Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control.
"Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control.

"Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is not the case, and the attacker only seems to be capitalizing on LockBit's notoriety to further tighten the noose on their victims."

The ransomware artifacts have been found to embed hard-coded Amazon Web Services (AWS) credentials to facilitate data exfiltration to the cloud, a sign that adversaries are increasingly weaponizing popular cloud service providers for malicious schemes.

The AWS account used in the campaign is presumed to be either their own or compromised. Following responsible disclosure to the AWS security team, the identified AWS access keys and accounts have been suspended.

Trend Micro said it detected more than 30 samples with the AWS Access Key IDs and the Secret Access Keys embedded, signaling active development. The ransomware is capable of targeting both Windows and macOS systems.

It's not exactly known how the cross-platform ransomware is delivered to a target host, but once it's executed, it obtains the machine's universal unique identifier (UUID) and carries out a series of steps to generate the master key required for encrypting the files.

The initialization step is followed by the attacker enumerating the root directories and encrypting files matching a specified list of extensions, but not before exfiltrating them to AWS via S3 Transfer Acceleration (S3TA) for faster data transfer.

"After the encryption, the file is renamed according to the following format: <original file name>.<initialization vector>.abcd," the researchers said. "For instance, the file text.txt was renamed to text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd."

In the final stage, the ransomware changes the device's wallpaper to display an image that mentions LockBit 2.0 in a likely attempt to compel victims into paying up.

"Threat actors might also disguise their ransomware sample as another more publicly known variant, and it is not difficult to see why: the infamy of high-profile ransomware attacks further pressures victims into doing the attacker's bidding," the researchers said.

The development comes as Gen Digital released a decryptor for a Mallox ransomware variant that was spotted in the wild from January 2023 through February 2024 by taking advantage of a flaw in the cryptographic schema.

"Victims of the ransomware may be able to restore their files for free if they were attacked by this particular Mallox variant," researcher Ladislav Zezula said. "The crypto-flaw was fixed around March 2024, so it is no longer possible to decrypt data encrypted by the later versions of Mallox ransomware."

It should be mentioned that an affiliate of the Mallox operation, also known as TargetCompany, has been discovered using a slightly modified version of the Kryptina ransomware – codenamed Mallox v1.0 – to breach Linux systems.

"The Kryptina-derived variants of Mallox are affiliate-specific and separate from other Linux variants of Mallox that have since emerged, an indication of how the ransomware landscape has evolved into a complex menagerie of cross-pollinated toolsets and non-linear codebases," SentinelOne researcher Jim Walter noted late last month.

Ransomware continues to be a major threat, with 1,255 attacks claimed in the third quarter of 2024, down from 1,325 in the previous quarter, according to Symantec's analysis of data pulled from ransomware leak sites.

Microsoft, in its Digital Defense Report for the one-year period from June 2023 to June 2024, said it observed a 2.75x increase year-over-year in human-operated ransomware-linked encounters, while the percentage of attacks reaching the actual encryption phase has decreased over the past two years by threefold.

Some of the major beneficiaries of LockBit's decline following an international law enforcement operation targeting its infrastructure in February 2024 have been RansomHub, Qilin (aka Agenda), and Akira, the last of which has shifted back to double extortion tactics after briefly flirting with data exfiltration and extortion attacks alone in early 2024.

"During this period, we began to see Akira ransomware-as-a-service (RaaS) operators developing a Rust variant of their ESXi encryptor, iteratively building on the payload's functions while moving away from C++ and experimenting with different programming techniques," Talos said.

Attacks involving Akira have also leveraged compromised VPN credentials and newly disclosed security flaws to infiltrate networks, as well as escalate privileges and move laterally within compromised environments as part of efforts designed to establish a deeper foothold.

Some of the vulnerabilities exploited by Akira affiliates are listed below -

*   CVE-2020-3259
*   CVE-2023-20263
*   CVE-2023-20269
*   CVE-2023-27532
*   CVE-2023-48788
*   CVE-2024-37085
*   CVE-2024-40711, and
*   CVE-2024-40766

"Throughout 2024, Akira has targeted a significant number of victims, with a clear preference for organizations in the manufacturing and professional, scientific, and technical services sectors," Talos researchers James Nutland and Michael Szeliga said.

"Akira may be transitioning from the use of the Rust-based Akira v2 variant and returning to previous TTPs using Windows and Linux encryptors written in C++."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

PRESS RELEASE

Kuala Lumpur, Malaysia – 22 Oct. 2024 –  SoftwareOne Holding AG, a leading global software and cloud solutions provider, has launched a SoftwareOne Cloud Competency Centre in collaboration with Amazon Web Services (AWS) in Kuala Lumpur, Malaysia. 

Serving businesses across Southeast Asia, this new centre will provide clients with local expertise and support in AWS cloud services, including generative artificial intelligence (AI) tools Amazon Bedrock, a fully managed service that provides a single API to access and utilise high-performing foundation model from leading AI companies, and Amazon Q, a generative AI-powered assistant for business and developers, to drive digital transformation. By establishing the SoftwareOne Cloud Competency Centre in Malaysia, SoftwareOne further expands its global delivery network across fast-growing technology markets to help local businesses innovate with the latest technology advancements. The SoftwareOne Cloud Competency Centre opening follows AWS’s own recent announcement of cloud infrastructure expansion in Malaysia.  

