InfoSec News 20221111
Top News
- Google Pixel screen-lock hack earns researcher $70k
"A security researcher scored a $70k bug bounty payout after accidentally discovering a Google Pixel lock-screen bypass hack.
The vulnerability, discovered by David Schütz, meant an attacker could unlock any Google Pixel phone without knowing the passcode. Google fixed the issue (tracked at CVE-2022-20465) with a November update, allowing Schütz to go public with his findings.
The vulnerability created a means for a potential hacker to bypass lock-screen protections such as fingerprint or PIN authentication and obtain physical access to a target device. The hack could be carried out with minimal technical skill against a range of mobile devices running Android, by following a series of steps.
Fortunately, the exploit is not something that would lend itself to remote exploitation."
TLP1 : Green
- Researchers warn of malicious packages on PyPI using steganography
"Experts discovered a malicious package on the Python Package Index (PyPI) that uses steganography to hide malware within image files.
Check Point researchers discovered a malicious package, named ‘apicolor,’ on the Python Package Index (PyPI) that uses steganography to hide malware within image files.
The malicious package infects PyPI users through open-source projects on GitHub.
The package was uploaded to PyPI on October 31, 2022; it had a vague header stating this is a ‘core lib for REST API’."
TLP1 : Green
- An $8 mess — Twitter Blue 'verified' accounts push crypto scams
"Twitter has officially rolled out its Twitter Blue program for an $8 monthly fee that confers upon the Tweeter multiple benefits, including the much-sought blue badge.
Whereas previously, only accounts of notable personalities and organizations earned the blue-tick, it's now open to anyone willing to shed the monthly fee.
But, all this has led to its own set of problems, such as threat actors now impersonating famous people and still being granted a "verified" status."
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
- FSB-linked hacker group disguises as Ukrainian officials to spread malware
"Armageddon, a hacker group affiliated with the Russian government, has been observed sending phishing emails on behalf of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).
Ukraine's Computer Emergency Response Team (CERT) detected a large number of emails containing malicious links. Following the malicious link triggers a malware download, most commonly of data-stealing malware.
Phishing emails are being spread using @mail.gov.ua.
"It means that the criminals are getting increasingly scrupulous in disguising themselves as Ukrainian public officials," CERT-UA said."
TLP1 : Green
- Kaspersky to kill its VPN service in Russia next week
"Kaspersky is stopping the operation and sales of its VPN product, Kaspersky Secure Connection, in the Russian Federation, with the free version to be suspended as early as November 15, 2022.
As the Moscow-based company informed on its Russian blog earlier this week, the shutdown of the VPN service will be staged, so that impact on customers remains minimal.
Purchases of the paid version of Kaspersky Secure Connection will remain available on both the official website and mobile app stores until December 2022.
Customers with active subscriptions will continue to enjoy the product's VPN service until the end of the paid period, which cannot go beyond the end of 2023 (one-year subscription).
Russian-based users of the free version of Kaspersky Secure Connection will not be able to continue using the product after November 15, 2022, so they will have to seek alternatives."
TLP1 : Green
- Russian LockBit ransomware operator arrested in Canada
"Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide.
The suspect was arrested in Ontario, Canada, last month following an investigation led by the French National Gendarmerie with the help of Europol's European Cybercrime Centre (EC3), the FBI, and the Royal Canadian Mounted Police (RCMP).
"One of the world's most prolific ransomware operators has been arrested on 26 October in Ontario, Canada," Europol said today.
"A 33-year-old Russian national, the suspect is believed to have deployed the LockBit ransomware to carry out attacks against critical infrastructure and large industrial groups across the world."
Law enforcement agents also seized eight computers and 32 external hard drives, two firearms, and €400,000 worth of cryptocurrency from the suspect's home."
TLP1 : Green
- EU aims for a bloc-wide cyber defense to fend off Russia
"Russia’s invasion of Ukraine prompted the European Union to call for a unified cyber defense policy and measures.
