🚨 North Korean Hackers Target Tech Job Seekers! 👔

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that protects you against cyberthreats a hell of lot better than the U.S. government protects its hurricane-stricken citizens ⛈️🌪️🚣‍♀️👨🏻‍🦳🏌😡😥 #Helene #Milton Sending love to our friends & readers across the pond ❤️❤️❤️

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Qualcomm, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Qualcomm it took you so long? 😏

🚨 Qualcomm Issues Critical Security Patches – Update Now! ⚠️

Qualcomm has rolled out updates fixing nearly two dozen vulnerabilities, including CVE-2024-43047 (CVSS 7.8), a bug under active exploitation in the wild! ⚡ 

This high-severity flaw in the Digital Signal Processor (DSP) Service could lead to memory corruption and is already being targeted, likely in spyware attacks aimed at civil society. Qualcomm urges OEMs to deploy the patch ASAP! 🔧📱 

Another major issue addressed is CVE-2024-33066 (CVSS 9.8), a critical WLAN flaw that could also cause memory corruption. Google’s Project Zero and Amnesty International Security Lab helped flag these threats. 🚨💥 Qualcomm joins Google’s October Android bulletin, tackling vulnerabilities from Imagination Technologies, MediaTek, and Qualcomm. 🌐🔐 

Now, on to this week’s hottest cybersecurity news stories: 

  • 👨🏽‍💻 N. Korean hackers are tricking developers w/ fake job interviews 👔

  • 🌐 Microsoft: Beware of file hosting services in business email attacks 🗃️

  • 😈 Lua-based malware cheats would-be cheaters with fake gaming cheats 🎮

Korea criminals strike again! 🚀

🚨 North Korean Hackers Target Tech Job Seekers! 👔

💼 Job interviews or cyber traps? Be aware! North Korea-linked hackers are targeting tech job seekers through fake interviews to spread malware. 🎯 The malicious campaign, named Contagious Interview, was first exposed by Palo Alto Networks' Unit 42 in late 2023.

📩 How It Works

Hackers pose as employers on job platforms, offering interviews to unsuspecting software developers. They trick victims into downloading malware disguised as coding assignments. 🖥️ The first stage of the attack instals BeaverTail, a downloader targeting both Windows and macOS. This then loads InvisibleFerret, a Python-based backdoor.

🦊 Sneaky Techniques!

The hackers continue their attacks despite being exposed, as their tactics remain effective. They use fake video conferencing apps to spread malware—now using the Qt framework for cross-platform infection. BeaverTail can steal browser passwords and cryptocurrency wallet data! 💳💻

🔍 What's Next?

These hackers haven't changed much about their strategy because it works! The malware can steal from 13 different cryptocurrency wallets, likely making this a financially motivated campaign to fund the North Korean regime. 🕵️‍♂️ 

Stay vigilant, especially if you're a developer seeking new opportunities—fake interviews might be more than just a bad offer. 🔒

These daily stock trade alerts shouldn’t be free!

The stock market can be a rewarding opportunity to grow your wealth, but who has the time??

Full time jobs, kids, other commitments…with a packed schedule, nearly 150,000 people turn to Bullseye Trades to get free trade alerts sent directly to their phone.

World renowned trader, Jeff Bishop, dials in on his top trades, detailing his thoughts and game plan.

Instantly sent directly to your phone and email. Your access is just a click away!

Subscribe for Free

It’s the file hostess with the mostest (malware) 👾 

 🚨 Beware: Cybercriminals Exploit Trusted File Services! 🗃️

🛑 Microsoft warns of a new wave of attacks targeting enterprise users by abusing trusted file-hosting services like SharePoint, OneDrive, and Dropbox. These platforms are being used as sneaky tools to bypass security defences and carry out phishing and Business Email Compromise (BEC) attacks.

🎯 What’s the Goal?

Cybercriminals are using legitimate internet services (LIS) to trick users into sharing sensitive info, leading to financial fraud, data theft, and attacks on other systems. They’ve coined this technique Living-Off-Trusted-Sites (LOTS), which takes advantage of widely trusted platforms to escape detection.

📧 The Phishing Tactic

Here's how it works: A phishing email directs a user to a "view-only" file on a trusted service like OneDrive. To access it, the user must log in with their email and a one-time password (OTP). Clicking on the link redirects them to a phishing page, where attackers steal login credentials and even two-factor authentication (2FA) tokens. 🔑💻

💼 Business Email Compromise

Once inside, attackers use the stolen credentials to launch BEC scams, aiming for financial gain. These scams often involve impersonating trusted vendors or partners, tricking companies into making fraudulent payments.

🛠️ Phishing-as-a-Service (PhaaS)

Attackers are also using Mamba 2FA, a phishing kit sold for $250/month, allowing cybercriminals to steal credentials and bypass 2FA using tools like Telegram bots. 📲

Stay alert, especially when accessing shared files. Cyber attackers are getting smarter—don’t get caught in their net! 🔒

News for humans, by humans.

  • Today's news.

  • Edited to be unbiased as humanly possible.

  • Every morning, we triple-check headlines, stories, and sources for bias.

  • All by hand with no algorithms.

Sign up now!

Would-be cheaters! Don’t be Lua’d in 👀 

🚨 Gamers Beware: Fake Cheats Deliver Dangerous Malware! 🎮

👾 Gamers looking for cheats are falling into a cyber trap! Attackers are using fake cheat sites to trick users into downloading Lua-based malware, capable of infecting systems and delivering harmful payloads. 🦠

🕹️ How It Works

Cybercriminals target student gamers searching for cheat engines like Solara and Electron, using fake websites to distribute malicious files. The malware, hidden in ZIP archives hosted on GitHub, includes a Lua compiler and script designed to compromise your system by communicating with a command-and-control server to download more malware like RedLine Stealer.

🔐 Staying Hidden

This malware uses obfuscated Lua scripts to avoid detection, making it easier to fly under the radar. Once installed, it can establish persistence, hide processes, and even download additional payloads, putting your system—and data—at serious risk.

💻 What's the Damage?

Attackers use infostealers like RedLine to collect credentials and sell them on the dark web, potentially leading to more sophisticated attacks. Crypto investors are also being targeted, with malware replacing cryptocurrency wallets and silently mining coins. 💰

👾 Stay safe and avoid downloading cheats from unverified sources. Cybercriminals are lurking, ready to turn your gaming habits into their next payday! 💥

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Vulnerabilities in Kia vehicles that could have been exploited

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s always phishing for compliments so feedback welcome y’all 🎣🎣🎣

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Progress Software, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

‘Bout time we saw some Progress 😏

🚨 Critical WhatsUp Gold Updates – Patch Now! 🩹

Progress Software has dropped another round of updates for WhatsUp Gold to squash six security bugs, including two critical ones (CVSS 9.8)! 🐞⚠️

The latest version 24.0.1, released on September 20, 2024, fixes vulnerabilities like CVE-2024-46909 and CVE-2024-8785. Shoutout to researchers from Summoning Team, Trend Micro, and Tenable for spotting these! 👏💻

Trend Micro warns that hackers are actively exploiting old WhatsUp Gold flaws, so update ASAP to stay safe and avoid attacks! 💥🔒 Don’t let your network be the next target! 🚀🔥

Now, on to this week’s hottest cybersecurity news stories: 

  • 🚗 I could tell you about the ploy to control cars via number plates… 🕹️

  • 🌄 South & SE Asia beware. Cloudflare says Indian hackers are on it 👨🏾‍💻

  • 🕵 New KLogEXE, FPSpy malware deployed by N. Korean hackers 🚀

But I’d have to Kia you 🙈😬😂

🚨 Newly Patched Kia Vulnerabilities Could Have Allowed Remote Control of Vehicles 🚗

Talk about driving without a licence (plate) 💀 Cybersecurity researchers recently disclosed a set of vulnerabilities in Kia vehicles that could have been exploited to gain remote control over key vehicle functions using nothing more than a licence plate number. These vulnerabilities, which have since been patched, affected nearly all Kia models manufactured after 2013.

💥 Key Findings

Researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll discovered that attackers could remotely gain control over a Kia vehicle's functions such as unlocking doors, starting the engine, or honking, all in under 30 seconds. The attacks did not even require an active Kia Connect subscription, meaning any vehicle equipped with the hardware was at risk.

🛠️ How the Attack Worked

  • Dealer Infrastructure Exploit: The vulnerabilities centred around the Kia dealership infrastructure (kiaconnect.kdealer.com) used for vehicle activations. Attackers could create a fake account through a series of HTTP requests and generate an access token.

  • Extracting Sensitive Data: With the token, the attackers could send another HTTP request to the dealer's API gateway to retrieve sensitive data, such as the vehicle owner's name, phone number, email, and VIN (Vehicle Identification Number).

  • Taking Over Vehicle Control: By issuing only four HTTP requests, attackers could modify the owner’s permissions and add themselves as a "secondary user" on the vehicle. This allowed them to run commands on the vehicle without the owner's knowledge.

🔑 No User Alerts

Perhaps most concerning is that the vehicle owner was not notified that their permissions had been changed or that their vehicle had been accessed. Attackers could use a licence plate number to retrieve the VIN and send commands like unlock, start, or honk.

⚔️ Attack Example

In a hypothetical scenario, an attacker could use a custom dashboard to enter the licence plate of a Kia vehicle, retrieve the victim’s personal information in 30 seconds, and begin sending remote commands to the vehicle.

