Cyber Security Informer

Google TAG spotted actors using new code signing tricks to evade detection

Security Affairs

SEPTEMBER 26, 2021

Researchers from Google’s TAG team reported that financially motivated actors are using new code signing tricks to evade detection. Researchers from Google’s Threat Analysis Group reported that financially motivated actors are using new code signing tricks to evade detection. ” read the analysis published by Google TAG.

Software

Software Hacking Cybercrime Information Security

CISA adds Google Chromium V8 Type Confusion bug to its Known Exploited Vulnerabilities catalog

Security Affairs

FEBRUARY 7, 2024

The vulnerability impacts Google Chrome prior to 116.0.5845.179, it allows a remote attacker to execute arbitrary code via a crafted HTML page. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. reads the analysis published by Google TAG. “We

Spyware

Spyware Hacking Cybersecurity Risk

North Korea-linked threat actors target cybersecurity experts with a zero-day

Security Affairs

SEPTEMBER 8, 2023

The attacks that took place in the past weeks were detected by researchers at Google’s Threat Analysis Group (TAG). “Recently, TAG became aware of a new campaign likely from the same actors based on similarities with the previous campaign. ” reads the advisory published by Google TAG.

Cybersecurity

Cybersecurity Media Accountability Software

Recently patched Apple and Chrome zero-days exploited to infect devices in Egypt with Predator spyware

Security Affairs

SEPTEMBER 22, 2023

Citizen Lab and Google’s TAG revealed that the three recently patched Apple zero-days were used to install Cytrox Predator spyware. CVE-2023-41993 is an arbitrary code execution issue that resides in the Webkit. TAG experts explained that they were unable to capture the full Predator implant.

Spyware

Spyware Surveillance Mobile Hacking

Crickets from Chirp Systems in Smart Lock Key Leak

Krebs on Security

APRIL 15, 2024

government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021.

Software

Software Mobile Marketing Engineering

CVE-2024-21378 — Remote Code Execution in Microsoft Outlook

NetSpi Technical

MARCH 11, 2024

In 2023 NetSPI discovered that Microsoft Outlook was vulnerable to authenticated remote code execution (RCE) via synced form objects. Note, a pull request containing the proof-of-concept code is forthcoming to provide organizations with sufficient time to patch. However, the syncing capability of these form objects was never altered.

Authentication

Authentication Penetration Testing Technology Phishing

Burger King forgets to put a password on their systems, again

Security Affairs

AUGUST 2, 2023

If a threat actor is able to find and exploit an arbitrary PHP code execution vulnerability within the site, the credentials within.env could allow easier and more stealthy extraction of the MySQL database. Another piece of sensitive information that the research team observed included a Google Tag Manager ID.

Passwords

Passwords Accountability Mobile Hacking

Critical flaw in Ninja Forms WordPress Plugin actively exploited in the wild

Security Affairs

JUNE 19, 2022

The analysis of the updates revealed that they patched a code injection vulnerability that an unauthenticated attacker can exploit to execute arbitrary code or delete arbitrary files on the websites where a separate POP chain was present. The vulnerability resides in the Merge Tag feature of the plugin.

Hacking

Hacking Cybersecurity Information Security

Google links three exploitation frameworks to Spanish commercial spyware vendor Variston

Security Affairs

NOVEMBER 30, 2022

Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston. While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework likely linked Variston IT, a Spanish firm. ” TAG concludes.

Spyware

Spyware Surveillance Risk Internet

Apple released iOS 17.2 to address a dozen of security flaws

Security Affairs

DECEMBER 12, 2023

Successful exploitation of the flaw may lead to arbitrary code execution. Apple also addressed a code execution flaw, tracked as CVE-2023-42890, in the WebKit. Processing web content may lead to arbitrary code execution. The IT giant addressed the flaw by improving memory handling.