Calling out the blurring line between civilian and military cyberspace, the European Commission (EC) suggests the European bloc respond by developing a joint cyber defense approach.
“It is a stark reminder that the EU needs close military and civilian cooperation in cyberspace to become a stronger security provider. The EU needs to take on more responsibility for its own security,” EC’s joint communication to the European Parliament and Council said."
TLP1 : Green
- US Health Dept warns of Venus ransomware targeting healthcare orgs
"The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the country's healthcare organizations.
In an analyst note issued by the Health Sector Cybersecurity Coordination Center (HC3), HHS' security team also mentions that it knows about at least one incident where Venus ransomware was deployed on the networks of a U.S. healthcare org.
However, there is no known data leak site that threat actors deploying Venus ransomware are known to use for publishing stolen data online, according to HC3's report.
"HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently," the report warns.
"The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time.""
TLP1 : Green
- FBI warns scammers now impersonate refund payment portals
"The FBI warns that tech support scammers are now impersonating financial institutions' refund payment portals to harvest victims' sensitive information and add legitimacy.
In today's public service announcement, the federal law enforcement agency said that the fraudsters trick victims (generally someone from within the elderly population) via email or phone calls into giving them access to their computers by impersonating representatives of technical or computer repair services.
"Within the body of the email, the scammers will indicate the specific service to be renewed with a price commonly in the range of $300 to $500 USD, provoking a sense of urgency in the victims to contact them and provide information for a refund," the FBI said.
"In this case, the scammers claim to aid in securing a refund through remote access to the victim's computer.""
TLP1 : Green
- Chinese Spyware Targets Uyghurs Through Apps: Report
"Cybersecurity researchers said they have found evidence of Chinese spyware in Uyghur-language apps that can track the location and harvest the data of Uyghurs living in China and abroad.
Uyghurs are a Turkic Muslim minority predominantly in China's northwestern region of Xinjiang, where a recent UN report said Beijing may have committed crimes against humanity.
The United States and lawmakers in other Western countries say China's treatment of the Uyghurs amounts to genocide.
A Thursday report by San Francisco-based cybersecurity firm Lookout claims that since 2018, multiple Uyghur-language Android apps have been found to be infected with two strains of spyware linked to Chinese state-backed hacker groups."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
- Foxit Patches Several Code Execution Vulnerabilities in PDF Reader
"Popular PDF document reader Foxit Reader has been updated to address multiple use-after-free security bugs that could be exploited for arbitrary code execution.
The feature-rich PDF reader provides broad functionality to users, including support for multimedia documents and dynamic forms via JavaScript support, which also expands the application’s attack surface.
This week, Cisco’s Talos security researchers have published information on four vulnerabilities in Foxit Reader’s JavaScript engine that could be exploited to achieve arbitrary code execution."
TLP1 : Green
- Multiple High-Severity Flaws Affect Widely Used OpenLiteSpeed Web Server Software
"Multiple high-severity flaws have been uncovered in the open source OpenLiteSpeed Web Server as well as its enterprise variant that could be weaponized to achieve remote code execution.
"By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution," Palo Alto Networks Unit 42 said in a Thursday report.
OpenLiteSpeed, the open source edition of LiteSpeed Web Server, is the sixth most popular web server, accounting for 1.9 million unique servers across the world."
TLP1 : Green
- CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching
"The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide that can help organizations prioritize vulnerability patching using a decision tree model.
The SSVC system was created in 2019 by CISA and Carnegie Mellon University's Software Engineering Institute (SEI), and a year later CISA developed its own customized SSVC decision tree for security flaws relevant to government and critical infrastructure organizations.
CISA is now encouraging organizations of all sizes to use its version of the SSVC for vulnerability management."
TLP1 : Green
- CSRF in Plesk API enabled privilege escalation
"The REST API of Plesk was vulnerable to client-side request forgery (CSRF), which could lead to multiple potential attacks, including malicious file upload and privilege escalation.
