Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic.

In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions with a previously undetected framework dubbed CommonMagic.

Researchers believe that threat actors use spear phishing as an initial attack vector, the messages include an URL pointing to a ZIP archive hosted on a web server under the control of the attackers. The archive contained two files, a decoy document (i.e. PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (i.e., .pdf.lnk) used to start the infection and deploy the PowerMagic backdoor.

Kaspersky attributes the attack to a new APT group operating in the area of Russo-Ukrainian conflict and tracked as Bad magic.

The experts noticed that TTPs observed during this campaign have no direct link to any known campaigns.

PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by C2, then it exfiltrates data to cloud services like Dropbox and Microsoft OneDrive.

“When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky.

The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework.

Each module of the CommonMagic framework is used to perform a certain task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, and executing plugins.

Kaspersky analyzed two plugins respectively used to capture screenshots every three seconds and collects the contents of the files with the following extensions from connected USB devices: .doc, .docx. .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.

“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors.” concludes the report. “However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CommonMagic)

The post New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict appeared first on Security Affairs.

In a sudden turn of events, Baphomet, the current administrator of BreachForums, said in an update on March 21, 2023, that the hacking forum has been officially taken down but emphasized that "it's not the end." "You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all," Baphomet noted in a message posted on the BreachForums Telegram

The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia. The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade "network-based forms of detection." REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity

The NuGet repository is the target of a new "sophisticated and highly-malicious attack" aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. "The packages contained a PowerShell script that would execute upon installation and trigger a download of a '

US health services company Independent Living Systems (ILS) discloses a data breach that impacted more than 4 million individuals.

US health services company Independent Living Systems (ILS) disclosed a data breach that exposed personal and medical information for more than 4 million individuals.

Independent Living Systems, offers a comprehensive range of turnkey payer services including clinical and third-party administrative services to managed care organizations and providers.

ILS provides assistance beyond the clinical realm at every stage of care from hospitalization to the treatment of chronic illnesses to personalized care management including nutritional support.

The company provides its services to over 4.2 million individuals.

“On July 5, 2022, we experienced an incident involving the inaccessibility of certain computer systems on our network. We responded to the incident immediately and began an investigation with the assistance of outside cybersecurity specialists. Through our response efforts, we learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022.” reads the Notice of Data breach published by the company. “During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.“

The security breach was discovered on July 5, 2022, when some of the systems at the company became inaccessible. This circumstance suggests that the systems were infected with ransomware. The company launched an investigation into the incident with the support of external cybersecurity experts. The investigation revealed that between June 30 and July 5, threat actors had access to certain systems.

The notice of data breach states that the types of impacted information varies by individual and could have included, name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information.

The company is notifying the impacted individuals via letters.

ILS also informed the relevant authorities, including the Maine Attorney General’s office, which reported that the data breach impacted 4,226,508 individuals. The Maine Attorney General’s office reported that the data breach occurred on June 3, 2022.

The company offers, for free, to the impacted individuals 12 months, Experian, credit monitoring and restoration services.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Independent Living Systems)

The post Independent Living Systems data breach impacts more than 4M individuals appeared first on Security Affairs.

Baphomet, the current administrator of BreachForums, announced that the popular hacking forum has been officially taken down.

U.S. law enforcement arrested last week a US man that goes online with the moniker “Pompompurin,” the US citizen is accused to be the owner of the popular hacking forum BreachForums. 

The news of the arrest was first reported by Bloomberg, which reported that federal agents arrested Conor Brian Fitzpatrick from Peekskill, New York.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices.

The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET.

pompompurin always confirmed that he was ‘not affiliated with RaidForums in any capacity,’

The law enforcement authorities have yet to shut down the website, while another admin of the forum that goes online with the alias “Baphomet” announced that he is taking the control of the platform.

Baphomet initially added that he believes that the feds haven’t had access to the infrastructure.

On March 21, 2023, Baphomet, which is the current administrator of BreachForums, announced that the hacking forum has been officially taken down.

The decision to shut down the forum is the response of the administrator to the increasing pressure by law enforcement. He likely suspected that the feds have gained access to the site’s components taking over it.

Baphomet also added that “it’s not the end” of the forums, he is likely planning to launch a new platform in the future.

“Hello everyone. Please consider this the final update for Breached. I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is. I want to make it clear, that while this initial announcement is not positive, it’s not the end. I’m going to setup another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all.” reads the last message published by Baphomet. “As stated in the attached message please give me 24 hours to get some rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere. Please see my final confirmation of this here: http://baph.is/finalupdate.txt.asc“

We cannot exclude that Baphomet can launch a new platform or work with competitor marketplaces.

