Debian Linux Security Advisory 5798-1 - Christoper L. Shannon discovered that the implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5798-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 26, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : activemq  
CVE ID         : CVE-2023-46604

Christoper L. Shannon discovered that the implementation of the OpenWire  
protocol in Apache ActiveMQ was susceptible to the execution of  
arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in  
version 5.17.2+dfsg-2+deb12u1.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/activemq

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmccx3gACgkQEMKTtsN8  
TjY5bg//ZDPT1SXTCW7reOmPv3i1J7I8Cv8rNkogL73R1SBE+1C5CutQzAESJkid  
0BzW+q9A2qVvDyxgM8pcxuYI53olVH8fPzDViHYit4K4Ac0o66fmfA42ipC21sNd  
it9Zo1WROyYenvLvGEx4bQXL8UamoVpMCIy/2o5t0b60P5glOjjfqHJadRbvZgJA  
QvdD3UTASnsrqWgf5+4HON9nUBjNJL9cdPkxPkskBVAYJrMpLvNEvkofcB1YIPgs  
UW0UwNJe50CCddeDhOY59nO1m0TAG0gbgEgPJ3U2Zasdou2OqTRFp7wt0RBwmvFW  
wikkyRqfg0sZM4bDZIz74c58qJRd2dJBIShTBQiXB2qcX3v7tNUp+2cVjUUhZq3d  
jXIS1uupmpn4MVIA5CgLFsBsoOzg+Zn7WxXNMih0CIUAUWLmGPrMRiinm4rB81t1  
1zOMpaRByCuO1Tnc03dDaX0sl5ydWc+O2nkRxsWowXXGw/UDMSdNbrLmr/kJwNnR  
cmePkv6PPLBznTWpuk9elriYLn2D8VLvRHx2TGj+W21Qky4QOYUVYVpHgHYW5GpE  
4jkrozdb/GhUUN7QIqssmJzyXGNUBKf+7DBPBUqmV2Pcvp5uNa1s3J0zanP6OKda  
dfnlfI6Ov8WH3O/P60suZF8QBvlRvjnscNaC9HUVZ/ROqgy7MFo=  
=JXv0  
-----END PGP SIGNATURE-----

Debian Security Advisory 5798-1

Debian Linux Security Advisory 5797-1 - Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5797-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 25, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : twistedCVE ID         : CVE-2023-46137 CVE-2024-41671 CVE-2024-41810Multiple security issues were found in Twisted, an event-based frameworkfor internet applications, which could result in incorrect ordering ofHTTP requests or cross-site scripting.For the stable distribution (bookworm), these problems have been fixed inversion 22.4.0-4+deb12u1.We recommend that you upgrade your twisted packages.For the detailed security status of twisted please refer toits security tracker page at:https://security-tracker.debian.org/tracker/twistedFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcb3uEACgkQEMKTtsN8TjZEtw//VpqsmdlkvjKnR1rYRjoopuH1cx5lSdB5u7EoXGiSKTp9Dt5l2Q44fl+Pi2uLjO/IX5ZbtiWDeNvBoFYfaqvHBlv680WiaUnmvTzPuovB2fT5Q7ZOdI7SH5y2yhYpmaapZSb2kRYgcFO38Vi3M1LxU60t7lSXd3F5+6BopPEBRT9q0nwHAPB8NSvhC/VQQa9BejPIggJD1koYxJlQz76VhAi3c7W60ySRk2YKQryYdyZwdpsvrrz0G05nwZO+f6tXVihehGT2rv5OpfwGmcHZ/iwxY/IFpywdkrsnx1mV2NGVZw3t2JQYl7r/Vs3XLg4C3Zx2NLzZgBp007ZG4vz2f4LmEe9M+bYI8NgCAzPRUJg2T4+ZoD09Dmmlk/yo+ihBxSef3H5nDkiO9a4OsEQzk74o1Hlg1ZbiUqk/7BdSar92LszlzuJVXqpAHVtIIlUwkS+L6Z+O2iYhSBUTumrrrbRsdoo00uvHWeGOw1VmRZKYdMpoxX2St60BRUdBZuIHlcw5qoymiIDOI/fgykCtdAbdCWj/GE6AGO4i7scOj8u8deqh/N5kKNzdijjkzmEQvd7e3/VSEVfBc+4CJHUMKVELaNDGflaneWxXpHLmz/pu2hwNoPw2XL9X1bVzvph3A+Yl+oXLZUJkrELuo9Rmnv7qJ9MS9QnOpHyw0KFgEsQ==faBY-----END PGP SIGNATURE-----

