firm**
2.  **What is Blockchain Gaming and its Play-to-Earn Model?**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **Winos4.0 Malware Hits Windows via Fake Gaming Apps**
5.  **Gaming Firms, Community Members Hit by Dark Frost Botnet**

Godot Engine Exploited to Spread Malware on Windows, macOS, Linux

Python has emerged as a powerful ally in combating rising cybersecurity threats and tracking cybercrime through tools leveraging…

Python has emerged as a powerful ally in combating rising cybersecurity threats and tracking cybercrime through tools leveraging **threat intelligence**. With its versatility and powerful libraries, experts today can create solutions that run large algorithms and enhance searchability and scalability.

****Unmatched Versatility in Threat Detection****

Cyber threats are evolving rapidly, and tools must stay ahead to counter them effectively. Python stands out with its versatility and a wide range of libraries tailored for cybersecurity. For instance, Scapy allows developers to analyze network packets, identifying suspicious behaviours before they can cause harm. Additionally, Python can be used to create predictive models to detect and mitigate threats using frameworks like TensorFlow.

****Real-life use cases highlight Python’s potential****

Python is incredibly useful in real-world cybersecurity. For network monitoring, tools like **Pyshark** leverage Python to decode and analyze network traffic for anomalies. Automated penetration testing benefits from Python scripts that streamline server and application vulnerability scans. In malware analysis, the Python-based **YARA** library plays a crucial role in identifying patterns of malicious code, making it an invaluable tool for threat detection.

Beyond technical strength, Python’s simplicity makes it easy for cybersecurity teams of different levels of expertise to work together. **Python software development services** are used by developers and analysts alike to easily integrate threat detection into existing systems.   

****Why Python Outshines Other Languages in Cybersecurity**  **

Python isn’t the only programming language out there—so what sets it apart? Its rich ecosystem, ability to quickly prototype, and cross-platform compatibility make it stand out from languages like Java or C++. Python enables rapid development of tools that can respond to threats in real-time, a critical factor in combating modern cyber risks.

Stay tuned as we explore how Python accelerates incident response and powers proactive defence systems, helping organizations stay ahead of security threats worldwide.

****Python’s Role in Accelerating Incident Response**  **

Quick action is necessary for incident response to limit the damage. The automation of repetitive tasks and real-time analysis make Python an ideal tool for this. Its simple syntax enables teams to write scripts that respond to threats quickly and resolve the issues faster.  

****Key ways Python aids incident response****

Python plays a vital role in incident response by streamlining critical tasks. Libraries like Loguru help parse server logs to identify irregularities, while Python scripts enable real-time alerts when threats are detected.

Tools like **Beautiful Soup** automate data extraction from compromised systems, and custom scripts can isolate infected systems to prevent the spread of malicious activity. These capabilities make Python an invaluable asset in managing and mitigating cyber threats effectively.

Python software development service helps organizations improve their incident response, reducing downtime and protecting their critical assets. Thanks to Python’s robust capabilities, teams can accelerate risk mitigation and manage what was once a potential crisis as an ordinary event.    

****Proactive Defense Through Python Development**  **

Python isn’t just reactive—it’s also a proactive tool for combating threats right from the start. With its extensive libraries and frameworks, cybersecurity teams can build predictive analytics tools to identify potential vulnerabilities and detect unusual patterns, keeping organizations one step ahead of attackers.

For instance, Python integrates seamlessly with AI tools for real-time anomaly detection. Developers can create algorithms to monitor network behavior and trigger instant alerts when deviations occur. Additionally, Python’s flexibility allows it to integrate easily with existing security infrastructures without stretching budgets.

By leveraging Python, businesses can reduce the risk of breaches, maintain stakeholder trust, and strengthen their overall security posture. Its proactive capabilities transform cybersecurity from a reactive necessity into a strategic advantage, enhancing digital protection at every level.

****Key Advantages of Python in Cyber Defense**  **

Python is a powerhouse in cybersecurity, offering developers and organizations unmatched efficiency in tackling complex security challenges. With extensive libraries like Cryptography and Hashlib for secure encryption and hashing, Python ensures data protection is seamless.

Furthermore, its cross-platform support allows it to work effortlessly across Windows, Linux, and macOS without compromising security. Python’s user-friendly syntax accelerates tool development and reduces deployment time, while its vast and active community continuously updates resources to address evolving threats. This combination of features makes Python a key factor for cybersecurity solutions.

