Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, Microsoft Dark Web Exploits

Key Takeaways


Cyble researchers have identified high-priority vulnerabilities in products from Ivanti, Microsoft, Qualcomm, Zimbra, and the Common Unix Printing System (CUPS).

Microsoft’s Patch Tuesday included five new zero-day vulnerabilities, two of which are being actively exploited – and Cyble researchers have observed threat actors discussing the other three zero-days on cybercrime forums.

Cyble also detected 14 vulnerability exploits discussed on dark web forums, suggesting that they may soon be under attack, if not already.

Overview

Cyble Research and Intelligence Labs (CRIL) investigated 22 vulnerabilities during the week of Oct. 2-8 and identified six products that security teams should prioritize for patching and mitigation.

Additionally, Cyble researchers detected 14 vulnerabilities and exploits shared on cybercrime forums that security analysts should also prioritize – including the three Microsoft zero-days not yet under active exploitation.

Cyble’s weekly IT vulnerability report covering the period of Oct. 2-8 also offered best practices that all security teams should follow.

Top IT Vulnerabilities This Week

CRIL researchers identified eight vulnerabilities in six products that security teams should prioritize; three affect Ivanti Cloud Services Appliances (CSA).

CVE-2024-9379, CVE-2024-9380, CVE-2024-9381: Ivanti CSA

These three critical vulnerabilities impact Ivanti Cloud Services Appliance (CSA), an internet appliance designed to facilitate secure communication and management of devices over the internet. It serves as a bridge between the core server and managed devices, enabling them to communicate even when they are behind firewalls or using proxies.

CVE-2024-9379 is an SQL injection flaw that a remote authenticated attacker with admin privileges can trigger. CVE-2024-9380 is an OS command injection vulnerability that allows a remote authenticated attacker with admin privileges to achieve remote code execution. CVE-2024-9381 is a path traversal vulnerability that allows a remote authenticated attacker with admin privileges to bypass restrictions. In a recent advisory, Ivanti disclosed attackers’ exploitation of CVE-2024- 9379, CVE-2024-9380, or CVE-2024-9381, chained with CVE-2024-8963. CISA also issued an advisory urging security teams to patch the flaws.

CVE-2024-47176: CUPS

This vulnerability impacts the Common Unix Printing System, an open-source printing system designed for Linux and other Unix-like operating systems, providing a standardized framework for managing and controlling printers, enabling computers to act as print servers that accept print jobs from client machines, process them, and send them to the appropriate printer. Recently, researchers disclosed that threat actors can exploit vulnerabilities to launch distributed denial-of-service (DDoS) attacks with a 600x amplification factor. Under certain conditions, attackers can chain the set of vulnerabilities in multiple components of CUPS to execute arbitrary code remotely on vulnerable machines. Cyble researchers had warned about the CUPS vulnerability the previous week and reiterated the warning as new exploits emerged.

CVE-2024-45519: Zimbra

This 9.8-severity vulnerability impacts Zimbra Collaboration Suite (ZCS), an integrated communication and collaboration platform designed for businesses and organizations, integrating various tools for email, calendaring, contact management, and document sharing. Unauthenticated users can exploit the flaw to execute commands. Recently, researchers disclosed that attackers are actively exploiting the RCE vulnerability that can be triggered simply by sending specially crafted emails with commands to execute in the CC field, which are then executed when the postjournal service processes the email. Cyble researchers also observed multiple discussions of the vulnerability on the dark web (see Dark Web section below).

CVE-2024-43047: Qualcomm

This zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of Qualcomm chipsets can also be leveraged in spyware campaigns targeting Android devices. Cyble published a report and has highlighted the exploitation of CVE-2024-43047 in targeted attacks. OEMs are encouraged to apply the provided patches immediately. Users concerned about their devices should reach out to manufacturers for specific patch details. 

CVE-2024-43572 and CVE-2024-43573: Microsoft

Microsoft’s October 2024 Patch Tuesday included security updates for 118 flaws, including five publicly disclosed zero-days, two of which are being actively exploited: CVE-2024-43572, a Remote Code Execution vulnerability in Windows Management Console, and CVE-2024-43573, a spoofing vulnerability in the Windows MSHTML Platform.

Cyble researchers observed cybercrime exploit discussions on the other zero days reported by Microsoft (see Dark Web section below): CVE-2024-38200, a Microsoft Office Spoofing vulnerability; CVE-2024-29050, a Remote Code Execution (RCE) flaw in Windows 10 for x32- and x64-based Systems; and CVE-2024-6769, a Privilege Escalation vulnerability in Windows 10, Windows 11 – 10.0.0, Windows Server 2016, Windows Server 2019 – 10.0.0.

Dark Web and Cybercrime Forum Exploits

CRIL observed multiple Telegram channels and cybercrime forums sharing or discussing exploits weaponizing different vulnerabilities. The vulnerabilities under discussion included:


CVE-2024-38200: A critical vulnerability affecting multiple versions of Microsoft Office that arises from improper handling of certain document properties within Microsoft Office applications. It could potentially expose sensitive information such as NTLM hashes.

CVE-2024-29050: A Windows Cryptographic Services Remote Code Execution (RCE) vulnerability that arises from truncation errors that occur when a primitive data type is cast to a smaller size, resulting in potential data loss during conversion.

CVE-2024-6769: A vulnerability affecting multiple versions of Microsoft Windows, including Windows 10, Windows 11, and various Windows Server editions. The vulnerability exploits a combination of DLL Hijacking and Activation Cache Poisoning, allowing an attacker to elevate privileges from a medium to a high-integrity process without triggering a User Account Control (UAC) prompt.

CVE-2024-7479: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of VPN drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.

CVE-2024-7481: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of printer drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.

CVE-2024-36435: A critical vulnerability in the Baseboard Management Controller (BMC) firmware of several Supermicro enterprise products. The vulnerability allows unauthenticated attackers to exploit a buffer overflow, leading to remote code execution (RCE).

CVE-2024-38816: A high-severity path traversal vulnerability discovered in the Spring Framework and VMWare Tanzu Spring platform, affecting multiple versions. This vulnerability allows attackers to exploit improper handling of static resources, potentially gaining unauthorized access to sensitive files on the server.

CVE-2024-45519: Proofs of Concept (PoCs) of this widely reported Zimbra vulnerability are shared on multiple Telegram channels. It is a critical Remote Code Execution (RCE) vulnerability that was discovered in the postjournal service of the Zimbra Collaboration Suite, a widely used email and collaboration platform.

CVE-2024-45409: A critical vulnerability affecting the Ruby SAML and OmniAuth SAML libraries. This flaw allows unauthenticated attackers to bypass Security Assertion Markup Language (SAML) authentication mechanisms by exploiting weaknesses in the signature verification process of SAML responses. Cyble honeypot sensors detected active attacks on this vulnerability.

