The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.

CVE-2021-24434

The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.

CVE-2021-24581

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack.

CVE-2022-3894

The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta,  pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete user, term, and post meta belonging to arbitrary users.

CVE-2023-5426

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments.

The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ’s announcement of the charges describes the group as “Russia-based,” and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US.

Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also makes a rarer claim—it describes how a second variant of the malware it says was used in espionage against military, government, and NGO targets. “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli wrote in a statement.

Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an “affiliate” model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike.

At one point in 2021, according to Crowdstrike, Danabot was used in a software supply-chain attack that hid the malware in a javascript coding tool called NPM with millions of weekly downloads. Crowdstrike found victims of that compromised tool across the financial service, transportation, technology, and media industries.

That scale and the wide variety of its criminal uses made DanaBot “a juggernaut of the e-crime landscape,” according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint.

More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity.

Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine.

All of that makes DanaBot a particularly clear example of how cybercriminal malware has allegedly been adopted by Russian state hackers, Proofpoint's Larson says. “There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,” says Larson. The case of DanaBot, she says, “is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.”

In the criminal complaint, DCIS investigator Elliott Peterson—a former FBI agent known for his work on the investigation into the creators of the Mirai botnet—alleges that some members of the DanaBot operation were identified after they infected their own computers with the malware. Those infections may have been for the purposes of testing the trojan, or may have been accidental, according to Peterson. Either way, they resulted in identifying information about the alleged hackers ending up on DanaBot infrastructure that DCIS later seized. “The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on DanaBot servers, including data that helped identify members of the DanaBot organization,” Peterson writes.

The operators of DanaBot remain at large, but the takedown of a large-scale tool in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at Crowdstrike.

“Every time you disrupt a multiyear operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,” Meyers says. “But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.”

Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.

**Related Articles**

Product Affected

Pulse Connect Secure

Problem

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment.

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.

The table below provides details of the vulnerability:

**CVE**

**CVSS Score (V3.1)**

**Summary**

**Product Affected**

CVE-2021-22893

10 Critical  
3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Multiple use after free in Pulse Connect Secure before 9.1R11.4 allows a remote unauthenticated attacker to execute arbitrary code via license services.

  
PCS 9.0R3/9.1R1 and Higher  
 

CVE-2021-22894

9.9 Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows a remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.

PCS:  
9.1Rx  
9.0Rx

CVE-2021-22899

9.9 Critical CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Command Injection in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated users to perform remote code execution via Windows File Resource Profiles.

PCS:  
9.1Rx  
9.0Rx

CVE-2021-22900

7.2 High  
3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

PCS:  
9.1Rx  
9.0Rx

Solution

**The solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.4.** 

**IMPORTANT NOTE:**  The latest Integrity Checker Utility found here must be run PRIOR to upgrading your PCS appliance to ensure your appliance has not been impacted.     

If the PCS version is installed:

Then deploy this version (or later) to resolve the issue:

Expected Release

Notes (if any)

Pulse Connect Secure 9.0RX & 9.1RX

Pulse Connect Secure 9.1R11.4

Available Now

**Known cert issue for browser clients if upgrading from any version below 9.1R8.  See** **KB44781**

_Document History:_  
April 20, 2021 - Initial advisory posted and workaround files posted under Download Centre.  
May 3, 2021 - Added 3 (CVE-2021-22894, CVE-2021-22899, CVE-2021-22900) additional CVE's and software posted to the Download Centre.  
May 25, 2021 - Highlighted upgrade process including running the Integrity Checker Utility prior to upgrade.

**LEGAL DISCLAIMER**

*   THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HERE FROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
*   A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.

Workaround

**CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 can be mitigated by importing the Workaround-2104.xml file.**

**Impact:** XML File disables the following features under PCS appliance.

*   Windows File Share Browser
*   Pulse Secure Collaboration

We are using the blacklisting feature to disable the URL-Based Attack.

**Download**

Download (Download Center at https://my.pulsesecure.net)

**Note:**

*   XML file is the zipped format, please unzip and then import the XML file.
*   Import of this XML into any one node of a Cluster is enough.

Customers can download and import the file under the following location:  
Go to Maintenance > Import/Export > Import XML. Import the file. 

*   This disables the Pulse Collaboration & Windows File Share browser functionality.
*   If there is a load balancer in front of the PCS, this may affect the Load Balancer.
    *   If your load balancer is using round-robin or using HealthCheck.cgi or advanced healthcheck.cgi, it will not be affected.

