Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Adobe. Show all posts
malware
Adobe Creative Cloud Service Cthulhu CyberCrime Cyberhackers Cybersecurity CyberThreat DMG MaaS macOS malware

Fake macOS Apps Infect Devices, Steal Sensitive Data in the Latest Malware Attack

 


The latest cyber-attack uncovered by security researchers is an information stealer that targets Apple macOS hosts and gathers a wide array of information to reach sensitive computer data. It underscores how threat actors are increasingly targeting the OS as a target. As of late 2023, malware dubbed Cthulhu Stealer was available as a malware-as-a-service (MaaS) product and was priced at $500 per month as part of a subscription-based price structure. 

As far as the architecture is concerned, it can support both x86_64 and Arm platforms. Several cybersecurity researchers have discovered a new form of macOS malware that can steal user's sensitive data in the most insidious ways. A malware called Cthulhu Stealer has been spotted that impersonates popular applications to infect users with Trojan malware that allows the malware to steal passwords for users' operating systems and the iCloud keychain, as well as cryptocurrency wallets. 

A $500/month service offering for bad actors has reportedly been available since late 2023, as part of the Cthulhu Stealer program. It is particularly effective because it can masquerade as legitimate software and thus make itself appear more appealing. A Cado Security researcher has pointed out that Cthulhu Stealer is an Apple disk image (DMG) that carries two binaries, depending on the architecture of the machine, according to Gould. 

Using Golang, the malware disguises itself as a legitimate piece of software and disguises itself as a malicious application. A few of the software programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP because the last of these is an open-source tool that can patch Adobe apps to bypass Creative Cloud service encryption and use the serial key to activate them without having to create a login account with a creator's account. 

A user who launches an unsigned file that has been explicitly allowed to be run – i.e., bypassing Gatekeeper protections – will be prompted to enter their system password when they launch it. In addition to Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer using this postscript-based approach, other software developers have adopted similar approaches. Afterwards, a second prompt will appear asking the user to enter their MetaMask password for the third time. 

This tool was also designed with the goal of harvesting system information and dumping iCloud Keychain passwords using an open-source tool called Chain Breaker which an anonymous developer developed. There are several ways the data theft takes place, including through the use of web browser cookies and information from Telegram accounts. This information is compressed and stored in a ZIP file, before being sent to a command-and-control server (C2).

It is believed that the main purpose of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from a wide range of shops and services, including game accounts, to steal information. The functionality and features of Cthulhu Stealer are very similar to that of Atomic Stealer, which implies that it was probably developed by the same person who modified Atomic Stealer. As users can see from the above paragraph, Atomic Stealer and Cthulhu both use Osascript as a password prompt. Even the spelling mistakes in the two games are identical. 

As a result, the threat actors responsible for the malware appear to have vanished, in part due to disagreements over payments, which has led to affiliates accusing the main developer of an exit scam, which has led to him being permanently banned from the cybercrime marketplace he used to advertise the malware in the first place. It is important to note that Cthulhu Stealer does not have very sophisticated anti-analysis techniques that would allow it to operate stealthily, which could be used to avoid detection. 

As well as this, it does not include any features that set it apart from similar underground offerings, apart from the fortress is one issue that affects this. Malware like Cthulhu Stealer, as well as other software threats like it, can cause far less damage when users take macOS' security features seriously, so they do not fall victim to them. 

MacOS is much less commonly targeted by malware threats than Windows or Linux, but users are advised to stay away from downloading software from sources they don't trust, stay away from installing apps that are not verified, and make sure their systems are updated with the latest security measures. 

There has been a surge in macOS malware recently and in response Apple announced this week that an update is coming to its next version of the operating system that will add more friction when trying to open software that is not signed correctly or notarized, which will help prevent future outbreaks of macOS malware.
Read more »
Privacy
Adobe AI Models Artifcial Intelligence data security Meta Microsoft Privacy

Tech Giants Face Backlash Over AI Privacy Concerns






Microsoft recently faced material backlash over its new AI tool, Recall, leading to a delayed release. Recall, introduced last month as a feature of Microsoft's new AI companion, captures screen images every few seconds to create a searchable library. This includes sensitive information like passwords and private conversations. The tool's release was postponed indefinitely after criticism from data privacy experts, including the UK's Information Commissioner's Office (ICO).