Surveillance

Surveillance Hacking Information Security

CVE-2021-31805 RCE bug in Apache Struts was finally patched

Security Affairs

APRIL 13, 2022

The remote code execution flaw, tracked as CVE-2020-17530, resides in forced OGNL evaluation when evaluated on raw user input in tag attributes. Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution – similar to S2-059.”

Software

Software Hacking Cybersecurity Information Security

Weekly Update 359

Troy Hunt

AUGUST 5, 2023

I settled for dumping stuff in a <pre> tag for now and will invest the time in doing it right later on.) What's the best tooling to start teaching kids to code Python on Windows with? (I Case in point: read my pain from last night about converting thousands of words of lawyer speak T&Cs from Microsoft Word to HTML.

Passwords

Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike

Security Affairs

OCTOBER 18, 2022

HelpSystems, the company that developed the Cobalt Strike platform, addressed a critical remote code execution vulnerability in its software. HelpSystems, the company that developed the commercial post-exploitation toolkit Cobalt Strike, addressed a critical remote code execution vulnerability, tracked as CVE-2022-42948, in its platform.

Architecture

Architecture Software Hacking Information Security

Retrofitting Temporal Memory Safety on C++

Google Security

MAY 26, 2022

The examples are endless: C++ smart pointers of all kinds are used to better define and manage ownership on application level; static analysis in compilers is used to avoid compiling problematic code in the first place; where static analysis fails, dynamic tools such as C++ sanitizers can intercept accesses and catch problems on specific executions.

Technology

Technology Architecture Authentication Software

XSS flaw in WordPress WP-Members Plugin can lead to script injection

Security Affairs

APRIL 2, 2024

“When viewed by an administrator, the malicious code is executed in the context of the administrator’s browser session and allows for the creation of malicious administrator users as well as changes to an affected site’s settings which could lead to a complete site takeover.” ” reads the advisory published by Wordfence.

Accountability

Accountability Hacking Information Security

120 Compromised Ad Servers Target Millions of Internet Users

The Hacker News

APRIL 20, 2021

An ongoing malvertising campaign tracked as "Tag Barnakle" has been behind the breach of more than 120 ad servers over the past year to sneakily inject code in an attempt to serve malicious advertisements that redirect users to rogue websites, thus exposing victims to scamware or malware.

Internet

Internet Internet Advertising Malware

Millions of sites could be hacked due to flaws in popular WordPress plugins

Security Affairs

MARCH 19, 2021

Experts found vulnerabilities in two WordPress plugins that could be exploited to run arbitrary code and potentially take over a website. Security researchers disclosed vulnerabilities in Elementor and WP Super Cache WordPress plugins that could be exploited to run arbitrary code and take over a website under certain circumstances.

Hacking

Hacking Authentication

APT37 used Internet Explorer Zero-Day in a recent campaign

Security Affairs

DECEMBER 8, 2022

” reads the post published by TAG. TAG determined that the APT group abused the zero-day vulnerability in the JScript engine of Internet Explorer. An attacker can exploit the flaw to execute arbitrary code when the victim visits an attacker-controlled website. CVE-2017-0199 ). Pierluigi Paganini.

Internet

Internet Internet Engineering Malware

Dell notifies customers about data breach

Malwarebytes

MAY 10, 2024

I am the only person who has the data.” The information involved does not include financial or payment information, email address, telephone number or any highly sensitive customer information.”

Data breaches

Data breaches Passwords Phishing Big data

Apache Software Foundation fixes code execution flaw in Apache Struts 2

Security Affairs

DECEMBER 8, 2020

The Apache Software Foundation addressed a possible remote code execution vulnerability in Struts 2 related to the OGNL technology. . The Apache Software Foundation has released a security update to address a “possible remote code execution” flaw in Struts 2 that is related to the OGNL technology. . ” Pierluigi Paganini.

Software

Software Technology Hacking Cybersecurity

RFID: Is it Secret? Is it Safe?

