Members of the Trickbot and Conti cybercrime gangs have been sanctioned in an unprecedented wave of action against the country’s hackers.

For years, Russia-based ransomware gangs have launched crippling attacks against businesses, hospitals, and public sector bodies, extorting hundreds of millions of dollars from victims and causing untold disruption. And they’ve done so with impunity—but no more. Today, as part of a push to shut down ransomware gangs, the UK and US governments have unmasked some of the criminals behind the attacks. 

In a rare move, officials have sanctioned seven alleged members of notorious ransomware gangs and published their real-world names, dates of birth, email addresses, and photos. All seven of the named cybercriminals are said to belong to the Conti and Trickbot ransomware groups, which are linked and often jointly referred to as Wizard Spider. Moreover, the UK and US are now explicitly calling out links between Conti and Trickbot and Russia’s intelligence services.

“By sanctioning these cybercriminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” UK foreign secretary James Cleverly said in a statement on Thursday. “These cynical cyberattacks cause real damage to people’s lives and livelihoods.”

The seven gang members named by the two governments are: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. All the members have online handles, such as Baget and Tropa, that they used to communicate with each other without using their real-world identities.

On Thursday, the UK’s National Cyber Security Center (NCSC) said it is “highly likely” that members of the Conti group have links to “the Russian Intelligence Services” and that those agencies have “likely” directed some of the gang’s actions. NCSC is part of the UK intelligence agency GCHQ, and this is the first time the UK has sanctioned ransomware criminals.

Similarly, the US Department of the Treasury has concluded that Trickbot Group members are “associated with Russian Intelligence Services.” It added that the group’s actions in 2020 were aligned with Russia’s international interests and “targeting previously conducted by Russian Intelligence Services.”

According to the US Treasury, these members were involved in malware and ransomware development, money laundering, fraud, injection of malicious code into websites to steal login details, and managerial roles. As part of the sanctions, the UK froze assets belonging to the ransomware actors and imposed travel bans on them. The US District Court for the District of New Jersey also unsealed an indictment charging Vitaliy Kovalev with conspiracy to commit bank fraud and eight counts of bank fraud against US financial institutions in 2009 and 2010.

Governments have struggled to get a handle on the growing ransomware threat, in large part because many of the criminal groups operate in Russia. The Kremlin has provided a safe haven for these bad actors—as long as they don’t target Russian companies. Last year, following a string of particularly aggressive and disruptive attacks on US and UK targets, Russian law enforcement did arrest more than a dozen alleged members of the notorious ransomware gang REvil. But Russia has continued to be the origin point for an array of cybercriminal activity, including ransomware attacks.

Alex Holden, the founder of security firm Hold Security, has tracked the Conti and Trickbot groups for the better part of a decade, mapping out their members and activities. Holden says that “unmasking” the criminals can make a difference to their actions. “Ransomware gang members should be afraid of their real names being made public, as they will be forced to run and hide even if they can’t be brought to justice in our legal system,” he says.  

The unmasking of Conti and Trickbot members follows two huge leaks from the criminal gangs in early 2022. After Vladimir Putin’s full-scale invasion of Ukraine in February 2022, members of the Conti gang declared their support for Russia. A Ukrainian cybersecurity researcher who had infiltrated the group reacted by leaking more than 60,000 of its internal chat messages, revealing key details about members and their hacking activities. This was followed by a second leak from Trickbot, weeks later. It is likely that these details have helped law enforcement agencies track down and identify members of the gangs.

Researchers have long concluded that cybercriminals working in Russia have amorphous but crucial connections to the Kremlin, but there has been little clear information, and officials have often been vague about the dynamic. 

Kimberly Goody, a senior manager in cybercrime analysis at the Google-owned security company Mandiant, says details from the leaked chatlogs in early 2022 are consistent with the US and UK linking some elements of the groups to Russian intelligence services. 

