
Notes by Catalin Cimpanu

 Elon Musk: We're modifying the algorithm to surface tweets from smaller accounts

The accounts:

https://files.mastodon.social/media_attachments/files/113/050/803/376/456/241/original/4fda4f51ec1b9b3c.png 
 Happy one-week anniversary, CrowdStrike customers! 
 Thanks to that stupid EU cookie bs, the Wayback Machine is now capturing those popups instead of a site's content 
 Sometimes I wonder why the f*** I even bother using Signal 
 Travian is still online

I am actually impressed 
 GhostRace - Exploiting and Mitigating Speculative Race Conditions

https://www.vusec.net/projects/ghostrace/ 
 Jury Finds Russian-Swedish Operator of ‘Bitcoin Fog’ Guilty of Running the Darknet Cryptocurrency Mixer 

https://www.justice.gov/usao-dc/pr/jury-finds-russian-swedish-operator-bitcoin-fog-guilty-running-darknet-cryptocurrency 
 Hunt & Hackett looks at the leak from Chinese hacker-for-hire contractor i-SOON and its possible ties to at least three Chinese APTs—Poison Carp (also known as Evil Eye, Earth Empusa, EvilBamboo), Jackpot Panda, and APT41 (also known as Double Dragon, Wicked Panda, Bronze Atlas).

https://www.huntandhackett.com/blog/isoon-leak-sheds-light 
 Broadcom has merged Carbon Black into its Symantec cybersecurity division.

The two brands will continue to operate separately. Broadcom acquired Carbon Black last year as part of its $69 billion acquisition of VMware. The company initially planned to sell off Carbon Black.

Broadcom previously acquired Symantec for $10.7 billion in August 2019.

https://www.broadcom.com/blog/broadcom-brings-together-two-proven-portfolios-to-deliver-complete-hybrid-cloud-cybersecurity 
 Tuta has enabled quantum-safe encryption by default on all new Tuta Mail accounts.

https://tuta.com/blog/post-quantum-cryptography 
 Is Twitch just endless commercials now? 
 Spotify saying the quiet part out loud

Article title: Spotify will end service in Uruguay due to bill requiring fair pay for artists

https://mixmag.net/read/spotify-end-service-uruguay-copyright-law-change-artists-fair-pay-amendment-news 
 Senior Ukrainian cybersecurity officials sacked amid corruption probe

Yurii Shchyhol and Victor Zhora were accused of participating in a scheme to contract software at inflated prices. 

https://cyberscoop.com/zhora-shchyhol-fired-corruption/ 
 Binarly has an analysis of the private key leaks that took place at Lenovo in September 2022 and MSI in April 2023.

The report's main finding was that multiple companies were apparently using the same Intel Boot Guard private keys to sign different types of firmware images.

https://binarly.io/posts/Dissecting_Intels_Explanation_of_Key_Usage_in_Integrated_Firmware_Images_IFWI/index.html 
 Enterprise software giant VMWare has published two security advisories to fix two sets of issues in its vCenter Server and Tools applications.

The worst of the two is the vCenter update, which fixes a 9.8/10-rated memory issue that can lead to remote code execution attacks (CVE-2023-34048).

https://www.vmware.com/security/advisories/VMSA-2023-0023.html 
 PortSwigger researchers have taken the concept behind the HTTP/2 Rapid Reset attack that was being used to launch DDoS attacks and have applied it in a manner that allows threat actors to perform remote race condition attacks with just one single TCP packet.

https://portswigger.net/research/the-single-packet-attack-making-remote-race-conditions-local

https://files.mastodon.social/media_attachments/files/111/279/061/410/194/748/original/2cf4fd5d65e2cfca.png 
 The I-know-better-than-my-customers-now-give-me-money CEO resigns

"John Riccitiello steps down as CEO of Unity after pricing battle"

https://venturebeat.com/games/john-riccitiello-steps-down-as-ceo-of-unity-after-pricing-battle/ 
 Newsletter: https://riskybiznews.substack.com/p/tech-companies-eu-vulnerability-disclosure-rules
Podcast: https://risky.biz/RBNEWS205/