Approachable Cyber Threats

JULY 19, 2022

RFID uses electromagnetic fields in the form of radio waves to establish communication links between an RFID tag or transmitter and an RFID reader or receiver. Pieces of information are transmitted through the link that the reader uses to establish authenticity of the tag or transmitter and authorize access. Is RFID secure?

Risk

Risk Encryption Technology Retail

Dependabot impersonators cause trouble on GitHub

Malwarebytes

SEPTEMBER 29, 2023

GitHub is experiencing issues of the “breached account and malicious code” variety. Once the attackers have control over the stolen accounts, they would change the alias for said accounts to “Dependabot[bot]” and begin making potentially dangerous code commits. At this point, a “Commit” is made.

Accountability

Accountability Scams Social Engineering Passwords

Zimbra urges customers to manually fix actively exploited zero-day reported by Google TAG

Security Affairs

JULY 13, 2023

.” The vulnerability is reflected Cross-Site Scripting (XSS) that was discovered by Clément Lecigne of Google Threat Analysis Group (TAG). Google TAG researchers focus on identifying and countering advanced and persistent threats. Thank you to @Zimbra for publishing this advisory and mitigation advice!

Hacking

Hacking Backups Cyber threats Authentication

Shadowserver reported that +15K Citrix servers are likely vulnerable to attacks exploiting the flaw CVE-2023-3519

Security Affairs

JULY 23, 2023

Update on CVE-2023-3519 vulnerable IPs: we now tag 15K Citrix IPs as vulnerable to CVE-2023-3519. We extended the tagging logic to tag as vulnerable all that return Last Modified headers with a date before July 1, 2023 00:00:00Z. reads the advisory published by CISA. “In We also improved NetScaler AAA detection coverage.

VPN

VPN Cyber Attacks Software Cybersecurity

North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT and Media Firms

The Hacker News

MARCH 25, 2022

Google's Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser. based organizations

Media

Media Government

Google TAG argues surveillance firm RCS Labs was helped by ISPs to infect mobile users

Security Affairs

JUNE 24, 2022

Google’s Threat Analysis Group (TAG) revealed that the Italian spyware vendor RCS Labs was supported by ISPs to spy on users. TAG researchers tracked more than 30 vendors selling exploits or surveillance capabilities to nation-state actors. ” continues the analysis. Follow me on Twitter: @securityaffairs and Facebook.

Surveillance

Surveillance Mobile Spyware Telecommunications

Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks

Security Affairs

OCTOBER 25, 2023

The analysis of the email HTML source code revealed the presence of a SVG tag at the end, which contains a base64-encoded payload. The messages were sent from team.managment@outlook[.]com com and had the subject Get started in your Outlook. ” reads the analysis published by ESET. ” reads the analysis published by ESET.

Software

Software Government Phishing Internet

A New PowerShell Backdoor Is Being Used in Log4j Attacks

Heimadal Security

JANUARY 12, 2022

At the end of 2021 proof-of-concept exploits for a significant zero-day vulnerability discovered in the widely used Apache Log4j Java-based logging library were distributed online, exposing both home users and businesses to continuous remote code execution assaults.

Cybersecurity

New Kritec Magecart skimmer found on Magento stores

Malwarebytes

MARCH 22, 2023

Original campaign using WebSockets Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada's largest liquor store (LCBO). shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script, but not within it.

Technical Analysis of Xloader’s Code Obfuscation in Version 4.3

Security Boulevard

MARCH 30, 2023

Xloader implements different obfuscation methods and several encryption layers to protect critical parts of code and data from analysis. The developers behind this malware family continue to update the code with improved obfuscation and encryption layers with each new version that is released.

Encryption

Encryption Malware

CISA ADDS CHROME AND PERL LIBRARY FLAWS TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG

Security Affairs

JANUARY 3, 2024

The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm. CVE-2023-7101 – The flaw is Spreadsheet::ParseExcel Remote Code Execution Vulnerability. Google released emergency updates to address this zero-day vulnerability.