“Interestingly, he stated that the Telegram channel would maintain operation and that he was looking to create new infrastructure which would replace BreachForum even working with competitor marketplaces. As of writing, the onion site has been taken down and is unreachable.” reported Darkowl.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BreachForums)

The post BreachForums current Admin Baphomet shuts down BreachForums appeared first on Security Affairs.

Active Directory (AD) is a powerful authentication and directory service used by organizations worldwide. With this ubiquity and power comes the potential for abuse. Insider threats offer some of the most potentials for destruction. Many internal users have over-provisioned access and visibility into the internal network. Insiders' level of access and trust in a network leads to unique

The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware onto targeted machines. According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the development is illustrative of the group's continuous efforts to refine and retool its tactics

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released eight Industrial Control Systems (ICS) advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. This includes 13 security vulnerabilities in Delta Electronics' InfraSuite Device Master, a real-time device monitoring software. All versions prior to 1.0.5 are

The European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape report for the transport sector.

A new report published by the European Union Agency for Cybersecurity (ENISA) analyzes threats and incidents in the transport sector. The report covers incidents in aviation, maritime, railway, and road transport industries between January 2021 and October 2022.

The report provides a detailed analysis of the prime threats to the transport sector, the threat actors and related motivations.

During the period covered by the report, the expert identified the following prime threats:

• ransomware attacks (38%),
• data related threats (30%),
• malware (17%),
• denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks (16%),
• phishing / spear phishing (10%),
• supply-chain attacks (10%).

During the reporting period, ransomware was the most prominent threat against the sector in 2022. The researchers pointed out that the ransomware attacks doubled compared to the previous year. Threat actors behind ransomware attacks are not exclusively financially-motivated.

Nation-state actors, cybercriminals, and hacktivists, are the threat actors with the biggest impact on the organizations in the sector.

Most of the attacks on the transport sector (54%) are carried out by cybercriminals.

The report warns that hacktivist activity targeting the transport sector, including DDoS attacks, is likely to continue. Airports, railways and transport authorities are privileged targets of hacktivists.

The good news is that ENISA experts did not receive reliable information on a cyberattack affecting the safety of transport.

The researchers also warn that future Ransomware attacks will likely target and disrupt OT operations.

“The majority of attacks on the transport sector target information technology (IT) systems. Operational
disruptions can occur as a consequence of these attacks, but the operational technology (OT) systems are
rarely being targeted.” states the report. “Ransomware groups will likely target and disrupt OT operations in the foreseeable future.”

The aviation sector is facing multiple threats, with ransomware and malware attacks and data-related threats being the most prominent threats. Experts warn of the number of ransomware
attacks targeting airports and rogue websites impersonating airlines used by scammers in 2022.

“Transport is a key sector of our economy that we depend on in both our personal and professional lives. Understanding the distribution of cyber threats, motivations, trends and patterns as well as their potential impact, is crucial if we want to improve the cybersecurity of the critical infrastructures involved.” said Juhan Lepassaar, EU Agency for Cybersecurity Executive Director.

Let me suggest the reading of the report that is available here:

https://www.enisa.europa.eu/publications/enisa-transport-threat-landscape

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, transport sector)

The post ENISA: Ransomware became a prominent threat against the transport sector in 2022 appeared first on Security Affairs.

Cisco Talos researchers published PoC exploits for vulnerabilities in Netgear Orbi 750 series router and extender satellites.

Netgear Orbi is a line of mesh Wi-Fi systems designed to provide high-speed, reliable Wi-Fi coverage throughout a home or business. The Orbi system consists of a main router and one or more satellite units that work together to create a seamless Wi-Fi network that can cover a large area with consistent, high-speed Wi-Fi.

One of the key benefits of the Orbi system is its use of mesh networking technology, which allows the satellite units to communicate with the main router and with each other to provide strong Wi-Fi coverage throughout the home or business.

Cisco worked with Netgeat to solve the issues and is disclosing them according to its 90-day timeline outlined in Cisco’s vulnerability disclosure policy.

Cisco Talos researchers published Proof-of-concept (PoC) exploits for multiple vulnerabilities in Netgear’s Orbi 750 series router and extender satellites.

The experts discovered four vulnerabilities in the Netgear Orbi mesh wireless system, the most critical one is a critical remote code vulnerability, tracked as CVE-2022-37337 (CVSS v3.1: 9.1), that resides in the access control functionality of the Netgear Orbi router.

“A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5.” states Talos. “An attacker can make an authenticated HTTP request to trigger this vulnerability.”

A threat actor can exploit the flaw by sending a specially crafted HTTP request.