In response, Microsoft announced changes to Recall. Initially planned for a broad release on June 18, 2024, it will first be available to Windows Insider Program users. The company assured that Recall would be turned off by default and emphasised its commitment to privacy and security. Despite these assurances, Microsoft declined to comment on claims that the tool posed a security risk.

Recall was showcased during Microsoft's developer conference, with Yusuf Mehdi, Corporate Vice President, highlighting its ability to access virtually anything on a user's PC. Following its debut, the ICO vowed to investigate privacy concerns. On June 13, Microsoft announced updates to Recall, reinforcing its "commitment to responsible AI" and privacy principles.

Adobe Overhauls Terms of Service 

Adobe faced a wave of criticism after updating its terms of service, which many users interpreted as allowing the company to use their work for AI training without proper consent. Users were required to agree to a clause granting Adobe a broad licence over their content, leading to suspicions that Adobe was using this content to train generative AI models like Firefly.

Adobe officials, including President David Wadhwani and Chief Trust Officer Dana Rao, denied these claims and clarified that the terms were misinterpreted. They reassured users that their content would not be used for AI training without explicit permission, except for submissions to the Adobe Stock marketplace. The company acknowledged the need for clearer communication and has since updated its terms to explicitly state these protections.

The controversy began with Firefly's release in March 2023, when artists noticed AI-generated imagery mimicking their styles. Users like YouTuber Sasha Yanshin cancelled their Adobe subscriptions in protest. Adobe's Chief Product Officer, Scott Belsky, admitted the wording was unclear and emphasised the importance of trust and transparency.

Meta Faces Scrutiny Over AI Training Practices

Meta, the parent company of Facebook and Instagram, has also been criticised for using user data to train its AI tools. Concerns were raised when Martin Keary, Vice President of Product Design at Muse Group, revealed that Meta planned to use public content from social media for AI training.

Meta responded by assuring users that it only used public content and did not access private messages or information from users under 18. An opt-out form was introduced for EU users, but U.S. users have limited options due to the lack of national privacy laws. Meta emphasised that its latest AI model, Llama 2, was not trained on user data, but users remain concerned about their privacy.

Suspicion arose in May 2023, with users questioning Meta's security policy changes. Meta's official statement to European users clarified its practices, but the opt-out form, available under Privacy Policy settings, remains a complex process. The company can only address user requests if they demonstrate that the AI "has knowledge" of them.

The recent actions by Microsoft, Adobe, and Meta highlight the growing tensions between tech giants and their users over data privacy and AI development. As these companies navigate user concerns and regulatory scrutiny, the debate over how AI tools should handle personal data continues to intensify. The tech industry's future will heavily depend on balancing innovation with ethical considerations and user trust.


Read more »
online transactions
Adobe Breach Cyber Security E Commerce Magento online transactions

E-commerce Breach: Hackers Target Magento, Steal Payment Data

 




In a concerning development for e-commerce security, hackers have been discovered exploiting a critical flaw in the popular Magento platform, leaving numerous online stores vulnerable to data breaches. The vulnerability, identified as CVE-2024-20720 with a severity score of 9.1, was acknowledged and addressed by Adobe in security updates released on February 13, 2024.

The exploit involves injecting a persistent backdoor into e-commerce websites, allowing threat actors to execute arbitrary commands and potentially steal sensitive payment data. Security experts from Sansec revealed that attackers are utilising a cleverly crafted layout template stored in the database to automatically insert malicious code into the system.

By combining the Magento layout parser with the beberlei/assert package, hackers can execute system commands, particularly targeting the checkout cart section of affected websites. This malicious code, facilitated by the 'sed' command, enables the installation of a payment skimmer, designed to capture and transmit financial information to compromised Magento stores under the attackers' control.

