
Notes by Catalin Cimpanu

New attack on RSA—the Marvin Attack, a new variation of the 1998 Bleichenbacher timing attack

"The Marvin Attack is a return of a 25 year old vulnerability that allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed with the private key."

https://people.redhat.com/~hkario/marvin/

https://files.mastodon.social/media_attachments/files/111/143/030/821/378/690/original/6e5c9c57777db105.png 

Finally... hope many more follow suit

"Chase U.K. to Block Crypto Payments Citing Fraud, Scams"

https://www.coindesk.com/policy/2023/09/26/chase-uk-to-block-crypto-payments-citing-fraud-scams/ 

Chinese security firm Xitan Laboratory has published a write-up on "five remote control backdoors" allegedly used by the NSA to breach the Xi'an Northwestern Polytechnical University in June of last year.

The five backdoors are NOPEN, FireJet, SecondDate, CunningHeretic, and StoicSurgeon

https://mp.weixin.qq.com/s/N_jJzk5ZqJEyU8COqBzzxQ 

"Using Side Eye, a machine learning assisted tool that Fu and his research team created, Fu can determine the gender of someone speaking in the room where a photo was taken –– and even the exact words they spoke."

https://news.northeastern.edu/2023/09/25/audio-recovery-still-images-silent-videos/ 

This research blew my mind... basically they're using image stabilization technology in modern phones to see how camera lenses adjust themselves to sound waves (spoken words) and then extracting that information from photos, reconstructing the sound.

🤯 🤯 🤯 🤯 🤯 🤯 🤯 

DevSecOps company Phylum has discovered 46 malicious JavaScript and Python libraries—41 on npm and 5 on PyPI—designed to steal Kubernetes configuration files and SSH keys from infected systems: https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi/

The campaign is related to a cluster of activity Sonatype spotted last week: https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys 

Reddit has removed the ability for its users to opt out of personalized ads.

https://www.reddit.com/r/reddit/comments/16tqihd/settings_updateschanges_to_ad_personalization/ 

Did you expect the WebP zero-day to impact LibreOffice too? Cause I didn't

https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/ 

PT Security says new APT named Dark River has targeted at least four Russian defense industry companies

The group's main tool is the MataDoor backdoor

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/ 

Chrome 117, released earlier this month, supports Encrypted ClientHello (ECH) for fully encrypted TLS traffic.

https://groups.google.com/a/chromium.org/g/blink-dev/c/CmlXjQeNWDI/m/hx-_4lNBAQAJ 

everyone's talking about cs2

has everyone finally got so fed up of subscriptions that they're go... 

@1889f834 lol... thought you were talking about CounterStrike 2

Google has released a security update to patch another Chrome zero-day vulnerability. Tracked as CVE-2023-5217, the zero-day resides in libvpx, a codec for processing VP8, VP9, and AV1 video files in Chrome.

The company says it spotted the attacks this Monday and released a security update two days later, on Wednesday.

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html 

Talks from the DEFCON 31 security conference, which took place this August, are now available on YouTube.

https://www.youtube.com/@DEFCONConference/playlists

https://files.mastodon.social/media_attachments/files/111/139/468/795/577/892/original/28868fe392e70077.png 

Joint US and Japanese security advisory warns of attacks from a Chinese APT named BlackTech that likes to compromise routers at subsidiaries and then pivot to main corporate US/JP headquarters

The group has a craving for Cisco routers... nom nom nom

https://www.cisa.gov/news-events/alerts/2023/09/27/nsa-fbi-cisa-and-japanese-partners-release-advisory-prc-linked-cyber-actors 

Cisco has responded to the joint US-JP security advisory that Chinese APT BlackTech is replacing Cisco router firmware in attacks:

"The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. There is no indication that any Cisco vulnerabilities were exploited."

