Normal view

There are new articles available, click to refresh the page.
Today — 23 February 2024Main stream

Micropatches Released for Microsoft Outlook Information Disclosure Vulnerability (CVE-2023-35636)

23 February 2024 at 13:51



In December 2023, still-Supported Microsoft Outlook versions got an official patch for CVE-2023-35636, a vulnerability that allowed an attacker to coerce user's Outlook to authenticate to attacker's remote server, revealing user's NTLM hash in the process.

The vulnerability was discovered by Varonis researcher Dolev Taler, who wrote up a detailed article about it. In summary, a calendar file attached to an email can point to any URL, including a UNC path on a remote computer - and when the user tried to open such file, their computer would connect to the remote network share and, upon request, authenticate to it and reveal user's NTLM hash.

Microsoft's December patch changed Outlook's behavior such that whenever an ICS (calendar) file is opened from a specified location (instead of as an attachment), Outlook would display a security warning alerting the user about the potentially harmful content and asking their approval to continue.

While still-supported Microsoft Office versions have received the official vendor fix for this vulnerability, Office 2010 and 2013 - which we have security-adopted - are also vulnerable. In order to protect our users, we have created our own micropatch for this vulnerability.

Our patch is logically identical to Microsoft's.

Micropatch Availability

The micropatch was written for the following security-adopted versions of Office with all available updates installed:

  1. Microsoft Office 2013
  2. Microsoft Office 2010

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Office 2010 or 2013, 0patch will make sure such vulnerabilities won't be exploited on your computers - and you won't even have to know or care about updating.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email [email protected] for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center. 

We'd like to thank Dolev Taler for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.


RepoReaper - An Automated Tool Crafted To Meticulously Scan And Identify Exposed .Git Repositories Within Specified Domains And Their Subdomains

By: Zion3R
23 February 2024 at 11:30

RepoReaper is a precision tool designed to automate the identification of exposed .git repositories across a list of domains and subdomains. By processing a user-provided text file with domain names, RepoReaper systematically checks each for publicly accessible .git files. This enables rapid assessment and protection against information leaks, making RepoReaper an essential resource for security teams and web developers.

  • Automated scanning of domains and subdomains for exposed .git repositories.
  • Streamlines the detection of sensitive data exposures.
  • User-friendly command-line interface.
  • Ideal for security audits and Bug Bounty.


Clone the repository and install the required dependencies:

git clone https://github.com/YourUsername/RepoReaper.git
cd RepoReaper
pip install -r requirements.txt
chmod +x RepoReaper.py


RepoReaper is executed from the command line and will prompt for the path to a file containing a list of domains or subdomains to be scanned.

To start RepoReaper, simply run:

python3 RepoReaper.py

Upon execution, RepoReaper will ask for the path to the file containing the domains or subdomains: Enter the path of the file containing domains

Provide the path to your text file when prompted. The file should contain one domain or subdomain per line, like so:


RepoReaper will then proceed to scan the provided domains or subdomains for exposed .git repositories and report its findings. 


This tool is intended for educational purposes and security research only. The user assumes all responsibility for any damages or misuse resulting from its use.

Yesterday — 22 February 2024Main stream

TikTok’s latest actions to combat misinformation shows it’s not just a U.S. problem

22 February 2024 at 19:00
TikTok’s latest actions to combat misinformation shows it’s not just a U.S. problem

When we talk about the term “fake news,” most people likely picture a certain person who made the term infamous. 

And when we talk about misinformation and disinformation, many will remember the “Russian troll farms” that popped up during the 2016 U.S. presidential election and were unmasked and shut down during former president Barack Obama’s final days in office. 

But a few recent actions from TikTok, the most popular online social media platform, show that the problem of spreading misinformation and disinformation goes far beyond the borders of the U.S. 

TikTok announced last week it was launching in-app “election centres” to help combat misinformation and inform users of facts when they view videos about elections in European Union nations. This includes 27 unique apps that all use the country’s native language.  

In a statement on their site, the social media company said this effort is to “ensure people can easily separate fact from fiction.” 

Part of me can’t help but wonder if this wasn’t a problem of the company’s own creation after they allowed misinformation about the COVID-19 global pandemic to spread rapidly and use an algorithm that enhances “controversial” videos about different international brands. But I can certainly hope that these election centres provide more context than the little info box Twitter launched a while ago.  

I think this is important to note, though, that this problem just goes beyond American culture. Fake news, disinformation, misinformation – whatever label you want to put on it – will not just go away if one election in the U.S. goes one way or the other. It is an issue that is spreading on all platforms in all countries. 