This incident underlines the urgency for e-commerce businesses to promptly apply security patches provided by Magento to mitigate the risk of exploitation. Failure to do so could leave them susceptible to financial losses and reputational damage.

The exploitation of vulnerabilities within the Magento platform has become an ongoing concern within the realm of e-commerce security. Since its acquisition by Adobe in 2018 for a significant $1.68 billion, Magento has grown to power more than 150,000 online stores worldwide. However, this widespread adoption has inadvertently made it an enticing target for cybercriminals seeking to exploit weaknesses in its infrastructure. One notable example of such exploitation is the MageCart attacks, which have highlighted the persistent threat posed by outdated and unsupported versions of Magento.

Given the prevalence of these vulnerabilities, it is pivotal for online merchants to prioritise cybersecurity measures to safeguard their customers' sensitive data and uphold trust within the e-commerce ecosystem. This necessitates a proactive approach that includes regular software updates, the implementation of robust security protocols, and continuous monitoring for any suspicious activities.

Industry stakeholders are urged to collaborate closely to enhance cybersecurity resilience and protect the integrity of online transactions. By staying informed and proactive, businesses can effectively combat cyber threats and uphold the security of their e-commerce operations.



Read more »
X
Adobe Amazon Artificial Intelligence Cyberattacks CyberCrime Microsoft Technology TikTok X

Corporate Accountability: Tech Titans Address the Menace of Misleading AI in Elections

 


In a report issued on Friday, 20 leading technology companies pledged to take proactive steps to prevent deceptive uses of artificial intelligence from interfering with global elections, including Google, Meta, Microsoft, OpenAI, TikTok, X, Amazon and Adobe. 

According to a press release issued by the 20 companies participating in the event, they are committed to “developing tools to detect and address online distributions of artificial intelligence content that is intended to deceive voters.” 

The companies are also committed to educating voters about the use of artificial intelligence and providing transparency in elections around the world. It was the head of the Munich Security Conference, which announced the accord, that lauded the agreement as a critical step towards improving election integrity, increasing social resilience, and creating trustworthy technology practices that would help advance the advancement of election integrity. 

It is expected that in 2024, over 4 billion people will be eligible to cast ballots in over 40 different countries. A growing number of experts are saying that easy-to-use generative AI tools could potentially be used by bad actors in those campaigns to sway votes and influence those elections. 

From simple text prompts, users can generate images, videos, and audio using tools that use generative artificial intelligence (AI). It can be said that some of these services do not have the necessary security measures in place to prevent users from creating content that suggests politicians or celebrities say things they have never said or do things they have never done. 

In a tech industry "agreement" intended to reduce voter deception regarding candidates, election officials, and the voting process, the technology industry aims at AI-generated images, video, and audio. It is important to note, however, that it does not call for an outright ban on such content in its entirety. 

It should be noted that while the agreement is intended to show unity among platforms with billions of users, it mostly outlines efforts that are already being implemented, such as those designed to identify and label artificial intelligence-generated content already in the pipeline. 

Especially in the upcoming election year, which is going to see millions of people head to the polls in countries all around the world, there is growing concern about how artificial intelligence software could mislead voters and maliciously misrepresent candidates. 

AI appears to have already impersonated President Biden in New Hampshire's January primary attempting to discourage Democrats from voting in the primary as well as purportedly showing a leading candidate claiming to have rigged the election in Slovakia last September by using obvious AI-generated audio. 

The agreement, endorsed by a consortium of 20 corporations, encompasses entities involved in the creation and dissemination of AI-generated content, such as OpenAI, Anthropic, and Adobe, among others. Notably, Eleven Labs, whose voice replication technology is suspected to have been utilized in fabricating the false Biden audio, is among the signatories. 

Social media platforms including Meta, TikTok, and X, formerly known as Twitter, have also joined the accord. Nick Clegg, Meta's President of Global Affairs, emphasized the imperative for collective action within the industry, citing the pervasive threat posed by AI. 