CVE-2024-26304: A critical vulnerability affecting HPE Aruba Devices, classified as an unauthenticated buffer overflow vulnerability in the L2/L3 Management Service accessed via the PAPI Protocol. The vulnerability allows attackers to send specially crafted packets to the PAPI UDP port (8211), potentially enabling them to execute arbitrary code as a privileged user on the affected system.

CVE-2024-5830: A critical security vulnerability was discovered in Google Chrome’s V8 JavaScript engine, affecting versions prior to 126.0.6478.54. This vulnerability is a type confusion bug, which an attacker can exploit to execute arbitrary code within the Chrome renderer sandbox simply by enticing a victim to visit a malicious website.

CVE-2024-44193: This is a vulnerability affecting Apple iTunes for Windows, specifically versions prior to 12.13.3. The vulnerability allows local attackers to elevate their privileges on affected systems, posing significant security risks.

CVE-2024-8275: A threat actor (TA) shared a PoC on a forum for a critical SQL injection vulnerability discovered in the Events Calendar Plugin for WordPress. The vulnerability affects all versions up to and including 6.6.4 and arises from insufficient input validation in specific functions.

CVE-2024-43363: A TA on a forum shared a PoC for a high-severity vulnerability affecting Cacti, a fault management framework. The vulnerability allows attackers to exploit the system remotely, potentially compromising sensitive data and system integrity.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:


To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, Microsoft Dark Web Exploits appeared first on Cyble.

Blog – Cyble – ​Read More

ANY.RUN’s Upgraded Linux Sandbox for Fast and Secure Malware Analysis

At ANY.RUN, we’re always working to improve our services, and this time, we’ve focused on making our Linux sandbox even better. We’ve fine-tuned every detail to ensure it runs as smoothly and reliably as our Windows environment.  

From bug fixes to feature enhancements, our Linux sandbox is now more powerful and stable than ever, giving you a seamless experience when analyzing Linux malware. 

What’s Updated in ANY.RUN’s Linux Sandbox? 

We’ve packed our latest update with powerful new features and improvements that upgrade both performance and usability.  

Here’s what’s new in our Linux sandbox and how these enhancements benefit you: 

Stable Chrome browser by default: We’ve integrated a stable version of Chrome as the default browser for Linux environments. This ensures smoother, faster browsing and more reliable interaction with suspicious websites during your analysis sessions. 

Chrome browser inside ANY.RUN’s Linux sandbox

Improved process tree performance: We’ve eliminated the lag that previously occurred when navigating the process tree. Now, you can explore process details without any delays, making malware behavior analysis much more efficient. 

Improved process tree inside Linux sandbox

Additional file uploads for Linux: This means that you can now upload files in real time while an analysis session is running, enabling a more dynamic investigation process. Instead of having to restart or set up a new session for each file, you can simply upload more files during the current session. 

Additional file uploads in updated Linux sandbox

File events tracking: This feature allows users to monitor and log every action the malware performs on files within the Linux sandbox environment. For example, if the malware creates, modifies, deletes, or moves files, those actions are now captured and presented in the analysis report. 

Analyze malware in Linux and Windows VMs

Sign up for a free ANY.RUN account to access interactive malware analysis with no limit.

Investigate any threat with ease.



Now you can get a clearer view of how the malware interacts with the file system, providing deeper insights into the malware’s behavior and making it easier to trace malicious activities. 

File modifications demonstrated in ANY.RUN’s Linux sandbox

Clipboard feature: A new clipboard function has been introduced, allowing you to copy and paste content directly within the sandbox. This small addition significantly improves workflow and efficiency during interactive sessions. 

VM Clipboard in Linux sandbox

Improved Locale (OS Language) selection: We’ve enhanced the Locale (OS Language) choice feature in the Linux sandbox, making it more reliable and error-free. Now, during configuration, you can easily select the desired locale from the dropdown menu, ensuring that the operating system language is set correctly for your analysis session. 

This improvement is crucial because malware often behaves differently depending on the system’s language settings. For example, some malware may only activate in specific locales, or attackers may target systems based on region-specific characteristics. By choosing the correct locale, you can replicate real-world scenarios more accurately.

Improved Locale selection in Linux sandbox 

Internal stability improvements: We’ve also carried out other optimizations to ensure the Linux sandbox runs as smoothly and reliably as our Windows sandbox.  

These improvements include removing various bugs, making performance tweaks, and implementing backend updates. While these changes might not be immediately visible, they play a crucial role in enhancing the overall stability and efficiency of the Linux sandbox, giving you a seamless experience when analyzing malware. 

Let’s Analyze Mirai Malware in Linux Sandbox 

To see the updated Linux sandbox in action, let’s dive into how one of the most infamous Linux malware threats, Mirai, can be analyzed in just a few steps. 

It’s easy, fast and straightforward: 

1. Choose the right option for analysis 

To begin the analysis, we need to choose one of the options: 

Upload the suspicious file: You can explore a variety of formats, including shell scripts, ELF executables, tarballs, and more. Even common files like Word documents, which might carry hidden malware targeting Linux, can be checked thoroughly. 

Copy and paste the suspicious link: Safely browse shady websites, whether they’re suspected of hosting malware or trying to pull off phishing scams. 

Linux malware analysis options inside ANY.RUN 

2. Configure the sandbox settings

After selecting the option you need, you can adjust the sandbox settings. A key step is choosing “Linux OS” from the list of operating systems in the dropdown menu. This ensures the analysis session will run on a Linux system, providing the right environment for your testing. 

Ready? Hit that “Run analysis” button and start interacting with the file or link to check if it’s malicious. 

In our case, we’re running a malware analysis session with Mirai: 

Mirai malware analyzed in ANY.RUN’s Linux sandbox 

3. Start analyzing the Linux malware 

After launching the analysis, the Linux sandbox will display tags related to the threat at hand.  

Just take a glance at the top-right corner of the screen. In our case, the sandbox provides tags “mirai” and “botnet”.

Once you finish the analysis, the sandbox will show the final verdict, letting you know if the file or link is malicious or safe.  

Malicious activity label displayed in ANY.RUN’s Linux sandbox

If you want more details about the specific malware, you can click on the links provided by the Tracker located next to the indicators. This will take you to the malware tracker, where you can read a detailed description of the malware, including its origin, execution analysis, distribution methods, and much more. 

Learn to analyze malware

See detailed guide to advanced malware and phishing analysis with ANY.RUN’s Interactive Sandbox.

Investigate any threat with ease.



Detailed malware processes 

Next, over on the right side, you’ll find the process tree, showing all the parent PIDs and their child PIDs. This gives you a clear view of how malware behaves across processes. Want more details? Just click on any process, and you’ll get a deep dive into its activity. 

Process details displayed in ANY.RUN’s Linux malware 

Network analysis details 

Below the virtual machine, you’ll also see a breakdown of all the network activity—split into HTTP requests, connections, DNS requests, and detected threats. This info is key for understanding the malware’s behavior.  