The Conti chatlog leak also revealed some potential links between Conti members and the Russian state. The logs show Conti members working on “government topics” for their hacking and illustrate their knowledge of the prominent Kremlin-sponsored hacking group Cozy Bear. Members of Conti also discussed whether they could hack someone linked to open source investigative journalism unit Bellingcat.

The cybercrime group was “inarguably not flying below the radar,” Goody says. “Russia knew about it, and they \[Russia\] have a history of tapping into their community of cyber criminals when it suits them—we saw that with the Dridex sanctions too.” Goody adds that the leaked chats show that other Trickbot members, who were not named in the most recent sanctions, may also have received instructions from people outside Trickbot.

In the summer of 2022, Google’s Threat Analysis Group and IBM’s X-Force both said Trickbot and Conti had shifted focus to attack Ukraine, a move that clearly appeared aligned with Russian interests. The IBM security researchers said they had not seen the group previously targeting Ukraine and called it an “unprecedented shift.”

Over the past decade, governments have increasingly called out state-backed hacking efforts from Russia, China, and other nations, occasionally even revealing the identities of individual government hackers. But researchers say that the focus on naming individual cybercriminals represents an important shift. “We’re now seeing these methods increasingly used with ransomware actors, reflecting the growing priority of cybercrime on national security agendas,” says Jamie Collier, a senior threat intelligence advisor at Mandiant.

But the long-term impact of unmasking ransomware groups is unclear. While the Conti group, for example, disbanded in June 2022 after hacking the government of Costa Rica, its members are thought to have continued their criminal activities, seemingly joining the Quantum, Royal, and Black Basta ransomware groups. But for victims who have faced the disruption and financial devastation of cybercrime, aggressive new action from world governments can’t come soon enough.

Russia’s Ransomware Gangs Are Being Named and Shamed

AI and phishing-as-a-service (PaaS) kits are making it easier for threat actors to create malicious email campaigns, which continue to target high-volume applications using popular brand names.

Phishing is having a moment, with a massive spike in campaign volumes in the latter half of 2022. In fact, total phishing emails increased by 61% in the second half, according to an analysis this week. That could also be set to accelerate, as the rise of ChatGPT and other new tools are making their mark on the sector too. 

That's according the "Q4 2022 Phishing and Malware Report" from email security firm Vade, published Feb. 9. Phishing volumes increased 36% between the third and fourth quarters, with researchers tracking 278.3 million unique phishing emails in the last three months of the year, according to the report.

Malware volumes overall also increased, 12% quarter for quarter, with Vade detecting 58.9 million emails in the fourth quarter of 2022 that included malware, the researchers found.

Email remains the top channel for distributing phishing and malware, giving hackers a convenient, scalable, and efficient vehicle for exploiting users and compromising accounts, Todd Stansfield, content marketing manager, noted in the report.

"Email threat activity continues to increase, creating the need for organizations of all sizes to fortify their cybersecurity," he wrote.

Breaking down the numbers by the month, phishing volumes remained relatively stable through the first half of the fourth quarter, with 62.3 million phishing emails tracked in October and 47 million in November, according to the report.

Then, as is typical during the annual holiday season — in which phishers use a range of year-end and holiday-themed lures to try to snare victims — December saw a big jump in phishing emails with 169 million, representing a 260% month-over-month increase, the researchers found. This pattern is similar to what happened in the fourth quarter of 2021, they said.

**Reliable Targets & Tactics**

In terms of who they target and how they do it, phishing threat actors aren't getting especially creative given the current way enterprise users work and collaborate.

Facebook remained the top brand in terms of impersonation for the second consecutive quarter, with researchers observing 6,700 unique phishing URLs impersonating the social networking giant in the fourth quarter of 2022, they reported. The company was followed by Microsoft, PayPal, Google, and Netflix in descending order as the brands that threat actors prefer to impersonate.

In terms of targets threat actors continued to find value in campaigns targeting productivity applications, for which they have a wide pool of corporate users and are most likely to find success, the researchers found. Microsoft 365, which has more than 345 million users, and Google Workspace, the second-most popular productivity suite, continued to be the top targets for phishers in the second half of 2022, according to Vade.

