Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Cybersecurity / Weekly Recap

Hi there! Here's your quick update on the latest in cybersecurity.

Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.

Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date.

In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe.

Let's get started!

****⚡ Threat of the Week****

**China Calls Volt Typhoon an Invention of the U.S.:** China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a "large-scale global internet surveillance network."

****‎️‍Trending CVEs****

CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164

****🔔 Top News****

*   **Apple macOS Flaw Bypasses Privacy Controls in Safari Browser:** Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
*   **Legitimate Red Team Tool Abuse in Real-World Attacks:** Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
*   **TrickMo Can Now Steal Android PINs:** Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device's unlock pattern or PIN by presenting to victims' a bogus web page that mimics the device's actual unlock screen.
*   **FIDO Alliance Debuts New Specs for Passkey Transfer:** One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it's impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
*   **Hijack Loader Uses Legitimate Code-Signing Certificates:** Malware campaigns are now leveraging a loader family called Hijack Loader that's signed legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

****📰 Around the Cyber World****

*   **Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days:** Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
*   **87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113:** About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
*   **Researchers Outline Early Cascade Injection:** Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction."
*   **ESET Israeli Partner Breached to Deliver Wiper Malware:** In a new campaign, threat actors infiltrated cybersecurity company ESET's partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding it was not compromised as a result of the incident.
*   **Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges:** Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it's focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it's using Chrome's accessibility APIs to find security bugs. "We're now 'fuzzing' that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash," Chrome's Adrian Taylor said.

**Cybersecurity Resources & Insights****LIVE Webinars**

**1.** **DSPM Decoded: Learn How Global-e Transformed Their Data Defense**: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this can't-miss webinar, Global-e's CISO breaks down:

*   The exact steps that transformed their data security overnight
*   Insider tricks to implement DSPM with minimal disruption
*   The roadmap that slashed security incidents by 70%

**2.** **Identity Theft 2.0: Defending Against LUCR-3's Advanced Attacks**: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?

Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he:

*   Decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets
*   Unveils the Achilles' heel in your cloud defenses you never knew existed
*   Arms you with the counterpunch that leaves LUCR-3 reeling

This isn't a webinar. It's your war room strategy session against the internet's most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3's next trophy.

**Cybersecurity Tools**

*   **Vulnhuntr****: AI-Powered Open-Source Bug Hunting Tool —** What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.

**Tip of the Week**

**Secure Your Accounts with Hardware Security Key:** For advanced protection, hardware security keys like YubiKey are a game-changer. But here's how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you're never locked out, even if one key is lost. Also, enable "FIDO2/WebAuthn" protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It's security that's physical, smart, and almost foolproof.

****Conclusion****

That's the roundup for this week's cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don't forget, cybersecurity isn't just for the IT team; it's everyone's responsibility. We'll be back next week with more insights and tips to help you stay ahead of the curve.

Stay vigilant, and we'll see you next Monday!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access…

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access to sensitive data like the camera and microphone. Patch now to stay protected.

A vulnerability discovered by cybersecurity researchers at Microsoft Threat Intelligence in macOS allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, granting unauthorized access to sensitive user data.

Dubbed “HM Surf” by researchers; researchers warned that active exploitation may be taking place. The vulnerability has been assigned CVE-2024-44133.

The HM Surf vulnerability involves removing the TCC protection for the **Safari browser** directory and modifying a configuration file, enabling attackers to access users’ browsing history, camera, microphone, and location without their consent. The vulnerability is serious as it also allows attackers to gather sensitive information and use it for malicious purposes.

****How the Vulnerability Works****

The **TCC technology** prevents apps from accessing users’ personal information without their prior consent and knowledge. However, the HM Surf vulnerability exploits a weakness in the way TCC protects the Safari browser directory. By removing the TCC protection and modifying the configuration file, attackers can gain access to sensitive user data.

Microsoft’s blog post shared with Hackread.com ahead of publishing on October 18, 2024, detected “potential exploitation” activity associated with **Adload**, a prevalent macOS malware (adware) family.

The company’s behavioural monitoring protections in Microsoft Defender for Endpoint have identified suspicious activity, including anomalous modification of the Preferences file through HM Surf or other methods.

**John Bambenek**, President at Bambenek Consulting weighed in on the situation, urging users to install patches and save their data, especially their videos.