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023 

Newsletter: https://riskybiznews.substack.com/p/cisa-releases-hbom-framework
Podcast: https://risky.biz/RBNEWS201/

-CISA releases HBOM framework
-Crypto platform Mixin hacked for $200 million
-the UK is also conducting hunt-forward missions
-Google open-sources BinDiff
-HTX (Huobi) hacked for $8mil
-OpenSea rotates API keys
-New Iran government hack
-MOVEit victim count passes 2K
-Sony investigates ransomware attack
-New Windows 11 security features
-Firefox 118 has built-in translations
-Patreon privacy update puts all profiles public

https://files.mastodon.social/media_attachments/files/111/136/160/594/279/981/original/65ed4392ade537b3.png 

Plus:

-UN-ASEAN-China collaboration to fight scams
-FSB agent detained for getting bribes from cybercrime group
-Shadow ransomware renames to C0met
-New ShadowSyndicate group
-Malware reports on Xenomorph, HijackLoader, Lu0Bot, ZenRAT, MoneyMessage, Hive, Retch, SHO, NSA backdoors
-APT reports on AtlasCross, STARK#VORTEX
-Russian APT activity in Ukraine switches to phishing
-Openfire servers infected with ransomware/cryptominers
-JetBrains TeamCity security update
-Sophos closes Naked Security

https://files.mastodon.social/media_attachments/files/111/136/174/659/697/498/original/1af9d7cc7d4259ef.png 

A major UK logistics operator, KNP Logistics, has filed for administration and will fire roughly 730 employees after a ransomware attack impacted its operations and market position earlier this year in June

https://www.bbc.com/news/uk-england-northamptonshire-66927965 

nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh Who's the translation provi...

@12711df6 it's done locally, via language packs

Another report of OpenFire exploitation: https://news.drweb.com/show/?i=14756

See VulnCheck (https://vulncheck.com/blog/openfire-cve-2023-32315) and Surevine (https://www.surevine.com/openfire-cve-2023-32315-what-we-know/) from August and June respectively

CVE is CVE-2023-32315 

The number of companies impacted by Clop's MOVEit hacking spree has formally surpassed 2,000, according to security firm Emsisoft.

https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/

https://files.mastodon.social/media_attachments/files/111/131/654/604/699/913/original/ab1887e11296beca.png 

Google fixes another LibWebP bug... gives it a 10.0 CVSSv3 score.

CVE-2023-5129: https://nvd.nist.gov/vuln/detail/CVE-2023-5129 

Report on ShadowSyndicate, an affiliate for seven different RaaS platforms: Quantum, Nokoyawa, AlphV, Royal, Clop, Cactus, and Play

https://www.group-ib.com/blog/shadowsyndicate-raas/ 

Sophos has closed its Naked Security blog: https://news.sophos.com/en-us/2023/09/26/update-on-naked-security/

The HTX cryptocurrency exchange has lost $8 million worth of Ether after a hacker gained access and emptied one of its hot wallets

https://archive.ph/QLLbL 

Chinese security firm NSFOCUS has discovered a new APT group named AtlasCross that has been running spear-phishing operations aimed at infecting its victims with the DangerAds and AtlasAgent malware.

The company didn't attribute the attacks to any state but said the campaign was interesting because it spoofed US Red Cross operations.

https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/

https://files.mastodon.social/media_attachments/files/111/130/802/816/923/145/original/74d6add7a8a644f8.png 

JetBrains has released a security update for TeamCity on-premise CI/CD servers to fix an authentication bypass vulnerability that could have allowed attackers to run malicious code on customer systems.

https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/ 

Google's Christian Blichmann has open-sourced BinDiff, a tool used to compare the structure of binary files. The tool has been free to use since 2016, but its source code was still private.

https://github.com/google/bindiff/releases/tag/v8 

RansomedVC claims to have breached Sony and is selling their data after the company refused to pay a ransom

https://files.mastodon.social/media_attachments/files/111/128/056/709/973/090/original/4cb4bf9568b8710a.png 

Some CERT-UA naming conventions from the report:

UAC-0010 (Gamaredon/FSB)
UAC-0056 (GRU)
UAC-0028 (APT28/GRU)
UAC-0082 (Sandworm/GRU)
UAC-0144/UAC-0024/UAC-0003 (Turla)
UAC-0029 (APT29/SVR)
UAC-0109 (Zarya)
UAC-0106 (XakNet)
UAC-0107 (CyberArmyofRussia) 

Some observed trends:

-targeting law enforcement agencies investigating Russian war crimes
-revisiting past victims to maintain access
-focus on immediate data exfil
-less malware ops, more phishing ops
-constant attacks on the UA media to plant fake news and disinformation
-LOLBIN is king
-relentless targeting of email servers 

Ukraine's SSSCIP agency has released a report detailing how the tactics of Russian hackers have changed in the first half of the year

Seems activity has gone down

https://cip.gov.ua/en/news/yak-zminyuyutsya-taktiki-cili-i-spromozhnosti-khakerskikh-grup-uryadu-rf-ta-kontrolovanikh-nim-ugrupovan-zvit

https://files.mastodon.social/media_attachments/files/111/127/816/932/706/957/original/ef9b5974732e2bd0.png 

DeFi platform Mixin hacked for $200 million

https://archive.li/AnB0O 

Not gonna lie.... Substack is starting to piss me off.

Why is there no more "View on web" link in its newsletters? 

Catching up with a week's worth of news is a PITA

@15e2bc2d Translation: We'll allow bot networks to manipulate Notes to help out our QAnon right-wing propaganda brethren from being mass-embarrassed on a daily basis.

Newsletter: https://riskybiznews.substack.com/p/north-korean-hackers-are-behind-coinex-hack
Podcast: https://risky.biz/RBNEWS199/

-Lazarus steals $54 million from CoinEx crypto-exchange
-US wants countries to commit to not paying ransoms
-Caesars paid $15 million ransom
-Meduza head infected with Pegasus spyware
-DevOps companies Retool and Rollback get hacked
-Airbus and MalindoAir suffer data leaks
-Windows 11 to block SMB from sending NTLM outside an org
-DOD releases Cyber Strategy
-US Army to focus on OSINT
-Spyware firms weaponize online ads

https://files.mastodon.social/media_attachments/files/111/068/655/834/484/865/original/f5c53d46fd55ec87.png 

Plus:

-French prosecutors appeal PyLocky case dismissal
-New PTI-257 group
-Reports from VISA, Europol, NSA+FBI+CISA
-Malware reports on Lydia spyware, MetaStealer, DBatLoader, 3AM and Sphynx ransomware
-Operation Rusty Flag hits Azerbaijan
-Peach Sandstorm Iranian APT behind wave of password-spraying
-APT reports on APT36, Lazarus, Konni
-Qihoo360 threatens to expose 13 NSA staffers
-ThemeBleed vulnerability
-GitHub Actions worm
-GitHub repojacking vulnerability
-Azure HDInsight vulns

https://files.mastodon.social/media_attachments/files/111/068/672/177/242/172/original/c0019644716ac797.png 

There are definitely some web developers who need to be yeeted into the Sun.

How the hell are you freezing browser rendering with your shitty JS code in 2023!!!!! 

nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh Any significance to announc...

@f7fc9739 Doubt it. It's very likely Bluetooth vulns, like their previous research: https://asset-group.github.io/cves.html

nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh

Where's this from, and on...

nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh Pretext: Countries like ...

@CyberHues take your "US hegemony" talking points back to the racist site, plz

Qihoo360:

"With the cooperation of industry partners from multiple countries, our work has made a major breakthrough and has now successfully identified the true identity of the US National Security Agency (NSA) staff member who launched the cyber attack on Northwestern Polytechnical University." 

ThemeBleed - RCE in Windows Themes

https://exploits.forsale/themebleed/ 

nostr:npub1zj46mlm94ekxxlc26xk3yyse9c89jd6hrf9q6ce34w045es6a86sqzfyjh I would be curious to hear ...