HTTP requests in ANY.RUN’s sandbox

For example, in our analysis session with Mirai malware, we can see how it uploads ELF files designed for specific system architectures. 

Static discovery with ELF execution 

By piecing together these insights, you get a comprehensive look at how the malware operates, making it easier to investigate and respond to potential threats. 

Collection of IOCs and network reputation 

For further analysis of the malware, you can easily gather all the IOCs (Indicators of Compromise) linked to the task by clicking the IOC button on the right side of the screen. 

No need to jump between tabs—everything you need is collected in one place, making it quicker and easier to manage.

Plus, before each IOC, you’ll find a network reputation indicator that lets you know whether the item is whitelisted or flagged as malicious, so you can prioritize it in your investigation. 

IOCs gathered inside ANY.RUN’s Linux sandbox 

MITRE ATT&CK tactics and techniques 

ANY.RUN’s Linux sandbox also includes the MITRE ATT&CK Matrix framework, which is super helpful for understanding the techniques and tactics used in malware attacks.  

Simply click the ATT&CK button, and you’ll be redirected to a new page showing all the techniques employed in the specific malware activity.  

MITRE ATT&CK tactics and techniques used for Mirai malware attack

For example, in our Mirai malware analysis, one of the tactics used by the attackers was leveraging wget to download additional content—highlighting just how attackers manipulate common tools for malicious purposes. 

MITRE ATT&CK Matrix framework techniques displayed in ANY.RUN’s Linux sandbox 

Process graph 

ANY.RUN’s Linux sandbox offers a process graph that visually maps out the entire malware attack, showing every action the malware takes from start to finish. This graph gives you a clear, easy-to-understand view of the attack’s flow—how it starts, what files are accessed, and what processes are executed. 

This feature is especially useful for more complex malware, where multiple actions happen simultaneously. You can zoom in on individual processes or view the bigger picture to get a complete understanding of how malware spreads and what it’s trying to accomplish. 

Here is the process graph of our analysis, showing how Mirai infiltrates the system: 

Process graph of Mirai malware  

Mirai malware analysis text report 

During our interactive analysis of Mirai malware in the Linux sandbox, we saw just how detailed the investigation can get. From process trees to network interactions, the sandbox provides a deep dive into every aspect of the malware’s behavior. 

Mirai text report generated by ANY.RUN’s Linux sandbox 

If you need to collect and review all this information later, you can easily do so by clicking the “Text Report” button in the upper right corner. This feature gathers all the critical details into one report, combining everything from the process graphs to the full scope of network activity for further analysis.  

Learn more: Malware Analysis Report in One Click 

Why Use ANY.RUN’s Linux Sandbox? 

ANY.RUN’s Linux sandbox is built for both security professionals and beginners who need a reliable and fast environment to analyze malware targeting Linux systems. 

Real-time analysis: Watch malware activity live and react to the behavior instantly. 

Full isolation: Safely inspect files and URLs without risking your main system. 

Comprehensive threat detection: Handle all Linux malware types, including backdoors and crypto miners. 

Easy setup: Start a session in just a few clicks—no complex setup required. 

Interactive environment: Interact directly with the malware and see its impact in real-time. 

Centralized IOCs: All indicators of compromise are gathered in one spot for easy access. 

Secure Cloud: Everything runs safely in the cloud—no need for local software. 

Detailed report: Receive a comprehensive analysis report after each session, including all critical findings. 

Experience ANY.RUN’s Full Power with a Free Trial 

Unlock the full potential of ANY.RUN with advanced features to elevate your malware analysis: 

Windows 11 VM

Private mode

Team collaboration tools 

API access and integration with Splunk and OpenCTI

And more

Request free trial → 

About ANY.RUN   

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.   

The post ANY.RUN’s Upgraded Linux Sandbox <br>for Fast and Secure Malware Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

What to do if you receive a sextortion email | Kaspersky official blog

Sextortion — a portmanteau of “sex” and “extortion” — originally referred to blackmail using compromising photos or videos obtained either by hacking a victim’s device or voluntarily from the victim themselves. While this form of crime still exists, today’s sextortioners are far less likely to be in the possession of any juicy material. Some varieties of sextortion work even when the victim knows for certain that no compromising material featuring them could possibly exist. Let’s get to the bottom (so to speak) of all the latest sextortion scams, and ways to counter them.

“Your spouse is cheating on you”

This fresh sextortion tactic preys on jealousy instead of shame. A spouse receives an email from a “security company” saying it has gained access to (read: hacked) their other half’s personal devices and found proof of infidelity. For details, including a downloaded data archive, the recipient is invited to follow the link kindly provided. Of course, the attackers have no data at all other than the names and email addresses of the couple, and the link is there to extract money.

“I recorded you on video”

This is the classic sextortion scheme. The victim receives an email claiming that the sender hacked their computer or smartphone and recorded them through the webcam while they were browsing porn sites. To stop friends and family from seeing the video, the “hackers” demand an urgent payment in cryptocurrency. To make it more convincing, they may address the victim by name and insert in the email an actual password the recipient has used for some accounts. In reality, the sextortioners simply buy databases of stolen credentials, thousands of which are available on the dark web, and then fire out standard emails with passwords from this database to the corresponding addresses.

“You have a beautiful home”

To target those unfazed by cybervillains knowing their password, a new scheme was invented. The perpetrator mentions that if the victim fails to contact the attackers about the hush payment, they’ll come to discuss the matter in person. To add weight to the threat, the email includes a photo of the victim’s home taken from Google Maps. Obviously, for this trick to work, the attackers need databases that contain not only emails and passwords but also home addresses, which they can get from online-store data leaks.

“I recorded you on video, see for yourself”

Another popular sextortion scam doesn’t demand a cryptocurrency payment but instead tries to install malware on the victim’s computer. An email invites the recipient to watch a video to see how serious the threat is, but to do so they need to visit a website and install a special player — infected, of course.

“You’ve been deepfaked”

This relatively new version of the scam works quite well on people who are sure that no compromising videos of them exist. After all, deepfake videos and deepfake porn with celebrities’ faces superimposed on porn actors’ bodies have been widely reported in the media. The scam comes in two flavors: in one, the attackers simply claim to have made a deepfake; in the other, they actually have. It’s easy to tell them apart: in the latter, the deepfake is immediately presented to the victim — sometimes even in the form of a physical letter delivered to their work address. To make such a deepfake, of course, good-quality photos and videos of the victim are needed. You can reduce your chances of being attacked in this way by not posting countless selfies and other clear shots of your face on social media.

“You’re going to jail”

Another variety of sextortion is a scam email accusing the recipient of possessing child pornography. The sender claims to be work for law enforcement and is preparing a list of pedophiles for mass arrest. The recipient is among them, states the email. To get their name removed from the list, the victim is invited to pay a ransom. Criminals can be quite creative with their threats, so some variants of the scheme are even more outlandish: the sender may “work for the CIA”, “manage a website for hiring hitmen”, or even “have planted a bomb under your house”.