“Talos discovered a vulnerability in the Orbi Satellite — TALOS-2022-1596 (CVE-2022-37337) — that could lead to arbitrary command execution on the device. The user needs to authenticate into the mesh system first, meaning they’d need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful. Then, the adversary needs to send a specially crafted HTTP request to trigger the vulnerability.” reads the advisory published by Cisco Talos.

Cisco published a Proof of Concept exploit for this issue:

Below is the timeline for this issue that was reported by Dave McDaniel of Cisco Talos:

2022-08-30 – Initial Vendor Contact
2022-09-05 – Vendor Disclosure
2023-01-19 – Vendor Patch Release
2023-03-21 – Public Release

Another two issues discovered by the researchers are respectively tracked TALOS-2022-1595 (CVE-2022-38452) and TALOS-2022-1597 (CVE-2022-36429). The flaws impacts the main Orbi router, their exploitation can lead to arbitrary command execution if the attacker sends a specially crafted network request or JSON object, respectively.

The last flaw discovered by Talos is tracked as TALOS-2022-1598 (CVE-2022-38458), an attacker can exploit these flaws to carry out a man-in-the-middle attack to trick the service’s Web Services Management tool into disclosing sensitive information.

Netgear addressed the flaws with the release of the firmware version 4.6.14.3 on January 19, 2023.

The security firm is not aware of attacks in the wild exploiting these flaws.

“Users are encouraged to update these affected products as soon as possible: Netgear Orbi Satellite RBS750, version 4.6.8.5. Talos tested and confirmed these versions of the Orbi system could be exploited by these vulnerabilities.” concludes the advisory.

The company also released Snort rules (60474 – 60477 and 60499) to detect exploitation attempts against this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Netgear Orbi)

The post Experts released PoC exploits for severe flaws in Netgear Orbi routers appeared first on Security Affairs.

A tainted version of the legitimate ChatGPT extension for Chrome, designed to steal Facebook accounts, has thousands of downloads.

Guardio’s security team uncovered a new variant of a malicious Chat-GPT Chrome Extension that was already downloaded by thousands a day.

The version employed in a recent campaign is based on a legitimate open-source project, threat actors added malicious code to steal Facebook accounts.

The legitimate extension is named “ChatGPT for Google” and allows the integration of ChatGPT on search results.

The new malicious Chrome Extension is distributed since March 14, 2023, through sponsored Google search results and uploaded to the official Chrome Store. Experts noticed that it was first uploaded to the Chrome Web Store on February 14, 2023.

According to the researchers, it is able to steal Facebook session cookies and compromise accounts in masses.

“The new variant of the FakeGPT Chrome extension, titled “Chat GPT For Google”, is once again targeting your Facebook accounts under a cover of a ChatGPT integration for your Browser.” reads the post published by Guardio Labs. “This time, threat actors didn’t have to work hard on the look and feel of this malicious ChatGPT-themed extension — they just forked and edited a well-known open-source project that does exactly that. From zero to “hero” in probably less than 2 minutes.”

Netizens searching for “Chat GPT 4” because interested in testing the new algorithm of the latest version of the popular chatbot, end up clicking on a sponsored search result. The link redirects victims to a landing page offering the ChatGPT extension from the official Chrome Store. The extension will give users access to ChatGPT from the search results, but will also compromise their Facebook account.

Once the victim installed the extension, the malicious code uses the OnInstalled handler function to steal Facebook session cookies. Then attackers use stolen cookies to log in to the victim’s Facebook account and take over it.

The malicious code uses the Chrome Extension API to collect a list of cookies used by Facebook and encrypts them with the AES using the key “chatgpt4google.”

The collected cookies are sent to the attackers’ server via a GET request.

“The cookies list is encrypted with AES and attached to the X-Cached-Key HTTP header value. This technique is used here to try and sneak the cookies out without any DPI (Deep Packet Inspection) mechanisms raising alerts on the packet payload (which is why it is encrypted as well).” continues the report. “Only note that there is no X-Cached-Key Header in the HTTP protocol! There is aX-Cache-Key header (without the ‘d’) used for responses, not requests.”

Guardio researchers reported their findings to Google which quickly removed the extension from the Chrome store. At the time of removal, the malicious extension was installed by more than 9000 users.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

The post Rogue ChatGPT extension FakeGPT hijacked Facebook accounts appeared first on Security Affairs.

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.

In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device.

Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborating further. The highly technical writeup also did not name the malicious app in question.

On Feb. 28, 2023, researchers at the Chinese security firm DarkNavy published a blog post purporting to show evidence that a major Chinese ecommerce company’s app was using this same three-exploit chain to read user data stored by other apps on the affected device, and to make its app nearly impossible to remove.