The accord delineates a comprehensive set of principles aimed at combating deceptive election-related content, advocating for transparent disclosure of origins and heightened public awareness. Specifically addressing AI-generated audio, video, and imagery, the accord targets content falsifying the appearance, voice, or conduct of political figures, as well as disseminating misinformation about electoral processes. 

Acknowledged as a pivotal stride in fortifying digital communities against detrimental AI content, the accord underscores a collaborative effort complementing individual corporate initiatives. As per the "Tech Accord to Combat Deceptive Use of AI in 2024 Elections," signatories commit to developing and deploying technologies to mitigate risks associated with deceptive AI election content, including the potential utilization of open-source solutions where applicable.

 Notably, Adobe, Amazon, Arm, Google, IBM, and Microsoft, alongside others, have lent their support to the accord, as confirmed in the latest statement.
Read more »
virus
Adobe ColdFusion Cyber Attacks CyberCrime Cybersecurity Ransomware Software virus

ColdFusion's Close Call: A Peek into the Anatomy of a Failed Ransomware Strike

 


Several threat actors have recently used outdated Adobe software to exploit systems and deploy ransomware payloads, highlighting the ever-evolving tactics that they use to attack networks and deploy the ransomware payloads. It has been discovered that the attack took place during September and early October and was aimed at gaining access to Windows servers and releasing ransomware. However, it was a valuable learning experience, which served as a valuable learning opportunity despite the failure of the attack. 

In order to uncover the attack, Sophos researchers examined the threat actor's approach to the attack. The researchers discovered that the attacker intended to use leaked source code from the LockBit 3.0 ransomware family of a malware family known for its fast and effective execution. 

Other campaigns have also repurposed different ransomware variants in order to create new variants of the virus. Threat actors have always been interested in the servers as they are undoubtedly one of the most effective ways of attacking an organization, as they are one of the more efficient paths to penetrate it. 

Generally, server-related accounts have the highest privilege levels in the network, making it easy for their administrators to easily move from one machine to another in the network. There are a variety of threats being delivered to servers that have been observed by Sophos X-Ops, and the most common payloads are the Cobalt Strike Beacons, ransomware, fileless PowerShell backdoors, miners, and webshells, among others.  

Several efforts were made by an unknown actor in September and into the first half of October to exploit vulnerabilities in outdated, unsupported versions of Adobe’s ColdFusion Server software so that they could gain access to the Windows servers on which they were running, and eventually pivot to the exploitation of ransomware infections. 

Although no one of these attacks was successful, the telemetry that they provided allowed us to find out who was responsible, and to retrieve the payloads that were being deployed as part of those attacks. The researchers at Sophos who uncovered the attack found that the threat actor was attempting to deploy ransomware derived from a family of ransomware known as LockBit 3.0 that was created with the leaked source code. 

In other campaigns, Sophos researchers also noticed that a similar pattern was occurring. The attackers are likely to have chosen LockBit 3.0 ransomware as the most effective family and the fastest. A typical approach these threat actors take is aiming for holes in unpatched versions of software, and that is exactly what they did in this case. Rather than implementing new techniques, the attacker used old and unsupported ColdFusion version 11 software to target.

The Adobe ColdFusion service announced last week that three critical vulnerabilities had been discovered. First of all, on July 11, it announced patches for CVE-2023-29300, a deserialization issue that could result in arbitrary code execution, as well as CVE-2023-20298, an improper access control issue that could lead to a security feature bypass. 

On July 14, the company also released patches to fix another deserialization vulnerability, CVE-2023-38203, which may result in executing arbitrary code. Adobe made a mistake in sending notification emails to some customers in which it claimed it was aware of attacks targeting CVE-2023-29300.

However, no evidence has been presented that this flaw has been actually exploited.  Rapid7, a cybersecurity firm that has been following the CVE-2023-29298 and CVE-2023-38203 vulnerabilities that were patched last week, reported on Monday that none of them seem to have been exploited in the wild yet. 