"As an AWS Premier Tier Services Partner, we are thrilled to continue our collaboration with AWS through the opening of our new SoftwareOne Cloud Competency Centre in Malaysia,” said David Tan, Regional Services Leader, APAC at SoftwareOne. "This is strategically aligned with AWS's commitment to Asia and will make SoftwareOne’s global expertise and resources readily accessible to local clients. Businesses of all types will be able to accelerate their digital journeys more efficiently, benefiting from on-the-ground support in cloud migration, application modernisation, end-user computing, and FinOps.” 

“AWS is committed to enabling global organisations across industries with the world’s most comprehensive and broadly adopted cloud, and AI technologies to innovate, scale, and achieve their business and digital transformation objectives with efficiency and resilience. The recent launch of our AWS Region in Malaysia deepens that resolve,” said Peter Murray, Country Manager, AWS Malaysia. “As a Premier Tier AWS Partner, SoftwareOne is well-positioned to help businesses adopt and optimise their AWS use. Establishing the SoftwareOne Cloud Competency Centre in Malaysia aligns our goals of expanding cloud accessibility and compliance capabilities locally for customers.” 

The SoftwareOne Cloud Competency Centre experts will guide clients in implementing the SoftwareOne Landing Zone for AWS, a comprehensive pre-configured and automated framework that provides a foundation for building a secure, multi-account AWS environment. Featuring cloud infrastructure, policies, and guardrails, including centrally managed services, it is designed to help organisations quickly set up a secure and scalable environment with a consistent set of AWS best practices.  

Leveraging industry-leading infrastructure as code tool Terraform, SoftwareOne’s Landing Zone for AWS gets clients up and running from a zero footprint to AWS workload deployment within days. It also helps clients improve the operational efficiency of their AWS environments with SoftwareOne’s ongoing management and expertise in implementing patching and updates. 

“Our cloud journey involves migrating and modernising complicated and legacy workloads with stringent timelines, and we need a partner who is agile, understands such complex environments and can work closely with our internal team,” said Daniel Anand, Head of Technology Infrastructure and Architecture, Sun Life Malaysia. “SoftwareOne is helping us implement best-in-class solutions tailored to our needs, ensuring a seamless transition to the cloud while maintaining compliance with us in building the detailed business case for board approval and aligning with Sun Life global cloud framework and compliance.” 

“The launch of the regional SoftwareOne Cloud Competency Centre demonstrates SoftwareOne’s continued dedication to empowering digital transformation globally,” said Sean Pope, Global Leader, SoftwareOne Centre of Excellence for AWS. “This Centre will be a cornerstone in our global portfolio development, enhancing our ability to deliver cutting-edge solutions and support to businesses in SEA. The innovations and best practices we establish here will also be pillars upon which to build, benefitting other regions by enhancing our global AWS service offerings.” 

For more information about the SoftwareOne Cloud Competency Centre in SEA and its support of digital transformation initiatives, please visit www.softwareone.com. 

About SoftwareOne  

SoftwareOne is a leading global software and cloud solutions provider that is redefining how organizations build, buy and manage everything in the cloud. By helping clients to migrate and modernize their workloads and applications – and in parallel, to navigate and optimize the resulting software and cloud changes – SoftwareOne unlocks the value of technology. The company’s ~9,300 employees are driven to deliver a portfolio of 7,500 software brands with sales and delivery capabilities in over 60 countries. Headquartered in Switzerland, SoftwareOne is listed on the SIX Swiss Exchange under the ticker symbol SWON. Visit us at www.softwareone.com.

SoftwareOne Launches Cloud Competency Centre in Malaysia

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.

*   Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.  
*   The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain.  
*   Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. 
*   We found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the threat actor is actively developing their tools.  

**Victimology **

Talos assesses with high confidence that the threat actor is targeting Russian-speaking users based on the language used in the Phishing emails, luring contents of Malicious documents, a masqueraded HTML webpage of Vkontake (VK), a popular social media application amongst Russian speakers, especially in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan.  

 

 

**Actor uses Gophish to send phishing emails **

Our analysis of the malicious hyperlinks embedded in the phishing emails disclosed to us the attacker-controlled hosting domains disk-yanbex\[.\]ru delivered the Malicious Microsoft Word document, and an HTML file embedded with the malicious JavaScript.   

The domain disk-yanbex\[.\]ru resolves to the IP address 34\[.\]236\[.\]234\[.\]165, an AWS EC2 instance with the fully qualified domain name ec2-34-236-234-165\[.\]compute-1\[.\]amazonaws\[.\]com, during our analysis. We also observed that the same server 34\[.\]236\[.\]234\[.\]165 was reverse resolving to another domain e-connection\[.\]ru, which also delivered malicious JavaScript-embedded HTML files. Our further analysis of the server 34\[.\]236\[.\]234\[.\]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number 3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness training according to the tool’s developer.  

Attacker hosting Gophish.

Talos analysis of the phishing email sample’s header showed us that the email was first delivered from server 34\[.\]236\[.\]234\[.\]165, indicating that the threat actor is misusing the Gophish framework in this campaign to deliver phishing emails to their targets.   

Sample Phishing email header. 