Debian Security Advisory 5797-1

Debian Linux Security Advisory 5796-1 - Multiple security issues were found in libheif, a library to parse HEIF and AVIF files, which could result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5796-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 25, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libheifCVE ID         : CVE-2023-29659 CVE-2023-49462 CVE-2024-41311Multiple security issues were found in libheif, a library to parse HEIFand AVIF files, which could result in denial of service or potentiallythe execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 1.15.1-1+deb12u1.We recommend that you upgrade your libheif packages.For the detailed security status of libheif please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libheifFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcb3t8ACgkQEMKTtsN8Tjb/Zg//dGKfFs/w3AIgnaNKk+evGsFtaBdva6K2zkTOhGzVK+RoBCdP8egjfka+WCUYNQKVQr2XOd4ieih5DYg6CS/Tmn32X34sRN8St9UAz+sFXkkUZ9bBxSDS93LP1H+lGLfhqtHUAJv6febY+6RiAmV6vhzMIAuVTJxjdwGFvOFtu0f2aDQKEHTMIhpjpJDDCmjTciGmzjvSOpzVAw07nbeJFzvE/BR+wLg3fRMNG7RmQhZcG9O4B+RCHaJBzNAM1bM3q1OGkH5Ek3/owyIUtYft3iT2uGKZkZUzwJ4ZvOMxX9qyP22Gxl6+yfm5R1qDoXIBJMGVdjPIan3XK1XfKya9cCQkvNb+75W62WatkJw3TcomCFXXzcv2cKDOAbXGmIZHbAW+q6B5QWP86Ui10sBQsXW9lMmQW8mu4h13ZjgFelUsP6b9MWKKMRzFkqSh9me0bIlEvxl29/2HA08XnpV19//6j8PwANsBlGXnnDes0Y4uKrUKA8Q95zNuWG3owahc7z4+6nY92qoh5sswloIy1dXnhg6KYTuYL5JkxheIfOsh0fLG0eNfv5cV9mWKc9/A5BxSdBQz3x5bBNgH4R1L7z6/0+z/jo1Z6L904F4KsUiWnDeYKJNwhY+iOrDh5wDSrDA4+xVBtOo/q+6pR0c91GGoJImo9AEhXRKMGVKjjvw==JcU1-----END PGP SIGNATURE-----

Debian Security Advisory 5796-1

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated building/project name exposure vulnerability.

**ABB Cylon Aspect 3.08.01 getApplicationNamesJS.php Building/Project Name Exposure**

    ABB Cylon Aspect 3.08.01 (getApplicationNamesJS.php) Building/Project Name ExposureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The building management system suffers from an unauthenticated building/projectname exposure.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5850Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5850.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ curl http://192.168.73.31/getApplicationNamesJS.phpvar instanceDirectory=["1":"OOU KrstePMisirkov_Kumanovo"];

ABB Cylon Aspect 3.08.01 getApplicationNamesJS.php Building/Project Name Exposure

Red Hat Security Advisory 2024-8235-03 - Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, and out of bounds write vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8235.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.39 security update  
Advisory ID:        RHSA-2024:8235-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8235  
Issue date:         2024-10-28  
Revision:           03  
CVE Names:          CVE-2023-29401  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.39. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8238

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* glibc: Out of bounds write in iconv may lead to remote code execution  
(CVE-2024-2961)  
* openstack-ironic: Specially crafted image may allow authenticated users  
to gain access to potentially sensitive data (CVE-2024-44082)  
* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize  
filename parameter of Context.FileAttachment function (CVE-2023-29401)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)  
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP)  
(CVE-2023-48795)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29401

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2216957  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2273404  
https://bugzilla.redhat.com/show_bug.cgi?id=2309331  
https://issues.redhat.com/browse/OCPBUGS-25727  
https://issues.redhat.com/browse/OCPBUGS-32266  
https://issues.redhat.com/browse/OCPBUGS-37353  
https://issues.redhat.com/browse/OCPBUGS-37552  
https://issues.redhat.com/browse/OCPBUGS-39019  
https://issues.redhat.com/browse/OCPBUGS-41246  
https://issues.redhat.com/browse/OCPBUGS-41836  
https://issues.redhat.com/browse/OCPBUGS-41918  
https://issues.redhat.com/browse/OCPBUGS-42517  
https://issues.redhat.com/browse/OCPBUGS-42518  
https://issues.redhat.com/browse/OCPBUGS-42533  
https://issues.redhat.com/browse/OCPBUGS-42567  
https://issues.redhat.com/browse/OCPBUGS-42603  
https://issues.redhat.com/browse/OCPBUGS-42757  
https://issues.redhat.com/browse/OCPBUGS-42828  
https://issues.redhat.com/browse/OCPBUGS-42986

Red Hat Security Advisory 2024-8235-03

A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense.
Google's Threat Analysis Group (TAG) and Mandiant are tracking the activity under the name UNC5812. The threat group, which operates a Telegram channel named civildefense_com_ua, was created on

Cyber Espionage / Android

A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense.