⚠️ Patched Vulnerabilities

After being responsibly disclosed in June 2024, Kia patched the vulnerabilities by August 2024. There is no evidence to suggest that these flaws were exploited in real-world attacks before the patches were deployed.

🛡️ Continued Risks in Automotive Security

The researchers noted that vulnerabilities in connected cars will continue to surface, likening them to software issues that could allow someone to take over online accounts. As cars become more integrated with technology, manufacturers must remain vigilant to prevent malicious actors from gaining unauthorised control of vehicles.

This discovery highlights the ongoing cybersecurity challenges in the automotive sector, especially as vehicles become more connected and reliant on digital infrastructure.

Secure Your Microsoft 365 Environment

81% of M365 users fall victim to breaches. Download a complimentary copy of our eBook to gain a deeper understanding of safeguarding your Microsoft 365 environment. Partner with Rubrik and Microsoft to proactively defend against cyber threats and protect your critical business data.

Watch out for Cloudflare ups 👀

🚨 Advanced Threat Actor "SloppyLemming" Targets South, SE Asia With Espionage 🕵🏻‍♂️

Cybersecurity researchers have tracked an advanced threat actor, dubbed SloppyLemming, using cloud services to execute credential harvesting, malware delivery, and command-and-control (C2) operations. Cloudflare is monitoring this activity under multiple aliases, including Outrider Tiger and Fishing Elephant.

🔍 Key Insights

  • Active Since 2021: SloppyLemming has been operational since July 2021, with earlier campaigns linked to the deployment of malware like Ares RAT and WarHawk. These tools have been tied to threat groups SideWinder and SideCopy.

  • Espionage Focus: The group primarily targets government, law enforcement, telecommunications, energy, and education sectors across South and East Asia, including countries like Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.

📧 Spear-Phishing and Credential Harvesting

SloppyLemming’s campaigns often involve spear-phishing emails designed to instil a false sense of urgency. Victims are lured into clicking on malicious links that redirect them to credential harvesting pages.

CloudPhish Tool: The actor utilises a custom-built tool called CloudPhish, which uses Cloudflare Workers to handle the credential exfiltration process.

💻 Malware Delivery Techniques

The actor has been observed using booby-trapped RAR archives exploiting the WinRAR flaw (CVE-2023-38831). These RAR files contain executables that stealthily load malicious DLLs like CRYPTSP.dll to download remote access trojans hosted on services such as Dropbox.

Another tactic involves delivering malware through phishing campaigns impersonating legitimate entities like the Punjab Information Technology Board (PITB) in Pakistan.

🔗 Use of Cloudflare Workers and C2 Infrastructure

SloppyLemming's infrastructure relies on Cloudflare Workers to mediate requests between victims and the actual C2 domains. For example, they have used Cloudflare Workers to relay commands to their primary C2 domain, "aljazeerak[.]online."

🎯 Targeted Sectors

SloppyLemming has been heavily focused on Pakistani police departments, law enforcement, and entities tied to the nuclear power facility in Pakistan. Other targeted entities include Sri Lankan and Bangladeshi government and military organisations, as well as Chinese energy and academic sectors.

🔒 Security Concerns

The increasing use of cloud services by adversaries like SloppyLemming highlights the need for vigilant monitoring of cloud-based environments, as they can be easily leveraged for espionage campaigns. Organisations in targeted sectors should be aware of phishing tactics and take steps to safeguard their credentials and networks from such sophisticated attacks.

This discovery underscores the evolving complexity of state-sponsored cyber threats and the critical need for robust security measures across the Asia-Pacific region.

Hackers: I’m bringing EXE back 🙃

🚨 N. Korean APT Group "Kimsuky" Deploys New Malware: KLogEXE, FPSpy 👾

Cybersecurity researchers have detected two new malware strains, KLogEXE and FPSpy, attributed to the Kimsuky threat actor, also known as APT43, ARCHIPELAGO, and Velvet Chollima. This North Korean-linked group, active since at least 2012, is notorious for its spear-phishing tactics and is believed to be enhancing its malware arsenal with these new additions.

🔍 Key Insights

  • Kimsuky’s Evolving Toolkit: The two malware strains—KLogEXE and FPSpy—expand the group's already potent toolset. KLogEXE is a C++ variant of a previous PowerShell-based keylogger called InfoKey, while FPSpy is a backdoor with additional functionality for system reconnaissance and payload execution.

  • Spear-Phishing Tactics: The group continues to employ spear-phishing as its primary method of attack. Carefully crafted emails are used to lure targets into downloading malicious ZIP files, which then execute malware upon extraction.

  • Functionality of the Malware: KLogEXE: Monitors keystrokes, mouse clicks, and gathers data about applications running on compromised systems. FPSpy: Similar to older Kimsuky malware strains like KGH_SPY, it can collect system information, execute commands, and enumerate directories and files.

🎯 Targeted Regions

Kimsuky’s operations in this campaign seem focused on Japan and South Korea, aligning with their historical targeting patterns in the government, technology, and defence sectors.

🛡️ Growing Threat

The discovery of code similarities between KLogEXE and FPSpy suggests they are likely developed by the same group, indicating the evolving and sophisticated nature of Kimsuky’s operations.

This new campaign demonstrates North Korean threat actors' persistent ability to adapt and refine their tools for espionage and cyber operations in East Asia, posing a continued challenge for regional cybersecurity defences.

Take care, folks! 👍

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Europol nets major phishing operation targeting phone credentials

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s rolling like cyber thunder ⚡

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

 Congrats to Google, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

E.T. phone Chrome 👽

 🚨 New Chrome Features Boost Data Control & Security! 🔒

 Google is rolling out new features in Chrome to give users better control over their data and enhance protection against online threats.

The updated Safety Check now runs automatically, revoking site permissions and flagging suspicious notifications in real time. It also warns users about risky Chrome extensions and compromised passwords stored in Google Password Manager. 📱💻

Users can now easily unsubscribe from unwanted notifications on Android and Pixel devices, and grant one-time permissions for camera and mic access, improving privacy management. Stay safe and in control with the latest Chrome update! 🚀🔐

Now, on to this week’s hottest cybersecurity news stories: 

  • 👮 Europol nets major phishing operation targeting phone credentials 📱

  • 👨🏻‍💻 Hackers manipulate your OpenAI history to implant fake memories 🧠

  • 🚢 Transportation companies targeted with Lumma Stealer and NetSupport 🎯

It’s been PhaaSed out ❌❌❌ No catch and release either 🎣

Donald Trump GIF by GIPHY News

Gif by news on Giphy

🚨 Takedown of International Criminal Network Behind Phishing Scheme 🛡️

Law enforcement authorities have successfully dismantled an international criminal network responsible for a phishing-as-a-service (PhaaS) platform known as iServer, which has targeted over 483,000 victims globally. Countries most affected include Chile (77,000), Colombia (70,000), and Ecuador (42,000), among others.

The takedown, called Operation Kaerb, was a joint effort between multiple countries, including Spain, Argentina, Chile, Colombia, and Peru. The operation, which ran from September 10 to 17, led to the arrest of an Argentinian national believed to be the mastermind behind iServer since 2018.

In total, 17 arrests were made, with 28 searches conducted, and over 921 items—including electronic devices, weapons, and mobile phones—were seized. Notably, 1.2 million phones are estimated to have been unlocked by the criminal network to date.

🛒 Phishing-as-a-Service (PhaaS) Platform

iServer was an automated phishing platform specifically designed to harvest credentials to unlock stolen or lost phones, setting it apart from typical phishing operations. The platform offered a web interface that allowed criminals, referred to as "unlockers," to retrieve passwords and user credentials from cloud-based platforms. These credentials were then used to bypass Lost Mode and unlink devices from their rightful owners.

🔗 Phishing Tactics

The attackers sent SMS messages to phone theft victims, tricking them into clicking links that redirected them to phishing landing pages. Victims were asked to enter credentials, device passcodes, and two-factor authentication (2FA) codes, which were then abused to gain full access to the stolen devices.

iServer automated the creation of phishing pages that mimicked popular cloud-based mobile platforms, ensuring its effectiveness as a tool for cybercriminals. This PhaaS platform enabled even low-skilled criminals to participate in these illegal activities.

🙌 Criminal Network Disrupted

In total, 51 suspects have been arrested in connection with Ghost, with notable operations targeting criminals in Australia, Ireland, and Italy. This global crackdown on cybercrime demonstrates how law enforcement agencies are increasingly focused on dismantling organised crime groups that exploit sophisticated technology to commit fraud, theft, and other illegal activities.

The takedown of iServer is another victory in the ongoing battle against cybercriminal networks that use phishing and other methods to unlock stolen devices and compromise sensitive data.

🥡 Takeaway

This high-profile case serves as a reminder of the importance of protecting your devices and accounts from phishing attempts and fraudulent messages. It also underscores the growing threat posed by phishing-as-a-service platforms that empower even less technically skilled criminals to carry out wide-reaching cyberattacks.

Want SOC 2 compliance without the Security Theater?

Question 🤔 does your SOC 2 program feel like Security Theater? Just checking pointless boxes, not actually building security?

In an industry filled with security theater vendors, Oneleet is the only security-first compliance platform that provides an “all in one” solution for SOC 2.

We’ll build you a real-world Security Program, perform the Penetration Test, integrate with a 3rd Party Auditor, and provide the Compliance Software … all within one platform.