@fbbcf627 Timeline of the attack seems to indicate it is

Caesars paid hackers $15 million after they initially requested $30 million

https://www.casino.org/vitalvegas/caesars-entertainment-paid-millions-to-hackers-now-look-like-geniuses/ 

DevOps company Retool discloses hack: https://retool.com/blog/mfa-isnt-mfa/

DevOps company Rollbar discloses hack: https://archive.ph/Pp27e 

From the Retool incident (related to those Okta attacks from last month):

"The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice".... then reset MFA and took control of the Okta account. 

SentinelOne has discovered a new infostealer targeting macOS systems named MetaStealer: https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/

It is unclear if this is related to a similar infostealer targeting Windows systems, discovered last year by NCC Group: https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/ 

Broadcom's Symantec division has discovered a new Rust-based ransomware strain named 3AM.

Symantec saw the ransomware used in one attack so far, where a known ransomware affiliate deployed it on a victim's network after Lockbit was detected and blocked.

The 3AM ransomware comes with a Tor-based support and payment portal but does not appear to operate a dark web leak site (yet).

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit 

White House urging dozens of countries to publicly commit to not pay ransoms

https://therecord.media/counter-ransomware-initiative-members-ransom-payments-statement 

Is iPhone15 the most European iPhone ever? I read lots of complaints from US people... but surprisi...

@753983c1 why exactly?

@15e2bc2d Nice, more propaganda capabilities. Can't fall behind to Twitter and Telegram, can we.

Anybody know of a good service that tracks total annual US data breaches and number of victims? I...

@7d506386 I'd normally say threat intel firms, but 20 years back... is a lot.

Maybe Risk Based Security?

Cyber-insurers might have that data too. 

nostr:npub17lgy0rj5a2nwpnyc4hup6ufpfz7wz6dzcgd3crm6fm2yd34dcz0qlk9uux by now I'm quite frustrated...

@c9ef8197 @f7d0478e Most journalists are lazy self-praising morons. I should know.

Newsletter: https://riskybiznews.substack.com/p/cisa-to-provide-free-security-scans-water
Podcast: https://risky.biz/RBNEWS198/

-CISA to provide free security scans to public water utilities
-Adobe, Google, Mozilla, and Microsoft patch zero-days
-MGM Resorts suffers mysterious cyber incident
-Dutch football federation pays ransom to avoid player data leak
-arXiv suffers DDoS attack
-Free Download Manager supply chain attack
-Twitch extensions hijacked to spread spam
-Council of Europe calls for spyware investigations
-Smaller fines in the UK

https://files.mastodon.social/media_attachments/files/111/057/223/245/411/103/original/f839c9ebe9d550c3.png 

Also:

-Chrome 117 is out
-Smaller fines in the UK if you report hacks to the NCSC
-CISA publishes OSS roadmap
-CyberCom completes 50 hunt forward missions
-Football Leaks hacker sentenced
-Storm-0324 saw running MSFT Teams phishing campaigns
-Malware reports on CatDDoS, Hook, MidgeDropper, OriginBotnet, RomCom, Cuba, Remcos, Prohqcker
-Ballistic Bobcat hacks 32 Israeli companies
-Redfly compromises Asian power grid
-Patch Tuesday is out
-WiKI-Eve attack
-FBI warns of CSAM sextortions

https://files.mastodon.social/media_attachments/files/111/057/232/777/303/000/original/5b1908262be60b23.png 

oh no... it's Patch Tuesday today, isn't it!

