<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Cyber Oracle]]></title><description><![CDATA[Discover Cyber Oracle – Your weekly update on cybersecurity innovation! Explore cutting-edge tech, global insights, interesting jobs/internships, and practical tips to secure your digital world. Subscribe now for the latest directly in your inbox!]]></description><link>https://www.cyber-oracle.com</link><image><url>https://substackcdn.com/image/fetch/$s_!CqKa!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57abd4d0-be3d-43e6-a3e6-1cae0356eb2d_1000x1000.png</url><title>Cyber Oracle</title><link>https://www.cyber-oracle.com</link></image><generator>Substack</generator><lastBuildDate>Wed, 29 Apr 2026 03:59:41 GMT</lastBuildDate><atom:link href="https://www.cyber-oracle.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Nikunj Patel]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[cyberoracle@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[cyberoracle@substack.com]]></itunes:email><itunes:name><![CDATA[Nikunj Patel]]></itunes:name></itunes:owner><itunes:author><![CDATA[Nikunj Patel]]></itunes:author><googleplay:owner><![CDATA[cyberoracle@substack.com]]></googleplay:owner><googleplay:email><![CDATA[cyberoracle@substack.com]]></googleplay:email><googleplay:author><![CDATA[Nikunj Patel]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Google Rushes Emergency Fix for Zero-Day Chrome Vulnerability CVE-2024-4761 Under Active Exploitation]]></title><description><![CDATA[Plus, VMware Issues Urgent Fixes for Critical 
Security Flaws in Workstation and Fusion Products]]></description><link>https://www.cyber-oracle.com/p/google-rushes-emergency-fix-for-zero</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/google-rushes-emergency-fix-for-zero</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 14 May 2024 17:45:44 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!HJTq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Chrome Users Urged to Update Immediately as Google Unveils Patch for Critical V8 Engine Flaw</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HJTq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HJTq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 424w, https://substackcdn.com/image/fetch/$s_!HJTq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 848w, https://substackcdn.com/image/fetch/$s_!HJTq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 1272w, 
https://substackcdn.com/image/fetch/$s_!HJTq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HJTq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png" width="800" height="800" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Google Chrome - Wikipedia&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Google Chrome - Wikipedia" title="Google Chrome - Wikipedia" srcset="https://substackcdn.com/image/fetch/$s_!HJTq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 424w, https://substackcdn.com/image/fetch/$s_!HJTq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 848w, https://substackcdn.com/image/fetch/$s_!HJTq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 1272w, 
https://substackcdn.com/image/fetch/$s_!HJTq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d320954-8874-4f6a-9147-6f7091f782a5_800x800.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Google has swiftly responded to the discovery of a new zero-day vulnerability, identified as CVE-2024-4761, affecting its Chrome web browser. This high-severity flaw impacts the V8 JavaScript and WebAssembly engine and was anonymously reported on May 9, 2024.
The vulnerability, categorized as an out-of-bounds write bug (a write past the end of an allocated memory buffer), has already been exploited in the wild, prompting Google to expedite the release of emergency fixes. Out-of-bounds write bugs are notorious for their potential to corrupt data, cause crashes, or enable malicious actors to execute arbitrary code on compromised systems.</p><p>Notably, this development follows closely on the heels of Google patching another actively exploited vulnerability, CVE-2024-4671, a use-after-free flaw in the Visuals component. Google's prompt action reflects its ongoing efforts to safeguard users against emerging cyber threats and underscores the critical importance of timely software updates.</p><p>Since the beginning of the year, Google has addressed a total of six zero-day vulnerabilities, three of which were demonstrated at the Pwn2Own hacking contest held in Vancouver in March. These vulnerabilities, including CVE-2024-0519, CVE-2024-2886, CVE-2024-2887, CVE-2024-3159, and CVE-2024-4671, highlight the evolving landscape of cyber threats and the continuous need for vigilance in software security.</p><p>To mitigate the risks associated with CVE-2024-4761, users are strongly advised to update their Chrome browsers to the latest version: version 124.0.6367.207/.208 for Windows and macOS, and version 124.0.6367.207 for Linux.
Additionally, users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should remain vigilant and apply the necessary patches as soon as they become available.</p><h3>Newly Disclosed Vulnerabilities in VMware Workstation and Fusion Pose Risk of Code Execution and Data Exposure</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Blva!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Blva!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 424w, https://substackcdn.com/image/fetch/$s_!Blva!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 848w, https://substackcdn.com/image/fetch/$s_!Blva!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 1272w, https://substackcdn.com/image/fetch/$s_!Blva!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Blva!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png" width="1456" height="874" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:874,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;VMware (Endpoint Protection) - Tech Partners | Cloudflare&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="VMware (Endpoint Protection) - Tech Partners | Cloudflare" title="VMware (Endpoint Protection) - Tech Partners | Cloudflare" srcset="https://substackcdn.com/image/fetch/$s_!Blva!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 424w, https://substackcdn.com/image/fetch/$s_!Blva!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 848w, https://substackcdn.com/image/fetch/$s_!Blva!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 1272w, https://substackcdn.com/image/fetch/$s_!Blva!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff2a974a7-31e2-4a84-9616-72be788e9206_5000x3000.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 
20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The recent disclosure by VMware highlights four security vulnerabilities affecting its Workstation and Fusion products, posing risks of information exposure, denial-of-service (DoS) attacks, and potential code execution under specific conditions. These vulnerabilities, tracked as CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, and CVE-2024-22270, impact Workstation versions 17.x and Fusion versions 13.x.
VMware promptly addressed these issues in version 17.5.2 for Workstation and version 13.5.2 for Fusion.</p><p>The vulnerabilities span a range of weaknesses: a use-after-free flaw in the Bluetooth device (CVE-2024-22267), a heap buffer-overflow vulnerability in Shader functionality (CVE-2024-22268), and two information disclosure flaws affecting Bluetooth functionality (CVE-2024-22269) and Host Guest File Sharing (HGFS) functionality (CVE-2024-22270). Exploitation of these vulnerabilities could allow threat actors with varying levels of access privileges to execute arbitrary code, trigger DoS conditions, or access sensitive information stored in hypervisor memory.</p><p>Notably, CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were initially demonstrated at the Pwn2Own hacking contest in March 2024, underscoring the real-world exploitability of these flaws. As interim measures, VMware recommends that users disable Bluetooth support on virtual machines and deactivate the 3D acceleration feature until the patches can be applied. However, there is no equivalent mitigation for CVE-2024-22270, which makes promptly updating affected systems all the more important.</p><p>This advisory follows VMware's earlier patch release addressing critical security flaws in ESXi, Workstation, and Fusion products, reaffirming the company's commitment to promptly addressing security vulnerabilities to protect its users and their virtual environments.</p>]]></content:encoded></item><item><title><![CDATA[Supply Chain Attack Unveiled in Linux Distro Utility XZ Utils, Facilitating Remote Code Execution]]></title><description><![CDATA[Plus, Earth Freybug Cyber Threat Group Unleashes New UNAPIMON Malware, Poses Significant Security Risk]]></description><link>https://www.cyber-oracle.com/p/supply-chain-attack-unveiled-in-linux</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/supply-chain-attack-unveiled-in-linux</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 02 Apr 2024 15:02:27 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!qYpB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>CVE-2024-3094 Discovered in XZ Utils Raises Concerns Over Backdoor Inserted by Maintainer, Potentially Allowing Remote Attackers Complete Access to Systems</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qYpB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp"
srcset="https://substackcdn.com/image/fetch/$s_!qYpB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 424w, https://substackcdn.com/image/fetch/$s_!qYpB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 848w, https://substackcdn.com/image/fetch/$s_!qYpB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!qYpB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qYpB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg" width="889" height="500" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:500,&quot;width&quot;:889,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution" title="Kali Linux | Penetration 
Testing and Ethical Hacking Linux Distribution" srcset="https://substackcdn.com/image/fetch/$s_!qYpB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 424w, https://substackcdn.com/image/fetch/$s_!qYpB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 848w, https://substackcdn.com/image/fetch/$s_!qYpB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!qYpB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F28c1b512-2af9-44df-9c67-4e67e5aa02ac_889x500.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" 
fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>A critical security flaw tracked as CVE-2024-3094 has been exposed in the widely used Linux data compression utility XZ Utils, allowing remote code execution. Discovered by Microsoft engineer Andres Freund, the backdoor enables attackers to bypass secure shell authentication and gain full system access.</p><p>The malicious code was deliberately inserted by a project maintainer named Jia Tan, who meticulously built credibility over two years before introducing the backdoor in the XZ Utils 5.6.0 and 5.6.1 release tarballs. Tan's sockpuppet accounts, including Jigar Kumar and Dennis Ens, reportedly orchestrated feature requests and issue reports to influence the addition of Tan as a co-maintainer.</p><p>Lasse Collin, the original maintainer, acknowledged the breach, emphasizing that the compromised tarballs were created and signed by Tan. 
Filippo Valsorda's analysis revealed that remote attackers can execute arbitrary payloads through an SSH certificate, circumventing authentication protocols to take control of victim machines.</p><p>The incident underscores the sophistication of the state-sponsored operation behind the supply chain attack, prompting concerns over the security of open-source software projects and the need for robust tools and processes to detect tampering and malicious features.</p><p>This discovery echoes previous supply chain attacks like Apache Log4j, highlighting the vulnerabilities inherent in open-source and volunteer-run projects and emphasizing the importance of adopting measures to identify and mitigate such threats.</p><h3>Trend Micro Exposes Sophisticated Tactics of Earth Freybug's Latest Espionage Campaign with UNAPIMON Malware</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!IoLP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!IoLP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 424w, https://substackcdn.com/image/fetch/$s_!IoLP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 848w, https://substackcdn.com/image/fetch/$s_!IoLP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 1272w, 
https://substackcdn.com/image/fetch/$s_!IoLP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!IoLP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp" width="728" height="380" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/decba835-ebeb-4d60-946e-4745835446cb_728x380.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:380,&quot;width&quot;:728,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations" title="China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations" srcset="https://substackcdn.com/image/fetch/$s_!IoLP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 424w, https://substackcdn.com/image/fetch/$s_!IoLP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 848w, 
https://substackcdn.com/image/fetch/$s_!IoLP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 1272w, https://substackcdn.com/image/fetch/$s_!IoLP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdecba835-ebeb-4d60-946e-4745835446cb_728x380.webp 1456w" sizes="100vw"></picture></div></a></figure></div><p>Security experts have identified a new threat activity cluster dubbed Earth Freybug, which has deployed a sophisticated new malware named UNAPIMON in
its espionage and financially motivated campaigns. Earth Freybug, active since at least 2012 and believed to be a subset of the China-linked APT41 group, employs a variety of tactics, including living-off-the-land binaries (LOLBins) and custom malware, to target organizations globally.</p><p>UNAPIMON, the latest addition to Earth Freybug's arsenal, is designed to evade detection. It prevents child processes from being monitored by combining DLL hijacking with API unhooking, which lets the malware operate stealthily in sandbox environments that rely on API monitoring through hooking.</p><p>The attack chain begins with the use of a legitimate executable associated with VMware Tools to create a scheduled task and deploy a malicious batch script named "cc.bat" on the victim's machine. This batch script collects system information and launches another scheduled task to execute UNAPIMON.</p><p>Notably, UNAPIMON relies on a service called SessionEnv to load a malicious DLL, TSMSISrv.DLL, which drops the UNAPIMON DLL file and injects it into critical processes like cmd.exe and SessionEnv itself. This grants the attackers remote access to the compromised system, effectively turning it into a backdoor.</p><p>Despite its simple C++ codebase, UNAPIMON demonstrates the author's coding prowess and creativity. By leveraging the Detours library, the malware evades detection and analysis, making it challenging for security researchers to uncover its malicious activities.</p><p>The discovery of UNAPIMON underscores the evolving tactics of Earth Freybug and highlights the importance of implementing robust cybersecurity measures. Even seemingly simple techniques, when applied effectively, can significantly enhance the stealth and effectiveness of cyberattacks.
As such, organizations must remain vigilant and employ comprehensive security solutions to detect and mitigate threats posed by sophisticated threat actors like Earth Freybug.</p>]]></content:encoded></item><item><title><![CDATA[BIPClip: Python Packages on PyPI Infected to Steal Cryptocurrency Wallet Recovery Phrases]]></title><description><![CDATA[Plus, WordPress Plugin Vulnerabilities Fuel Malware Campaigns, Infecting Thousands of Sites]]></description><link>https://www.cyber-oracle.com/p/bipclip-python-packages-on-pypi-infected</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/bipclip-python-packages-on-pypi-infected</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 12 Mar 2024 16:15:46 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!vfrF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Security Researchers Uncover Sophisticated Software Supply Chain Attack Aiming to Compromise Crypto Assets, Highlighting Risks in Open-Source Repositories</h3><div
class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!vfrF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!vfrF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 424w, https://substackcdn.com/image/fetch/$s_!vfrF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 848w, https://substackcdn.com/image/fetch/$s_!vfrF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 1272w, https://substackcdn.com/image/fetch/$s_!vfrF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!vfrF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png" width="1316" height="593" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:593,&quot;width&quot;:1316,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;How to publish a python command line 
application to pip (PyPI) | by Albert  Acebr&#243;n | Level Up Coding&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="How to publish a python command line application to pip (PyPI) | by Albert  Acebr&#243;n | Level Up Coding" title="How to publish a python command line application to pip (PyPI) | by Albert  Acebr&#243;n | Level Up Coding" srcset="https://substackcdn.com/image/fetch/$s_!vfrF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 424w, https://substackcdn.com/image/fetch/$s_!vfrF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 848w, https://substackcdn.com/image/fetch/$s_!vfrF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 1272w, https://substackcdn.com/image/fetch/$s_!vfrF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec69f02f-dba6-46a3-8d7d-585d3481ed1f_1316x593.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>A set of seven packages discovered on the Python Package Index (PyPI) repository has been found to harbor malware designed to steal BIP39 mnemonic phrases, crucial for recovering private keys of cryptocurrency wallets. ReversingLabs has dubbed the software supply chain attack campaign as BIPClip, noting that the packages collectively amassed 7,451 downloads before being removed from PyPI.</p><p>According to security researcher Karlo Zanki, the attack, active since December 4, 2022, targets developers involved in cryptocurrency wallet generation and security projects, reflecting the persistent interest of threat actors in crypto-related supply chain attacks.</p><p>In a bid to evade detection, one of the packages, mnemonic_to_address, appeared benign but listed bip39-mnemonic-decrypt as a dependency, containing the malicious component.
The malware operates by exfiltrating stolen mnemonic phrases to a server controlled by the threat actors.</p><p>Additionally, packages such as public-address-generator and erc20-scanner serve as lures to transmit stolen data to the same command-and-control (C2) server. Another package, hashdecrypts, functions independently, harvesting data through near-identical code.</p><p>ReversingLabs uncovered references to a GitHub profile named "HashSnake," featuring a repository named hCrypto, advertised as a tool to extract mnemonic phrases from crypto wallets. The campaign, ongoing for over a year, indicates a concerted effort by threat actors to compromise crypto assets.</p><p>Furthermore, the HashSnake account maintains a presence on Telegram and YouTube, promoting malicious tools such as xMultiChecker 2.0, emphasizing the threat posed by organized cybercriminals within open-source ecosystems.</p><p>These findings underscore the risks inherent in open-source repositories, exacerbated by the exploitation of abandoned projects by threat actors. 
The case serves as a reminder for developers and organizations to remain vigilant against software supply chain attacks and adopt robust security measures to safeguard against such threats.</p><h3>Exploitation of Popup Builder and Ultimate Member Plugins Puts WordPress Sites at Risk, Highlighting Urgency for Patching and Vigilance</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9Uuu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9Uuu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 424w, https://substackcdn.com/image/fetch/$s_!9Uuu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 848w, https://substackcdn.com/image/fetch/$s_!9Uuu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 1272w, https://substackcdn.com/image/fetch/$s_!9Uuu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9Uuu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png" width="1456" height="786" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:786,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Graphics &amp; Logos &#8211; WordPress.org&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Graphics &amp; Logos &#8211; WordPress.org" title="Graphics &amp; Logos &#8211; WordPress.org" srcset="https://substackcdn.com/image/fetch/$s_!9Uuu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 424w, https://substackcdn.com/image/fetch/$s_!9Uuu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 848w, https://substackcdn.com/image/fetch/$s_!9Uuu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 1272w, https://substackcdn.com/image/fetch/$s_!9Uuu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce73da7d-0cf6-4098-9660-4bf063a3fff9_2000x1080.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>A new malware campaign exploiting a high-severity security flaw in the Popup Builder plugin for WordPress has infected more than 3,900 sites within three weeks, as reported by Sucuri. Orchestrated from domains registered since February 12, 2024, the attacks capitalize on CVE-2023-6000, allowing the injection of malicious JavaScript code.</p><p>The malware campaign, identified by security researcher Puja Srivastava, injects two variants of malicious code aimed at redirecting site visitors to phishing and scam pages. WordPress site owners are urged to maintain up-to-date plugins and conduct scans for suspicious code or users to mitigate risks.</p><p>This incident occurs alongside Wordfence's disclosure of a high-severity cross-site scripting (XSS) vulnerability in the Ultimate Member plugin (CVE-2024-2123), affecting versions up to 2.8.3.
Exploitation of this flaw, characterized by insufficient input sanitization, could grant unauthenticated attackers administrative user access on vulnerable sites.</p><p>The Ultimate Member vulnerability follows a similar flaw (CVE-2024-1071) addressed in version 2.8.3, highlighting the ongoing security challenges faced by WordPress plugins. Additionally, a file upload vulnerability in the Avada WordPress theme (CVE-2024-1468) has been discovered, allowing authenticated attackers to upload arbitrary files for potential remote code execution.</p><p>These incidents underscore the critical need for WordPress site owners to promptly apply security patches and remain vigilant against emerging threats to safeguard their websites from exploitation and malware infections.</p>]]></content:encoded></item><item><title><![CDATA[Guardio Uncovers Sophisticated Email Hijacking Scheme Involving 8,000 Subdomains of Major Brands, Orchestrated by Threat Actor ResurrecAds]]></title><description><![CDATA[Plus, Ukrainian Entities in Finland Targeted in Malicious Campaign Using IDAT Loader to Distribute Remcos RAT]]></description><link>https://www.cyber-oracle.com/p/guardio-uncovers-sophisticated-email</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/guardio-uncovers-sophisticated-email</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Mon, 26 Feb 2024 15:31:42 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!IXZN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>SubdoMailing Campaign Exploits Legitimate Brand Subdomains for Spam Distribution and Click Monetization, Circumventing Standard Security Measures</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!IXZN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp"
srcset="https://substackcdn.com/image/fetch/$s_!IXZN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 424w, https://substackcdn.com/image/fetch/$s_!IXZN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 848w, https://substackcdn.com/image/fetch/$s_!IXZN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 1272w, https://substackcdn.com/image/fetch/$s_!IXZN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!IXZN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png" width="1247" height="686" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:686,&quot;width&quot;:1247,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;SubdoMailing campaign spams 5 million emails daily via 8k hijacked domains&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="SubdoMailing campaign spams 5 million emails daily via 8k hijacked domains" title="SubdoMailing 
campaign spams 5 million emails daily via 8k hijacked domains" srcset="https://substackcdn.com/image/fetch/$s_!IXZN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 424w, https://substackcdn.com/image/fetch/$s_!IXZN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 848w, https://substackcdn.com/image/fetch/$s_!IXZN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 1272w, https://substackcdn.com/image/fetch/$s_!IXZN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb98578d5-a045-4a11-ba3b-6059c7b7b21a_1247x686.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Guardio Labs has exposed a complex email hijacking operation named SubdoMailing, which exploits over 8,000 subdomains belonging to reputable brands and institutions for the proliferation of spam and click monetization. Tracked since September 2022, the campaign is orchestrated by a threat actor dubbed ResurrecAds, known for reviving defunct domains associated with major brands to manipulate the digital advertising ecosystem for illicit gains.</p><p>ResurrecAds manages an extensive infrastructure including hosts, SMTP servers, IP addresses, and private residential ISP connections, leveraging stolen resources to circulate millions of spam and phishing emails daily. The emails, masquerading as legitimate communications, deceive recipients and evade standard security measures by using images instead of text, and employing sophisticated redirection techniques.</p><p>Notably, the subdomains targeted belong to prominent brands such as ACLU, eBay, Marvel, and VMware, among others, adding credibility to the malicious emails. By bypassing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks, the campaign successfully circumvents email authentication methods designed to prevent spoofing.</p><p>Guardio's investigation revealed instances of deceptive email origins, with subdomains like marthastewart.msn.com redirecting to malicious domains through CNAME records. This technique inherits SPF policies, enabling attackers to send emails as if from reputable domains.
Furthermore, the hijackers exploit abandoned subdomains with dangling CNAME records or defunct DNS SPF records, seizing control to host malicious content.</p><p>To counter this threat, Guardio has launched a SubdoMailing Checker tool to help domain administrators and site owners detect signs of compromise. The operation, meticulously designed to distribute malicious advertisements and maximize click revenue, demonstrates the sophistication and agility of modern cybercriminal networks.</p><h3>Threat Actor UAC-0184 Utilizes Steganography and War-Themed Lures to Deploy Remote Access Trojans, CERT-UA Reports Additional Attacks via Signal App and PikaBot Malware Resurgence</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!SpqD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!SpqD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 424w, https://substackcdn.com/image/fetch/$s_!SpqD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 848w, https://substackcdn.com/image/fetch/$s_!SpqD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 1272w, 
https://substackcdn.com/image/fetch/$s_!SpqD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!SpqD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png" width="1456" height="1092" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1092,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;What Is Steganography? | WIRED&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="What Is Steganography? | WIRED" title="What Is Steganography? 
| WIRED" srcset="https://substackcdn.com/image/fetch/$s_!SpqD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 424w, https://substackcdn.com/image/fetch/$s_!SpqD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 848w, https://substackcdn.com/image/fetch/$s_!SpqD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 1272w, https://substackcdn.com/image/fetch/$s_!SpqD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F232e8552-df8c-46f6-b77a-d12d5fb47868_2560x1920.png 1456w" sizes="100vw"></picture></div></a></figure></div><p>A malicious campaign targeting Ukrainian entities based in Finland has been uncovered, employing a commercial remote access trojan (RAT) named Remcos RAT, distributed via a malware loader known as IDAT Loader. Tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0184, the attack leverages steganography techniques for defense evasion.</p><p>Morphisec researcher Michael Dereviashkin emphasized the role of steganography in evading defenses, as IDAT Loader, associated with the Hijack Loader family, serves payloads like DanaBot, SystemBC, and RedLine Stealer. TA544, another threat actor, has also used IDAT Loader to distribute Remcos RAT and SystemBC via phishing attacks.</p><p>The phishing campaign, disclosed by CERT-UA in January 2024, utilizes war-themed lures to initiate an infection chain leading to IDAT Loader deployment, which extracts Remcos RAT using embedded steganographic PNG files.</p><p>In a separate development, CERT-UA revealed targeting of defense forces through the Signal instant messaging app, distributing a booby-trapped Microsoft Excel document executing COOKBOX, a PowerShell-based malware attributed to cluster UAC-0149.</p><p>Simultaneously, malware campaigns propagating PikaBot malware have resurged since February 8, 2024, using an updated variant with new unpacking methods, heavy obfuscation, and modifications to core module functionality.
Elastic Security Labs reported ongoing development of this variant.</p><p>The coordinated efforts of threat actors utilizing various attack vectors underscore the evolving nature of cyber threats, demanding continuous vigilance and adaptation of defense strategies to safeguard against malicious activities.</p><h3>Jobs/Internships</h3><p>Coinbase - <a href="https://www.coinbase.com/careers/5469054?gh_jid=5469054&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer, Frontend - Consumer</a> - Fully Remote</p><p>Roku - <a href="https://www.weareroku.com/jobs/5701678?gh_jid=5701678&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Senior Product Manager, Ad Measurement</a> - New York, New York &#183; On-site</p><p>Amplitude - <a href="https://boards.greenhouse.io/amplitude/jobs/7029250002?ref=levels.fyi&amp;utm_source=levels.fyi">Staff Software Engineer, Data Pipeline</a> - Vancouver, BC, Canada &#183; On-site</p><p>Motorola Solutions - <a href="https://motorolasolutions.wd5.myworkdayjobs.com/Careers/job/Schaumburg-IL/Data-Scientist-Intern--Summer-2024-_R44198/apply/autofillWithResume?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Data Scientist Intern (Summer 2024)</a> - Schaumburg, IL</p><p>Adobe - <a href="https://careers.adobe.com/us/en/job/ADOBUSR139304EXTERNALENUS/2024-Intern-Software-Engineer?utm_medium=phenom-feeds&amp;source=levels.fyi&amp;utm_source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi">2024 Intern - Software Engineer</a> - New York, NY &#183; On-site</p><p>UBS - <a href="https://jobs.ubs.com/TGnewUI/Search/home/HomeWithPreLoad?jobid=288791&amp;siteid=5131&amp;partnerid=25008&amp;source=ilevels.fyi&amp;PageType=JobDetails&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Internship 2024, DevOps Developer, UBS Scenario Hub</a> - Zurich, Zurich, Switzerland &#183; Hybrid</p>]]></content:encoded></item><item><title><![CDATA[Chinese Threat Actor GoldFactory Unveils Sophisticated Banking Trojans, Including iOS Malware GoldPickaxe, Targeting Asian Financial Institutions]]></title><description><![CDATA[Plus, Russian Threat Actor Turla Deploys TinyTurla-NG Backdoor in Campaign Targeting Polish NGOs]]></description><link>https://www.cyber-oracle.com/p/chinese-threat-actor-goldfactory</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/chinese-threat-actor-goldfactory</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Fri, 16 Feb 2024 00:48:10 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!lhAi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>GoldFactory's Advanced Malware Campaigns Employ Social Engineering Tactics to Infiltrate Android and iOS Devices, Evading Traditional Security Measures</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank"
href="https://substackcdn.com/image/fetch/$s_!lhAi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lhAi!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 424w, https://substackcdn.com/image/fetch/$s_!lhAi!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 848w, https://substackcdn.com/image/fetch/$s_!lhAi!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 1272w, https://substackcdn.com/image/fetch/$s_!lhAi!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lhAi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp" width="1456" height="734" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:734,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Gold Rush is back to APAC: Group-IB unveils first iOS trojan stealing your  face | 
Group-IB&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Gold Rush is back to APAC: Group-IB unveils first iOS trojan stealing your  face | Group-IB" title="Gold Rush is back to APAC: Group-IB unveils first iOS trojan stealing your  face | Group-IB" srcset="https://substackcdn.com/image/fetch/$s_!lhAi!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 424w, https://substackcdn.com/image/fetch/$s_!lhAi!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 848w, https://substackcdn.com/image/fetch/$s_!lhAi!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 1272w, https://substackcdn.com/image/fetch/$s_!lhAi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d2e7b4e-4d0c-4d8a-8a8a-55b2e2021077_1600x807.webp 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 
8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>A Chinese-speaking threat actor known as GoldFactory has been identified as the creator of highly sophisticated banking trojans, unveiling a previously undocumented iOS malware named GoldPickaxe capable of harvesting sensitive personal data. Active since mid-2023, GoldFactory has also developed Android-based malware such as GoldDigger and its variants, targeting users in the Asia-Pacific region, particularly Thailand and Vietnam.</p><p>GoldPickaxe, distributed through social engineering campaigns, employs a variety of distribution methods including smishing and phishing messages, as well as fake URLs leading to the installation of the malware. Notably, the iOS variant leverages Apple's TestFlight platform and booby-trapped URLs to gain complete control over iOS devices.</p><p>The sophistication of GoldPickaxe extends to its ability to bypass security measures such as facial recognition for transaction confirmation. 
The malware prompts victims to record a video, later used to create deepfake videos with face-swapping AI services.</p><p>Both Android and iOS variants of GoldPickaxe are designed to intercept SMS messages, collect identity documents and photos, and proxy traffic through compromised devices. The Android version, an evolutionary successor of GoldDiggerPlus, targets over 20 applications from various sectors to steal login credentials.</p><p>GoldDigger, discovered in June 2023, targets Vietnamese financial applications and has spawned upgraded variants like GoldDiggerPlus, which embeds another trojan component named GoldKefu. GoldKefu, impersonating a popular Vietnamese messaging app, tricks victims into revealing banking credentials through fake alerts and overlays.</p><p>The emergence of GoldFactory's mobile banking malware underscores the evolving landscape of cyber threats, with social engineering schemes evolving to deliver malware while circumventing traditional security measures. To mitigate these risks, users are advised to avoid clicking on suspicious links, installing apps from untrusted sources, and regularly reviewing app permissions.</p><p>GoldFactory's operations reflect a high level of sophistication and operational maturity, with separate development and operator groups dedicated to specific regions. 
The group continuously enhances its toolset to adapt to targeted environments, posing significant challenges for cybersecurity defenses.</p><h3>Turla Expands Arsenal with TinyTurla-NG, Utilizes Compromised WordPress Sites for Command-and-Control in Latest Campaign</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!yHH5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!yHH5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 424w, https://substackcdn.com/image/fetch/$s_!yHH5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 848w, https://substackcdn.com/image/fetch/$s_!yHH5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 1272w, https://substackcdn.com/image/fetch/$s_!yHH5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!yHH5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png" width="600" height="376" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:376,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Turla Hiding in the Sky: Russian Speaking Cyberespionage Group Exploits  Satellites to Reach the Ultimate Level of Anonymity | Kaspersky&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Turla Hiding in the Sky: Russian Speaking Cyberespionage Group Exploits  Satellites to Reach the Ultimate Level of Anonymity | Kaspersky" title="Turla Hiding in the Sky: Russian Speaking Cyberespionage Group Exploits  Satellites to Reach the Ultimate Level of Anonymity | Kaspersky" srcset="https://substackcdn.com/image/fetch/$s_!yHH5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 424w, https://substackcdn.com/image/fetch/$s_!yHH5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 848w, https://substackcdn.com/image/fetch/$s_!yHH5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 1272w, https://substackcdn.com/image/fetch/$s_!yHH5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375cd224-8b21-4c87-82ed-b8e3dbf96526_600x376.png 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><p>The Russian-linked threat actor Turla has been identified deploying a new backdoor, TinyTurla-NG, in a targeted campaign spanning three months, aimed at Polish non-governmental organizations (NGOs) in December 2023. Cisco Talos, in a recent technical report, described TinyTurla-NG as a "last chance" backdoor deployed when other unauthorized access methods fail or are detected.</p><p>This backdoor shares similarities with TinyTurla, a previously documented implant used by Turla in intrusions targeting entities in the U.S., Germany, and Afghanistan since at least 2020. 
Turla, also known as Iron Hunter and Venomous Bear, is associated with the Russian Federal Security Service (FSB).</p><p>In addition to targeting Polish NGOs, Turla has recently focused on the defense sector in Ukraine and Eastern Europe, deploying a new .NET-based backdoor named DeliveryCheck, and upgrading its Kazuar implant, utilized since 2017.</p><p>The campaign involving TinyTurla-NG commenced on December 18, 2023, and continued until January 27, 2024, although suspicions suggest activity might have begun in November 2023 based on malware compilation dates. The distribution method of the backdoor remains unknown, but compromised WordPress-based websites serve as command-and-control (C2) endpoints, enabling the execution of commands via PowerShell or Command Prompt, as well as file download/upload.</p><p>Furthermore, TinyTurla-NG serves as a conduit for delivering PowerShell scripts labeled TurlaPower-NG, designed to extract key material used to secure password databases of popular password management software.</p><p>In a related development, Microsoft and OpenAI disclosed that Russian nation-state actors are exploring generative artificial intelligence tools, including large language models like ChatGPT, to understand satellite communication protocols, radar imaging technologies, and seek assistance with scripting tasks, underscoring the evolving sophistication of cyber threats.</p><h3>Jobs/Internships:</h3><p>Prodigy Education - <a href="https://jobs.lever.co/prodigyeducation/0bb20676-3984-428b-88f9-d2668430e5b4/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Data Scientist</a> - Greater Toronto Area, Ontario &#183; Hybrid</p><p>EasyPost - <a href="https://jobs.lever.co/easypost-2/dbad0349-b144-4dbf-9270-280fce8902bd/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Staff Automation Engineer</a> - Fully Remote</p><p>Expedition Technology - <a href="https://grnh.se/0efbeaf47us?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer</a> - Full 
Stack - Herndon, Virginia, United States &#183; On-site</p><p>Coinbase - <a href="https://www.coinbase.com/careers/5466500?gh_jid=5466500&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Summer 2024 - Software Engineer Intern</a> - Fully Remote</p><p>Chime - <a href="https://boards.greenhouse.io/chime/jobs/7108334002?gh_jid=7108334002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern, Savings</a> - San Francisco, CA &#183; Hybrid</p><p>Neuralink - <a href="https://boards.greenhouse.io/neuralink/jobs/5469297003?gh_jid=5469297003&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern, Implant Team</a> - Fremont, California, United States &#183; On-site</p>]]></content:encoded></item><item><title><![CDATA[Russian State-Backed Hacker Group APT28 Executes Global NTLM v2 Hash Relay Attacks on High-Profile Targets]]></title><description><![CDATA[CERT-UA Issues Warning as Malware DirtyMoe Infects Over 2,000 Computers in Ukraine; Ongoing Phishing Campaign Targets Military Personnel]]></description><link>https://www.cyber-oracle.com/p/russian-state-backed-hacker-group</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/russian-state-backed-hacker-group</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Fri, 02 Feb 2024 18:46:58 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Captiva AI - A Special Part of our Jobs Initiative</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7ZzS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7ZzS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 424w, 
https://substackcdn.com/image/fetch/$s_!7ZzS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 848w, https://substackcdn.com/image/fetch/$s_!7ZzS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 1272w, https://substackcdn.com/image/fetch/$s_!7ZzS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7ZzS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png" width="1051" height="1226" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1226,&quot;width&quot;:1051,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:96044,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7ZzS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 424w, 
https://substackcdn.com/image/fetch/$s_!7ZzS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 848w, https://substackcdn.com/image/fetch/$s_!7ZzS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 1272w, https://substackcdn.com/image/fetch/$s_!7ZzS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd63b6a98-b5b0-4185-ae00-c623c5e209cc_1051x1226.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" 
y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Hello Subscribers,</p><p>I hope you are having a great day. As the job market tightens, we feel that interview preparation for any job is crucial to landing a job these days. This is why we have partnered with <a href="https://apps.apple.com/app/apple-store/id6474557904?pt=126011983&amp;ct=campaign15&amp;mt=8">Captiva AI</a>, an artificial-intelligence-powered job preparation platform for technology, marketing, consulting, sales, finance, and accounting roles. The app is free to download by scanning the QR code above or following this <a href="https://apps.apple.com/app/apple-store/id6474557904?pt=126011983&amp;ct=campaign15&amp;mt=8">link</a>.</p><h3>Aggressive APT28 Exploits NTLM Vulnerabilities, Targets Organizations Across Sectors Worldwide</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!B3Ck!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!B3Ck!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 424w, https://substackcdn.com/image/fetch/$s_!B3Ck!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 848w, https://substackcdn.com/image/fetch/$s_!B3Ck!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!B3Ck!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!B3Ck!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg" width="1200" height="630" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:630,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Why Have Russian Hackers Been So Quiet in Ukraine?&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Why Have Russian Hackers Been So Quiet in Ukraine?" title="Why Have Russian Hackers Been So Quiet in Ukraine?" 
srcset="https://substackcdn.com/image/fetch/$s_!B3Ck!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 424w, https://substackcdn.com/image/fetch/$s_!B3Ck!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 848w, https://substackcdn.com/image/fetch/$s_!B3Ck!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!B3Ck!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66d6b0bf-82e3-46f0-8ffc-f4c2bc48c9b0_1200x630.jpeg 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" 
stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>From April 2022 to November 2023, Russian state-sponsored actors, identified as the notorious hacking crew APT28, executed NT LAN Manager (NTLM) v2 hash relay attacks on high-value targets globally. The group, also known as Blue Athena, Fancy Bear, and others, focused on organizations involved in foreign affairs, energy, defense, transportation, labor, social welfare, finance, parenthood, and local city councils.</p><p>Cybersecurity firm Trend Micro characterized these intrusions as a cost-efficient method automating brute-force attempts to infiltrate networks. APT28, operated by Russia's GRU military intelligence service since at least 2009, has a history of spear-phishing and strategic web compromises.</p><p>In April 2023, the group was implicated in attacks exploiting patched flaws in Cisco networking equipment, and later in the year, it gained attention for exploiting privilege escalation flaws in Microsoft Outlook and WinRAR. This allowed APT28 to access user Net-NTLMv2 hashes and stage NTLM Relay attacks, compromising email accounts.</p><p>The threat actor continued evolving its tactics, incorporating anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers. These routers, potentially breached or compromised by a third party, were used for scanning, probing, and sending spear-phishing emails. 
Post-exploitation activities involved modifying folder permissions in victims' mailboxes, enabling lateral movement within organizations.</p><p>Notably, APT28 targeted Ukrainian entities using CVE-2023-23397 exploits, leveraging lures related to the Israel-Hamas conflict, and employing custom backdoors like HeadLace. Recent campaigns against European governments involved bogus Microsoft Outlook login pages on webhook[.]site URLs. At least 100 EdgeOS routers were estimated to be infected.</p><p>The article concludes with insights into the group's sophisticated post-exploitation actions, noting that the complexity of its initial intrusions is often obscured by its louder, more aggressive campaigns. Simultaneously, another Russian threat actor, COLDRIVER, was revealed to impersonate researchers and academics in an ongoing hacking campaign, redirecting victims to credential harvesting pages.</p><h3>UAC-0027 Identified as Threat Actor Behind DirtyMoe Malware, While Phishing Campaign STEADY#URSA Linked to Russian Threat Actor Shuckworm</h3>
<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!Y0VQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ce8972b-d498-4803-8571-72830ceb14fe_1280x720.png" alt="DirtyMoe modules expand the bot using worm-like techniques"></figure></div>
<p>The Computer Emergency Response Team of Ukraine (CERT-UA) has raised an alarm, reporting that more than 2,000 computers in Ukraine have fallen victim to the DirtyMoe malware, with the campaign attributed to the threat actor UAC-0027. DirtyMoe, operational since 2016, is capable of cryptojacking and of launching distributed denial-of-service (DDoS) attacks. Earlier this year, cybersecurity firm Avast highlighted the malware's worm-like propagation through known security flaws.</p><p>The DDoS botnet is delivered by the Purple Fox malware or via fraudulent MSI installer packages for popular software like Telegram. Purple Fox, equipped with a rootkit for stealth, complicates detection and removal. The initial access vector in the Ukrainian campaign remains unknown. CERT-UA recommends organizations keep systems updated, enforce network segmentation, and monitor network traffic for anomalies.</p><p>Simultaneously, security firm Securonix revealed an ongoing phishing campaign, STEADY#URSA, targeting Ukrainian military personnel. The campaign aims to deploy a custom PowerShell backdoor named SUBTLE-PAWS. The attack begins when the victim executes a malicious shortcut file, which launches a PowerShell payload. The threat actor behind this campaign is identified as Shuckworm, also known as Aqua Blizzard, Gamaredon, and others, associated with Russia's Federal Security Service (FSB) since at least 2013.</p><p>SUBTLE-PAWS, beyond establishing persistence, uses Telegram's Telegraph publishing platform for command-and-control (C2) communication, a tactic noted since early 2023. The malware can spread through removable drives and executes dynamic payloads stored in the Windows Registry. This method helps it evade traditional file-based detection and lets the malware relaunch itself after reboots or interruptions. 
The disclosure follows previous reports of Gamaredon's USB-based worm named LitterDrifter, further underscoring the evolving and persistent nature of cyber threats targeting Ukraine.</p><h3><a href="https://hackerpulse.substack.com">HackerPulse</a></h3><p>Want to get a remote job at Amazon?</p><p>Start reading HackerPulse Dispatch &amp; level up your skills as an engineer.</p><p>Get weekly:</p><p>&#128313; Useful Tools &amp; Libs</p><p>&#128313; Best AI paper digests</p><p>&#128313; No-nonsense career boosters</p><p>Go &#128073; <a href="https://hackerpulse.substack.com">https://hackerpulse.substack.com</a></p><h3>Jobs/Internships:</h3><p>Roku - <a href="https://www.weareroku.com/jobs/product-manager-advertising-santa-monica-california-united-states?gh_jid=5666043&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Product Manager, Advertising</a> - Santa Monica, California &#183; On-site</p><p>Coinbase - <a href="https://www.coinbase.com/careers/positions/5107002?gh_jid=5107002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Site Reliability Engineer - Client Platform</a> - Fully Remote</p><p>Airbnb - <a href="https://careers.airbnb.com/positions/5646843/">Senior Frontend Engineer, Guest Displays &amp; Platforms</a> - On-site</p><p>Intel - <a href="https://jobs.intel.com/en/job/-/-/599/60728759376?source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Software Engineering Intern - Santa Clara, CA</a> &#183; On-site</p><p>Western Digital - <a href="https://jobs.smartrecruiters.com/WesternDigital/743999964529563-summer-2024-intern-python-development?src=levels.fyi&amp;trid=2d92f286-613b-4daf-9dfa-6340ffbecf73&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Summer 2024 Intern, Python Development</a> - San Jose, CA</p><p>Neuralink - <a href="https://boards.greenhouse.io/neuralink/jobs/5469297003?gh_jid=5469297003&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern, Implant Team</a> - Fremont, California, United States &#183; 
On-site</p>]]></content:encoded></item><item><title><![CDATA[Critical Google Kubernetes Engine Vulnerability Exposes 250,000 Clusters: Threat Actors Could Seize Control with Google Account]]></title><description><![CDATA[Plus, Ransomware Group Kasseika Employs BYOVD Tactic to Disable Security Processes on Windows Hosts]]></description><link>https://www.cyber-oracle.com/p/critical-google-kubernetes-engine</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/critical-google-kubernetes-engine</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Wed, 24 Jan 2024 18:18:31 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!RhZ7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3067fa7-2974-4e1f-930e-435bbc28a539_3840x2160.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Security Alert: Sys:All Flaw in GKE Puts 250,000 Active Clusters at Risk of Unauthorized Takeover</h3>
<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!RhZ7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3067fa7-2974-4e1f-930e-435bbc28a539_3840x2160.webp" alt="Android Apps by Google LLC on Google Play"></figure></div>
<p>A critical vulnerability named Sys:All has been uncovered in Google Kubernetes Engine (GKE), putting an estimated 250,000 active clusters at risk of unauthorized takeover. Discovered by cloud security firm Orca, the flaw stems from a widespread misconception about the system:authenticated group in GKE, which includes any Google-authenticated account, even one outside the organization. Security researcher Ofir Yakobi notes that this misconfiguration, if exploited, could enable external threat actors with a Google account to seize control of the Kubernetes cluster.</p><p>The system:authenticated group, which many assume contains only verified and deterministic identities, in fact includes every authenticated entity, human users and service accounts alike. Exploiting this loophole could lead to severe consequences, enabling threat actors to perform lateral movement, engage in cryptomining, execute denial-of-service attacks, and steal sensitive data without leaving traceable links to the originating Gmail or Google Workspace account.</p><p>The attack vector could expose various sensitive data, such as JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and credentials to container registries. 
Following responsible disclosure to Google, the company has taken steps to address the issue, blocking the binding of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later. Google recommends users avoid binding the system:authenticated group to any RBAC roles and assess and remove unsafe bindings.</p><p>While there is no public record of large-scale attacks exploiting this vulnerability, Orca warns that it could be a matter of time, underscoring the need for users to take immediate steps to secure their cluster access controls. Orca acknowledges the improvement in newer GKE versions but stresses that other roles and permissions can still be assigned to the system:authenticated group, and urges heightened security measures.</p><h3>Emerging Threat: Kasseika Ransomware Utilizes Bring Your Own Vulnerable Driver (BYOVD) Attack for Effective Security Disarmament</h3>
<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!O-jY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27379bf8-fbd6-482f-8d29-9d1e6fe2921f_1106x558.jpeg" alt="Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver"></figure></div>
<p>The ransomware group Kasseika has adopted the Bring Your Own Vulnerable Driver (BYOVD) attack, following in the footsteps of other threat actors like Akira, AvosLocker, BlackByte, and RobbinHood. Identified by cybersecurity firm Trend Micro in mid-December 2023, Kasseika demonstrates similarities with the now-defunct BlackMatter ransomware, raising suspicions of a potential connection. The BYOVD tactic allows threat actors to terminate antivirus processes and services, facilitating the deployment of ransomware on compromised Windows hosts.</p><p>Kasseika's attack chain begins with a phishing email for initial access, deploying remote administration tools (RATs) to gain privileged access and move laterally within the target network. The threat actors employ Microsoft's Sysinternals PsExec utility to execute a malicious batch script, which checks for the existence of the "Martini.exe" process and terminates it if found. The script then downloads and executes the "Martini.sys" driver, which is used to disable 991 security tools.</p><p>The ransomware payload, named "smartscreen_protected.exe," then initiates the encryption process using the ChaCha20 and RSA algorithms, after terminating processes and services that access the Windows Restart Manager. Kasseika demands a 50 bitcoin payment within 72 hours, threatening an additional $500,000 every 24 hours after the deadline. Victims must post a payment screenshot to an actor-controlled Telegram group to receive a decryptor.</p><p>Additionally, Kasseika wipes traces of its activity by clearing the system's event logs using the wevtutil.exe binary, making it harder for security tools to identify and respond to malicious activities. 
This development underscores the evolving tactics of ransomware groups, emphasizing the need for robust cybersecurity measures to thwart sophisticated attacks.</p><h3>Jobs/Internships</h3><p>Zip Co - <a href="https://boards.greenhouse.io/zipcolimited/jobs/4299337006?gh_src=e98b4b5b6us&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer, Core Product</a> - Sydney, New South Wales, Australia</p><p>Coinbase - <a href="https://www.coinbase.com/careers/positions/5107002?gh_jid=5107002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Site Reliability Engineer - Client Platform</a> - Fully Remote</p><p>BlackSky - <a href="https://boards.greenhouse.io/blacksky/jobs/7099976002?gh_jid=7099976002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Senior Machine Learning Engineer</a> - Fully Remote</p><p>SpaceX - <a href="https://boards.greenhouse.io/spacex/jobs/6917839002?gh_jid=6917839002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Summer 2024 Software Engineering Internship/Co-op</a> - On-site</p><p>NeuraFlash - <a href="https://boards.greenhouse.io/neuraflash/jobs/5064790004?ref=levels.fyi&amp;utm_source=levels.fyi">UX Design Intern</a> - United States, NY &#183; On-site</p><p>T-Mobile - <a href="https://careers.t-mobile.com/job-details/19764677/?codes=int-levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Summer 2024 Data Science Internship</a> - Bellevue, WA</p>]]></content:encoded></item><item><title><![CDATA[Over 178,000 SonicWall Firewalls at Risk: Critical Vulnerabilities Expose Devices to DoS and Remote Code Execution]]></title><description><![CDATA[Plus, Phemedrone Stealer Exploits Patched Windows Flaw: Threat Actors Target Browsers, Crypto Wallets, and Messaging Apps]]></description><link>https://www.cyber-oracle.com/p/over-178000-sonicwall-firewalls-at</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/over-178000-sonicwall-firewalls-at</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 16 Jan 2024 14:40:05 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!NUPS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc16a65cb-04ee-419f-858d-129932ebe42a_1914x935.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>SonicOS Flaws Put Massive Number of Devices in Jeopardy; Critical Patches Urged</h3>
<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!NUPS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc16a65cb-04ee-419f-858d-129932ebe42a_1914x935.jpeg" alt="SonicWall SonicOS Operating System | SonicGuard.com"></figure></div>
<p>Cybersecurity researchers report that over 178,000 SonicWall firewalls are vulnerable to critical flaws that could lead to denial-of-service (DoS) and remote code execution (RCE) attacks. The two security vulnerabilities, CVE-2022-22274 and CVE-2023-0656, potentially allow remote, unauthenticated attackers to exploit SonicOS via HTTP requests, triggering stack-based buffer overflows.</p><p>Jon Williams, a senior security engineer at Bishop Fox, emphasizes that the flaws, though fundamentally similar, are exploitable at different HTTP URI paths due to the reuse of a vulnerable code pattern. While there are no reports of active exploitation in the wild, a proof-of-concept (PoC) for CVE-2023-0656 was published in April 2023 by the SSD Secure Disclosure team.</p><p>Bishop Fox warns that malicious actors could weaponize these vulnerabilities to induce repeated crashes, forcing the SonicWall appliance into maintenance mode. Recovering from that state requires administrative intervention to restore normal functionality, posing a significant risk to affected devices.</p><p>It is noteworthy that over 146,000 publicly accessible devices are susceptible to a flaw that was disclosed almost two years ago, underlining the urgency for users to update to the latest versions and ensure that the management interface is not exposed to the internet. 
The revelation underscores the critical need for proactive measures to safeguard network infrastructure against potential threats exploiting these SonicOS vulnerabilities.</p><h3>Security Alert: Cybercriminals Utilize Microsoft Windows Vulnerability to Deploy Phemedrone Stealer</h3><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!oZuX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21659c6a-c6cf-42c4-8e0a-a42310107d3f_624x392.jpeg" width="624" height="392" alt="CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign"></figure></div><p>Threat actors are capitalizing on a recently patched security flaw in Microsoft Windows to deploy an open-source information stealer known as Phemedrone Stealer, targeting web browsers, cryptocurrency wallets, and messaging apps such as Telegram, Steam, and Discord. Trend Micro researchers identified the active exploitation of CVE-2023-36025, a security bypass vulnerability in Windows SmartScreen, which Microsoft addressed in its November 2023 Patch Tuesday updates.</p><p>Phemedrone Stealer's capabilities include capturing screenshots, collecting data on hardware, location, and operating system details, and stealing sensitive information. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&amp;C) server. 
The attack vector involves the use of malicious Internet Shortcut (.URL) files hosted on Discord or cloud services, exploiting CVE-2023-36025 to execute a control panel (.CPL) file that circumvents Windows Defender SmartScreen.</p><p>The researchers outline the infection process, wherein the malicious .CPL file executes a PowerShell loader ("DATA3.txt") that serves as a launchpad for Donut, an open-source shellcode loader. Donut decrypts and executes Phemedrone Stealer, which is actively maintained on GitHub and Telegram by its developers.</p><p>Despite the security patch, threat actors persist in exploiting CVE-2023-36025, showcasing their adaptability in evading Windows Defender SmartScreen protections. The incident underscores the ongoing challenges in securing systems against evolving cyber threats, with attackers swiftly incorporating newly disclosed exploits into their attack chains to maximize impact.</p><h3>Jobs/Internships:</h3><p>The Trade Desk - <a href="https://boards.greenhouse.io/thetradedesk/jobs/4150183007?ref=levels.fyi&amp;utm_source=levels.fyi">2024 Summer Internship - Software Engineering</a> - Hong Kong</p><p>Workato - <a href="https://boards.greenhouse.io/workato">Intern - Technical Program Manager (Partner Success)</a> - Bangalore, India</p><p>Bybit - <a href="https://jobs.bybitglobal.com/social-recruitment/bybit/45685?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi#/job/69600e98-d1f7-4509-9aab-76ce631eaf18">APP/Mobile Engineer (Full-Time Internship)</a> - Hong Kong, Hong Kong SAR</p><p>Spark Investment Management - <a href="https://www.linkedin.com/jobs/view/phd-computer-scientist-software-developer-%24750k%2B%2B-at-spark-investment-management-llc-3731380315/?ref=levels.fyi&amp;utm_source=levels.fyi">PhD Computer Scientist/Software Developer $750K++</a> - New York, NY</p><p>Roblox - <a href="https://careers.roblox.com/jobs/5445529?gh_jid=5445529&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Principal Technical Program Manager, 
Engine</a> - San Mateo, CA, United States</p>]]></content:encoded></item><item><title><![CDATA[FBot Emerges: Python-Based Hacking Tool Targets AWS, Microsoft 365, PayPal, and More]]></title><description><![CDATA[Plus, GitHub Becomes a Haven for Cyber Threats: Adversaries Exploit Platform's Ubiquity for Stealthy Malicious Activities]]></description><link>https://www.cyber-oracle.com/p/fbot-emerges-python-based-hacking</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/fbot-emerges-python-based-hacking</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Fri, 12 Jan 2024 01:00:38 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mFUe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec8ef90d-2157-4de4-8816-a33e53ffa55d_820x490.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>SentinelOne Uncovers FBot, a New Cloud Hacking Tool with Diverse Attack Capabilities</h3><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!mFUe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec8ef90d-2157-4de4-8816-a33e53ffa55d_820x490.png" width="820" height="490" alt="SentinelLabs Details Discovery of FBot Tool for Compromising Cloud Services - Security Boulevard"></figure></div><p>A newly discovered Python-based hacking tool named FBot is causing concern in cybersecurity circles as it actively targets web servers, cloud services, content management systems (CMS), and SaaS platforms, including heavyweights like Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio. Uncovered by SentinelOne researchers, FBot stands out due to its diverse set of features, including credential harvesting for spamming attacks, tools for AWS account hijacking, and functionalities enabling assaults on PayPal and various SaaS accounts.</p><p>While FBot shares similarities with other cloud hacking tools like AlienFox, GreenBot, Legion, and Predator, it distinguishes itself by not referencing any source code from AndroxGh0st. Its primary objective is to compromise cloud, SaaS, and web services, harvesting credentials for initial access, with the eventual goal of monetizing this access by selling it to other threat actors.</p><p>FBot's capabilities include generating API keys for AWS and Sendgrid, random IP address generation, reverse IP scanning, and validation of PayPal accounts and associated email addresses. 
Interestingly, FBot initiates PayPal API requests through a retail sales website, "robertkalinkin.com," indicating a noteworthy point of convergence with several Legion Stealer samples.</p><p>The tool also features AWS-specific functionalities, checking for AWS Simple Email Service (SES) email configuration details and determining EC2 service quotas for targeted accounts. Additionally, its Twilio-related functionality gathers information about the account, such as balance, currency, and connected phone numbers.</p><p>SentinelOne uncovered FBot samples dating from July 2022 to the present, suggesting active usage in the wild. While it remains unclear whether the tool is actively maintained and how it's distributed, the cybersecurity firm notes indications that FBot is likely a product of private development work, potentially being distributed through smaller-scale operations. This aligns with the trend of bespoke "private bots" in the realm of cloud attack tools, tailored to individual buyers and highlighting the evolving landscape of cyber threats.</p><h3>Cybersecurity Alert: GitHub's Popularity Exploited by Threat Actors for Command-and-Control and Payload Delivery</h3><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!dgBm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda4eff34-a5c9-4c81-8758-a231a2121f1a_1100x619.jpeg" width="1100" height="619" alt="Why you should start using GitHub Right now? | by Sourav Kumar Nanda | codeburst"></figure></div><p>The widespread adoption of GitHub in IT environments has inadvertently turned the platform into a prime choice for threat actors seeking to host and deliver malicious payloads, establish command-and-control (C2) operations, and serve as points for data exfiltration. Recorded Future has coined this tactic as "living-off-trusted-sites" (LOTS), a play on the living-off-the-land (LotL) techniques employed by threat actors to camouflage their activities within legitimate platforms, making detection and attribution more challenging.</p><p>GitHub's appeal to threat actors lies in its ability to blend with legitimate network traffic, effectively evading traditional security defenses. While the platform is not commonly used for full-fledged C2 implementations, it serves as a prevalent dead drop resolver, wherein threat actors leverage actor-controlled GitHub repositories to obtain the actual C2 URL. This tactic is notably employed by malware such as Drokbk and ShellBox.</p><p>Another observed but less frequent use of GitHub by threat actors is for data exfiltration. Recorded Future suggests that this rarity could be attributed to concerns related to file size and storage limitations, as well as discoverability issues.</p><p>Beyond these main schemes, threat actors employ various GitHub features for infrastructure-related purposes. 
GitHub Pages, for example, have been repurposed as phishing hosts or traffic redirectors, with some campaigns employing GitHub repositories as backup C2 channels.</p><p>This trend aligns with a broader pattern of malicious actors exploiting legitimate internet services, including Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord. Other source code and version control platforms like GitLab, BitBucket, and Codeberg are also not immune to exploitation.</p><p>Recorded Future emphasizes the complexity of addressing GitHub abuse detection, noting that a combination of detection strategies tailored to specific environments, organizational structures, service usage patterns, and risk tolerance is essential in combating these evolving cyber threats. The report serves as a cybersecurity alert, highlighting the need for heightened vigilance in the face of adversaries leveraging trusted platforms for nefarious purposes.</p>]]></content:encoded></item><item><title><![CDATA[Google Settles Class-Action Lawsuit Over 'Incognito' Mode Tracking Allegations]]></title><description><![CDATA[Plus, Albania's Assembly and Telecom Giant Hit by Cyber Attacks: Iran-Linked Hacker Group Claims Responsibility]]></description><link>https://www.cyber-oracle.com/p/google-settles-class-action-lawsuit</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/google-settles-class-action-lawsuit</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Wed, 03 Jan 2024 01:40:49 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!3rfB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94a0e652-0457-41e5-b966-cc04701f85cb_1200x800.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Privacy Dispute: Google's Incognito Mode Faces Legal Scrutiny and Settlement</h3><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!3rfB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94a0e652-0457-41e5-b966-cc04701f85cb_1200x800.jpeg" width="1200" height="800" alt="Google Chrome's Incognito mode isn't 100% private | London Evening Standard | Evening Standard"></figure></div><p>Google has reached a settlement in a lawsuit filed back in June 2020, where the company faced accusations of misleading users about the privacy of their internet activity while using the "incognito" or "private" mode on web browsers. The lawsuit, seeking at least $5 billion in damages, alleged that Google's tracking practices violated federal wiretap laws, allowing the collection of user data despite the presumption of privacy in these modes.</p><p>The specific terms of the settlement remain undisclosed. Plaintiffs argued that Google utilized Google Analytics to gather information even in private mode, amassing a significant volume of user data unbeknownst to those who believed their browsing was shielded from tracking.</p><p>While Google defended itself by highlighting warnings displayed when users activated Chrome's incognito mode, indicating that some information might still be visible to certain entities, U.S. District Judge Yvonne Gonzalez Rogers contested this defense. The Judge ruled that Google's failure to explicitly inform users about the extent of data collection in incognito mode nullified the argument that users had consented to this tracking.</p><p>Importantly, enabling incognito or private mode merely prevents the local storage of browsing history, providing users with a browsing session without saving data on the device. 
However, this does not prevent websites utilizing advertising technologies and analytics APIs from tracking and potentially correlating user activity, such as IP addresses, within that session.</p><p>This legal battle underlines the nuances of online privacy and user consent, shedding light on the complexities surrounding how user data is managed, tracked, and disclosed by tech giants. The settlement brings closure to this contentious issue, prompting a reexamination of the transparency and user notification practices in digital privacy policies.</p><h3>National Security Alarms Sound as Attacks Strike Albanian Infrastructure</h3><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!gKH7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fd0e3e2-dc21-4099-bfec-b9c340ba4d2f_1200x857.png" width="1200" height="857" alt="Albania - Wikipedia"></figure></div><p>Albania faced another wave of cyber assaults targeting significant entities, including the Assembly of the Republic and One Albania, as revealed by the country's National Authority for Electronic Certification and Cyber Security (AKCESK). Although the targeted entities are not currently classified as critical infrastructure under prevailing legislation, the attacks have raised concerns about the nation's cybersecurity defenses.</p><p>One Albania, serving a substantial subscriber base, reassured customers via Facebook that its services remained unscathed by the security incident, asserting the swift handling of the situation.</p><p>AKCESK disclosed that the intrusions originated from non-Albanian IP addresses, emphasizing its real-time identification of potential threats. Efforts are now focused on tracking the source, restoring compromised systems, and reinforcing security measures to thwart future incidents.</p><p>The agency's proactive response includes a thorough review and bolstering of existing cybersecurity strategies prompted by this breach.</p><p>Although the full scale of the attacks remains unclear, an Iranian hacker group named Homeland Justice claimed responsibility on its Telegram channel. The group's statement also mentioned breaching Air Albania, the country's flag carrier airline, in a quest to target "supporters of terrorists," amplifying the gravity of the situation.</p><p>This development follows prior cyber assaults on Albanian government services in mid-July 2022, where Homeland Justice similarly claimed responsibility. These previous attacks prompted the U.S. 
government to impose sanctions on Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmail Khatib, citing their involvement in cyber-enabled activities against the U.S. and its allies. The recent events in Albania underscore the persistent challenge of defending against international cyber threats and highlight the need for robust defenses in the face of evolving cyber warfare tactics.</p><h3>Jobs/Internships:</h3><p>ByteDance - <a href="https://jobs.bytedance.com/en/position/7238824732342667557/detail?spread=BSPP2KS&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Operating System Software Engineer (Operating System), System Technologies and Engineering</a> - Singapore</p><p>Microsoft - <a href="https://jobs.careers.microsoft.com/us/en/job/1673175/Product-Manager?jobsource=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi">Product Manager</a> - Redmond, WA</p><p>Northrop Grumman - <a href="https://www.northropgrumman.com/jobs/Engineering/MissionQuality-Assurance/United-States-of-America/Pennsylvania/Philadelphia/R10143717/sr-principal-engineer-quality?ref=levels.fyi&amp;src=levels.fyi&amp;utm_campaign=engineering1&amp;jClickId=cb260f76-bcce-48a0-87e0-b35790ecdace&amp;utm_audience=null&amp;utm_medium=jobboard&amp;utm_code=JB-18202&amp;utm_format=null&amp;utm_content=null&amp;utm_source=linkedin-organic&amp;source=JB-18202">Sr. 
Principal Engineer Quality</a> - Philadelphia, PA</p><p>Facebook - <a href="https://www.metacareers.com/jobs/1537475243691167/?rx_campaign=levels.fyi1&amp;rx_ch=connector&amp;rx_group=126320&amp;rx_job=a1k2k0000036xauuay_1006&amp;rx_medium=post&amp;rx_r=none&amp;rx_source=linkedin&amp;rx_ts=20240101t184801z&amp;rx_vp=slots&amp;utm_campaign=job%2Bboard&amp;utm_medium=jobs&amp;utm_source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi&amp;rx_viewer=7c38052c949811eeb9114f2b19c6062dc84266bfc3144bef8294d09d6d6f0fb6">Data Engineering Intern, Analytics</a> - San Francisco, CA</p><p>Panasonic - <a href="https://careers.na.panasonic.com/careers/software-engineering-intern?__jvst=Job%20Board&amp;__jvsd=levels.fyi&amp;nl=1">Software Engineering Intern</a> - Irvine, CA</p><p>Mastercard - <a href="https://careers.mastercard.com/us/en/job/MASRUSR210201EXTERNALENUS/Data-Scientist-Intern-Internship-Program-2024-Dubai-United-Arab-Emirates?utm_medium=phenom-feeds&amp;source=levels.fyi&amp;utm_source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi">Data Scientist Intern, Internship Program 2024</a> - Dubai, United Arab Emirates</p>]]></content:encoded></item><item><title><![CDATA[Over 15,000 GitHub Repositories Vulnerable to "Repojacking" Attacks, Threatening Software Supply Chain]]></title><description><![CDATA[Plus, Unveiling Post-Exploitation Deception: Fake Lockdown Mode on Compromised iPhones Threatens Security]]></description><link>https://www.cyber-oracle.com/p/over-15000-github-repositories-vulnerable</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/over-15000-github-repositories-vulnerable</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 05 Dec 2023 16:01:01 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!17ID!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdda3f924-4c99-4b71-9c24-8f51fd6aa6c5_1400x791.png" length="0" 
type="image/jpeg"/><content:encoded><![CDATA[<h3>Unveiling Vulnerabilities in Go Modules and Exposed API Tokens Highlight Perils to Open-Source Integrity</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!17ID!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdda3f924-4c99-4b71-9c24-8f51fd6aa6c5_1400x791.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!17ID!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdda3f924-4c99-4b71-9c24-8f51fd6aa6c5_1400x791.png" width="1400" height="791" class="sizing-normal" alt="" fetchpriority="high"></div></a></figure></div><p>New findings reveal that over 15,000 Go module repositories hosted on GitHub are exposed to a threat termed "repojacking." Repojacking exploits changes to or deletions of account usernames: a malicious actor re-registers the former username and creates a repository under the same name, then uses it to mount open-source software supply chain attacks.</p><p>VulnCheck Chief Technology Officer Jacob Baines highlighted the issue, stating that more than 9,000 repositories are vulnerable because of GitHub username changes and a further 6,000 because of account deletions. Together, these repositories house some 800,000 Go module versions.</p><p>Repojacking poses a significant risk to software repositories on GitHub, since malicious actors can leverage username changes or deletions to stage attacks; Go modules are particularly affected. 
Unlike package managers such as npm or PyPI, Go modules are decentralized and published directly from version control platforms, which makes them more prone to such attacks.</p><p>The attack involves registering the now-unused username, duplicating the module repository, and publishing a new module to caching platforms such as proxy.golang.org and pkg.go.dev. This sidesteps GitHub's countermeasure of popular repository namespace retirement, which blocks attempts to create repositories under a retired namespace that had been cloned more than 100 times. Go modules remain vulnerable because they are cached by the module mirror, which leaves the bypass possible even where cloning was less frequent.</p><p>VulnCheck noted that mitigating these repojackings is difficult and that a resolution requires intervention from either Go or GitHub. Baines advised Go developers to stay aware of the modules they use and of the state of the repositories those modules come from.</p><p>Separately, Lasso Security disclosed that 1,681 API tokens were exposed on platforms such as Hugging Face and GitHub, including tokens linked to Google, Meta, Microsoft, and VMware. Exposed tokens of this kind open the door to supply chain attacks, training data poisoning, and model theft.</p><p>Both discoveries underline the urgency of stronger security measures on repository platforms and greater awareness among developers of these vulnerabilities and attacks.</p><h3>Insights into a Novel Technique to Circumvent iOS Security Measures, Exploiting Lockdown Mode Vulnerabilities</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6lqj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb7837b5-e67c-40f3-9b39-a28977894d9c_1600x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!6lqj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb7837b5-e67c-40f3-9b39-a28977894d9c_1600x800.png" width="1456" height="728" class="sizing-normal" alt="" loading="lazy"></div></a></figure></div><p>Researchers at Jamf Threat Labs have described a worrying post-exploitation technique that abuses an iPhone's Lockdown Mode, creating a deceptive appearance of heightened security while covertly maintaining access to an already compromised device. Lockdown Mode, introduced by Apple as a security feature with iOS 16, is designed to protect individuals, especially high-risk targets, from sophisticated threats such as spyware. It does not, however, stop malware that is already running on an infected device. 
That gap allows an attacker who has already compromised a device through other security flaws to present a simulated Lockdown Mode, misleading the user into believing the device is secure.</p><p>The fake Lockdown Mode is achieved by manipulating the specific functions that run when the setting is activated, such as setLockdownModeGloballyEnabled. Through these manipulated functions the attacker creates a file ("/fakelockdownmode_on") and initiates a userspace reboot. This reboot terminates all processes and restarts the system, so it looks as though Lockdown Mode has been activated, yet it does not affect the kernel. As a result, malware present on the device without any persistence mechanism continues to exist and operate after this type of reboot, enabling surreptitious surveillance of the device's user.</p><p>Furthermore, the attacker can alter Lockdown Mode settings within the Safari web browser, potentially allowing access to PDF files, which are normally restricted when Lockdown Mode is enabled.</p><p>Although Lockdown Mode became a kernel-level security feature in iOS 17, making it harder to modify without a full system reboot, the finding highlights how difficult it is to thwart post-exploitation tampering. It follows an earlier Jamf demonstration of a method for maintaining access to an Apple device by tricking the user into believing that Airplane Mode was activated. 
These discoveries underscore the ongoing challenge of fortifying iOS devices against sophisticated exploitation attempts.</p><h3>Jobs/Internships:</h3><p>Sysdig - <a href="https://boards.greenhouse.io/sysdig/jobs/5388399?ref=levels.fyi&amp;utm_source=levels.fyi">Director of Engineering</a> - Hybrid</p><p>Rocket Lab - <a href="https://boards.greenhouse.io/rocketlab/jobs/5820161003?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer - Operations</a> - Long Beach, California, United States &#183; On-site</p><p>Brex - <a href="https://www.brex.com/careers/7005784002?gh_jid=7005784002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer, Product Security</a> - On-site</p><p>Plume - <a href="https://www.plume.com/career-opportunities/7049718002/job?gh_jid=7049718002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern</a> - Palo Alto, CA &#183; Hybrid</p><p>Humane - <a href="https://boards.greenhouse.io/humane/jobs/5029926004?ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineering Intern, Device Experiences</a> - San Francisco, CA &#183; On-site</p><p>insitro - <a href="https://boards.greenhouse.io/insitro/jobs/4295590006?ref=levels.fyi&amp;utm_source=levels.fyi">Data Science &amp; Machine Learning Intern</a> - South San Francisco, CA &#183; On-site</p>]]></content:encoded></item><item><title><![CDATA[Critical Vulnerabilities Expose Windows Hello Authentication on Popular Laptops: Research]]></title><description><![CDATA[Plus, Indie AI Tools: The Unchecked Frontier in Enterprise Security Threats]]></description><link>https://www.cyber-oracle.com/p/critical-vulnerabilities-expose-windows</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/critical-vulnerabilities-expose-windows</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 28 Nov 2023 16:00:40 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!TekK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a54f74e-15f9-4827-8065-af5c9e446640_618x337.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Blackwing Intelligence Uncovers Exploitable Weaknesses in Fingerprint Sensors of Dell, Lenovo, and Microsoft Devices</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TekK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a54f74e-15f9-4827-8065-af5c9e446640_618x337.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!TekK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3a54f74e-15f9-4827-8065-af5c9e446640_618x337.png" width="618" height="337" class="sizing-normal" alt="" fetchpriority="high"></div></a></figure></div><p>New research from Blackwing Intelligence has unveiled a series of vulnerabilities that pose a significant risk to Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. The flaws, found in the fingerprint sensors manufactured by Goodix, Synaptics, and ELAN, could allow the authentication process to be bypassed.</p><p>Researchers Jesse D'Aguanno and Timo Ter&#228;s discovered weaknesses in "match on chip" (MoC) fingerprint sensors, which integrate biometric management functions directly into the sensor's integrated circuit. Although MoC prevents replay of stored fingerprint data, it does not stop a malicious sensor from falsely claiming that a user has authenticated, nor does it prevent replay of previously recorded host-sensor communications.</p><p>The vulnerabilities in the ELAN, Synaptics, and Goodix sensors open avenues for adversary-in-the-middle (AitM) attacks and for bypassing Secure Device Connection Protocol (SDCP) protections. 
Because ELAN's sensor does not support SDCP, a USB device can impersonate the fingerprint sensor and authenticate an unauthorized user.</p><p>Synaptics' implementation is flawed in that SDCP is turned off by default and the sensor relies on an insecure Transport Layer Security (TLS) stack, which makes biometric authentication easier to circumvent.</p><p>Exploiting Goodix's sensor takes advantage of differences in enrollment operations between Windows and Linux systems, using cleartext USB communication and unauthenticated configuration packets to bypass authentication.</p><p>To address these vulnerabilities, the researchers recommend that OEMs enable SDCP and have fingerprint sensor implementations audited by independent experts. Despite Microsoft's work on SDCP, device manufacturers' misinterpretation of its objectives and the protocol's limited coverage of device operations leave a substantial attack surface exposed.</p><p>This revelation echoes previous instances in which Windows Hello biometric authentication was compromised, underscoring the need for continuous improvement and close scrutiny of security implementations in biometric authentication systems.</p><h3>As Employee Demand Soars, CISOs Wrestle with Risks Posed by Unsuspected AI Adoptions</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!d7Wy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!d7Wy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 424w, https://substackcdn.com/image/fetch/$s_!d7Wy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 848w, https://substackcdn.com/image/fetch/$s_!d7Wy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 1272w, https://substackcdn.com/image/fetch/$s_!d7Wy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!d7Wy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png" width="800" height="480" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:480,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!d7Wy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 424w, https://substackcdn.com/image/fetch/$s_!d7Wy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 848w, https://substackcdn.com/image/fetch/$s_!d7Wy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 1272w, https://substackcdn.com/image/fetch/$s_!d7Wy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd49eff5-0cbb-419a-b768-36bd3ad1fd81_800x480.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container 
restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The rapid adoption of AI tools by employees outside conventional review procedures is becoming a significant challenge for CISOs and cybersecurity teams, mirroring the historical dilemma posed by shadow IT in the SaaS landscape. With AI, the surge in employee-driven demand for tools, exemplified by ChatGPT's swift ascent to 100 million users, intensifies the pressure on security teams to accommodate this trend.</p><p>While studies highlight a potential 40% boost in productivity through generative AI, the urgency to fast-track AI adoption without proper scrutiny is mounting. 
However, succumbing to these demands introduces serious risks of SaaS data leakage and breaches, especially with employees gravitating towards AI tools developed by small entities and indie developers.</p><p>Indie AI startups, boasting tens of thousands of apps, entice users with freemium models and product-led growth strategies but typically lack the stringent security measures inherent in enterprise-grade solutions. Offensive security engineer and AI researcher Joseph Thacker outlines the risks associated with these indie AI tools:</p><p>Data Leakage: Generative AI tools have broad access to user inputs, leading to potential data exposure and leaks, as seen in the case of leaked ChatGPT chat histories.</p><p>Content Quality Issues: Large language models (LLMs) can generate inaccurate or nonsensical outputs (termed hallucinations), raising concerns about misinformation and ethical considerations.</p><p>Product Vulnerabilities: Smaller organizations behind indie AI tools often overlook addressing common product vulnerabilities, making them more susceptible to various attack vectors.</p><p>Compliance Risk: Non-compliance with established data privacy laws and regulations (like SOC 2 compliance) could result in hefty penalties for organizations using these tools.</p><p>Connecting indie AI tools to enterprise SaaS apps elevates productivity but significantly amplifies the risk of backdoor attacks. 
AI-to-SaaS connections, facilitated by OAuth access tokens, inherit lax security standards of indie AI tools, creating potential entry points for threat actors targeting sensitive data within organizational SaaS systems.</p><p>To mitigate these risks, CISOs and cybersecurity teams should focus on fundamental strategies:</p><p>Standard Due Diligence: Understand and review AI tool terms thoroughly.</p><p>Application and Data Policies: Establish clear guidelines on allowed AI tools and data usage.</p><p>Employee Training: Educate employees on risks and policy adherence.</p><p>Vendor Assessments: Scrutinize security measures and compliance of indie AI vendors.</p><p>Communication and Accessibility: Establish open dialogue and clear guidelines for AI tool usage.</p><p>Creating an environment where security is seen as a business enabler rather than a barrier is crucial for long-term SaaS and AI security. Aligning cybersecurity goals with business objectives fosters cooperation and compliance, reducing the chances of unauthorized AI tool adoptions that jeopardize SaaS security.</p><h3>Jobs/Internships</h3><p>Iterable - <a href="https://iterable.com/company/job/?gh_jid=5511659&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer, Backend (Ecosystems)</a> - Fully Remote</p><p>Coupang - <a href="https://www.coupang.jobs/en/jobs/job/staff-backend-engineer-fts-data-science-5341394/?gh_jid=5341394&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Staff, Backend Engineer (FTS-Data Science)</a> - Seoul, South Korea &#183; On-site</p><p>Ripple - <a href="https://ripple.com/careers/all-jobs/job/4473025/?gh_jid=4473025&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Staff Software Engineer, Finance Engineering</a> - Toronto, Canada &#183; On-site</p><p>HashiCorp - <a href="https://www.hashicorp.com/career/5523956?gh_jid=5523956&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineering Intern</a> - Hybrid</p><p>Datto - <a 
href="https://boards.greenhouse.io/openmesh/jobs/4145207007?gh_src=d80409e77us&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Junior Software Engineer Intern</a> - Sydney Central Business District, New South Wales, Australia &#183; On-site</p><p>Thermo Fisher Scientific - <a href="https://jobs.thermofisher.com/global/en/job/r-01208452/software-engineering-intern?rx_ch=jobpost&amp;rx_job=r-01208452-2&amp;rx_medium=post&amp;rx_paid=0&amp;rx_r=none&amp;rx_source=levels.fyi&amp;rx_ts=20231126t204202z&amp;rx_vp=linkedindirectindex&amp;utm_medium=post&amp;utm_source=recruitics_linkedindirectindex&amp;refId=34jd24&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi&amp;rx_viewer=dd308d7f49bc11eeaf32c927aa7d3a0d8137d4a9b28a4dd39474c20430b901d5">Software Engineering Intern</a> - Pleasanton, CA</p><p>Ubisoft - <a href="https://jobs.smartrecruiters.com/Ubisoft2/743999946579780-machine-learning-engineer-assistant-internship-6-month-february-march-2024-f-h-nb-?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Machine Learning Engineer Assistant &#8211; Internship (6-month) February/March 2024 (F/H/NB)</a> - Paris, &#206;le-de-France, France</p>]]></content:encoded></item><item><title><![CDATA[FCC Implements New Safeguards Against SIM-Swapping Scams and Port-Out Frauds]]></title><description><![CDATA[Plus, Russian Cyber Espionage Groups Unleash New Worm and Exploit Tactics in Targeted Attacks on Ukraine]]></description><link>https://www.cyber-oracle.com/p/fcc-implements-new-safeguards-against</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/fcc-implements-new-safeguards-against</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 21 Nov 2023 16:00:43 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!3SVY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png" length="0" 
type="image/jpeg"/><content:encoded><![CDATA[<h3>Regulatory Measures Aimed at Curtailing Malicious Attacks on Consumer Phone Accounts</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3SVY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3SVY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 424w, https://substackcdn.com/image/fetch/$s_!3SVY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 848w, https://substackcdn.com/image/fetch/$s_!3SVY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 1272w, https://substackcdn.com/image/fetch/$s_!3SVY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3SVY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png" width="1411" height="1411" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1411,&quot;width&quot;:1411,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3SVY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 424w, https://substackcdn.com/image/fetch/$s_!3SVY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 848w, https://substackcdn.com/image/fetch/$s_!3SVY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 1272w, https://substackcdn.com/image/fetch/$s_!3SVY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1d8ff9ae-2ceb-4610-9199-1adc2dedae20_1411x1411.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The U.S. Federal Communications Commission (FCC) has announced the adoption of new regulations designed to shield consumers from cell phone account scams, particularly targeting SIM-swapping attacks and port-out frauds orchestrated by malicious actors.</p><p>These rules aim to protect consumers from scammers who execute covert SIM card swaps or transfer phone numbers to new carriers without gaining physical access to a victim's phone, as stated by the FCC this week.</p><p>SIM swapping involves transferring a user's account to a SIM card controlled by a scammer by convincing the victim's wireless carrier. 
Conversely, port-out fraud occurs when a bad actor, posing as the victim, moves their phone number from one service provider to another without the victim's knowledge.</p><p>The newly adopted rules, proposed in July 2023, mandate wireless providers to implement secure authentication methods before redirecting a customer's phone number to a new device or provider.</p><p>Furthermore, these regulations demand that customers receive immediate notifications whenever a SIM change or port-out request occurs on their accounts, allowing them to take necessary steps to protect themselves against such attacks.</p><p>The severity of SIM swapping as a threat has been evident, enabling threat actors like LAPSUS$ and Scattered Spider to infiltrate corporate networks. By gaining control of a victim's phone number, attackers can intercept SMS-based two-factor authentication codes, leading to the compromise of victims' online accounts.</p><p>FCC Commissioner Geoffrey Starks highlighted the importance of secure verification procedures and privacy guarantees from wireless providers to protect consumers. He emphasized the need for consumers to feel secure without fearing unauthorized phone control.</p><p>In addition to these measures, the FCC has announced an inquiry into the impact of artificial intelligence (AI) on robocalls and robotexts. 
While AI could enhance tools to block unwanted calls and texts, the agency recognizes the potential for AI to aid bad actors in defrauding consumers by mimicking trusted voices or sources.</p><p>The FCC's proactive steps aim to reinforce security in telecommunications and mitigate evolving threats, ensuring consumer confidence and trust in the integrity of phone services amidst technological advancements and emerging risks.</p><h3>Check Point Reveals Intricate Techniques Employed by Gamaredon and APT29 in State-Sponsored Campaigns</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rkPS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rkPS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 424w, 
https://substackcdn.com/image/fetch/$s_!rkPS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 848w, https://substackcdn.com/image/fetch/$s_!rkPS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 1272w, https://substackcdn.com/image/fetch/$s_!rkPS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!rkPS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png" width="800" height="420" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:420,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rkPS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 424w, 
https://substackcdn.com/image/fetch/$s_!rkPS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 848w, https://substackcdn.com/image/fetch/$s_!rkPS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 1272w, https://substackcdn.com/image/fetch/$s_!rkPS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F662ba057-3d84-4bc2-a5df-053e675a4041_800x420.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line 
x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been identified utilizing a USB-propagating worm, dubbed LitterDrifter, in a series of attacks targeting entities within Ukraine. Check Point, uncovering the latest tactics of the Gamaredon group, highlighted their large-scale campaigns focused on espionage objectives.</p><p>LitterDrifter, a multifaceted worm, spreads through USB drives and establishes communication with command-and-control (C&amp;C) servers. Written in VBS, its spreader module conceals the malware in USB drives alongside a randomized LNK file. Notably, the worm's C&amp;C strategy involves using domains as placeholders for circulating IP addresses used as C2 servers.</p><p>The worm's ability to connect to a C&amp;C server extracted from a Telegram channel has been observed repeatedly throughout the year, indicating its adaptive tactics. Although primarily targeting Ukraine, signs of potential infection outside the region were detected across various countries.</p><p>Gamaredon's evolving attack methods have exhibited rapid data exfiltration capabilities, highlighting the group's efficiency in transmitting sensitive information within an hour of the initial compromise. Check Point concluded that LitterDrifter was designed for expansive data collection, employing straightforward yet highly effective techniques to target a broad spectrum of entities in the region.</p><p>Concurrently, Ukraine's National Cybersecurity Coordination Center (NCSCC) reported Russian state-sponsored hacker intrusions targeting European embassies, leveraging the WinRAR vulnerability (CVE-2023-38831). 
Attributed to APT29, these attacks employed benign-looking lures offering BMWs for sale, with the attack chain exploiting the vulnerability to deploy a PowerShell script from a remote server.</p><p>NCSCC highlighted the growing sophistication and popularity of exploiting the CVE-2023-38831 vulnerability by Russian intelligence services, demonstrating a concerning trend in cyber operations.</p><p>Additionally, the Computer Emergency Response Team of Ukraine (CERT-UA) identified a phishing campaign deploying malicious RAR archives masquerading as Security Service of Ukraine (SBU) documents. Tracked as UAC-0050, this campaign aimed at state authorities in Ukraine, deploying the Remcos RAT through deceptive executable files within the archives.</p><p>These recent revelations underscore the escalating cyber threats faced by Ukraine, portraying a landscape wherein advanced espionage groups continually refine their tactics and exploit vulnerabilities to infiltrate critical entities, emphasizing the necessity for heightened vigilance and robust cybersecurity measures.</p><h3>Jobs/Internships:</h3><p>Cognite - <a href="https://jobs.lever.co/cognite/1182db9f-a1b9-4d2a-ac18-cfceaffd1d81/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Machine Learning Engineer</a> - Austin, Texas &#183; Hybrid</p><p>Everbridge - <a href="https://jobs.lever.co/everbridge/6460b238-2fb3-4040-856f-3db9c6392929/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer I</a> - Lansing, MI &#183; Hybrid</p><p>Mistplay - <a href="https://jobs.lever.co/mistplay/01bb50fd-8ad8-4518-951d-ae76ad6130c2/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Manager, DevOps Engineering</a> - Fully Remote</p><p>Coinbase - <a href="https://www.coinbase.com/careers/positions/5458493?gh_jid=5458493&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Summer 2024 - Product Design Intern</a> - Fully Remote</p><p>Freddie Mac - <a 
href="https://careers.freddiemac.com/us/en/job/FRMAUSJR11159EXTERNAL/Single-Family-Software-Developer-Intern-Summer-2024-Hybrid-3-Days-in-Office?utm_source=levels.fyi&amp;utm_medium=phenom-feeds&amp;utm_medium=phenom-feeds&amp;ref=levels.fyi&amp;src=levels.fyi">Single-Family Software Developer Intern - Summer 2024 (Hybrid - 3 Days in Office)</a> - McLean, VA &#183; Hybrid</p><p>The Aerospace Corporation - <a href="https://aero.wd5.myworkdayjobs.com/External/job/El-Segundo-CA/XMLNAME-2024-Data-Science-Graduate-Intern--_R009328?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">2024 Data Science Graduate Intern</a> -&nbsp; Colorado Springs, CO &#183; El Segundo, CA &#183; Hybrid</p>]]></content:encoded></item><item><title><![CDATA[Dependabot's Deception: Uncovering Vulnerabilities in CI/CD Pipelines]]></title><description><![CDATA[Plus, Vietnamese Cyber Threat Actors Evolve Tactics with Delphi-Powered Malware Targeting Facebook Business Accounts]]></description><link>https://www.cyber-oracle.com/p/dependabots-deception-uncovering</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/dependabots-deception-uncovering</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 14 Nov 2023 16:01:02 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Balancing Automation and Security in Modern Software Development</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!jNf7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source 
type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!jNf7!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 424w, https://substackcdn.com/image/fetch/$s_!jNf7!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 848w, https://substackcdn.com/image/fetch/$s_!jNf7!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 1272w, https://substackcdn.com/image/fetch/$s_!jNf7!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!jNf7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png" width="770" height="462" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:462,&quot;width&quot;:770,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!jNf7!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 424w, https://substackcdn.com/image/fetch/$s_!jNf7!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 848w, https://substackcdn.com/image/fetch/$s_!jNf7!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 1272w, https://substackcdn.com/image/fetch/$s_!jNf7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f58e6af-3b82-4c06-aba6-14e06c39d8f7_770x462.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" 
stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Dependabot, lauded as a revolutionary tool in software development for simplifying the arduous task of managing outdated dependencies, recently faced a significant issue highlighted by Checkmarx. This issue exposed a vulnerability exploited by malicious actors who leveraged Dependabot's credibility, attempting to deceive developers by impersonating the tool and pushing changes disguised as authentic suggestions. While Dependabot represents a considerable advancement in automating software maintenance, this incident brings to light inherent vulnerabilities within Continuous Integration and Continuous Deployment (CI/CD) workflows.</p><p>The advent of CI/CD workflows has substantially transformed the landscape of software development. These workflows enable developers to seamlessly merge code and deploy it to production environments while ensuring high standards of code quality and security. However, they also act as conduits between the external and internal realms of development, creating potential risks. For instance, there are concerns about the incorporation of unvetted third-party libraries or the insecure management of external APIs, which can lead to the integration of malicious code or expose sensitive credentials.</p><p>Despite the industry's push towards secure-by-design workflows, platforms such as GitHub Actions and GitLab CI/CD often prioritize user-friendliness over robust security measures. This trade-off can result in inherent vulnerabilities. Issues like the inadvertent leakage of sensitive information, including credentials, remain prevalent concerns. 
These gaps are compounded by misconfigured pipelines and by breaches at the CI/CD providers themselves.</p><p>Hardening CI/CD pipelines, and with them the software supply chain, calls for proactive controls rather than after-the-fact cleanup. The recommended measures include strict access controls on repositories and pipeline configuration, multi-factor authentication (MFA) for every account that can push or approve changes, OpenID Connect (OIDC) to obtain short-lived cloud credentials in place of stored long-lived keys, vetted and pre-reviewed dependencies, protection of secrets at runtime, honeytokens that raise an alert when a planted credential is used, and monitoring and incident management that scale with the number of pipelines.</p><p>No single control closes the gap; the approach has to be holistic. Platforms such as GitGuardian help organizations monitor for leaked secrets and CI/CD incidents, but they complement the measures above rather than replace them. Adopted together, these practices give an organization security controls that can adapt as threats against CI/CD workflows and the wider software supply chain evolve.</p><h3>Kaspersky Uncovers Advanced Ducktail Stealer Campaign Aimed at Indian Marketing Professionals</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aqxq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aqxq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 424w, https://substackcdn.com/image/fetch/$s_!aqxq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 848w, https://substackcdn.com/image/fetch/$s_!aqxq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 1272w, https://substackcdn.com/image/fetch/$s_!aqxq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!aqxq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png" width="600" height="400" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:400,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aqxq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 424w, https://substackcdn.com/image/fetch/$s_!aqxq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 848w, https://substackcdn.com/image/fetch/$s_!aqxq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 1272w, https://substackcdn.com/image/fetch/$s_!aqxq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e14db55-7f3a-4468-ad87-db23df5bb1aa_600x400.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Vietnamese threat actors behind the Ducktail stealer have expanded their operations with a campaign that targeted marketing professionals in India between March and early October 2023, aiming to hijack Facebook Business accounts.</p><p>Kaspersky's report notes a clear change in tooling: where earlier campaigns relied on .NET applications, this one is written in Delphi. Ducktail belongs to the same Vietnam-based cybercrime ecosystem as Duckport and NodeStealer. 
The operators used sponsored Facebook ads to spread their lure, delivering malware that steals the victim's session cookies and uses them to take over the account.</p><p>The targets are users with access to a Facebook Business account. Once inside, the fraudsters run advertisements from the hijacked account, both for direct profit and to seed further infections.</p><p>In the campaign Kaspersky describes, victims receive an archive posing as a PDF. Opening it launches a malicious executable that saves a PowerShell script and a decoy PDF to disk; the script opens the decoy in the default PDF viewer and then carries out a series of actions, including pausing the running Chrome browser process.</p><p>The executable then downloads and runs a rogue library named libEGL.dll, which searches specific folders for shortcuts to Chromium-based browsers and appends a command-line switch to each one so that the browser loads a rogue extension on its next start. The extension is camouflaged as the legitimate Google Docs Offline add-on.</p><p>Once loaded, the extension sends details of the victim's open tabs to a server controlled by the threat actors in Vietnam and hijacks the targeted Facebook Business accounts.</p><p>The switch to Delphi-based malware and the use of browser-shortcut tampering to side-load an extension mark a step up in sophistication for these Vietnamese threat actors. 
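</p><p>One way to hunt for the shortcut tampering described above, given here as an added example rather than Kaspersky's code or the newsletter's: the Python below reads Windows shortcut files directly, following the MS-SHLLINK layout (fixed header, optional IDList and LinkInfo, then the string fields), and reports any whose arguments contain an extension side-loading switch. The write-up does not name the switch, so <code>--load-extension</code> and its usual companion <code>--disable-extensions-except</code> are assumed, and the shortcuts it scans are constructed samples written to a temporary folder.</p>

```python
"""Find browser shortcuts whose arguments side-load an extension.

Added example for this newsletter; not Kaspersky's code. The write-up does not name
the switch the malware appends, so Chromium's --load-extension (and its companion
--disable-extensions-except) is assumed. Shortcut files are read directly, following
the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then
the StringData fields), so a copied user profile can be checked from any OS.
"""
import re
import tempfile
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# LinkFlags bits, read from header offset 0x14
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields follow in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Assumed switches; a quoted value may contain spaces
SUSPICIOUS_SWITCH_RE = re.compile(
    r'--(?:load-extension|disable-extensions-except)(?:=(?:"[^"]*"|\S*))?', re.IGNORECASE)


def _u16(data: bytes, pos: int) -> int:
    return int.from_bytes(data[pos:pos + 2], "little")


def _u32(data: bytes, pos: int) -> int:
    return int.from_bytes(data[pos:pos + 4], "little")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, arguments, ...) of a .lnk file."""
    if not (len(data) >= LNK_HEADER_SIZE and _u32(data, 0) == LNK_HEADER_SIZE):
        raise ValueError("not a shell link file")
    flags = _u32(data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # uint16 size, then that many bytes
        pos += 2 + _u16(data, pos)
    if flags & HAS_LINK_INFO:                # uint32 size that counts itself
        pos += _u32(data, pos)
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = _u16(data, pos)              # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def suspicious_switches(arguments: str) -> list:
    """Extension side-loading switches found in a shortcut's argument string."""
    return SUSPICIOUS_SWITCH_RE.findall(arguments)


def scan_shortcuts(root: Path) -> list:
    """Return (path, arguments) for each .lnk under root that side-loads an extension."""
    hits = []
    for lnk in sorted(root.rglob("*.lnk")):
        try:
            fields = parse_lnk_strings(lnk.read_bytes())
        except (ValueError, UnicodeDecodeError):
            continue                         # not a shortcut, or truncated
        arguments = fields.get("arguments", "")
        if suspicious_switches(arguments):
            hits.append((lnk, arguments))
    return hits


def build_lnk(name: str, arguments: str) -> bytes:
    """Constructed sample shortcut: Unicode strings, an empty IDList, header-only LinkInfo."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_NAME | IS_UNICODE
    if arguments:
        flags |= HAS_ARGUMENTS
    header = (LNK_HEADER_SIZE.to_bytes(4, "little")
              + bytes.fromhex("0114020000000000c000000000000046")   # ShellLink CLSID
              + flags.to_bytes(4, "little")).ljust(LNK_HEADER_SIZE, b"\0")
    id_list = (2).to_bytes(2, "little") + b"\0\0"                   # TerminalID only
    link_info = b"".join(v.to_bytes(4, "little") for v in (28, 28, 0, 0, 0, 0, 0))
    strings = b"".join(len(s).to_bytes(2, "little") + s.encode("utf-16-le")
                       for s in (name, arguments) if s)
    return header + id_list + link_info + strings + b"\0\0\0\0"     # terminal ExtraData block


def demo() -> list:
    """Write a tampered and an untouched shortcut to a temp folder; return the flagged names."""
    ext_dir = "C:\\Users\\victim\\AppData\\Local\\Temp\\docs offline"   # constructed path
    tampered = f'--load-extension="{ext_dir}" --disable-extensions-except="{ext_dir}"'
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp) / "Desktop"
        desktop.mkdir()
        (desktop / "Google Chrome.lnk").write_bytes(build_lnk("Google Chrome", tampered))
        (desktop / "Microsoft Edge.lnk").write_bytes(build_lnk("Microsoft Edge", ""))
        return [path.name for path, _ in scan_shortcuts(Path(tmp))]


if __name__ == "__main__":
    print(demo())
```

<p>Point <code>scan_shortcuts</code> at a copied user profile; Desktop, Start Menu and taskbar pinned items are the usual places. A shortcut installed by the browser itself carries no such switch, so outside a developer's machine any hit warrants a look at the directory the switch names.</p><p>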
For defenders, the campaign is a reminder that browser shortcuts and the extensions they load deserve the same scrutiny as the binaries they launch.</p><h3>Jobs/Internships:</h3><p>Coinbase - <a href="https://www.coinbase.com/careers/positions/5104457?gh_jid=5104457&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Senior Product Manager, Base Ecosystem</a> - Fully Remote</p><p>Roku - <a href="https://www.weareroku.com/jobs/senior-software-engineer-cloud-services-roku-pay-bengaluru-karnataka-india?gh_jid=5496736&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer, Cloud Services - Roku Pay</a> - Bengaluru, India &#183; On-site</p><p>Motional - <a href="https://motional.com/open-positions?gh_jid=5735999003&amp;ref=levels.fyi&amp;utm_source=levels.fyi#/5735999003">Senior Software Engineer, Real-Time Infrastructure</a> - Singapore, Central, Singapore &#183; On-site</p><p>Discord - <a href="https://boards.greenhouse.io/discord/jobs/7005241002?ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern, Data Products</a> - Fully Remote</p><p>NBC - <a href="https://jobs.smartrecruiters.com/NBCUniversal3/743999944030994-software-engineering-internships-summer-2024?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Software Engineering Internships &#8211; Summer 2024</a> - Universal City, CA</p><p>Neuralink - <a href="https://boards.greenhouse.io/neuralink/jobs/5752879003?gh_jid=5752879003&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineering Intern, Implant and Robot Manufacturing</a> - Fremont, California, United States &#183; On-site</p>]]></content:encoded></item><item><title><![CDATA[Arid Viper, Aligned with Hamas, Behind Android Spyware Campaign Targeting Arabic-speaking Users]]></title><description><![CDATA[Plus, Iranian Nation-State Hacking Group "Agonizing Serpens" Targets Israeli Higher Education and Tech Sectors with Destructive Cyber 
Attacks]]></description><link>https://www.cyber-oracle.com/p/arid-viper-aligned-with-hamas-behind</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/arid-viper-aligned-with-hamas-behind</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 07 Nov 2023 16:00:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!rgGy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Cyber espionage group Arid Viper linked to Hamas deploys counterfeit dating app to harvest data from infected devices</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rgGy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rgGy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 424w, https://substackcdn.com/image/fetch/$s_!rgGy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 848w, https://substackcdn.com/image/fetch/$s_!rgGy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 1272w, 
https://substackcdn.com/image/fetch/$s_!rgGy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!rgGy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png" width="947" height="500" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/571be257-192b-4425-a13d-6369d930d6be_947x500.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:500,&quot;width&quot;:947,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rgGy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 424w, https://substackcdn.com/image/fetch/$s_!rgGy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 848w, https://substackcdn.com/image/fetch/$s_!rgGy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 1272w, 
https://substackcdn.com/image/fetch/$s_!rgGy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F571be257-192b-4425-a13d-6369d930d6be_947x500.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Arid Viper, also known as APT-C-23, Desert Falcon, or TAG-63, has been identified as the perpetrator of an Android spyware campaign targeting Arabic-speaking users. 
Cisco Talos reports that the espionage group uses a counterfeit dating app to collect sensitive information from infected devices and to execute additional malicious code. The group has been active since at least 2017; Talos found no apparent connection between this campaign and the Israel-Hamas conflict.</p><p>The campaign is believed to have begun no earlier than April 2022. Its mobile malware shares source code similarities with a legitimate dating app named Skipped, which suggests either a link between the operators and the app's developers or a deliberate effort to pass the malware off as the real app.</p><p>Delivering malware through seemingly benign chat applications fits Arid Viper's established 'honey trap' playbook, in which fake social media profiles lure targets into installing malicious software.</p><p>Cisco Talos also uncovered a network of companies producing dating-themed applications similar to Skipped, available from the official Android and iOS app stores. These look-alike apps could give Arid Viper ready-made cover for future campaigns.</p><p>The attack chain begins with a link to a tutorial video for the purported dating application, hosted on a video-sharing service such as YouTube. The video description contains a URL that leads to an attacker-controlled domain serving the malicious APK.</p><p>Once installed, the malware hides its presence by suppressing system and security notifications, in particular on Samsung devices and from any app whose package name contains the word "security". 
It also requests intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, alter Wi-Fi settings, terminate background apps, take pictures, and create system alerts.</p><p>Additionally, the malware can retrieve system information, receive updated command-and-control (C2) domains from the current C2 server, and download additional malware disguised as legitimate apps, including Facebook Messenger, Instagram, and WhatsApp.</p><p>This revelation coincides with Recorded Future's findings, suggesting possible connections between Arid Viper and Hamas through infrastructure overlaps related to an Android application called Al Qassam. This app has been disseminated in a Telegram Channel claiming affiliation with the Izz ad-Din al-Qassam Brigades, the military wing of Hamas. These observations hint at potential shared infrastructure resources between Arid Viper (TAG-63) and the broader Hamas organization.</p><h3>Agonizing Serpens deploys novel wiper malware to steal sensitive data and render infected systems unusable, raising concerns about upgraded capabilities</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JayD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JayD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 424w, https://substackcdn.com/image/fetch/$s_!JayD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 848w, 
https://substackcdn.com/image/fetch/$s_!JayD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 1272w, https://substackcdn.com/image/fetch/$s_!JayD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JayD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png" width="860" height="520" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:520,&quot;width&quot;:860,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!JayD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 424w, https://substackcdn.com/image/fetch/$s_!JayD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 848w, 
https://substackcdn.com/image/fetch/$s_!JayD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 1272w, https://substackcdn.com/image/fetch/$s_!JayD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7023dabe-1fdf-4fad-b271-7a3ad285859e_860x520.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>A series of destructive cyber attacks that commenced in January 2023 and persisted until October have specifically targeted Israeli 
higher education and technology sectors. The attacks are attributed to an Iranian nation-state group tracked as "Agonizing Serpens," also known as Agrius, BlackShadow, and Pink Sandstorm (formerly Americium). According to Palo Alto Networks Unit 42, the intrusions first steal sensitive data, including personally identifiable information (PII) and intellectual property, and then deploy wiper malware to cover the attackers' tracks and leave the compromised endpoints inoperable.</p><p>The wipers seen in these attacks, MultiLayer, PartialWasher, and BFG Agonizer, are new, and they are accompanied by a bespoke tool called Sqlextractor that pulls data from database servers. Agonizing Serpens has been active since at least December 2020 and has a history of wiper attacks on Israeli entities; in May 2023, Check Point reported the group's use of the "Moneybird" ransomware against targets in Israel.</p><p>In these recent intrusions the group gains initial access by exploiting vulnerable internet-facing web servers, deploys web shells, performs reconnaissance on the victim network, and harvests administrative credentials. 
The attackers then move laterally, exfiltrate data with a mix of public and custom tools (Sqlextractor, WinSCP, and PuTTY), and finally deliver the wipers.</p><ul><li><p>MultiLayer: a .NET wiper that enumerates files and either deletes them or overwrites them with random data, then wipes the boot sector, so the data cannot be recovered and the machine will not boot.</p></li><li><p>PartialWasher: a C++ wiper that scans drives and wipes specified folders and their subfolders.</p></li><li><p>BFG Agonizer: a wiper built on the open-source CRYLINE-v5.0 project.</p></li></ul><p>The attribution to Agrius rests on code overlaps with malware families the group has used before, including Apostle, IPsec Helper, and Fantasy. Unit 42 also notes that the group's capabilities have improved, with specific efforts to bypass endpoint detection and response (EDR) and other security controls. 
To that end, the group rotates through publicly available proof-of-concept (PoC) and pentesting tools as well as custom tooling, a sign that its tactics and resources are still evolving.</p><h3>Jobs/Internships:</h3><p>OKX - <a href="https://boards.greenhouse.io/okx/jobs/5514629003?ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer - Python (Quant Platform - Data Services/ HFT Service)</a> - On-site</p><p>AccelByte - <a href="https://accelbyte.io/job?gh_jid=4335727005&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Senior Site Reliability Engineer (SRE)</a> - Fully Remote</p><p>Rocket Lab - <a href="https://boards.greenhouse.io/rocketlab/jobs/5647101003?ref=levels.fyi&amp;utm_source=levels.fyi">Principal Neutron Safety &amp; Reliability Engineer</a> - Auckland, New Zealand &#183; On-site</p><p>Coinbase - <a href="https://www.coinbase.com/careers/positions/5458491?gh_jid=5458491&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Summer 2024 - Product Design Intern</a> - Fully Remote</p><p>Circle - <a href="https://boards.greenhouse.io/circle/jobs/6999631002?gh_src=5ee41e4a2us&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer, Intern 2024</a> - Boston, Massachusetts, United States &#183; On-site</p><p>ByteDance - <a href="https://careers.tiktok.com/position/7267611363882617149/detail?spread=5MWH5CQ&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern (Data-Data Platform-Data Management Suite-US) - 2024 Summer (BS/MS)</a> - San Jose, CA</p>]]></content:encoded></item><item><title><![CDATA[Canada Bans Tencent and Kaspersky Apps from Government Mobile Devices Over Privacy and Security Concerns]]></title><description><![CDATA[Plus, Meta Introduces Ad-Free Subscription Option for Facebook and Instagram in EU, EEA, and Switzerland to Comply with Data Protection Regulations]]></description><link>https://www.cyber-oracle.com/p/canada-bans-tencent-and-kaspersky</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/canada-bans-tencent-and-kaspersky</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 31 Oct 2023 15:01:08 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!DKEp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Government takes a proactive stance to protect sensitive data from potential risks associated with WeChat and Kaspersky's applications</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DKEp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!DKEp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 424w, https://substackcdn.com/image/fetch/$s_!DKEp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 848w, https://substackcdn.com/image/fetch/$s_!DKEp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 1272w, https://substackcdn.com/image/fetch/$s_!DKEp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DKEp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png" width="848" height="558" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:558,&quot;width&quot;:848,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!DKEp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 424w, https://substackcdn.com/image/fetch/$s_!DKEp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 848w, https://substackcdn.com/image/fetch/$s_!DKEp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 1272w, https://substackcdn.com/image/fetch/$s_!DKEp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9cf928d-098b-48b2-a971-2c032d1129fd_848x558.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Canada has banned Tencent's WeChat and Kaspersky's suite of applications from government-issued mobile devices, effective October 30, 2023, citing an "unacceptable level of risk to privacy and security." Anita Anand, President of the Treasury Board, described the move as a risk-based approach to safeguarding government information and networks, as the apps' data collection methods reportedly give them considerable access to a device's contents.</p><p>WeChat, developed by the Chinese technology giant Tencent, is an all-in-one platform with more than 1 billion monthly active users that combines instant messaging, social media, and mobile payments. Kaspersky, the Russian cybersecurity vendor, called the ban politically motivated and said it was imposed without a comprehensive evaluation of the integrity of its products and services. The prohibition follows Canada's ban of ByteDance-owned TikTok from government devices in February 2023 and the U.S. Federal Communications Commission's addition of Kaspersky to its "Covered List" in March 2022 for posing an "unacceptable risk to national security." 
Canada's action underscores its commitment to maintaining the security and privacy of government information, in a landscape where concerns over data security and geopolitical influences continue to shape digital policy decisions.</p><h3>Meta's move aims to address evolving data protection regulations in Europe, offering users the choice to access Facebook and Instagram without ads for a fee</h3><p>In response to changing data protection regulations in the European Union (EU), European Economic Area (EEA), and Switzerland, Meta, the parent company of Facebook and Instagram, has unveiled plans to introduce an ad-free subscription option for users in these regions. This ad-free subscription, priced at &#8364;9.99 per month on the web and &#8364;12.99 per month on iOS and Android, is set to be officially available starting next month, granting users the choice to enjoy a personalized ad-free experience on these social media platforms.</p><p>Meta's decision to offer this subscription model follows a &#8364;390 million fine imposed in January related to breaches of the General Data Protection Regulation (GDPR) by the Irish Data Protection Commission (DPC). 
The DPC found that users had no option but to accept Meta's terms of service to access its digital platforms, which included consent for targeted advertising based on their online activity.</p><p>Starting in November, users in these regions will be able to choose between the free, ad-supported version or the paid, ad-free subscription. During the subscription period, Meta commits not to use subscribers' information for advertising purposes.</p><p>Additionally, Meta plans to introduce a fee for additional accounts listed in a user's Account Center, beginning March 1, 2024, amounting to &#8364;6 per month on the web and &#8364;8 per month on iOS or Android.</p><p>This move aligns with Meta's intention, announced in August 2023, to transition to a consent-based approach that allows users to opt out of behavioral advertising practices. The company cites a July ruling from the Court of Justice of the European Union (CJEU), which supports the concept of offering an equivalent alternative for a fee, not accompanied by extensive data processing operations.</p><p>Simultaneously, Meta will temporarily pause displaying ads to users under 18 in regions where the ad-free subscription is accessible, starting on November 6, 2023.</p><p>In presenting this ad-free subscription option, Meta seeks to balance the demands of European regulators, empower users with choice, and maintain its ability to serve all individuals in the EU, EEA, and Switzerland, emphasizing its commitment to data privacy and compliance with evolving regulations.</p><h3>Jobs/Internships:</h3><p>Amazon - <a href="https://www.amazon.jobs/en/jobs/2394340/sr-software-development-engineer-device-os?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi&amp;utm_campaign=JB_LVDS301046B">Sr. 
Software Development Engineer, Device OS</a> - Mexico City, Mexico</p><p>Rocket Lab - <a href="https://boards.greenhouse.io/rocketlab/jobs/5707008003?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer &#8211; Operations Software</a> - Auckland, New Zealand &#183; On-site</p><p>Loop - <a href="https://boards.greenhouse.io/loop/jobs/4998105004?gh_src=9e83895a4us&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer, 2024 New Grad - San Francisco</a> - California, United States &#183; On-site</p><p>Apptronik - <a href="https://boards.greenhouse.io/apptronik/jobs/5008502004?gh_jid=5008502004&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern - Perception (Summer 2024)</a> - Austin, TX &#183; On-site</p><p>Stripe - <a href="https://stripe.com/jobs/listing/software-engineering-intern/5297261">Software Engineering Intern</a> - On-site</p><p>Adobe - <a href="https://careers.adobe.com/us/en/job/ADOBUSR141245EXTERNALENUS/2024-Intern-Machine-Learning-Engineer?utm_source=levels.fyi&amp;utm_medium=phenom-feeds&amp;source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi">2024 Intern - Machine Learning Engineer</a> - San Jose, CA &#183; On-site</p>]]></content:encoded></item><item><title><![CDATA[Google Enhances Play Protect: Real-Time Code Scanning to Thwart Novel Malicious Apps]]></title><description><![CDATA[Plus, Former NSA Employee Pleads Guilty to Espionage Charges: Transmitting Classified Data to Russian 'Agent']]></description><link>https://www.cyber-oracle.com/p/google-enhances-play-protect-real</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/google-enhances-play-protect-real</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 24 Oct 2023 15:01:05 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!oePC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F820cb41f-eb46-4b35-9f39-f8efb660d8cc_1600x865.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Google Play Protect Gets a Vital Upgrade to Detect Emerging Threats</h3><p>In a robust move to safeguard Android users, Google is strengthening its defenses with a significant update to Play Protect. This enhancement introduces real-time code-level scanning to thwart novel malicious apps even before they make their way onto Android devices.</p><p>Google proudly states, "Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats." Play Protect, a free built-in threat detection service, diligently scans Android devices for any potentially harmful apps, whether they're sourced from the Play Store or external locations. In the most severe cases, it may even prevent the installation of suspicious apps.</p><p>This latest check builds upon existing protective measures, where users were alerted if an app was known to be malicious based on existing scanning data or if it raised suspicions through on-device machine learning. With the introduction of this real-time safeguard, key signals from the app are extracted and sent to Play Protect's backend infrastructure for a code-level evaluation. This process happens in real-time, determining whether the app is safe to install or harbors malicious intent.</p><p>Google emphasizes that this enhancement is essential in the ongoing battle against malicious polymorphic apps, which employ various tactics, including AI, to shape-shift and avoid detection. This crucial feature is initially being rolled out in select countries, commencing with India.</p><p>This security upgrade arrives as threat actors continuously devise new methods to disseminate Android malware, often through deceptive apps or APK files distributed via messaging platforms. 
Additionally, it follows a comprehensive revision to the Android Security Paper, offering an overview of the platform's proactive security measures, spanning hardware, anti-exploitation, Google Security Services, and APIs tailored for businesses and governments. As the Android landscape evolves, Google remains committed to keeping users safe from emerging threats. Stay vigilant and keep your devices updated!</p><h3>Ex-NSA Insider's Bold Espionage Attempt Unraveled by Covert FBI Operation</h3><p>In a gripping espionage tale, a former employee of the U.S. National Security Agency (NSA), Jareh Sebastian Dalke, has admitted guilt in a dramatic case involving the attempted transmission of classified defense information to a supposed Russian contact. This startling development unfolded more than a year after his arrest, shedding light on a covert operation that saw the tables turned on the would-be spy.</p><p>Dalke, who held a position as an Information Systems Security Designer at the NSA, enjoyed Top Secret clearance during his brief tenure from June 6, 2022, to July 1, 2022. He had access to highly sensitive documents, which he allegedly tried to share with Russia. The U.S. 
Department of Justice revealed that Dalke confessed to sending excerpts from three classified documents to an individual he believed to be a Russian agent. However, unbeknownst to him, this supposed agent was, in fact, an undercover employee of the U.S. Federal Bureau of Investigation (FBI).</p><p>Not stopping at the transmission, Dalke reportedly requested a substantial $85,000 in exchange for the classified information he possessed, which he claimed would be of significant value to Russia, with promises of sharing more documents in the future.</p><p>This cloak-and-dagger exchange took place at Union Station in downtown Denver, Colorado, via a laptop. It included five files, four of which contained Top Secret National Defense Information (NDI). These documents encompassed critical details about the NSA's plans for an undisclosed cryptographic program, as well as assessments of U.S. defense capabilities and Russia's offensive capacities.</p><p>The fifth file was a letter from Dalke, expressing his willingness to provide information and hinting at a future partnership with the recipient.</p><p>However, the story took a sudden turn when authorities arrested Dalke on September 28, 2022, just moments after the file transfer, revealing the FBI's covert operation.</p><p>Having now pleaded guilty, Dalke faces his sentencing on April 26, 2024, with the possibility of a maximum penalty of life in prison, marking a dramatic conclusion to a tale of espionage and intrigue.</p><h3>Jobs/Internships:</h3><p>iHerb - <a href="https://boards.greenhouse.io/iherb/jobs/5697567003?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Developer- Back End</a> - On-site</p><p>Lyft - <a href="https://app.careerpuck.com/job-board/lyft/job/6954581002?gh_jid=6954581002&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Data Scientist, Decisions - Lyft Business</a> - San Francisco, CA &#183; Hybrid</p><p>Airbnb - <a href="https://careers.airbnb.com/positions/5096054/">Staff Software Engineer, 
Host Pricing &amp; Settings</a> - Fully Remote</p><p>Walmart - <a href="https://walmart.wd5.myworkdayjobs.com/WalmartExternal/job/Dallas-TX/Software-Engineer-III---Front-End_R-1643502?source=Job_Board_LinkedIn&amp;_ccid=16936787417927c0vfu62p">Software Engineer III - Front End</a> - Dallas, TX</p><p>Coinbase - <a href="https://www.coinbase.com/careers/positions/5442125?gh_jid=5442125&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern, Backend</a> - Fully Remote</p><p>Two Six Technologies - <a href="https://boards.greenhouse.io/twosixtechnologies/jobs/4992903004?ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Summer Intern</a> - Arlington, Virginia &#183; On-site</p><p>Pinterest - <a href="https://www.pinterestcareers.com/en/jobs/5387508/software-engineering-intern-2024-palo-alto/?ref=levels.fyi&amp;utm_source=levels.fyi?gh_jid=5387508">Software Engineering Intern 2024 (Palo Alto)</a> - Palo Alto, CA, US &#183; On-site</p><p>Dropbox - <a href="https://jobs.dropbox.com/listing/5449187?gh_jid=5449187&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineer Intern (Summer 2024)</a> - Fully Remote</p>]]></content:encoded></item><item><title><![CDATA[EtherHiding: Malware Campaign Exploits Binance's Smart Chain to Serve Deceptive Browser Updates]]></title><description><![CDATA[SpyNote Android Banking Trojan Unveiled: A Stealthy Threat with Invasive Capabilities]]></description><link>https://www.cyber-oracle.com/p/etherhiding-malware-campaign-exploits</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/etherhiding-malware-campaign-exploits</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 17 Oct 2023 15:01:11 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YIQJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4effc143-71fb-4ac5-9a4e-893b2959806c_1600x900.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Threat Actors Evade Detection with 'Next Level' Bulletproof Hosting Tactic</h3><p>In a cyber twist that sounds like it's straight out of a thriller, a devious malware campaign dubbed "EtherHiding" has emerged, taking advantage of Binance's Smart Chain (BSC) contracts to serve malicious code. Guardio Labs discovered this campaign, and it marks a significant escalation in the ongoing battle against online threats. Initially, the attackers utilized compromised WordPress sites, tricking visitors with fake browser update warnings, ultimately leading to the deployment of information-stealing malware. But when their initial hosting method was taken down, they cleverly pivoted to the decentralized and anonymous world of blockchain, making their campaign harder than ever to detect and stop.</p><p>Security experts Nati Tal and Oleg Zaytsev commented, "This campaign is up and harder than ever to detect and take down." This devious campaign targets WordPress sites, exploiting vulnerabilities in plugins and known security flaws, giving attackers the power to hijack websites at will. The latest attacks involve injecting obfuscated JavaScript into infected sites to query Binance's Smart Chain, creating a smart contract controlled by the attacker. This contract retrieves a third-stage payload from a command-and-control server to serve deceptive browser update notices. When victims click the update button, they unknowingly download a malicious executable from legitimate file hosting services, making it an intricate and elusive operation.</p><p>What makes it even more challenging to combat is that the decentralized nature of blockchain hosting means there's currently no way to intervene and disrupt the attack chain. 
As the researchers pointed out, "Visitors of compromised WordPress sites have no clue as to what is going on under the hood." Even though it has been tagged as fake and malicious, the campaign continues to deliver its harmful payload, leaving users at risk.</p><p>EtherHiding is part of a broader campaign called "ClearFake," which uses a JavaScript framework to deploy malware on compromised websites through drive-by downloads. The attack chains lead to the deployment of various malware loaders and trojans, suggesting a connection between different threat groups. So, users of WordPress, beware! It's crucial to follow security best practices: keep your systems updated, remove unwanted admin users, and use strong passwords to protect your website from these stealthy attackers. Stay safe in the ever-evolving world of cyber threats.</p><h3>SMS Phishing Campaigns Weaponize Spyware That Evades Detection and Steals Data</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!U17w!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feefc8c34-b87b-40ce-b4f8-661aeccf0233_1200x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!U17w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feefc8c34-b87b-40ce-b4f8-661aeccf0233_1200x600.png" width="1200" height="600" class="sizing-normal" alt="Beware of Spyware" title="Beware of Spyware"></div></a></figure></div><p>In the world of Android malware, SpyNote is a formidable adversary, and it has just been laid bare, revealing its extensive information-gathering 
arsenal. This cunning banking trojan is typically disseminated through SMS phishing campaigns, luring victims into installing the app via embedded links, as disclosed by cybersecurity experts at F-Secure.</p><p>SpyNote doesn't stop at seeking invasive permissions to access call logs, camera, SMS messages, and external storage. What sets it apart is its talent for remaining hidden from prying eyes, camouflaging itself on the Android home screen and the Recents screen, making it incredibly challenging to detect.</p><p>F-Secure researcher Amit Tambe explained, "The SpyNote malware app can be launched via an external trigger. Upon receiving the intent, the malware app launches the main activity." However, its real power lies in obtaining accessibility permissions, which it then exploits to grant itself even more permissions. This includes the ability to record audio and phone calls, log keystrokes, and capture screenshots using the MediaProjection API.</p><p>But there's more to this threat. A closer examination has revealed the existence of diehard services, designed to thwart any attempts at termination, whether by victims or the Android operating system. This is achieved by registering a broadcast receiver that automatically restarts the malware whenever it's on the verge of being shut down. Additionally, trying to uninstall the malicious app via the device's Settings is an exercise in frustration, as it cleverly thwarts attempts by exploiting accessibility APIs.</p><p>As Amit Tambe pointed out, "The SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs, information on installed applications, and so on. It stays hidden on the victim's device making it challenging to notice. It also makes uninstallation extremely tricky." 
In fact, victims are left with no recourse but to perform a factory reset, wiping all data in the process.</p><p>This revelation coincides with F-Secure's disclosure of a deceptive Android app posing as an operating system update. It entices victims into granting accessibility service permissions and then stealthily siphons off SMS and banking data, highlighting the ever-evolving and insidious nature of cyber threats in the Android ecosystem. Stay vigilant, Android users!</p><h3>Jobs/Internships:</h3><p>Ada - <a href="https://jobs.lever.co/ada/912274e3-3585-4b9d-83d3-08be166e427e/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Intermediate Full Stack Engineer, Growth</a> - Fully Remote</p><p>Improbable - <a href="https://jobs.lever.co/improbable/2f62aa85-40c9-481e-be58-9df63a972f3f/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Full Stack Senior Software Engineer &#8211; Backend Services</a> - Fully Remote</p><p>Stripe - <a href="https://stripe.com/jobs/listing/software-engineering-new-grad/5306080">Software Engineering, New Grad</a> - On-site</p><p>CrowdStrike - <a href="https://crowdstrike.wd5.myworkdayjobs.com/crowdstrikecareers/job/USA---Remote/Sr-Software-Engineer---Cloud-Platform--Remote-_R14562?etd=MUVP6CXQ22IN5GFG6HV4QIQ2PXM276YN3RHLNYOCLSPVSTVJPYY6HKGNMSPV6BTGQXB4QPJLODPTG2Y5J53BNJWVELIT6JLKDYIVDZWVJ7X5O6GYVW2GAHDLLZJWXYPCUW2PXQATSCSUVGFHZRHAC2QBSJ7F2JSCRZ46ZI4ECISGHRI4GTPQ%253d%253d%253d%253d&amp;piq_uuid=a55d32d4-5814-4b07-8db0-9def7cb9a3b7&amp;clickuid=20337831477&amp;source=pando_ppc">Sr. Software Engineer - Cloud Platform (Remote)</a> - New York, NY</p><p>Intel - <a href="https://jobs.intel.com/en/job/-/-/599/55706847456?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">GPU Software Engineering Intern</a> - Gdansk Metropolitan Area &#183; On-site</p><p>Johns Hopkins University Applied Physics Laboratory - <a href="https://careers.jhuapl.edu/jobs/53795?lang=en-us&amp;mode=job&amp;iis=Job+Board&amp;iisn=LinkedIn">2024 Internship - Computer Scientist / Applied Mathematician / Engineer - Scientific Applications for Intelligence, Surveillance, and Reconnaissance</a> - Laurel, MD</p><p>MKS - <a href="https://mksinst.wd1.myworkdayjobs.com/MKSCareersUniversity/job/Rochester-NY/XMLNAME-2024-Summer-Undergraduate-Intern-Co-op---Software-Engineer_R8186?ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">2024 Summer Undergraduate Intern/Co-op - Software Engineer</a> - Rochester, NY</p><p>John Deere - <a href="https://jobs.deere.com/eightfold/job/Grovetown-Product-Engineering-Intern-ElectricalSoftware-Design%2C-Spring-2024-Grovetown%2C-GA-GA-30813/993560500/?feedId=190400&amp;utm_source=levels.fyi&amp;utm_campaign=johndeere_levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi">Product Engineering Intern - Electrical/Software Design, Spring 2024 Grovetown, GA</a> - Grovetown, GA</p>]]></content:encoded></item><item><title><![CDATA[Gaza-Based Threat Actor 'Storm-1133' Targeting Israeli Energy, Defense, and Telecom Firms Unveiled in Microsoft's Digital Defense Report]]></title><description><![CDATA[Plus, AI Jailbreaks: Cybersecurity Risks of Misusing Large Language Models]]></description><link>https://www.cyber-oracle.com/p/gaza-based-threat-actor-storm-1133</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/gaza-based-threat-actor-storm-1133</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 10 Oct 2023 15:00:36 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!fHjS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86d81297-33f3-4c8d-b753-49204da07c5b_1280x720.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Microsoft Exposes Cyber Campaign by Gaza-Linked Group Targeting Israeli Entities</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fHjS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86d81297-33f3-4c8d-b753-49204da07c5b_1280x720.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!fHjS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86d81297-33f3-4c8d-b753-49204da07c5b_1280x720.png" width="1280" height="720" class="sizing-normal" alt=""></div></a></figure></div><p>A threat actor originating from Gaza, tracked as "Storm-1133," has been uncovered in a series of cyber attacks primarily targeting private-sector organizations in Israel, with a focus on energy, defense, and telecommunications companies. Microsoft disclosed these details in its fourth annual Digital Defense Report.</p><p>Microsoft assesses that the group works to further the interests of Hamas, a Sunni militant organization that holds de facto authority in the Gaza Strip. The majority of its activities have been directed at organizations perceived as hostile to Hamas.</p><p>The campaign involved a range of targets, including entities within the Israeli energy and defense sectors, as well as those aligned with Fatah, a Palestinian political party based in the West Bank.</p><p>Storm-1133's attack strategy is multifaceted, combining social engineering with fake profiles on LinkedIn. These fraudulent profiles masquerade as Israeli human resources managers, project coordinators, and software developers. The goal is to initiate contact with employees at Israeli organizations, send phishing messages, conduct reconnaissance, and deliver malware.</p><p>Microsoft also observed attempts by Storm-1133 to infiltrate third-party organizations with known links to Israeli entities of interest. These intrusions aim to establish backdoors and configure command-and-control (C2) infrastructure hosted on Google Drive, allowing the group to update its C2 infrastructure dynamically.</p><p>As Microsoft notes, this tactic keeps the group one step ahead of static network-based defenses and enhances its evasion capabilities.</p><p>The disclosure coincides with an increase in hacktivist operations amid the escalation of the Israeli-Palestinian conflict. 
Groups like "Ghosts of Palestine" have conducted malicious activities targeting government websites and IT systems in Israel, the United States, and India.</p><p>The evolving threat landscape also reveals a shift in nation-state cyber activity, away from destructive and disruptive operations and toward long-term espionage campaigns. Nations such as the United States, Ukraine, Israel, and South Korea have become the most prominent targets across Europe, the Middle East, North Africa, and the Asia-Pacific region.</p><p>Iranian and North Korean state actors are demonstrating heightened sophistication in their cyber operations, inching closer to the capabilities of actors from nations like Russia and China.</p><p>This evolution in tradecraft is exemplified by the repeated use of custom tools and backdoors, such as "MischiefTut," employed by Mint Sandstorm (also known as Charming Kitten), which are designed to facilitate persistence, evade detection, and steal credentials.</p><h3>AI Models Like ChatGPT Pose Security Risks When Misused or Prompted Inappropriately</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!teH7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed5a6417-6f98-4166-9bfe-caff07d04914_1600x1090.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!teH7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fed5a6417-6f98-4166-9bfe-caff07d04914_1600x1090.png" width="1456" height="992" class="sizing-normal" alt="" loading="lazy"></div></a></figure></div><p>The proliferation of large language models (LLMs) such as ChatGPT has raised concerns about their potential misuse and the cybersecurity risks they pose. Researchers have found that these models can be manipulated through prompt engineering into generating malicious content, including code for keyloggers and other harmful software.</p><p>In one case, Moonlock Lab, a cybersecurity company, shared an incident in which its malware research engineer had a dream about an attacker writing code with keywords like "MyHotKeyHandler," "Keylogger," and "macOS." Moonlock Lab then asked ChatGPT to recreate the malicious code and to suggest ways to counter the attack. While the generated code may not always be functional, it can assist malicious actors in creating polymorphic malware.</p><p>Malicious prompt engineering is a widespread problem: cybersecurity researchers have even developed a "Universal LLM Jailbreak" that bypasses the content filters of various AI systems, including ChatGPT. These jailbreaks use carefully crafted prompts to manipulate the models into providing unwanted or harmful responses.</p><p>The accessibility and adaptability of AI models make them susceptible to manipulation that bypasses their content filters and built-in restrictions. Whether through role-playing characters or unconventional requests, a model can be pushed away from its intended use, potentially revealing dangerous information or assisting in unethical activities.</p><p>Prompt injections, in which crafted input steers an AI model into behavior its operator never intended, are a rising concern. Because the injected instructions arrive as ordinary input, they can subtly redirect the model without any visible sign of tampering, making them difficult to detect and prevent. As AI becomes more integrated into applications and services, the risk of indirect prompt injection, where the malicious instructions are hidden in content the model is asked to process rather than typed by the user, grows.</p><p>To mitigate these risks, organizations using LLMs must establish trust boundaries and implement security guardrails. These guardrails should limit the model's access to data and restrict its ability to make significant changes, helping to prevent misuse and potential security breaches as generative AI continues to evolve.</p><h3>Jobs/Internships</h3><p>Moxion Power - <a href="https://jobs.lever.co/moxionpower/721d0a26-e248-4064-aaa1-14a98d1b82a0/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Director of Manufacturing Engineering</a> - Richmond, CA</p><p>Gopuff - <a href="https://jobs.lever.co/gopuff/9b7527b6-eed9-41ff-b682-10a658781f0c/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer - Platform</a> - Hybrid</p><p>Rackspace - <a href="https://jobs.lever.co/rackspace/6ac92170-609a-4c14-af76-64d68112d2b7/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Azure Cloud Engineer - II (R -17732)</a> - Fully Remote</p><p>ION - <a href="https://jobs.lever.co/ion/55f7c35e-4769-406a-b025-619a5c6e596e/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Product Manager</a> - Hybrid</p><p>Scale AI - <a href="https://boards.greenhouse.io/scaleai/jobs/4305872005?ref=levels.fyi&amp;utm_source=levels.fyi">Machine Learning Research Engineering Intern</a> - San Francisco, CA &#183; Hybrid</p><p>Riot Games - <a href="https://www.riotgames.com/en/work-with-us/job/5330414?gh_jid=5330414&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Software Engineering Intern</a> - Los Angeles, USA &#183; On-site</p><p>Pentair - <a href="https://pentair.wd5.myworkdayjobs.com/Pentair_Careers/job/Golden-Valley-MN/Engineering-Leadership-Development-Internship-Program---Summer-2024_R17396?source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Engineering Leadership Development Internship Program</a> - Summer 2024 - Hanover Park, IL &#183; Apex, NC &#183; Boardman, OH &#183; White Bear, MN</p><p>Adobe - <a 
href="https://careers.adobe.com/us/en/job/ADOBUSR139226EXTERNALENUS/2024-Intern-Software-Developer?utm_source=levels.fyi&amp;utm_medium=phenom-feeds&amp;source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi">2024 Intern - Software Developer</a> - San Jose, CA</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.cyber-oracle.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Cyber Oracle! Subscribe for free to receive new posts and support our work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[GitHub Accounts Compromised in Deceptive Campaign; Malicious Code Disguised as Dependabot Contributions]]></title><description><![CDATA[Plus, Lazarus Group's Espionage Campaign Targets Spanish Aerospace Firm in Elaborate LinkedIn Scam]]></description><link>https://www.cyber-oracle.com/p/github-accounts-compromised-in-deceptive</link><guid isPermaLink="false">https://www.cyber-oracle.com/p/github-accounts-compromised-in-deceptive</guid><dc:creator><![CDATA[Nikunj Patel]]></dc:creator><pubDate>Tue, 03 Oct 2023 15:00:34 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!JXEe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>Developers Targeted in Elaborate Scheme to Steal Passwords and GitHub Secrets</h3><div 
class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JXEe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JXEe!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 424w, https://substackcdn.com/image/fetch/$s_!JXEe!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 848w, https://substackcdn.com/image/fetch/$s_!JXEe!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 1272w, https://substackcdn.com/image/fetch/$s_!JXEe!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JXEe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png" width="1200" height="630" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/da14f426-1960-4788-a128-b97aa44c5226_1200x630.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:630,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!JXEe!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 424w, https://substackcdn.com/image/fetch/$s_!JXEe!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 848w, https://substackcdn.com/image/fetch/$s_!JXEe!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 1272w, https://substackcdn.com/image/fetch/$s_!JXEe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda14f426-1960-4788-a128-b97aa44c5226_1200x630.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>A deceptive campaign has emerged in which compromised GitHub accounts are used to push malicious code disguised as contributions from Dependabot. The objective of the campaign is to steal passwords from unsuspecting developers.</p><p>In a technical report, Checkmarx provides insight into the workings of this campaign, revealing that "the malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modifies any existing JavaScript files in the attacked project with web-form password-stealer malware code, affecting any end-user who submits their password in a web form."</p><p>Notably, the malware is engineered to capture GitHub secrets and variables and transmit them to a remote server by way of a GitHub Action.</p><p>Checkmarx observed unusual commits to numerous public and private GitHub repositories occurring between July 8 and 11, 2023.
These deceptive commits were the result of malicious actors utilizing stolen GitHub personal access tokens (PATs) to make fraudulent code contributions to users' repositories while posing as Dependabot.</p><p>Dependabot, a legitimate service, is designed to notify users of security vulnerabilities in a project's dependencies by autonomously generating pull requests to keep them updated.</p><p>The attackers gained unauthorized access to these accounts by compromising PATs, which were likely silently exfiltrated from the victims' development environments. A significant portion of the compromised users appears to be located in Indonesia.</p><p>The exact method by which this theft occurred remains unclear, though suspicions point toward a potential rogue package inadvertently installed by the developers.</p><p>This incident underscores the ongoing efforts of threat actors to taint open-source ecosystems and facilitate supply chain compromises. It is indicative of a larger trend, as evidenced by a recent data exfiltration campaign targeting npm and PyPI. This campaign employed 39 counterfeit packages to collect sensitive machine information and transmit it to a remote server.</p><p>These modules were published over a span of several days in September 2023 and demonstrated a progressive increase in complexity, scope, and obfuscation techniques, according to Phylum, a software supply chain security company.</p><p>Phylum is also tracking what it categorizes as a substantial typosquat campaign targeting npm. In this campaign, 125 packages masquerading as "angular" and "react" are being used to send machine information to a remote Discord channel. 
The author claims this is part of a "research project" to identify potential vulnerabilities in bug bounty programs, a violation of npm's Acceptable Use Policy that places strain on those tasked with maintaining clean ecosystems.</p><p>As the threat landscape continues to evolve, such incidents emphasize the importance of vigilance and security measures in the realm of software development and open-source contributions.</p><h3>North Korea-Linked Threat Actors Employ Crafty Social Engineering Tactics to Infiltrate Strategic Targets</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RQae!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RQae!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 424w, https://substackcdn.com/image/fetch/$s_!RQae!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 848w, https://substackcdn.com/image/fetch/$s_!RQae!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 1272w, https://substackcdn.com/image/fetch/$s_!RQae!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!RQae!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png" width="1456" height="637" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:637,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RQae!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 424w, https://substackcdn.com/image/fetch/$s_!RQae!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 848w, https://substackcdn.com/image/fetch/$s_!RQae!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 1272w, https://substackcdn.com/image/fetch/$s_!RQae!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27c70147-377a-4ec0-b5f5-f2c9963d7e75_1600x700.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>In a concerning revelation, the Lazarus Group, a notorious North Korea-linked cyber-espionage outfit, has been tied to a sophisticated attack directed at an undisclosed aerospace company in Spain. The attack involved a clever ruse in which employees of the targeted firm were approached by threat actors impersonating recruiters from Meta Platforms.</p><p>ESET security researcher Peter K&#225;lnai, who shared the technical details of the attack, explained, "Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding challenge or quiz."</p><p>This cyber offensive is part of a broader spear-phishing campaign referred to as "Operation Dream Job."
The campaign's primary aim is to lure employees working for potential strategic targets, enticing them with fictitious job opportunities as bait to initiate the infection chain.</p><p>Earlier in the year, the same hacking group was linked to an attack wave targeting Linux users. In this previous campaign, threat actors utilized counterfeit HSBC job offers as a guise to deploy a backdoor named SimplexTea.</p><p>The most recent attack, designed for Windows systems, culminates in the deployment of an implant dubbed "LightlessCan," representing a significant leap in sophistication compared to its predecessor, "BLINDINGCAN." The latter is also known as AIRDRY or ZetaNile and is a malware known for its ability to harvest sensitive information from compromised hosts.</p><p>The attack was initiated when the target received a message on LinkedIn from a bogus recruiter claiming to work for Meta Platforms. The impersonator sent two coding challenges, supposedly part of the recruitment process, and persuaded the victim to execute test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.</p><p>These ISO files contained malicious binaries (Quiz1.exe and Quiz2.exe) and, when downloaded and executed on a company-provided device, led to the compromise of the system and the breach of the corporate network.</p><p>Subsequently, the attackers employed an HTTP(S) downloader known as NickelLoader to facilitate the deployment of various programs into the victim's computer's memory. This included the LightlessCan remote access trojan and a variant of BLINDINGCAN referred to as "miniBlindingCan" (also known as AIRDRY.V2).</p><p>LightlessCan boasts support for up to 68 distinct commands, with 43 of them currently implemented. 
On the other hand, miniBlindingCan's primary function is to transmit system information and retrieve files from a remote server, among other tasks.</p><p>A notable feature of this campaign is the use of execution guardrails to ensure that payloads are decrypted and executed only on the intended victim's machine. This strategic shift enhances stealthiness and complicates the detection and analysis of the attackers' activities.</p><p>The Lazarus Group, along with other threat clusters from North Korea, has been increasingly active in recent months, targeting a range of industries and sectors across various countries. Their operations span manufacturing and real estate in India, telecom companies in Pakistan and Bulgaria, and government, research, and defense contractors in Europe, Japan, and the United States, as reported by Kaspersky.</p><h3>Jobs/Internships:</h3><p>Attentive - <a href="https://jobs.lever.co/attentive/ae899b91-8ec1-4420-9e42-cf0abafda349/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Senior Software Engineer, Fullstack</a> - New York, NY &#183; Hybrid</p><p>Mews - <a href="https://www.mews.com/en/careers/jobs/4222366101?gh_jid=4222366101&amp;gh_src=1e602b92teu&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Full-Stack Engineer</a> - Barcelona, Barcelona, Spain &#183; Hybrid</p><p>Coinbase - <a href="https://www.coinbase.com/careers/positions/1631592?gh_jid=1631592&amp;ref=levels.fyi&amp;utm_source=levels.fyi">Product Manager II</a> - Fully Remote</p><p>Improbable - <a href="https://jobs.lever.co/improbable/c728156e-9781-4b2d-8b95-328e2e15a5ff/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Lead Software Engineer - Gameplay, Metaverse</a> - Fully Remote</p><p>Zoox - <a href="https://jobs.lever.co/zoox/17940748-8d1b-44ae-bc85-d9306d7b32c7/apply?ref=levels.fyi&amp;utm_source=levels.fyi">Robot Software Infrastructure, Software Engineering Intern</a> - Foster City, CA</p><p>Northrop Grumman - <a
href="https://www.northropgrumman.com/jobs/Administrative-Services/Intern/United-States-of-America/Georgia/Warner-Robins/R10131662/2024-software-engineering-intern-warner-robins-ga?ref=levels.fyi&amp;src=levels.fyi&amp;utm_campaign=businessmanegment1&amp;jClickId=08ccca08-89aa-47ae-9e8d-c4e9d45ec33a&amp;utm_audience=null&amp;utm_medium=jobboard&amp;source=JB-18202&amp;utm_code=JB-18202&amp;utm_format=null&amp;utm_content=null&amp;utm_source=linkedin-organic">2024 Software Engineering Intern</a> - Warner Robins, GA</p><p>Temasek - <a href="https://career2.successfactors.eu/career?navBarLevel=JOB_SEARCH&amp;career_job_req_id=10760&amp;rcm_site_locale=en_GB&amp;company=temasekcapP2&amp;career_ns=job_listing&amp;source=levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Project Intern, Cybersecurity (Data Science &amp; Analytics)</a> - Singapore, Singapore</p><p>IBM - <a href="https://careers.ibm.com/job/19205343/front-end-developer-intern-may-2024-16-months-markham-ca/?codes=SN_LinkedIn&amp;Codes=sn_levels.fyi&amp;ref=levels.fyi&amp;src=levels.fyi&amp;utm_source=levels.fyi">Front End Developer Intern (May 2024 - 16 months)</a> - Markham, Ontario, Canada &#183; Hybrid</p>]]></content:encoded></item></channel></rss>