Schedule a demo for pricing

Memories, in the corner of AI 🎶🥺💀

🚨 Researcher Exploits ChatGPT Vulnerability to Hijack Long-Term Memory 🛡️

A security researcher named Johann Rehberger recently uncovered a vulnerability in ChatGPT's long-term memory feature, which could allow malicious actors to store false information or inject harmful instructions into the system. Initially reported to OpenAI in May, the issue was labelled as a "safety issue" rather than a security flaw, leading Rehberger to develop a proof-of-concept (PoC) exploit that further demonstrated the potential damage.

📄 ChatGPT's Long-Term Memory Feature

Introduced by OpenAI in February 2024, the long-term memory feature stores details from prior interactions, so ChatGPT can retain context about a user’s preferences, beliefs, or personal details for future use. This enables the AI to have more personalised conversations, but it also introduced vulnerabilities.

🚩 Exploit via Prompt Injection

Rehberger discovered that prompt injections—where malicious instructions are embedded in untrusted content such as emails, websites, or documents—could manipulate ChatGPT's memory, leading it to store and recall false information. He demonstrated how ChatGPT could be tricked into believing a user was "102 years old," lived in a fictional world like the Matrix, or subscribed to beliefs like the Earth being flat. The AI would then use this manipulated information to guide future conversations, potentially over time leading to malicious outcomes.

🔗 Proof-of-Concept: Exfiltrating User Data

In a more advanced demonstration, Rehberger crafted a PoC in which all user input and ChatGPT output could be exfiltrated to an external server by simply having ChatGPT interact with a malicious link. The attack worked by exploiting a flaw in ChatGPT’s macOS app, making it possible to send all input and output to an attacker’s server via a malicious image hosted on a link.

🔨 OpenAI's Response: Partial Fix

OpenAI responded to Rehberger's findings with a partial fix that prevents memory from being abused as a vector for exfiltration. However, the vulnerability remains that prompt injections can still cause ChatGPT’s memory tool to store false or malicious data, even if it no longer leads to data leaks.

⚠️ Ongoing Risks & Precautions

LLM users are advised to be cautious and monitor for signs of new memory additions, especially after interacting with potentially untrusted content. Regularly reviewing stored memories for any unusual or unauthorised entries is crucial to prevent this form of attack. OpenAI provides specific guidance on managing stored memories to minimise risks.

The vulnerability reveals the evolving security challenges associated with AI-driven tools that are designed to enhance personalised user experiences but may open doors for potential exploitation.

🥡 Takeaway

This incident highlights the importance of robust security measures for AI systems like ChatGPT, especially as advanced features like long-term memory become more widely adopted. The case also underscores how prompt injections can introduce persistent threats, making it vital for AI developers and users alike to maintain vigilance against potential vulnerabilities in such emerging technologies.

No problem, I’ll just give the NetSupport desk a ring 💀💀💀

🚨 New Phishing Campaign Targets North American Transportation Companies 🛡️

Transportation and logistics companies in North America are the focus of a phishing campaign that seeks to distribute a variety of malicious software, including information stealers and Remote Access Trojans (RATs).

🔐 Phishing Strategy

According to Proofpoint, the attackers use compromised legitimate email accounts from transportation and shipping companies to inject malicious content into ongoing email conversations. So far, 15 breached email accounts have been identified as being part of this campaign. The method by which these accounts were initially compromised is still unknown, and the identities of the attackers remain unclear.

💻 Delivered Malware

Between May and July 2024, the primary malware distributed included Lumma Stealer, StealC, and NetSupport. However, by August 2024, the attackers modified their tactics. They began using new infrastructure, updated delivery techniques, and included additional malware such as DanaBot and Arechclient2.

📝 Attack Vectors

The phishing emails typically contain attachments like internet shortcut (.URL) files or Google Drive URLs. When these files are launched, they use Server Message Block (SMB) to retrieve the malware payload from a remote server. Additionally, a technique known as ClickFix was used to trick victims into running Base64-encoded PowerShell scripts, initiating the malware infection.

🛑 Targeted Companies & Tactics

The campaign has targeted companies using specific fleet management software, such as Samsara, AMB Logistic, and Astra TMS, indicating that the attackers conduct research on their targets before launching their phishing campaigns. The use of such specific lures suggests that these threat actors may be focused on stealing sensitive data or exploiting vulnerabilities related to logistics and transportation operations.

🛠️ Broader Malware Landscape

This attack comes as new strains of information stealers emerge in the wild, including Angry Stealer, BLX Stealer, and CryptBot-related malware like Yet Another Silly Stealer (YASS). Additionally, a new version of the RomCom RAT, codenamed SnipBot, has been observed in other phishing attacks. This malware allows attackers to execute commands on victim systems, upload/download files, and create archives using 7-Zip.

Though RomCom has been associated with ransomware attacks, recent campaigns suggest a shift toward espionage, particularly with the involvement of the group known as Tropical Scorpius (Void Rabisu).

🥡 Key Takeaway

This phishing campaign is a reminder of the importance of cybersecurity vigilance, particularly in industries like transportation and logistics where compromised systems can lead to significant operational disruptions. As attackers evolve their tactics, businesses must continue to update their security measures and educate employees on phishing risks.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Join John Hammond & Daniel Miessler at DevSecCon 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Snyk

Snyk is thrilled to announce DevSecCon 2024, Developing AI Trust Oct 8-9, a FREE virtual summit designed for DevOps, developer and security pros of all levels.

Hear from industry heavyweights John Hammond, Principal Security Researcher at Huntress, and Daniel Miessler, Founder of Fabric and author of the Unsupervised Learning blog.

You’ll walk away with the prescriptive DevSecOps approach needed to build and maintain trust in the age of AI-powered development.

Don’t miss this chance to learn from the best and elevate your security game.

John Hammond
Daniel Miessler

Binance bro 👨🏻‍💼

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s rolling like cyber thunder ⚡

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to SolarWinds, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Solar Winds this round 🥊

🚨 SolarWinds Fixes Critical Flaws in Access Rights Manager! 👨🏻‍💼

SolarWinds has released updates to patch two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability, CVE-2024-28991 (CVSS 9.0), that could lead to remote code execution. 🔓💥 This flaw stems from the deserialization of untrusted data, allowing authenticated users to execute arbitrary code. 🚨 While authentication is required, it can be bypassed, making the flaw even more dangerous. ⚠️

Another issue, CVE-2024-28990 (CVSS 6.3), involves a hard-coded credential that could give unauthorized access to the RabbitMQ management console. 🐰🔓 Both vulnerabilities have been fixed in ARM version 2024.3.1, and while there's no evidence of active exploitation, users are urged to update immediately! 🛡️

Stay ahead of the threats—update now! 🚀🔒

Now, on to this week’s hottest cybersecurity news stories: 

🚨 Binance Warns of Global Clipper Malware Threat Targeting Crypto Users! 💸💻

🚨 SaaS Apps: The Convenience & The Security Risk! 💼🔐

🚨 Phishing Campaigns Exploit HTTP Header Refresh for Credential Theft 🕵️‍♂️🔐

Binance bro 👨🏻‍💼

 🚨 Binance Warns of Global Clipper Malware Threat Targeting Crypto Users! 💸💻

Binance has issued a warning about a global clipper malware threat targeting cryptocurrency users, aiming to facilitate financial fraud by hijacking clipboard data. 🔓🚨 Clipper malware, also called ClipBankers, monitors a user's clipboard and replaces copied cryptocurrency wallet addresses with those controlled by attackers. This sneaky swap redirects digital assets to rogue wallets instead of the intended destination. 💼💸

The issue surged on August 27, 2024, causing significant financial losses, especially for users downloading unofficial apps and plugins on Android, iOS, and web platforms. 📱💻 Binance is actively blocklisting attacker addresses and has advised affected users to check for suspicious software. 🔒🔍

Binance urges users to avoid downloading software from unofficial sources and ensure apps are authentic. This malware often spreads through unofficial channels, especially when users search for apps in their native languages. 🌐⚠️

Cryptocurrency scams remain widespread, with 2023 marking a record year for fraud, leading to over $5.6 billion in losses, according to the FBI. 💰 Binance and security firms are on high alert, and users are encouraged to stay vigilant! 🛡️💡

Transform the way you run your business using AI (Extended Labour day Sale)💰

Imagine a future where your business runs like a well-oiled machine, effortlessly growing and thriving while you focus on what truly matters.
This isn't a dream—it's the power of AI, and it's within your reach.

Join this AI Business Growth & Strategy Masterclass and discover how to revolutionize your approach to business.
In just 4 hours, you’ll gain the tools, insights, and strategies to not just survive, but dominate your market.

What You’ll Experience: 
🌟 Discover AI techniques that give you a competitive edge
💡 Learn how to pivot your business model for unstoppable growth
💼 Develop AI-driven strategies that turn challenges into opportunities
⏰ Free up your time and energy by automating the mundane, focusing on what you love

🗓️ Tomorrow | ⏱️ 10 AM EST

This is more than just a workshop—it's a turning point.
The first 100 to register get in for FREE. Don’t miss the chance to change your business trajectory forever.