DarkNavy likewise did not name the app they said was responsible for the attacks. In fact, the researchers took care to redact the name of the app from multiple code screenshots published in their writeup. DarkNavy did not respond to requests for clarification.

“At present, a large number of end users have complained on multiple social platforms,” reads a translated version of the DarkNavy blog post. “The app has problems such as inexplicable installation, privacy leakage, and inability to uninstall.”

On March 3, 2023, a denizen of the now-defunct cybercrime community BreachForums posted a thread which noted that a unique component of the malicious app code highlighted by DarkNavy also was found in the ecommerce application whose name was apparently redacted from the DarkNavy analysis: Pinduoduo.

On March 4, 2023, e-commerce expert Liu Huafang posted on the Chinese social media network Weibo that Pinduoduo’s app was using security vulnerabilities to gain market share by stealing user data from its competitors. That Weibo post has since been deleted.

On March 7, the newly created Github account Davinci1010 published a technical analysis claiming that until recently Pinduoduo’s source code included a “backdoor,” a hacking term used to describe code that allows an adversary to remotely and secretly connect to a compromised system at will.

That analysis includes links to archived versions of Pinduoduo’s app released before March 5 (version 6.50 and lower), which is when Davinci1010 says a new version of the app removed the malicious code.

Pinduoduo has not yet responded to requests for comment. Pinduoduo parent company PDD Holdings told Reuters Google has not shared details about why it suspended the app.

The company told CNN that it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google,” and said there were “several apps that have been suspended from Google Play at the same time.”

Pinduoduo is among China’s most popular e-commerce platforms, boasting approximately 900 million monthly active users.

Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store — Google Play.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” a Google spokesperson said in a statement to Reuters, adding that the Play version of the app has been suspended for security concerns.

However, Google Play is not available to consumers in China. As a result, the app will still be available via other mobile app stores catering to the Chinese market — including those operated by Huawei, Oppo, Tencent and VIVO.

Google said its ban did not affect the PDD Holdings app Temu, which is an online shopping platform in the United States. According to The Washington Post, four of the Apple App Store’s 10 most-downloaded free apps are owned by Chinese companies, including Temu and the social media network TikTok.

The Pinduoduo suspension comes as lawmakers in Congress this week are gearing up to grill the CEO of TikTok over national security concerns. TikTok, which is owned by Beijing-based ByteDance, said last month that it now has roughly 150 million monthly active users in the United States.

A new cybersecurity strategy released earlier this month by the Biden administration singled out China as the greatest cyber threat to the U.S. and Western interests. The strategy says China now presents the “broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

Entertainment industry giant Lionsgate leaked users’ IP addresses and information about what content they watch on its movie-streaming platform, according to research from Cybernews.

Original post at https://cybernews.com/security/lionsgate-data-leak/

During their investigation, our researchers discovered that the video-streaming platform Lionsgate Play had leaked user data through an open ElasticSearch instance.

The Cybernews research team discovered an unprotected 20GB of server logs that contained nearly 30 million entries, with the oldest dated May 2022. The logs exposed subscribers’ IP addresses and user data concerning device, operating system, and web browser.

Logs also leaked the platform’s usage data, typically used for analytics and performance tracking. URLs found in logs contained titles and IDs of what content users watched on the platform, along with search queries entered by the users.

Researchers also found unidentified hashes with logged HTTP GET requests, records of requests made by clients that are usually used to get data from a web server: when these requests are made, they get stored in log files on the server.

Researchers could not determine the exact purpose or usage of the hashes. However, the hashes all containing more than 156 characters indicates they were intended to remain unchanged for long periods of time.

“Hashes didn’t match any commonly used hashing algorithms. Since these hashes were included in the HTTP requests, we believe they could have been used as secrets for authentication, or just user IDs,” said researchers.

Cybernews reached out to Lionsgate about the leak, and the company responded by closing an open instance. However, at the time of writing, it has yet to provide an official response.

Big hitter at risk

Lionsgate Entertainment Corporation, the Canadian-American entertainment company operating the platform, owns several well-known movie and TV franchises that have gained worldwide recognition, including Twilight Saga, Saw, Terminator, The Hunger Games, and The Divergent Series.

While Netflix stays at the top of all streaming platforms with over 230 million subscribers, Lionsgate has over 37 million global subscribers and generated $3.6 billion in revenue last year.

Accelerated by COVID-19, the popularity of online streaming platforms has been growing. In 2022, the subscription rates to video-on-demand platforms reached 83% in the US, showing an increase of more than 30% during eight years.