What to do if you receive a sextortion email

Don’t panic. Nearly all sextortion scams are just empty threats. Scammers send out millions of identical emails and do nothing to those who ignore them (since that’s all they can do). Therefore, the best response is to mark the email as spam and delete it. By the way, Kaspersky Plus and Kaspersky Premium users are protected against the vast majority of spam, as well as malicious websites and apps that are distributed under the guise of such spam.

The exception is when you know the sender personally, or there are real incriminating photos and videos attached to the email. In this case, you could be dealing not only with sextortion but also with defamatory deepfakes — two very serious crimes in most countries. Put all embarrassment aside and contact the police immediately.

How to guard against intimate photo leaks

If you’ve ever taken a nude, sent it to someone, or saved it on a device, read our detailed guide on how to safely store intimate photos and videos, and what to do if they still leak online (spoiler: they can still be removed even from the internet!)

Kaspersky official blog – ​Read More

Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus

Key Takeaways


Cyble Research and Intelligence Labs (CRIL) identified a campaign called “ErrorFather” that utilized an undetected Cerberus Android Banking Trojan payload.

ErrorFather employs a sophisticated infection chain involving multiple stages (session-based droppers, native libraries, and encrypted payloads), complicating detection and removal efforts.

The campaign ramped up in activity in September and October 2024, with more samples and ongoing campaigns suggesting active targeting and scaling by the Threat Actors (TAs) behind the ErrorFather campaign.

The final payload employs keylogging, overlay attacks, VNC, and Domain Generation Algorithm (DGA) to perform malicious activities.

ErrorFather’s incorporation of a Domain Generation Algorithm (DGA) ensures resilience by enabling dynamic C&C server updates, keeping the malware operational even if primary servers are taken down.

The campaign highlights how repurposed malware from leaks can continue to pose significant threats years after its original appearance.

Overview

The Cerberus Android Banking Trojan initially emerged in 2019 and was available for rent on underground forums. It gained notoriety for its ability to target financial and social media apps by exploiting the Accessibility service, using overlay attacks, and incorporating VNC and keylogging features. Its widespread reach made it one of the most well-known banking trojans at the time.

In 2020, following the leak of Cerberus’ source code, a new variant called “Alien” appeared, leveraging Cerberus’ codebase. Then, in 2021, another banking trojan called “ERMAC” surfaced, also building on Cerberus’ code and targeting over 450 financial and social media apps.

At the beginning of 2024, a new threat known as the Phoenix Android Banking Trojan was discovered. Claiming to be a fresh botnet, Phoenix was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications.

Cyble Research and Intelligence Labs (CRIL) recently uncovered several malicious samples posing as Chrome and Play Store apps. These samples use a multi-stage dropper to deploy a banking trojan payload, which was found to be leveraging the Cerberus Banking Trojan.

The identified sample “0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7” acts as a first-stage dropper application that drops and installs the final-signed.apk from assets, communicates with a Telegram Bot URL, and sends the device model, brand, and API version.

The Telegram Bot ID corresponds to the ErrorFather Bot, as shown in the figure below. Given the bot’s name and the recent updates to this variant (covered in the Technical Analysis section), we are referring to this campaign as ErrorFather.

We have identified approximately 15 samples related to the ErrorFather campaign, including session-based droppers and their associated payloads. The first sample was detected in mid-September 2024, followed by a noticeable increase in samples during the first week of October 2024, with an active Command and Control (C&C) server suggesting ongoing campaigns.

The following section provides a technical analysis of the Cerberus malware used by the ErrorFather Campaign.

Technical Details

Multi-staged dropper

The primary APK is a session-based dropper that contains a second-stage APK file named “final-signed.apk” within the Assets folder. It uses the Google Play Store icon and employs a session-based installation technique to install the APK from the assets, bypassing restricted settings.

The second-stage dropper, “final-signed.apk,” has a manifest file that requests dangerous permissions and services, but the code implementation is missing, indicating that the malware is packed. It includes a native file, “libmcfae.so,” which is immediately loaded after installation to decrypt and execute the final payload.

The native file is responsible for handling the final payload. It uses the encrypted file “rbyypivsnw.png,” obtains the AES key and initialization vector (IV), performs decryption, and loads the “decrypted.dex” file at the location /data/data/suds.expend.affiliate.rising/code_cache/, as illustrated in the figure below.

The decrypted.dex file is the final payload, containing malicious functionalities such as keylogging, overlay attacks, VNC, PII collection, and the use of a Domain Generation Algorithm (DGA) to create a Command and Control (C&C) server. Notably, when submitted to VirusTotal, the decrypted.dex file was not flagged by any antivirus engine.

Leveraging Cerberus code

Based on the detection count, initially, we suspected it to be a fresh banking trojan, but upon deeper analysis of the final payload, we discovered significant code similarities with Cerberus. The TA behind the ErrorFather campaign had modified variable names, used more obfuscation, and reorganized the code, effectively evading detection despite Cerberus being identified in 2019.

Comparing the Cerberus sample and the more recent Phoenix botnet, we noticed changes in this recent variant of Cerberus used in the ErrorFather campaign, particularly in its C&C structure. These differences suggest that the identified sample is a distinct malware variant.

Use of DGA

We observed the malware retrieving list of C&C servers using two methods. First, after installation and establishing a connection with the main C&C server, referred to by the TA as “PoisonConnect,” the malware receives a list of four additional C&C servers. It then stores these in the “ConnectGates” shared preferences setting, as shown in the figure below.

We observed a slight variation in the C&C communication. Samples from the ErrorFather campaign solely use RC4 encryption to send a full JSON payload, including the action type. In contrast, earlier Cerberus samples utilized Base64 encoding combined with RC4, with the action type sent unencrypted via separate parameters. The figure below illustrates the C&C communication for both the ErrorFather campaign and the earlier Cerberus samples.

Second, the malware incorporates a DGA (Domain Generation Algorithm) that utilizes the Istanbul timezone to obtain the current date and time. It then generates MD5 and passes the digest to SHA-1 hash, appending one of four extensions: “.click”, “.com”, “.homes”, and “.net”. These generated domains are stored in the same “ConnectGates” setting. The figure below demonstrates the DGA used in the ErrorFather campaign.

The figure below illustrates the malware connecting to domains generated by a DGA when the primary C&C server is unavailable.

In 2022, Alien was observed similarly implementing a DGA process. However, unlike the ErrorFather campaign, it did not maintain a list of domains, used only the “.xyz” extension, and did not rely on a specific timezone.

Actions used by malware

The TA has renamed the “Actions” to “Types,” as shown in Figure 11. These renamed types indicate the actions performed by the malware and the expected commands from the C&C server. Upon analysis, we observed that the actions carried out by this malware closely resemble those seen in earlier Cerberus variants, with the primary difference being the renaming of action identifiers. Below is a comprehensive list of actions performed by the malware.