-Tech companies and security firms rally against EU vulnerability disclosure rules
-Apple and Atlassian patch zero-days
-Supermicro patches BMC bugs
-PEACHPIT ad fraud botnet goes down
-23andMe denies data breach
-Lyca Mobile goes down in cyber attack
-Sony discloses MOVEit breach
-NVD reaches 200k entries
-ECH support lands in Firefox
-Android 14 is out
-Pixel 8 support extended to 7 years
-Russia tests social scoring system

https://files.mastodon.social/media_attachments/files/111/187/279/427/874/859/original/5a51edb7b5128c32.png 
 Also:

-MACE Act passes in US
-ASEAN casinos are laundering cybercrime profits
-Ransomware dwell time plummets from 5 to 1 day
-Hacker steals $100k crypto from Python devs
-Rootkits spotted on npm
-China's semiconductor espionage
-Operation Jacana
-macOS DirtyNIB vulnerability
-Cisco, X.org, cURL, and printer bugs
-NSA & CISA publish Top 10 misconfigs
-NSA & CISA publish IAM guidance for vendors
-CISA publishes Security Planning Workbook
-BlackBerry to split in two
-New tool—OpenPubkey

https://files.mastodon.social/media_attachments/files/111/187/293/978/736/376/original/129dee8b6eda4954.png 
 Massive outage impacts Xiaomi devices in Russia and Belarus

https://www.rbc.ru/technology_and_media/05/10/2023/651dd1a49a79477a0afffc4f 
 ESET researchers have identified a cyber-espionage campaign targeting a governmental entity in Guyana.

While ESET has not formally attributed the attacks, they believe the campaign was the work of a China-aligned threat group.

https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/

https://files.mastodon.social/media_attachments/files/111/183/522/498/944/499/original/5d23325831ad1c77.png 
 Ransomware is being deployed within one day of initial access in more than 50% of engagements. 

In just 12 months the median dwell time identified in the annual Secureworks State of the Threat Report has freefallen from 4.5 days to less than one day.

In 10% of cases, ransomware was even deployed within five hours of initial access.

https://www.secureworks.com/about/press/ransomware-dwell-time-hits-low-of-24-hours 
 The US NIST National Vulnerability Database (NVD) is now storing information on more than 200,000 vulnerabilities

https://www.linkedin.com/feed/update/urn:li:activity:7115682975899426818/ 
 Yesterday, Google released Android 14: https://blog.google/products/android/android-14/

...and announced seven years of security updates for Pixel devices: https://blog.google/products/pixel/google-pixel-8-pro/ 
 Researchers from TruffleSecurity have identified more than 700 live API keys and passwords that were included in comments filed with pull requests and issues filed on GitHub.

https://trufflesecurity.com/blog/thousands-of-github-comments-leak-live-api-keys

https://files.mastodon.social/media_attachments/files/111/182/912/069/294/616/original/b7dcb9e4d1872555.webp 
 The Binarly REsearch team has discovered multiple vulnerabilities in the Supermicro IPMI firmware component developed by ATEN. 

The vulnerabilities can be exploited by unauthenticated remote attackers and could result in obtaining root on the BMC system.

https://binarly.io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/

https://files.mastodon.social/media_attachments/files/111/182/152/709/042/922/original/dcec5371498a6b12.png 
 The X.org team has patched five vulnerabilities in two of its component libraries.

https://lists.x.org/archives/xorg/2023-October/061506.html 
 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh I bet that 1 "no" is on the... 
 @8e30f6c4 Probably Kevin McCarthy being pissed he lost his job 
 The US House of Representatives has passed a bill that would remove minimum education requirements on federal cybersecurity jobs.

Named the Modernizing the Acquisition of Cybersecurity Experts Act, the bill passed with an overwhelming 394-1 vote

https://fedscoop.com/house-passes-bill-relax-federal-cyber-educational-requirements/ 
 From the cURL founder on the nazi-X-chan:

"We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE." 
 Ukraine Energy Minister German Galushchenko says cyberattacks are a bigger threat to the country's power grid than rockets and drones because the repercussions of a cyber incident can paralyze whole systems rather than impact small substations—as rockets usually tend to do.

https://archive.ph/Y2srj 
 Apple has a security update for iOS devices to patch two actively exploited zero-days.