Surveillance

Surveillance Cybersecurity Hacking Risk

Abusing Windows Container Isolation Framework to avoid detection by security products

Security Affairs

AUGUST 31, 2023

Because we can override files using the IO_REPARSE_TAG_WCI_1 reparse tag without the detection of antivirus drivers, their detection algorithm will not receive the whole picture and thus will not trigger.” Scan files with the tag in the PRE_CLEANUP function even if they were not altered. ” continues the report.

Antivirus

Antivirus Ransomware Hacking Malware

A new Magecart campaign hides the malicious code in 404 error page

Security Affairs

OCTOBER 12, 2023

Researchers from the Akamai Security Intelligence Group uncovered a Magecart web skimming campaign that is manipulating the website’s default 404 error page to hide malicious code. ” The attack chain of this campaign consists of three main parts: loader, malicious attack code, and data exfiltration. .

Retail

Retail Security Intelligence Hacking Software

macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

Security Affairs

NOVEMBER 12, 2021

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. “To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. The macOS exploits were different from the iOS ones.

Malware

Malware Media Surveillance Encryption

YouTube creators’ accounts hijacked with cookie-stealing malware

Security Affairs

OCTOBER 20, 2021

A Cookie Theft malware was employed in phishing attacks against YouTube creators, Google’s Threat Analysis Group (TAG) warns. According to Google’s Threat Analysis Group (TAG) researchers, who spotted the campaign, the attacks were launched by multiple hack-for-hire actors recruited on Russian-speaking forums.

Accountability

Accountability Malware Phishing Social Engineering

Magecart campaign abuses legitimate sites to host web skimmers and act as C2

Security Affairs

JUNE 5, 2023

Magecart attacks target e-commerce websites, the name “Magecart” is derived from the malicious code (JavaScript) typically injected by the attackers into compromised websites. The attack chain commences by scanning the web for vulnerable legitimate sites and hacking them to inject malicious code.

Retail

Retail Hacking Software Malware

Google TAG shares details about exploit chains used to install commercial spyware

Security Affairs

MARCH 29, 2023

Google’s Threat Analysis Group (TAG) discovered several exploit chains targeting Android, iOS, and Chrome to install commercial spyware. Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. links sent over SMS to users.

Spyware

Spyware Surveillance Firmware Internet

Crooks use HTML smuggling to spread QBot malware via SVG files

Security Affairs

DECEMBER 14, 2022

The malicious HTML code is generated within the browser on the target device which is already inside the security perimeter of the victim’s network. . “SVG images are constructed using XML, allowing them to be placed within HTML using ordinary XML markup tags. ” reads the analysis published by Talos.

Malware

Malware Phishing Passwords Hacking

Accelerating incident response using generative AI

Google Security

APRIL 26, 2024

Input processing The type of data we process during incidents can be messy and often unstructured: Free-form text, logs, images, links, impact stats, timelines, and code snippets. We needed to structure all of that data so the LLM “knew” which part of the information serves what purpose.

Risk

Risk Engineering Accountability Technology

Is it OK to train an AI on your images, without permission?

Malwarebytes

MAY 2, 2023

This is a reasonable concern, especially as site owners would essentially be responsible for adding ever more entries to their code on a daily basis. Website owners contend that it's not physically possible to have to tell every tool in existence that they wish to opt-out. Rather, the tool should be opt-in.

Engineering

Engineering Internet Internet Ransomware

CVE-2024-21378 — Remote Code Execution in Microsoft Outlook

NetSpi Technical

MARCH 11, 2024

In 2023 NetSPI discovered that Microsoft Outlook was vulnerable to authenticated remote code execution (RCE) via synced form objects. Note, a pull request containing the proof-of-concept code is forthcoming to provide organizations with sufficient time to patch. However, the syncing capability of these form objects was never altered.