**Multi-modular Campaign delivers PowerRAT and DCRAT  **

The campaign has two initial attack vectors, one based on malicious Word documents and another based on HTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of PowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger the infections on the compromised machines. 

**Maldoc-based infection delivers PowerRAT **

When a victim opens the Microsoft Word document and enables the view contents button displayed in the document banner, the malicious VB macro program executes.  

The macro program initially executes a function that decodes or translates specific encoded symbols in the lure contents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming the lure contents into readable form. 

We spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color the same as that of the document's default background color, hiding them from the victim’s view.  

To identify the hidden encoded data, the macro executes a function that searches for specific strings such as “DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it copies the data following the search strings to an array.  

To decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It removes any “=” characters which are the padding characters in the encoded data blob and decodes them into two parts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a PowerShell loader.  

The macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell loader into “UserCache.ini” in the victim machine's current user profile folder.   

The actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” is used by Windows to automatically launch applications or processes when a user logs into their account. Specifically, this key stores information about programs that are set to load upon user login. It works similarly to other startup mechanisms in Windows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. The macro after dropping the malicious HTA and the PowerShell loader script in the victim machine user profile folder, it configures the registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” with the value “C:\\Users\\<Username>\\UserCache.ini.hta”. 

Finally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers from all sections of the Word document.  

The malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the machine. It drops a JavaScript called “UserCacheHelper.lnk.js” in the victim machine user profile folder and writes a single line code embedding with a PowerShell command to execute the dropped PowerShell Loader masquerading as “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the LOLbin “cscript.exe”. 

Sample of malicious HTA file.

The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.   

Sample PowerShell Loader script embedded with PowerRAT.

**PowerRAT expands the attack vector for further infections  **

Talos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling PowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim machine.   

The PowerRAT that executes in the victim machine memory initially checks if the JavaScript “UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by performing the actions of the PowerShell loader script described in the previous section. Then it hides the “UserCache.ini” by modifying the file attributes to “Hidden”. 

The PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID() which collects the username, computer name, and the system driver letter through the PowerShell command Get-CimInstance. It also collects the drive serial number through the win32\_volume class of WMIobject.  The collected data is written to memory in the format <Computername\_Username\_drive serial number>. 

After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified in this campaign are 94\[.\]103\[.\]85\[.\]47 located in Russia with the ASN 48282 of Hosting Technology LTD and 5\[.\]252\[.\]176\[.\]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  

When there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker() that has the functionality to decode an embedded base64 encoded string of a PowerShell script and executes it using the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the victim machine even if the victim's environment detects the malicious C2 traffic and blocks the connection. We didn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed and is likely a placeholder, indicating that the actor is actively developing and updating their tools.  

The PowerRAT generates a random number between 7 - 23 and pauses its execution for (300 + random number) seconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the C2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will likely respond with an XML configuration file having multiple modules with embedded base64 encoded PowerShell commands or scripts.   

The PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It periodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals and run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed the required number of times.   

**HTML-based infection delivers DCRAT **

Talos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email, leading to the infection of the DCRAT payload.  

When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The JavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the embedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory. A download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a variable in memory. It calls the click() method on the URL of the binary data blob which triggers the download of the binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application archive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique in the JavaScript function to masquerade as the actual download activity of a file over the internet through a browser.  

A victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the legitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples.  

When a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the batch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the DCRAT.   

In another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.   

Talos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT attack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat actor’s arsenal. 

**GOLoader downloads and runs the DCRAT **

In DCRAT infection, the SFX script runs a malicious Loader executable and simultaneously opens a decoy document. The malicious loader executable we are calling “GOLoader” is compiled in Golang. It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\\” and the folder “C:\\Users\\$user\\Desktop” in the victim machine by executing the PowerShell commands.  

powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\$user\\Desktop'

powershell -Command Add-MpPreference -ExclusionPath 'C:\\'

After configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote location through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the desktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in the GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted payload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source intelligence data.   

**Threat actor delivers DCRAT **

The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.  

Key features of the DCRAT sample of this campaign include: 

*   Provides remote control access to the victim machine to the actor who can execute arbitrary commands, manage files, and monitor user activities.  
*   It has the capability of downloading and executing other files on the victim's machine. 
*   With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim's machine.  
*   The RAT can take screenshots and capture the keystrokes on the victim's machine. 
*   We found that the RAT creates multiple copies of its binary masquerading as legitimate Windows executables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as ProgramData, Pictures, Saved Games, and Windows start menu. It drops the embedded modules in the administrator user desktop folder using random file names and with the “.log” file extension.  

C:\\Users\\admin\\Desktop\\zaHrebVC.log

C:\\Users\\admin\\Desktop\\HQLYdHol.log

C:\\Users\\admin\\Desktop\\qJutJUJW.log

C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\taskhostw.exe

C:\\ProgramData\\dllhost.exe

C:\\Users\\Default\\Pictures\\csrss.exe

C:\\Users\\Default\\Saved Games\\winlogon.exe

*   It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process. 

Task Scheduler Commands

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /f

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /f

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\Public\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\\Users\\All Users\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /f

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 13 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /f

schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

*   The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown in the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT samples identified in this campaign, we found another C2 URL “hxxp\[://\]cr87986\[.\]tw1\[.\]ru/L1nc0In\[.\]php”.  

