🔓 [CyberFacts Weekly - Issue 0x03] Twice the Content, New Workflow

Two SGX SDK vulns patched / Twitch leak not surprising / Abusing GitHub Actions / YouTube MP4 parsing vuln patched / Thingiverse leak (36GB) / 2.4 Tbps DDoS hit Azure customer / Proton bug bounty / Ransomware payments up 40% YoY / Trump’s website defaced / Candy maker hit by ransomware / Abusing garage door openers / ATM PIN guessing

Hello! 👋

I should have never skipped last week’s CyberFacts Weekly, because…guess what, now I had to process twice the load! 🥵

But last week was definitely too packed with prepping for Black Hat Europe and I had to prioritize that! By the way, consider attending Black Hat Europe, which is taking place both on site (at the London ExCeL) and virtually.

Despite being overwhelmed, I finally found the time to use Zotero to manage this digest. Here’s the workflow:

  1. Every time I find an interesting news item, I tag it in my favorite RSS reader so it gets pushed immediately in the feed and via Twitter.
  2. Every once in a while I skim through the list of tagged items in my reader and visit the web page.
  3. Use Zotero Companion to take a snapshot and automagically import it into Zotero along with the relevant metadata.
  4. I organize the items into sub-collections and create child notes to highlight the relevant bits.
  5. Use Better BibTex for Zotero to keep a synced JSON database for each weekly issue.
  6. Run a Python script I cooked to convert from the JSON database into the Markdown file that holds each issue.

It looks more complex than it actually is, but it’s much better than having to fumble with a JSON manually, having to reorder manually, get the dates wrong, etc.

A lot has happened in the past two weeks, but these are my personal highlights:

  • Two SGX Enclave SDKs Patched Against Info-disclosure Exploits
  • Former Twitch Engineers Says the Massive Leak isn’t Surprising
  • Abusing GitHub Actions to Bypass Code Reviews
  • Video Transcoding Pipelines Can be Exploited, Too

All the rest, as usual, it’s here below! If you like this, consider subscribing!

Top Picks

Discord CDN Abused to Spread 27 Unique Malware Types

by Team RiskIQ

Discord has been used by 140 million people just in 2021. RiskIQ has discovered that its CDN is being abused by cybercriminals to deploy malware files.

Edward Snowden Launches Global Encryption Day to Promote the Use of Strong Encryption

by Mike Butcher // TechCrunch

The Global Encryption Coalition promotes and defends encryption in key countries and multilateral fora where it is under threat. It also supports efforts by companies to offer encrypted services to their users.

WinRAR Trial is Affected by a Trivial Vulnerability Allowing RCE (CVE-2021-35052)

by Igor Sak-Sakovskiy // PT SWARM

The trial version of WinRAR is affected by a vulnerability that allows an attacker to intercept and modify requests sent to the user of the application and can be used to achieve remote code execution on a victim’s computer.

However, it seems that the CVE ID mentioned in the original blog post is not (yet?) correctly assigned to this vulnerability.

Trick or Treat: Ransomware Interrupts Production at US Candy Maker

by Lee Mathews // Forbes

Not many details available about this attack that took place on Oct 9th.

Brave Browser Enables Brave Search as the Default Search Engine

by Brave // Brave Browser

New Brave users will have the privacy-friendly Brave Search functionality in the Brave browser.

How a simple Linux kernel memory corruption bug can lead to complete system compromise

by Jarn Horn // Project Zero

A “straightforward Linux kernel locking bug” can lead to whole system compromise if not mitigated.

CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware | CISA


Threat actors have been using BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization.

RCE Exploit for iOS 15.0.2 Safari Running on iPhone 13 Pro Acquired During the Tianfu Cup

by Davey Winder // Forbes

During the Tianfu Cup, the top-ranked team dropped a remote code execution exploit of the mobile Safari web browser running iOS 15.0.2 on the iPhone 13 Pro.

Other targets exploited during the contest include Windows 10, iOS 15, Ubuntu, and Chrome.