Type of action
Description

checkAppList
Send the list of installed application package names

getFile
Sends the target application package name to receive the HTML injection file

getResponse
Retrieve the server’s response, and if it is “ok”, store the application log in the shared preferences file.

PrimeService
This action is used to send key logs of targeted application.

getBox
This action is used to send SMSs from the infected device.

fa2prime
Not Implemented

prContact
Used to send contacts to the server

listAppX
This action is similar to the “checkAppList” function, where the malware stores the list of installed application package names based on a command from the server; otherwise, the list remains empty. It will then send the list of installed application package names using this action name.

slService
Sends Accessibility logs

ErrorWatch
Sends error logs using this action type

device_status
Sends device status related to WebSocket connection

image
Sends captured images as a part of the VNC function

traverse
Sends accessibility node information

CheckDomain
This action is sent by DGA generated domain to validate domain

RegisterUser
Registers device and receives registration ID, it is similar to bot ID

CheckUser
Sends setting information and checks whether the user is registered or not

VNC implementation using MediaProjection

During our malware analysis, we identified two keywords related to VNC: “StatusVNC” and “StatusHVNC.” While HVNC implementation is absent in this campaign, it was previously present in the Phoenix botnet, a fork of Cerberus. VNC functionality is implemented using MediaProjection, along with a WebSocket connection to continuously transmit screen images and receive VNC actions from the Websocket response to interact with the device.

Overlay Attack

The overlay technique remains unchanged from the earlier Cerberus variant. The malware first sends the installed application package names list to identify potential targets. Once a target is identified, the server responds with the package names of the target applications. The malware then uses the “getFile” action to retrieve the HTML web injection page, as shown in the figure below.

When the victim interacts with the target application, the malware loads a fake phishing page over the legitimate app. This tricks the victim into entering their login credentials and credit card details on the fraudulent banking overlay page.

The Cerberus malware used in the ErrorFather campaign can carry out financial fraud through VNC, keylogging, and overlay attacks.

Conclusion

The Cerberus Android Banking Trojan, first identified in 2019, became a prominent tool for financial fraud using VNC, keylogging, and overlay attacks. Following the leak of its source code, various threat actors repurposed the Cerberus code to develop new banking trojans, including Alien, ERMAC, and Phoenix. The ErrorFather campaign is another example of this pattern. While the TA behind ErrorFather has slightly modified the malware, it remains primarily based on the original Cerberus code, making it inappropriate to classify it as entirely new malware.

In the ErrorFather campaign, the malware uses a multi-stage dropper to deploy its payload and leverages techniques such as VNC, keylogging, and HTML injection for fraudulent purposes. Notably, the campaign utilizes a Telegram bot named “ErrorFather” to communicate with the malware. Despite being an older malware strain, the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from previous leaks.

The ErrorFather campaign exemplifies how cybercriminals continue to repurpose and exploit leaked malware source code, underscoring the persistent threat of Cerberus-based attacks even years after the original malware’s discovery.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:


Download and install software only from official app stores like Google Play Store or the iOS App Store.

Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.

Use strong passwords and enforce multi-factor authentication wherever possible.

Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.

Be wary of opening any links received via SMS or emails delivered to your phone.

Ensure that Google Play Protect is enabled on Android devices.

Be careful while enabling any permissions.

Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic
Technique ID
Procedure

Initial Access (TA0027)
Phishing (T1660)
Malware distributing via phishing site

Execution (TA0041)
Native API (T1575)
Malware using native code to drop final payload

Defense Evasion (TA0030)
Masquerading: Match Legitimate Name or Location (T1655.001)
Malware pretending to be the Google Play Update and Chrome application

Defense Evasion (TA0030)
Application Discovery (T1418)
Collects installed application package name list to identify target

Defense Evasion (TA0030)
Indicator Removal on Host: Uninstall Malicious Application (T1630.001)  
Malware can uninstall itself

Defense Evasion (TA0030)
Input Injection (T1516)
Malware can mimic user interaction, perform clicks and various gestures, and input data

Collection (TA0035)
Input Capture: Keylogging (T1417.001)
Malware can capture keystrokes

Discovery (TA0032)
Software Discovery (T1418)
Malware collects installed application package list

Discovery (TA0032)
System Information Discovery (T1426)
The malware collects basic device information.

Collection (TA0035)
Screen Capture (T1513)
Malware can record screen content

Collection (TA0035)
Audio Capture (T1429)
Malware captures Audio recordings

Collection (TA0035)
Call Control (T1616)
Malware can make calls

Collection (TA0035)
Protected User Data: Contact List (T1636.003)
Malware steals contacts

Collection (TA0035)
Protected User Data: SMS Messages
(T1636.004)
Steals SMSs from the infected device

Command and Control (TA0037)
Dynamic Resolution: Domain Generation Algorithms (T1637.001)
Malware has implemented DGA

Command and Control (TA0037)
Encrypted Channel: Symmetric Cryptography (T1521.001)
Malware uses RC4 for encrypting C&C communication

Exfiltration (TA0036)
Exfiltration Over C2 Channel (T1646)
Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators
Indicator Type
Description

0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 9373860987c13cff160251366d2c6eb5cbb3867e 0544cc3bcd124e6e3f5200416d073b77
SHA256 SHA1 MD5
Session-based dropper

880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc cb6f9bcd4b491858583ee9f10b72c0582bf94ab1 d9763c68ebbfaeef4334cfefc54b322f
SHA256 SHA1 MD5
Second-stage dropper

6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359 c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b f9d5b402acee67675f87d33d7d52b364
SHA256 SHA1 MD5
Final undetected Cerberus payload

hxxp://cmsspain[.homes hxxp://consulting-service-andro[.ru hxxp://cmscrocospain[.shop hxxp://cmsspain[.lol hxxp://cmsspain[.shop
URL
C&C server

hxxp://elstersecure-plus[.online hxxps://secure-plus[.online/ElsterSecure[.apk
URL
Distribution and phishing URL

hxxps://api[.telegram[.org/bot7779906180:AAE3uTyuoDX0YpV1DBJyz5zgwvvVg-up4xo/sendMessage?chat_id=5915822121&text=
URL
Telegram bot URL

4c7f90d103b54ba78b85f92d967ef4cdcc0102d3756e1400383e774d2f27bb2e 8f3e3a2a63110674ea63fb6abe4a1889fc516dd6851e8c47298c7987e67ff9b6 c570e075f9676e79a1c43e9879945f4fe0f54ef5c78a5289fe72ce3ef6232a14 a2c701fcea4ed167fdb3131d292124eb55389bc746fcef8ca2c8642ba925895c 8faa93be87bb327e760420b2faa33f0f972899a47c80dc2bc07b260c18dfcb14 ee87b4c50e5573cba366efaa01b8719902b8bed8277f1903e764f9b4334778d0 136d00629e8cd59a6be639b0eaef925fd8cd68cbcbdb71a3a407836c560b8579 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11 5bd21d0007d34f67faeb71081309e25903f15f237c1f7b094634584ca9dd873e 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc 0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 6b8911dfdf1961de9dd2c3f9b141a6c5b1029311c66e9ded9bca4d21635c0c49 befe69191247abf80c5a725e1f1024f7195fa85a7af759db2546941711f6e6ae 9d966baefa96213861756fde502569d7bba9c755d13e586e7aaca3d0949cbdc3
SHA256
Malicious First and second-stage files from the ErrorFather campaign

The post Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus appeared first on Cyble.