_“_In essence, this is a privilege escalation vulnerability that requires executing malicious instructions on the victim machine, which running malware could do and the most obvious risk here is to target home users to try to capture video of a victim in a compromising position for later sextortion use,_“_ John warned. _“_Security teams should update, however, it is important to have defences in place that prevent malware getting on the machines in the first place._“_

****Apple’s Response****

Apple has released a fix for the vulnerability as part of **security updates for macOS Sequoia**, which was released on September 16, 2024. The company has also introduced new APIs for App Group Containers that make System Integrity Policy (SIP) protect configuration files from being modified by an external attacker.

To protect themselves from this vulnerability, macOS users are urged to apply the security updates as soon as possible. Additionally, users should be cautious when granting permissions to apps and ensure that they only allow access to sensitive information when necessary.

****Install Patches ASAP!****

The identification, reporting, and patching of the HM Surf vulnerability highlight one key point: cross-platform threat intelligence sharing is essential for a secure cybersecurity future. Businesses and users should install the security patches released by Apple in September. For the future, it’s recommended to enable auto-updates on macOS devices so that such threats are automatically addressed with new security updates.

1.  **Apple Safari Safest, Google Chrome Riskiest Browser**
2.  **Apple Issues Device Updates to Patch Critical Vulnerability**
3.  **Hackers Could Exploit Microsoft Teams on macOS to Steal Data**
4.  **Scylla Ad Fraud on iOS, Android Users Halted by Apple and Google**
5.  **Apple Shortcuts Vulnerability Exposes Sensitive Data, Update Now!**

“HM Surf” macOS Flaw Lets Attackers Access Camera and Mic – Patch Now!

PRESS RELEASE

October 17, 2024: OpenAI is projected to generate over $10 billion in revenue next year, a clear sign that the adoption of generative AI is accelerating. Yet, most companies struggle to deploy large AI models in production. With the steep costs and complexities involved, nearly 90% of machine learning projects are estimated never to make it to production. Addressing this pressing issue, Simplismart is today announcing a $7m funding round for its infrastructure that enables organizations to deploy AI models seamlessly. Like the shift to cloud computing, which relied on tools like Terraform and mobile app development fueled by Android, Simplismart is positioning itself as the critical enabler for AI’s transition into mainstream enterprise operations.   
The series A funding round was led by Accel with participation from Shastra VC, Titan Capital, and high-profile angels, including Akshay Kothari, Co-Founder of Notion. This tranche, more than ten times the size of their previous round, will fuel R&D and growth for their enterprise-focused MLOps orchestration platform.  
The company was co-founded in 2022 by Amritanshu Jain, who tackled cloud infrastructure challenges at Oracle Cloud, and Devansh Ghatak, who honed his expertise on search algorithms at Google Search. In just two years, with under $1m in initial funding, Simplismart has outperformed public benchmarks by building the world’s fastest inference engine. This engine allows organizations to run machine learning models at lightning speed, significantly boosting performance while driving down costs.  
Simplismart’s fast inference engine allows users to leverage optimized performance for all their model deployments. For example, Its software-level optimization helps run Llama3.1 (8B) at an impressive throughput of >440 tokens per second. While most competitors focus on hardware optimisations or cloud computing, Simplismart has engineered this breakthrough in speed within a comprehensive MLOps platform tailored for on-prem enterprise deployments - agnostic towards choice of model and cloud platform.  
“Building generative AI applications is a core need for enterprises today. However, the adoption of generative AI is far behind the rate of new developments. It’s because enterprises struggle with four bottlenecks: lack of standardized workflows, high costs leading to poor ROI, data privacy, and the need to control and customise the system to avoid downtime and limits from other services,” said Amritanshu Jain, Co-Founder and CEO at Simplismart  
Simplismart’s platform offers organizations a declarative language (similar to Terraform) that simplifies fine-tuning, deploying, and monitoring genAI models at scale. Third-party APIs often bring concerns around data security, rate limits, and utter lack of flexibility, while deploying AI in-house comes with its own set of hurdles: access to computing power, model optimisation, scaling infrastructure, CI/CD pipelines, and cost efficiency, all requiring highly skilled machine learning engineers. Simplismart’s end-to-end MLOps platform standardizes these orchestration workflows, allowing the teams to focus on their core product needs rather than spending numerous manhours building this infrastructure.  
Amritanshu Jain added: “Until now, enterprises could leverage off-the-shelf capabilities to orchestrate their MLOps workloads since the quantum of workloads, be it the size of data, model or compute required, was small. As the models get larger and the workload increases, it will be imperative to have command over the orchestration workflows. Every new technology goes through the same cycle: exactly what Terraform did for cloud, android studio for mobile, and Databricks/Snowflake did for data.”  
“As GenAI undergoes its Cambrian explosion moment, developers are starting to realise that customizing & deploying open-source models on their infrastructure carries significant merit; it unlocks control over performance, costs, customizability over proprietary data, flexibility in the backend stack, and high levels of privacy/security”, said Anand Daniel, Partner at Accel. “We were happy to see that Simplismart’s team saw this opportunity quite early, but what blew us away was how their tiny team had already begun serving some of the fastest-growing GenAI companies in production. It furthered our belief that Simplismart has a shot at winning in the massive but fiercely competitive global AI infrastructure market.”  
Solving MLOps workflows will allow more enterprises to deploy genAI applications with more control. They want to manage the tradeoff between performance and cost to suit their needs. Simplismart believes that providing enterprises with granular Lego blocks to assemble their inference engine and deployment environments is key to driving adoption. 