"With the growing popularity of productivity suites, users are increasingly using email to access and use productivity apps such as file sharing and instant messaging," Stansfield wrote, adding that threat actors have taken notice and are crafting phishing campaigns to target the specific behavior of corporate productivity-suite users.

**AI & New Tools Bolster Phishing**

While some things remained the same in terms of phishing campaigns, changes are afoot in other aspects of this type of threat, the researchers found. In particular, new tools have emerged that can make anyone, even with limited skills, a phishing threat actor thanks to more sophisticated phishing-as-a-service (PaaS) kits, and the meteoric rise in popularity of the AI platform ChatGPT.

"By purchasing a phishing kit, novice hackers can deploy highly convincing and effective schemes against their targets," Stansfield acknowledged.

One recent enhancement to these kits is the ability to automatically localize phishing pages based on a victim's native language, a handy tool that allows threat actors to target various regions quickly without being multilingual themselves, the researchers said.

The feature works by identifying the language settings of the targeted user's browser and leveraging it to update and display the phishing page accordingly. While improving the contextual accuracy of each phishing attack, the new feature also enables hackers to target users across multiple languages using a single kit, thus increasing the reach of their campaigns, according to Vade.

ChatGPT — the chatbot that can assist anyone in producing instantaneous, high-volume content that's already become notorious for its cybersecurity implications since its November release by OpenAI — also is becoming a phisher's best friend, according to Vade analysts.

Hackers can weaponize ChatGPT to produce sophisticated phishing kits efficiently by using commands that empower the AI tool to write phishing emails and malicious code in seconds, they said.

**Protecting the Enterprise From Phishing**

With phishing showing no sign of letting up despite being one of the oldest forms of cybercriminal activity, it's clear enterprises need to roll with the changes in the technology landscape just as attackers are.

"In the past year, nearly seven out of 10 businesses experienced a serious data breach that bypassed their email security," Stansfield noted, citing previous research from Vade.

Moreover, the problem with phishing is that it doesn't just end with an attacker giving up credentials, but ultimately, they can use these credentials as a way into corporate networks to steal data, distribute ransomware and other malware, and engage in other nefarious activity.

Enterprises need to move beyond traditional email security solutions and adopt ones that can respond to the more sophisticated tactics of attackers, the researchers said. Specifically, collaborative and AI-enhanced solutions that can provide "predictive defense against known and unknown threats using the latest threat intelligence and a core set of AI technologies," are the way forward, Stansfield said.

Indeed, just as AI is empowering attackers through technology like ChatGPT, it also can empower enterprises with new types of security, Adrien Gendre, co-founder and chief tech and product officer at Vade, tells Dark Reading.

"On the flip side, we use AI to detect anomalies in email, from the content itself to the behavior of files that might be included in those emails," he says. "There will be a battle between what you might call good and bad AI."

If phishing emails do slip through an organization's security protections, training employees to identify phishing emails before they click on them can also be a reliable way to prevent credential or malware compromise before it occurs, Scott Caveza, senior research manager at cyber exposure management firm Tenable, tells Dark Reading.

"Phishing attacks continue to be successful as they target our weakest link in security, humans," he says. "Regardless of the author of the email, be it AI or an actual human, organizations need to invest in and develop mature security programs where security awareness training, including specific training on spotting phishing attacks, are priorities for the organization."

Phishing Surges Ahead, as ChatGPT & AI Loom

By Habiba Rashid
The stolen Weee! database has been leaked on the infamous BreachForums and Russian-speaking cybercrime forums.
This is a post from HackRead.com Read the original post: Weee! Grocery Service Hacked, 1.1m Accounts Leaked

In total, hackers managed to steal 11.3 million order details, including 1.1 million email addresses belonging to Weee! customers.

A data breach affecting the US-based online grocery delivery platform, Weee!, has resulted in 1.1 million customers’ data being leaked online. On Monday, a threat actor named IntelBroker posted the database on BreachForums.