Authentication

Authentication Penetration Testing Technology Phishing

CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog

Security Affairs

APRIL 1, 2023

Google TAG shared indicators of compromise (IoCs) for both campaigns. The experts pointed out that both campaigns were limited and highly targeted. The exploits were used to install commercial spyware and malicious apps on targets’ devices.

Spyware

Spyware Surveillance Mobile Education

Threat actors actively exploit Control Web Panel RCE following PoC release

Security Affairs

JANUARY 12, 2023

Threat actors are actively exploiting a recently patched critical remote code execution (RCE) vulnerability in Control Web Panel (CWP). Ongoing mass exploitation of CVE-2022-44877 (Centos Web Panel 7 Unauthenticated Remote Code Execution). pic.twitter.com/PC8b9frmA9 — Germán Fernández (@1ZRR4H) January 11, 2023.

Hacking

Hacking Software Information Security

QR codes in email phishing

SecureList

SEPTEMBER 27, 2023

QR codes are everywhere: you can see them on posters and leaflets, ATM screens, price tags and merchandise, historical buildings and monuments. And yet you don’t see lots of QR codes in email: users often read messages on their phones without any other device handy for scanning. What is a QR code?

Phishing

Phishing Passwords Scams Accountability

Google TAG spotted actors using new code signing tricks to evade detection

CISA adds Google Chromium V8 Type Confusion bug to its Known Exploited Vulnerabilities catalog

Trending Sources

North Korea-linked threat actors target cybersecurity experts with a zero-day

Recently patched Apple and Chrome zero-days exploited to infect devices in Egypt with Predator spyware

Crickets from Chirp Systems in Smart Lock Key Leak

CVE-2024-21378 — Remote Code Execution in Microsoft Outlook

Burger King forgets to put a password on their systems, again

Critical flaw in Ninja Forms WordPress Plugin actively exploited in the wild

Google links three exploitation frameworks to Spanish commercial spyware vendor Variston

Apple released iOS 17.2 to address a dozen of security flaws

CVE-2021-31805 RCE bug in Apache Struts was finally patched

Weekly Update 359

Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike

Retrofitting Temporal Memory Safety on C++

XSS flaw in WordPress WP-Members Plugin can lead to script injection

120 Compromised Ad Servers Target Millions of Internet Users

Millions of sites could be hacked due to flaws in popular WordPress plugins

APT37 used Internet Explorer Zero-Day in a recent campaign

Dell notifies customers about data breach

Apache Software Foundation fixes code execution flaw in Apache Struts 2

RFID: Is it Secret? Is it Safe?

Dependabot impersonators cause trouble on GitHub

Zimbra urges customers to manually fix actively exploited zero-day reported by Google TAG

Shadowserver reported that +15K Citrix servers are likely vulnerable to attacks exploiting the flaw CVE-2023-3519

North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT and Media Firms

Google TAG argues surveillance firm RCS Labs was helped by ISPs to infect mobile users

Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks

A New PowerShell Backdoor Is Being Used in Log4j Attacks

New Kritec Magecart skimmer found on Magento stores

Technical Analysis of Xloader’s Code Obfuscation in Version 4.3

CISA ADDS CHROME AND PERL LIBRARY FLAWS TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG

Abusing Windows Container Isolation Framework to avoid detection by security products

A new Magecart campaign hides the malicious code in 404 error page

macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

YouTube creators’ accounts hijacked with cookie-stealing malware

Magecart campaign abuses legitimate sites to host web skimmers and act as C2

Google TAG shares details about exploit chains used to install commercial spyware

Crooks use HTML smuggling to spread QBot malware via SVG files

Accelerating incident response using generative AI

Is it OK to train an AI on your images, without permission?

CVE-2024-21378 — Remote Code Execution in Microsoft Outlook

CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog

Threat actors actively exploit Control Web Panel RCE following PoC release

QR codes in email phishing

Stay Connected