You May Also Like

Ex-Oracle, Google Engineers Raise $7m From Accel for Public Launch of Simplismart to Empower AI Adoption

Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.

Thursday, October 17, 2024 14:00

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

1.  **You can’t do any of this without people.** This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. 
2.  **You can carve out your own niche in cybersecurity.** That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  
3.  **Be a sponge.** Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

**The one big thing **

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

**Why do I care? **

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

**Top security headlines of the week **

**Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks.** Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch) 

**Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices.** While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch) 

**As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study.** Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys) 

**Can’t get enough Talos? **

*   Attackers Delight: Why Does Healthcare See So Many Attacks? 
*   Ghidra data type archive for Windows driver functions 
*   Protecting major events: An incident response blueprint 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

_There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter._

What I’ve learned in my first 7-ish years in cybersecurity

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users…

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users into downloading malware. Discover the latest tactics employed by these malicious actors and stay safe online.

Cybersecurity researchers at Sekoia have detected an uptick in cyberattacks targeting users of the popular video conferencing platform, Google Meet, employing a notorious tactic, dubbed “ClickFix.” This tactic emerged in May 2024 and involves mimicking legitimate services like Google Chrome, Facebook, or Google Meet, to trick users into downloading malware.

According to Sekoia’s report, attackers are displaying fake error messages mimicking legitimate alerts from Google Meet, prompting users to click a “Fix It” button or perform other actions. However, these actions unknowingly execute malicious code that installs malware on the victim’s device. 

The ClickFix campaign leverages multiple malware distribution campaigns. Sekoia researchers analyzed a ClickFix cluster impersonating Google Meet video conferences, which targeted both Windows and macOS users.

For Windows users, the fake error message claimed microphone or headset issues, prompting them to copy a script that downloaded Stealc and Rhadamanthys infostealers. macOS users were tricked into downloading the AMOS Stealer malware.  

> _“Given the variety of initial malicious websites redirecting to this infrastructure, we assess with high confidence that it is shared among multiple threat actors. They collaborate within a centralized Traffers team to share certain resources, including this infrastructure and the AMOS Stealer, which is also sold as Malware-as-a-Service.”_
> 
> Sekoia

****Possible Perpetrators****

The investigation revealed that two cybercrime groups, “Slavic Nation Empire” (linked with cryptocurrency scam team Marko Polo) and “Scamquerteo Team” (a subgroup of cryptocurrency scam team CryptoLove), were likely behind this ClickFix cluster. These groups specialize in targeting users involved in cryptocurrency assets, Web3 applications, and decentralized finance (DeFi).  

Both teams use the same ClickFix template to impersonate Google Meet, suggesting they share materials and infrastructure. Sekoia analysts estimate that both teams use the same cybercrime service to supply the fake Google Meet cluster, and it is likely that a third party manages their infrastructure or registers their domain names.

The malware delivered through these attacks includes infostealers, botnets, and remote access tools. These malicious programs can steal sensitive data, compromise systems, and enable further attacks.

****ClickFix Scope****

The ClickFix tactic is particularly dangerous because it bypasses traditional security measures. By not requiring users to download a file directly, it avoids detection by web browser security features. This makes it more likely to ensnare unsuspecting victims.  