But, as the number of users on platforms increases, they are becoming a tempting target for cybercriminals. Even minor security loopholes might cause serious damage, yet security is often overlooked. The research by Cybernews is a stellar example of this tendency.

Data could aid cyberattacks

“With the growing number of new streaming services, we can see that the risk of misconfigurations and data breaches also grows,” said Cybernews researchers.

According to them, the leaked information in this particular case is not typically shared in hacker communities. Nevertheless, it is still sensitive.

“It can be useful in targeted attacks, especially when combined with other leaked or publicly available information,” researchers explained.

The combination of users’ IP addresses and device data can be exploited by malicious actors to create targeted attacks against them, delivering harmful payloads to their devices.

User agents could have provided attackers insight into what operating system or services the user is running, helping crooks to identify potential vulnerabilities that can be exploited for malicious purposes.

User agents are information about a user’s device operating system, browser, and sometimes screen resolution and size. They also help ensure that a webpage is displayed correctly on a device.

“Threat actors can cross-reference a user’s search queries and viewed content with their IP address to build a more comprehensive profile of the individual,” researchers said.

Along with usage data, threat actors can identify patterns of behaviour and potentially use this information to craft more accurate, targeted phishing attacks aimed at stealing personal information.

If you want to know about other streaming platforms affected by data leaks give a look at the original post at https://cybernews.com/security/lionsgate-data-leak/

About the author: Paulina Okunytė, Journalist at Cybernews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lionsgate)

The post <strong>Lionsgate streaming platform with 37m subscribers leaks user data</strong> appeared first on Security Affairs.

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service (NIS). The intrusions are

Telecommunication providers in the Middle East are the subject of new cyber attacks that commenced in the first quarter of 2023. The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell based on tooling overlaps. "The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy

In 2022 alone, global cyberattacks increased by 38%, resulting in substantial business loss, including financial and reputational damage. Meanwhile, corporate security budgets have risen significantly because of the growing sophistication of attacks and the number of cybersecurity solutions introduced into the market. With this rise in threats, budgets, and solutions, how prepared are industries

On the first day of Pwn2Own Vancouver 2023, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day flaws.

The Pwn2Own Vancouver 2023 has begun, this hacking competition has 19 entries targeting nine different targets – including two Tesla attempts.

On the first day of the event, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day vulnerabilities demonstrated by the participants.

That wraps up the first day of #P2OVancouver 2023! We awarded $375,000 (and a Tesla Model 3!) for 12 zero-days during the first day of the contest. Stay tuned for day two of the contest tomorrow! #Pwn2Own pic.twitter.com/UTvzqxmi8E

— Zero Day Initiative (@thezdi) March 22, 2023

The first hack of the day was performed by the AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa), who demonstrated a zero-day attack against Adobe Reader in the Enterprise Applications category. Hariri earned $50,000 and 5 Master of Pwn points.

One of the most interesting attacks was conducted by the Singapore team STAR Labs (@starlabs_sg), they successfully targeted Microsoft SharePoint in the Server category earning $100,000 and 10 Master of Pwn points.

The STAR Labs team also hacked Ubuntu Desktop with a previously known exploit earning $15,000 and 1.5 Master of Pwn points.

Bien Pham (@bienpnn) from Qrious Security (@qriousec) exploited an OOB Read and a stacked-based buffer overflow against Oracle VirtualBox. He earned $40,000 and 4 Master of Pwn points.

Then the researcher Marcin Wiązowski exploited an improper input validation issue to elevate privileges on Windows 11. He earned $30,000 and 3 Master of Pwn points.

The team of the offensive security company Synacktiv (@Synacktiv) demonstrated a TOCTOU (time-of-check to time-of-use) attack against Tesla – Gateway. They earned $100,000 and 10 Master of Pwn points and a Tesla Model 3. The same team also exploited a TOCTOU bug to escalate privileges on Apple macOS earning $40,000 and 4 Master of Pwn points.

The only failed attempt of the day was of last_minute_pwnie which attempted to demonstrate an Ubuntu exploit.

The Pwn2Own Vancouver 2023 continues … stay tuned!

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Vancouver 2023)

The post Pwn2Own Vancouver 2023 Day 1: Windows 11 and Tesla hacked appeared first on Security Affairs.

An emerging Android banking trojan dubbed Nexus has already been adopted by several threat actors to target 450 financial applications and conduct fraud. "Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy said in a report published this week. "Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and

Dole Food Company confirmed that threat actors behind the recent ransomware attack had access to employees’ data.

Dole Food Company is an Irish agricultural multinational corporation, it is one of the world’s largest producers of fruit and vegetables, operating with 38,500 full-time and seasonal employees who supply some 300 products in 75 countries. Dole reported 2021 revenues of $6.5 billion.