It is worth noting that BreachForums is a hacker and cybercrime forum that surfaced as an alternative to the popular and **now-seized Raidforums**.

Hacker announcing the breach (Screenshot: Hackread.com)

“Weee!” is particularly popular amongst Asian and Hispanic communities, delivering food across 48 states in the USA via warehouses spread throughout the country. Its delivery app has been downloaded over 2.6M times. 

The breach forum post reads, “In February 2023, a database of 11 million customers belonging to Sayweee was stolen by hackers.”

However, security researcher Troy Hunt of Have I Been Pwned, a data breach notification service, confirmed that the leaked data only includes 1.1 million unique email addresses. The additional entries are likely due to multiple orders placed by the same customer.

The leak contains information such as Weee! customers’ first and last names, email addresses, phone numbers, device type (iOS, PC, Android), order notes, dates, and other data the delivery platform uses.

Sample data as seen by Hackread.com

Some of the logs also included delivery notes that customers of Weee! left for couriers, such as codes to enter residential or office buildings.

The company’s spokesperson stated that “Weee! is aware that a data breach has affected some of its customers.” They also confirmed that the breach did not impact user financial data, as the online grocery delivery platform does not retain any payment details.

“For customers that placed an order between July 12, 2021, and July 12, 2022, information such as name, address, email addresses, phone number, order number, and order comments may have been impacted,” the company’s representative said.

“We have notified all customers of the issue and will be notifying all impacted customers individually if their information was exposed,” Weee!’s spokesperson explained.

“Security is a top priority for us and we are undertaking a thorough review to ensure we continue to deliver on the trust the Weee! Community places in us.”

The personally identifiable information (PII) in the leak can be abused by hackers in numerous ways. Exposed home addresses put users at a heightened risk of targeted scams and spear phishing campaigns, tracking, and unwanted contact.

On the other hand, leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud. In extreme cases, PII information could be used by attackers to attempt identity fraud. 

1.  Uber Eats User records leaked on Dark Web
2.  Google-funded delivery service Dunzo hacked
3.  Chowbus food delivery service suffers breach
4.  Instant Checkmate and TruthFinder Data Leaked
5.  Foodora data breach 700k users in 14 countries affected

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Weee! Grocery Service Hacked, 1.1m Accounts Leaked

Red Hat Security Advisory 2023-0560-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include bypass, cross site request forgery, cross site scripting, denial of service, deserialization, and improper authorization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: OpenShift Container Platform 4.10.51 security update  
Advisory ID:       RHSA-2023:0560-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0560  
Issue date:        2023-02-08  
CVE Names:         CVE-2020-7692 CVE-2022-25857 CVE-2022-30946   
                   CVE-2022-30952 CVE-2022-30953 CVE-2022-30954   
                   CVE-2022-36882 CVE-2022-36883 CVE-2022-36884   
                   CVE-2022-36885 CVE-2022-43401 CVE-2022-43402   
                   CVE-2022-43403 CVE-2022-43404 CVE-2022-43405   
                   CVE-2022-43406 CVE-2022-43407 CVE-2022-43408   
                   CVE-2022-43409 CVE-2022-45047 CVE-2022-45379   
                   CVE-2022-45380 CVE-2022-45381   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.10.51 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.10 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

Security Fix(es):