To protect yourself from ClickFix attacks, be cautious of unexpected error messages, verify scripts before copying and pasting them from unknown sources, use strong security software like antivirus and anti-malware, be cautious with links, and enable two-factor authentication to add an extra layer of security to your online accounts.

1.  Konni RAT Exploiting Word Docs to Steal Data from Windows
2.  Fake Chrome Browser Update Installs NetSupport Manager RAT
3.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain
4.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
5.  Popular Android Screen Recorder iRecorder App Revealed as Trojan

ClickFix Attack: Fake Google Meet Alerts Install Malware on Windows, macOS

Discover DVa, a new tool that detects and removes malware exploiting accessibility features on Android devices. Learn how…

Discover DVa, a new tool that detects and removes malware exploiting accessibility features on Android devices. Learn how this innovative solution helps protect users from malicious apps and safeguards their personal information.

While accessibility features have greatly enhanced the usability of smartphones for people with disabilities, they have also introduced new vulnerabilities that malicious actors can exploit. The latest research reveals that malware can leverage these features to gain unauthorized access and perform harmful actions, such as transferring funds, compromising personal data, and preventing uninstallation.

For your information, accessibility (A11y) refers to the design and development of products, services, and environments used by people with disabilities. Common accessibility features include screen readers, voice-to-text software, captioning, keyboard navigation, and color contrast.

Accessibility permissions, designed for apps to interact with screen content and perform actions like reading text or clicking buttons, can be abused by malicious apps to execute actions without user consent, leading to severe consequences.

Screenshot: Georgia Tech

****DVa: A New Tool for Protection****

Researchers at Georgia Tech have developed a cloud-based tool called **Detector of Victim-specific Accessibility (DVa)** (PDF)to combat this growing threat. DVa scans Android devices for malware that exploits accessibility features and provides detailed reports to users and security researchers.

DVa is a backend service that analyzes malware detected by security systems like Google Play Protect. It tricks the malware into revealing its targets and attack methods by mimicking potential victim apps and simulating accessibility events.

This helps identify specific apps targeted by the malware and unique ways it abuses accessibility features, providing users with information about detected malware, affected apps, targeted victims, and potential damages.

Users can take immediate action to uninstall malicious apps and protect their devices. DVa sends reports to Google, enabling the company to address the issue and remove **malicious apps from the Play Store**.

DVa malware analysis technique dynamically models victim-specific A11y information, allowing investigators to access live interaction between the malware and this information. Researchers used it to analyze **Cerberus malware** and discovered an unknown automatic transaction abuse vector targeting 12 new victims and 0-day dynamically loaded routines targeting 12 additional victims.

The growing reliance on accessibility features highlights the need to balance usability and security. As systems become more accessible, it’s crucial to implement security measures to prevent malicious exploitation. Tools like DVa that provide users with necessary information, can help mitigate risks associated with accessibility-exploiting malware, ensuring a safer mobile experience for all.

1.  **Best Paid and Free OSINT Tools for 2024**
2.  **New tool detects fake 4G cell phone towers**
3.  **Mockingbird AI Tool Detects Deepfake Audio with 90% accuracy**
4.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**
5.  **Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices**

New Tool DVa Detects and Removes Android Malware

ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts…

ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers.

A recent investigation by ESET Research into the **Telekopye scam toolkit network** has highlighted a problematic development- the network’s expansion to target popular accommodation booking platforms like Booking.com and Airbnb. 

ESET researchers reported a substantial increase in accommodation-themed scams in July 2024, surpassing Telekopye’s original **marketplace-targeted scams** for the first time. By leveraging compromised accounts of legitimate hotels and accommodation providers, these scammers create highly convincing phishing pages designed to steal personal and financial information from unsuspecting travelers.

**What is the **Telekopye Toolkit?****

Telekopye is a sophisticated toolkit that enables cybercriminals to launch online marketplace scams at scale. Operated by organized groups with thousands of members, Telekopye provides scammers with the tools and infrastructure needed to execute their fraudulent schemes efficiently.

Telekopye scammers, called “**Neanderthals**,” are targeting accommodation booking platforms through a variety of deceptive strategies. This includes compromised accounts, targeted emails, personalized phishing pages, and stolen payment information.