Sign up here to save your seat! 👈

Don’t SaaS me 💅🏻

🚨 SaaS Apps: The Convenience & The Security Risk! 💼🔐

With just a few clicks, any SaaS app can transform into a powerhouse for collaboration, CRM, workflow management, marketing, HR, and more. 📊💻 But this convenience also brings significant security risks, as these apps often serve as entry points for threat actors to breach corporate environments and steal sensitive data. 🕵️‍♂️💰

As companies rapidly adopt SaaS applications, their security measures are struggling to keep pace. The rise in attacks like account takeovers and credential leaks is proof of this gap. 🔓👾 On the user side, there's a pressing need for a security-first approach—monitoring access risks and potential threats—but with so many apps, users, and data, this is easier said than done. 😓

The Security Gaps 📉🔍

What leaves organizations vulnerable is a lack of clarity, context, and timely action. Security teams must sift through mountains of threat data, figure out which are relevant, assess the risk, and analyze things like user permissions and data sharing—all while time ticks away! ⏳ This effort consumes massive resources, and many threats slip through the cracks.

Enter Threat Intelligence 💡🛡️ 

This is where threat intelligence steps in. It's a game-changer! 🎯 Threat intelligence provides actionable data about potential threats, giving security teams real-time insights they can act on before it's too late. 🚨 

The Numbers Don't Lie! 📊 

Did you know that right now, 24 billion stolen credentials are floating around on the Darknet? 😱 According to research by ReliaQuest and Microsoft, there are 4,000 password attacks blocked every second! Without specialized threat intelligence, managing these massive numbers of threats is nearly impossible. 🔒🧠

For example, in the 2024 Dropbox Sign breach, attackers exploited OAuth vulnerabilities to gain access to sensitive data like API keys and OAuth tokens. 🚨 This highlighted the importance of proactive security measures and swift response to leaked credentials. 🏃‍♂️💻

MFA: A Solution or Not? 🔐

While Multi-Factor Authentication (MFA) is often touted as a solution, it’s not foolproof. Recent attacks on Change Healthcare and Snowflake showed that attackers can still bypass MFA. The real issue lies in poorly configured apps and security gaps in critical business applications. This is why companies need SaaS-specific threat intelligence—to act before attackers seize control. ⚡👾

Tailored Threat Intelligence for SaaS 🚨

With custom SaaS threat intelligence, security teams receive real-time, contextual alerts when their specific SaaS apps are at risk. 🎯💬 For example, when GitHub suffered a security breach in 2023, stolen OAuth tokens were used to download sensitive data. Immediate action—like revoking tokens—was critical to prevent further damage. 🔐 Swift response is key to minimizing potential losses.

Wing Security: Your SaaS Protector 🛡️💼

Companies like Wing Security are leading the charge in SaaS-specific threat intelligence. 🌟 With a combination of machine learning and expert human analysis, Wing’s platform offers prioritized, timely alerts that guide users through steps like suspending users, revoking tokens, and creating tickets. 🎟️🔧

Wing Security's holistic SaaS security solution ensures that configurations are secure and data is protected across the entire SaaS ecosystem. 🔄🔐 Their platform simplifies SaaS security management, helping CISOs sleep a little better at night. 🌙💤

Stay secure in your SaaS ecosystem—your company’s data depends on it! 💪

Seeking impartial news? Meet 1440.

Every day, 3.5 million readers turn to 1440 for their factual news. We sift through 100+ sources to bring you a complete summary of politics, global events, business, and culture, all in a brief 5-minute email. Enjoy an impartial news experience.

Join for free today!

Phishing for credentials 🎣

🚨 Phishing Campaigns Exploit HTTP Header Refresh for Credential Theft 🕵️‍♂️🔐

Cybersecurity researchers have uncovered a large-scale phishing campaign leveraging refresh entries in HTTP headers to deliver spoofed email login pages, aiming to steal users' credentials. 📨🔓

Unlike typical phishing schemes that manipulate HTML content, these attacks abuse the HTTP response header, which directs browsers to automatically reload or refresh a web page without user interaction. This tactic adds a layer of sophistication, making the attack harder to detect. 🚨

How It Works ⚙️

The infection chain begins with a phishing email containing a malicious link. Clicking the link redirects users to a spoofed login page, often mimicking legitimate websites. The Refresh response header carries the redirect, masking the attacker's intent and pre-filling the victims' email addresses to make the fraudulent page seem authentic. 😱🔐

These attacks were observed between May and July 2024, targeting large corporations, government agencies, and educational institutions across South Korea and the U.S. More than 2,000 malicious URLs were associated with the campaigns. 💻

Key targets: Business and economy (36%), financial services (12.9%), government (6.9%), health (5.7%), and tech (5.4%) sectors.

Attackers also use legitimate domains that offer URL shortening and tracking services, further camouflaging their activities. The tactic of redirecting to official sites makes these phishing attempts even more deceptive, increasing the success rate of credential theft. 🔗⚠️

BEC and Phishing’s Costly Toll 💰

These phishing attacks are just one part of a broader trend of Business Email Compromise (BEC), which continues to be a top avenue for cybercriminals. The FBI reports that BEC scams cost U.S. and global organizations a staggering $55.49 billion between October 2013 and December 2023. Over 305,000 incidents were reported during this period. 📉💼

BEC attacks, like these phishing campaigns, exploit human trust and familiarity, often using legitimate-looking emails and websites to deceive users into handing over sensitive information.

Evolving Phishing Tactics 🎯

Cybercriminals are continuously refining their tactics. In recent scams, deepfake videos of public figures and CEOs have been used to lure victims into bogus investment schemes like Quantum AI. Attackers use social media ads and fake websites to entice users into paying fees, only to lock them out of their accounts and steal their money. 📽️💸

Another emerging threat is the use of automated CAPTCHA-solving services provided by groups like Greasy Opal. Operating since 2009, Greasy Opal offers cybercriminals tools for credential stuffing, fake account creation, and browser automation. Their services, available for as little as $190 with a monthly subscription, cater to a wide array of cybercrime activities, helping threat actors bypass basic security measures like CAPTCHAs. 🧩🔍

One notorious user of these services is Storm-1152, a Vietnamese cybercrime group identified by Microsoft for selling fraudulent Microsoft accounts. These sophisticated operations reflect the growing trend of gray zone cyber businesses, where tools created for legitimate purposes are repurposed for illegal activities. 🌐👥

Protect Yourself 💡

With attackers employing increasingly clever tactics like HTTP header refresh abuse, it’s more critical than ever for organizations to bolster their email security defenses, educate users on phishing awareness, and deploy advanced detection technologies that can identify and mitigate these evolving threats. Stay vigilant, and don't click suspicious links! 🔒

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

They drew first blood 🔪🩸☠️

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your weekly cybersecurity newsletter that leaves cybercriminals sleeping with the phishes 🐟🐠🐡

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Veeam, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Redeem Veeam 🏀

🚨 Veeam Urgently Patches 18 Security Flaws! 🐞

Veeam has released updates to fix 18 security vulnerabilities, including five critical flaws that could allow remote code execution. 

Key vulnerabilities include CVE-2024-40711 (CVSS 9.8) and CVE-2024-38650 (CVSS 9.9), affecting Veeam Backup & Replication, Veeam ONE, and Veeam Service Provider Console. Users should update to the latest versions immediately to mitigate risks, as Veeam has become a popular target for ransomware attacks. 

Notably, Rapid7 reports that Veeam was exploited in over 20% of its incident response cases in 2024! ⚠️🚀🔒

Now, on to this week’s hottest cybersecurity news stories: 

  • 🔪 New RAMBO attack steals data with RAM radio signals 📻

  • 🐼 Mustang Panda bamboozles Asia-Pacific govts w/ malware 👾

  • 🐉 Chinese hackers target human rights studies in Middle East 🐪

They drew first blood 🔪🩸☠️

🚨 New Side-Channel Attack 'RAMBO' Exploits Radio Signals from RAM 🖥️

A novel side-channel attack named RAMBO has been uncovered, leveraging radio signals emitted by a device’s random access memory (RAM) to exfiltrate sensitive data from air-gapped networks. 

This technique was developed by Dr. Mordechai Guri, head of the Offensive Cyber Research Lab at Ben Gurion University in Israel. RAMBO uses software-generated radio signals to encode and transmit sensitive information, such as files, images, encryption keys, and biometric data, posing a significant threat to highly secure, isolated systems. 📡💾

⚙️ How RAMBO Works

The attack relies on software-defined radio (SDR) hardware and a simple antenna to intercept the transmitted radio signals from compromised devices. 

These signals can be decoded and translated back into binary information by a remote attacker, using SDR to demodulate and retrieve the exfiltrated data. 

The malware manipulates the RAM’s clock frequencies to generate electromagnetic emissions that are encoded using Manchester encoding, allowing the data to be transmitted covertly. 

This technique has been demonstrated on systems with Intel i7 3.6GHz CPUs and 16 GB RAM, achieving data exfiltration speeds of up to 1,000 bits per second. 📈🔑

👀 Exfiltration Capabilities of RAMBO

The RAMBO attack can leak various types of data, including keystrokes, documents, and biometric information. 

For example:

Keystrokes: Exfiltrated in real-time with 16 bits per key.

  • RSA Encryption Keys: A 4096-bit key can be exfiltrated in about 41.96 seconds at low speeds.

  • Small Files: Biometric data, images (.jpg), and documents (.txt, .docx) can be transmitted within 400 seconds at slower speeds and even faster at higher speeds.

The efficiency of RAMBO makes it capable of leaking relatively brief information over a short period, underscoring the risk it poses to air-gapped systems. 📉🗂️ 

🛡️ Potential Countermeasures

To mitigate the risk of RAMBO and similar side-channel attacks, the following countermeasures are recommended:

  • Red-Black Zone Restrictions: Enforce strict separation of sensitive data and general-use zones.