Sample of DCRAT configuration file. 

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 

ClamAV detections are also available for this threat: 

Win.Downloader.RustAgent-10036537-0 

Win.Downloader.RustAgent-10036538-0 

Win.Downloader.RustAgent-10036539-0 

Win.Downloader.GoAgent-10036540-0 

Win.Backdoor.PowershellRAT-10036541-0 

Win.Phishing.VbsAgent-10036542-0 

Win.Phishing.JsAgent-10036543-0 

Win.Loader.PowershellLoader-10036544-0 

Win.Loader.HtaAgent-10036545-0 

Win.Loader.DonutLoader-10036546-0

**IOCs **

IOCs for this research can be found in our GitHub repository here.

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

These types of "long-lived" credentials pose a risk for users across all major cloud service providers, and must meet their very timely ends, researchers say.

Source: Artur Marciniec via Alamy Stock Photo

Almost half of organizations have users with "long-lived" credentials in cloud services, making them more likely to be victimized in a data breach.

Long-lived credentials are authentication tokens or keys in the cloud that remain for a long period of time — sometimes valid and sometimes not — ultimately causing major data breaches where attackers have a lengthy open window to compromise credentials.

In Datadog's 2024 "State of Cloud Security" report, the researchers found that long-lived credentials are a widespread issue across all major cloud services, including Google Cloud, Amazon Web Services (AWS), and Microsoft Entra. Not just that, but many of these are even unused, and often are leaked in source code, where they can open access to images and build logs and application artifacts, never expiring and becoming major security risks. 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications have an access key older than one year, the researchers found.

Ultimately, organizations struggle to manage these types of credentials, especially at scale, so the researchers at Datadog recommend that long-lived credentials be avoided altogether in order to mitigate this issue. 

"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog. "To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use."

**About the Author**

Unmanaged Cloud Credentials Pose Risk to Half of Orgs

The networking company confirms that cyberattackers illegally accessed data belonging to some of its customers.

Source: Sergiy Palamarchuk via Shutterstock

Cisco has disabled public access to one of its DevHub environments after threat actors downloaded some customer data from the site and put it up for sale on a cybercrime forum.

The compromised data included source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to some large companies, including Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP.

**Data Heist From Public-Facing Environment**

News of the breach first surfaced a week ago, when researchers spotted three threat actors using the monikers IntelBroker, EnergyWeaponUser, and zjj, putting up the data for sale on BreachForums. IntelBroker is a known Serbian entity that began operations in 2022 and is linked to several major data heists, including ones at Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

Cisco announced it was investigating the incident on Oct. 15. Three days later, the company confirmed the security incident in an update that offered little detail on the kind of data that the attackers managed to access and download.

Cisco's own systems appear not to have been affected in the incident. "We have determined that the data in question is on a public-facing DevHub environment — a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed," Cisco's advisory noted. "At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published."

The company said that, at the moment, there is no evidence the attackers illegally accessed any personal identity data or financial information, but it added that it was still investigating that possibility. "Out of an abundance of caution, we have disabled public access to the site while we continue the investigation," the company said.

In their BreachForums post, the threat actors claimed the data they downloaded from Cisco's DevHub site included GitHub and GitLab projects, source code, Jira tickets, container images, data from AWS storage buckets, and at least some confidential Cisco information.

**Reminder: The Need to Secure Public-Facing Assets**

The Cisco incident is a reminder why organizations need to protect public-facing environments with measures like input validation to protect against injection attacks, strong authentication tools and processes, and regular vulnerability assessments, says Jason Soroko, senior fellow at Sectigo.

Common mistakes organizations make when it comes to securing their public-facing assets include neglecting OWASP guidelines, underestimating security risks, failing to update systems regularly, and not prioritizing secure coding practices, Soroko says: "Don't forget to back up your website code and practice restoring it. Malware detection tools are available that make it easy to regularly scan."

Organizations can sometimes tend to perceive their public-facing assets as less critical when, in reality, they can expose sensitive information that attackers could use for future intrusions, he adds. The data that the attackers obtained in the Cisco incident, for instance, included source code, API tokens, certificates, and credentials that attackers could potentially leverage in a significant way in a future campaign.

Eric Schwake, director of cybersecurity strategy at Salt Security, says various factors contribute to sensitive data ending up on an organization's public-facing environments. "This can occur due to accidental misconfigurations of access controls, human errors in code or file management, inadequate security testing before deployment, or the compromise of third-party services," he says. These oversights can lead to the exposure of sensitive data and create potential entry points for attackers.

Schwake recommends that organizations implement a multilayered security strategy to reduce this risk. "This involves enforcing strict access controls, promoting secure coding practices, conducting thorough security testing, building posture governance standards, and performing regular security assessments," he says. "Using secrets management solutions and continuous monitoring tools can further improve security and protect against unauthorized access to sensitive information."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Disables DevHub Access After Security Breach

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk…

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk API tokens. The organization faces reputational damage and risks to user data.

The Internet Archive, a non-profit organization founded by Brewster Kahle to preserve the Internet’s history, has been experiencing a series of cyberattacks throughout October 2024. It all started on October 9th with a dual attack: a data breach and a Distributed Denial-of-Service (DDoS) attack, which were **promptly reported by Hackread.com**.