The Home Page of Donald Trump's Website has been Defaced

by Joseph Cox // Motherboard

RootAyyildiz told Motherboard in a Facebook message that they defaced the Trump site using Server Side Template Injection (SSTI), which is a technique where an attacker can put their own arbitrary code into a site’s template. They said they had control over that part of the site for 3 months.

If you’re curious, my colleagues and I did a research on web defacement.

Several TV Broadcasts Interrupted as Sinclair Got Hit by a Ransomware Attack

by Catalin Cimpanu // The Record by Recorded Future

Sinclair formally confirmed the ransomware attack a day after this initial report in SEC documents.

Known Ransomware Payments Grows 40% YoY in 2021

by Ian Talley // Wall Street Journal

Nearly $600 million in transactions were linked to possible ransomware payments in so-called Suspicious Activity Reports financial services firms filed to the U.S. government in the first six months of this year, according to a Treasury Department report. That is more than 40% more than the total for all of 2020.

Fraudsters Allegedly Used Deepfake Voice-Cloning to Authorized a $35M Transfer

by Thomas Brewster // Forbes

It’s only the second known case of fraudsters allegedly using voice-shaping tools to carry out a heist, but appears to have been far more successful than the first, in which fraudsters used the tech to impersonate a CEO of a U.K.-based energy firm in an attempt to steal $240,000 in 2019, according to the Wall Street Journal.

Apple Client-side Content Scanning Feature More Harmful Than Useful

by Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, Carmela Troncoso // arXiv:2110.07450 [cs]

The controversial and quickly retired client-side content scanning (CSS) feature by Apple creates serious security and privacy risks for all society, whereas the benefit it can provide for law enforcement is problematic.

Thingiverse Data Leak (36GB worth of email addresses and 3D models)

by Mihir Bagwe // Data Breach Today

A database backup taken from the 3D model sharing service Thingiverse began extensively circulating within the hacking community, dating back to October 2020.

Former Twitch Engineers Says the Massive Leak isn't Surprising

by Lorenzo Franceschi-Bicchierai // Motherboard

“This attack definitely had the characteristic of a minimally skilled adversary,” he told Motherboard.

Also AMD Zen CPUs Exhibit Meltdown Patterns, not Just Intel

by Catalin Cimpanu // The Record by Recorded Future

Researchers have demonstrated that also the AMD Zen family of CPUs exibits Meltdown patterns, confirming the possibility of exploiting them for transient execution hijacking attacks, like in Intel CPUs.

Abusing GitHub Actions to Bypass Code Reviews

by Omer Gil // Cider Security

It’s possible to abuse the unique token generated when each Actions workflow is run to authorized a push command to upload unreviewed code to a protected branch, bypassing reviews.

Two SGX Enclave SDKs Patched Against Info-disclosure Exploits

by Jinhua Cui, Jason Zhijingcheng Yu, Shweta Shinde, Prateek Saxena, Zhiping Cai // arXiv:2110.06657 [cs]

The vulnerability lies in how the exceptions are handled, allowing ROP-style exploitation leading to info disclosure of the data protected by the enclave.

As Catalin Cimpanu reminds us:

Over the past few years, we’ve seen similar attacks that broke SGX enclaves to retrieve data. Past examples include PlunderVolt, SgxSpectre, Foreshadow, BranchScope, Platypus, V0LTpwn, Game of Threads, AsyncShock, The Guard’s Dilemma, and Iago.

MyKing Botnet (aka Smominru and DarkCloud) has been Active Since 2016

by Jan Rubín, Jakub Kaloč // Avast Threat Labs

MyKing is a botnet that has been active since 2016, if not earlier. According to the research, the operators of MyKings have accumulated more than $24 million USD in Bitcoin, Ethereum, and Dogecoin cryptowallets.

Proton Launches Bug Bounty Program

by Proton Team // ProtonMail Blog

Proton, which recently publicly announced that “now they keep logs”, has launched a bug bounty program in partnership with Bug Bounty Switzerland.

Microsoft Unaffected by a 2.4 Tbps DDoS Attack Against Azure

by Amir Dahan // Microsoft Blog

[Microsoft has] observed a 2.4 Tbps DDoS attack targeting an Azure customer in Europe. This is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.