I’ve been at fault in the past for just wanting to put the blame on Twitter. While they have been one of the worst offenders of allowing misinformation on their site, they are far from the only offenders or the only platform where users can spread this time of misinformation, even if they are doing it by accident. 

Just like any other platform, it’s easy for someone on TikTok to simply “share” or “like” someone else’s video if they find it compelling without giving it a second thought. Your friends and family are likely spreading misinformation on their feeds without even knowing it or doing it with any malicious intent. Regardless of where you live in the world, this is likely true. 

It’s amplified in the U.S. because our political theater is such that when something happens, everyone else on the world stage notices it. I can’t say that folks in the U.S. are necessarily invested in the national elections in Greece.  

But if misinformation is allowed to spread during the Greek elections, it’s going to spread to U.S. presidential elections. Once the infrastructure is in place for disinformation to flourish on a platform, it’s nearly impossible to get rid of, no matter the topic.  

The one big thing 

Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns. We have observed all three malware families being delivered during the same timeframe from the same storage bucket within Google Cloud. 

Why do I care? 

Some of the highest volume campaigns recently observed were being used to deliver the Astaroth, Mekotio, and Ousaban banking trojans to victims largely located in Latin American countries. We have also observed lower volume campaign victims located throughout Europe and North America, which may indicate less geographically focused targeting by threat actors moving forward. For example, the current variant of Astaroth targets more than 300 institutions across 15 Latin American countries. 

So now what? 

Talos has released new ClamAV signatures and Snort rules to protect against these various banking trojans. Our researchers have also alerted Google of this activity so that they may address it internally on Cloud Run. 

Top security headlines of the week 

Poland is launching a formal investigation into whether its former government leaders misused the Pegasus spyware. Parliament created a coalition to see if the Law and Justice (PiS) government, previously the ruling party of Poland, used the controversial spyware to track and target its political opponents. Current ruling leaders used a promise of an investigation as one of their top campaign platforms. Meanwhile, NSO Group, the creators of Pegasus, have reportedly created a new one-click exploit called “MMS Fingerprint” that it offers as an infection tool for the spyware. MMS Fingerprint allows Pegasus users to learn a great deal about a target Blackberry, iPhone or Android device by sending a specially crafted Multimedia Messaging Service (MMS) message. A contract between an NSO Group reseller and a customer in Ghana exposed the information, including a promise that MMS Fingerprint required “No user interaction, engagement, or message opening ... to receive the device fingerprint.” (Politico, DarkReading) 

The spyware startup Variston is reportedly shrinking and is preparing to completely close. Variston is known for launching spyware that can target iPhones, Android devices and some PCs. A disgruntled employee reportedly leaked information about the company and the zero-day exploits they used to Google’s Threat Analysis Group, which allowed Google to unmask the operation. This eventually led to several employees and developers leaving Variston. Variston, founded in 2018, previously used three zero-day vulnerabilities to target Apple devices, including a campaign in March 2023 to target iPhones in Indonesia. Reporters and researchers have yet to find who, exactly, Variston sold their services and technology to, though former employees have said some of the spyware was sent to the United Arab Emirates. (Tech Crunch, Google) 

Volt Typhoon, a large APT based in China, is reportedly still exfiltrating sensitive information on operational technology (OT) networks. Volt Typhoon has been known to target organizations in the communications, manufacturing, utility, IT and education sectors across the globe, though it’s recently become more noteworthy for its targeting of critical networks in the U.S. A new report from cybersecurity firm Dragos says that it spotted Volt Typhoon conducting scanning activities against electric companies between November and December 2023. Volt Typhoon is traditionally known for espionage and data theft on behalf of the Chinese government. But Dragos also says that the actor has also recently infiltrated a large U.S. city's emergency services network, as well as critical infrastructure networks in Africa. The report states that the OT data stolen may cause “unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.” (SecurityWeek, The Register) 

Can’t get enough Talos? 

Upcoming events where you can find Talos 

S4x24 (March 4 - 27) 

Miami Beach, Florida 

To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine. 

RSA (May 6 - 9) 

San Francisco, California 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 6d167aee7013d61b0832937773cd71d77493a05d6ffb1849bdfb1477622e54c2 
MD5: 36503fd339663027f5909793ea49ccbc 
Typical Filename: telivy_agent_2.3.1.exe 
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1    
MD5: 3e10a74a7613d1cae4b9749d7ec93515    
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   
MD5: df11b3105df8d7c70e7b501e210e3cc3   
Typical Filename: DOC001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201