The first is a vulnerability (CVE-2023-42824) in the iOS kernel that Apple says was exploited against older iPhones using iOS 16.6 or lower.

The second is a zero-day (CVE-2023-5217) in the Libvpx library that Google discovered last week, and Apple also ported and fixed in iOS.

https://support.apple.com/en-us/HT213961 
 Atlassian has released a security update to patch an actively exploited zero-day in Confluence "Data Center" and "Server" appliances.

Tracked as CVE-2023-22515, the vulnerability is a local privilege escalation that can be used to create unauthorized admin accounts and access Confluence resources.

https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html 
 Interesting episode this week from Pat and Adam, with Pat talking to Kroll about how Clop had been testing its MOVEit exploits for over two years before this year's hacks.

https://risky.biz/RBNEWS724/ 
 Not naming names but some of the #bigtech are just increasing attack surface and then providing t... 
 @1072c1a1 I think we all know Microsoft. You don't need to redact it, bud! 
 Newsletter: https://riskybiznews.substack.com/p/ransomware-gangs-go-after-teamcity-ws-ftp
Podcast: https://risky.biz/RBNEWS204/

-Ransomware gangs hit TeamCity and WS_FTP servers
-Website leak exposes Russian military and intelligence centers
-Mandatory MFA for AWS root accounts
-Google Cloud moves security feature behind paywall
-Gmail adds more anti-spam features
-Arm, Google, and Qualcomm patch zero-days
-European Media Freedom Act adds some anti-spyware protections for journalists
-FSB wants to track geolocation data
-VPN ban incoming in RU in 2024

https://files.mastodon.social/media_attachments/files/111/175/951/451/641/474/original/a8317cc3eb9ea361.png 
 And:

-Thai crypto scammers detained
-18.6% of FOSS JS and Java projects went dead this year
-Malware reports on Knight ransomware and Mystic Stealer
-APT reports on APT41's Android malware, new REF5961 group, Konni, and Cytrox
-Microsoft patches apps for Libwebp and Libvpx zero-days
-Exim patches RCE bugs
-New Looney Tunables vulnerability
-New ShellTorch vulnerability
-ConnectedIO router bugs
-Gartner's cybersecurity spending forecast (it's good news)
-New tools—cloudgrep and KubeHound

https://files.mastodon.social/media_attachments/files/111/176/004/758/846/742/original/83afe49c8697f8ee.webp 
 The European Parliament has proposed an updated version of the European Media Freedom Act that includes a ban on the use of spyware against journalists.

The new document does not introduce a full blanket ban. Spyware may be used against journalists as a "last resort" and on a "case-by-case basis" under judicial authority to investigate serious crimes, such as terrorism or human trafficking.

https://www.europarl.europa.eu/news/en/press-room/20230929IPR06111/media-freedom-act-meps-tighten-rules-to-protect-journalists-and-media-outlets 
 Amazon makes MFA mandatory for AWS root access

"Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed."

https://aws.amazon.com/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/ 
 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh you're not the boss of me 
 @676a1675 not yet, anyway 
 Cado Security has open-sourced cloudgrep, a tool for searching resources across S3 cloud storage servers.

"It currently supports searching log files, optionally compressed with gzip (.gz) or zip (.zip), in AWS S3."

https://github.com/cado-security/cloudgrep 
 Android patches Libwebp zero-day and a second GPU driver exploit in Arm Mali

https://source.android.com/docs/security/bulletin/2023-10-01 
 An org hit by ransomware is telling me the threat actor got in via WS_FTP, for infos, so you migh... 
 @f7d0478e Only a few days ago people were ridiculing this vulnerability because there were "only 550 servers" connected online. Looks like ransomware gangs didn't give a shit about the infosec community's opinions once again. 
 ThreatFabric has published an in-depth analysis of two Android malware strains used by the APT41 Chinese cyber-espionage group.

https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack

They're named LightSpy and AndroidControl and are the DragonEgg and WyrmSpy strains first spotted by Lookout earlier this year.

https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41 
 The website of the Lorenz ransomware gang has leaked every message ever sent through its contact form. Copies of all messages are available here.

https://github.com/htmalgae/research/blob/main/lorenz-contact-form-messages.txt 
 DataDog's security team has open-sourced a tool named KubeHound that can be used to analyze Kubernetes clusters and create graphs of possible attack paths.