Google's Threat Analysis Group (TAG) and Mandiant are tracking the activity under the name **UNC5812**. The threat group, which operates a Telegram channel named civildefense\_com\_ua, was created on September 10, 2024. As of writing, the channel has 184 subscribers. It also maintains a website at civildefense.com\[.\]ua that was registered on April 24, 2024.

"'Civil Defense' claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters," the company said in a report shared with The Hacker News.

Should these programs be installed on Android devices that have Google Play Protect disabled, they are engineered to deploy an operating system-specific commodity malware along with a decoy mapping application dubbed SUNSPINNER.

UNC5812 is also said to be actively engaged in influence operations, disseminating narratives and soliciting content intended to undermine support for Ukraine's mobilization and military recruitment efforts.

"UNC5812's campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine," Google Threat Intelligence Group said.

Civil Defense, which has had its Telegram channel and website promoted by other legitimate, established Ukrainian-language Telegram channels, aims to direct victims to its website from where malicious software is downloaded depending on the operating system.

For Windows users, the ZIP archive leads to the deployment of a newly discovered PHP-based malware loader named Pronsis that's used to distribute SUNSPINNER and an off-the-shelf stealer malware known as PureStealer that's advertised for anywhere between $150 for a monthly subscription to $699 for a lifetime license.

SUNSPINNER, for its part, displays to users a map that renders purported locations of Ukrainian military recruits from an actor-controlled command-and-control (C2) server.

For those who are navigating to the website from Android devices, the attack chain deploys a malicious APK file (package name: "com.http.masters") that embeds a remote access trojan referred to as CraxsRAT.

The website also includes instructions that guide victims on how to disable Google Play Protect and grant it all the requested permissions, allowing the malware to function unimpeded.

CraxsRAT is a notorious Android malware family that comes with capabilities for remote device control and advanced spyware functions such as keylogging, gesture manipulation, and recording of cameras, screens, and calls.

After the malware was publicly exposed by Cyfirma in late August 2023, EVLF, the threat actor behind the project, decided to cease activity, but not before selling their Telegram channel to a Chinese-speaking threat actor.

As of May 2024, EVLF is said to have stopped development on the malware due to scammers and cracked versions, but said they are working on a new web-based version that can be accessed from any machine.

"While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis," Google said.

"The website's FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to 'protect the anonymity and security' of its users, and directing them to a set of accompanying video instructions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Espionage Group Targets Ukrainian Military with Malware via Telegram

Relying on EOL software leaves critical systems exposed — making it a problem no business can afford to ignore.

Jason Meller, Vice President of Product, 1Password

October 28, 2024

5 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

When you've bought a haunted house, the worst thing you can do is decide to just live with it. Yet in every horror movie, there's always that one person — usually the father — who doesn't want to leave. Plates are flying off the shelves, blood is erupting from the sink, and Dad is ignoring all of it while pruning the ficus in the living room. 

Dad doesn't last long in those movies, and it's because he's ignoring one universal truth: Denying that a threat is real won't protect you from it. 

You'd think security-minded organizations would have learned that lesson by now. Unfortunately, many are just like Dad, resigned to an IT infrastructure that's lousy with ghosts. 

Here's one ghost we can vanquish right now: obsolete software. End-of-life (EOL) software is surprisingly common; nearly two-thirds of companies still rely on applications that no longer receive security updates from their vendors. This leaves critical systems exposed, making it a problem no business can afford to ignore. 

**The Terrors of EOL**

So, if EOL software is so scary, why is it so pervasive? Before we start berating companies — like a horror movie audience yelling at the characters onscreen to make better choices — let's try and understand what makes obsolete software so challenging to manage.  

**Cost**

Budget is undoubtedly the biggest reason companies use unsupported legacy applications. Sometimes, this is understandable — for instance, plenty of healthcare providers simply can't afford to replace their very expensive and specialized legacy tools. 

But let's be honest: A lot of companies just don't want to pony up the cash needed to maintain their tech stack properly. Updating or replacing software can be costly and disruptive. Who wants to take on that challenge, especially when the danger of inaction seems hypothetical?  

But this logic is (fatally) flawed. Any money you save by clinging to EOL software will be swallowed by the inevitable cost of a data breach. And that cost is likely to be higher if you're running outdated software, with no support to get your compromised systems back online.  

**Shadow IT**

EOL software has such a long afterlife that admins frequently aren't aware of it.  

Occasionally, vendors fail to adequately communicate when software is no longer supported ("Why … that program's been dead for over 40 years."). And sometimes, EOL software takes the form of shadow IT.  

Our 2023 study showed that 47% of companies allow employees to access resources from unmanaged devices. That means any individual user could have EOL (or simply unpatched) software on their device, and admins would have no way of knowing.  

**Put EOL Software to Rest**

Hopefully, by now, you're convinced that EOL software is a problem and you're sharpening stakes and smelting silver bullets.  