  • Intrusion Detection Systems (IDS): Monitor memory access at the hypervisor level.

  • Radio Jammers: Deploy jamming devices to disrupt unauthorized radio communications.

  • Faraday Cages: Use Faraday cages to block electromagnetic emissions from sensitive equipment.

These measures aim to minimize the attack surface and enhance the security of air-gapped networks against electromagnetic-based data exfiltration techniques. 🔒🛑

🏞️ RAMBO in the Broader Threat Landscape

RAMBO joins a growing arsenal of unconventional data exfiltration techniques targeting air-gapped networks, often viewed as the last line of defense for protecting highly sensitive information. 

As with all side-channel attacks, the initial infection vector requires the air-gapped network to be compromised, which can occur through rogue insiders, malicious USB devices, or supply chain attacks. 

Once the malware is in place, these covert channels can be activated, enabling attackers to bypass traditional network defenses and exfiltrate critical data with stealth and precision. 🚫💻

Stay vigilant and employ robust security measures to safeguard against these evolving threats.

🦾 Master AI & ChatGPT for FREE in just 3 hours 🤯

1 Million+ people have attended, and are RAVING about this AI Workshop.
Don’t believe us? Attend it for free and see it for yourself.

Save your spot here. (100 free spots only)

Highly Recommended: 🚀

Join this 3-hour Power-Packed Masterclass worth $399 for absolutely free and learn 20+ AI tools to become 10x better & faster at what you do

👉Save your seat  now (FREE for First 100)

🗓️ Tomorrow | ⏱️ 10 AM EST

In this Masterclass, you’ll learn how to:

🚀 Do quick excel analysis & make AI-powered PPTs 
🚀 Build your own personal AI assistant to save 10+ hours
🚀 Become an expert at prompting & learn 20+ AI tools
🚀 Research faster & make your life a lot simpler & more…

👉 Register here (Offer valid for First 100 people only)🎁

Asia-Pacific Governments: Slow your Mustang down 🐼🙏🎸

🚨 Mustang Panda Ups Its Game with New Malware Tools! 🛠️

The cyber threat group known as Mustang Panda (or Earth Preta) is stepping up its attacks with a refined arsenal, according to Trend Micro. Mustang Panda, active in the Asia-Pacific region, is using a variety of new tools to steal data and deliver more dangerous malware. 🌐🕵️‍♂️

🔧 Key Tools and Tactics

  • PUBLOAD: A downloader linked to Mustang Panda since 2022, used to deliver the PlugX malware, and now spreading via a worm variant called HIUPAN. 🪱💾

  • FDMTP & PTSOCKET: New tools introduced by PUBLOAD to enhance data exfiltration options, with FDMTP acting as a secondary control tool and PTSOCKET enabling multi-thread file transfers. 📤📊 

  • DOWNBAIT & CBROVER: Part of a "fast-paced" spear-phishing campaign targeting countries like Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan. These tools help deliver further payloads like the PlugX remote access trojan (RAT). 🎯📩

📁 Data Theft

Mustang Panda is known for targeting government entities, stealing documents, spreadsheets, and presentations (.doc, .xls, .pdf, etc.) by compressing and exfiltrating them via FTP or custom programs. 🗂️🕵️‍♀️

💡 Recent Findings

Palo Alto Networks Unit 42 highlighted Mustang Panda's crafty use of Visual Studio Code's reverse shell feature, showing their ongoing evolution in attack strategies. 🖥️🔒

"Mustang Panda is rapidly advancing its techniques, making their attacks more complex and effective," say researchers. The group continues to refine its methods, including multi-stage malware chains and potentially exploiting cloud services for exfiltration. 🌩️🚀 

Stay alert! 🚨🔍

All your news. None of the bias.

Be the smartest person in the room by reading 1440! Dive into 1440, where 3.5 million readers find their daily, fact-based news fix. We navigate through 100+ sources to deliver a comprehensive roundup from every corner of the internet – politics, global events, business, and culture, all in a quick, 5-minute newsletter. It's completely free and devoid of bias or political influence, ensuring you get the facts straight.

Subscribe to 1440 today.

Oh, the humanity! 🙃

🚨 Tropic Trooper Strikes Again! 🏝️

Government entities in the Middle East and Malaysia are under attack by Tropic Trooper, a cyber threat group active since 2011, and also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda. This group is notorious for targeting sectors like government, healthcare, and high-tech industries in Taiwan, Hong Kong, and the Philippines. 🖥️🛡️

🎯 New Targets

Kaspersky detected Tropic Trooper’s activity in June 2024 when they found a new version of the China Chopper web shell on a public server running the Umbraco CMS. 🐍🌐 They are now targeting critical government entities in the Middle East, particularly those focused on human rights studies, marking a strategic shift for the group. 🏛️📊

🛠️ Attack Tools

Crowdoor Malware is a variant of SparrowDoor backdoor and is deployed via .NET modules in Umbraco CMS. It acts as a loader for Cobalt Strike, maintains persistence, and harvests sensitive information. 🕵️‍♂️💻 Tropic Trooper exploits vulnerabilities in applications like Adobe ColdFusion and Microsoft Exchange Server to deliver these web shells. 🐞🔓

⚠️ Persistent Threat

Even after detection, Tropic Trooper adapted quickly, uploading new malware samples to evade security measures. 🛡️🔄 Their focus? A CMS publishing studies on human rights, specifically around the Israel-Hamas conflict—highlighting a deliberate and strategic target. 🌍✍️

Stay vigilant! 🚨🔒

That’s all for this week, folks. Take care, it’s a jungle out there 🏝️🦜🌊 🦍🐒

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

🚨 Bitcoin ATM Scams Surge, Costing Victims Millions! 💸

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your weekly cybersecurity newsletter that thinks hackers are about as innocent as Ricky Jones 😂😂😂 #NotGuilty lol 

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Cisco, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Cisco ahead cyber-punk, make my day 🏜️

🚨 Critical Cisco Flaws Patched! Update Now! ⚠️

Cisco has released security updates for two critical vulnerabilities in its Smart Licensing Utility, both rated CVE-2024-20439 and CVE-2024-20440, with a CVSS score of 9.8! 😲 These flaws allow unauthenticated, remote attackers to elevate privileges or access sensitive information. One involves an undocumented static user credential for an admin account, while the other leverages verbose debug logs accessible through crafted HTTP requests. 🔓📂

These flaws are independent but only exploitable when the Cisco Smart Licensing Utility is actively running. Users of versions 2.0.0, 2.1.0, and 2.2.0 should update to version 2.3.0, which is not vulnerable. 🛡️

Cisco also patched a command injection vulnerability in its Identity Services Engine (CVE-2024-20469, CVSS 6.0), allowing authenticated attackers to elevate privileges to root. Affected versions include Cisco ISE 3.2 (3.2P7) and 3.3 (3.3P4). Although PoC exploit code exists, there's no known malicious exploitation—yet! Update now to stay safe! 🔒🚀💻

Now, on to this week’s hottest cybersecurity news stories: 

  • 🏧 Bitcoin ATM scammers Madoff with $65M in 1st 1/2 of 2024 💰

  • 👨🏻‍💻 Ironic hackers spoof GlobalProtect VPN to deliver Wikiloader 👾 

  • 👔 Job seekers beware! N. Korean hackers are coming for you 🎯

That’s a Bit of a worry 👀😬💀 Sorry, was that joke a Bit cryptic? 😏

🚨 Bitcoin ATM Scams Surge, Costing Victims Millions! 💸

Bitcoin ATM scams are on the rise, with victims losing a staggering $114 million in 2023, nearly 10 times the $12 million lost in 2020, according to the Federal Trade Commission (FTC). Already, $65 million has been reported lost in just the first half of 2024. These scams are evolving, but the core tactic remains the same: tricking people into paying scammers under false pretences. 💰📉

🔍 How Bitcoin ATM Scams Work

Bitcoin ATMs, found in places like gas stations and grocery stores, allow users to buy and sell cryptocurrency. Scammers exploit this by contacting victims via phone, text, or online pop-ups, often impersonating bank or government officials. They convince victims that their bank accounts have been compromised and urge them to withdraw cash to secure their funds in what the scammers misleadingly refer to as “safety lockers.” 🚨📲

🛑 The Scam Process

Once the victim arrives at a Bitcoin ATM, scammers instruct them to deposit their cash by scanning a QR code at the machine. This code directs the funds straight into the scammer's crypto wallet, leaving the victim with nothing. The FTC reports that the median loss from these scams is around $10,000, highlighting the devastating financial impact on individuals. 🏧🔒

🚨 Warnings and Regulations

The FBI flagged this scam in 2021, prompting states like Vermont and Minnesota to introduce daily transaction limits on crypto kiosks to curb these fraudulent activities. Despite these efforts, the scams continue to thrive, underscoring the importance of verifying any unexpected financial requests and never withdrawing money based on unsolicited instructions. 🚫📞

⚠️ Other Rising Crypto Scams Bitcoin

ATM scams are just one piece of the larger fraud landscape. Deepfake crypto scams on platforms like YouTube, scammers impersonating journalists to drain digital wallets, and “pig butchering” scams—where victims are groomed over time to invest in fake schemes—are also on the rise. Notably, a former bank CEO was recently arrested for stealing millions in a fraudulent crypto investment. 🐷💥

🔑 Stay Safe and Vigilant 

As cryptocurrency and related technologies become more mainstream, so do the scams. It's crucial to remain vigilant, verify the legitimacy of all financial communications, and be sceptical of anyone asking you to withdraw or deposit funds in unusual ways. Protect your wallet and your peace of mind! 🔐💡

Steal our best value stock ideas.