Blog – Cyble – ​Read More

Docusign-themed phishing emails | Kaspersky official blog

Phishers are forever devising new tricks and finding new services to exploit and impersonate in their phishing campaigns. Today we talk about phishing emails that appear to come from Docusign, the world’s most popular e-signature service.

How Docusign-themed phishing works

The attack begins with an email, typically designed to resemble a legitimate Docusign communication. In this particular scheme, phishers don’t generally bother meticulously forging or masking the sender address, because genuine Docusign emails can originate from any address due to the service’s customization options.

In most cases, the victim is notified that they need to electronically sign a document — usually a financial one — the exact purpose of which isn’t entirely clear from the text of the email.

Example of a phishing email supposedly from Docusign: in this case, the link to the phishing page is located right in the body of the email

In some cases, phishers employ an additional trick we’ve covered in a separate post before: the email contains a PDF attachment with a QR code inside.

Example of a phishing email supposedly from Docusign with a PDF attachment instead of a link

The victim is prompted to scan this QR code — supposedly to access the document for signing. In reality, the QR code leads to a phishing website. This method tricks users into opening the malicious link not on their computers, but on their smartphones — where phishing URLs are harder to detect, and security software might not be installed.

Sometimes the email doesn’t mention Docusign at all. In one version of the PDF-with-QR-code scam, which we recently discussed in a post about spearphishing techniques in mass emails, only inside the PDF is Docusign mentioned.

Another example of a phishing PDF attachment with a link hidden in a QR code

Sometimes the cybercriminals take care to replicate the appearance of a legitimate Docusign email — complete with a security code at the foot of the email:

High-quality fake Docusign email

In some cases, phishers mimic Docusign integration with Microsoft SharePoint:

Example of phishers mimicking Docusign integration with Microsoft SharePoint

And in other cases, scam emails have nothing in common with the genuine ones. Here, for instance, the phishers were too lazy even to add the Docusign logo:

This phishing email doesn’t even have the Docusign logo

In short, the tactics and quality of execution can vary from email to email. However, the core principle remains the same: phishers rely on the recipient not understanding how e-signing with Docusign actually works.

The inattentive victim follows the link (or QR code) to the phishing page and enters their work login credentials, which go straight to the attackers.

Usernames and passwords harvested through successful phishing attacks are often compiled into databases sold on illicit dark web marketplaces, and later used to attack organizations.

How e-signing with Docusign actually works

The actual process of signing a document with Docusign for the regular user is simplicity itself. You receive an email from the party requesting the signature — which contains an unmissable big yellow <em>Review Document</em> button.

A genuine Docusign email looks something like this. Source

Clicking this button redirects you through a unique link to the Docusign website (on the docusign.net domain). The page that opens displays a short message from the initiating party, flanked by a <em>Continue</em> button, similarly large and yellow.

Clicking the button in the email immediately opens the document-signing page at Docusign.com. Source

The document for signing is available immediately — without entering any passwords. You simply review it, maybe add some details (such as name, date, and so on) in the appropriate fields, apply your signature, and click the <em>Finish</em> button (which is — you guessed it — also big and yellow). All done. No further actions required.

Now for what Docusign will NEVER do:

Send a PDF attachment with a link to a document to be signed. Bona fide Docusign notifications have no attachments, and display the <em>Review Document</em> button directly in the body of the email.
Give you no choice but to scan a QR code. Docusign works on both mobile devices and computers, so a link is always provided to access the document — not a QR code.
Require you to enter work login credentials. All the information Docusign needs is contained within the unique link sent in the email, so regular users aren’t required to undergo authentication to sign a document.
Force you to register with or log in to Docusign. After you sign the document, Docusign might suggest creating an account, but it’s entirely optional.

Remember that the whole purpose of Docusign is to make it as easy as possible for companies and individuals to exchange electronically-signed documents.

Any additional steps or restrictions — such as creating an account, entering credentials, opening attachments, or using only a smartphone to sign — go against this principle. Therefore, Docusign asks for none of this and strives to make the signing process as quick and simple as possible.

How to guard against phishing

To protect your organization from phishing attacks that impersonate Docusign or other popular services, consider the following measures:

Filtering out suspicious and unwanted email at the gateway level — our comprehensive solution Kaspersky Security for Mail Servers will do this for you.
Protecting endpoints from phishing redirects with Kaspersky Small Office Security or Kaspersky Next — depending on the size of your organization.
Raising employee awareness of cyberthreats with specialized training. Such training is easy to deliver using our educational Kaspersky Automated Security Awareness Platform.

Kaspersky official blog – ​Read More

Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework

Key Takeaways


Cyble honeypot sensors detected several new cyberattacks in recent days, targeting vulnerabilities in the Ruby SAML library, D-Link NAS devices, the aiohttp client-server framework, a WordPress plugin, and more.

Cyble’s Vulnerability Intelligence unit also discovered new phishing campaigns and brute-force attacks.

Clients are urged to address the vulnerabilities identified in the report and apply best practices.

Overview

The Cyble Vulnerability Intelligence unit identified several new cyberattacks during the week of Oct. 2-8.

Among the targets are the Ruby SAML library, several D-Link NAS devices, the aiohttp client-server framework used for asyncio and Python, and a popular WordPress plugin used by restaurants and other businesses.

Cyble sensors also uncovered more than 350 new phishing email addresses and thousands of brute-force attacks.

Vulnerabilities Targeted by Threat Actors

The full report for clients looked at more than 40 vulnerabilities under active exploitation by threat actors. Here are four new attacks identified in the report.

Ruby SAML Improper Verification of Cryptographic Signature Vulnerability

The Ruby SAML library implements the client side of SAML authorization. Ruby-SAML in versions up to 1.12.2 and 1.13.0 up to 1.16.0 does not properly verify the signature of the SAML Response. By exploiting the 9.8-severity vulnerability CVE-2024-45409, an unauthenticated attacker with access to any signed SAML document (by the IdP) can forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. The vulnerability is fixed in 1.17.0 and 1.12.3.

aiohttp Path Traversal

CVE-2024-23334 is a Path Traversal vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory. When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are recommended mitigations. Version 3.9.2 fixes this issue.

