CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 81: August 05 2024

Links 

https://cybersecuritynews.com/telegram-controlled-tgrat-attacking-linux/

https://thehackernews.com/2024/07/digicert-to-revoke-83000-ssl.html

https://www.securityweek.com/digicert-revoking-83000-certificates-of-6800-customers

https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html

https://try.cloudflare.com

https://www.darkreading.com/cloud-security/convincing-linkedin-profiles-target-saudi-workers-information-leakage

Telegram-Controlled tgRat Attacking Linux Systems 

  • TgRat Trojan
    • Original version found in 2022
      • Windows based
    • Modern version
      • Targets Linux
      • Uses the Bash interpreter
  • Features
    • Download files (from Telegram)
    • Upload files (from the host)
    • Take screenshots
    • Execute commands
    • Individual control or group control
    • Distinct ID per bot and channel join
  • Telegram
    • The trojan joins a Telegram channel to receive commands
    • Unconventional C2 server
      • Better hidden among ordinary Telegram traffic
  • Defense
    • Look for Telegram traffic originating from servers
    • Install EDR

DigiCert Revokes 83,000 Customer Certificates

  • DigiCert
    • One of the leading certificate authorities (CAs)
    • Certificates are crucial for establishing secure, encrypted connections between users and websites or applications
    • They protect sensitive data, such as login credentials and payment information, from being intercepted by malicious actors
  • Issue
    • A flaw in how DigiCert verified that a certificate is issued to the rightful owner of a domain
    • DNS CNAME record method: they give you a random value (prefixed with an underscore); you add it to your DNS zone, and they verify it
    • DigiCert had failed to include the underscore prefix with the random value used in some CNAME-based validation cases
    • Introduced by a code update in the automation process
    • While they did test the change, they didn't check for the underscore, just the workflows and functionality
    • A customer reached out to them; that is how the issue was found
  • Impact
    • Impacts approximately 0.4% of certificates
    • Bugzilla report: affects 83,267 certificates and 6,807 customers
    • Some customers asked for delayed revocation
      • No more delays
    • July 29th, 2024: notified impacted customers
      • 24 hours to replace
    • All impacted certificates, regardless of circumstances, will be revoked no later than August 3, 2024, 7:30 p.m. UTC
  • Fix
    • Sign into their DigiCert accounts
    • Generate a Certificate Signing Request (CSR)
    • Reissue a new certificate after passing DCV
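To make the underscore point concrete, here is an added example (not DigiCert's code, and not from the articles linked above) of the CNAME-based Domain Control Validation check. It builds the record name the applicant is expected to create, with the flawed construction (no underscore) beside the corrected one, and includes a small audit routine of the kind a CA needs to find already-validated domains whose record lacked the prefix. The random values, domain names and the in-memory resolver are constructed for the example; a real CA would query live DNS.

```python
import secrets

# Constructed stand-in for live DNS: CNAME owner name -> CNAME target.
# A real validator would resolve these through a recursive resolver.
FAKE_DNS = {
    "_a1b2c3d4e5.example.com.": "dcv.digicert.com.",  # correct: underscore-prefixed label
    "f6g7h8i9j0.example.com.": "dcv.digicert.com.",    # flawed: no underscore prefix
}

# Constructed record of past validations: (random value, domain, owner name that was checked).
PAST_VALIDATIONS = [
    ("a1b2c3d4e5", "example.com", "_a1b2c3d4e5.example.com."),
    ("f6g7h8i9j0", "example.com", "f6g7h8i9j0.example.com."),
    ("k1l2m3n4o5", "example.org", "_k1l2m3n4o5.example.org."),
]


def issue_random_value() -> str:
    """Random value the CA hands to the applicant.

    The CA/Browser Forum Baseline Requirements call for at least 112 bits of
    CSPRNG output; 16 bytes gives 128 bits.
    """
    return secrets.token_hex(16)


def expected_cname_owner(random_value: str, domain: str, underscore: bool = True) -> str:
    """Owner name the applicant must create in their zone.

    The underscore-prefixed label is required by the CNAME method so the
    validation record cannot collide with a real hostname. Passing
    underscore=False reproduces the omission described in the incident.
    """
    label = f"_{random_value}" if underscore else random_value
    return f"{label}.{domain}."


def validate_domain(random_value: str, domain: str, *, target: str = "dcv.digicert.com.",
                    underscore: bool = True, dns: dict = FAKE_DNS) -> bool:
    """Return True when the expected CNAME exists and points at the CA's target."""
    owner = expected_cname_owner(random_value, domain, underscore)
    return dns.get(owner) == target


def find_affected_validations(validations) -> list:
    """Audit step: list the (random value, domain) pairs whose checked owner
    name lacked the underscore prefix and therefore need re-validation."""
    affected = []
    for random_value, domain, owner_checked in validations:
        if owner_checked != expected_cname_owner(random_value, domain):
            affected.append((random_value, domain))
    return affected


if __name__ == "__main__":
    print("correct record validates:", validate_domain("a1b2c3d4e5", "example.com"))
    print("non-underscored record, corrected check:", validate_domain("f6g7h8i9j0", "example.com"))
    print("non-underscored record, flawed check:", validate_domain("f6g7h8i9j0", "example.com", underscore=False))
    print("validations needing redo:", find_affected_validations(PAST_VALIDATIONS))
```

The audit function is the defender-side step: once the flawed name construction is fixed, every validation performed with it has to be re-run, which is exactly why the affected certificates were revoked rather than left in place.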

Criminals Abusing Cloudflare Tunnels (again) 

  • Cloudflare Tunnels
    • Service offered by Cloudflare
    • Creates secure, encrypted connections between customers' local servers and the Cloudflare network
    • Without exposing those servers directly to the internet
    • Simplifies network configuration by bypassing traditional firewall or NAT setups
    • It's free
  • Not new
    • Sysdig uncovered a cryptojacking and proxyjacking campaign dubbed LABRAT
      • Exploited a now-patched critical flaw in GitLab
      • To infiltrate targets and obscure their command-and-control (C2) servers using Cloudflare tunnels
  • Initial attack
    • Phishing email containing a ZIP archive
      • Contains a URL shortcut file
      • That leads to a Windows shortcut file
      • Hosted on a TryCloudflare-proxied server
    • Executes next-stage batch scripts
    • Retrieves and executes additional Python payloads
    • Displays a decoy PDF document
  • Danger
    • Hides malicious activity from detection
    • Bypasses traditional security measures
    • Difficult for defenders to spot and block these attacks
    • Delivers malware to victims' systems
  • Malware using it
    • AsyncRAT: a remote access trojan (RAT) that allows attackers to control infected systems remotely, steal data, and spy on victims by recording keystrokes or capturing screenshots
    • GuLoader: a malware loader that downloads and executes additional malicious payloads on the victim's machine, often using anti-detection techniques such as encryption
    • PureLogs Stealer: a data-stealing malware designed to capture and exfiltrate sensitive information such as login credentials and browser data
    • Remcos RAT: a remote access trojan known for its extensive capabilities, including keylogging, screen capturing, and remote control of infected devices
    • Venom RAT: a versatile trojan used by cybercriminals to take control of systems, steal information, and conduct surveillance
    • XWorm: a sophisticated piece of malware that functions as both a RAT and a worm, allowing it to spread across networks while providing attackers with remote access to infected machines
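Both the tgRat segment ("look for Telegram traffic from servers") and this one (TryCloudflare-proxied hosting) come down to the same detection idea: spotting C2 channels that hide inside legitimate, widely used services. The following added example, which is not from the podcast or either article, runs that check over DNS query logs. The log format, the host roles and every log line are constructed for the example; the domain indicators (api.telegram.org for Telegram bots, *.trycloudflare.com for quick tunnels) are the ones the stories describe.

```python
from dataclasses import dataclass

# Indicators from the two stories. Telegram is flagged only for hosts tagged as
# servers, since workstations legitimately use it; TryCloudflare quick-tunnel
# hostnames are flagged everywhere because they are a common developer tool and
# therefore worth triaging rather than blocking outright.
TELEGRAM_DOMAINS = {"telegram.org", "t.me"}   # api.telegram.org is what bot-driven malware uses
TUNNEL_SUFFIX = ".trycloudflare.com"

# Constructed DNS query log. Assumed format: <timestamp> <client> <role> <query-name>,
# where role is the tag your asset inventory assigns to the client.
SAMPLE_LOG = """\
2024-08-05T09:12:01Z 10.0.5.21 server api.telegram.org
2024-08-05T09:12:03Z 10.0.5.21 server cdn.example.net
2024-08-05T09:13:10Z 10.0.8.44 workstation web.telegram.org
2024-08-05T09:15:42Z 10.0.8.44 workstation random-words-here.trycloudflare.com
2024-08-05T09:16:00Z 10.0.5.30 server updates.example.com
malformed line that should be skipped
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    rule: str
    query: str


def under_domain(name: str, domains: set) -> bool:
    """True if name equals or is a subdomain of any entry in domains."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(role: str, query: str):
    """Return the rule name a query trips, or None."""
    if role == "server" and under_domain(query, TELEGRAM_DOMAINS):
        return "telegram-from-server"
    if query.rstrip(".").lower().endswith(TUNNEL_SUFFIX):
        return "trycloudflare-lookup"
    return None


def scan(log_text: str) -> list:
    """Parse each log line and collect the queries that match a rule."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip lines that do not fit the assumed format
            continue
        ts, client, role, query = parts
        rule = classify(role, query)
        if rule:
            findings.append(Finding(ts, client, rule, query))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.rule}: {f.query}")
```

The role tag is doing the real work here: the same Telegram lookup is noise from a laptop and a strong signal from a database server, which is the distinction the tgRat advice relies on. In a production pipeline the role would come from an asset inventory join rather than the log line itself.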

LinkedIn Profiles Target Workers for Information Leakage 

  • Black Hat Middle East and Africa
    • Researchers said they uncovered nearly a thousand fake profiles
    • Created with the aim of reaching out to companies in the Middle East
    • Well-connected synthetic identities
  • Financial fraud
    • Convince employees in specific roles to provide sensitive corporate information
  • LinkedIn profiles targeting Saudi professionals
    • Appeared to be young women in their 20s
    • Muslim names
    • Usually claimed to work in Southeast Asia
    • Extremely difficult to discern as part of a threat campaign
    • In the case of one profile of a "person" claiming to be head of product at a large company, for example
      • The fake profile was perfect, except that the person indicated they worked in a tiny town outside Riyadh
        • A town that has no industry
      • The profile image was traced back to a Ukrainian website
  • How it works
    • The profiles would send a contact request to anyone
    • Most people were not hesitant to accept
    • If default settings aren't changed, once accepted they can see your LinkedIn contact list
      • Extensive data on organizations and their employees
      • A repository of crowdsourced information on workers