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43401)  
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:  
Groovy Plugin (CVE-2022-43402)  
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43403)  
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43404)  
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in  
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)  
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in  
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)  
* google-oauth-client: missing PKCE support in accordance with the RFC for  
OAuth 2.0 for Native Apps can lead to improper authorization  
(CVE-2020-7692)  
* snakeyaml: Denial of Service due to missing nested depth limitation for  
collections (CVE-2022-25857)  
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be  
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)  
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)  
* jenkins-plugin/script-security: Whole-script approval in Script Security  
Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)  
* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin  
(CVE-2022-45380)  
* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability  
in Pipeline Utility Steps Plugin (CVE-2022-45381)  
* Jenkins plugin: CSRF vulnerability in Script Security Plugin  
(CVE-2022-30946)  
* Jenkins plugin: User-scoped credentials exposed to other users by  
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)  
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)  
* Jenkins plugin: missing permission checks in Blue Ocean Plugin  
(CVE-2022-30954)  
* jenkins-plugin: Cross-site Request Forgery (CSRF) in  
org.jenkins-ci.plugins:git (CVE-2022-36882)  
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
(CVE-2022-36883)  
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
(CVE-2022-36884)  
* jenkins plugin: Non-constant time webhook signature comparison in GitHub  
Plugin (CVE-2022-36885)  
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be  
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)  
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:  
Supporting APIs Plugin (CVE-2022-43409)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization  
2116840 - CVE-2022-36882 jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git  
2119643 - CVE-2022-30946 Jenkins plugin: CSRF vulnerability in Script Security Plugin  
2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin  
2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin  
2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin  
2119656 - CVE-2022-36883 jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
2119657 - CVE-2022-36884 jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
2119658 - CVE-2022-36885 jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin  
2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin  
2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin  
2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin  
2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin  
2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin  
2143086 - CVE-2022-45380 jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin  
2143089 - CVE-2022-45381 jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin  
2143090 - CVE-2022-45379 jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions  
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

6. Package List:

Red Hat OpenShift Container Platform 4.10:

Source:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el7.src.rpm

x86_64:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.10:

Source:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.src.rpm  
jenkins-2-plugins-4.10.1675144701-1.el8.src.rpm

aarch64:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64.rpm

noarch:  
jenkins-2-plugins-4.10.1675144701-1.el8.noarch.rpm

ppc64le:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le.rpm

s390x:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x.rpm

x86_64:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7692  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-30946  
https://access.redhat.com/security/cve/CVE-2022-30952  
https://access.redhat.com/security/cve/CVE-2022-30953  
https://access.redhat.com/security/cve/CVE-2022-30954  
https://access.redhat.com/security/cve/CVE-2022-36882  
https://access.redhat.com/security/cve/CVE-2022-36883  
https://access.redhat.com/security/cve/CVE-2022-36884  
https://access.redhat.com/security/cve/CVE-2022-36885  
https://access.redhat.com/security/cve/CVE-2022-43401  
https://access.redhat.com/security/cve/CVE-2022-43402  
https://access.redhat.com/security/cve/CVE-2022-43403  
https://access.redhat.com/security/cve/CVE-2022-43404  
https://access.redhat.com/security/cve/CVE-2022-43405  
https://access.redhat.com/security/cve/CVE-2022-43406  
https://access.redhat.com/security/cve/CVE-2022-43407  
https://access.redhat.com/security/cve/CVE-2022-43408  
https://access.redhat.com/security/cve/CVE-2022-43409  
https://access.redhat.com/security/cve/CVE-2022-45047  
https://access.redhat.com/security/cve/CVE-2022-45379  
https://access.redhat.com/security/cve/CVE-2022-45380  
https://access.redhat.com/security/cve/CVE-2022-45381  
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+QTVdzjgjWX9erEAQgHxxAAmUboUHNQ9M5CgissfKumBufrMEUuzGFP  
ZO6+GFZCQurdJh5b+Lz4paVoAuHUWXvMRZD9+qXXDGYzygmV+oHyV4wg+NhJOtxH  
DgS4ycst/Y+8jAQca3sSD5odomDFihjv+/kF2RUVq5/TvaYoJQnwyvBDt5ZDd0h5  
HkulLaK6hzdpFbTtK4ghDEcWIs+CMfitIiXeHg9GReFC4aOLsaOSyjec3VOA+3YY  
tWOaIV1x4XZkadyLsMTau9OAojbrk5rg1xh9itD/WzoAWvO0cTIA4NzyOYL4BuAf  
Sf7VNdHkdL0f0M++nlNZ6MWk3aZHkQ3JDlrHLLmT5olNC709accibk4cwbOqqKto  
5ClfAJiD1qgVUEKI+MwEp0hxuBeNOPcWH3y6jn9BFkUVGE5U6FQkKfbFUSrRMj04  
564ZuOg0ZPSA3Byd6jvJmoIOa+yyI2sJAWC0baIdS58Yk/G+EoHEziwcia73zH5k  
HzbeXwvL8NATXXQuDNE+Y9UUV8uXOhVZ8R1KVFMA3qUQ2aoR5AC7+QT0BtYTmnr8  
zPczSDrv/pAdOnEeO/+J9PWU8xXQ2miFmO8RT6vLKsXvAD1hB219obMhHFSyr1Fe  
zxzurEtRn8kB5N4Y4rC6+clvoma8hoM8L6jHYbEMXRYwzNqXOOrS+Y0eBofYqJW5  
IASUN1Di0QY=  
=I8d3  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0560-01

CKSource CKEditor5 version 35.4.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Cross Site Scripting in CKSource's CKEditor5 35.4.0# Google Dork: N/A# Date: February 09, 2023# Exploit Author: Manish Pathak# Vendor Homepage: https://cksource.com/# Software Link: https://ckeditor.com/ckeditor-5/download/# Version: 35.4.0# Tested on: Linux / Web# CVE : CVE-2022-48110CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting(XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data.An attacker can execute arbitrary script in the browser in the context ofthe affected site. This can allow the attacker to steal cookie-basedauthentication credentials and launch other attacks.CKEditor5 version 35.4.0 is tested & found to be vulnerable.Documentation avaiable athttps://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#securitySecurity Docs Says """The HTML embed feature does not currently executecode in <script> tags. However, it will execute code in the on* andsrc="javascript:..." attributes."""Payload:<div class="raw-html-embed">    <script>alert(456)</script></div>

CKSource CKEditor5 35.4.0 Cross Site Scripting

An active defense posture, where the defenders actively use threat intelligence and their own telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt threat actors.

Thursday, February 9, 2023 08:02

**Active defense a key approach to protecting against major threats**

Having an active defense posture, where the defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt down threat actors inside their environment, putting a halt to their malicious activities before they can fully accomplish their goals.  

Ransomware compromises, which usually involve data exfiltration, are not fast nor swift. Attackers need time to find their way in the network, including identifying the databases with the relevant information they are seeking, to exfiltrate the information and finally to deploy the ransomware. This is the time window when an active defense strategy can make the most impact, by looking from the inside out: The perimeter was already compromised, no relevant alerts were raised, and the attackers have already begun to carry out their malicious activities within the victim’s network.  

Conducting periodic threat hunting exercises increases the chances of detection. However, despite the potential benefits of threat hunting, the odds are against defenders, as the hunter has limited time and resources, their target is unknown, and the type of activity the defender is searching for is often undefined. As threat hunting becomes more routine and as the hunter becomes more familiar with the environment, this exercise will become more efficient, the findings and analysis will become more useful, and the defender’s visibility of the environment will improve.  

Besides the possible detection results, there are two important outcomes of threat hunting:  

*   **Identifying weak spots in the organization’s overall defense.** By analyzing successful detections at a deeper level, defenders can understand what failed and on which levels.  
    
*   **Exposing the blindspots in defenders’ network visibility.** Threat hunting is about analyzing the available information and searching for what shouldn't be there as well as identifying potentially useful data that we don’t have access to.  This type of assessment provides valuable information on what can be improved in the visibility of the environment.  
    

There is no “one size fits all” approach or “magic bullet” solution that will get organizations to their best defense posture. Rather, it's an iterative process that greatly improves with repetition. Threat hunting supports—and can dramatically improve—active defense, particularly when hunt results can be leveraged to  improve the environment. In the next sections, we introduce some of the quick wins that can help organizations implement an effective active defense approach.  