The attack was revealed with a message displayed on the Internet Archive’s website (archive.org), with the hackers themselves, taunting the organization’s security vulnerabilities and announcing the stolen data on a website called “Have I Been Pwned?” (HIBP). 

Reportedly, the hackers exploited a GitLab token, compromising the Archive’s source code and stealing user data from 31 million accounts. This exposed sensitive information, including Bcrypt-hashed passwords and email addresses.

A Pro-Palestinian group SN\_BlackMeta launched another DDoS attack around the same time, temporarily knocking the site offline, including the Wayback Machine, which collects snapshots of hundreds of billions of web pages. While these attacks coincided, they were likely conducted by separate entities.

On October 18, Kahle **confirmed** that stored data is safe and that “Wayback Machine, Archive-It, scanning, and national library crawls have resumed.” He also stated that the organization is taking a cautious approach to rebuilding and strengthening defences.

However, the Internet Archive experienced another security breach on 20 October 2024, where hackers exploited unrotated Zendesk API tokens to access its support platform. The breach exposed thousands of support tickets dating back to 2018, potentially containing personal identification documents, and highlighted a critical lapse in the Archive’s security practices, leading to a failure to rotate access tokens regularly.

According to online malware repository VX-Underground, “The Internet Archive users are reporting to have received this e-mail. It appears that the person(s) who compromised The Internet Archive still maintain some form of persistent access and are trying to send a message.”

****What Now for the Internet Archive?****

The Archive suffered multiple breaches due to vulnerabilities in its infrastructure, allowing attackers to access user data. It is speculated that the attacks were motivated by reputation rather than financial gain, with hackers seeking recognition within hacker communities. Although no ransom demands were made, the stolen data poses risks like **phishing attacks and identity theft**.

The Internet Archive hasn’t yet commented on the recent breach. Nevertheless, considering that it serves as a crucial repository of historical digital information, the series of attacks raise concerns about the long-term safety of this digital treasure trove and signifies the importance of strong cybersecurity measures. Regular security audits, secure coding practices, and prompt responses to vulnerabilities are essential for protecting user data and critical infrastructure. 

1.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
2.  **Archive of Our Own Website Suffering Massive DDoS Attacks**
3.  **Examining the US Government’s DDoS Protection Guidance Update**
4.  **Panamorfi DDoS Attack Exploits Misconfigured Jupyter Notebooks**
5.  **Misconfigured AWS bucket exposed 421GB of Artwork Archive data**

Internet Archive (Archive.org) Hacked for Second Time in a Month

The future of application security is no longer about reacting to the inevitable — it's about anticipating and preventing attacks before they can cause damage.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

In my years managing security in complex environments, I've seen how threats and defenses evolve, but application security has proven a very tough nut to crack. What excites me today is the significant progress we're making in closing long-standing gaps in AppSec, and I would argue that application detection and response (ADR) is leading the charge. 

**A Fresh Take on an old Problem**

Historically, application security has been reactive. Tools like firewalls, endpoint protection, and network monitoring have been crucial, but they've often missed the critical component of the application layer itself. As our applications have transformed into interconnected ecosystems, it's become clear that traditional security measures aren't measuring up. 

The paradigm shift of ADR, which hinges on transforming AppSec from reactive to proactive security, is finally moving the needle. Instead of just detecting threats, new ADR solutions are providing deep insights into application behavior in real-time, allowing us to get ahead of potential issues. It offers unprecedented visibility and response capabilities across distributed architectures, enabling continuous monitoring of runtime behaviors, anomaly detection, and rapid incident response. This shift not only enhances our ability to identify and address threats promptly but also significantly reduces incident response times. 

**Real-Time Visibility Is a Game Changer**

One of the most frustrating aspects of securing modern applications has always been the lack of real-time visibility. Traditional tools offer only a snapshot of an application's security at a specific moment, leaving us blind to what's happening during runtime. ADR integrations are changing this dynamic by utilizing data that's already being collected and turning it into actionable insights. 

It is now possible to continuously map out applications as they evolve, monitoring data flows, API interactions, and third-party integrations. This offers new capabilities to identify potential vulnerabilities and misconfigurations in real-time as applications scale or change in production environments. For instance, the discovery of the ALBeast vulnerability, a critical weakness in AWS's Application Load Balancers (ALBs), was made possible by real-time configuration analysis. This is yet another critical issue that would have otherwise gone unnoticed without ADR tools.

**Proactive, Not Reactive**

Previously, security often meant reacting to issues after they occurred. ADR allows us to get ahead of threats, providing security teams with context about how applications behave and where weaknesses may lie. It doesn't just stop at identifying anomalies, it helps us understand why those anomalies matter and how to address them effectively. 

What excites me most about this is how today's ADR pioneers are complementing existing security measures, like Web application firewalls (WAFs) or authentication controls. These tools often generate large volumes of alerts, many of which turn out to be false positives. With ADR tech, we can cut through that noise, prioritizing threats based on application-specific context and focusing on what really matters. The pragmatist in me is also thrilled to see how ADR enhances the effectiveness of these tools, ensuring that every part of a security stack operates at its full potential. 

**Securing Distributed, Cloud-Native Applications**

As we build more distributed and cloud-native applications, the complexity of these systems will continue to grow. These architectures provide incredible flexibility and scalability, but every integration also opens new attack surfaces. ADR is a field built for this environment, by capitalizing on the wealth of insights provided by runtime behavior across microservices, APIs, and third-party integrations. Application performance and identifying misconfigurations or vulnerable code paths can now be found within a moment. 