Disable the Windows File Browser and Pulse Collaboration on the Admin UI following the steps below,

*   Navigate to User > User Role > Click Default Option >> Click on General 
*   Under the Access Feature, make sure the "Files, Window" & "Meetings" options are not checked.
*   Go to Users > User Roles
*   Click on each role in turn and ensure under the Access Feature of each role, the **File, Windows** & **Meetings** options are not enabled.

There is no need to reboot or restart services under the Pulse Secure Appliance.

The URIs are as follows in case you want to block them at your network edge using an inline load balancer doing SSL decryption:

^/+dana/+meeting  
^/+dana/+fb/+smb  
^/+dana-cached/+fb/+smb  
^/+dana-ws/+namedusers  
^/+dana-ws/+metric

This is only possible if there is an inline load balancer that does SSL decryption.  

**NOTE:** When you apply the 9.1R11.4 release fix, please remove the workaround with the following steps:

*   Importing the attached file remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml Download (Download Center at https://my.pulsesecure.net))
*   Restore the previous settings for "Files, Windows" & "Meetings".

**Limitations:**

*   Workaround-2014.xml does not work 9.0R1 - 9.0R4.1 or 9.1R1-9.1R2. If your PCS is running one of these versions, upgrade before doing the import.
*   The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions. 

Implementation

**Frequently Asked Questions (FAQ):**

**Question 1: Why do I need to run the latest version of the Integrity Checker Tool prior to upgrading to the latest PCS release?**  
Answer: Running the Integrity Checker Tool against unsupported PCS versions will not return scan results. Please see the ICT KB for details on the expected output.  To validate the supported versions of the Integrity Checker Tool against the supported PCS versions please visit KB44755 - Pulse Connect Secure (PCS) Integrity Assurance

**Question 1: What if I upgraded to 9.1r11.4 without running, or ran an unsupported version, of the Integrity Checker Tool?**  
Answer: Pulse Secure recommends rolling back to the previous version using the administrator console to run the latest version of Integrity Checker Tool given the nature of the threat actors ability to allow persistency throughout upgrade.  

1.  Take system offline 
    

2.  Roll back to previous version 
    

3.  Run ICT on previous version 
    

4.  If clean, then upgrade again 
    

5.  If file additions/mismatches are found follow the mitigation steps mentioned here:  KB44764 - Customer FAQ: PCS Security Integrity Tool Enhancements
    

NOTE: Only one rollback version is stored in the rollback partition.  I.E. if you upgraded from 9.1r11 to 9.1r11.3 then to 9.1r11.4 you will only be able to rollback to 9.1r11.3.    

**Question 3: I've already applied the XML do I need to install 9.1R11.4?**  
Answer: If you are on 9.1R9 or above and have applied the XML we are still recommending moving to 9.1R11.4 to fully patch against the latest vulnerabilities. 

If you are running any version below 9.1R9 even with the applied XML you are susceptible to old vulnerabilities so we highly recommend upgrading to 9.1R9 or R10 code branches with the applied XML or 9.1R11.4.

**Question 4: Will the device reboot after importing the XML File?**  
Answer: No, the Workaround-2104.xml file does not reboot or restart services under the Pulse Secure Appliance.

**Question 5: We are using A/A or A/P Cluster, do we need to import the XML file individually on each node?**  
**Answer:** No, we need to import Workaround-2104.xml under one node, the cluster will sync the configuration between nodes.

**Question 6:** ****How do I **upgrade Pulse Connect Secure** to resolve this vulnerability?****  
Answer:  Download a fixed version of the Pulse Connect Secure available from the Licensing & Download Center at https://my.pulsesecure.net.  For upgrade documentation, please refer to:

*   Upgrade PCS Cluster
*   Upgrade PCS Standalone Device

**Question 7:  I do not have access to my.pulsesecure.net to download the recommended PCS version?**  
Answer: Please refer KB40031 to Onboarding at my.pulsesecure.net. If you face any issues, please contact Pulse Secure Global Support Center.

**Question 8:  How we can restore File Share & Meeting functionality post-upgrade to the 9.1R11.4 PCS version?**  
Answer: Post upgrade to PCS 9.1R11.4, Please import the remove-workaround-2104.xml to restore the settings.