In February, the company announced that it has suffered a ransomware attack that impacted its operations. At the time of the disclosure, the company did not provide details about the attack.

“Dole plc (DOLE:NYSE) announced today that the company recently experienced a cybersecurity incident that has been identified as ransomware.” reads a notice published by the company. “Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems.”

Now Dole Food Company has confirmed threat actors behind the February ransomware attack had access to the information of an undisclosed number of employees.

“We have in the past experienced, and may in the future face, cybersecurity incidents. In February of 2023, we were the victim of a sophisticated ransomware attack involving unauthorized access to employee information.” reads the annual report filed with the U.S. Securities and Exchange Commission (SEC). “Upon detecting the attack, we promptly took steps to contain the attack, retained the services of leading third-party cybersecurity experts and notified law enforcement. The February 2023 attack had a limited impact on our operations.”

In February the company revealed that the attack had a limited impact on its operations.

“Upon detecting the attack, we promptly took steps to contain the attack, retained the services of leading third-party cybersecurity experts and notified law enforcement. The February 2023 attack had a limited impact on our operations.” continues the report.

Despite the company denying a huge impact on its operations, it was forced to shut down production plants across North America.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dole Food Company)

The post Dole discloses data breach after February ransomware attack appeared first on Security Affairs.

Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications.

Cybersecurity firm experts from Cleafy warn of an emerging Android banking trojan, named Nexus, that was employed by multiple groups in attacks against 450 financial applications.

The Nexus ransomware was first analyzed in early March by researchers from the threat intelligence firm Cyble.

Nexus is available via a Malware-as-a-Service (MaaS) subscription and is advertised on underground forums or through private channels (e.g., Telegram) since January 2023.

It was available for rent at a price of $3000 per month.

However, Cleafy’s Threat Intelligence & Response Team reported having detected the first Nexus infections in June 2022, months before the MaaS was publicly advertised.

Experts believe that the Nexus Trojan is early stages of development despite multiple campaigns are actively using it in the wild.

“Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception. It also provides a built-in list of injections against 450 financial applications.” reads the analysis published by Cleafy.

The authors claim that Nexus has been entirely written from scratch, but the researchers found similarities between Nexus and the SOVA banking trojan, which appeared on the threat landscape in August 2021.

Like other malware, Nexus doesn’t infect systems located in Russia and CIS countries.

The Nexus Trojan can target multiple banking and cryptocurrency in an attempt to take over customers’ accounts. It relies on overlay attacks and keylogging features to capture customers’ credentials.

The malware also supports features to bypass two-factor authentication (2FA) using both SMSs or the Google Authenticator app by abusing of Android’s accessibility services.

The Android Trojan also supports a mechanism for auto-update.

The analysis of various samples revealed that the malware is equipped with encryption capabilities which appear to be under development due to the presence of debugging strings and the lack of usage references.

“As always, the main question here is: Does it represent a threat to Android users? At the time of writing, the absence of a VNC module limits its action range and its capabilities; however, according to the infection rate retrieved from multiple C2 panels, Nexus is a real threat that is capable of infecting hundreds of devices around the world.” concludes the report. “Because of that, we cannot exclude that it will be ready to take the stage in the next few months.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Nexus, an emerging Android banking Trojan targets 450 financial apps appeared first on Security Affairs.

Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts. The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally

Cisco addressed tens of vulnerabilities in its IOS and IOS XE software, six of these issues have been rated ‘high severity’.

Cisco published the March 2023 Semiannual IOS and IOS XE Software Security Advisory that addresses several vulnerabilities in IOS and IOS XE software.

Below is the list of flaws addressed by the IT giant in this bundled publication:

Cisco Security Advisory	CVE ID	Security Impact Rating	CVSS Base Score
Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability	CVE-2023-20080	High	8.6
Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability	CVE-2023-20072	High	8.6
Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability	CVE-2023-20027	High	8.6
Cisco IOS XE SD-WAN Software Command Injection Vulnerability	CVE-2023-20035	High	7.8
Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability	CVE-2023-20065	High	7.8
Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability	CVE-2023-20067	High	7.4
Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability	CVE-2023-20081	Medium	6.8
Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability	CVE-2023-20100	Medium	6.8
Cisco IOS XE Software Web UI Path Traversal Vulnerability	CVE-2023-20066	Medium	6.5
Cisco IOS XE Software Privilege Escalation Vulnerability	CVE-2023-20029	Medium	4.4

The most important severe vulnerabilities addressed by the company are:

CVE-2023-20080 (CVSS score 8.6) – Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability. An unauthenticated, remote attacker can trigger the flaw to cause DoS condition.

