AnonymousMedia.org

Category: Uncategorized

  • ClickFix Attacks Still Using the Finger

    ClickFix Attacks Still Using the Finger


    Introduction

    Since as early as November 2025, the finger protocol has been used in ClickFix social engineering attacks. BleepingComputer posted a report of this activity on November 15th, and Didier Stevens posted a short follow-up in an ISC diary the next day.

    I often investigate two campaigns that employ ClickFix attacks: KongTuke and SmartApeSG. When I checked earlier this week on Thursday, December 11th, both campaigns used commands that ran finger.exe in Windows to retrieve malicious content.

    So after nearly a month, ClickFix attacks are still giving us the finger.



    Shown above: ClickFix attacks running finger.exe.

    KongTuke Example

    My investigation of KongTuke activity on December 11th revealed a command for finger gcaptcha@captchaver[.]top from the fake CAPTCHA page.



    Shown above: Example of fake CAPTCHA page from the KongTuke campaign on December 11th, 2025.

    I recorded network traffic generated by running this ClickFix script, and I used the finger filter in Wireshark to find finger traffic over TCP port 79.



    Shown above: Finding finger traffic using the finger filter in Wireshark.

    Following the TCP stream of this traffic revealed text returned from the server. The result was a powershell command with Base64 encoded text.



    Shown above: Text returned from the server in response to the finger command.

    SmartApeSG Example

    My investigation of SmartApeSG activity on December 11th revealed a command for finger [email protected][.]108 from the fake CAPTCHA page.



    Shown above: Example of fake CAPTCHA page from the SmartApeSG campaign on December 11th, 2025.

    I recorded network traffic generated by running this ClickFix script, and I used the finger filter in Wireshark to find finger traffic over TCP port 79.



    Shown above: Finding finger traffic using the finger filter in Wireshark.

    Following the TCP stream of this traffic revealed text returned from the server. The result was a script to retrieve content from pmidpils[.]com/yhb.jpg then save and run that content on the user’s Windows host.



    Shown above: Text returned from the server in response to the finger command.

    Final Words

    As Didier Stevens noted in last month’s diary about this activity, corporate environments with an explicit proxy will block TCP port 79 traffic generated by finger.exe. However, if TCP port 79 traffic isn’t blocked, these attacks could still be effective.

    Bradley Duncan

    brad [at] malware-traffic-analysis.net



    Source link

  • ISC Stormcast For Friday, December 12th, 2025 https://isc.sans.edu/podcastdetail/9736

    ISC Stormcast For Friday, December 12th, 2025 https://isc.sans.edu/podcastdetail/9736



    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



    Source link

  • Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild

    Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild


    Dec 13, 2025Ravie LakshmananZero-Day / Vulnerability

    Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week.

    The vulnerabilities are listed below –

    • CVE-2025-43529 (CVSS score: N/A) – A use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content
    • CVE-2025-14174 (CVSS score: 8.8) – A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content

    Apple said it’s aware that the shortcomings “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

    It’s worth noting that CVE-2025-14174 is the same vulnerability that Google issued patches for in its Chrome browser on December 10, 2025. It’s been described by the tech giant as an out-of-bounds memory access in the company’s open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically in its Metal renderer.

    Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw, while Apple credited TAG with finding CVE-2025-43529.

    Cybersecurity

    This indicates that the vulnerabilities were likely weaponized in highly-targeted mercenary spyware attacks, given that they both affect WebKit, the rendering engine that’s also used in all third-party web browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and others.

    The flaws have been addressed in the following versions and devices –

    • iOS 26.2 and iPadOS 26.2 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
    • iOS 18.7.3 and iPadOS 18.7.3 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    • macOS Tahoe 26.2 – Macs running macOS Tahoe
    • tvOS 26.2 – Apple TV HD and Apple TV 4K (all models)
    • watchOS 26.2 – Apple Watch Series 6 and later
    • visionOS 26.2 – Apple Vision Pro (all models)
    • Safari 26.2 – Macs running macOS Sonoma and macOS Sequoia

    With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025, including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.



    Source link