Blog: https://securitylabs.datadoghq.com/articles/kubehound-identify-kubernetes-attack-paths/

Tool: https://kubehound.io/

https://files.mastodon.social/media_attachments/files/111/167/679/036/805/386/original/e5422373f83c6679.png 
 Ransomware groups are exploiting a recently disclosed vulnerability in JetBrains TeamCity servers to breach corporate networks

https://files.mastodon.social/media_attachments/files/111/167/634/197/943/428/original/059173f6645ec9b9.png 
 Exim patches are out: https://www.exim.org/download.html

Analysis of that no-auth RCE: https://labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/

"But in the meantime, don’t panic - this one is more of a damp squib than a world-ending catastrophe." 
 For the love of God infosec community.... stop dumping PoCs two days after a patch is out.

At least allow IT teams to schedule a patch.

jfc almighty! 
 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh starts with hookers and end... 
 @e2253098 nah... both are cheap... yachts and an AWS account 
 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh how does one burn through $... 
 @e2253098 I have ideas how 
 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh Nice, but why are you calli... 
 @be37abb4 because I'm a rebel! 
 Newsletter: https://riskybiznews.substack.com/p/disclosure-snafu-delays-exim-patch-a-year
Podcast: https://risky.biz/RBNEWS203/

-Exim drama explained
-New major bug hits Progress (MOVEit) customers
-Greek govt sabotages spyware investigation
-IronNet ceases all operations
-SBU infiltrated ransomware gangs
-ShinyHunter member pleads guilty
-8 scam call centers disrupted in India
-Malicious ads in Bing AI chat
-Malware adopts smart contracts
-Clop torrents lead back to Moscow
-Phantom Hacker scams on the rise
-New AWS honeypots probed within 3 minutes

https://files.mastodon.social/media_attachments/files/111/164/591/952/516/821/original/05899544ecc69ade.png 
 And:

-Malware reports on BunnyLoader, RustDeck, GuLoader
-Lazarus poses as Meta recruiter
-Oilrig targets Saudi Arabia
-US report on Chinese disinformation efforts
-Vulnerability exploitation trends from Mandiant
-Exploitation of JetBrains TeamCity servers is underway
-SharePoint bug PoC is live
-You can bypass Cloudflare with Cloudflare
-New tool—DavRelayUp
-DarkBeam leaks its own database
-Source code of India's BharOS leaks
-The Apple iOS feature you should probably be aware of

https://files.mastodon.social/media_attachments/files/111/164/610/469/580/970/original/3275e7308c5daac3.jpg 
 A malware gang is storing parts of malicious JavaScript code inside smart contracts hosted on the Binance blockchain

https://finsin.cl/2023/09/29/infeccion-en-sitio-web-de-e-commerce-chileno/ 
 It is October and I am now ultra aware of cybersecurity 
 Cybersecurity firm IronNet has ceased all operations across all subsidiaries after the company ran out of funds

https://www.securityweek.com/bankrupt-ironnet-shuts-down-operations/ 
 Israeli officials have allowed local police to deploy the Pegasus spyware in a one-time case to investigate the murder of a Palestinian family.

Officials have allowed police to use the spyware for surveillance but not to extract data from infected devices.

https://www.timesofisrael.com/ag-approves-use-of-pegasus-phone-spyware-in-probe-of-shooting-that-killed-5/ 
 Back in June, the Clop gang began releasing some of the data from the MOVEit hacks as torrent files after it began having problems with its hosting infrastructure.

Researchers from Palo Alto Networks have analyzed the seeds of the Clop torrent files and found that most of the stolen MOVEit files have been released through three IP addresses belonging to Moscow-based web hosting provider FlyServers.

https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-with-torrents/ 
 CyFirma security researcher Kaushík Pał has discovered a new hacking forum named SeekShell that launched earlier this year

https://www.linkedin.com/posts/kaushik%7Epal_cybersecurity-threatintelligence-blockchain-activity-7113730677891633152-TrpH/ 
 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh what is a runescape VPN for... 
 @ee0877df wall hacks, obviously 
 Details and PoC for that WS_FTP 10.0 CVSS vulnerability (CVE-2023-40044):

https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044

Exploitation requires an HTTPS POST request.

