Experts Alert Linear eMerge E3 Systems to a Serious Unpatched Vulnerability

An unpatched flaw in Nice Linear eMerge E3 access controller systems could enable the execution of arbitrary operating system (OS) commands, according to security researchers.

According to VulnCheck, the vulnerability, which has been given the CVE identifier CVE-2024-9441, has a CVSS score of 9.8 out of a possible 10.0.

“A vulnerability in the Nortek Linear eMerge E3 allows remote unauthenticated attackers to cause the device to execute arbitrary commands,” SSD Disclosure said in an advisory for the flaw released late last month, stating the vendor has yet to provide a fix or a workaround.

The following Nortek Linear eMerge E3 Access Control versions are affected by the defect: 0.32-03i, 0.32-04m, 0.32-05p, 0.32-05z, 0.32-07p, 0.32-07e, 0.32-08e, 0.32-08f, 0.32-09c, 1.00.05, and 1.00.07.

Proof-of-concept (PoC) exploits for the vulnerability have been published since its disclosure, raising concerns that threat actors may take advantage of it.

Notably, a threat actor tracked as Flax Typhoon exploited another critical E3 vulnerability, CVE-2019-7256 (CVSS score: 10.0), to enlist vulnerable devices into the since-dismantled Raptor Train botnet.

Although that issue was first disclosed in May 2019, the vendor did not fix it until March of this year.

“But given the vendor’s slow response to the previous CVE-2019-7256, we don’t expect a patch for CVE-2024-9441 any time soon,” VulnCheck’s Jacob Baines said. “Organizations using the Linear Emerge E3 series should act quickly to take these devices offline or isolate them.”

According to a statement provided to SSD Disclosure, Nice advises users to adhere to security best practices, which include limiting internet access to the product, implementing network segmentation, and setting it up behind a network firewall.

Microsoft and the US Take Control of 107 Russian Domains in a Large-Scale Cyberfraud Raid

On Thursday, Microsoft and the US Department of Justice (DoJ) announced the seizure of 107 domains used by Russian state-sponsored threat actors to carry out computer fraud and abuse in the United States.

“The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” stated Lisa Monaco, Deputy Attorney General.

Threat actor COLDRIVER, also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (sometimes spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, has been linked to the activity.

The group has been operational since at least 2012 and is considered to be part of Center 18 of the Russian Federal Security Service (FSB).

Two group members, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, were sanctioned by the US and UK governments in December 2023 for their spear-phishing and malicious credential harvesting activities. The same two people were then subject to sanctions by the European Council in June 2024.

According to the Department of Justice, the threat actors used the 41 domains it seized to “commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer.”

The domains are purportedly part of a spear-phishing campaign that targets the email accounts of the federal government of the United States and other victims in an attempt to obtain credentials and important information.

In addition, Microsoft announced that it had filed a corresponding civil action to take control of 66 more internet domains that COLDRIVER had been using to target more than 30 civil society organizations and entities between January 2023 and August 2024.

This includes think tanks and NGOs that assist government workers, military personnel, and intelligence officials, especially those who aid Ukraine and other NATO nations like the U.K. and the U.S. Access Now and the Citizen Lab previously documented COLDRIVER’s targeting of NGOs in August 2024.

New Zealand Women vs. India Women: A Growing Rivalry in Women’s Cricket

Over the past ten years, women’s cricket has experienced tremendous growth in terms of popularity and skill. The match between the Indian women’s cricket team and the New Zealand women’s team has been one of the most thrilling in recent memory. Fans are treated to exciting matches that highlight the advancement of women’s cricket on the global scene each time these two teams play.

Historical Context

India and New Zealand have historically been strong rivals in women’s cricket. Both sides have a long history of turning out elite players and have participated in prestigious competitions such as the T20 World Cup and the ICC Women’s World Cup. New Zealand has always been one of the stronger teams, especially in the early years of women’s international cricket, while India has risen more recently thanks to increased investment in women’s cricket.

In the past, New Zealand typically prevailed over India in their encounters, but recently the tide has started to turn. India’s younger players, including Shafali Verma and Smriti Mandhana, have given the team new life and made it a greater threat on the international scene.

Memorable Matches

Some of the recent clashes between these two sides have been high-octane affairs, particularly in the limited-overs formats.

1. 2017 ICC Women’s World Cup

In one of the pivotal matches of the 2017 Women’s World Cup, India faced New Zealand in a virtual knockout game. India, led by a masterclass century from Mithali Raj, posted a competitive total. New Zealand, in reply, crumbled under pressure, with India winning the match comprehensively. This win propelled India to the semi-finals and highlighted the growing strength of Indian women’s cricket.

2. 2022 Women’s Cricket World Cup

In a closely fought encounter during the 2022 ICC Women’s Cricket World Cup, New Zealand emerged victorious against India by 62 runs. New Zealand’s Amelia Kerr played a stellar all-round game, scoring 50 runs and taking crucial wickets to break India’s back. India struggled to chase the total, with their batters failing to build substantial partnerships. The match was a reminder of New Zealand’s tenacity and ability to perform in pressure situations.

Key Players to Watch

1. Sophie Devine (New Zealand)

A powerful hitter and exceptional leader, Sophie Devine has been one of the pillars of New Zealand women’s cricket. Known for her aggressive batting style, Devine is a match-winner on her day and can change the course of a game with both bat and ball.

2. Amelia Kerr (New Zealand)

Amelia Kerr is a rising star in world cricket. At a young age, she’s already made a name for herself with her all-round performances. Her leg-spin and solid batting make her a key player in New Zealand’s lineup.

3. Smriti Mandhana (India)

Smriti Mandhana has been the face of Indian women’s cricket for several years now. Her ability to dominate bowling attacks with elegant stroke play and her consistency at the top of the order make her a vital part of India’s lineup.

4. Harmanpreet Kaur (India)

Known for her explosive batting and remarkable leadership, Harmanpreet Kaur is a player who thrives under pressure. Her century in the 2017 World Cup semi-final is still regarded as one of the greatest innings in women’s cricket history.

The Rivalry Today

As women’s cricket continues to evolve, so does the rivalry between New Zealand and India. The two teams now stand shoulder-to-shoulder in terms of talent and performance. Both teams have their eyes on major ICC tournaments, and each encounter between them is seen as a potential preview of key matchups in the knockout stages of global events.

Off the field, the visibility of women’s cricket has grown, and matchups like New Zealand vs. India are crucial in driving the sport’s popularity. With players like Sophie Devine, Amelia Kerr, Smriti Mandhana, and Harmanpreet Kaur leading their respective teams, the competition between these two nations is fiercer than ever.

Conclusion

The rivalry between the India and New Zealand women’s teams is becoming more and more exciting. Given the talent on both sides, cricket fans everywhere can expect exciting cricket whenever these teams meet. Matches like these will be crucial to the future of women’s cricket as the sport continues to grow internationally and inspire the next generation of players and fans.

Watch this space for more fireworks as these two teams continue their global rivalry!

Mozilla is facing a privacy complaint for using Firefox to enable tracking without getting user consent.

The Austrian data protection authority (DPA) has received a complaint from Vienna-based privacy non-profit noyb, short for None Of Your Business, against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without specifically requesting users’ consent.

“Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites,” said noyb. “Basically, the tracking is now managed by the browser instead of specific websites.”

Additionally, noyb criticized Mozilla for allegedly adopting Google’s strategy by “secretly” turning on the feature by default without alerting users to it.

PPA is similar to Google’s Privacy Sandbox project in Chrome and is now enabled as an experimental feature in Firefox version 128.

Google has since abandoned its plan to retire third-party cookies; the program aimed to replace third-party tracking cookies with a set of advertising APIs integrated into the web browser that let advertisers learn about users’ interests and display relevant ads.

In other words, the browser acts as an intermediary, holding data about the categories into which a user may be placed according to their browsing habits.

According to Mozilla, PPA is a “non-invasive alternative to cross-site tracking,” allowing websites to “understand how their ads perform without collecting data about individual people.”

Additionally, it is comparable to Apple’s Privacy Preserving Ad Click Attribution, which permits online marketers to gauge the success of their campaigns without jeopardizing user privacy.

PPA works as follows: ad-serving websites can ask Firefox to remember their ads in the form of an impression, which records information about the ad itself, including the destination website.

Definition of a network packet: What is a packet?

What is a packet?

A network is a group of two or more connected computers. The Internet is a network of networks: multiple networks around the world that are all interconnected with each other.

In networking, a packet is a small segment of a larger message. Data sent over computer networks such as the Internet is divided into packets, which the receiving computer or device then reassembles.

Let’s say Alice is writing Bob a letter, but Bob can only fit envelopes the size of a small index card through his mail slot. Alice breaks up her message into much smaller chunks, each just a few words long, and writes these portions out on index cards rather than putting it on regular paper and then attempting to fit it through the postal slot. Bob receives the stack of cards from her, and he arranges them so he can read the entire message.

Why use packets?

In theory, it would be feasible to transfer files and data across the Internet without breaking them into discrete packets: one computer could send another a long, uninterrupted stream of bits (the discrete units of information, transmitted as electrical pulses, that computers understand).

However, once more than two computers are involved, this strategy quickly becomes unfeasible. No third computer could use the same links to send data while the long stream of bits travelled between the two computers; it would have to wait its turn.

The Internet instead operates as a “packet switching” network. Packet switching refers to the ability of networking hardware to process packets independently of one another. It also means that packets can travel over several different network paths to the same destination, as long as they all arrive. (In some protocols, packets must still be put back into the correct sequence at the destination even if each one took a different route.)

Packets from different computers can flow across the same lines in virtually any order thanks to packet switching. This makes it possible for several connections to occur simultaneously over the same networking equipment.
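The packetization, interleaving and reassembly described above, as an added Python example that is not part of the original page. The 8-byte header layout (message id, sequence number, total count, payload length, all big-endian 16-bit fields), the tiny 8-byte payload limit and the two sample messages are assumptions chosen for illustration. It goes slightly beyond the text in one respect a practitioner cares about: the receiver validates the header against the payload, tolerates a harmless retransmission, and refuses a duplicate sequence number whose contents differ, which is the shape of classic overlapping-fragment attacks.

```python
"""Packetization, packet switching and reassembly (added example, not from the page)."""
import random
import struct
from typing import Dict, List, Optional, Tuple

HEADER = struct.Struct("!HHHH")  # msg_id, seq, total, payload length (uint16, network byte order)
MTU = 8                          # deliberately tiny payload limit, like an index card (assumed)


def packetize(msg_id: int, data: bytes, mtu: int = MTU) -> List[bytes]:
    """Split data into numbered packets, each carrying at most `mtu` payload bytes."""
    chunks = [data[i:i + mtu] for i in range(0, len(data), mtu)] or [b""]
    if len(chunks) > 0xFFFF:
        raise ValueError("message too long for a 16-bit sequence space")
    return [HEADER.pack(msg_id, seq, len(chunks), len(c)) + c for seq, c in enumerate(chunks)]


def parse(packet: bytes) -> Tuple[int, int, int, bytes]:
    """Decode one packet, rejecting anything whose header and payload disagree."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated header")
    msg_id, seq, total, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    if seq >= total:
        raise ValueError("sequence number outside declared total")
    return msg_id, seq, total, payload


class Reassembler:
    """Buffers packets per message; releases a message once every sequence number is present."""

    def __init__(self) -> None:
        self._pending: Dict[int, dict] = {}
        self._done: set = set()

    def feed(self, packet: bytes) -> Optional[bytes]:
        msg_id, seq, total, payload = parse(packet)
        if msg_id in self._done:
            return None  # late duplicate of an already delivered message
        entry = self._pending.setdefault(msg_id, {"total": total, "parts": {}})
        if entry["total"] != total:
            raise ValueError("packets of one message disagree about its size")
        if seq in entry["parts"]:
            if entry["parts"][seq] != payload:
                # Same sequence number, different bytes: refuse rather than silently pick one.
                raise ValueError("conflicting duplicate packet")
            return None  # harmless retransmission
        entry["parts"][seq] = payload
        if len(entry["parts"]) == total:
            del self._pending[msg_id]
            self._done.add(msg_id)
            return b"".join(entry["parts"][i] for i in range(total))
        return None


def transmit(messages: Dict[int, bytes], seed: int = 7) -> Dict[int, bytes]:
    """Simulate packet switching: every sender's packets share one link in arbitrary order."""
    rng = random.Random(seed)
    wire = [p for mid, data in messages.items() for p in packetize(mid, data)]
    wire.append(wire[0])  # one packet retransmitted, as a lossy link would cause
    rng.shuffle(wire)     # packets from both senders interleave and arrive out of order
    receiver = Reassembler()
    delivered: Dict[int, bytes] = {}
    for packet in wire:
        message = receiver.feed(packet)
        if message is not None:
            delivered[parse(packet)[0]] = message
    return delivered


if __name__ == "__main__":
    # Constructed sample messages: Alice and Carol both write to Bob over the same link.
    print(transmit({1: b"Alice -> Bob: meet at the usual place at nine.",
                    2: b"Carol -> Bob: the report is attached."}))
```

`transmit` returns the messages keyed by id exactly as they were sent, although their packets crossed the simulated link shuffled together; real IP reassembly additionally bounds how long partial messages are held so an attacker cannot exhaust the receiver's memory with never-completed fragments.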

Honeypots: Turning the Tables on Hackers

In the cat-and-mouse game of cybersecurity, defenders are constantly seeking innovative ways to outmaneuver malicious actors. One such ingenious tool in the cybersecurity arsenal is the honeypot—a deceptive trap designed to lure hackers into revealing their tactics, techniques, and intentions. While the concept of a honeypot might sound like something out of a spy thriller, its real-world applications are both fascinating and crucial in the ongoing battle against cyber threats.

Unveiling the Honeypot

Imagine a virtual trap, meticulously crafted to mimic a legitimate system or network component. This could be a fake server, a dummy database, or even an entire network segment designed to attract the attention of cybercriminals. The allure lies in the seeming vulnerability of the honeypot, enticing hackers to exploit it.

How Honeypots Work

Honeypots are intentionally designed with vulnerabilities or enticing data that would attract an attacker. They are placed strategically within a network or system, often in locations where real assets are located. Once a hacker takes the bait and interacts with the honeypot, its purpose is twofold:

  1. Gathering Threat Intelligence: Every action taken by the attacker within the honeypot is meticulously logged and analyzed. This includes attempted exploits, malware samples, command inputs, and even lateral movement within the decoy environment. By observing these activities, cybersecurity professionals gain valuable insights into the tools and tactics used by hackers.
  2. Diverting Attention: Honeypots serve as a distraction, diverting the attention of attackers away from critical assets. While hackers are occupied with the decoy system, defenders have the opportunity to fortify real systems, update defenses, and prepare countermeasures.
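A minimal low-interaction honeypot that implements the logging step above, written for this page as an added example rather than code from the original article. It presents a fake OpenSSH banner on a TCP port, records the first bytes each client sends (an SSH client announces its own version string first), and emits a JSON alert. Because a honeypot has no legitimate users, every connection is a signal; the one benign source the example expects is an internal vulnerability scanner, whose address, the port and the banner string are assumptions.

```python
"""Low-interaction SSH-banner honeypot (added example, not code from the page)."""
import json
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, List

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"  # decoy banner (assumed)
SCANNER_ALLOWLIST = {"10.0.0.5"}                             # assumed internal scanner address
ALERTS: List[Dict] = []                                      # in-memory log for the demo


def classify(src_ip: str, first_bytes: bytes) -> Dict:
    """Turn one interaction into an alert record. Pure, so it can be tested without sockets."""
    # An SSH client sends "SSH-2.0-<software>\r\n" as its very first message.
    client = first_bytes.split(b"\n", 1)[0].strip().decode("latin-1", "replace")[:128]
    if src_ip in SCANNER_ALLOWLIST:
        severity, reason = "info", "allowlisted internal scanner"
    elif client.startswith("SSH-"):
        severity, reason = "high", "ssh client handshake against decoy (likely brute force or recon)"
    elif client == "":
        severity, reason = "low", "connect-and-close (port scan)"
    else:
        severity, reason = "medium", "non-ssh data sent to ssh decoy"
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sensor": "ssh-decoy",
        "src_ip": src_ip,
        "client_banner": client,
        "severity": severity,
        "reason": reason,
    }


def handle(conn: socket.socket, src_ip: str) -> Dict:
    """Serve one connection: send the banner, read at most 256 bytes, close, alert."""
    data = b""
    try:
        conn.settimeout(5)          # a slow client must not tie up the sensor
        conn.sendall(FAKE_BANNER)
        data = conn.recv(256)
    except OSError:                 # socket.timeout is an OSError subclass
        pass
    finally:
        conn.close()
    alert = classify(src_ip, data)
    ALERTS.append(alert)
    print(json.dumps(alert))        # in production, ship this to the SIEM instead
    return alert


def serve(bind: str = "0.0.0.0", port: int = 2222) -> None:
    """Listen forever, one thread per client. Port 2222 is an assumption for the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer[0]), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The decoy never authenticates anyone and never executes anything the client sends, which is what keeps it low-interaction: the only data it retains is the client's banner, the source address and a timestamp, so a compromised honeypot cannot become a foothold.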

Types of Honeypots

Honeypots come in various forms, each with its unique characteristics and applications:

  1. Research Honeypots: These are designed primarily for gathering threat intelligence. They are often low-interaction, meaning they simulate only basic services (a login banner, a fake web form) so attacker behavior can be observed without exposing a system an attacker could fully compromise.
  2. Production Honeypots: Unlike research honeypots, production honeypots are deployed within a live environment alongside real assets. They mimic the behavior and apparent weaknesses of legitimate systems and serve both as a diversion and as a high-fidelity detection source: no legitimate user ever touches them, so any interaction is an alert that can feed blocking controls.
  3. High-Interaction Honeypots: These are real or fully functional systems rather than simulations. They allow attackers to interact deeply with the environment, providing a wealth of information to defenders. They also carry more risk: an attacker who fully compromises one can use it as a pivot against other hosts unless it is tightly contained, and sophisticated attackers may detect its true nature.

Advantages of Honeypots

  • Early Threat Detection: Honeypots can detect threats at the reconnaissance stage, long before an attacker reaches critical systems.
  • Understanding Attack Techniques: By analyzing hacker interactions, cybersecurity professionals gain insights into new and emerging attack methods.
  • Enhanced Incident Response: Real-time alerts from honeypots allow for swift incident response, minimizing potential damage.
  • Legal and Ethical: Because honeypots are traps deployed on one’s own network and only capture attackers’ interactions with them, their use generally falls within legal and ethical boundaries, although the logging and retention of captured data still have to comply with applicable privacy law.

Challenges and Considerations

While honeypots are powerful tools, their deployment requires careful planning and consideration:

  • Resource Intensive: Honeypots require dedicated resources for maintenance, monitoring, and analysis.
  • False Positives: Interactions with honeypots might sometimes be triggered by legitimate activities, requiring skilled analysts to differentiate between real threats and benign events.
  • Deception Maintenance: To remain effective, honeypots must stay updated to mimic current systems accurately.

Conclusion: Turning the Tables

In the ever-evolving landscape of cybersecurity, defenders are tasked with staying one step ahead of cyber threats. Honeypots offer a proactive and strategic approach, allowing organizations to gain valuable insights into the minds of attackers while bolstering their defenses.

By turning the tables on hackers and enticing them into carefully crafted traps, cybersecurity professionals gather invaluable intelligence, fortify critical systems, and create a formidable line of defense against even the most sophisticated adversaries.

In the intricate dance between defenders and attackers, honeypots stand as a testament to human ingenuity and the relentless pursuit of cybersecurity excellence. As organizations continue to embrace these deceptive tools, the balance of power in the cyber realm shifts, with defenders gaining a crucial edge in the ongoing battle for digital security.

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.

The agency attributed the campaign to a threat actor it calls UAC-0027.

DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware’s ability to propagate in a worm-like fashion by taking advantage of known security flaws.

The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.

The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organizations keep their systems up-to-date, enforce network segmentation, and monitor network traffic for any anomalous activity.

The disclosure comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the goal of delivering a bespoke PowerShell backdoor dubbed SUBTLE-PAWS.

“The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive),” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder. Active since at least 2013, it’s assessed to be part of Russia’s Federal Security Service (FSB).

SUBTLE-PAWS, in addition to setting up persistence on the host, uses Telegram’s blogging platform called Telegraph to retrieve the command-and-control (C2) information, a technique previously identified as associated with the adversary since early 2023, and can propagate through removable attached drives.
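Detection logic for the chain described above, added here as an example that is not from Securonix or the original page. Two rules follow the page's description: a .lnk opened from the desktop shell launches a PowerShell payload, and the backdoor looks up Telegraph (the telegra.ph domain) to obtain its C2 address. Hits are correlated per process so a single process that does both is rated higher than either alone. Field names follow Sysmon's event schema (EventID 1 process creation, EventID 22 DNS query); the sample events are constructed, not real telemetry, and the evasion-flag pattern is this example's own heuristic.

```python
"""Detecting the STEADY#URSA .lnk -> PowerShell -> Telegraph chain (added example, not from the page)."""
import re
from collections import defaultdict
from typing import Dict, List

# Evasion flags typical of LNK-launched PowerShell loaders (heuristic, not a complete list).
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-e(nc(odedcommand)?)?\s|\biex\b|invoke-expression)"
)
TELEGRAPH_DOMAINS = {"telegra.ph"}  # Telegraph's public domain


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powershell(image: str) -> bool:
    return _basename(image) in {"powershell.exe", "pwsh.exe"}


def rule_lnk_powershell(ev: Dict) -> bool:
    """EventID 1: PowerShell started by explorer.exe (what a double-clicked .lnk produces) with evasion flags."""
    return (
        ev.get("EventID") == 1
        and is_powershell(ev.get("Image", ""))
        and _basename(ev.get("ParentImage", "")) == "explorer.exe"
        and SUSPICIOUS_FLAGS.search(ev.get("CommandLine", "")) is not None
    )


def rule_telegraph_lookup(ev: Dict) -> bool:
    """EventID 22: PowerShell resolving Telegraph, where the backdoor fetches its C2 address."""
    name = ev.get("QueryName", "").lower().rstrip(".")
    return (
        ev.get("EventID") == 22
        and is_powershell(ev.get("Image", ""))
        and (name in TELEGRAPH_DOMAINS or any(name.endswith("." + d) for d in TELEGRAPH_DOMAINS))
    )


def analyze(events: List[Dict]) -> List[Dict]:
    """Run both rules and correlate by ProcessGuid; both rules firing on one process rates high."""
    hits: Dict[str, set] = defaultdict(set)
    for ev in events:
        guid = ev.get("ProcessGuid", "?")
        if rule_lnk_powershell(ev):
            hits[guid].add("lnk_powershell_loader")
        if rule_telegraph_lookup(ev):
            hits[guid].add("telegraph_c2_lookup")
    return sorted(
        ({"ProcessGuid": g, "rules": sorted(r), "severity": "high" if len(r) == 2 else "medium"}
         for g, r in hits.items()),
        key=lambda a: a["ProcessGuid"],
    )


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # victim double-clicks the .lnk; explorer starts hidden PowerShell that sources the payload from a file beside it
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "iex (gc .\readme.txt -raw)"'},
    # the same process resolves Telegraph to obtain its C2 address
    {"EventID": 22, "ProcessGuid": "{A1}", "Image": PS, "QueryName": "telegra.ph"},
    # an administrator running a script from Explorer with no evasion flags: must not alert
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": 22, "ProcessGuid": "{B2}", "Image": PS, "QueryName": "www.microsoft.com"},
    # PowerShell launched some other way that only talks to Telegraph: worth a medium alert on its own
    {"EventID": 22, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "QueryName": "telegra.ph"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events, process {A1} trips both rules and is rated high, {C3} trips only the Telegraph lookup and is rated medium, and the administrator's script in {B2} produces nothing. The Telegraph rule is the more durable of the two, since a legitimate reason for PowerShell to resolve telegra.ph is rare in most enterprises, while the flag heuristic should be tuned against a baseline of the organization's own scripts.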

RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

Mexican financial institutions are being targeted by a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

The attacks appear to be aimed specifically at large companies with annual revenues above $100 million. Retail, agriculture, the public sector, manufacturing, transportation, commercial services, capital goods, and banking are among the industries targeted.

The infection chain begins with the delivery of a ZIP file through phishing or drive-by compromise. The archive contains an MSI installer that launches a .NET downloader; the downloader verifies that the victim is located in Mexico and then retrieves the modified AllaKore RAT, a Delphi-based RAT first observed in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry stated.

The threat actor has added new features to the malware, such as support for banking fraud-related commands, targeting cryptocurrency trading platforms and banks in Mexico, initiating a reverse shell, extracting content from the clipboard, and fetching and executing additional payloads.

The campaign’s use of Mexican Starlink IP addresses and the Spanish-language instructions added to the modified RAT payload point to a threat actor based in Latin America. Moreover, the lures are only relevant to businesses large enough to report directly to the Mexican Social Security Institute (IMSS).

“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the business stated. “This activity has continued for over two years, and shows no signs of stopping.”

The findings coincide with IOActive’s disclosure of three vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) in Lamassu Douro bitcoin ATMs that could allow an attacker with physical access to take complete control of the machines and steal user data.

The attacks abuse the ATM’s software update mechanism and its ability to scan QR codes: an attacker supplies their own malicious file and triggers the execution of arbitrary code. The Swiss company fixed the issues in October 2023.

Update Chrome Now to Fix New Actively Exploited Vulnerability

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.

The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.

“By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be used to bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service,” according to MITRE’s Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and the threat actors that may be exploiting it have been withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

“Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads a description of the flaw on the NIST’s National Vulnerability Database (NVD).

The development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively exploited zero-days in the browser.

Users are recommended to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.