Headline
Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!
Welcome to this week’s edition of the Threat Source newsletter. I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase
Thursday, November 3, 2022 16:11
Welcome to this week’s edition of the Threat Source newsletter.
I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase of Twitter and the subsequent exodus led me down the nostalgic path of thinking about how times change and platforms change but things largely remain the same. Until now. We’ve grown as an entire internet community and we remember the pain of moving from app to app and site to site. Many top infosec follows have deactivated their accounts while others are weighing when and if they will leave. Several have moved to decentralized solutions like mastodon.social which saw an uptick of more than 70,000 new users in a single day after the purchase was official. In theory Mastadon can’t be controlled by a single person or entity and to me it feels like this is the next step in our path as an internet community. Will it catch on and be the answer to all of our needs? Doubtful. It is a step in the evolution of the internet and I’m very interested to see what the next adaptation brings.
The one big thing
Cisco Talos Incident Response recently released their Quarterly Report highlighting the ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. This quarter saw ongoing Qakbot, Hive, and Vice Society activity as well as the emergence of Black Basta, which first surfaced in April 2022. Adversaries continue to leverage not only LoLBins but a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. Defenders continue to struggle with MFA rollouts, as lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services.
Why do I care?
Understanding the current tools and trends used by attackers, as well as understanding the vulnerabilities that are targeted are intrinsic to good security posture. Knowing your environment is step one. Understanding that same environment from the view of the attacker is the next step. Per the report “In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.”
So now what?
Ensuring that you know your environment and are covering the base of the security pyramid well is critical. Patch, self-assess, and follow trusted threat intelligence sources. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication and to disable or delete inactive accounts from Active Directory to prevent suspicious activity.
For the OpenSSL vulnerability we strongly recommend users mitigate affected OpenSSL systems as soon as possible by upgrading to version 3.0.7. Talos has released coverage across the device portfolio including Snort Rules: 60790, 300306-300307 to protect against exploitation of CVE-2022-3602 and ClamAV signature, Multios.Exploit.CVE_2022_3602-9976476-0, to detect malware artifacts related to this threat.
Top security headlines of the week
Security researchers were once again falsely implied by a ransomware gang in an effort to indicate their involvement. This time around Azov implicated BleepingComputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, Lawrence Abrams, and Vitali Kremez, urging infected users to contact them via their accounts on Twitter to recover files.
Dropbox was the target of a recent phishing campaign that led to attackers gaining access to code stored in Github and copying 130 code repositories, including third-party libraries, internal software projects, and a few tools and configuration files maintained by the Dropbox security team. The attackers didn’t gain access to any user content, passwords, or payment information. The Dropbox security team released a report detailing how they handled the incident.
Can’t get enough Talos?
- https://blog.talosintelligence.com/researcher-spotlight-how-azim-khodjibaev-went-from-hunting-real-world-threats-to-threats-on-the-dark-web/
- https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q3-2022/
- https://blog.talosintelligence.com/openssl-vulnerability/
- https://youtu.be/KhG6RUZgMas
Upcoming events where you can find Talos
BSides Lisbon (Nov. 10 - 11)
Cidade Universitária, Lisboa, Portugal
SIS(Security Intelligence Summit), 2022.ON (Nov. 29)
Josun Palace, Seoul
Most prevalent malware files from Talos telemetry over the past week
SHA 256:
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection
SHA256:
d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86
MD5: 69fbf6849d935432bac8b04bdb00fd68
Typical Filename: KMSAuto++.exe
Detection Name: W32.File.MalParent
SHA256:
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256:
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
SHA 256:
00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: outlook.exe
Claimed Product: MS Outlook
Detection Name: W32.00AB15B194-95.SBX.TG
Related news
The Palantir Tiles1 service was found to be vulnerable to an API wide issue where the service was not performing authentication/authorization on all the endpoints.
Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.
The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE).
A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0.
A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.
A security defect was identified that enabled a user of Foundry Issues to perform a Denial of Service attack by submitting malformed data in an Issue that caused loss of frontend functionality to all issue participants. This defect was resolved with the release of Foundry Issues 2.510.0 and Foundry Frontend 6.228.0.
Multiple Services such as VHS(Video History Server) and VCD(Video Clip Distributor) and Clips2 were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.
The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.
A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Red Hat Security Advisory 2023-0786-01 - Network observability is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console.
Network observability 1.1.0 release for OpenShift Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0813: A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced, allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows without authentication.
Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users.
Summary Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services. Any customer action that is required will be highlighted in this blog and our associated Security Update … Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) Read More »
Gentoo Linux Security Advisory 202211-1 - Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. Versions less than 3.0.7:0/3 are affected.
Red Hat Security Advisory 2022-7288-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full strength general purpose cryptography library. Issues addressed include a buffer overflow vulnerability.
By Deeba Ahmed The OpenSSL vulnerability was first categorized as critical and later as a high-severity buffer overflow bug that impacted all OpenSSL 3.x installations. This is a post from HackRead.com Read the original post: OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week
**Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and are known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Organizations should update to the latest encryption (version 3.0.7) as soon as possible, but there's no need for Heartbleed-like panic, security experts say.
In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or
An update for openssl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3602: OpenSSL: X.509 Email Address Buffer Overflow * CVE-2022-3786: OpenSSL: X.509 Email Address Variable Length Buffer Overflow
Ubuntu Security Notice 5710-1 - It was discovered that OpenSSL incorrectly handled certain X.509 Email Addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. The default compiler options for affected releases reduce the vulnerability to a denial of service. It was discovered that OpenSSL incorrectly handled applications creating custom ciphers via the legacy EVP_CIPHER_meth_new function. This issue could cause certain applications that mishandled values to the function to possibly end up with a NULL cipher and messages in plaintext.
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to up...