But while it's straightforward enough to update the legacy systems you know about, what are you supposed to do about all the EOL software you don't know about? How do you fight what you can't see? 

**Monitor EOL Status**

Start with a complete audit of all the work-related software in your organization. That includes not just the company-wide, big-ticket items but every end user's device (even BYOD). If you find a user still running, say, Big Sur, stop them from accessing company resources until they update to a supported version.  

Manually, keeping up with EOL dates is a tall order. But there are tools, like this API from endoflife.date, that can alert you when software becomes obsolete. A purpose-built agent like osquery can help discover the presence of installed EOL software across your fleet. 

From there, you need to establish ownership of EOL remediation so it's not just a game of whack-a-mole for the security team. Instead, make it a part of your existing patch management and compliance strategy and check in regularly. 

**Banish EOL Software From Your Systems**

Anyone dreading the approach of Windows 10 EOL in 2025 knows that these transitions require a lot of care and planning, and you can expect resistance from leadership and end users alike.  

The only way to overcome the fears around EOL software is to face them through clear communication. That starts by getting leadership buy-in and extends to communicating with end users when you find EOL shadow IT. Once you've set a policy, use a device trust solution to block devices running EOL software. But use blocking as a chance to explain the dangers of this software. Then, instruct users on how to fix the problem themselves. 

Everyone knows that in horror movies "Let's split up, gang!" is a recipe for disaster. When you're fighting to clear up a companywide problem, you need collaboration at a companywide level. So when you start diving into the scary world of EOL software, my advice is: Don't go it alone. 

**About the Author**

Vice President of Product, 1Password

Jason Meller is a Vice President of Product at 1Password and the founder of Kolide. He is the author of "honest.security" and has spent his career building tools and products that turn everyday people into the greatest resource available to security teams to solve the industry's most nuanced problems. Jason began his security and product career at GE's elite computer incident response team defending the organization from state-sponsored targeted attacks. From there, he moved to Mandiant, quickly working his way up from an entry-level analyst position to becoming the Chief Security Strategist in 2015. He later founded and served as the CEO of Kolide, a successful VC-backed authentication security company, until its acquisition by 1Password in 2024.

Put End-of-Life Software to Rest

The building management system suffers from an unauthenticated building/project name exposure.

ABB Cylon Aspect 3.08.01 (getApplicationNamesJS.php) Building/Project Name Exposure

Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.
The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers

Malware / Threat Intelligence

Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.

The Datadog Security Research team is monitoring the activity under the name **Tenacious Pungsan**, which is also known by the monikers CL-STA-0240 and Famous Chollima.

The names of the malicious packages, which are no longer available for download from the package registry, are listed below -

*   passports-js, a backdoored copy of the passport (118 downloads)
*   bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
*   blockscan-api, a backdoored copy of etherscan-api (124 downloads)

Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious packages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.

This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.

The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One aspect that's common to the two sets of packages is the continued effort on the part of the threat actors to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.

Then last month, Stacklok said it detected a new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – that are designed to harvest cryptocurrencies and establish persistent access to compromised developer machines.

Palo Alto Networks Unit 42 told The Hacker News earlier this month the campaign has proven to be an effective way to distribute malware by exploiting a job seeker's trust and urgency when applying for opportunities online.

The findings highlight how threat actors are increasingly misusing the open-source software supply chain as an attack vector to infect downstream targets.

"Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem," Datadog said. "These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.

Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.

While state-backed actors were emboldened following Russia's meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.

The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED's requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.

“Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure."

According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.

In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn't inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.

The report cites an incident from March, for example, in which an unnamed US county “experienced a ransomware attack that forced it to purchase new network devices and reconnect to the state-level election system.” If such an attack occurred on or around Election Day, it could meaningfully disrupt voting.

More broadly, domestic security concerns in connection with the 2024 election have skyrocketed, fostering what DHS calls a “heightened threat environment.” Reporting by WIRED this month revealed that the agency has been issuing warnings to law enforcement across the US since summer, alarmed by the efforts of some extremists to mobilize and commit actual violence against elected officials, while targeting US voter ballots for destruction.

Other warnings show that concern is mounting over propaganda calling for Americans to engage in “civil war,” a narrative that DHS fears is raising the risk of domestic attacks. Threats tied to what the government calls “immigration-related grievances”—including the false narrative of “migrant invasion,” which is core to Donald Trump’s reelection efforts—have escalated this year, while expanding to ensnare federal judges and US border patrol officers deemed “traitors” among some antigovernment groups.

“Targeted violence and terrorism associated with ideologically motivated individuals will continue to be a threat through the 2024 election cycle,” says another intelligence report also obtained by WIRED. It warns, meanwhile, that “insider threats” affiliated with US election systems will “likely be an issue.”

Latest News