D-Link NAS Devices Hard-Coded Credentials Vulnerability

A 9.8-severity vulnerability, CVE-2024-3272, is being targeted in end-of-life D-Link NAS devices DNS-320L, DNS-325, DNS-327L, and DNS-340L up to 20240403. The issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely, and the exploit has been disclosed to the public. The associated identifier of this vulnerability is VDB-259283. The vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

PriceListo SQL Injection Vulnerability

CVE-2024-38793 is an improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in the PriceListo Best Restaurant Menu WordPress plugin, allowing for SQL Injection attacks. The issue affects Best Restaurant Menu by PriceListo through 1.4.1.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

Brute-Force Attacks

Cyble sensors also detected thousands of brute-force attacks. Among the top 5 attacker countries, Cyble researchers observed attacks originating from Vietnam targeting ports 22 (43%), 445 (32%), 23 (17%), and 3389 (8%). Attacks originating from Russia targeted ports 3389 (58%), 5900 (35%), 1433 (5%), 3306 (1%) and 445 (1%). Greece, Colombia, and Bulgaria majorly targeted ports 1433, 5900, and 445.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

New Phishing Campaigns Identified

Cyble sensors also detected 351 new phishing email addresses. Below are six phishing scams of note identified by Cyble:

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

Claim Directives 
info@szhualilian.com 
Claim Scam 
Fake refund against claims 

DEAR WINNER 
contact@wine.plala.or.jp 
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

GOD BLESS YOU…. 
info@advanceairsystem.com 
Donation Scam 
Scammers posing as a Donor to donate money 

CHOSEN- EMAIL 
test@mps.elnusa.co.id 
Investment Scam 
Unrealistic investment offers to steal funds or data 

Order 3038137699167518: cleared customs 
support@otm4n3-recrypto.to   
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake government compensation to collect financial details 

Cyble Recommendations

Cyble researchers recommend the following security controls:


Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework appeared first on Cyble.

Blog – Cyble – ​Read More

GoldenJackal jumps the air gap … twice – Week in security with Tony Anscombe

ESET research dives deep into a series of attacks that leveraged bespoke toolsets to compromise air-gapped systems belonging to governmental and diplomatic entities

WeLiveSecurity – ​Read More

Data Breach and DDoS Attacks Take Archive.org and Open Library Offline

Key Takeaways


The massive 57-petabyte Internet Archive has been hit by a data breach, website defacement, exfiltration and DDoS attacks in recent days.

The breach and DDoS attacks so far appear unconnected.

A copy of a user authentication database containing the email addresses and credentials of 31 million users has been provided to Have I Been Pwned.

The attackers have faced criticism for attacking a nonprofit whose goal is to preserve knowledge.

Questions have been raised about Archive’s handling of JavaScript, which appears central to the breach.

As of now, Archive.org and Open Library are offline, and recovery efforts are expected to take “days, not weeks.”

Overview

The Internet Archive has taken its Archive.org and OpenLibrary.org sites offline in response to a data breach and repeated DDoS attacks.

The breach of a user authentication database, which exposed the email addresses and credentials of 31 million users, likely occurred on Sept. 28, as that is the most recent date in a 6.4GB SQL file provided to Troy Hunt of Have I Been Pwned. Archive users did not become aware of the breach until two days ago, when a JavaScript alert appeared on the site that read, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

Internet Archive founder Brewster Kahle confirmed the attacks and website defacement in a Tweet on October 9: “DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”

The DDoS attacks returned yesterday, and Archive and Open Library were taken offline, opting for “being cautious and prioritizing keeping data safe at the expense of service availability.”

In an update today, Kahle said: “The data is safe. Services are offline as we examine and strengthen them. Sorry, but needed. @internetarchive staff is working hard. Estimated Timeline: days, not weeks.”

In the meantime, this notice appears on the Archive home page, and the Open Library site was down at the time of publication:

Breach and DDoS Attacks May Not Be Linked

Shortly after the breach became public, the DDoS attacks were launched by the threat actor group SN_BLACKMETA. In an alert to clients, Cyble said there is as of yet no evidence that the breach and DDoS attacks are related.

“There is no correlation whether the threat actor group SN_BLACKMETA who is behind the DDoS attacks is the same group that also breached Internet Archive,” Cyble said in the alert.

SN_BLACKMETA appears to misunderstand the nature of the non-governmental, non-profit Internet Archive, as the threat group stated as its motive for the attacks that “the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of “Israel”.”

Commenters on Twitter and apparently even in the group’s own Telegram channel (now taken down) criticized targeting the Internet Archive, which has preserved a vast amount of data and records on a small budget. At last count, the Archive contained 57 petabytes of data and more than 866 billion web pages across four data centers in its mission to provide “universal access to all knowledge.”

On Mastodon, independent cybersecurity researcher Kevin Beaumont said, “that isn’t sticking it to some evil multinational, it’s attacking a genuinely great resource run on near nothing resource, sweat and tears. If you’re going to attack things – please aim better.”

Archive Website Security Questioned

In the wake of the attacks, questions are being raised about the Internet Archive’s website security, which allowed a breach, exfiltration, defacement and DDoS attacks within a short time period.

“A Website as large as archive.org should be able to isolate hashed passwords from public accessible Javascript,” one commenter noted. “Wikipedia makes extensive use of Javascript. As far as i know, Javascript is disabled on preferences pages and login Pages.”

The post Data Breach and DDoS Attacks Take Archive.org and Open Library Offline appeared first on Cyble.

Blog – Cyble – ​Read More

Security and privacy settings in Strava | Kaspersky official blog

In a previous post about the privacy of running apps in general, we explained why these apps are a goldmine of personal data for scammers and criminals of all kinds: unfortunately, by default they share sensitive data — including one’s precise location — with virtually anyone. As we mentioned, the consequences can be dire — from leaking the locations of secret facilities, to stalking and even assassination attempts.

In the mentioned previous we also shared detailed instructions on general smartphone settings to minimize these risks. In this and subsequent posts, we discuss specific privacy settings for the most popular running apps. Let’s start with Strava.

Strava (available for Android and iOS) is arguably the most popular app for tracking running, cycling, and hiking workouts. And it’s also the only one that has remained independent: all other major running apps have already been acquired by sportswear giants. Incidentally, Strava has been at the center of several data privacy controversies — including the famous heatmap incident that exposed the location of numerous secret military facilities.

Strava is also often criticized whenever questions arise about how users can track each other through fitness apps. Frankly, these criticisms are still valid: Strava’s default settings are far from private — the app actively encourages you to share your data with the entire internet.

Thankfully, this can be fixed: Strava offers a decent range of privacy settings. To access them, tap You in the bottom-right corner of the screen, then tap the gear icon in the top right corner, and in the window that opens, select Privacy Controls.

Where to find privacy settings in the Strava app: You → Settings → Privacy Controls

First, make your profile private by selecting Profile Page and changing its visibility to Followers. Next, go through the options Activities, Group Activities, Flybys, Local Legends, and Mentions — and set them all to either Followers or — even better — Only You or No One.