**Why Now?**

The timing for the budding ADR market couldn't be better. As the threat landscape continues to evolve, adversaries are getting more sophisticated, targeting weaknesses at the application layer that traditional tools can't catch. We're seeing new types of attacks that exploit the growing complexity of our applications, and ADR allows us to address these threats head-on. By integrating ADR tools and principles into our strategies, we not only respond more quickly, we also enhance overall security across the industry. 

I would also be remiss to downplay another key role of ADR — facilitating better collaboration between development and security teams. With real-time visibility into both the development and runtime phases, security doesn't have to feel like a roadblock anymore. Instead, it's becoming a continuous process that extends throughout the application life cycle. 

**Looking Forward**

While no solution is a silver bullet, ADR represents a significant step forward. By offering a clear window into how applications behave at every stage, we can finally move away from reactive, best-effort security to data-driven, proactive protection. 

For those of us responsible for securing today's complex environments, ADR signifies a much-needed evolution. The future of application security is no longer about reacting to the inevitable; it's about anticipating and preventing attacks before they can cause damage. 

As a chief information security officer, that's a future I'm genuinely excited about. 

**About the Author**

Vice President & CISO, Paychex

Bradley Schaufenbuel is the vice president and chief information security officer at Paychex, a recognized leader in the payroll, human resource, and benefits outsourcing industry.  

With more than 20 years of industry experience, Bradley is a recognized security professional with significant expertise in information security management, IT compliance, fraud examination, IT audit, computer forensics, ethical hacking, business continuity planning, project management, cloud security, and process improvement.  

Prior to Paychex, Bradley served as vice president and chief information security officer at Paylocity. Previously, he served as Director of Information Security at Midland States Bank, senior vice president and chief information security and privacy officer at Midwest Bank, senior manager of IT risk and security at Zurich Financial Services, and held senior security positions at Experian and Arthur Andersen. He is licensed to practice law in Illinois and is a member of the United States Supreme Court Bar.

Why I'm Excited About the Future of Application Security

Ubuntu Security Notice 7073-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7073-1October 16, 2024linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp,linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4,linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Memory management;  - Network traffic control;(CVE-2024-27397, CVE-2024-38630, CVE-2024-45016, CVE-2024-26960)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1053-xilinx-zynqmp  5.4.0-1053.57  linux-image-5.4.0-1081-ibm      5.4.0-1081.86  linux-image-5.4.0-1094-bluefield  5.4.0-1094.101  linux-image-5.4.0-1101-gkeop    5.4.0-1101.105  linux-image-5.4.0-1118-raspi    5.4.0-1118.130  linux-image-5.4.0-1122-kvm      5.4.0-1122.130  linux-image-5.4.0-1133-oracle   5.4.0-1133.142  linux-image-5.4.0-1134-aws      5.4.0-1134.144  linux-image-5.4.0-1138-gcp      5.4.0-1138.147  linux-image-5.4.0-198-generic   5.4.0-198.218  linux-image-5.4.0-198-generic-lpae  5.4.0-198.218  linux-image-5.4.0-198-lowlatency  5.4.0-198.218  linux-image-aws-lts-20.04       5.4.0.1134.131  linux-image-bluefield           5.4.0.1094.90  linux-image-gcp-lts-20.04       5.4.0.1138.140  linux-image-generic             5.4.0.198.196  linux-image-generic-lpae        5.4.0.198.196  linux-image-gkeop               5.4.0.1101.99  linux-image-gkeop-5.4           5.4.0.1101.99  linux-image-ibm-lts-20.04       5.4.0.1081.110  linux-image-kvm                 5.4.0.1122.118  linux-image-lowlatency          5.4.0.198.196  linux-image-oem                 5.4.0.198.196  linux-image-oem-osp1            5.4.0.198.196  linux-image-oracle-lts-20.04    5.4.0.1133.126  linux-image-raspi               5.4.0.1118.148  linux-image-raspi2              5.4.0.1118.148  linux-image-virtual             5.4.0.198.196  linux-image-xilinx-zynqmp       5.4.0.1053.53Ubuntu 18.04 LTS  linux-image-5.4.0-1081-ibm      5.4.0-1081.86~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1118-raspi    5.4.0-1118.130~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1133-oracle   5.4.0-1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1134-aws      5.4.0-1134.144~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1138-gcp      5.4.0-1138.147~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-198-generic   5.4.0-198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-198-lowlatency  5.4.0-198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-aws                 5.4.0.1134.144~18.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1138.147~18.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1081.86~18.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oem                 5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oracle              5.4.0.1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-raspi-hwe-18.04     5.4.0.1118.130~18.04.1                                  Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.198.218~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7073-1  CVE-2024-26960, CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-198.218  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1134.144  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1094.101  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1138.147  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1101.105  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1081.86  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1122.130  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1133.142  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1118.130  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1053.57

