The War Room

Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

LOLBAS in the Wild: 11 Living-Off-The-Land Binaries Used for Malicious Purposes

Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities. "LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes," Pentera security researcher Nir Chako said. "This makes it hard for security teams

Android’s August 2023 Updates Patch Critical RCE (CVE-2023-21273 & CVE-2023-21282) Bugs

Google this week announced the August 2023 security updates for Android devices, with patches for over 48 vulnerabilities, including two critical remote code execution (RCE) bugs and a critical elevation of privilege flaw. Google’s...

The post Android’s August 2023 Updates Patch Critical RCE (CVE-2023-21273 & CVE-2023-21282) Bugs appeared first on Penetration Testing.

43 Android apps in Google Play with 2.5M installs loaded ads when a phone screen was off

Experts found 43 Android apps in Google Play with 2.5 million installs that displayed advertisements while a phone’s screen was off. Recently, researchers from McAfee’s Mobile Research Team discovered 43 Android apps in Google Play with 2.5 million installs that loaded advertisements while a phone’s screen was off. The experts pointed out that this behavior […]

The post 43 Android apps in Google Play with 2.5M installs loaded ads when a phone screen was off appeared first on Security Affairs.

CVE-2023-39526: Critical SQL injection in PrestaShop

With the rapid growth of e-commerce and online transactions, a seamless shopping experience has become a necessity for businesses around the world. For many merchants, PrestaShop has been the platform of choice, earning the...

The post CVE-2023-39526: Critical SQL injection in PrestaShop appeared first on Penetration Testing.

GNOME Files silently extracts setuid files from ZIP archives

Posted by Georgi Guninski on Aug 07

Affected: GNOME Files 43.4 (nautilus) on Fedora 37

Description:

If a user A opens in GNOME Files a zip archive containing
a `setuid` file F, then F will be silently extracted to
a subdirectory of CWD.

If F is accessible by a hostile local user B and B executes F,
then F will be executed as user A.

tar(1) and unzip(1) are not vulnerable to this attack.

Session for creating the ZIP.
After that just open f.zip in GNOME files.

Ransomware Victims Surge as Threat Actors Pivot to Zero-Day Exploits

Threat actors such as the operators of the Cl0p ransomware family increasingly exploit unknown and day-one vulnerabilities in their attacks.

Apple Users See Big Mac Attack, Says Accenture

Accenture's Cyber Threat Intelligence unit has observed a tenfold rise in Dark Web threat actors targeting macOS since 2019, and the trend is poised to continue.

Zoom trains its AI model with some user data, without giving them an opt-out option

Zoom changed its terms of service requiring users to allow AI to train on all their data without giving them an opt-out option. Zoom updated its terms of service and informed users that it will train its artificial intelligence models using some of its data. The update will be effective as of July 27, and accepting […]

The post Zoom trains its AI model with some user data, without giving them an opt-out option appeared first on Security Affairs.

LetMeSpy Android Spyware Service Shuts Down After Data Breach

By Waqas

LetMeSpy Faces Demise After Devastating Data Breach: Spyware Service Shuts Down Amidst Massive User Data Compromise.

This is a post from HackRead.com. Read the original post: LetMeSpy Android Spyware Service Shuts Down After Data Breach

Google Search Asked to Remove One Billion ‘Pirate’ Links in 9 Months

In a period of less than nine months, Google received requests to remove over a billion links to pirate sites from its search engine. This is a significant increase compared to recent years, but not necessarily a new trend. More than a quarter of all reported links, relating to a single website, were sent by MindGeek, the parent company of PornHub.

From: TF, for the latest news on copyright battles, piracy and more.

Hackers increasingly abuse Cloudflare Tunnels for stealthy connections

Hackers are increasingly abusing the legitimate Cloudflare Tunnels feature to create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence.

The technique isn't entirely new: Phylum reported in January 2023 that threat actors created malicious PyPI packages that used Cloudflare Tunnels to stealthily steal data or remotely access devices.

However, it appears that more threat actors have started to use this tactic, as GuidePoint's DFIR and GRIT teams reported last week, seeing an uptick in activity.

Abusing Cloudflare Tunnels

Cloudflare Tunnels is a popular feature provided by Cloudflare, allowing users to create secure, outbound-only connections to the Cloudflare network for web servers or applications.

Users can deploy a tunnel simply by installing one of the available cloudflared clients for Linux, Windows, macOS, and Docker.

From there, the service is exposed to the internet on a user-specified hostname to accommodate legitimate use-case scenarios such as resource sharing, testing, etc.

Cloudflare Tunnels provide a range of access controls, gateway configurations, team management, and user analytics, giving users a high degree of control over the tunnel and the services it exposes.

In GuidePoint's report, the researchers say that more threat actors abuse Cloudflare Tunnels for nefarious purposes, such as gaining stealthy persistent access to the victim's network, evading detection, and exfiltrating compromised devices' data.

A single command from the victim's device, which doesn't expose anything other than the attacker's unique tunnel token, is enough to set up the discreet communication channel. At the same time, the threat actor can modify a tunnel's configuration, disable, and enable it as needed in real-time.

Setting up a malicious tunnel (Source: GuidePoint)

"The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure," explains GuidePoint.

"For example, the TA could enable RDP connectivity, collect information from the victim machine, then disable RDP until the following day, thus lowering the chance of detection or the ability to observe the domain utilized to establish the connection."

Because the HTTPS connection and data exchange occur over QUIC on port 7844, it is unlikely that firewalls or other network protection solutions will flag this process unless they are specifically configured to do so.

SMB connection to a victim's device (Source: GuidePoint)

Also, if the attacker wants to be even more stealthy, they can abuse Cloudflare's 'TryCloudflare' feature that lets users create one-time tunnels without creating an account.

To make matters worse, GuidePoint says it's also possible to abuse Cloudflare's 'Private Networks' feature to allow an attacker who has established a tunnel to a single client (victim) device to access an entire range of internal IP addresses remotely.

"Now that the private network is configured, I can pivot to devices on the local network, accessing services that are limited to local network users," warned GuidePoint researcher Nic Finn.

To detect unauthorized use of Cloudflare Tunnels, GuidePoint recommends that organizations monitor for specific DNS queries (shared in the report) and for the use of non-standard ports such as 7844.

Furthermore, as Cloudflare Tunnel requires the installation of the 'cloudflared' client, defenders can detect its use by monitoring file hashes associated with client releases.
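As an added example (not code from the BleepingComputer article or from GuidePoint), the detection advice above can be turned into a small scan over endpoint network-connection events: flag outbound connections to port 7844 and any activity from the cloudflared client. The CSV event format, field names and sample rows are constructed assumptions.

```python
# Added detector for the two indicators the article names: port 7844 (the
# QUIC port cloudflared tunnels use) and the cloudflared client binary.
# Event schema and sample events below are constructed for this example.
import csv
import io

TUNNEL_PORT = 7844             # port stated in the article
TUNNEL_CLIENT = "cloudflared"  # client binary named in the article

# Constructed sample events: ts,host,process,proto,dst_ip,dst_port
SAMPLE_EVENTS = """\
ts,host,process,proto,dst_ip,dst_port
2023-08-07T09:00:01,WS-01,chrome.exe,tcp,203.0.113.10,443
2023-08-07T09:00:05,WS-01,cloudflared.exe,udp,198.51.100.7,7844
2023-08-07T09:00:09,WS-02,svchost.exe,udp,198.51.100.8,7844
2023-08-07T09:00:12,WS-03,cloudflared.exe,tcp,198.51.100.9,443
2023-08-07T09:00:15,WS-04,outlook.exe,tcp,203.0.113.20,443
"""


def classify(event):
    """Return a finding label for one event, or None if nothing stands out."""
    proc = event["process"].lower()
    port = int(event["dst_port"])
    is_client = proc.startswith(TUNNEL_CLIENT)
    if is_client and port == TUNNEL_PORT:
        return "cloudflared tunnel (client + port 7844)"
    if port == TUNNEL_PORT:
        # Port hit from a differently named process: possibly a renamed
        # client, which is why the article also suggests hash-based matching.
        return "port 7844 from non-cloudflared process"
    if is_client:
        # Client seen on another port: still worth a look on a host
        # where no tunnel is expected.
        return "cloudflared process active"
    return None


def scan(text):
    """Scan CSV events; return (host, process, dst_port, finding) tuples."""
    findings = []
    for ev in csv.DictReader(io.StringIO(text)):
        label = classify(ev)
        if label:
            findings.append((ev["host"], ev["process"], int(ev["dst_port"]), label))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Pair the process-name check with the file-hash monitoring the article recommends, since a renamed client only trips the port rule.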

Cyberinsurance Firm Resilience Raises $100 Million to Expand Its Cyber Risk Platform

Resilience Cyber Insurance Solutions has raised $100 million through a Series D funding round to support global expansion of its cyber risk platform that was launched earlier this year.

The post Cyberinsurance Firm Resilience Raises $100 Million to Expand Its Cyber Risk Platform appeared first on SecurityWeek.

Hands on with Windows 11's new modern File Explorer

With the introduction of Windows 11 23H2, Microsoft has modernized File Explorer on Windows 11, bringing a fresher look and feel to the system's integral file management tool.

This update is not only visually pleasing but also comes with enhanced features and functions aimed at boosting productivity and making navigation simpler.

Among the new enhancements, the redesigned File Explorer now features a modern home page powered by WinUI, which integrates the Fluent Design System into all controls and styles.

The modern Windows 11 File Explorer (Source: BleepingComputer)

For those logged into Windows using an Azure Active Directory (AAD) account, recommended files will appear in a carousel with the soon-to-be-introduced support for file thumbnails.

Quick Access folders, Favorites, and Recent sections also get a visual overhaul, providing a seamless, contemporary user experience.

The new File Explorer has an updated address bar that can distinguish between local and cloud folders, displaying built-in status. Particularly for OneDrive users, the address bar will also indicate your OneDrive sync status and provide a flyout for your quota.

Another exciting introduction is the modernized details pane (accessed by ALT + Shift + P). This pane offers a variety of contextual information about selected files, including file thumbnails, share status, file activity, related files and emails, and more.

This new feature enhances the user's ability to manage and collaborate on files without opening them.

A new Gallery View

Microsoft is also introducing the Gallery, a new feature in File Explorer designed to simplify access to your photo collection. The photos displayed in the Gallery are the same ones you'd see in the 'All Photos' view of the Photos app.

New File Explorer Gallery view (Source: BleepingComputer)

The new gallery is optimized to showcase your most recent photos, and if you have the OneDrive Camera Roll Backup set up, photos you take will automatically appear at the top of the view.

Users can choose which folders appear in the Gallery and can even add subfolders to filter specific content.

Overall, the modernized File Explorer on Windows 11 breathes new life into a tool that is central to users' daily interactions with their computers.

From smart address bars to detailed file insights and easy photo access, the update greatly enhances user experience, making file management easier and more efficient.

If you want to test the new File Explorer yourself, you can install the Windows Insider Beta, Dev, and Canary preview builds.

Researcher Exposes Cryptocurrency Scam Network of 300 Domains

By Habiba Rashid

A new investigation by cybersecurity researcher Jeremiah Fowler from VPNmentor reveals an elaborate cryptocurrency scam that employs over 300 fake websites to steal funds from unsuspecting victims and lure new investors.

This is a post from HackRead.com. Read the original post: Researcher Exposes Cryptocurrency Scam Network of 300 Domains

PoC released for critical Citrix ADC 0-day flaw – CVE-2023-3519

A proof-of-concept (PoC) for CVE-2023-3519, a critical vulnerability in Citrix ADC that allows remote code execution, has been published last weekend. CVE-2023-3519 is not simply another item in an ever-growing list of digital security...

The post PoC released for critical Citrix ADC 0-day flaw – CVE-2023-3519 appeared first on Penetration Testing.

New Malware Campaign Targets Inexperienced Cyber Criminals with OpenBullet Configs

A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information. Bot mitigation company Kasada said the activity is designed to "exploit trusted criminal networks," describing it as an instance of advanced threat actors "

North Korea compromised Russian missile engineering firm NPO Mashinostroyeniya

Two North Korea-linked APT groups compromised the infrastructure of the major Russian missile engineering firm NPO Mashinostroyeniya. Cybersecurity firm SentinelOne linked the compromise of the major Russian missile engineering firm NPO Mashinostroyeniya to two different North Korea-linked APT groups. NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash) is a leading Russian manufacturer of missiles and military […]

The post North Korea compromised Russian missile engineering firm NPO Mashinostroyeniya appeared first on Security Affairs.

Colorado warns hackers stole 16 years of public school data

Colorado’s state government has warned students and teachers in the state that hackers may have accessed their personal information — dating back as far as 2004. In a notice on its website, the Colorado Department of Higher Education (CDHE) confirmed it experienced a ransomware incident that saw hackers access and copy data from its systems […]

SANS Teaches Cybersecurity Leadership in Saudi Arabia

Infosecurity learning modules will cover security planning, policy, and leadership.

CVE-2023-3823 & CVE-2023-3824 – PHP Security Vulnerabilities: What You Need to Know

PHP is a popular programming language used to create dynamic web pages. However, like any software, it is not immune to security vulnerabilities. In recent months, two new security vulnerabilities have been discovered in...

The post CVE-2023-3823 & CVE-2023-3824 – PHP Security Vulnerabilities: What You Need to Know appeared first on Penetration Testing.

Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics

The group continues to target SQL servers, adding the Remcos RAT, BatCloak, and Metasploit in an attack that shows advanced obfuscation methods.

Google Play apps with 2.5M installs load ads when screen's off

The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone's screen was off, running down a device's battery.

McAfee's Mobile Research Team discovered the malicious Android apps and reported them to Google as they violated Google Play Store's policies. Google subsequently removed the apps from Android's official store.

The applications were mainly media streaming apps and news aggregators, and the target audience was predominantly Korean. However, the same deceptive tactics could very easily be applied to other app categories and more diverse user demographics.

While these applications are considered adware, they still pose a risk to users as they open the door to potential user profiling risks, exhaust device battery life, consume significant internet data, and perpetrate fraud against advertisers.

Some of the affected Android apps (Source: McAfee)

Hiding in Google Play

McAfee's report says the adware was hidden in Google Play apps that impersonated the TV/DMB Player, Music Downloader, News, and Calendar applications.

Once installed on the device, the adware apps wait several weeks before activating their ad-fraud activity to deceive the users and evade detection by Google reviewers.

McAfee says the adware’s configuration can be remotely modified and updated via Firebase Storage or Messaging, so its operators can adjust the period of dormancy and other parameters.

The idleness latency configuration (Source: McAfee)

Android utilizes a power-saving feature that puts an app into standby mode when a device is not being used, preventing it from running in the background and utilizing CPU, memory, and network resources.

When the malicious adware apps are installed, users will be prompted to add them as an exclusion to Android's power-saving system, allowing the malicious apps to run in the background.

This exclusion allows the adware apps to fetch and load advertisements even when the device's screen is off, fraudulently generating revenue and giving the users no apparent way to realize what is happening.

Traffic is exchanged in the background while the device screen is off (Source: McAfee)

McAfee comments that it might be possible for users to briefly glimpse the loaded ads when they turn on a device's screen before they are automatically closed.

However, the most solid indicator of compromise remains an inexplicably high battery consumption while the device is idle.

To check which apps consume the most energy on your Android device, head to "Settings → Battery → Battery Usage," where "total" and "background" usage are indicated.

McAfee says that the adware apps also request permission to draw over other apps, typically used by banking trojans that overlay phishing pages on top of legitimate e-banking apps; however, no phishing behavior was observed in this case.

Android users are advised to always read reviews before installing apps and to scrutinize requested permissions while installing new apps before allowing them to install.

Colorado Dept. of Higher Education Hit With Massive Data Breach

Last week, the department uncovered a data breach that occurred back in June stemming from what it deems to be a cybersecurity ransomware incident.