“This vulnerability is due to insufficient validation of data boundaries. An attacker could exploit this vulnerability by sending crafted DHCPv6 messages to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly.” reads the advisory.

CVE-2023-20072 (CVSS score 8.6) – Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability. An unauthenticated, remote attacker can trigger the flaw to cause an affected system to reload, resulting in a denial of service (DoS) condition.

“This vulnerability is due to the improper handling of large fragmented tunnel protocol packets. One example of a tunnel protocol is Generic Routing Encapsulation (GRE). An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system.” reads the advisory. “A successful exploit could allow the attacker to cause the affected system to reload, resulting in a DoS condition.”

CVE-2023-20027 (CVSS score 8.6) – Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability. An unauthenticated, remote attacker can exploit this vulnerability to cause a denial of service (DoS) condition on a vulnerable device.

“This vulnerability is due to improper reassembly of large packets that occurs when VFR is enabled on either a tunnel interface or on a physical interface that is configured with a maximum transmission unit (MTU) greater than 4,615 bytes. An attacker could exploit this vulnerability by sending fragmented packets through a VFR-enabled interface on an affected device.” reads the advisory. “A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.”

Cisco also addressed an IOS XE SD-WAN software command injection vulnerability tracked as CVE-2023-20035 (CVSS Score 7.8) and an IOS XE Software IOx Application Hosting Environment privilege escalation vulnerability tracked as CVE-2023-20065 (CVSS Score 7.8).

The good news is that the company is not aware of attacks in the wild exploiting one of the flaws addressed with the release of semiannual IOS and IOS XE software security advisory bundle.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, IOS XE)

The post Cisco fixed multiple severe vulnerabilities in its IOS and IOS XE software appeared first on Security Affairs.

Researchers released a PoC exploit code for a high-severity vulnerability in Veeam Backup & Replication (VBR) software.

Veeam recently addressed a high-severity flaw, tracked as CVE-2023-27532, in Veeam Backup and Replication (VBR) software. An unauthenticated user with access to the Veeam backup service (TCP 9401 by default) can exploit the flaw to request cleartext credentials.

A remote attacker can exploit the flaw to access the backup systems of a target organization and execute arbitrary code as ‘SYSTEM.’

“Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database.” reads the advisory published by the vendor. “This may lead to an attacker gaining access to the backup infrastructure hosts.”

The company addressed the flaw with the release of Veeam Backup & Replication build numbers:

• 12 (build 12.0.0.1420 P20230223)
• 11a (build 11.0.1.1261 P20230227)

The researchers at Horizon3’s Attack Team published technical details for this vulnerability along with a PoC exploit code.

The researchers performed reverse engineering of Veeam’s Backup Service, they focused on the port used by the Veeam backup service.

The researchers discovered that is possible to abuse an unsecured API endpoint to retrieve credentials in plaintext from the VBR configuration database.

This is made possible by the great prior research of @HuntressLabs, @Y4er_ChaBug, @codewhitesec!

— Horizon3 Attack Team (@Horizon3Attack) March 23, 2023

​“We have examined the vulnerable port, reverse engineered the Veeam Backup Service, and constructed a WCF client using .NET core. We have also shown how to extract credentials from the Veeam database by invoking the CredentialsDbScopeGetAllCreds and CredentialsDbScopeFindCredentials endpoints. Finally, we have released our POC on Github, which is built on .NET core and capable of running on Linux, making it accessible to a wider audience.” reads the analysis published by the experts. “It is important to note that this vulnerability should be taken seriously and patches should be applied as soon as possible to ensure the security of your organization.”

The researchers explained that their work is based on the “great prior research” conducted by researchers from HuntressLabs, @CODE WHITE GmbH, and Y4er_ChaBug.

Veeam Backup & Replication CVE-2023-27532 Response (By HuntressLabs)

Huntress researchers reported that on their install base composed of 2 million devices, they uncovered 7,500 hosts with a vulnerable version of the Veeam Backup & Replication service present.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Backup & Replication)

The post Experts published PoC exploit code for Veeam Backup & Replication bug appeared first on Security Affairs.

South Korean beauty content platform, PowderRoom, has leaked the personal information of nearly one million people.