Ubuntu Security Notice USN-7073-1

Ubuntu Security Notice 7072-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7072-1October 16, 2024linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15,linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-38630, CVE-2024-27397, CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1037-xilinx-zynqmp  5.15.0-1037.41  linux-image-5.15.0-1054-gkeop   5.15.0-1054.61  linux-image-5.15.0-1064-ibm     5.15.0-1064.67  linux-image-5.15.0-1064-raspi   5.15.0-1064.67  linux-image-5.15.0-1066-intel-iotg  5.15.0-1066.72  linux-image-5.15.0-1066-nvidia  5.15.0-1066.67  linux-image-5.15.0-1066-nvidia-lowlatency  5.15.0-1066.67  linux-image-5.15.0-1068-kvm     5.15.0-1068.73  linux-image-5.15.0-1069-oracle  5.15.0-1069.75  linux-image-5.15.0-1070-gcp     5.15.0-1070.78  linux-image-5.15.0-1071-aws     5.15.0-1071.77  linux-image-5.15.0-124-generic  5.15.0-124.134  linux-image-5.15.0-124-generic-64k  5.15.0-124.134  linux-image-5.15.0-124-generic-lpae  5.15.0-124.134  linux-image-5.15.0-124-lowlatency  5.15.0-124.134  linux-image-5.15.0-124-lowlatency-64k  5.15.0-124.134  linux-image-aws-lts-22.04       5.15.0.1071.71  linux-image-gcp-lts-22.04       5.15.0.1070.66  linux-image-generic             5.15.0.124.124  linux-image-generic-64k         5.15.0.124.124  linux-image-generic-lpae        5.15.0.124.124  linux-image-gkeop               5.15.0.1054.53  linux-image-gkeop-5.15          5.15.0.1054.53  linux-image-ibm                 5.15.0.1064.60  linux-image-intel-iotg          5.15.0.1066.66  linux-image-kvm                 5.15.0.1068.64  linux-image-lowlatency          5.15.0.124.112  linux-image-lowlatency-64k      5.15.0.124.112  linux-image-nvidia              5.15.0.1066.66  linux-image-nvidia-lowlatency   5.15.0.1066.66  linux-image-oracle-lts-22.04    5.15.0.1069.65  linux-image-raspi               5.15.0.1064.62  linux-image-raspi-nolpae        5.15.0.1064.62  linux-image-virtual             5.15.0.124.124  linux-image-xilinx-zynqmp       5.15.0.1037.41Ubuntu 20.04 LTS  linux-image-5.15.0-1054-gkeop   5.15.0-1054.61~20.04.1  linux-image-5.15.0-1064-ibm     5.15.0-1064.67~20.04.1  linux-image-5.15.0-1066-intel-iotg  5.15.0-1066.72~20.04.1  linux-image-5.15.0-1069-oracle  5.15.0-1069.75~20.04.1  linux-image-5.15.0-1070-gcp     5.15.0-1070.78~20.04.1  linux-image-5.15.0-1071-aws     5.15.0-1071.77~20.04.1  linux-image-5.15.0-124-generic  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-generic-64k  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-generic-lpae  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-lowlatency  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-lowlatency-64k  5.15.0-124.134~20.04.1  linux-image-aws                 5.15.0.1071.77~20.04.1  linux-image-gcp                 5.15.0.1070.78~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-generic-hwe-20.04   5.15.0.124.134~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-gkeop-5.15          5.15.0.1054.61~20.04.1  linux-image-ibm                 5.15.0.1064.67~20.04.1  linux-image-intel               5.15.0.1066.72~20.04.1  linux-image-intel-iotg          5.15.0.1066.72~20.04.1  linux-image-lowlatency-64k-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-lowlatency-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-oem-20.04           5.15.0.124.134~20.04.1  linux-image-oem-20.04b          5.15.0.124.134~20.04.1  linux-image-oem-20.04c          5.15.0.124.134~20.04.1  linux-image-oem-20.04d          5.15.0.124.134~20.04.1  linux-image-oracle              5.15.0.1069.75~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.124.134~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7072-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-124.134  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1071.77  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1070.78  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1054.61  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1064.67  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1066.72  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1068.73  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-124.134  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1066.67  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1069.75  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1064.67  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.15.0-1037.41  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1071.77~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1070.78~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1054.61~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-124.134~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1064.67~20.04.1 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1066.72~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-124.134~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1069.75~20.04.1