Video Transcoding Pipelines Can be Exploited, Too

by Florian Mathieu // Keyboard Warrior

An independent researcher has accidentally discovered a vulnerability in YouTube video timestamp calculation, and was able to cook a 4MB video claimed to have 15 hours of footage. Google has acknowledged the contribution in their Hall of Fame.

Cloudflare launches Cloudflare Research Hub

by Vânia Gonçalves, Thomas Ristenpart // Cloudflare Blog

Cloudflare launches an academic-style research branch, inviting interns and visiting researchers to collaborate in research projects.

Also Noteworthy

FIN7 is now Running a New Fake Company to Recruit IT Specialists to Participate in Ransomware Attacks

by Gemini Advisory // Gemini Advisory Blog

FIN7’s decision to use a fake cybersecurity company to recruit IT specialists for its criminal activity is driven by FIN7’s desire for comparatively cheap, skilled labor. Bastion Secure’s job offers for IT specialist positions ranged between $800 and $1,200 USD a month.

How the Direct-on-Receiver (DOR) Feature of Some Garage Door Openers Can be Abused

by Sébastien Dudek // Trend Micro Research

Using jamming and replaying signals, the research shows how to record a second remote into the receiver and keep permanent access.

Two Individuals Sentenced for Providing “Bulletproof Hosting” for Cybercriminals

by Office of Public Affairs // U.S. Department of Justice

Two Eastern European men were sentenced for providing “bulletproof hosting” services, which were used by cybercriminals between 2009 to 2015 to distribute malware and attack financial institutions and victims throughout the United States.

Chrome v95 Breaking Changes: No More FTP and Old U2F Keys

by Catalin Cimpanu // The Record by Recorded Future

Chrome v95 removes support for FTP (ftp://), old-gen U2F keys and few other breaking changes.

New PurpleFox botnet variant uses WebSockets for C2 communication

by Bill Toulas // BleepingComputer

The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, now also leveraging WebSockets for C2 bidirectional communication.

Advanced Spoofing of a Browser Fingerprint is Possible

by Bill Toulas // BleepingComputer

Researchers from TAMU and UFL have demonstrated that it’s possible to spoof a browser’s activity to the point that state-of-the-art browser-fingerprinting techniques won’t be able to tell the difference from the real, spoofed browser.

by Ashley Shen // Google Threat Analysis Group

Since 2019, Google’s Threat Analysis Group tracked and disrupted financially motivated phishing campaigns targeting YouTubers with cookie-stealing malware.

Newly Found npm Malware Mines Cryptocurrency on Windows, Linux, macOS Devices

by Sonatype Security Research Team // Sonatype Blog

Multiple malicious packages on the npm registry disguise themselves as legitimate JavaScript libraries, but were caught launching cryptominers on Windows, macOS and Linux machines.

DDoS Attacks Against Russian Firms Have Tripled in 2021

by Bill Toulas // BleepingComputer

In a report from Rostelecom, the largest telecommunications provider in Russia, September 2021 was recorded as the worst period for DDoS attacks again Russia in recent history.

During that time, threat actors launched 90% of all 2021 DDoS attacks analyzed in the report, a notable surge that also manifested in other regions.

Free decrypter released for BlackByte ransomware victims

by Catalin Cimpanu // The Record by Recorded Future

Trustwave has released on Friday a free utility that victims of the BlackByte ransomware can use to decrypt and restore their files without paying the ransom demand.

Mobile Malware Hides into Unofficial "Squid Game" Apps

by Thomas Brewster // Forbes

If you’re going crazy for Squid Game like the rest of the Netflix-watching world, you might be tempted to download an app based on the smash hit TV show. But beware: Developers have already managed to get malware masquerading as a Squid Game phone wallpaper app onto Google Play as hundreds of unofficial apps have hit the Android app store.

Accenture lost 'proprietary information' in summer ransomware attack

by Tim Starks // CyberScoop

Accenture has acknowledged in a filing to the Securities and Exchange Commission that outsiders extracted “proprietary information” in a cyber incident this summer.