PayPal, Disney, and Nike all dropped 50-80% recently from all-time highs.

Are they undervalued? Can they turn around? What’s next? You don’t have time to track every stock, but should you be forced to miss all the best opportunities?

That’s why we scour hundreds of value stock ideas for you. Whenever we find something interesting, we send it straight to your inbox.

Subscribe free to Value Investor Daily with one click so you never miss out on our research again.

Hackers: You better GlobalProtect yo’self before you wreck yo’self, fool! 😈

🚨 Malvertising Campaign Spoofs GlobalProtect VPN to Spread WikiLoader Malware 👾

Cybersecurity researchers have uncovered a new malware campaign that spoofs Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (also known as WailingCrab) loader via a search engine optimization (SEO) campaign. This activity, observed in June 2024, marks a shift from the previously known phishing-based propagation methods used by the malware. 🦠🚀

🔍 SEO Poisoning as Initial Access

The campaign employs SEO poisoning, a tactic where attackers manipulate search engine results to lure victims into visiting malicious websites that spoof legitimate results. In this case, the attackers cloned websites and relabeled them as GlobalProtect, leveraging cloud-based Git repositories to host the fake software. When users search for GlobalProtect, they are shown Google ads that redirect them to these malicious pages, initiating the infection process. 🖥️🔗

⚙️ How the Malware Operates

Victims who download the fake GlobalProtect software are tricked into running an MSI installer containing an executable named "GlobalProtect64.exe." This executable is actually a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab) that is used to sideload a malicious DLL called "i4jinst.dll." This sequence ultimately leads to the execution of shellcode that downloads and launches the WikiLoader backdoor from a remote server. 📥🔒

🛡️ Evading Detection

To enhance its effectiveness and evade detection, the malware employs various anti-analysis techniques. It checks if it's running in a virtualized environment and terminates itself if processes related to virtual machine software are detected. Additionally, the campaign uses spoofed, compromised, and legitimate infrastructure to bolster the operational security and robustness of the loader, featuring multiple command-and-control (C2) configurations. 🛡️🚫

⚠️ Fake Error Messages and Deceptive Tactics

To further deceive victims and create an illusion of legitimacy, the installer displays a fake error message at the end of the process, claiming that certain libraries are missing from the user's Windows computer. This tactic helps mask the true nature of the malware and reduces suspicion among victims. 🖥️⚠️

🔄 Shift from Phishing to SEO Poisoning

The reason behind the shift from phishing emails to SEO poisoning as the malware's delivery mechanism remains unclear. Researchers from Unit 42 speculate that this could be the work of a new initial access broker (IAB) or a strategic move by existing groups in response to public disclosures of previous tactics. The malware, first documented by Proofpoint in August 2023, is known to be linked to the threat actor TA544 and has been used to deploy other malware like Danabot and Ursnif. 📧➡️🌐

🌍 Global Reach

The disclosure of this campaign comes shortly after Trend Micro identified a similar campaign targeting users in the Middle East with backdoor malware through fake GlobalProtect VPN software. This highlights the broad and evolving threat landscape as attackers continuously adapt their strategies to bypass security measures and reach more victims globally. 🌐🚩

🛡️ Stay Vigilant 

Users are advised to be cautious when downloading software and ensure they are accessing official websites. Always double-check URLs, avoid clicking on suspicious ads, and consider using reputable cybersecurity tools to detect and block malvertising threats. 🛡️🔍

Looking for a new Korea? 🙃

🚨 North Korean Threat Actors Use Fake Video Conferencing Apps 💻

North Korean threat actors, identified as part of the Lazarus Group (also known as Famous Chollima), have launched a new malware campaign dubbed "Contagious Interview" that leverages fake video conferencing software to compromise developer systems. This campaign, also tracked as DEV#POPPER, involves impersonating FreeConference.com with a phony application that instals malware on targeted devices. 📉💻

🔍 Spoofing Legitimate Software

Detected by Singaporean cybersecurity firm Group-IB in mid-August 2024, this campaign marks a continuation of Lazarus Group's tactics, including distributing malware through native installers for both Windows and macOS. Initially, the attackers used fictitious job interviews to lure victims into downloading and running Node.js projects containing BeaverTail, a downloader malware that deploys InvisibleFerret—a cross-platform Python backdoor with capabilities for remote control, keylogging, and browser data theft. 🖥️🐍

⚠️ Recent Developments

Starting in July 2024, the malware distribution method evolved to include Windows MSI installers and macOS disk images (DMG) disguised as the legitimate MiroTalk video conferencing software. However, the latest attack wave replaced MiroTalk with FreeConference.com, using an installer named "FCCCall.msi" hosted on a malicious website, freeconference[.]io, which shares the same registrar as the fraudulent mirotalk[.]net site. 🚨🔗

🧑‍💻 Social Engineering Tactics

The attack often begins on job search platforms like LinkedIn, We Work Remotely (WWR), Moonlight, and Upwork, where Lazarus Group scouts for potential victims. After establishing initial contact, the attackers typically move conversations to Telegram, where they persuade job seekers to download a video conferencing app or a Node.js project under the guise of a technical task required for a job interview. 🎯📲

💡 Expanding Infection Vectors

The attackers have been diversifying their infection vectors by injecting malicious JavaScript into cryptocurrency- and gaming-related repositories, retrieving BeaverTail JavaScript code from domains like ipcheck[.]cloud and regioncheck[.]net. This approach was also noted by security firm Phylum in connection with a malicious npm package called helmet-validate, suggesting a broadening of their propagation methods. 📦📉

⚙️ Continuous Refinement and Expansion

The emergence of CivetQ and other modular updates highlight the active development and evolving sophistication of Lazarus Group's tools. These enhancements reflect the group's ongoing commitment to refining their tactics, with no indication of slowing down as their campaign extends into late 2024. The Lazarus Group has adapted their strategies to exploit new platforms and targets, showing increased creativity and reach. 🛠️🧑‍💻

🛡️ Stay Vigilant

Job seekers, developers, and companies should exercise caution when downloading software or engaging with unsolicited job opportunities. Verify the legitimacy of all communications and software downloads, particularly those involving unfamiliar platforms or requests to install additional applications during the hiring process. Ensure robust cybersecurity measures are in place to detect and mitigate these sophisticated threats. 🛡️🚫

That’s all for this week, folks! 👋🏻

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

🚨 Cyberattack on Seattle airport

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s trying its damndest not to laugh about the Mbapp-hack… However, Manchester is RED and Tottenham are s*** 🙊🙈🙉 JK

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Windows, the cybercriminals are no match… for your (soon to be released 🙈) patch! 🩹

Check out this freshly hatched patch 🐣

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳

Congrats to Apache, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Apached 🙃

🚨 Critical Apache OFBiz Flaw Actively Exploited! 🚁

CISA has added a critical vulnerability (CVE-2024-38856) in the Apache OFBiz ERP system to its Known Exploited Vulnerabilities (KEV) catalogue due to active exploitation in the wild! 🛡️ This flaw, with a CVSS score of 9.8, allows remote code execution through a Groovy payload by unauthenticated attackers. 🖥️💥

The vulnerability, initially described as a patch bypass for CVE-2024-36104, exposes critical endpoints via crafted requests, leading to remote code execution. 🔓⚠️ Proof-of-concept exploits are already available, signalling significant attacker interest in these flaws. 🚨

CISA previously flagged another Apache OFBiz flaw (CVE-2024-32113) linked to Mirai botnet attacks. Organisations are urged to update to version 18.12.15 to stay protected! 🔒 FCEB agencies must apply the updates by September 17, 2024. Don’t delay—secure your systems now! 🚀🔧✨

Now, on to this week’s hottest cybersecurity news stories: 

  • ✈️ Cyberattack on Seattle airport’s website causes mass delays ⌛

  • ⚽ Mbapp-hack own goal promotes $460M crypto scam on X 💸

  • 📱 NGate Android malware NFC data to clone contactless cards 💳

Hackers are sleepless in Seattle ✈️

🚨✈️ Tech Trouble Hits Seattle Airport! 🖥️

Major Delays at SeaTac Seattle-Tacoma International Airport, America’s 11th-busiest, faced severe delays over the weekend due to a suspected cyberattack that disrupted several computer systems. 🛫❌

🕵️‍♂️ Possible Cyberattack?

On Saturday, the Port of Seattle reported system outages hinting at a potential cyber intrusion. Critical systems were isolated, and efforts to restore full service are ongoing. No timeline for resolution has been given yet. ⏳🔧

📉 Flight Delays Galore

The disruption caused chaos for travellers, with 53% of departing flights and 46% of arrivals delayed on Saturday. The trouble continued into Sunday, with delays affecting 36% of outgoing and 30% of incoming flights. Travellers were advised to arrive earlier than usual as phone and baggage-check systems struggled to function. ⌛🛄

💻 Website Woes

Though flights began returning to schedule by Monday morning, the airport's website remained down. Authorities have not provided an estimate for when full services will be restored. 📵🌐

🛡️ Stay Prepared!