Ubuntu Security Notice USN-7072-1

Ubuntu Security Notice 7071-1 - A security issue was discovered in the Linux kernel. An attacker could possibly use this to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7071-1October 16, 2024linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-hwe-6.8,linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia,linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle,linux-oracle-6.8, linux-raspi vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:The system could be compromised under certain conditions.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-nvidia-lowlatency: Linux low latency kernel for NVIDIA systems- linux-oem-6.8: Linux kernel for OEM systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-6.8: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-6.8: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-6.8: Linux hardware enablement (HWE) kernel- linux-lowlatency-hwe-6.8: Linux low latency kernel- linux-nvidia-6.8: Linux kernel for NVIDIA systems- linux-oracle-6.8: Linux kernel for Oracle Cloud systemsDetails:A security issue was discovered in the Linux kernel.An attacker could possibly use this to compromise the system.This update corrects flaws in the following subsystems:  - Network traffic control;(CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1013-raspi    6.8.0-1013.14  linux-image-6.8.0-1014-ibm      6.8.0-1014.14  linux-image-6.8.0-1014-oem      6.8.0-1014.14  linux-image-6.8.0-1014-oracle   6.8.0-1014.14  linux-image-6.8.0-1014-oracle-64k  6.8.0-1014.14  linux-image-6.8.0-1015-nvidia   6.8.0-1015.16  linux-image-6.8.0-1015-nvidia-64k  6.8.0-1015.16  linux-image-6.8.0-1015-nvidia-lowlatency  6.8.0-1015.16.1  linux-image-6.8.0-1015-nvidia-lowlatency-64k  6.8.0-1015.16.1  linux-image-6.8.0-1016-gcp      6.8.0-1016.18  linux-image-6.8.0-1017-aws      6.8.0-1017.18  linux-image-6.8.0-47-generic    6.8.0-47.47  linux-image-6.8.0-47-generic-64k  6.8.0-47.47  linux-image-6.8.0-47-lowlatency  6.8.0-47.47.1  linux-image-6.8.0-47-lowlatency-64k  6.8.0-47.47.1  linux-image-aws                 6.8.0-1017.18  linux-image-gcp                 6.8.0-1016.18  linux-image-generic             6.8.0-47.47  linux-image-generic-64k         6.8.0-47.47  linux-image-generic-64k-hwe-24.04  6.8.0-47.47  linux-image-generic-hwe-24.04   6.8.0-47.47  linux-image-generic-lpae        6.8.0-47.47  linux-image-ibm                 6.8.0-1014.14  linux-image-ibm-classic         6.8.0-1014.14  linux-image-ibm-lts-24.04       6.8.0-1014.14  linux-image-kvm                 6.8.0-47.47  linux-image-lowlatency          6.8.0-47.47.1  linux-image-lowlatency-64k      6.8.0-47.47.1  linux-image-nvidia              6.8.0-1015.16  linux-image-nvidia-64k          6.8.0-1015.16  linux-image-nvidia-lowlatency   6.8.0-1015.16.1  linux-image-nvidia-lowlatency-64k  6.8.0-1015.16.1  linux-image-oem-24.04           6.8.0-1014.14  linux-image-oem-24.04a          6.8.0-1014.14  linux-image-oracle              6.8.0-1014.14  linux-image-oracle-64k          6.8.0-1014.14  linux-image-raspi               6.8.0-1013.14  linux-image-virtual             6.8.0-47.47  linux-image-virtual-hwe-24.04   6.8.0-47.47Ubuntu 22.04 LTS  linux-image-6.8.0-1014-oracle   6.8.0-1014.14~22.04.1  linux-image-6.8.0-1014-oracle-64k  6.8.0-1014.14~22.04.1  linux-image-6.8.0-1015-nvidia   6.8.0-1015.16~22.04.1  linux-image-6.8.0-1015-nvidia-64k  6.8.0-1015.16~22.04.1  linux-image-6.8.0-1016-gcp      6.8.0-1016.18~22.04.1  linux-image-6.8.0-1017-aws      6.8.0-1017.18~22.04.1  linux-image-6.8.0-47-generic    6.8.0-47.47~22.04.1  linux-image-6.8.0-47-generic-64k  6.8.0-47.47~22.04.1  linux-image-6.8.0-47-lowlatency  6.8.0-47.47.1~22.04.1  linux-image-6.8.0-47-lowlatency-64k  6.8.0-47.47.1~22.04.1  linux-image-aws                 6.8.0-1017.18~22.04.1  linux-image-gcp                 6.8.0-1016.18~22.04.1  linux-image-generic-64k-hwe-22.04  6.8.0-47.47~22.04.1  linux-image-generic-hwe-22.04   6.8.0-47.47~22.04.1  linux-image-lowlatency-64k-hwe-22.04  6.8.0-47.47.1~22.04.1  linux-image-lowlatency-hwe-22.04  6.8.0-47.47.1~22.04.1  linux-image-nvidia-6.8          6.8.0-1015.16~22.04.1  linux-image-nvidia-64k-6.8      6.8.0-1015.16~22.04.1  linux-image-oem-22.04           6.8.0-47.47~22.04.1  linux-image-oem-22.04a          6.8.0-47.47~22.04.1  linux-image-oem-22.04b          6.8.0-47.47~22.04.1  linux-image-oem-22.04c          6.8.0-47.47~22.04.1  linux-image-oem-22.04d          6.8.0-47.47~22.04.1  linux-image-oracle              6.8.0-1014.14~22.04.1  linux-image-oracle-64k          6.8.0-1014.14~22.04.1  linux-image-virtual-hwe-22.04   6.8.0-47.47~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7071-1  CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/6.8.0-47.47  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1017.18  https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1016.18  https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1014.14  https://launchpad.net/ubuntu/+source/linux-lowlatency/6.8.0-47.47.1  https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1015.16  https://launchpad.net/ubuntu/+source/linux-nvidia-lowlatency/6.8.0-1015.16.1  https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1014.14  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1014.14  https://launchpad.net/ubuntu/+source/linux-raspi/6.8.0-1013.14  https://launchpad.net/ubuntu/+source/linux-aws-6.8/6.8.0-1017.18~22.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-6.8/6.8.0-1016.18~22.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-6.8/6.8.0-47.47~22.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-47.47.1~22.04.1  https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1015.16~22.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-6.8/6.8.0-1014.14~22.04.1

Tag

#aws