*   Download the remove-workaround-2104.xml (found in the same download location as the Workaround-2104.xml Download (Download Center at https://my.pulsesecure.net))
    *   \# Once redirected to my.pulsesecure.net  
        \# Login to my.pulsesecure.net  
        \# Click Software Licensing and Download  
        \# Select Pulse License and Download Center  
        \# Software Download (LEFT)  
        \# Select the Product Line and Product Type as Pulse Connect Secure >>  
        \# Click on Download for "Pulse Connect Secure SA44784 Workaround XML"  
        \# Accept to compliance and Agreement  
        \# Select View detail under "ps-pcs-sa-44784-remove-workaround-2104.xml.zip"  
        \# Scroll down and click on Download.
*   Go to Maintenance > Import/Export > Import XML. Import the **remove-workaround-2104.xml.**
*   It will restore **Pulse Collaboration** & **Windows File Share** browser functionality.

CVSS Score

10 Critical 3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Alert Type

SA - Security Advisory

CVE-2021-22894: Public KB - SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

CVE-2021-22893: Public KB - SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4

In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package.

Thursday, March 21, 2024 14:00

Whether you want to call them “catfishing,” “pig butchering” or just good ‘old-fashioned “social engineering,” romance scams have been around forever.  

I was first introduced to them through the MTV show “Catfish,” but recently they seem to be making headlines as the term “pig butchering” enters the public lexicon. John Oliver recently covered it on “Last Week Tonight,” which means everyone my age with an HBO account heard about it a few weeks ago. And one of my favorite podcasts going, “Search Engine,” just covered it in an episode. 

The concept of “pig butchering” scams generally follows the same chain of events: 

*   An unknown phone number texts or messages a target with a generally harmless message, usually asking for a random name disguised as an “Oops, wrong number!” text. 
*   When the target responds, the actor tries to strike up a conversation with a friendly demeanor. 
*   If the conversation persists, they usually evolve into “love bombing,” including compliments, friendly advice, ego-boosting, and saying flattering things about any photos the target has sent. 
*   Sometimes, the relationship may turn romantic. 
*   The scammer eventually “butchers” the “pig” that has been “fattened up” to that point, scamming them into handing over money, usually in the form of a phony cryptocurrency app, or just straight up asking for the target to send the scammer money somehow. 

There are a few twists and turns along the way based on the exact scammer, but that’s generally how it works. What I think is important to remember is that this specific method of separating users from their money is not actually new.  

The FBI seems to release a renewed warning about romance scams every Valentine’s Day when people are more likely to fall for a stranger online wanting to make a real connection and then eventually asking for money. I even found a podcast from the FBI in 2015 in which they warned that scammers “promise love, romance, to entice their victims online,” estimating that romance-related scams cost consumers $82 million in the last half of 2014.  

The main difference that I can tell between “pig butchering” and past romance scams is the sheer scale. Many actors running these operations are relying on human trafficking and sometimes literal imprisonment, forcing these people against their will to send these mass blocks of messages to a variety of targets indiscriminately. Oftentimes in these groups, scammers who are less “successful” in luring victims can be verbally and physically harassed and punished. That is, of course, a horrible human toll that these operations are taking, but they also extend far beyond the world of cybersecurity. 

In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. Instead, it relies on user education and the involvement of law enforcement agencies and international governments to ensure these farms can’t operate in the shows. The founders who run them are brought to justice. 

It’s never a bad thing that users become more educated on these scams, because of that, but I also feel it’s important to remember that romance-related scams, and really any social engineering built on a personal “relationship,” has been around for years, and “pig butchering” is not something new that just started popping up. 

These types of scams are ones that our culture has kind of just accepted as part of daily life at this point (who doesn’t get surprised when they get a call about their “car’s extended warranty?), and now the infrastructure to support these scams is taking a larger human toll than ever. 

**The one big thing **

Talos has yet another round of research into the Turla APT, and now we’re able to see the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclsions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service. 

**Why do I care? **

Turla, and this recently discovered TinyTurlaNG tool that Talos has been writing about, is an international threat that’s been around for years, so it’s always important for the entire security community to know what they’re up to. Most recently, Turla used these tactics to target Polish non-governmental organizations (NGOs) and steal sensitive data.  

**So now what? **

During Talos’ research into TinyTurla-NG, we’ve released several new rounds of detection content for Cisco Secure products. Read our past two blog posts on this actor for more.  