If you’re flying through SeaTac, plan for extra time and stay updated on the latest flight information as recovery efforts continue. Safe travels! 🚀🛫

Work With Daymond? For FREE →

BREAKING NEWS: 5 days of FREE value from Russell Brunson, Daymond John, and 20+ other elite entrepreneurs!

We’re hosting a virtual 5-day challenge called, Your First Funnel Challenge!

In the challenge, we’ll walk you through step-by-step on how to launch your business idea into the world with a funnel!

⏰ But hurry! Seats are filling up fast and this is a closed-door event.

Save your seat

Mhacké 💀

🚨⚽️ Mbappé X Account Hack Costs Traders Millions! 💸🔒

High-Profile Hack and Scam Alert Soccer star Kylian Mbappé's X account was hacked on August 29, leading to chaos both online and in the crypto market. Alongside a series of bizarre posts slamming Lionel Messi and insulting Tottenham, the hacker promoted a fake cryptocurrency token named $MBAPPE, falsely promising to “double” any tokens sent to a specific address. 🤑📉

💥 Bizarre Posts Spark Confusion

Hackers used Mbappé's account to post strange messages, including insults towards Lionel Messi, claims about joining Manchester United on a free transfer in 2028, and derogatory comments about Tottenham. These posts were quickly deleted, but not before causing a stir among fans and followers. 🤯🚫

💰 Huge Crypto Losses

The scam caused the market cap of the fraudulent MBAPPE token to skyrocket to $460 million, before crashing to less than $100,000. One trader lost over $1 million in Solana tokens in just an hour after buying into the scam, highlighting the dangers of celebrity-related crypto schemes. 😱❌

🕵️‍♂️ Onchain Insights

Onchain intelligence firm Lookonchain reported that a trader spent 7,156 Solana ($1.03M) on the fake token, which is now worth only $9.2K. This event adds to a growing list of celebrity-related crypto scams, including the collapse of TrumpCoin earlier this year. 📉⚠️

🚨 Warnings Issued

Crypto.com and other major crypto firms have warned traders not to fall for the fake Mbappé token, emphasising the importance of caution in the volatile crypto market. 🛡️🚫

📈 Not Everyone Lost

While many suffered significant losses, some savvy traders made quick profits. One trader turned $28 into $124,000 by cashing out just before the token’s price collapse. It’s a reminder of the high risks—and occasional rewards—in the world of crypto scams. 💸💥

🔑 Stay Safe!

Always double-check endorsements and be wary of “too good to be true” offers, especially on social media. Protect your investments, and listen to the latest updates on "It's All Kicking Off!" with new episodes every Monday and Thursday. 🌐🔒

Hopefully updates will soon Ngate the issue 👀

🚨📱 New Android Malware Steals Your Payment Info! 💳💥

Meet NGate(or don’t! 💀): A New Threat Cybersecurity researchers have uncovered NGate, a dangerous Android malware that steals contactless payment data from victims’ credit and debit cards and relays it to an attacker’s device for fraudulent activities. The malware, tracked by Slovak cybersecurity firm ESET, targets financial institutions in Czechia and has been linked to three banks in the region. 🚨💳📉

🛠️ How NGate Works

NGate operates through malicious apps installed on Android devices, which relay NFC data from victims' payment cards to an attacker-controlled device that can then emulate the original card and withdraw money from ATMs. The malware abuses a legitimate tool called NFCGate, initially developed for security research by students at TU Darmstadt in 2015. 📲🚨

🔍 Attack Tactics

The attack relies heavily on social engineering, using SMS phishing and fake domains that mimic legitimate banking sites or apps. Victims are tricked into installing malicious progressive web apps (PWAs) or WebAPKs, which then prompt them to enter sensitive information like their banking ID, date of birth, and PIN code. The app even instructs users to enable NFC and scan their card to capture the payment data. 📧⚠️

📞 Phishing and Fake Calls

After installation, the attackers further exploit victims by posing as bank employees in phone calls, claiming their accounts have been compromised. They instruct victims to change their PIN and validate their banking card through NGate, again sent via SMS links. These apps were not found on the Google Play Store, and Google confirmed that its Play Protect system guards against known versions of NGate. ☎️🔒

🚔 Crackdown and Arrests

Six NGate apps were identified between November 2023 and March 2024. The campaign likely ceased after Czech authorities arrested a 22-year-old linked to ATM fund thefts. Despite the arrest, the sophisticated techniques of NGate highlight the evolving threats in mobile banking fraud. 🚨👮‍♂️

🌐 NGate's Infrastructure

The malware uses two servers: one for phishing to collect sensitive information and initiate NFC relay attacks, and another for redirecting NFC traffic to the attacker’s device. This operation shows the complexity and organised nature of NGate’s fraud tactics. 🖥️📡

⚠️ Stay Alert!

This discovery comes alongside another new threat: a variant of the Copybara banking trojan that uses voice phishing (vishing) to steal bank credentials. Both NGate and Copybara exploit Android’s accessibility services to exert control over infected devices, demonstrating the need for vigilance when installing apps and sharing sensitive information. 🛡️📱

Stay informed, and always verify the legitimacy of apps before installation! 🚫📲

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

🚨 FBI Takes Down Radar/Dispossessor Ransomware Infrastructure 💥

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes all our UK readers a sunny, safe, and sound August Bank Holiday Weekend 🍾🍾🍾 

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Windows, the cybercriminals are no match… for your (soon to be released 🙈) patch! 🩹

Check out this freshly hatched patch 🐣

🛡️🚨 Patch Alert: Microsoft Fixes 90 Security Flaws, 10 Zero-Days! 🚨🛡️

Microsoft has released patches for 90 security flaws, including 10 critical zero-days—six of which are actively being exploited in the wild! 🔥 Of these, nine are rated Critical, 80 Important, and one Moderate. The key zero-days include CVE-2024-38189 (CVSS 8.8) for remote code execution in Microsoft Project, and CVE-2024-38178 (CVSS 7.5), a Windows Scripting Engine memory corruption vulnerability. 🖥️💣

These updates also tackle issues like privilege escalation (CVE-2024-38193) and bypassing security features (CVE-2024-38213). Don't forget to update your systems ASAP to stay protected! 💻🔒

Additionally, 36 vulnerabilities in Microsoft Edge were patched, and other vendors like Adobe, Google, Intel, and more have released crucial updates. Stay ahead of the threats—keep your systems secure! 🚀🔐📱

Now, on to this week’s hottest cybersecurity news stories: 

  • 👨🏻‍💻 Dispossesser ransomware servers shut down by FBI 👮🏻‍♂️

  • 🐞 Vulnerabilities discovered in AI-powered Azure health bot 🤖

  • 👤 Black Basta-Linked attacks target Users w/ SystemBC malware 👾

Dispossesser gets dispossessed 👮🏻‍♂️👀💀 

🚨 FBI Takes Down Radar/Dispossessor Ransomware Infrastructure 💥

🎯 Major Disruption! The FBI has dismantled the online infrastructure of Radar/Dispossessor, a rising ransomware group targeting small-to-mid-sized businesses globally. This operation involved taking down multiple servers and criminal domains across the U.S., U.K., and Germany.

🦹 Who is Dispossessor?

Active since August 2023, Radar/Dispossessor quickly made a name for itself in sectors like healthcare, education, and finance. The group, allegedly led by someone using the alias "Brain," employs a Ransomware-as-a-Service (RaaS) model similar to LockBit, using dual-extortion tactics to pressure victims into paying up.

🔗 Attack Tactics

Dispossessor exploits security flaws and weak passwords to breach systems, encrypt data, and demand ransom. If victims don’t respond, the group ups the ante by directly contacting company employees and threatening to leak sensitive data on video platforms.

🌍 Global Reach

So far, 43 companies across 14 countries, including the U.S., U.K., Germany, and Australia, have fallen victim to Dispossessor attacks. The group shares tools and profits with another entity called Radar, suggesting a close collaboration between the two.

🔍 The Bigger Picture

This takedown is part of a broader global effort to combat ransomware, which remains a significant threat. Ransomware groups are increasingly targeting smaller organisations, exploiting vulnerabilities, and operating with a level of sophistication that mirrors legitimate businesses.

💡 Stay Vigilant

As ransomware groups continue to evolve, businesses must stay vigilant, bolster security measures, and prepare for the possibility of being targeted.

Power your competitive advantage with intelligent automation from ELEKS

ELEKS' intelligent automation service transforms your business operations through data-driven solutions. We automate complex tasks, streamlining processes to increase productivity and reduce operational costs. Our tailored solutions adapt to your changing needs and help you unlock new growth opportunities by freeing your team to focus on high-value tasks.

The result? Enhanced customer satisfaction, improved client retention, and a stronger market position.

Talk to our automation specialists

Azure as you’re born 🙃

🚨 Critical Flaws in Microsoft Azure Health Bot Service Patched 🛡️

🔍 Security Risks in Healthcare Bots! Cybersecurity researchers have uncovered two critical vulnerabilities in Microsoft's Azure Health Bot Service that could have allowed attackers to access sensitive patient data by moving laterally within customer environments. The issues, now patched by Microsoft, were reported by Tenable in a detailed investigation.

🤖 What is Azure Health Bot?

Azure Health Bot is a cloud platform used by healthcare organisations to develop AI-powered virtual assistants for tasks like managing patient interactions and administrative workloads. These bots are widely used by insurance providers and healthcare entities to help users with tasks such as checking claim statuses or finding nearby doctors.