As Accel7 discovered in its analysis, CVE-2023-38203 has been chained with another vulnerability, likely CVE-2023-38203, which is demonstrated in attacks observed by the firm that were undertaken by attackers who used PowerShell commands to create webshells that gave them access to the targeted system. 

A blog post detailing the findings of CVE-2023-38203 was published by researchers at ProjectDiscovery on July 12, just before Adobe announced its patch to address the issue. Rapid7 believes ProjectDiscovery initially thought that by posting the blog post, they were actually disclosing CVE-2023-29300, which had already been fixed by Adobe, but in fact, their blog post was in fact about CVE-2023-38203, which the vendor was still yet to issue a patch for. 

As it turned out, Adobe announced patches on July 14 as part of its announcement of patches for CVE-2023-38203, and it clarified that the company was making available a proof-of-concept (PoC) blog post to explain the security hole.  

The other important factor is investing in robust endpoint detection and response (EDR) systems, which can detect and prevent ransomware attacks. Effective EDR systems can prevent ransomware attacks from occurring. Using software that is supported by the organization, regularly updating the system, and leveraging security controls that can detect and mitigate evolving threats are important for organizations. 

Particularly, endpoint behavioural detection software can be effective in detecting suspicious activities on an endpoint as well as guarding against ransomware attacks by detecting suspicious activities. The recent failed hack on ColdFusion servers sheds great light on the evolving landscape of ransomware attacks and sheds new light on how ransomware attacks will evolve in the future.

Throughout the course of the year, threat actors continue to increase their tactics and find new vulnerabilities to exploit. There are however several ways in which organizations can effectively protect themselves from cyber threats. They can maintain a fully up-to-date software strategy, implement robust security controls, and use sophisticated endpoint monitoring and response systems. 

When it comes to mitigating the risks associated with ransomware, it is crucial to stay proactive and vigilant at all times. It was reported on March 12, 2023, that the U.S. National Security Agency (NSA) has added to its known exploited vulnerabilities list an Adobe ColdFusion vulnerability with a CVSS score of 8.6 which has been tracked as CVE-2023-26360, which is tracked as the CVE-2023-22132 in the Adobe ColdFusion patched by the vendor. 

A serious flaw in this software lies in the way it handles access control, which could allow a remote attacker to execute any code he chooses. As a result of this vulnerability, an arbitrary file system read could also occur, along with a memory leak.
Read more »
Windows
Adobe Adobe Acrobat macOS Software Security Vulnerabilties and Exploits Windows

Adobe Patches 30 Acrobat, Reader Vulnerabilities

Adobe

Adobe has recently released a large batch of security updates for its flagship Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and MacOS installations. In this blog post, we’ll take a closer look at the details of these updates and what they mean for users.

The Details

On Tuesday, Adobe released a critical-level advisory listing the 30 security flaws that were patched in this update. The company cautioned that successful exploitation of these vulnerabilities could result in application denial-of-service attacks, arbitrary code execution, memory leaks, and feature bypasses. Among the affected programs are Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.

The majority of the bugs were memory safety issues, according to Adobe. The company also claimed to be unaware of any public exploits of these vulnerabilities. In addition to these patches, Adobe also released a separate critical update addressing three security flaws.

What This Means for Users

For users of Adobe’s Acrobat and Reader software, this update is an important one to install. The vulnerabilities that have been patched could potentially allow attackers to execute arbitrary code on a user’s system or cause application denial-of-service attacks. By installing the updates, users can protect themselves from these potential threats.

It’s always important to keep software up-to-date with the latest security patches to ensure that your system is protected from known vulnerabilities. This is especially true for widely-used software like Adobe’s Acrobat and Reader programs.

What next?

Adobe’s recent release of security updates for its Acrobat and Reader software is an important step in protecting users from potential threats. By patching at least 30 vulnerabilities affecting Windows and MacOS installations, Adobe has taken proactive measures to ensure the safety and security of its users. As always, it’s important for users to install these updates as soon as possible to protect themselves from potential exploits.