Plesk is a very popular administration tool for web hosting and data center providers. Users usually use its web interface to administer their websites and file servers. This interface has been exhaustively tested and patched against security holes.
However, according to the findings of Adrian Tiron, a security researcher at Fortbridge, the REST API that allows third-party programs access to Plesk’s functionality was not as sturdy as its web user interface counterpart."
TLP1 : Green
- Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products
"Cisco this week announced the release of patches for 33 high- and medium-severity vulnerabilities impacting enterprise firewall products running Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software.
The most severe of the security defects is CVE-2022-20927, a bug in the dynamic access policies (DAP) functionality of ASA and FTD software, allowing a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.
Due to improper processing of data received from the Posture (HostScan) module, an attacker could send crafted HostScan data to cause the affected device to reload, Cisco explains."
TLP1 : Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
- VPN vs. DNS Security
"When you are trying to get another layer of cyber protection that would not require a lot of resources, you are most likely choosing between a VPN service & a DNS Security solution. Let's discuss both."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
- Worok hackers hide new malware in PNGs using steganography
"A threat group tracked as 'Worok' hides malware within PNG images to infect victims' machines with information-stealing malware without raising alarms.
This has been confirmed by researchers at Avast, who built upon the findings of ESET, the first to spot and report on Worok's activity in early September 2022.
ESET warned that Worok targeted high-profile victims, including government entities in the Middle East, Southeast Asia, and South Africa, but their visibility into the group's attack chain was limited. 
Avast's report is based on additional artifacts the company captured from Worok attacks, confirming ESET's assumptions about the nature of the PNG files and adding new information on the type of malware payloads and the data exfiltration method."
TLP1 : Green
- QBOT – A HTML SMUGGLING TECHNIQUE TO TARGET VICTIMS
"QBot, also known as Qakbot, QuackBot, and Pinkslipbot, is a Banking Trojan that was first observed in 2007. Today, Qbot is still a vicious and persistent threat to organizations and has become one of the leading Banking Trojans globally. Over the years, it has changed its initial techniques to deliver payloads like using VBA macros, Excel 4 macros, VBS files, exploits like Follina, etc. Recently in Quick Heal’s Security Labs, we have come across a new technique that QBot leverages for its attack. It is called an “HTML Smuggling attack.”"
TLP1 : Green
- An Untrustworthy TLS Certificate in Browsers
"The major browsers natively trust a whole bunch of certificate authorities, and some of them are really sketchy:
Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority, a powerful spot in the internet’s infrastructure that guarantees websites are not fake, guiding users to them seamlessly.
The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade."
TLP1 : Green
- Cracking 2.3M Attacker-Supplied Credentials: What Can We Learn from RDP Attacks
"To study credentials attacks on RDP, we operate high-interaction honeypots on the Internet. We analyzed over 2.3 million connections that supplied hashed credentials and attempted to crack them. This article will highlight insights from these attacks and provide mitigation advice."
TLP1 : Green
- These Two Google Play Store Apps Spotted Distributing Xenomorph Banking Trojan
"Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware.
"Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi said in an analysis published Thursday.
"It is also capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and multi-factor authentication requests."
The cybersecurity firm said it also found an expense tracker app that exhibited similar behavior, but noted that it couldn't extract the URL used to fetch the malware artifact."
TLP1 : Green
- Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
"The emergence of new Web3 technologies in recent years has resulted in drastic changes to the way content is hosted and accessed on the internet. Many of these technologies are focused on circumventing censorship and decentralizing control of large portions of the content and infrastructure people use and access on a regular basis. While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns. Over the past few years, Talos has observed an increase in the number of cybercriminals taking advantage of technologies like the InterPlanetary File System (IPFS) to facilitate the hosting of malicious content as they provide the equivalent of “bulletproof hosting” and are extremely resilient to attempts to moderate the content stored there."
TLP1 : Green
1 Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.