**Top security headlines of the week **

**The Biden administration issued a renewed warning to public water systems and operators this week,** saying state-sponsored actors could carry out cyber attacks soon, citing ongoing threats from Iran and China. The White House and U.S. Environmental Protection Agency sent a letter to every U.S. governor this week warning them that cyber attacks could disrupt access to clean drinking water and “impose significant costs on affected communities.” The letter also points to the U.S. Cyber and Infrastructure Security Agency’s list of known exploited vulnerabilities catalog, asking the managers of public water systems to ensure their systems are patched against these vulnerabilities. The EPA pointed to Volt Typhoon, a recently discovered Chinese APT that has reportedly been hiding on critical infrastructure networks for an extended period. A meeting among federal government leaders from the EPA and other related agencies is scheduled for March 21 to discuss threats to public water systems and how they can strengthen their cybersecurity posture. (Bloomberg, The Verge) 

**UnitedHealth says it's still recovering from a cyber attack that’s halted crucial payments to health care providers across the U.S.,** but has started releasing some of those funds this week, and expects its payment processing software to be back online soon. The cyber attack, first disclosed in February, targeted Change Healthcare, a subsidiary of United, that handles payment processing and pharmaceutical orders for hospital chains and doctors offices. UnitedHealth’s CEO said in a statement this week that the company has paid $2 billion to affected providers who spent nearly a month unable to obtain those funds or needing to switch to a paper billing system. A recently published survey from the American Hospital Association found that 94 percent of hospitals that responded experienced financial disruptions from the Change Healthcare attack, and costs at one point were hitting $1 million in revenue per day. (ABC News, CNBC) 

**Nevada’s state court system is currently weighing a case that could undo end-to-end encryption across the U.S.** The state’s Attorney General is currently suing Meta, the creators of Facebook, Instagram and WhatsApp, asking the company to remove end-to-end encryption for minors on the platform, with the promise of being able to catch and charge users who abuse the platform to lure minors. However, privacy advocates are concerned that any rulings against Meta and its encryption policies could have larger ripple effects, and embolden others to challenge encryption in other states. Nevada is arguing that Meta’s Messenger a “preferred method” for individuals targeting Nevada children for illicit activities. Privacy experts are in favor of end-to-end encryption because it safeguards messages during transmission and makes it more difficult for other parties to intercept and read them — including law enforcement agencies. (Tech Policy Press, Bloomberg Law) 

**Can’t get enough Talos? **

*   The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions 
*   Cisco Closes $28B Splunk Deal: 5 Big AI, Security And Partner Things To Know 
*   Talos Takes Ep. #176: Why no one should be relying on passive security in 2024 
*   Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word 
*   Netgear wireless router open to code execution after buffer overflow vulnerability 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86   
**Typical Filename:** endpoint.query   
**Claimed Product:** Endpoint-Collector   
**Detection Name:** W32.File.MalParent 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc

“Pig butchering” is an evolution of a social engineering tactic we’ve seen for years

JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.

****How to fix******Cloud Environments**

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

**Self Hosted Environments**

**To fix this issue, there is required action**.  
  
Upgrade your version of Artifactory or Edge to one of the versions listed below:

****Workarounds and Mitigations****

You can mitigate the impact of this issue by following best practices and disabling anonymous access to the JFrog Platform. Please review the best practices for disabling anonymous access in the JFrog knowledge base.  

Anonymous Access is disabled by default for new Artifactory and Edge installations starting from versions 6.12.0 and 7.0.0.

****Exploitation Status****

JFrog is not aware of publicly available exploits and malicious exploitation attempts.

****Weakness Type****

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

****Acknowledgements****

This issue was discovered and reported by a JFrog customer.

****We Are Here For Your Questions (JFrog Support Team)****

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.

*   No labels

CVE-2021-3860: CVE-2021-3860: Artifactory Low Privileged Blind SQL Injection - JFrog

Product: AndroidVersions: Android SoCAndroid ID: A-277775870

_Published June 5, 2023 | Updated June 7, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-06-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-06-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-06-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21127

A-275418191

RCE

Critical

11, 12, 12L, 13

CVE-2023-21126

A-271846393 \[2\] \[3\]

EoP

High

13

CVE-2023-21128

A-272042183

EoP

High

11, 12, 12L, 13

CVE-2023-21129

A-274759612 \[2\]

EoP

High

11, 12, 12L, 13

CVE-2023-21131

A-265015796

EoP

High

11, 12, 12L, 13

CVE-2023-21139

A-271845008 \[2\] \[3\]