1.  **Top Software Development Outsourcing Trends**
2.  **Why is learning Python important in Data Science?**
3.  **A Step-by-Step Guide to How Threat Hunting Works**
4.  **Power of Cloud App Development, DevOps for Businesses**
5.  **The Essential Tools and Plugins for WordPress Development**

How Python Software Development Enhances Cyber Defense

Group-IB has discovered that cybercriminals are using fake betting apps and ads with AI-generated voices to steal personal information and money. Discover the tactics used by scammers and how to avoid falling victim to these fraudulent schemes.

**SUMMARY**

*   **Scammers Use Fake Ads**: Cybercriminals are creating fake betting app ads to lure users and steal money and personal information.

*   **AI-Generated Voices**: Scammers use AI-generated voices in multiple languages to make their schemes seem more credible.

*   **Massive Reach**: Over 500 fake ads and 1,377 malicious sites have been identified, targeting users in regions like Egypt, the Middle East, Europe, and Asia.

*   **Serious Losses**: Victims have reported losing significant amounts, with some losing over $10,000 to these scams.

*   **Stay Safe**: Avoid downloading apps from unofficial sources, be wary of too-good-to-be-true offers, and always use strong security measures.

Cybersecurity firm Group-IB has observed a surge in **fake betting** game advertisements across various social media platforms. In its detailed investigation, shared with Hackread.com, Group-IB’s CERT team discovered deceptive ads designed to lure unsuspecting users by promising easy money, ultimately leading to financial loss and personal data compromise. The ads typically target users in regions like Egypt, the Middle East, Europe, and Asia.

One of the fake apps used in the scam (Source: Group-IB)

Researchers, reportedly, discovered over 500 deceptive ads and 1,377 malicious websites targeting users to download fraudulent applications. Further probing revealed that cybercriminals are employing advanced techniques to make these fraudulent ads appear legitimate.

This, according to Group-IB’s **blog post**, includes using AI-generated voices in multiple languages to create a sense of authenticity, even when the scam originates from a different country. Victims have suffered significant financial losses, with some reporting losses exceeding US$10,000.

As soon as a user clicks on a deceptive ad, they are directed to download a fraudulent app. These apps are typically distributed through third-party websites or APK files and are capable of bypassing security measures on official app stores. Upon installation, the app requests various personal and financial information, which is then harvested by the scammers.

> _“Group-IB CERT discovered these scams across multiple regions, with more than 200 ads targeting Egypt, 160 ads in the GCC, and another 140 in Europe and Asia. The momentum of such scams has rapidly increased, with scammers continually expanding into new markets.”_
> 
> Group-IB

Fake reviews and testimonials are a key facilitating factor in these scams, as these enhance the legitimacy of the fake apps. These reviews feature detailed narratives, screenshots, and photos of “successful” players, creating the illusion of a highly profitable and trustworthy game, and generating attraction for the scam.

Fake reviews on one of the fraud apps (Source: Group-IB)

Fake betting apps can lead to severe consequences for users, such as financial loss through “bait and switch” tactics, identity theft due to the collection of personal information, and device compromise. Malicious apps can compromise device security, allowing attackers to access sensitive data and install additional malware, posing a significant risk to users’ personal information.

We have been witnessing a gradual rise in fake gaming apps compromising users’ devices. Recently, Hackread **reported** Fortinet’s FortiGuard Labs discovery of a new malicious campaign targeting Microsoft Windows users using game-related applications to deliver Winos4.0, an advanced malware framework similar to Cobalt Strike and Sliver. Earlier this week, Indian authorities **busted** an international gang of cybercriminals who used fake gaming apps to mint over 190cr from unsuspecting users.

Hence, it is essential to be cautious of quick money offers to avoid falling victim to such scams. Always download apps from official stores, avoid suspicious links, use strong security measures like passwords and two-factor authentication, and stay updated on the latest online scams and **phishing techniques** to stay safe.

1.  **Crooks Exploit Satellite Live Feed Delay for Betting Advantage**
2.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**
3.  **Chinese Scammers Exploit Cloned Sites in Vast Gambling Network**
4.  **Facebook Malvertising Campaign Drops Malware via Fake Bitwarden**
5.  **Dude Finds Flaw in World’s Biggest Gambling Site, Steals $1M in BTC**

Fake Betting Apps Using AI-Generated Voices to Sensitive Data

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁 📹 Video on YouTube, LinkedIn🗞 Post on Habr (rus)🗒 Digest […]

**New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities.** The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn  
🗞 Post on Habr (rus)  
🗒 Digest on the PT website

Content:

🔻 00:37 **Elevation of Privilege** – Microsoft Streaming Service (CVE-2024-30090)  
🔻 01:46 **Elevation of Privilege** – Windows Kernel-Mode Driver (CVE-2024-35250)  
🔻 02:38 **Spoofing** – Windows MSHTML Platform (CVE-2024-43573)  
🔻 03:43 **Remote Code Execution** – XWiki Platform (CVE-2024-31982)  
🔻 04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences.  
🔻 05:22 Social “Attack on the complainer“  
🔻 06:35 “Ford’s method” for motivating IT staff to fix vulnerabilities: will it work?  
🔻 08:00 About the digest, habr and the question contest 🎁  
🔻 08:29 Backstage

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities

Watch out for the Russian hackers from the infamous RomRom group, also known as Storm-0978, Tropical Scorpius, or UNC2596, and their use of a custom backdoor.