Guessing a PIN From Hands' Micro Movements

by Bill Toulas // BleepingComputer

It’s possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands ( paper).

Ongoing Cyber Threats to U.S. Water and Wastewater Systems | CISA

by CISA // ICS Alert

Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA.

Source: The Record

Missouri Governor vs. Responsible Vulnerability Disclosure

by Brian Krebs // Krebs on Security

Missouri Gov. Parson said he would seek to prosecute and investigate who reported a “leaky” web page of the Missouri state Department of Elementary and Secondary Education (DESE) that allowed anyone able to inspect the source code of the page to view teacher certifications, credentials, and over 100,000 SSNs.

OpenSea Fixes Vulnerabilities Reported by Check Point Research

by Mitchell Clark // The Verge

OpenSea has fixed vulnerabilities in its platform that could’ve let hackers steal someone’s crypto after sending them a maliciously crafted NFT. The issue was found by security firm Check Point Research, which noticed tweets from people claiming they were hacked after being gifted NFTs […]

GitHub is Revoking Weak SSH Keys Generated by GitKraken

by Mike Hanley // The GitHub Blog

GitHub has revoked all keys generated by [the] vulnerable versions of the GitKraken client that were in use on GitHub.com, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency.

FontOnLake: Previously unknown malware family targeting Linux

by ESET Research // WeLiveSecurity

ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux.


Deepfence Releases ThreatMapper Open Source

by Deepfence // GitHub

Deepfence ThreatMapper is a tool to monitor running applications, in cloud, Kubernetes, Docker, and fargate serverless.

VMware Labs Releases an Open-source Attack Surface Watchdog

by VMware Labs // GitHub

The Attack Source Framework (ASF) is a watchdog that, provided Domain, IP address or CIDR (Internal or External), will discover assets/subdomains, enumerate their ports and services, track deltas and serve as a continuous and flexible attacking and alerting framework leveraging an additional layer of support against 0 day vulnerabilities with publicly available POCs.

Fuzz CPU Emulators to Find Logic Bugs in the Silicon!

by Kostya Serebryany, Maxim Lifantsev, Konstantin Shtoyk, Doug Kwan

That’s what SiliFuzz does, and that’s a pretty smart idea, because CPU emulators are typically developed around the specifications of the silicon CPU. Under this hypothesis, if a SiliFuzz fuzzer will find a bug in an emulator, it’s worth looking for the same bug in the bare metal CPU!

L0phtCrack is Now Open Source

by @dildog

L0phtCrack is no longer being sold. The current owners have no plans to sell licenses or support subscriptions for the L0phtCrack software. All sales have ceased as of July 1, 2021. Refunds for any subscription renewals after June 30, 2021 are being processed.

Pithus: An Open-source Mobile Threat Intelligence Platform

by @evilcel3ri

Pithus brings transparency through clear and structured reports. Activists, journalists, NGOs, and any other technical community can easily generate these reports and leverage them to better understand the threat landscape.

Intel Labs Releases Open-source Debugging Tool to Detect Anomalous Patterns

by Niranjan Hasabnis, Justin Gottschlich // arXiv:2011.03616 [cs]

ControlFlag is a self-supervised idiosyncratic pattern detection system that learns typical patterns that occur in the control structures of high-level programming languages, such as C/C++, by mining these patterns from open-source repositories (on GitHub and other version control systems). It then applies learned patterns to detect anomalous patterns in user’s code.


Akamai Technologies Completes Acquisition of Guardicore

by October 21, 2021 // Dark Reading

[Akamai] has completed its acquisition of Guardicore of Tel Aviv, Israel. On September 29, Akamai announced an agreement between the two parties for Akamai to acquire the company in exchange for approximately $600 million.

Combination of McAfee Enterprise and FireEye Complete

by FireEye // FireEye Press Releases

McAfee Enterprise and FireEye today announced Symphony Technology Group (“STG”) has closed its sponsored acquisition of FireEye in an all-cash transaction totaling $1.2 billion. This transaction completes the combination of McAfee Enterprise with FireEye.

CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

Hope you enjoyed this issue…and see you reading the next one! 🙃

Thanks! Cheers, Fede