Researchers Exploit Vulnerabilities in WHOIS Clients, Microsoft Addresses Critical Windows 10 Bug, Data Breach at KemperSports, and More Cybersecurity News

A heartfelt appeal from Cynthia: Metacurity urgently requires your backing to keep delivering daily summaries of the most pivotal infosec developments that you need to stay informed about. Please consider subscribing to a paid plan so I can sustain this vital work.

In an impressive feat, researchers set out to make vulnerabilities in WHOIS clients exploitable by studying how those clients parse responses from WHOIS servers. Their investigation revealed that the WHOIS server for the .MOBI TLD had moved from whois.dotmobiregistry.net to whois.nic.mobi a few years ago. Notably, the dotmobiregistry.net domain had been left to expire around December 2023, which enabled them to acquire it.

By deploying a WHOIS server under the whois.dotmobiregistry.net hostname, they aimed to observe active communications, yielding astonishing results. They uncovered over 135,000 unique systems interacting with their server, and by September 4, 2024, they had received 2.5 million queries. These queries originated from various GOV and MIL mail servers, likely checking domains for incoming emails, as well as from numerous cybersecurity tools and firms like VirusTotal, URLSCAN, and Group-IB that still considered this WHOIS server authoritative.

Crucially, they discovered that multiple Certificate Authorities (CAs), which issue TLS/SSL certificates for domains like Google.mobi and Microsoft.mobi, were using their WHOIS server to verify domain ownership via the ‘Domain Email Validation’ mechanism. They demonstrated this vulnerability with GlobalSign, showing that for ‘microsoft.mobi’, GlobalSign would recognize ‘[email protected]’ as an authoritative email address based on their WHOIS server’s response.

This effectively compromised the CA process for the entire .mobi TLD. By controlling the WHOIS server, they could respond to queries from anyone who hadn’t updated their client to the new address, eliminating the need for Man-In-The-Middle attacks or other complex exploits. They simply waited for queries and could theoretically respond with any data they chose. (Benjamin Harris and Aliz Hammond / Watchtowr Labs)
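The failure above is a client still pointing at a hostname whose parent domain the registry no longer controls. The following audit, an added example that is not code from the watchTowr research or from any real WHOIS client, compares a client's hard-coded TLD-to-server table against the referral in the IANA TLD WHOIS record (the `refer:`/`whois:` line of `whois -h whois.iana.org <tld>`) and flags entries whose registrable domain has drifted; the IANA records and the client table are constructed samples so it runs offline.

```python
"""Audit a WHOIS client's TLD -> server table for stale referrals (added example)."""
from dataclasses import dataclass

# Constructed: the kind of table a WHOIS client ships with.
CLIENT_TABLE = {
    "mobi": "whois.dotmobiregistry.net",  # the stale hostname from the story
    "com": "whois.verisign-grs.com",
    "example": "whois-old.nic.example",   # hypothetical TLD, same parent domain
}

# Constructed IANA-style records, reduced to the fields this script reads.
IANA_RECORDS = {
    "mobi": "refer:        whois.nic.mobi\ndomain:       MOBI\nstatus:       ACTIVE\n",
    "com": "refer:        whois.verisign-grs.com\ndomain:       COM\n",
    "example": "domain:       EXAMPLE\nwhois:        whois.nic.example\n",
}

def parse_iana_whois_host(record):
    """Return the referral host from an IANA TLD record ('refer:' or 'whois:' line)."""
    for line in record.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("refer", "whois") and value.strip():
            return value.strip().lower()
    return None

def registrable_domain(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup,
    good enough for registry hostnames such as whois.nic.mobi."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

@dataclass
class Finding:
    tld: str
    configured: str
    authoritative: str
    severity: str  # "foreign-domain" (takeover exposure), "stale-host", "no-referral"

def audit(client_table, iana_records):
    findings = []
    for tld, host in client_table.items():
        expected = parse_iana_whois_host(iana_records.get(tld, ""))
        if expected is None:
            findings.append(Finding(tld, host, "", "no-referral"))
        elif host.lower() == expected:
            continue  # client agrees with the authoritative referral
        elif registrable_domain(host) != registrable_domain(expected):
            # Queries go to a domain the registry no longer owns: if it lapses,
            # whoever registers it answers every client that never updated.
            findings.append(Finding(tld, host, expected, "foreign-domain"))
        else:
            findings.append(Finding(tld, host, expected, "stale-host"))
    return findings
```

Run `audit(CLIENT_TABLE, IANA_RECORDS)`; a `foreign-domain` finding is the case to fix first, since a `stale-host` entry at least still lands on infrastructure the registry controls.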

Separately, Microsoft has addressed a critical bug that left some Windows 10 PCs unpatched against actively exploited vulnerabilities for several months. The most noteworthy flaw disclosed was CVE-2024-43491. Microsoft noted that this vulnerability rolled back earlier fixes on certain Windows 10 systems released in 2015, affecting systems updated between March 2024 and August 2024.

To resolve this issue, users must apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates. Kev Breen from Immersive Labs explained that the root cause of CVE-2024-43491 was incorrect handling of build version numbers by the update service on specific Windows 10 versions.

Microsoft also fixed two zero-day vulnerabilities this month: CVE-2024-38226 in Microsoft Publisher, which allows attackers to bypass the “Mark of the Web” security feature, and CVE-2024-38217, another Mark of the Web bypass affecting Office. Both flaws exploit malicious Office files opened by targets.

Adobe released updates addressing security vulnerabilities in several products including Reader and Acrobat, After Effects, Premiere Pro, Illustrator, ColdFusion, Adobe Audition, and Photoshop. Adobe reported no known exploits in the wild for these issues. (Brian Krebs / Krebs on Security)

Meta’s global privacy director Melinda Claybaugh faced scrutiny over claims that Meta was collecting data from all Australians to train its AI tools. Initially rejecting these claims, she later admitted that public photos of minors could be scraped if they appeared on user accounts. In June, Meta informed EU and US users that their data would be used for AI training unless they opted out. However, no such opt-out was offered to Australians. (Jake Evans / ABC.net.au)

An independent investigation by SlowMist indicated a breach in Indodax’s withdrawal system, allowing hackers to withdraw funds from its hot wallet. Cyvers suggested attacks on other systems like the signature machine. The hacker stole significant amounts including $1.42 million in Bitcoin and over $14.6 million in ERC-20 tokens. They detected over 150 suspicious transactions across multiple networks and observed the hacker converting stolen funds to ETH and using crypto-mixing services like Tornado Cash to launder the loot anonymously. Yosi Hammer from Cyvers suspects North Korea’s Lazarus group may be responsible due to similarities in attack patterns. (Arijit Sarkar / Cointelegraph)

KemperSports reported a data breach affecting over 62,000 individuals to the Maine Attorney General’s Office. The breach exposed personal information including names and Social Security numbers primarily related to current and former employees. Although there is no evidence of misuse or identity theft, affected individuals are offered one year of free credit monitoring and identity restoration services. No ransomware group has claimed responsibility for the attack. (Eduard Kovacs / Security Week)

In funding news, SYN Ventures led a round with Zscaler and Lightspeed Venture Partners participating, while another round included Q Fund VC with contributions from notable figures like Eddy Shalev and Danny Yamin. (Duncan Riley / Silicon Angle; CTech)

Federal prosecutors have indicted Erin Humber and Matthew Robert Allison for leading “Terrorgram,” a network on Telegram promoting white supremacist violence.

Ford Motor Company is seeking a patent for technology that would tailor in-car advertising by listening to conversations among vehicle occupants and analyzing historical location data.