Read more »
Vulnerabilities and Exploits
Adobe Apple Cisco Security CVE vulnerability Microsoft Vulnerabilities and Exploits

50% of KEV Catalog Were Big Corporations

According to Grey Noise, almost 50% of the upgrades to the KEV catalog in 2022 were due to actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products. The KEV catalog's earlier vulnerabilities from before 2022 made up 77% of the updates. 

In the initial year of the catalog's existence, CISA identified over 850 vulnerabilities, excluding   300 vulnerabilities reported in November and December 2021. As per CSW's Decoding of the CISA KEV study, "the fact they are a part of CISA KEV is rather significant as it suggests that many businesses are still using these outdated systems and therefore are ideal targets for attackers."

Based on a study by a team from Cyber Security Works, a handful of the vulnerabilities in the KEV catalog come from devices that have already reached End-of-Life (EOL) and End-of-Service-Life (EOSL). Despite the fact that Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog identifies 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

The catalog has evolved into the official source for information on vulnerabilities by attackers, even though it was initially designed for vital infrastructure and public service firms. It is crucial since, by 2022, the National Vulnerability Database assigned Common Vulnerabilities and Exposures (CVE) identifiers to over 12,000 vulnerabilities.  Corporate teams can establish customized priority lists using the catalog's curated list of CVEs that are currently being attacked. 

In reality, CSW discovered there was a slight delay between the time a CVE Numbering Authority (CNA) like Mozilla or MITRE issued a CVE to a flaw and the time the vulnerability was posted to the NVD. For instance, the BitPaymer ransomware took advantage of a vulnerability in Apple WebKitGTK (CVE-2019-8720), which Red Hat assigned a CVE for in October 2019 but was added to the KEV catalog in March. As of the beginning of November, it has not been included in the NVD.  

According to CSW, 22% of the vulnerabilities in the catalog are privileging execution issues while 36% of the vulnerabilities are remote code execution problems. Whenever a vulnerability is actively being exploited, has a CVE assigned to it, and is supported by clear mitigation instructions, does CISA update the KEV catalog. 


Read more »
Zoom
Ad Blocking Adobe Google Ads GPU malware Phishing Attacks Racoon Stealer Zoom

Cybercriminals Use Google Ads to Deploy Malware

 

Hackers are utilizing the Google Ads service more consistently than ever before to transmit malware. As soon as the victims click the download link on the threat actors' fake versions of the official websites, trojanized software is distributed. 

Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, Torrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave are some of the companies impersonated in these operations.

Raccoon Stealer, a modified variant of Vidar Stealer, and the IcedID loader are two examples of malware propagating to victims' systems. As a result, anyone looking for reliable software on a site with no active ad blocker will see commercials first and be more inclined to click on them because they closely resemble the search result.

Threat actors use a method in that phase to get beyond Google's automatic checks. If Google determines that the launch site is malicious, the operation is blocked and the advertisements are withdrawn. The trick, according to Guardio and Trend Micro, is to send users who click on the advertisement to a malicious site imitating the software project from a relevant but innocuous site made by the threat actor.

Vermux, a threat group, was discovered employing a significant number of masquerAds websites and domains, mainly operating out of Russia, to target GPUs and cryptocurrency wallets owned by Americans.

According to the researchers, in October they came across a malvertising operation where hackers, identified as DEV-0569, utilized Google Ads to send consumers to a malicious file download page. Microsoft claimed that it informed Google about the traffic distribution network abuse.

As per Microsoft, the techniques enable the group to reach more people and increase the number of victims. From August through October, Microsoft observed the threat actor distributing the BATLOADER malware using phishing emails that seemed to be genuine installers for various programs, including TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. 

Use the necessary safety protocols such as an ad-blocker on your browser to block these campaigns by prohibiting Google Search sponsored results from appearing. Users should scroll down until they find the desired software project's official domain. Furthermore, a suspicious installer's unusually large file size is a red flag.  
Read more »
Subscribe to: Posts (Atom)