Security News

Google announces V8 Sandbox to protect Chrome users

9 April 2024 at 09:30

Google announced support for a V8 Sandbox in the Chrome web browser to protect users from exploits triggering memory corruption issues.

Google has announced support for what’s called a V8 Sandbox in the Chrome web browser. The company included the V8 Sandbox in Chrome’s Vulnerability Reward Program (VRP). Chrome 123 is a sort of “beta” release for the sandbox, which is designed to mitigate memory corruption issues in the JavaScript engine.

The V8 Sandbox is designed to prevent memory corruption issues that would impact other areas of memory in the process.

Almost every Chrome exploit observed in the wild between 2021 and 2023 triggered a memory corruption issue in a Chrome renderer process that was then exploited for remote code execution (RCE). The majority of these issues (60%) impacted the V8 JavaScript engine.

“V8 vulnerabilities are rarely “classic” memory corruption bugs (use-after-frees, out-of-bounds accesses, etc.) but instead subtle logic issues which can in turn be exploited to corrupt memory. As such, existing memory safety solutions are, for the most part, not applicable to V8.” reads the announcement. “In particular, neither switching to a memory safe language, such as Rust, nor using current or future hardware memory safety features, such as memory tagging, can help with the security challenges faced by V8 today.”

The researchers highlighted that a common thread among nearly all V8 vulnerabilities is that the eventual memory corruption occurs within the V8 heap. This is primarily because the compiler and runtime predominantly deal with V8 HeapObject instances.

To mitigate such vulnerabilities, the researchers devised a technique to isolate V8’s (heap) memory so that memory corruption cannot spread to other parts of the process’s memory.

“The sandbox limits the impact of typical V8 vulnerabilities by restricting the code executed by V8 to a subset of the process’ virtual address space (“the sandbox”), thereby isolating it from the rest of the process. This works purely in software (with options for hardware support, see the respective design document linked below) by effectively converting raw pointers either into offsets from the base of the sandbox or into indices into out-of-sandbox pointer tables. In principle, these mechanisms are very similar to the userland/kernel separation used by modern operating systems (e.g. the unix file descriptor table).” states Google. “The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory inside the sandbox address space as this primitive can be constructed from typical V8 vulnerabilities. Further, it is assumed that an attacker will be able to read memory outside of the sandbox, for example through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. As such, any corruption of memory outside of the sandbox address space is considered a sandbox violation.”

The software-based sandbox replaces data types that can access out-of-sandbox memory with “sandbox-compatible” alternatives.

In the software-based sandbox, only the V8 heap is enclosed within the sandbox. As a result, the overall structure is similar to the sandboxing model employed by WebAssembly.
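As an added illustration (not V8's own code), the following C model shows the two conversions the announcement describes: in-heap pointers become masked offsets from the sandbox base, and out-of-sandbox objects are reached only through an index into a type-tagged external pointer table. The region size, table size and tags are toy values chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the V8 Sandbox design, not V8's own code. Two rules:
 *  1. A pointer stored inside the heap is an offset from the sandbox base and
 *     is masked on use, so whatever value an attacker writes over it still
 *     resolves to an address inside the reserved region.
 *  2. Objects outside the region are reached only by index into a table kept
 *     outside the sandbox, where the index is range- and type-checked.
 * The region here is 1 MiB; the real sandbox reserves 1 TiB of address space.
 */
#define SANDBOX_BITS  20u
#define SANDBOX_SIZE  ((uint64_t)1 << SANDBOX_BITS)
#define OFFSET_MASK   (SANDBOX_SIZE - 1)

static uint8_t *g_sandbox_base;             /* start of the reserved region */
static char g_demo_external[] = "outside";  /* an object living outside it  */

/* Reserve the region once; returns 1 on success. */
int sandbox_init(void) {
    if (g_sandbox_base == NULL)
        g_sandbox_base = calloc(1, (size_t)SANDBOX_SIZE);
    return g_sandbox_base != NULL;
}

/* In-heap pointer representation: an offset, never a raw address. */
typedef uint64_t sandboxed_ptr_t;

/* Decode with a mask (one and, one add): corruption of the field can only
 * redirect the access to another place inside the sandbox. */
void *sandbox_deref(sandboxed_ptr_t p) {
    return g_sandbox_base + (p & OFFSET_MASK);
}

/* 1 if addr lies inside the reserved region. */
int sandbox_contains(const void *addr) {
    const uint8_t *a = addr;
    return a >= g_sandbox_base && a < g_sandbox_base + SANDBOX_SIZE;
}

/* External pointer table, stored outside the sandbox. Heap objects hold
 * only an index and state which tag they expect when they resolve it. */
#define EXT_TABLE_SIZE 16u
typedef enum { TAG_FREE = 0, TAG_STRING_BUF = 1, TAG_FILE = 2 } ext_tag_t;
typedef struct { void *ptr; ext_tag_t tag; } ext_entry_t;
static ext_entry_t g_ext_table[EXT_TABLE_SIZE];

/* Store a raw pointer; returns its slot index, or -1 if the table is full. */
int ext_table_insert(void *ptr, ext_tag_t tag) {
    for (unsigned i = 0; i < EXT_TABLE_SIZE; i++) {
        if (g_ext_table[i].tag == TAG_FREE) {
            g_ext_table[i].ptr = ptr;
            g_ext_table[i].tag = tag;
            return (int)i;
        }
    }
    return -1;
}

/* Resolve an index coming from inside the sandbox. NULL means the index was
 * out of range or the slot holds a different type: a corrupted or confused
 * index never turns into a wild raw pointer. */
void *ext_table_get(uint32_t index, ext_tag_t expected) {
    if (index >= EXT_TABLE_SIZE) return NULL;
    if (g_ext_table[index].tag != expected) return NULL;
    return g_ext_table[index].ptr;
}

int main(void) {
    if (!sandbox_init()) return 1;
    /* Constructed attacker-controlled value written over a pointer field. */
    sandboxed_ptr_t corrupted = 0xdeadbeefcafebabeULL;
    printf("corrupted offset stays inside sandbox: %d\n",
           sandbox_contains(sandbox_deref(corrupted)));
    int idx = ext_table_insert(g_demo_external, TAG_STRING_BUF);
    printf("valid lookup:        %d\n",
           ext_table_get((uint32_t)idx, TAG_STRING_BUF) == (void *)g_demo_external);
    printf("wrong type rejected: %d\n",
           ext_table_get((uint32_t)idx, TAG_FILE) == NULL);
    printf("bad index rejected:  %d\n",
           ext_table_get(0xffffffffu, TAG_STRING_BUF) == NULL);
    return 0;
}
```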

The researchers state that most of the overhead generated by the sandbox comes from the pointer table indirection for external objects. A minor overhead comes from using offsets instead of raw pointers, which mainly costs a shift-and-add operation and is therefore quite inexpensive. The sandbox’s overhead is approximately 1% or less on standard workloads, as measured with the Speedometer and JetStream benchmark suites. Consequently, the V8 Sandbox can be activated by default on compatible platforms.

“The V8 Sandbox must be enabled/disabled at build time using the v8_enable_sandbox build flag. It is (for technical reasons) not possible to enable/disable the sandbox at runtime. The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte.” concludes the announcement.

“The V8 Sandbox has already been enabled by default on 64-bit (specifically x64 and arm64) versions of Chrome on Android, ChromeOS, Linux, macOS, and Windows for roughly the last two years.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, V8 Sandbox)

CL0P's Ransomware Rampage - Security Measures for 2024

9 April 2024 at 11:24
2023 CL0P Growth

Emerging in early 2019, CL0P was first introduced as a more advanced version of its predecessor, the ‘CryptoMix’ ransomware, brought about by its owner, the CL0P cybercrime organisation. Over the years the group remained active with significant campaigns throughout 2020 to 2022. But in 2023 the CL0P ransomware gang took itself to new heights and became one of the

Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access

By: Newsroom
9 April 2024 at 13:05
Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024. The

Hackers Targeting Human Rights Activists in Morocco and Western Sahara

By: Newsroom
9 April 2024 at 13:45
Human rights activists in Morocco and the Western Sahara region are the targets of a new threat actor that leverages phishing attacks to trick victims into installing bogus Android apps and serve credential harvesting pages for Windows users. Cisco Talos is tracking the activity cluster under the name Starry Addax, describing it as primarily singling out activists associated with

10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

By: Newsroom
9 April 2024 at 14:01
A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks. The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News. "Its primary method of operation

ScrubCrypt used to drop VenomRAT along with many malicious plugins

9 April 2024 at 16:40

Researchers discovered a sophisticated multi-stage attack that leverages ScrubCrypt to drop VenomRAT along with many malicious plugins.

Fortinet researchers observed a threat actor sending out phishing emails containing malicious Scalable Vector Graphics (SVG) files. The email is crafted to trick recipients into clicking on an attachment, which downloads a ZIP file containing a Batch file obfuscated with the BatCloak tool. The attackers then use ScrubCrypt to load the final payload, VenomRAT. The malicious code connects to the command and control (C2) server to install additional plugins on the victims’ systems, which include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed to drain funds from specific crypto wallets.

The campaign is notable for its utilization of the BatCloak malware obfuscation engine and ScrubCrypt to distribute the malware through obfuscated batch scripts.

BatCloak is a fully undetectable (FUD) malware obfuscation engine used by threat actors to stealthily deliver their malware since September 2022.

In June 2023, Trend Micro researchers detailed the BatCloak malware obfuscation engine, which multiple threat actors used. The samples analyzed by the experts demonstrated a remarkable ability to persistently evade anti-malware solutions.

The researchers discovered that the BatCloak engine was part of a FUD builder named Jlaive that began circulating in 2022. The analysis of the Jlaive repository revealed the developer’s (ch2sh) effort in FUD technologies: the developers used AES encryption and implemented techniques to bypass the Antimalware Scan Interface (AMSI). After the repository containing the open-source tool was taken down in September 2022, it was cloned and modified by other threat actors. The researchers discovered modified versions and clones offering Jlaive as a one-time purchase instead of a classic subscription-based model. While many of the repositories containing modified or cloned Jlaive versions continue to be removed from code hosting sites such as GitHub and GitLab, threat actors continue to upload the code, and in some cases development teams have also ported it to other languages such as Rust.

The ScrubCrypt crypter is sold on hacking forums; it allows securing applications with a unique BAT packing method.

ScrubCrypt was first detailed by Fortinet in March 2023 when a threat actor tracked as 8220 Gang was spotted using it in cryptojacking campaigns.

Fortinet experts conclude that this campaign is very sophisticated because it leverages multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt.

“The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems. Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign.” concludes the report that also includes indicators of compromise (IoCs). “The attackers’ ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively.”

Pierluigi Paganini

(SecurityAffairs – hacking, ScrubCrypt)

Over 91,000 LG smart TVs running webOS are vulnerable to hacking

9 April 2024 at 18:28

Researchers found multiple vulnerabilities in LG webOS running on smart TVs that could allow attackers to gain root access to the devices.

Bitdefender researchers discovered multiple vulnerabilities in LG webOS running on smart TVs that could be exploited to bypass authorization and gain root access on the devices.

The vulnerabilities discovered by the researchers impact WebOS versions 4 through 7 running on LG TVs.

“WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by the LG ThinkQ smartphone app to control the TV. To set up the app, the user must enter a PIN code into the display on the TV screen.” reads the advisory. “An error in the account handler lets an attacker skip the PIN verification entirely and create a privileged user profile.”

The researchers pointed out that, although the vulnerable service is intended for LAN access only, a Shodan query identified over 91,000 devices exposing it to the Internet. At the time of writing, the number of exposed devices had decreased to 88,000. Most of the Internet-facing devices are in South Korea, Hong Kong, the U.S., Sweden, and Finland.

Below is the list of vulnerabilities discovered by the experts in November 2023:

  • CVE-2023-6317 – An authentication bypass issue that can be exploited to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
  • CVE-2023-6318 – An elevation of privileges issue that can be exploited to elevate privileges and gain root access to take control of the device
  • CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics
  • CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint

The vulnerabilities impact the following webOS versions:

  • webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA

Below is the disclosure timeline:

  • November 01, 2023: Vendor disclosure
  • November 15, 2023: Vendor confirms the vulnerabilities
  • December 14, 2023: Vendor requests extension
  • March 22, 2024: Patch release
  • April 09, 2024: Public release of this report

Pierluigi Paganini

(SecurityAffairs – hacking, smart TVs)

April’s Patch Tuesday Brings Record Number of Fixes

9 April 2024 at 20:28

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.

“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”

Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.

Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.

Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.

Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.

“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”

CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.

“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”

Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.

Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.

“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”

For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.

Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.

KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.

“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.

Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks

By: Newsroom
10 April 2024 at 03:05
A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments. "The Rust standard library did not properly escape

Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included

By: Newsroom
10 April 2024 at 04:57
Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild. Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is aside from 21 vulnerabilities that the company addressed in its

Cybersecurity in the Evolving Threat Landscape

10 April 2024 at 07:57

As technology evolves and our dependence on digital systems increases, the cybersecurity threat landscape also rapidly changes, posing fresh challenges for organizations striving to protect their assets and data.

The battle between cybersecurity defenders and malicious actors rages on in the vast digital expanse of today’s interconnected world. As technology advances and our reliance on digital infrastructure grows, the threat landscape morphs and mutates, presenting new challenges for organizations trying to safeguard their assets and data.

The common maxim today is that when it comes to breaches, it’s no longer a case of ‘if’ but ‘when’ or ‘how often?’. Cybersecurity has always been seen as a catch-up game, with determined adversaries a step ahead.

However, while companies struggle to stay ahead of emerging threats, there are several tools and approaches they can adopt to bolster their cybersecurity strategies.

A Dynamic, Complex Threat Landscape

Today’s cyber threat landscape is characterized by its dynamic and complex nature. No longer confined to isolated malware or phishing attacks, threats now encompass a wide range of sophisticated tactics, techniques, and procedures (TTPs) used by cybercriminals and nation-state actors alike.

The cybercriminal’s arsenal grows daily, from ransomware and supply chain attacks to advanced persistent threats (APTs) and zero-day exploits.

One of the primary reasons why entities battle to stay ahead of emerging threats is the rapid pace of technological innovation. As businesses in every sector embrace digital transformation initiatives, adopting cloud computing, Internet of Things (IoT) devices, automation, AI, and interconnected ecosystems, their attack surface widens exponentially.

Each new technology comes with its own set of vulnerabilities and potential chinks in the armor for attackers to slip through, making it increasingly challenging to maintain robust defenses.

Moreover, the asymmetric nature of cyber attacks exacerbates the problem. While security practitioners must safeguard against every possible attack vector, adversaries only need to exploit a single weakness to get a foot in the door.

This inherent imbalance tilts the scales in the attackers’ favor, forcing organizations into a perpetual game of cat and mouse as they attempt to anticipate and mitigate the barrage of evolving threats.

Old Tools Are Failing Miserably

In their mission to strengthen their digital defenses, defenders employ a range of tools and approaches, each with their strengths and weaknesses. Historically, traditional perimeter-based defenses, such as firewalls and intrusion detection systems (IDS), were the foundation of most cybersecurity strategies.

While effective at foiling known threats and preventing unauthorized access to network resources, these traditional measures fail miserably in the face of increasingly sophisticated attacks that bypass perimeter defenses through social engineering or insider threats.

Similarly, in this era of distributed work, employees access company resources from various locations and devices. The idea that a secure network perimeter will keep the bad guys out has become obsolete.

With the proliferation of remote workers and cloud-based apps and services, the boundaries of the corporate network have blurred, with little distinction between inside and outside.

As a result, bad actors have a much broader attack surface to exploit. Moreover, the rise of the bring-your-own-everything phenomenon – be it device, application, or connection – complicates matters even more. Businesses now have to work hard to enforce consistent security controls across a diverse array of personal and corporate-owned devices, unsanctioned apps, and shadow IT.

It’s clear that in today’s distributed world, reliance on perimeter-based defenses alone leaves entities vulnerable to sophisticated cyber threats that can circumvent these measures with ease.

Navigating Through a Sea of Options

There are a range of threat detection and response solutions to help identify any malicious activity that could compromise the network and then help security teams respond quickly to mitigate or neutralize the threat before it can turn into a major incident.

Endpoint security solutions, including antivirus software and Endpoint Detection and Response (EDR) tools, aim to protect individual devices from malicious activity. By monitoring endpoint behavior and pinpointing anomalous patterns that might be signs of a cyber threat, these tools provide a crucial layer of defense against malware, ransomware, and other endpoint-centric attacks.

However, their effectiveness is often limited by the sheer volume of endpoints in today’s IT environments, making comprehensive endpoint protection a daunting task for large enterprises.

Managed Detection and Response (MDR) is a security service designed to improve organizations’ protection against modern cyber threats. These services bring advanced threat detection, incident response, and continuous monitoring together to enable security teams to quickly recognize unusual activity, identify threats, and take immediate action. However, MDR also runs the risk of false positives, leading to wasted time and resources.

Gaining Holistic Visibility into Environments

In response to these challenges, another approach to cybersecurity is gaining traction – Extended Detection and Response (XDR). Building upon the foundational principles of EDR and threat intelligence, XDR integrates data from multiple security controls, such as endpoints, networks, cloud environments, and applications, into one unified platform.

By aggregating and correlating telemetry data from disparate sources, XDR enables security professionals to gain holistic visibility into their environments and root out sophisticated threats that might slip through traditional security nets. Unlike tools that look at a single dimension (the endpoint), XDR architectures extend across multiple security dimensions.

One of the critical strengths of XDR is its ability to contextualize security alerts within the broader context of a company’s environment. By analyzing telemetry data across multiple vectors, these platforms can identify complex attack chains and separate legitimate threats from benign anomalies, reducing false positives and facilitating more precise threat detection.

Moreover, these solutions feature centralized management and orchestration capabilities to streamline incident response workflows, enabling security teams to quickly investigate and remediate security incidents across the entire attack surface.

However, like all security solutions, XDR has its limitations. Implementation challenges, such as integration complexities and interoperability issues with existing security tools, can be a stumbling block to adopting these solutions.

Furthermore, the effectiveness of these tools depends heavily on the quality and timeliness of the telemetry data ingested into the platform. Incomplete or outdated data sources have been known to compromise the efficacy of threat detection and response.

Navigating the Future of Cybersecurity

When it comes to cybersecurity, there’s no one-size-fits-all solution. Every company operates within a unique risk environment influenced by factors such as industry, size, and infrastructure.

When navigating this landscape, each business must thoroughly evaluate the pros and cons of various detection and response options. Whether it’s investing in intrusion detection systems, deploying endpoint protection tools, or implementing robust incident response plans, the decision hinges on a full understanding of the company’s specific vulnerabilities and operational needs.

What works for one may not work for another. Therefore, the path to effective cybersecurity requires a tailored approach, where informed decisions are made based on individual needs and circumstances, ensuring a robust defense against evolving threats.

About the Author: Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.

Pierluigi Paganini

(SecurityAffairs – hacking, Cybersecurity Threat Landscape)

Webinar: Learn How to Stop Hackers from Exploiting Hidden Identity Weaknesses

10 April 2024 at 09:02
We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems? Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think. Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers

Researchers Uncover First Native Spectre v2 Exploit Against Linux Kernel

By: Newsroom
10 April 2024 at 09:26
Cybersecurity researchers have disclosed what they say is the "first native Spectre v2 exploit" against the Linux kernel on Intel systems that could be exploited to read sensitive data from the memory. The exploit, called Native Branch History Injection (BHI), can be used to leak arbitrary kernel memory at 3.5 kB/sec by bypassing existing Spectre v2/BHI mitigations, researchers from Systems and

Hands-on Review: Cynomi AI-powered vCISO Platform

10 April 2024 at 11:00
The need for vCISO services is growing. SMBs and SMEs are dealing with more third-party risks, tightening regulatory demands and stringent cyber insurance requirements than ever before. However, they often lack the resources and expertise to hire an in-house security executive team. By outsourcing security and compliance leadership to a vCISO, these organizations can more easily obtain

Beware: GitHub's Fake Popularity Scam Tricking Developers into Downloading Malware

By: Newsroom
10 April 2024 at 12:38
Threat actors are now taking advantage of GitHub's search functionality to trick unsuspecting users looking for popular repositories into downloading spurious counterparts that serve malware. The latest assault on the open-source software supply chain involves concealing malicious code within Microsoft Visual Code project files that's designed to download next-stage payloads from a remote URL,

Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

By: Newsroom
10 April 2024 at 13:10
Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files (WSFs) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick

Microsoft Patch Tuesday security updates for April 2024 fixed hundreds of issues

10 April 2024 at 13:56

Microsoft Patch Tuesday security updates for April 2024 addressed three Critical vulnerabilities, none of which is actively exploited in the wild.

Microsoft Patch Tuesday security updates for April 2024 addressed 147 vulnerabilities in multiple products. This is the highest number of fixed issues from Microsoft this year and the largest since at least 2017. The issues impact Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. According to ZDI, three of these vulnerabilities were reported through their ZDI program.

Only three vulnerabilities, tracked as CVE-2024-21322, CVE-2024-21323, and CVE-2024-29053, are rated Critical; the good news is that they are not actively exploited in the wild.

Below are some of the most interesting issues addressed by the IT giant:

CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability. An attacker can exploit this security feature bypass vulnerability by tricking a user into launching malicious files using a launcher application that requests that no UI be shown. An attacker could send the targeted user a specially crafted file that is designed to trigger the remote code execution issue. The flaw is actively exploited in the wild.

CVE-2024-20678 – Remote Procedure Call Runtime Remote Code Execution Vulnerability. Any authenticated user can exploit this vulnerability; according to Microsoft, it does not require admin or other elevated privileges.

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability. The flaw, reported by Sophos, involves a malicious driver signed with a valid Microsoft Hardware Publisher Certificate. The driver was used in attacks in the wild to deploy a backdoor.

CVE-2024-26221 – Windows DNS Server Remote Code Execution Vulnerability. In a network-based attack an attacker would need to have the privileges to query the Domain Name Service (DNS). If the timing of DNS queries is perfect, the attacker could execute code remotely on the target server.

The full list of flaws fixed by Microsoft in April 2024 is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Patch Tuesday)

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

10 April 2024 at 14:28

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.

The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.

A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.

Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”

Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”

Original story:

The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.

A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.

The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered space-twitter.com, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.

Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).

The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.

Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.

“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”
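As an added example (not Twitter/X's own code), the following JavaScript contrasts the naive substring rewrite the article describes with a rewrite that checks the hostname boundary first, and lists which display strings only the naive version would alter. The function names are hypothetical and the sample links are constructed from the domains mentioned above.

```javascript
// Added example, not code from Twitter/X. Shows why rewriting "twitter.com"
// as a bare substring turns look-alike domains into trusted brand names, and
// how a hostname-boundary check avoids it.

// Naive approach: replace "twitter.com" wherever it appears in the display text.
// "fedetwitter.com" becomes "fedex.com", which is the phishing gift described above.
function naiveRewrite(displayText) {
  return displayText.replace(/twitter\.com/g, "x.com");
}

// True only when the host IS twitter.com or sits under it at a label boundary,
// so "fedetwitter.com" is rejected while "mobile.twitter.com" is accepted.
function isTwitterHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "twitter.com" || h.endsWith(".twitter.com");
}

// Boundary-aware approach: parse the link, check the hostname, and replace only
// the trailing "twitter.com" label pair of that hostname.
function safeRewrite(displayText) {
  let url;
  try {
    // Display text may lack a scheme; add one so URL() can extract the host.
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(displayText);
    url = new URL(hasScheme ? displayText : `https://${displayText}`);
  } catch {
    return displayText; // not a URL at all; leave it untouched
  }
  if (!isTwitterHost(url.hostname)) return displayText;
  const newHost = url.hostname.slice(0, -"twitter.com".length) + "x.com";
  // Escape the hostname for use in a case-insensitive regex so the original
  // casing in the display text does not defeat the replacement.
  const escaped = url.hostname.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return displayText.replace(new RegExp(escaped, "i"), newHost);
}

// Defensive check: return the display strings that the naive rewrite would
// change but the boundary-aware rewrite leaves alone, i.e. look-alike candidates
// a reviewer would want flagged before any link-rewriting feature ships.
function lookalikeCandidates(displayTexts) {
  return displayTexts.filter((t) => naiveRewrite(t) !== t && safeRewrite(t) === t);
}

// Constructed sample: domains from the article plus legitimate Twitter hosts.
const SAMPLE_LINKS = [
  "fedetwitter.com",
  "goodrtwitter.com",
  "space-twitter.com",
  "mobile.twitter.com",
  "https://twitter.com/home",
  "example.org",
];

for (const link of SAMPLE_LINKS) {
  console.log(`${link}\n  naive: ${naiveRewrite(link)}\n  safe:  ${safeRewrite(link)}`);
}
console.log("look-alike candidates:", lookalikeCandidates(SAMPLE_LINKS));
```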

'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan

By: Newsroom
10 April 2024 at 14:24
An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store. Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It's tracking the group behind the operation under the

Fortinet fixed a critical remote code execution bug in FortiClientLinux

10 April 2024 at 18:15

Fortinet addressed multiple issues in FortiOS and other products, including a critical remote code execution flaw in FortiClientLinux.

Fortinet fixed a dozen vulnerabilities in multiple products, including a critical-severity remote code execution (RCE) issue, tracked as CVE-2023-45590 (CVSS score of 9.4), in FortiClientLinux.

The vulnerability is an Improper Control of Generation of Code (‘Code Injection’) issue that resides in FortiClientLinux. An unauthenticated attacker can trigger the flaw to execute arbitrary code by tricking a FortiClientLinux user into visiting a specially crafted website.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website.” reads the advisory published by Fortinet.

Below are the impacted versions and the one released by the company to fix the issue.

Version                 Affected                Solution
FortiClientLinux 7.2    7.2.0                   Upgrade to 7.2.1 or above
FortiClientLinux 7.0    7.0.6 through 7.0.10    Upgrade to 7.0.11 or above
FortiClientLinux 7.0    7.0.3 through 7.0.4     Upgrade to 7.0.11 or above

The vulnerability was reported to Fortinet by the security researcher CataLpa from Dbappsecurity.

Fortinet did not reveal if this vulnerability is actively exploited in attacks in the wild.

US CISA published an alert to warn Fortinet users of the security updates released by the vendor to address multiple vulnerabilities in its products, including OS and FortiProxy.

“Fortinet released security updates to address vulnerabilities in multiple products, including OS and FortiProxy. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.” reads the alert that encourages users and administrators to review the following advisories and apply necessary updates: 

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

AT&T states that the data breach impacted 51 million former and current customers

10 April 2024 at 20:09

AT&T confirmed that the data breach impacted 51 million former and current customers and is notifying them.

AT&T revealed that the recently disclosed data breach impacts more than 51 million former and current customers and is notifying them.

In March 2024, more than 70,000,000 records from an unspecified division of AT&T were leaked onto Breached forum, vx-underground researchers reported.

The researchers confirmed that the leaked data is legitimate, however, it is still unclear if the information was stolen from a third-party organization linked to AT&T.

The seller, who goes online with the moniker MajorNelson, claimed that the data was obtained from an unnamed AT&T division by @ShinyHunters in 2021. The archive contains 73.481.539 records.

“It should be noted before anyone hits us with an “aktschually” – the data was stolen in 2021. It was leaked online today.” said vx-underground.

In August 2021, the ShinyHunters group claimed to have a database containing private information on roughly 70 million AT&T customers, but the company denied that the data had been stolen from its systems.

ShinyHunters is a popular hacking crew that is known to have offered for sale data stolen from tens of major organizations, including Tokopedia, Homechef, Chatbooks.com, Microsoft, and Minted.

In August 2021, the group asked $1 million for the entire database, or $200,000 for access, according to the RestorePrivacy website that examined a sample that appears authentic.

“While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid.” reads the RestorePrivacy website. “Here is the data that is available in this leak:

  • Name
  • Phone number
  • Physical address
  • Email address
  • Social security number
  • Date of birth”

The threat actors claimed that the data belonged to AT&T customers in the United States; the group told RestorePrivacy that it was available to help AT&T secure its systems in exchange for a reward.

AT&T initially denied any data breach; below is the statement from the telecommunications giant:

“Based on our investigation Thursday, the information that appeared in an internet chat room does not appear to have come from our systems,”

Later, the telecommunications company retracted its initial denial and confirmed the data breach. The data was “released on the dark web approximately two weeks ago,” said the company.

“It is not yet known whether the data … originated from AT&T or one of its vendors,” the company added. “Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.”

The company pointed out that it was not aware of any compromise of its infrastructure.

“We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. We believe and are working to confirm that the data set discussed today is the same dataset that has been recycled several times on this forum.” AT&T told CNN.

The company speculates that the leaked data is from 2019 or earlier.

AT&T is notifying the 51,226,382 impacted individuals, according to the data breach notification shared with the Maine Attorney General.

“The information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode.” reads the data breach notification. “To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier.”

The telecommunication giant offers impacted customers one year of complimentary credit monitoring, identity theft detection and resolution services provided by Experian’s IdentityWorksSM.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Group Health Cooperative data breach impacted 530,000 individuals

10 April 2024 at 22:29

Group Health Cooperative of South Central Wisconsin disclosed a data breach that impacted over 500,000 individuals.

The Group Health Cooperative of South Central Wisconsin (GHC-SCW) is a non-profit organization that provides health insurance and medical care services to its members in the Madison metropolitan area of Wisconsin.

The organization disclosed a data breach after a ransomware attack, the incident impacted 533,809 individuals.

The data breach occurred on January 24, 2024, and was discovered on January 25 when GHC-SCW identified unauthorized access to its network. The Information Technology (IT) Department isolated and secured the organization’s network in response to the incident.

The Group Health Cooperative of South Central Wisconsin (GHC-SCW) notified the FBI and is responding to the incident with the help of external cybersecurity experts.

“The attacker attempted to encrypt GHC-SCW’s system but was unsuccessful.” reads the data breach notification shared with the Maine Attorney General. “On February 9, 2024, during our investigation, we discovered indications that the attacker had copied some of GHC-SCW’s data, which included protected health information (PHI).”

The potentially compromised PHI may have included member/patient name, address, telephone number, e-mail address, date of birth and/or death, social security number, member number, and Medicare and/or Medicaid number.

A ransomware group contacted the organization claiming the theft of data.

“Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data,” continues the notification letter.

The data breach notification doesn’t name the ransomware group that hit the organization; however, the BlackSuit gang added Group Health Cooperative to its Tor leak site in March. The ransomware group claimed to have stolen patient and member data, financial documents, employee data, NDAs, contracts, several databases, and emails.

The company pointed out that it has no indication that the information has been used or further disclosed.

Group Health Cooperative also added that it has implemented enhanced security measures across all of its systems and networks.

Pierluigi Paganini

(SecurityAffairs – hacking, Group Health Cooperative)

Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability

By: Newsroom
11 April 2024 at 05:23
Fortinet has released patches to address a critical security flaw impacting FortiClientLinux that could be exploited to achieve arbitrary code execution. Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10. "An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to

Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks

By: Newsroom
11 April 2024 at 06:44
Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks. It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted

Microsoft fixed two zero-day bugs exploited in malware attacks

11 April 2024 at 08:41

Microsoft addressed two zero-day vulnerabilities (CVE-2024-29988 and CVE-2024-26234) actively exploited by threat actors to deliver malware

Microsoft addressed two zero-day vulnerabilities, tracked as CVE-2024-29988 and CVE-2024-26234, that threat actors are exploiting to deliver malware.

Microsoft Patch Tuesday security updates for April 2024 addressed 147 vulnerabilities in multiple products. This is the highest number of fixed issues from Microsoft this year and the largest since at least 2017. The issues impact Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. According to ZDI, three of these vulnerabilities were reported through its ZDI program.

Below are the descriptions of the two flaws:

CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability. An attacker can exploit this security feature bypass vulnerability by tricking a user into launching malicious files using a launcher application that requests that no UI be shown. An attacker could send the targeted user a specially crafted file designed to trigger the remote code execution issue. The flaw is actively exploited in the wild but Microsoft did not confirm it in the advisory.

“This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies.” reported ZDI.

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability. The flaw, reported by Sophos, involves a malicious driver signed with a valid Microsoft Hardware Publisher Certificate. The driver was used in attacks in the wild to deploy a backdoor. In December 2023, Sophos X-Ops received a report of a false positive detection on an executable that was signed using a valid Microsoft Hardware Publisher Certificate. However, the researchers noticed that the version info for the supposedly clean file looked a little suspicious: the attackers were attempting to impersonate the legitimate company Thales Group.

“However, after digging into both our internal data and reports on VirusTotal, we discovered that the file was previously bundled with a setup file for a product named LaiXi Android Screen Mirroring, “a marketing software…[that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”” reported Sophos. “It’s worth noting that while we can’t prove the legitimacy of the LaiXi software – the GitHub repository has no code as of this writing, but contains a link to what we assume is the developer’s website – we are confident that the file we investigated is a malicious backdoor.”

There’s no evidence indicating intentional inclusion of the malicious file by LaiXi developers or involvement of a threat actor in a supply chain attack during the application’s compilation/building process.

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Apple warns of mercenary spyware attacks on iPhone users in 92 countries

11 April 2024 at 10:14

Apple is warning iPhone users in over 90 countries of targeted mercenary spyware attacks, Reuters agency reported.

Apple is alerting iPhone users in 92 countries about mercenary spyware attacks, reported Reuters.

Reuters only mentioned India as one of the countries where users were targeted by the attacks.

According to a threat notification email sent to targeted users, the IT giant detected attempts to “remotely compromise the iPhone.”

The company did not attribute the targeted attacks to “any specific state-sponsored attacker”.

“Initially, Apple explicitly referred to “state-sponsored attacks.” After the last warnings to Indian opposition politicians and journalists, the government there appeared to be annoyed – unfavorable for Apple, after all, India is becoming increasingly important as an iPhone production location.” reported the German website Heise. “Meanwhile, the iPhone company instead speaks diplomatically of “mercenary spyware” and notes that such attacks “have historically been associated with state actors.””

Apple started sending such threat notifications in 2021, and since then the company has notified users in more than 150 countries.

Apple recommends that targeted iPhone users update their devices to the latest software version and contact cybersecurity experts to investigate potential compromise.

In response to a wave of sophisticated attacks against Apple users (such as Pegasus, DevilsTongue, and Hermit), in July 2022 Apple developed a new security feature, called Lockdown Mode, to protect its users against highly targeted cyberattacks.

Some of the protections implemented in Lockdown Mode are:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer

By: Newsroom
11 April 2024 at 11:32
A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint said. "Additionally, the actor appeared to

Python's PyPI Reveals Its Secrets

11 April 2024 at 11:32
GitGuardian is famous for its annual State of Secrets Sprawl report. In their 2023 report, they found over 10 million exposed passwords, API keys, and other credentials exposed in public GitHub commits. The takeaways in their 2024 report did not just highlight 12.8 million new exposed secrets in GitHub, but a number in the popular Python package repository PyPI. PyPI,

Palo Alto Networks fixed multiple DoS bugs in its firewalls

11 April 2024 at 14:15

Palo Alto Networks fixed several vulnerabilities in its PAN-OS operating system, including 3 issues that can trigger a DoS condition on its firewalls.

Palo Alto Networks released security updates to address several high-severity vulnerabilities in its PAN-OS operating system.

The company fixed the following DoS vulnerabilities:

CVE-2024-3385 – The company reported that a packet processing mechanism in Palo Alto Networks PAN-OS software allows a remote attacker to reboot hardware-based firewalls. Repeated attacks can eventually trigger a DoS condition by forcing the firewall into maintenance mode, requiring manual intervention to restore online functionality. This issue affects hardware firewall models PA-5400 Series firewalls and PA-7000 Series firewalls when GTP security is disabled. 

“Palo Alto Networks is not aware of any malicious exploitation of this issue. This was encountered by two customers in normal production usage.” reads the advisory.

Another DoS vulnerability in PAN-OS addressed by the vendor is tracked as CVE-2024-3384.

A remote attacker can trigger the flaw to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks can eventually trigger a DoS condition by forcing the firewall into maintenance mode, requiring manual intervention to restore online functionality.

The flaw affects only PAN-OS configurations with NTLM authentication enabled.

The third DoS vulnerability addressed by the vendor is tracked as CVE-2024-3382.

“A memory leak exists in Palo Alto Networks PAN-OS software that enables an attacker to send a burst of crafted packets through the firewall that eventually prevents the firewall from processing traffic. This issue applies only to PA-5400 Series devices that are running PAN-OS software with the SSL Forward Proxy feature enabled.” reads the advisory.

Palo Alto Networks also fixed an improper Group Membership Change vulnerability in Cloud Identity Engine (CIE). The PAN-OS issue tracked as CVE-2024-3383 ‘impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.’

The vendor is not aware of attacks in the wild exploiting any of these vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)