****SUMMARY****

*   **RomCom Exploits Double Zero-Day:** RomCom, a Russia-linked group used previously unknown vulnerabilities in Firefox and Windows in a sophisticated attack campaign.

*   **Attack Chain:** Visiting a malicious webpage triggered a Firefox flaw, and then a Windows bug allowed the installation of RomCom’s backdoor.

*   **Targeted Sectors:** RomCom targeted government, pharmaceutical, legal, and other sectors in Europe and North America for espionage and cybercrime.

*   **Quick Patches:** Mozilla and Microsoft rapidly released updates to fix the vulnerabilities, highlighting the importance of software updates.

*   **Sophisticated Threat:** The attack shows the advanced capabilities of state-sponsored cyber groups and the need for strong cybersecurity measures.

Cyber security researchers at ESET have exposed a malicious campaign by the Russia-linked **RomCom group**, which combined two previously unknown (zero-day) vulnerabilities to compromise targeted systems including Windows and Firefox.

The attack chain, first detected on October 8th, started with a vulnerability in Mozilla Firefox, Thunderbird, and Tor Browser (**CVE-2024-9680**, CVSS score 9.8). If a user with a vulnerable browser visited a customized webpage, malicious code could run within the browser’s restricted environment without any user interaction. This vulnerability, a “use-after-free” bug in the animation feature of Firefox, was quickly addressed by Mozilla within 24 hours of being notified by ESET.

However, the attack didn’t stop there. RomCom chained this browser vulnerability with another zero-day flaw in Windows (**CVE-2024-49039**, CVSS score 8.8) to bypass the browser’s security “sandbox.” This second vulnerability allowed the attackers to run code with the privileges of the logged-in user, taking control of the system. Microsoft released a fix for this issue on November 12th.

The exploit chain worked by first redirecting users to fake websites, which used domains designed to appear legitimate and included the names of other organizations, before sending them to a server hosting the exploit code.

These fake sites often used the prefix or suffix “redir” or “red” to a legitimate domain, and the redirection at the end of the attack took the victims to the legitimate website, hiding the attack. Once the exploit successfully ran, it installed **RomCom’s custom backdoor**, giving the attackers remote access and control over the infected machine.

Exploit flow (Via ESET)

ESET’s **investigation** shows that RomCom targeted various sectors, including government entities in Ukraine, the pharmaceutical industry in the US, and the legal sector in Germany, for both espionage and cybercrime purposes. The group, also known as **Storm-0978, Tropical Scorpius, or UNC2596**, is known for both opportunistic attacks and targeted espionage.

From October 10th to November 4th, ESET’s data showed that users visiting these malicious websites were primarily located in Europe and North America, with the number of victims ranging from one to as many as 250 in some countries.

This cyberattack campaign goes on to show the importance of quick vulnerability disclosure and patching. It also emphasises the need for users to remain alert and keep their software up to date to prevent exploitation of **zero-day vulnerabilities**.

1.  **Russian Cyber Offensive Shifts Focus to Ukraine’s Military**
2.  **Russian APT29 Use NSO Group-Style Exploits in Attacks, Google**
3.  **Russian Malware Targets Ukrainian Military Recruits via Telegram**
4.  **Russian Hackers Phish Critical Sectors with Microsoft, AWS Lures**
5.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**

Russian Hackers Exploit Firefox and Windows 0-Days to Deploy Backdoor

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert…

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert advisories to mitigate these critical security risks.

In a recent presentation at SANS HackFest Hollywood 2024, cybersecurity researchers at London, England-based firm AmberWolf have revealed critical security vulnerabilities in widely used corporate Virtual Private Network (VPN) clients allowing attackers to target macOS and Windows systems.

These vulnerabilities, found in both traditional SSL-VPN clients and modern Zero Trust solutions, could be exploited by attackers to gain remote code execution and elevated privileges on end-user devices.

The researchers found that VPN clients, while essential for secure remote access, often have deep system access. This makes them attractive and possibly a lucrative target for hackers.