Now, we recommend going to Map Visibility and selecting one of the ways the app will hide your run/ride maps:

Hide the start and end points of activities that happen at specific address. This feature allows you to use an address and a radius around it in meters to define an area where your movements will be hidden. This way, you can mask your regular start and finish locations — such as your home address.
Hide the start and end points of activities no matter where they happen. Simply select a radius in meters, and any start and end points will automatically be hidden. This option is more convenient than the first one — and you won’t have to share your address with the app.
Hide your activity maps from others completely. If you choose this option, all location data from your future (but not past) workouts will only be visible to you.

How to hide your activity location data in the Strava app: You → Settings → Privacy Controls → Map Visibility

Keep in mind that, if you use Strava frequently, hiding only the start and end points might not be enough. A study published in late 2022 demonstrates a method for pinpointing hidden locations with 85% accuracy. Therefore, we recommend choosing the third option: Map Visibility → Hide your activity maps from others completely → Hide All Maps.

Note that the privacy settings in Strava aren’t retroactive. If you’ve previously recorded some workouts in the app, the hiding features won’t apply to them. To fix this, go to the Edit Past Activities section, tap Get Started, select Activity Visibility, and tap Next. In the next window, choose either Followers or Only You and tap Next again. After a while (not instantly), your past activities will be hidden.

How to hide past activities in the Strava app: You → Settings → Privacy Controls → Edit Past Activities

The next tip is for those who regularly exercise at sensitive locations and don’t want to accidentally expose them. Go to Aggregated Data Usage and toggle off Contribute your activity data to de-identified, aggregate data sets. After this, your runs won’t appear in places like Strava Metro, the Global Heatmap (the one that leaked the military base locations), Points of Interest, Start Points, or Community Generated Routes.

Go to Public Photos on Routes and disable Share photos with the community. If your profile is private and your activities are hidden from the public, photos you add to your runs shouldn’t be visible anyway. But just in case Strava decides to change things, it’s best to disable this feature explicitly.

Finally, go to Do Not Share My Personal Information and toggle on the switch. This will prevent Strava from selling your data to third parties for targeted advertising (or whatever else those parties might be up to).

Congratulations, you’ve now properly set up your privacy in Strava!

You can learn how to set up privacy in other apps — from social media to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy and protect you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog for more how-to guides and helpful articles to always stay one step ahead of scammers.

Kaspersky official blog – ​Read More

How to properly configure privacy in running apps | Kaspersky official blog

Fitness apps, by their very nature, have access to a wealth of personal data, especially data that tracks outdoor activities — primarily running. During tracking, they collect a ton of data — heart rate and other physical activity metrics, step count, distance covered, elevation changes, and, of course, geolocation — to give you a detailed analysis of your workout.

And people rarely jog in random locations; their routes usually repeat and are often close to home, work, school, military base… Essentially, places they go to often and, most likely, at regular times. What happens if this information falls into the wrong hands?

The consequences can be catastrophic. For instance, a few years ago, a map published by a certain running app revealed the locations of several secret military facilities. And in the summer of 2023, a hitman allegedly used this data to shoot to death Russian submarine commander Stanislav Rzhitsky during his run.

Of course, the leakage of geolocation data can be dangerous not only for military personnel. It’s easy to imagine scenarios where it could lead to trouble not only for obvious targets — such as celebrities, political figures, or top company executives — but for ordinary people too.

Once they’ve got their hands on your movement data, attackers can readily use it for blackmail and intimidation. If the victim hears that the criminal knows all their movements and where they live, they’re significantly more likely to get scared and comply with any demands.

In addition to direct threats, geolocation info complements perfectly data leaked from other apps, or collected through doxing — making targeted attacks much more potent. Don’t think that you’re not important enough for scammers to prepare a complex attack: anyone can become a victim, and the criminals’ end goal isn’t always financial gain.

But it’s not just geolocation data that running apps collect and analyze. Like all fitness apps, they monitor activity and physical condition, which can reveal a lot about a person’s health. This information can also be used in a social engineering attack — because the more an attacker knows about their victim, the more sophisticated and effective their actions can be.

So, it’s essential to take due care when choosing your running app and setting up its privacy — and our tips will help you do just that.

General tips for choosing a running app and configuring its privacy

The first thing you absolutely shouldn’t do is install every running tracker in existence and then choose the one you like best. This way, you’ll hand over your personal data to everyone, significantly increasing the risk of it falling into the wrong hands. The fewer apps you use, the lower the risk of a data leak — but remember, no company can guarantee 100% data security.

Some companies invest more in the security of their users than others, and preference should be given to those who take data protection and anonymization seriously. To ensure this, carefully read the privacy policy of your chosen app: responsible developers will specify what data the app collects, for what purpose, which data might be shared with third parties, and what rights users have regarding their personal data. It’s also worth searching online or asking an AI assistant if the app you’re interested in has been involved in any data leaks — simply type the app’s name plus “data breaches” or “data leak” into a search engine. And, of course, checking user reviews is also a must.

Once you’ve chosen and installed an app, the next thing to do is configure its privacy settings. Unfortunately, many running apps share collected data — including your geolocation — with the entire internet by default. You’ll find links to detailed instructions on how to set up privacy for the most popular running apps — Strava, Nike Run Club, MapMyRun, adidas Running, and ASICS Runkeeper — at the end of this post.

As with any other app, it’s a good idea to use your smartphone’s operating system features to minimize tracking. For example, on iOS, when you first launch the app, you can block it from tracking your activity in other apps. Don’t ignore this option.

In addition, don’t grant the running app access to data that it doesn’t need to function — such as photos, calls, messages, or contacts. To reduce the amount of location data collected, don’t allow fitness trackers (or most other apps, for that matter) to monitor your geolocation continuously — choose the “Only while using the app” option, available on iOS and the latest versions of Android. You can set this when you first launch the app, or later by reviewing all the app’s permissions in your smartphone’s settings or, for Android devices, in Kaspersky for Android.

In general, it’s a good idea to regularly check your smartphone’s privacy and security settings to see which apps have access to which data.

Keep in mind that privacy settings won’t protect you from being tracked if someone guesses your account password. Unfortunately, none of the most popular running apps currently support two-factor authentication — although they really should. Therefore, the best thing you can do to protect your account is to create a long and complex password — preferably at least 16 characters long. Of course, it should be unique. To ensure you don’t forget this combination of characters, save it in a password manager — which, by the way, can also generate a highly secure random password for you.

Privacy settings for popular running apps

We’ve selected the most popular jogging apps and prepared recommendations on how to set up privacy in each of them. Subscribe to our blog to make sure you don’t miss the instructions for your running tracker. As we publish the privacy setup guides, we’ll be updating this post with the relevant links. The following apps will be covered:

Strava
Nike Run Club
MapMyRun
adidas Running (formerly Runtastic)
ASICS Runkeeper

To learn how to set up privacy for other apps — from browsers and social networks to operating systems — visit our website Privacy Checker.

Kaspersky official blog – ​Read More