⚠️ Vulnerabilities Exposed

Tenable's research focused on a feature called Data Connections within the service, which allows bots to integrate with external data sources. Despite built-in security measures, Tenable discovered that these safeguards could be bypassed using redirect responses, allowing attackers to obtain access tokens for sensitive internal resources.

Additionally, another endpoint supporting the FHIR data exchange format was found vulnerable to similar exploits. The flaws raised significant concerns about the security of AI-driven healthcare tools, emphasising the need for robust web app and cloud security practices.

🔧 Microsoft’s Response

After Tenable reported these issues in mid-2024, Microsoft swiftly rolled out patches to all affected regions. There's no evidence to suggest these vulnerabilities were exploited in the wild, but the incident underscores the importance of securing AI-based services in critical sectors like healthcare.

🛡️ Ongoing Security Efforts

This discovery comes shortly after another reported flaw in Microsoft Entra ID, which allowed for privilege escalation. These incidents highlight the evolving nature of cybersecurity threats in the era of AI and cloud computing.

By keeping software up-to-date and applying rigorous security measures, organisations can better protect sensitive data from emerging threats.

You Black Basta- WOAH! Easy now 💀💀💀

🚨 Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Group 🛡️

Cybersecurity researchers have uncovered an ongoing social engineering campaign with ties to the Black Basta ransomware group. This campaign, which has been linked to multiple intrusion attempts, is focused on credential theft and deploying the SystemBC malware dropper.

🎣 Attack Methodology

The attack begins with an "email bomb," followed by a phone call from the attackers who pose as IT staff offering a "solution" to the overwhelmed users. The attackers typically make these calls via Microsoft Teams, making the scam appear legitimate.

Victims are then convinced to download and install AnyDesk, a legitimate remote access software, which the attackers use as a channel to deploy further malicious payloads and exfiltrate sensitive data. One notable part of the attack is the use of a fake executable named "AntiSpam.exe," which pretends to be an email spam filter update and tricks users into entering their Windows credentials.

🦠 Malware Deployment

Once the attackers gain access, they execute several binaries, DLL files, and PowerShell scripts, including a Golang-based HTTP beacon that establishes contact with a remote server, a SOCKS proxy, and the SystemBC malware. This layered approach allows the attackers to maintain persistent access and potentially exfiltrate more sensitive data.

⚠️ Broader Context and Trends

This campaign is part of a broader trend in social engineering and phishing attacks. Data from ReliaQuest indicates that SocGholish (FakeUpdates), GootLoader, and Raspberry Robin are among the most commonly observed loader strains in 2024, serving as gateways for ransomware deployment.

Interestingly, GootLoader has replaced QakBot on the top-three list this year, reflecting shifts in malware distribution strategies. Many of these loaders are marketed on dark web forums under subscription models, making it easier for even less technically skilled attackers to launch sophisticated attacks.

🔍 Additional Threats

Phishing attacks have also been observed using the 0bj3ctivity Stealer and Ande Loader in multi-layered distribution mechanisms. These attacks involve obfuscated and encrypted scripts, memory injection techniques, and enhanced anti-detection features, making them harder to detect.

In a related trend, threat actors have been weaponizing fake QR codes and malvertising campaigns. For instance, some campaigns have hijacked Facebook pages to promote seemingly legitimate AI tools, which are then used to deliver Lumma Stealer malware.

🔧 Mitigation Strategies

To defend against these sophisticated attacks, it is recommended to block unapproved remote desktop solutions, educate employees about phishing tactics, and be vigilant against suspicious communications, especially those purporting to be from internal IT staff.

🌐 Staying Safe

As attackers continue to innovate with social engineering techniques, it’s crucial for both individuals and organisations to maintain robust security practices, including advanced detection mechanisms and continuous monitoring of potential threats.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

🚨 North Korea’s “Laptop Farm” in Nashville Exposed! 💻

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s always phishing for compliments 🎣 Feedback welcome! 

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Windows, the cybercriminals are no match… for your (soon to be released 🙈) patch! 🩹

Check out this freshly hatched patch 🐣

🚨 Microsoft Office Zero-Day Flaw Exposed 🚨

🔓 Unpatched Office Vulnerability Could Leak Sensitive Data 🔓 Microsoft has revealed a critical zero-day vulnerability in Office, tracked as CVE-2024-38200 (CVSS score: 7.5). This spoofing flaw affects multiple Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps​ (World Economic Forum).

⚠️ Web-Based Attack Threat ⚠️

In a potential attack scenario, hackers could host a malicious website or use compromised sites to trick users into opening specially crafted files. The attack relies on convincing users to click on a link, usually through phishing emails or instant messages

🩹 Patch just in 🩹

A formal patch for CVE-2024-38200 was shipped on August 13 as part of its monthly Patch Tuesday updates, but the tech giant said it identified an alternative fix that it has enabled via Feature Flighting as of July 30, 2024. 

Now, on to this week’s hottest cybersecurity news stories: 

  • 👮‍♂️ Nashville man charged for helping N. Koreans to get U.S. tech jobs 💻

  • 👂 Hackers could be eavesdropping on you via your Sonos speakers 🔊 

  • 🛒 PhaaS (phishing-as-a-service) contribute to all time in phishing attacks 🎣

Nashville man: Looking for a new Korea? 👀🙈💀 

🚨 North Korea’s “Laptop Farm” in Nashville Exposed! 💻

🤖 Fraud Scheme Uncovered 🤖 The U.S. Department of Justice (DoJ) has charged 38-year-old Matthew Isaac Knoot from Nashville for allegedly running a “laptop farm” to help North Korean IT workers secure remote jobs with American and British companies. These roles allegedly funded North Korea’s illicit weapons program.

💻 Deceptive Operations 💻
Knoot is accused of using stolen identities, including that of "Andrew M.," to deceive companies into hiring North Korean operatives. These workers used the stolen identity to secure jobs, while Knoot facilitated their access by hosting company laptops at his residence and installing unauthorised software.

🕵️ Exposing the Scheme 🕵️

From July 2022 to August 2023, Knoot’s operation allegedly caused over $500,000 in damages. He faces serious charges, including wire fraud and identity theft, which could result in up to 20 years in prison. This case follows similar charges against another individual, Christina Marie Chapman, earlier this year.

🏞️ Bigger Picture 🏞️

The scheme highlights ongoing threats posed by North Korean cyber operations, as recent advisories warn about IT workers generating revenue for the regime from abroad. The situation underscores the importance of vigilance in hiring practices, especially in the digital age.

Want SOC 2 compliance without the Security Theater?

  • Get the all-in-one platform for SOC 2

  • Build real-world security 💪

  • Penetration testing, compliance software, 3rd party audit, & vCISO

Schedule a demo for pricing!

Are you sitting comfortably? Then I'll begin 👂😬💀

🚨 Sonos Smart Speakers Vulnerable to Hacking! 🎶

🔓 New Security Flaws Exposed 🔓 Researchers have uncovered critical vulnerabilities in Sonos smart speakers that could allow hackers to take control of the devices, exposing users to potential cyber threats. The flaws, tracked as CVE-2024-3109 and CVE-2024-3110, affect various Sonos models and could be exploited to access private audio streams or launch attacks on home networks.

🎤 Speaker Hijacking Risk 🎤

One flaw allows attackers to remotely control speakers, play audio, and even transmit private conversations if the device is compromised. The second flaw could let attackers execute malicious code by sending specially crafted network requests to the speakers, potentially compromising other devices on the same network.

🩹 Patch On the Way 🩹

Sonos has acknowledged the vulnerabilities and is working on patches to address these issues. Users are advised to ensure their devices are updated with the latest firmware and to monitor any unusual activity on their networks.

🚨 Stay Secure 🚨

This discovery serves as a reminder of the security risks associated with smart home devices. As more gadgets become connected, the importance of robust cybersecurity measures becomes critical to protect against potential threats.

We were hoping it was just a PhaaSe 👀🙈😏

🚨 Phishing Attacks Surge in 2023: AI and PhaaS Fuel the Fire 🎣

💼 Phishing Incidents Skyrocket! 💼 In 2023, a staggering 94% of businesses were hit by phishing attacks, marking a 40% increase from the previous year, according to research from Egress. This sharp rise is largely attributed to the growing use of AI and the emergence of Phishing as a Service (PhaaS).

🤖 AI’s Role in the Rise 🤖

Generative AI has made it easier than ever for cybercriminals to craft convincing phishing content, from malicious emails to deepfake videos. AI can also assist in writing the malware often deployed during phishing campaigns, making these attacks more sophisticated and difficult to detect.

🎣 Phishing as a Service (PhaaS) 🎣

PhaaS platforms allow even those with limited technical skills to launch phishing attacks by hiring skilled attackers. This has democratised phishing, enabling more frequent and targeted campaigns.

📅 Timely and Targeted Attacks 📅

The surge in phishing is also driven by threat actors’ ability to quickly respond to current events, like the CrowdStrike “Blue Screen of Death” incident and major events like the Olympics and UEFA Euro 2024. These attacks often capitalise on the confusion or excitement surrounding such events, making them particularly effective.

🔍 Stay Vigilant 🔍

With AI and PhaaS making phishing easier, businesses and individuals must stay informed and take proactive steps to protect themselves from these evolving threats.

That’s all for this week, folks! Stay safe out there 🛡️🛡️🛡️

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter