In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99.

**Mozilla Foundation Security Advisory 2022-13**

Announced

April 5, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 99

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potentially exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28283: Missing security checks for fetching sourceMapURL**

Reporter

Gijs

Impact

moderate

**Description**

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible.

**References**

*   Bug 1754066

**#CVE-2022-28284: Script could be executed via svg's use element**

Reporter

Leo Balter

Impact

moderate

**Description**

SVG's <use> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs.

**References**

*   Bug 1754522

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-28287: Text Selection could crash Firefox**

Reporter

Aryan Sinha

Impact

low

**Description**

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash.

**References**

*   Bug 1741515

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98 and Firefox ESR 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

**#CVE-2022-28288: Memory safety bugs fixed in Firefox 99**

Reporter

Mozilla developers

Impact

moderate

**Description**

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99

CVE-2022-28287: Security Vulnerabilities fixed in Firefox 99

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

**Mozilla Foundation Security Advisory 2022-15**

Announced

April 5, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.8

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-1197: OpenPGP revocation information was ignored**

Reporter

Thunderbird user Johannes König

Impact

moderate

**Description**

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected.

**References**

*   Bug 1754985

**#CVE-2022-1196: Use-after-free after VR Process destruction**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

moderate

**Description**

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1750679

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.8

CVE-2022-1196: Security Vulnerabilities fixed in Thunderbird 91.8

Mozilla developers Timothy Nikkel, Ashley Hale, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 106.

**Mozilla Foundation Security Advisory 2022-44**

Announced

October 18, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 106

This advisory was updated December 13, 2022 to add CVE-2022-46881 and CVE-2022-46885. Both fixes were included in the original release of Firefox 106, but did not appear in the advisory published at that time.

**#CVE-2022-42927: Same-origin policy violation could have leaked cross-origin URLs**

Reporter

James Lee

Impact

high

**Description**

A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries().

**References**

*   Bug 1789128

**#CVE-2022-42928: Memory Corruption in JS Engine**

Reporter

Samuel Groß and Carl Smith of Google V8 Security

Impact

high

**Description**

Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1791520

**#CVE-2022-46881: Memory corruption in WebGL**

Reporter

Karl and an Anonymous ASAN Nightly User

Impact

high

**Description**

An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.  
_Note_: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106.

**References**

*   Bug 1770930

**#CVE-2022-42929: Denial of Service via window.print**

Reporter

Andrei Enache

Impact

moderate

**Description**

If a website called window.print() in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings.

**References**

*   Bug 1789439

**#CVE-2022-42930: Race condition in DOM Workers**

Reporter

Armin Ebert

Impact

moderate

**Description**

If two Workers were simultaneously initializing their CacheStorage, a data race could have occurred in the ThirdPartyUtil component.

**References**

*   Bug 1789503

**#CVE-2022-42931: Username saved to a plaintext file on disk**

Reporter

Sergey Galich

Impact

low

**Description**

Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk.

**References**

*   Bug 1780571

**#CVE-2022-42932: Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4

**#CVE-2022-46885: Memory safety bugs fixed in Firefox 106**

Reporter

Mozilla developers

Impact

moderate

**Description**

Mozilla developers Timothy Nikkel, Ashley Hale, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 106

CVE-2022-46885: Security Vulnerabilities fixed in Firefox 106

When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 103.

Sorry, I can't find "_1759951?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-36317: Invalid Bug ID

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect. This vulnerability affects Firefox < 103.

**Mozilla Foundation Security Advisory 2022-28**

Announced

July 26, 2022

Impact

moderate

Products

Firefox

Fixed in

*   Firefox 103

**#CVE-2022-36319: Mouse Position spoofing with CSS transforms**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed.

**References**

*   Bug 1737722

**#CVE-2022-36317: Long URL would hang Firefox for Android**

Reporter

Irwan

Impact

moderate

**Description**

When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1759951

**#CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters**

Reporter

Gijs Kruitbosch

Impact

moderate

**Description**

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected.

**References**

*   Bug 1771774

**#CVE-2022-36314: Opening local <code>.lnk</code> files could cause unexpected network loads**

Reporter

akucybersec

Impact

moderate

**Description**

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.  
This bug only affects Firefox for Windows. Other operating systems are unaffected.\*

**References**

*   Bug 1773894

**#CVE-2022-36315: Preload Cache Bypasses Subresource Integrity**

Reporter

Hiroshige Hayashizaki

Impact

low

**Description**

When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata.

**References**

*   Bug 1762520

**#CVE-2022-36316: Performance API leaked whether a cross-site resource is redirecting**

Reporter

Jannis Rautenstrauch

Impact

low

**Description**

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect.

**References**

*   Bug 1768583

**#CVE-2022-36320: Memory safety bugs fixed in Firefox 103**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 103

**#CVE-2022-2505: Memory safety bugs fixed in Firefox 103 and 102.1**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 103 and 102.1

CVE-2022-36316: Security Vulnerabilities fixed in Firefox 103

A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via <code>performance.getEntries()</code>. This vulnerability affects Thunderbird < 102.4, Firefox ESR < 102.4, and Firefox < 106.

**Mozilla Foundation Security Advisory 2022-46**

Announced

October 18, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 102.4

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-42927: Same-origin policy violation could have leaked cross-origin URLs**

Reporter

James Lee

Impact

high

**Description**

A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via performance.getEntries().

**References**

*   Bug 1789128

**#CVE-2022-42928: Memory Corruption in JS Engine**

Reporter

Samuel Groß

Impact

high

**Description**

Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1791520

**#CVE-2022-42929: Denial of Service via window.print**

Reporter

Andrei Enache

Impact

moderate

**Description**

If a website called window.print() in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings.

**References**

*   Bug 1789439

**#CVE-2022-42932: Memory safety bugs fixed in Thunderbird 102.4**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 102.4

CVE-2022-42927: Security Vulnerabilities fixed in Thunderbird 102.4

Lilith >_> of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.
OpenImageIO is an image processing library useful for

Thursday, December 22, 2022 10:12

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.

OpenImageIO is an image processing library useful for conversion and processing, as well as image comparison. This library is utilized by 3D-processing software from AliceVision (including Meshroom) and is also used by Blender for reading Photoshop .psd files.

Vulnerabilities were found in the way OpenImageIO processed .tif, .psd, .dds and other files and metadata types.

Several of the vulnerabilities are rated CVSS 9.8, high priority arbitrary code execution risks.

*   TALOS-2022-1626 (CVE-2022-41794)
*   TALOS-2022-1630 (CVE-2022-38143)
*   TALOS-2022-1634 (CVE-2022-41838)
*   TALOS-2022-1636 (CVE-2022-41837)
*   TALOS-2022-1633 (CVE-2022-41639)
*   TALOS-2022-1628 (CVE-2022-41981)

TALOS-2022-1655 (CVE-2022-43597-CVE-2022-43598) concerns multiple memory corruption vulnerabilities. A specially crafted ImageOutput Object can lead to arbitrary code execution.  Multiple code execution vulnerabilities also exist, outlined in TALOS-2022-1656 (CVE-2022-43599-CVE-2022-43602). An attacker can provide malicious input to trigger these vulnerabilities.

Several vulnerabilities can cause denial of service. An attacker can provide malicious input or files to trigger these vulnerabilities.

*   TALOS-2022-1632 (CVE-2022-41684)
*   TALOS-2022-1635 (CVE-2022-41999)
*   TALOS-2022-1652 (CVE-2022-43593)
*   TALOS-2022-1653 (CVE-2022-43594-CVE-2022-43595)
*   TALOS-2022-1657 (CVE-2022-43603)

Talos also discovered these five lower-scoring CVE sensitive information disclosure vulnerability advisories:

*   TALOS-2022-1627 (CVE-2022-41977)
*   TALOS-2022-1629 (CVE-2022-36354)
*   TALOS-2022-1631 (CVE-2022-41649)
*   TALOS-2022-1643 (CVE-2022-41988)
*   TALOS-2022-1651 (CVE-2022-43592)
*   TALOS-2022-1654 (CVE-2022-43596)

Cisco Talos worked with OpenImageIO to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Project OpenImageIO master-branch-9aeece7a, v2.3.19.0 and v2.4.4.2. Talos tested and confirmed these versions of OpenImageIO could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60735-60736, 60766-60767, 60733-60734, 60713-60720, 60730-60731, 60796-60799. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service

Our growing interconnectedness poses almost as many challenges as it does benefits.

The number of cyberattacks around the world jumped 28% in the third quarter of 2022. Such a figure is not surprising because recent years have brought more and bigger attacks on almost every sector. The coming year will no doubt also be filled with attacks and risks, despite companies spending even more on solutions and both governments and the private sector taking further steps to prioritize security.

While many of the current trends will continue, there also will be significant changes and developments in the year ahead. The increasingly efficient and business-minded manner of both cybercriminals and state-backed attackers will drive many of these growing trends and new challenges.

**Expect More Disruptive Attacks**

Business disruption due to cyberattacks is on track to become a bigger problem. During the past 12 months, 93% of organizations have suffered a data-related business disruption, and 43% reported permanent data loss, according to a recent survey. This comes as attackers move away from ransomware attacks, which hold data hostage for money and have fallen by 8% in recent months, and carry out attacks simply to disrupt services and activities, sometimes by erasing data, rather than to raise money. 

Political motivations are often behind such purely disruptive attacks, including Russia-linked or Russia-backed hackers who have targeted businesses in Ukraine, or those that support Ukraine. The public nature of these disruptive attacks, including denial-of-service (DoS) attacks, is also an effective way for hacking groups to build up their brands. This public relations effort is important as more groups, including the infamous Conti group that shut down several government websites and services for months in Costa Rica, seek affiliates to work with on attacks.

**Signs Are Pointing to a Catastrophic Attack**

We will not likely get through the coming year without some sort of catastrophic attack on a very strategic and important network or service provider like Gmail, WhatsApp, or Microsoft. We have long known — and it became even more clear from Twitter whistleblower and former head of security Peiter Zatko, who exposed lax data security practices at the social media giant — that the biggest tech companies, with the biggest security budgets, still have severe challenges. 

If a global software provider or communication platform is attacked it could lead to significant disruption of business and communication, and put the personal data of billions at risk. It would be a worldwide event with lasting economic, social, and political consequences.

**Supply Chain Attacks Will Persist — and Grow**

Supply chain attacks, in which bad actors gain access to organizations through third parties, enabling one attack to include hundreds of victims, will continue to increase as hacking groups become more business-oriented and concerned with efficiency. These types of attacks have already increased by nearly eightfold over the past three years. Many of the largest and most threatening groups are no longer operating alone. In addition to working with affiliates, they are working with states. States are hiring them, funding them, or simply providing them a safe harbor from which to operate. With more at stake, including funding from government or affiliates, these groups are under pressure to accomplish more damage in shorter amounts of time, in the most efficient way possible.

These bad actors are evolving into a modern form of organized crime, and as long as efficiency and results remain important to them, they will pursue supply chain attacks. Such attacks put every sort of organization that uses any type of cloud software at risk, meaning every company must embrace intelligence and be prepared for attacks from sophisticated criminal gangs or state-backed attackers.

**Personalized Attacks Will Target Executives and Their Friends and Family**

We will see more personalization of attacks, including bad actors using tactics like demanding money or network access credentials in return for not releasing valuable or sensitive data they already have. A growing related tactic is "sextortion," or threatening to release embarrassing information, photos, or videos unless the victim gives over money, information, or network credentials. In other cases, attackers offer to pay money in return for passwords or other information that can help them carry out a future cyberattack. 

What all of these attacks have in common is that they are very personal in nature, especially those that rely on sextortion. They can affect business executives, public figures, and anyone else who has a public profile or access to confidential or valuable data and information. But in addition, these types of attacks also often involve friends or family members of their ultimate victims. For example, in one case my company dealt with, a teenager received emails threatening to reveal that he was gay — something his family did not know — unless he installed some files on his home network. Acting out of fear, he installed the files, and this eventually gave a cyberattacker potential access to his mother, an executive at a large company.

With attackers growing more sophisticated and more focused on efficiency, it is more important than ever for businesses to understand and improve their security posture. In the constantly evolving threatscape, no organization can consider itself immune to attacks by the biggest hacking groups, including those backed or sheltered by governments. We are entering a new era in which interconnectedness poses almost as many challenges as it does benefits.

'Sextortion,' Business Disruption, and a Massive Attack: What Could Be in Store for 2023

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

A recently discovered botnet that attacks organizations through Internet of things (IoT) vulnerabilities has added brute-forcing and distributed denial-of-service (DDoS) attack vectors, as well as the ability to exploit new flaws to its growing arsenal, Microsoft security analysts have found. 

The updates to Zerobot, a malware first observed earlier this month by Fortinet researchers, pave the way for more advanced attacks as the threat continues to evolve, according to the Microsoft Security Threat Intelligence Center (MSTIC).

MSTIC revealed in a blog post on Dec. 21 that the threat actors have updated Zerobot to version 1.1, which can now target resources through DDoS and make them inaccessible, widening the possibilities for attack and further compromise.

"Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations," the researchers wrote in the post. "In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target."

**Brute-Forcing and Other Tactics**

Fortinet researchers already had tracked two previous versions of Zerobot — one that was quite basic and another that was more advanced. The botnet's principal mode of attack originally was to target various IoT devices — including products from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more — through flaws found in those devices, and then spread to other assets connected on the network that way to propagate the malware and grow the botnet.

Microsoft researchers now have observed the botnet getting more aggressive in its attacks on devices, using a new brute-force vector to compromise weakly secured IoT devices rather than just trying to leverage a known vulnerability, the researchers revealed.

"IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors," they wrote in the post. "Zerobot is capable of propagating through brute-force attacks on vulnerable devices with insecure configurations that use default or weak credentials."