The main problem lies in how these clients trust VPN servers. Attackers can create malicious VPN servers that exploit this trust, allowing them to run commands and gain administrator-level access to a user’s computer with little to no user interaction.

****NachoVPN****

To help the security community understand and mitigate these risks, the researchers have released NachoVPN, an open-source tool that simulates the attack scenarios discussed in their presentation. This tool acts as a malicious VPN server and shows how it can exploit weaknesses in different VPN clients. NachoVPN is designed to be easy to use and can be adapted to test for new vulnerabilities as they are discovered.

_“_NachoVPN serves as a proof-of-concept tool to simulate rogue VPN servers capable of exploiting these vulnerabilities, AmberWolf researchers wrote in their blog post. _“_It showcases how insecure behaviours in VPN clients can be leveraged to gain privileged code execution._“_

Alongside NachoVPN, the researchers have published detailed advisories documenting the specific vulnerabilities disclosed during their presentation. These advisories provide technical descriptions, attack vectors, and mitigation recommendations to help organizations protect themselves against these threats.

****Vulnerabilities****

The vulnerabilities affect popular corporate VPN clients, including Palo Alto GlobalProtect and SonicWall NetExtender for Windows. The advisories, identified as CVE-2024-5921 and CVE-2024-29014, highlight the risks of remote code execution and privilege escalation via malicious VPN servers.

****NachoVPN on GitHub****

For more information about NachoVPN and the disclosed vulnerabilities, interested parties can visit the project’s **GitHub** repository and review the detailed advisories. The researchers’ presentation from SANS HackFest Hollywood 2024 is also available on the SANS YouTube channel, providing further insights into their findings and recommendations.

1.  ASUS and NordVPN Partner to Integrate VPN into Routers
2.  Hackers Calling Employees to Steal VPN Logins from Firms
3.  Ivanti VPN Flaws Exploited by DSLog Backdoor, Crypto Miners
4.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws
5.  Hackers Use Stolen VPN Access against Ivanti Users Despite Patches

AmberWolf Launches NachoVPN Tool to Tackle VPN Security Risks

The preview version now includes multiple security-focused additions Microsoft had promised to add, such as SecureBoot, BitLocker, and Windows Hello.

Source: Mundissima via Shutterstock

Six months after announcing (and modifying and delaying) Windows Recall, Microsoft has released a first-look preview of a reworked version for Windows Insiders via its Dev Channel. 

The preview is available only to Windows Insiders with Qualcomm Snapdragon X Elite and Plus Copilot+ PCs. The build of Windows that includes Recall (preview) with Click to Do (Preview) is Windows 11 Insider Preview Build 26120.2415 (KB5046723), Microsoft said. Support for Intel- and AMD-powered Copilot+ PCs will be available at a later date.

Recall takes "snapshots" of a user's PC that can be searched at anytime, thus allowing users to "recall" any application action, website visited, or image or document previously accessed on the system. Recall uses optical character recognition (OCR) to extract the text in screenshots and saves both of the images and text into a searchable database. When users describe what they are looking for, Recall searches the database to help them find it. The built-in neural processing unit is capable of running artificial intelligence (AI) and machine learning workloads locally and does not store anything in the cloud. This means Microsoft doesn't have access to any Recall snapshots, and none of the snapshots will be used to train Microsoft's AI models.

Recall was initially scheduled to be released last summer, but Microsoft had repeatedly delayed it to address privacy concerns. In September, the company explained how it was working to secure Recall snapshots.

Several of the new security-focused additions are available in the preview. Those who download the preview must opt in to saving snapshots, which is a change from the original plan to make it an opt-out feature. Recall now requires BitLocker disk encryption and Secure Boot to be enabled. Users must also be enrolled in Windows Hello because they must reauthenticate with Hello each time they access Recall's database. Users have the ability to delete any snapshot they want, and the system can detect sensitive personal data, like credit card numbers, passwords, and PINs, and won’t save them.

Users can also opt out of using Recall on specific apps and websites or just uninstall it altogether. For enterprise and education users, Recall will be managed by IT administrators. Administrators can also completely uninstall Recall if they are concerned about data exposure. 

The purpose of the Windows Insider preview is to give users the ability to try out the feature in real-world scenarios and help Microsoft identify issues that need to be addressed. Users can submit their feedback of the preview versions of Recall and Click to Do (recognize text and images in Recall snapshots and then copy the text or save images out of the snapshots) via the Feedback Hub. Insiders are asked to provide feedback on Recall's "updated security and privacy architecture" through the Windows Insider Preview Bug Bounty Program. 

Microsoft did not say how long it plans to keep Recall in preview before it would be considered ready for general release.

Tag

#windows