An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

**CVE-2023-35794-WebSSH-Hijacking**

Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

CVE ID: CVE-2023-35794  
Vendor: Cassia Networks  
Product: Access Controller  
Version: Cassia-AC-2.1.1.2303271039

Vulnerability: Incorrect Access Control  
Affected: web ssh, gateways  
Decription: WebSSH session can be hijacked  
Status: Confirmed by vendor, Fixed  
Version Patched: Cassia-AC-2.1.1.2308181707

**Details**

Cassia uses WebSSH2 by billchurch to initiate SSH sessions from AC to Gateways. WebSSH2 Is a web SSH Client which uses ssh2, socket.io, xterm.js, and express. A bare bones example of an HTML5 web-based terminal emulator and SSH client. It uses SSH2 as a client on a host to proxy a Websocket/Socket.io connection to a SSH2 server.

When a session of WebSSH is established with Gateway Device any external user can hijack it without any authentication and authorization.

Session establishment is done via GET request to proper /ap/remote/<mac>?ssh_port=<ac-rev-ssh-port> Gateway then receiving request through MQTT (or CAPWAP) channel and establishes SSH tunnel with local port forwarding to Access Controller. Then Access-Controller binds to the forwarded port with SSH Web Session. The user who invoked the web ssh session is redirected to /ssh/host but the session cookie is not validated. The new WebSSH2 cookie is provided with 401 error.  In fact a user is being asked for providing Basic auth.  Obtained Basic authentication credentials are sent in next requests and potentially consumed by webssh2.bundle.js as credentials used to authenticate to the choosen device.   This allows unathorized to Access Controller portal User to hijack already existing SSH session with only knowing SSH username and password (note that this commonly may be default cassia:cassia-<last-mac-6-digits>).

**Exploitation**

An attacker may use CVE-2023-35793 to trick any athenticated user to initiate a session to any device connected to the AC (note that the user does not need to login into the gateway, the session itself will be initiated with only exploiting CVE-2023-35793 CSRF). Then using this vulnerability and knowing the MAC address an attacker may easily obtain access to the device through WebSSH.

Lets assume an attacker triggered someone and the session is established to the gateway where the default credentials are used.

1.  Attacker just opens the web browser and enters default credentials for known device. 
2.  Attacker knowing which device were triggered provides default credentials (commonly these are not being changed) 
3.  Attacker is authenticated to device LXC container as a user which has root rights by default 

**Remediation**

*   Patch to the highest possible version availaible on Cassia Networks

CVE-2023-35794: GitHub - Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking: Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "ff86ff28cf82124f8e65833a2dd8c319aea08945", "tree": "524d68215696fbfe5584e2a97f296e20904941a2", "parents": \[ "86c8421c1181816b6cb333eb62a78e32290c4b17" \], "author": { "name": "Eric Biggers", "email": "ebiggers@google.com", "time": "Fri Jul 28 22:03:03 2023 +0000" }, "committer": { "name": "Justin Dunlap", "email": "justindunlap@google.com", "time": "Fri Sep 01 12:58:52 2023 -0700" }, "message": "RESTRICT AUTOMERGE: SettingsProvider: exclude secure\_frp\_mode from resets\\n\\nWhen RescueParty detects that a system process is crashing frequently,\\nit tries to recover in various ways, such as by resetting all settings.\\nUnfortunately, this included resetting the secure\_frp\_mode setting,\\nwhich is the means by which the system keeps track of whether the\\nFactory Reset Protection (FRP) challenge has been passed yet. With this\\nsetting reset, some FRP restrictions went away and it became possible to\\nbypass FRP by setting a new lockscreen credential.\\n\\nFix this by excluding secure\_frp\_mode from resets.\\n\\nNote: currently this bug isn\\u0027t reproducible on \\u0027main\\u0027 due to ag/23727749\\ndisabling much of RescueParty, but that is a temporary change.\\n\\nBug: 253043065\\nTest: With ag/23727749 reverted and with my fix to prevent\\n com.android.settings from crashing \*not\* applied, tried repeatedly\\n setting lockscreen credential while in FRP mode, using the\\n smartlock setup activity launched by intent via adb. Verified\\n that although RescueParty is still triggered after 5 attempts,\\n secure\_frp\_mode is no longer reset (its value remains \\"1\\").\\nTest: Verified that secure\_frp\_mode still gets changed from 1 to 0 when\\n FRP is passed legitimately.\\nTest: atest com.android.providers.settings.SettingsProviderTest\\nTest: atest android.provider.SettingsProviderTest\\n(cherry picked from commit 9890dd7f15c091f7d1a09e4fddb9f85d32015955)\\n(changed Global.SECURE\_FRP\_MODE to Secure.SECURE\_FRP\_MODE,\\n needed because this setting was moved in U)\\n(removed static keyword from shouldExcludeSettingFromReset(),\\n needed for compatibility with Java 15 and earlier)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8c2d2c6fc91c6b80809a91ac510667af24d2cf17)\\nMerged-In: Id95ed43b9cc2208090064392bcd5dc012710af93\\nChange-Id: Id95ed43b9cc2208090064392bcd5dc012710af93\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "a6edb0f0e2e35722ff118876f3098934a38b0f76", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java", "new\_id": "2e04cdae2a30420eb8a7aa41adf5dd5ef4dbf661", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java" }, { "type": "modify", "old\_id": "eaf0dcb9b4e797a07e5c2c058c3bbfe260b5024a", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java", "new\_id": "1c6d2b08136c3bda2fee087466e44ee105ce8ec4", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java" } \] }

CVE-2023-40117

An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

For a strategic solution you seek:

*   Cost reduction & risk reduction
*   Efficiency optimisation
*   Embedded regulatory change management
*   Straight through process control
*   Senior management certification obligations
*   Regulatory reporting certainty, globally
*   Machine-readable regulatory reporting readiness

**SaaS**

Reduce your TCO. Let VERMEG handle the IT complexity​

**AGILE MI**

Gain valuable insights from your regulatory data​​

**AGILE Assure**

Bring the DataOps revolution to your regulatory data management ​​

​​

**Digital Transformation**

Extend, customise and innovate with AGILE Design Studio and Veggo ​​

**AGILE Reporter value for our clients**

Calculation & allocation: Comprehensive calculations from Basel III risks to national statistical allocations

Ratios: Credit & Market Risk, Leverage, Liquidity Coverage, Large Exposures, IRFS standard computations, integration of models and own analysis reporting

International reporting: Coverage including EBA & ECB (COREP, AnaCredit etc), and multiple international regulators in EU, UK, US, and MAS, HKMA, APRA and others

Added value: Capital utilisation, CFO & management information, dashboard status, threshold alerts, key performance metrics

Change management: VERMEG regulatory change management includes horizon management, impact analyses, data deltas and reporting update service

Workflow and maximised automation: Validations, variance, trend and other sanity checks achieve optimised straight-through processing

Process control: Enjoy ‘exceptions only’ intervention & instantly traceable attestation & approval audit trail

Sized & delivered to suit you: Choose from enterprise-wide full automation, or local last mile, on premise, in the cloud or Regulatory-Reporting-As-A-Service

Download our brochure about AGILE Reporter (PDF).

Granular Data Reporting – a new paradigm of innovation in regulatory reporting or just new challenges?

**Download the Whitepaper**

**Client stories**

**Client 1  
Tier 1 Domestic Bank**

**Challenge**

*   To find a Regulatory Reporting solution capable of integrating with external calculation and processing capabilities
*   To reduce operational risk
*   To increase reporting consistency and transparency
*   To facilitate accelerated regulatory change management

**Client 2  
Neobank growing from start-up**

**Challenge**

*   To find a partner for its Finance team to assist with regulatory reporting requirements in the immediate term and the future as the organisation evolves and scales to a fully fledged bank.
*   The need for a solution/system that minimises the resource requirements of bank’s teams in the areas of Solution Delivery
*   To find a vendor to provide not just a solution but also subject matter expertise to complement the in house team, and to ensure all new regulatory reporting requirements can be met.

**Solution**

*   Provision of AGILE Reporter’s out of the box integration to Oracle’s OFSAA (Oracle Financial Services Analytical Applications) platform.
*   Improved Straight Through Processing (STP) achieved from direct coupling of outputs from OFSAA Results data to AGILE Reporter.
*   VERMEG Subject Matter Expertise around the interpretation of client requirements and business for reporting purposes and the delivery of the operational process to fulfil these.
*   Ability to incorporate data from sources outside of OFSAA into regulatory reporting workflow to ensure completeness of automated reporting coverage.

**Solution**

*   Full scope automated AGILE Reporter deployment
*   VERMEG regulatory expertise to provide guidance on current and future regulatory requirements
*   Analysis Module to facilitate Bank scrutiny of Regulatory Data
*   Hosted on VERMEG cloud platform (Amazon Web Services)

**Results**

*   Streamlined overall Regulatory Reporting workflow while minimising manual intervention in the process
*   Increased accuracy of reporting results through use of the consolidated platform
*   Transparency of process by providing lineage of reporting data from source to regulatory return

**Results**

*   Automated, end-to-end solution providing population of regulatory returns from source data without manual intervention or work arounds
*   Flexible data mapping that meets the needs of a growing business and an evolving IT Architecture
*   Consistent data lineage from source through to final returns
*   Comprehensive validation checks ensure integrity of regulator submissions
*   Cloud solution minimises burden on Bank’s technical resources with regard to both delivery and ongoing maintenance

****Awards & Certifications****

**VEREMG is delighted to share that we were recently awarded ‘Best Vendor Solution for APRA APS 220′ AND ‘Best MAS 610 Solution’ by the RegTech Insight APAC Awards 2022 for our AGILE Reporter solution.**

Read More

CVE-2022-34834: AgileReporter | Regulatory Reporting Solution by VERMEG

In Memcached before 1.6.22, an off-by-one error exists when processing proxy requests in proxy mode, if \n is used instead of \r\n.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46853: Comparing 1.6.21...1.6.22 · memcached/memcached

baserCMS is a website development framework with WebAPI that runs on PHP8 and CakePHP4. There is a XSS Vulnerability in Favorites Feature to baserCMS. This issue has been patched in version 4.8.0.


*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-29009: Release basercms 4.8.0 リリース · baserproject/basercms

As Israel increases its ground operation in Gaza, the last remaining internet and mobile connections have gone dark.

For more than three weeks, Gaza has faced an almost total internet blackout. The cables, cell towers, and infrastructure needed to keep people online have been damaged or destroyed as Israel launched thousands of missiles in response to Hamas attacking Israel and taking hundreds of hostages on October 7. Then, this evening, amid reports of heavy bombing in Gaza, some of the last remaining connectivity disappeared.

In the days after October 7, people living in Gaza have been unable to communicate with family or friends, leaving them unsure whether loved ones are alive. Finding reliable news about events has become harder. Rescue workers have not been able to connect to mobile networks, hampering recovery efforts. And information flowing out of Gaza, showing the conditions on the ground, has been stymied.

As the Israel Defense Forces said it was expanding its ground operations in Gaza this evening, internet connectivity fell further. Paltel, the main Palestinian communications company, has been able to keep some of its services online during Israel’s military response to Hamas’ attack. However, at around 7:30 pm local time today, internet monitoring firm NetBlocks confirmed a “collapse” in connectivity in the Gaza Strip, mostly impacting remaining Paltel services.

“We regret to announce a complete interruption of all communications and internet services within the Gaza Strip,” Paltel posted in a post on its Facebook page. The company claimed that bombing had “caused the destruction of all remaining international routes.” An identical post was made on the Facebook page of Jawwal, the region’s biggest mobile provider, which is owned by Paltel. Separately, Palestinian Red Crescent, a humanitarian organization, said on X (formerly Twitter) that it had lost contact with its operation room in Gaza and is “deeply concerned” about its ability to keep caring for people, with landline, cell, and internet connections being inaccessible.

“This is a terrifying development,” Marwa Fatafta, a policy manager focusing on the Middle East and North Africa at the digital rights group Access Now, tells WIRED. “Taking Gaza completely off the grid while launching an unprecedented bombardment campaign only means something atrocious is about to happen.”

A WIRED review of internet analysis data, social media posts, and Palestinian internet and telecom company statements shows how connectivity in the Gaza Strip drastically plummeted after October 7 and how some buildings linked to internet firms have been damaged in attacks. Photos and videos show sites that house various internet and telecom firms have been damaged, while reports from official organizations, including the United Nations, describe the impact of people being offline.

Damaged Lines

Around the world, the internet and telecoms networks that typically give web users access to international video calls, online banking, and endless social media are a complicated, sprawling mix of hardware and software. Networks of networks, combining data centers, servers, switches, and reams of cables, communicate with each other and send data globally. Local internet access is provided by a mix of companies with no clear public documentation of their infrastructure, making it difficult to monitor the overall status of the system as a whole. In Gaza, experts say, internet connectivity is heavily reliant on Israeli infrastructure to connect to the outside world.

Amid Israel’s intense bombing of Gaza, physical systems powering the internet have been destroyed. On October 10, the United Nations’ Office for the Coordination of Humanitarian Affairs (OCHA), which oversees emergency responses, said air strikes “targeted several telecommunication installations” and had destroyed two of the three main lines of communications going into Gaza.

The Destruction of Gaza’s Internet Is Complete

Preventative security should be driven by data and risk assessment, not compliance.

As organizations increasingly move their data and workloads to the cloud, securing cloud identities has become paramount. Identities are the keys to accessing cloud resources, and, if compromised, they enable attackers to gain access to sensitive data and systems.

Most attacks we see today are client-side attacks, in which attackers compromise someone's account and use their privileges to move laterally and access sensitive data and resources. To prevent this, you need visibility into your cloud's identity infrastructure. Unless you know the identity of all the people and objects that are accessing systems, their permissions, and their relationships, you won't have the context necessary to effectively assess your risk and take preventative measures.

A number of high-profile attacks illustrate this problem. A compromised cloud identity gave attackers access to SolarWinds' Orion software, where they deployed malicious code to thousands of their customers, including government agencies and Fortune 500 companies. Another example is the Microsoft Exchange attack, in which attackers exploited a vulnerability in Exchange to gain access to email accounts. From there, they stole sensitive data and sent phishing emails in an attempt to compromise other accounts.

For securing the cloud, I advise implementing an approach known as applied risk, which allows security practitioners to make decisions about preventative actions based on contextual data about the relationship between identities and what the downstream impacts of threats are in their specific environments. Here are some practical tips for adopting applied risk.

**Treat Cloud Protection as a Security Project, Not a Compliance Exercise**

For starters, shift your mindset. Gone are the simple days of client-server computing. The cloud environment is a complicated system of data, users, systems, and interactions between all of them.

Checking a series of boxes won't bring greater security if you don't understand how everything works together. Most teams take an unguided approach to preventive security, putting blind faith in the prioritization and remediation strategy put in place years ago. Yet security requires a bespoke approach tailored to every security team based on the organization's broader risk exposure. Not every "critical" alert from a security vendor is necessarily the biggest risk to that specific environment.

To accurately prioritize remediation and reduce risk, you must consider the entire attack surface. Understanding the relationships between exposures, assets, and users help you to determine which issues pose the greatest risk. When you take into account additional context, the "critical" finding may not be the biggest issue.

**Get Visibility Into Your Cloud Identity Infrastructure**

Next, visibility is key. To credibly identify the applied risk, you should do a comprehensive audit of all the identities and access control points in your cloud identity infrastructure. You need to know what resources you have in your environment, whether they're in the cloud or on-premises, how they're provisioned and configured, and other variables.

When securing the cloud, you can't only look at how cloud-specific resources are configured — you have to audit the identity aspect: virtual machines (VMs), serverless functions, Kubernetes clusters, and containers, for instance. One admin may have an account tied to AWS, an Active Directory account with a different role to log into their local systems, an account on GitHub, a Salesforce account, etc. You also have to consider things like the hygiene of the machines that the developers, DevOps, and IT teams are using. A successful phishing attack on a DevOps engineer can have a massive impact on the security posture of your cloud environments.

From there, you should map the relationships between identities and the systems they access. This is an important part of understanding your attack surface. Cloud-native application protection platforms (CNAPPs) are designed to help with this. Having a strong CNAPP platform gives the security team the ability to detect abnormal behavior around a particular identity and detect when configurations start to drift.

**Align Your Different Teams**

Once you have the identities and the relationships mapped out, you need to tie them to vulnerabilities and misconfigurations to determine where you are most vulnerable and start quantifying the applied risk. You can't create an effective remediation strategy without that.

But data and strategy will take you only so far. Teams tend to operate in silos, and each follows prioritization actions based on the specific software they are using, without communication with other teams or alignment on a holistic vision for minimizing risk. Because not every attack surface is the same, you need to structure the organization so that different skill sets can take mitigative action based on the variables specific to their environment.

When teams are coupled more closely, organizational risk drops. Let's say you have a cross-site scripting vulnerability in one of your Web applications. Wouldn't it make sense to prioritize any security or configuration issue associated with the infrastructure running that application? The inverse is also true. Does it not make more sense to address the vulnerability that is running in production or sitting on the Internet versus a vulnerability running in a dev environment with no chance of exploitation?

A large part of the reason security teams work in these silos is because the vendor landscape has kind of forced them to work this way. Until recently, there hasn't been a way to do the things I'm proposing here — at least not for anyone but the 1% of organizations that have vast security budgets and built in-house tools and teams.

To sum up, protecting identities — cloud and otherwise — requires adopting a mindset shift from compliance to a holistic security, applied risk approach that involves gaining visibility into your cloud infrastructure with CNAPP and aligning different teams on prioritizing remediation.

Securing Cloud Identities to Protect Assets and Minimize Risk

### Impact
List endpoints on Flyte Admin has a SQL vulnerability where a malicious user can send a REST requests with custom SQL statements as list filters.

### Workarounds
The attacker needs to have access to the flyteadmin installation (typically either behind a VPN or authentication).

### References
https://owasp.org/www-community/attacks/SQL_Injection#


**Package**

gomod github.com/flyteorg/flyteadmin (Go)

**Affected versions**

< 1.1.124

**Patched versions**

1.1.124

**Description**

**Impact**

List endpoints on Flyte Admin has a SQL vulnerability where a malicious user can send a REST requests with custom SQL statements as list filters.

**Workarounds**

The attacker needs to have access to the flyteadmin installation (typically either behind a VPN or authentication).

**References**

https://owasp.org/www-community/attacks/SQL\_Injection#

**References**

*   GHSA-r847-6w6h-r8g4
*   flyteorg/flyteadmin@b3177ef

 eapolinario published to flyteorg/flyteadmin

Oct 27, 2023

Published to the GitHub Advisory Database

Oct 27, 2023

Reviewed

Oct 27, 2023

GHSA-r847-6w6h-r8g4: Flyte Admin SQL Injection in List Filters

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. 

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-46604

**Apache ActiveMQ is vulnerable to Remote Code Execution**

Critical severity GitHub Reviewed Published Oct 27, 2023 to the GitHub Advisory Database • Updated Oct 30, 2023

**Package**

maven org.apache.activemq:activemq-client (Maven)

**Affected versions**

< 5.15.16

\>= 5.16.0, < 5.16.7

\>= 5.17.0, < 5.17.6

\>= 5.18.0, < 5.18.3

**Patched versions**

5.15.16

5.16.7

5.17.6

5.18.3

maven org.apache.activemq:activemq-openwire-legacy (Maven)

\>= 5.8.0, < 5.15.16

\>= 5.16.0, < 5.16.7

\>= 5.17.0, < 5.17.6

\>= 5.18.0, < 5.18.3

5.15.16

5.16.7

5.17.6

5.18.3

**Description**

Published to the GitHub Advisory Database

Oct 27, 2023

Last updated

Oct 30, 2023

GHSA-crg9-44h2-xw35: Apache ActiveMQ is vulnerable to Remote Code Execution

The North Korea-aligned Lazarus Group has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software.
The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for

The North Korea-aligned **Lazarus Group** has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software.

The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for victim profiling and payload delivery.

"The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control," security researcher Seongsu Park said. "The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques."

The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the 3CX supply chain attack.

The Lazarus Group "continued to exploit vulnerabilities in the company's software while targeting other software makers," Park added. As part of the latest activity, a number of victims are said to have been singled out as of mid-July 2023.

The victims, per the company, were targeted through a legitimate security software designed to encrypt web communications using digital certificates. The name of the software was not disclosed and the exact mechanism by which the software was weaponized to distribute SIGNBT remains unknown.

Besides relying on various tactics to establish and maintain persistence on compromised systems, the attack chains employ an in-memory loader that acts as a conduit to launch the SIGNBT malware.

The main function of SIGNBT is to establish contact with a remote server and retrieve further commands for execution on the infected host. The malware is so named for its use of distinctive strings that are prefixed with "SIGNBT" in its HTTP-based command-and-control (C2) communications -

*   SIGNBTLG, for initial connection
*   SIGNBTKE, for gathering system metadata upon receiving a SUCCESS message from the C2 server
*   SIGNBTGC, for fetching commands
*   SIGNBTFI, for communication failure
*   SIGNBTSR, for a successful communication

The Windows backdoor, for its part, is armed with a wide range of capabilities to exert control over the victim's system. This includes process enumeration, file and directory operations, and the deployment of payloads such as LPEClient and other credential-dumping utilities.

Kaspersky said it identified at least three disparate Lazarus campaigns in 2023 using varied intrusion vectors and infection procedures, but consistently relied on LPEClient malware to deliver the final-stage malware.

One such campaign paved the way for an implant codenamed Gopuram, which was used in cyber assaults targeting cryptocurrency companies by leveraging a trojanized version of the 3CX voice and video conferencing software.

The latest findings are just the latest example of North Korean-linked cyber operations, in addition to being a testament to the Lazarus Group's ever-evolving and ever-expanding arsenal of tools, tactics, and techniques.

"The Lazarus Group remains a highly active and versatile threat actor in today's cybersecurity landscape," Park said.

"The threat actor has demonstrated a profound understanding of IT environments, refining their tactics to include exploiting vulnerabilities in high-profile software. This approach allows them to efficiently spread their malware once initial infections are achieved."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git