Neanderthals acquire legitimate accommodation provider accounts, likely through stolen credentials purchased on cybercriminal forums. Using these accounts, they send emails to users (Mammoths) with recent bookings, claiming a payment issue.

According to ESET’s **report** shared with Hackread.com, the email contains a link to a seemingly legitimate webpage mimicking the booking platform. The page includes pre-filled information about the user’s specific booking, making it highly believable. Once victims click on the phishing link, they are directed to a page designed to steal their personal and financial information, including credit card details.

> “Throughout our tracking of Telekopye, we’ve observed that different Telegram groups implement their own advanced features into the toolkit, aimed at speeding up the scam process, improving communication with targets, protecting phishing websites against disruption by competitors, and other goals.”
> 
> Jakub Souček and Radek Jizba -C ybersecurity researchers – ESET

****The Growing Threat****

Telekopye scams have seen a notable surge in activity, particularly **targeting Booking.com** and Airbnb users during the summer holiday season. This indicates a growing trend and the need for increased attention from travelers.

Screenshots show fake Booking.com form and fake Booking.com payment created with the Telekopye toolkit (Via ESET)

It is worth noting that in late 2023, Czech and Ukrainian police **arrested** tens of cybercriminals using Telekopye, including key players, in two joint operations following ESET Research’s series. The operations targeted an unspecified number of Telekopye groups, which had accumulated at least €5 million /US$ 5.5 million since 2021.

The arrests helped identify their recruitment and employment practices, indicating that it was primarily managed by middle-aged men from Eastern Europe and West and Central Asia.

To protect yourself from Telekopye scams, always verify platform communication with official representatives and avoid clicking on external links. Be cautious of unusual requests for payment or additional information.

Additionally, use strong security practices, such as strong passwords and two-factor authentication. By understanding the Telekopye threat and implementing these protective measures, travelers can significantly reduce their risk of falling victim to these sophisticated scams.

1.  **RIG Exploit Toolkit Drops CeidPageLock Malware to Hijack Browsers**
2.  **New GEOBOX Tool Hijacks Raspberry Pi, Lets Hackers Fake Location**
3.  **Telegram Android Vulnerability “EvilVideo” Sends Malware as Videos**
4.  **FishXProxy Phishing Kit Making Phishing Accessible to Script Kiddies**
5.  **New V3B Phishing Kit Steals Logins and OTPs from EU Banking Users**

New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users

New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device's unlock pattern or PIN.
"This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week.
First spotted in the wild in 2019, TrickMo is so named for

Mobile Security / Financial Fraud

New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device's unlock pattern or PIN.

"This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week.

First spotted in the wild in 2019, TrickMo is so named for its associations with the TrickBot cybercrime group and is capable of granting remote control over infected devices, as well as stealing SMS-based one-time passwords (OTPs) and displaying overlay screens to capture credentials by abusing Android's accessibility services.

Last month, Italian cybersecurity company Cleafy disclosed updated versions of the mobile malware with improved mechanisms to evade analysis and grant itself additional permissions to perform various malicious actions on the device, including carrying out unauthorized transactions.

Some of the new variants of the malware have also been equipped to harvest the device's unlock pattern or PIN by presenting to the victim a deceptive User Interface (UI) that mimics the device's actual unlock screen.

The UI is an HTML page that's hosted on an external website and displayed in full-screen mode, thus giving the impression that it's a legitimate unlock screen.

Should unsuspecting users enter their unlock pattern or PIN, the information, alongside a unique device identifier, is transmitted to an attacker-controlled server ("android.ipgeo\[.\]at") in the form of an HTTP POST request.

Zimperium said the lack of adequate security protections for the C2 servers made it possible to gain insight into the kinds of data stored in them. This includes files with approximately 13,000 unique IP addresses, most of which are geolocated to Canada, the U.A.E., Turkey, and Germany.

"These stolen credentials are not only limited to banking information but also encompass those used to access corporate resources such as VPNs and internal websites," Yaswant said. "This underscores the critical importance of protecting mobile devices, as they can serve as a primary entry point for cyberattacks on organizations."

Another notable aspect is the broad targeting of TrickMo, gathering data from applications spanning multiple categories such as banking, enterprise, job and recruitment, e-commerce, trading, social media, streaming and entertainment, VPN, government, education, telecom, and healthcare.