There are currently more than 550 WS_FTP servers connected to the internet, according to Shodan.

This is very bad! 
 French cybersecurity firm Intrinsec has a 31-page report on the GuLoader malware, the Italian company behind it, and its recent campaigns

https://www.intrinsec.com/cyber_threats_targetting_energy_industry/

https://files.mastodon.social/media_attachments/files/111/156/934/028/191/873/original/95ba4be3631966b9.png 
 After a PoC was released last week, threat actors are now exploiting a vulnerability (CVE-2023-42793) in the JetBrains TeamCity CI/CD server to gain access to corporate repositories.

https://viz.greynoise.io/tag/jetbrains-teamcity-authentication-bypass-attempt?days=10 
 nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh don’t like this 
 @cf860c40 it's also paid, so doesn't matter since most people won't use it anyway 
 Newsletter: https://riskybiznews.substack.com/p/chinese-apt-hacks-subsidiaries
Podcast: https://risky.biz/RBNEWS202/

-Chinese APT hacks subsidiaries, pivots to corporate headquarters
-Google and Mozilla patch another Chrome & Firefox zero-day
-Cisco patches its own zero-day
-New DarkRiver APT targets Russian defense sector
-HVAC platform Johnson Controls goes down in ransomware incident
-Google urges SMS EoL
-OpenSSL 1.x EoL
-82% of CISA staff to be furloughed in govt shutdown
-Twitter fully embraces propaganda
-Russian hacker couple detained

https://files.mastodon.social/media_attachments/files/111/147/683/873/963/212/original/885399558440f810.png 
 Plus:

-ECH support lands in Chrome
-Snatch ransomware leak site leaks data on its owners
-Confiant takes down ScamClub malvertising group
-FBI warns of double-ransomware attacks
-Hackers spoof Dependabot to inject malware in projects
-APT reports on AridViper and Budworm
-Taiwan hit with CN disinfo
-Russian exploit broker promises $20mil for iOS and Android zero-days
-Apache NiFi and JBoss RichFaces exploitation
-Apple security updates
-New GPU.zip, Marvin, SideEye attacks
-New tool—Chalk

https://files.mastodon.social/media_attachments/files/111/147/699/183/159/247/original/4889de20ddd937dd.png 
 The Chrome zero-day from yesterday (CVE-2023-5217: Heap buffer overflow in libvpx) also received a fix in Firefox a few hours ago

https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ 
 Chinese security firm Rising analyzes Megazord, the latest version of the Akira ransomware.

http://it.rising.com.cn/fanglesuo/20045.html 
 Resecurity looks at the history of the RansomedVC ransomware and data extortion gang, which has made quite a few headlines lately after their alleged intrusions at Sony and NTT Docomo.

https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-is-known-about-the-ransomware-group-targeting-major-japanese-businesses

https://files.mastodon.social/media_attachments/files/111/144/204/666/321/956/original/2c501d0dc419659b.png 
 Cisco has released 14 security updates for various products.

Of the 14, there's a security patch marked as critical for Cisco Catalyst WAN switches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z 
 A threat actor named ScamClub is abusing ad platforms to place malicious ads on reputable websites that redirect users to phishing pages, gift card scams, and giveaway scams.

The group has been active since 2019, has employed multiple browser zero-days, and is believed to have made an estimated $8.5 million in the first half of the year alone.

Security firm Confiant has linked the group's operations to a Hong Kong company named WayTop International Advertising Limited.

https://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537 
 Manifest confusion attacks also work on PyPI:
https://stiankri.substack.com/p/manifest-confusion-in-pypi

The initial attack was only demoed on npm: https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem 
 New attack on RSA—the Marvin Attack, a new variation of the 1998 Bleichenbacher timing attack

"The Marvin Attack is a return of a 25 year old vulnerability that allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed with the private key."

https://people.redhat.com/~hkario/marvin/

https://files.mastodon.social/media_attachments/files/111/143/030/821/378/690/original/6e5c9c57777db105.png 
 @99019452 I did this because my normal alt-account was also flooded with GOP and RuZZian stuff and I had no clue where it was coming from 
 @767a86d3 no way in hell does Twitter have 500 million users lol 😆