Newsletter: https://riskybiznews.substack.com/p/microsoft-to-phase-out-3rd-party-printer-drivers
Podcast: https://risky.biz/RBNEWS197/

-Microsoft to phase out 3rd-party printer drivers
-Akira and Lockbit exploit Cisco ASA/FTD zero-day
-FBI links Stake crypto-heist to North Korea
-Ukrainian hacktivists unmask Russia's Cuban mercenary recruiting scheme
-Ransomware hits Sri Lanka govt
-Twitter bans scraping
-15 Israeli opposition party members have a WhatsApp issue mysteriously at the same time
-China's Myanmar fraud crackdown hits 1.2k
-Chinese info-op on Gab

https://files.mastodon.social/media_attachments/files/111/045/942/288/389/865/original/f1ed7e7fd57ab687.png 

A Vietnamese threat actor going by the name of MrTonyScam has been conducting expansive Facebook Messenger spam campaigns delivering malware using malicious attachments.

https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d

https://files.mastodon.social/media_attachments/files/111/041/674/783/769/663/original/50fbf2e76356c2e0.png 

BugProve researchers have identified 33 vulnerabilities in Zavio IP security cameras.

Seven of the reported vulnerabilities are pre-authentication remote code execution flaws that can be used to hijack affected security camera models.

The company has published details and proof-of-concept scripts for all issues after the vendor failed to respond for almost nine months.

https://bugprove.com/knowledge-hub/cve-2023-3959-cve-2023-4249-multiple-critical-vulnerabilities-in-zavio-ip-cameras/ 

An academic study of 4,600 malicious Python libraries found that 72% of packages persisted across PyPI mirror sites even after the libraries were removed from the main PyPI website.

https://about.honywen.com/publication/2023ase/ 

"I brought down a scamming operation with 15 bytes of PHP"

https://archive.li/hhn6C 

@974a6e71 I hate it.... of all the software patches the fintech industry and public needs to know, a privately sold, seldom exploited one is not one of them

Plus:

-IronNet furloughs workers
-Vulns in ProtonMail, Firefox, Apache Superset, Jenkins, Cisco, K8s
-IRM hotel booking 0-day
-New shelLM honeypot system
-Chinese IOs improve dramatically
-North Korean hackers on Mastodon
-APT reports on ScarCruft, APT28
-APT attacks on Fortinet and Zoho systems
-Malware reports on DarkGate, Raspberry Robin, AtomicStealer, RegStealer, AgentTesla, crypto-miners in the cloud
-Pandora malware impacts Android TVs
-Rayobyte's role in DDoS attacks

https://files.mastodon.social/media_attachments/files/111/028/961/275/468/993/original/19d204910c37e399.png 

And:

-Polish Senate investigation into Pegasus scandal
-China weaponized its vulnerability disclosure program
-Verizon fined for lying about cybersecurity
-Adobe Creative Cloud Sync EoL
-Emsisoft has a critical update after GlobalSign blunder
-SeeTickets reveals skimming incident
-LastPass hack thefts estimated at $35mil
-Seville, Spain's 4th largest city, hit by ransomware attack
-Android 14 is annoying researchers
-ICC to investigate cyber war crimes
-Internet censorship in RU is now at 850k

https://files.mastodon.social/media_attachments/files/111/028/976/387/627/756/original/7e30769d67316b5c.png 

Newsletter: https://riskybiznews.substack.com/p/us-and-uk-dox-sanction-trickbot-conti-member
Podcast: https://risky.biz/RBNEWS196/

-US and UK dox and sanction 11 more Trickbot/Conti members
-China bans iPhones for government work
-Microsoft explains how it lost its signing key
-Apple patches zero-days used to install NSO Group's Pegasus spyware without user interaction
-Cars are a privacy nightmare
-Chrome to get a new UI
-Russian businessman sentenced for hacking
-PYTA31's PyPI campaign still going
-W3LL gang made half a mil from hacking tools

https://files.mastodon.social/media_attachments/files/111/028/942/166/371/892/original/bd33724de04fb753.png 

Apple releases iOS and macOS security updates to fix two zero-days, one discovered by CitizenLab

https://support.apple.com/en-us/HT201222

https://files.mastodon.social/media_attachments/files/111/025/110/396/535/064/original/3b5ce0ed51305a47.png 

More on this from CitizenLab, which says both iOS zero-days were part of a zero-click no-user-interaction exploit chain named BLASTPASS.

The exploit was used in the wild to install the NSO Group Pegasus spyware on the latest version of iOS (16.6).

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/