The malware attempts to to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices, the researchers wrote. In their observations alone, the MSTIC team identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

**An Expanded Security Vulnerability Exploit List**

Zerobot hasn't abandoned its original way to access devices, however, and has even expanded this practice. Prior to its new version, Zerobot already could exploit more than 20 flaws in assorted devices, including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

The botnet has now added seven new exploits for flaws to its quiver, found in Apache, Roxy-WI, Grandstream, and other platforms, the researchers found.

MSTIC also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers, they added.

**Zerobot's Post-Compromise Behavior**

Researchers also observed more about Zerobot's behavior once it gains device access. For one, it immediately injects a malicious payload — which may be a generic script called "zero.sh" that downloads and attempts to execute the bot, or a script that downloads the Zerobot binary of a specific architecture, they said.

"The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds," the researchers wrote.

Once Zerobot achieves persistence, it scans for other devices exposed to the Internet that it can infect, by randomly generating a number between 0 and 255 and scanning all IPs starting with this value.

"Using a function called _new\_botnet\_selfRepo\_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources," the Microsoft researchers wrote. "This function includes 61 IP subnets, preventing scanning of these IPs."

Zerobot 1.1 uses scripts targeting various architectures, including ARM64, MIPS, and x86\_64. The researchers also have observed samples of the botnet on Windows and Linux devices, exhibiting different persistence methods based on the OS.

**Protecting the Enterprise**

Fortinet researchers already had stressed the importance of organizations immediately updating to the latest versions of any devices affected by Zerobot. Given that businesses are losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, the danger is real.

To help identify if an organization is vulnerable, Microsoft researchers included an updated list of CVEs that Zerobot can exploit in their post. The MSTIC team also recommended that organizations use security solutions with cross-domain visibility and detection capabilities to detect Zerobot malware variants and malicious behavior related to the threat.

Enterprises should also adopt a comprehensive IoT security solution that allows for visibility and monitoring of all IoT and operational technology (OT) devices, threat detection and response, and integration with SIEM/SOAR and extended detection and response (XDR) platforms, according to Microsoft.

As part of this strategy, they should ensure secure configurations for devices by changing default passwords to strong ones and blocking SSH from external access, as well as use least-privileges access including VPN service for remote access, the researchers said.

Another way to avoid compromise by Zerobot is to harden endpoints with a comprehensive security solution that manages the apps that employees can use and provides application control for unmanaged solutions, they said. This solution also should perform timely cleanup of unused and stale executables sitting on an organization's devices.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

Debian Linux Security Advisory 5305-1 - An integer overflow flaw was discovered in the CRL signature parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5305-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 21, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libksbaCVE ID         : CVE-2022-47629An integer overflow flaw was discovered in the CRL signature parser inlibksba, an X.509 and CMS support library, which could result in denialof service or the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 1.5.0-3+deb11u2.We recommend that you upgrade your libksba packages.For the detailed security status of libksba please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libksbaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmOjfbNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TZeA/+NmgALkjZhrkd2BixzJp2eAe5ocLW5B0g9lB93NIyUORM2A3CgX0MsF+UbYrehbBdQosJOMko5E4St7ETC6H4eVknHj+snuP0j0MY/KQspoTTZfE/28y28734oXiBTuaOmEItHWlpuvreTPOzeNaWck/osiSLaBIWCKooGDnpUrTYAV+AQ7l8pyBU7iaZfOV1hR+ndTYdp/JK1Rl0FgPazCe4UQP1EAhMOE8XqVNKZ/MSh2U5JaSPUzTt+sgJWunB9ysBHbSuKFJ1cli7nqFf8urDmKYYU4gZtKFl4AJV0Oe39UTxjOwQkVhz8buLUVwLtXfSxu8jBTQXGLuwQJrr9W1S5mny3wxMgOOqNozdyoFuYNoIFY4+84dTG4H+L0sWbFCWVHY8gCKwPSa6ZK0eP4UQ9dxgmUfK5K6Ldo8gi0iX1v1Ub3OYz7JzeIfkUKTx82yLmFcFisQNgeXe6lMN+Tzu7WTs3w8Y3OA7a65nKb79PDJFZ/Hiw+p06L+C7SkhfcItMbKwqU3IdfsVrGxTK4VbdYZEoMv0+43zBypLDUF+eVC4E3MJSB0k+qAiyLzr6qbaVZp4m04/B2puqnBACIIc3Vm9BUKQCWYx4R6C8rqfxtOfD2Xmz4xGcNZfr342Kig4QNbkc1zatx72maEX1KGt2x9BmqtSvebuw/EwkBQ=9jlL-----END PGP SIGNATURE-----

Tag

#dos