The development comes amid the emergence of a new ErrorFather Android banking trojan campaign that employs a variant of Cerberus to conduct financial fraud.

"The emergence of ErrorFather highlights the persistent danger of repurposed malware, as cybercriminals continue to exploit leaked source code years after the original Cerberus malware was discovered," Broadcom-owned Symantec said.

According to data from Zscaler ThreatLabz, financially motivated mobile attacks involving banking malware have witnessed a 29% jump during the period June 2023 to April 2024, when compared to the previous year.

India came out as the top target for mobile attacks during the time frame, experiencing 28% of all attacks, followed by the U.S., Canada, South Africa, the Netherlands, Mexico, Brazil, Nigeria, Singapore, and the Philippines.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This…

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This advanced trojan uses sophisticated techniques to evade detection, steal credentials, and enable remote access to infected devices.

Cybersecurity researchers at DomainTools have released their new research on Octo2, a new version of the notorious Octo malware family. Octo2 targets Android mobile devices and based on its activity, researchers believe that it will target users globally soon.

According to Steve Behm, Solutions Engineer at DomainTools, Octo2 represents a major change in cybersecurity threats. This updated version of the prolific Octo (ExobotCompact) family spreads rapidly due to its enhanced features, global adoption of its predecessor, and aggressive distribution tactics. 

Octo2 features improved remote access trojan capabilities, ensuring reliable communication and control over infected devices even in challenging network conditions. Moreover, its enhanced Anti-Analysis and Anti-Detection techniques can hinder security analysis and detection, making it more difficult to identify and neutralize the threat.

In addition, the use of DGA-Based C2 server generation algorithm (DGA) to create dynamic command and control (C2) server addresses adds a layer of complexity, making it harder for security systems to track and disrupt communication.

“We were eventually able to expand the original 9 domains and 7 TLDs to 269 domains and 12 TLDs first seen from August 22nd, 2024 to October 4th, 2024,” reads DomainTool’s **blog post** shared with Hackread.com ahead of publishing on October 10, 2024.

****Currently Targeting Europe****

Early samples of Octo2 have been observed in several European countries, including Italy, Poland, Moldova, and Hungary. However, given the global reach of the original Octo and the improvements in Octo2, its distribution is expected to expand rapidly. 

****Attack Pattern** – Disguised as VPN and Browser**

The malware often disguises itself as legitimate applications, such as Google Chrome, NordVPN, or “Enterprise Europe Network,” to deceive unsuspecting users. It employs a dropper called **Zombinder** to deliver the malicious payload, prompting users to install a seemingly harmless plugin that is actually Octo2.   

For your information, Zombinder is another Android malware that was actively sold on the dark web in 2022. Its developers also offered a Windows version. At that time, Zombinder was found distributing the notorious **Xenomorph banking malware**, disguised as the VidMate app.

Once a device gets infected, Octo2 allows remote access to mobile devices, intercepting push notifications, harvesting credentials, and performing unauthorized actions, such as allowing for unauthorized login and access. The **Conficker worm discovered in 2008** is one of the earliest examples of a DGA used by malware families and so far 50 malware families, including Zeus and Dyre, have been identified to be using DGA domains.

****Abusing Domain Generation Algorithms****

Octo2’s use of a DGA (Domain Generation Algorithms – Different from **Registered Domain Generation Algorithms – RDGAs**) to generate its C2 server address is a significant enhancement. This technique allows the malware to constantly change its communication endpoints, making it more resilient to takedowns and detection efforts. While researchers can identify the patterns used to generate these domains, the dynamic nature of the C2 infrastructure presents a massive threat.  

Domain Tools researchers warn users to be cautious of Octo2 malware and avoid downloading apps or software from third-party sites. For businesses, using **threat intelligence** is important. This includes advanced detection tools like sandboxing, monitoring DNS traffic for unusual activity, and using endpoint security solutions to spot malicious behaviour on infected devices. Regular DNS traffic monitoring can also help detect DGA-based malware.

1.  **Android Malware Ajina.Banker Steals 2FA Codesvia Telegram**
2.  **BingoMod Android Malware Posing as Security Apps, Wipes Data**
3.  **SMS Stealer Targeting Android Users via Malicious Apps and Ads**
4.  **Phishing Attacks Target European Bank Users on iOS and Android**
5.  **Telegram Android Vulnerability “EvilVideo” Sends Malware as Videos**

Tag

#android