EoP

High

13

CVE-2023-21105

A-261036568

ID

High

11, 12, 12L, 13

CVE-2023-21136

A-246542285

DoS

High

11, 12, 12L, 13

CVE-2023-21137

A-246541702

DoS

High

11, 12, 12L, 13

CVE-2023-21143

A-268193777

DoS

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21108

A-239414876

RCE

Critical

11, 12, 12L, 13

CVE-2023-21130

A-273502002

RCE

Critical

13

CVE-2023-21115

A-258834033

EoP

High

11, 12, 12L

CVE-2023-21121

A-205460459

EoP

High

11, 12

CVE-2023-21122

A-270050191

EoP

High

11, 12, 12L, 13

CVE-2023-21123

A-270050064

EoP

High

11, 12, 12L, 13

CVE-2023-21124

A-265798353 \[2\] \[3\] \[4\]

EoP

High

11, 12, 12L, 13

CVE-2023-21135

A-260570119 \[2\]

EoP

High

11, 12, 12L, 13

CVE-2023-21138

A-273260090

EoP

High

11, 12, 12L, 13

CVE-2023-21095

A-242704576

ID

High

12L, 13

CVE-2023-21141

A-262244249

ID

High

11, 12, 12L, 13

CVE-2023-21142

A-262243665

ID

High

11, 12, 12L, 13

CVE-2023-21144

A-252766417

DoS

High

11, 12, 12L, 13

**2023-06-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-06-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

    

CVE

References

Severity

Subcomponent

CVE-2022-22706  

A-225040268 \*

High

Mali

CVE-2022-28349  

A-278616909 \*

High

Mali

CVE-2022-46781  

A-267242697 \*

High

Mali

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

    

CVE

References

Severity

Subcomponent

CVE-2021-0701  

A-277775870 \*

High

PowerVR-GPU

CVE-2021-0945  

A-278156680 \*

High

PowerVR-GPU

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-48390  

A-278796976  
U-2055602 \*

High

Android

CVE-2022-48392  

A-278775990  
U-2193456 \*  
U-2056224 \*

High

Android

CVE-2022-48438  

A-278801630  
U-2179935 \*

High

Kernel/Android

CVE-2022-48391  

A-278775987  
U-2055602 \*

High

Android

**Widevine DRM**

These vulnerabilities affect Widevine DRM components and further details are available directly from Widevine DRM. The severity assessment of these issues is provided directly by Widevine DRM.

    

CVE

References

Severity

Subcomponent

CVE-2023-21101  

A-258189255 \*

High

widevine

CVE-2023-21120  

A-258188673 \*

High

Hardware DRM

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33292  

A-250627197  
QC-CR#3152855

High

Kernel

CVE-2023-21656  

A-271879673  
QC-CR#3346781

High

WLAN

CVE-2023-21657  

A-271880369  
QC-CR#3344305

High

Audio

CVE-2023-21669  

A-271892276  
QC-CR#3346764

High

WLAN

CVE-2023-21670  

A-276750663  
QC-CR#3425942 \[2\] \[3\]

High

Display

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33257  

A-245402340 \*

Critical

Closed-source component

CVE-2022-40529  

A-261470065 \*

Critical

Closed-source component

CVE-2022-22060  

A-261470067 \*

High

Closed-source component

CVE-2022-33251  

A-245403689 \*

High

Closed-source component

CVE-2022-33264  

A-245611823 \*

High

Closed-source component

CVE-2022-40516  

A-261468731 \*

High

Closed-source component

CVE-2022-40517  

A-261470729 \*

High

Closed-source component

CVE-2022-40520  

A-261468681 \*

High

Closed-source component

CVE-2022-40521  

A-261471027 \*

High

Closed-source component

CVE-2022-40523  

A-261468047 \*

High

Closed-source component

CVE-2022-40533  

A-261470447 \*

High

Closed-source component

CVE-2022-40536  

A-261468732 \*

High

Closed-source component

CVE-2022-40538  

A-261468697 \*

High

Closed-source component

CVE-2023-21628  

A-268059669 \*

High

Closed-source component

CVE-2023-21658  

A-271879161 \*

High

Closed-source component

CVE-2023-21659  

A-271879660 \*

High

Closed-source component

CVE-2023-21661  

A-271880271 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-06-01 or later address all issues associated with the 2023-06-01 security patch level.
*   Security patch levels of 2023-06-05 or later address all issues associated with the 2023-06-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-06-01\]
*   \[ro.build.version.security\_patch\]:\[2023-06-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-06-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-06-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-06-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

June 5, 2023

Bulletin Published

1.1

June 7, 2023

Bulletin revised to include AOSP links

Search

lenovo warranty check/lookup | check warranty status | lenovo support us