• Established in 2003, PowderRoom is a South Korean beauty content platform connecting 3.5 million members and thousands of beauty brands
• It calls itself the first and the biggest beauty community in South Korea that “allows you to experience new brand products faster than anyone else and share the experience”
• It exposed up to a million users’ full names, phone numbers, emails, Instagram usernames and home addresses
• The database was publicly available for over a year
• Attackers could have exploited the data to launch phishing and device hijacking attacks, make unauthorized purchases, and stalk users
• Cybernews reached out to PowderRoom and the Korean National Computer Emergency Response Team, and the data was secured

The Cybernews research team discovered that the South Korean social platform, powderroom.co.kr – which markets itself as the nation’s biggest beauty community – was leaking the private data of a million users.

The platform exposed full names, phone numbers, emails, Instagram usernames, and even home addresses. Researchers estimate that the database was publicly available for over a year.

Backed by beauty-product manufacturers, PowderRoom has hundreds of thousands of followers on social media, and its Android app has been downloaded more than 100,000 times on Google Play.

On the platform, users can review beauty products while being encouraged to actively participate and receive perks.

Personal data leaked

On December 15, researchers found a publicly accessible database with nearly 140GB of data. Some server logs included entries containing personal information, such as names, phone numbers, and home addresses, along with metadata about user devices and browsers used to access the site. The dataset included over a million email addresses.

Among the leaked data, researchers found a million tokens used for authentication and accessing the website.

Abusing them, threat actors could hijack user accounts and purchase products on the platform using the payment methods linked with the account. Additionally, attackers could modify account details, and post comments and reviews.

Leaking home addresses and phone numbers is a cause of concern, since exposing such information might lead to in-person stalking or harassment of the users of the platform.

If you want to know how to protect yourself, give a look at the original post at: https://cybernews.com/security/powder-room-data-leak/

Update March 25, 2024

Below is the message sent by PowderRoom CEO to clarify some points:

The issue was solved on March 3rd.

1. You mentioned that our customer information cannot cause a purchase.

We don’t have card and payment information and so “unauthorized purchases” are not impossible.
2. Also, I’d like you to exclude any mention of speculative damage that can be used for crimes such as stalking.
3. There is a difference in the number of members we have.

There are about 200,000 people who have personal information and have logged in at least once.
Therefore, 1 million number might be login auth token number. so the title we hope the title “A million at risk from user data leak at Korean beauty platform gets changed

Thank you again for pointing out that we can resolve security.
We will also strengthen the security system with the cooperation of the Korean security agency.

About the author: Paulina Okunytė, Journalist at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PowderRoom)

The post Hundreds of thousands of users at risk from data leak at Korean beauty platform PowderRoom appeared first on Security Affairs.

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. Put differently, the issue could permit

A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a

Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or

On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities.

On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities, bringing the total awarded to $850,000!

The bug hunters demonstrated zero-day attacks against the Oracle VirtualBox virtualization platform, Microsoft Teams, Tesla Model 3, and the Ubuntu Desktop OS.

The day began with the success/collision achieved by Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) from Synacktiv (@Synacktiv) demonstrating a 3-bug chain against Oracle VirtualBox with a Host EoP. The success was classified as a “collision” because one of the bugs exploited in the attack was previously known. The due earned $80,000 and 8 Master of Pwn points.

The researchers @hoangnx99, @rskvp93, and @_q5ca from Team Viettel (@vcslab) chained 2 vulnerabilities to hack Microsoft Teams. They earn $75,000 and 8 Master of Pwn points.

Of course, the most interesting attack was conducted by David Berard (@_p0ly_) and Vincent Dehors (@vdehors) from Synacktiv (@Synacktiv) who exploited a heap overflow and an OOB write to hack Tesla – Infotainment Unconfined Root. They qualify for a Tier 2 award, earning $250,000 and 25 Master of Pwn points. The team also won the Tesla Model 3 they have hacked.

The researcher dungdm (@_piers2) of Team Viettel (@vcslab) exploited an uninitialized variable and a UAF bug to hack Oracle VirtualBox. He earned $40,000 and 4 Master of Pwn points.

Tanguy Dubroca (@SidewayRE) from Synacktiv was awarded $30,000 for demonstrating the exploitation of an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop. They earn $30,000 and 3 Master of Pwn points.

“That wraps up Day 2 of Pwn2Own Vancouver 2023! We awarded $475,000 for 10 unique zero-days during the second day of the contest. We’ll continue posting results and videos to Twitter, YouTube, Mastodon, LinkedIn, and Instagram, so follow us on your favorite flavor of social media for the latest news from the event.” concludes the post published ZDI.

On the first day of Pwn2Own Vancouver 2023, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day flaws.

The Pwn2Own Vancouver 2023 continues … stay tuned!

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Vancouver 2023)

The post Pwn2Own Vancouver 2023 Day 2: Microsoft Teams, Oracle VirtualBox, and Tesla hacked appeared first on Security Affairs.