**Monitor DNS queries**

Monitoring the domain name system (DNS) queries provides a unique view into what is going on in the network. Analyzing the DNS query logs and singling out the systems that resolved recently created domains provides a good starting point. The analysis of known malicious domains should also be done, as that would provide visibility into the effectiveness of the first line of defense. Keep in mind that this is about searching for what was not detected, as known malicious domains should already be blocked.  

On the other hand, If a compromise did occur, the DNS query logs may also provide a good source of information about the adversary’s actions and the extent of their malicious activities on the network.

**Create high-priority alerts**

Implement high-priority triggers with near-zero false positive alerts. No organization has unlimited resources to monitor security events, as alert fatigue is a real problem in security operation centers. High-priority triggers won’t eliminate security incidents, but they will help focus on critical events.There are two types of these triggers: generic and intelligence-driven.  

The generic triggers are those that are designed to alert in the event of abnormal behavior usually triggered by attackers while trying to establish a foothold or while in search of relevant information. Here are a couple of examples of such triggers:  

*   Canary accounts - Accounts that are not used by the organization but are instead intended to lure malicious actors to use in their operations. Create triggers to events regarding these accounts’ usage.  
    
*   Monitor and raise alerts on administrative accounts - Newly created accounts where privileges are added, or password changes on already existing accounts are good events to monitor.  
    
*   Domain controllers contacting unknown systems - Communications on the domain controllers should be well known. Any communication starting from a domain controller to an unknown system should be targeted for in-depth analysis.  
    
*   Profile key systems’ dual usage tools executions - Attackers often hide their actions by using dual-use tools. Starting with the critical systems, profile the execution of such tools so that abnormal usage can be detected and investigated.  
    
*   Remote administration tools - Having a well-known usage pattern of such tools allows defenders to monitor for  unusual or anomalous usage.  
    

Intelligence-driven triggers, by comparison, are created by analyzing the dynamic tactics, techniques, and procedures (TTPs). Therefore, these triggers should alert on adversaries’ behaviors rather than more static indicators of compromise (IOCs), such as known lists of IPs or domains. Such activity should be detected by basic cyber security tools that are already in place, and these triggers should cover the TTPs generically used by threat actors that are applicable to one's organization. For example, if your organization doesn't use ConnectWise, TeamViewer or Anydesk, create a trigger in your monitoring system that will generate a high-priority alert whenever those tools are executed, as they are commonly used by threat actors. If a defender concludes that there is no way to create such an alert, then a blindspot has been found. The resolution of such an issue should be prioritized based on that organization’s resources and other competing issues that require attention.

**Perform root cause analysis on deep alerts**

The most important question a threat hunter must try to answer while doing detection systems log analysis is, “How did the malware get to the endpoint?” Deep alerts like this, that come from the most inner layer of the security architecture, need to be analyzed.  

Most organizations have a multi-layered, in-depth security architecture. When an endpoint defense system detects and blocks some malicious software, this is good news for the defenders. It's also an opportunity for the threat hunter to identify and improve the security in the organization. Having a multi-layered and in-depth architecture means that there are several security systems between the production systems and the untrusted environments. If a threat was detected and stopped in an organization’s most inner systems, then some outer layer defense failed.  

Conducting a root cause analysis is essential to determining what failed and how, as this will provide invaluable information to the continuous improvement process.  There can be multiple explanations for initial infection. For example, an endpoint can be compromised somewhere else and then connected to the organization’s environment, or credentials can be compromised and used to establish a malicious VPN connection.

**Monitor communications on critical systems**

Critical systems’ communications patterns can be the first high-priority alert indicating the potential exfiltration of information. Organizations don’t have infinite resources, and not all systems have the same value.  For example, a file server will have communications from a lot of systems, but not all systems/endpoints will transfer an abnormal quantity of information in a short amount of time. Or, if all the systems in the environment must use a local DNS server if a system attempts to contact Google or Cloudflare DNS servers, those systems should probably be reviewed. Having a list of critical systems is one of the basic steps that organizations with a mature security posture can take to help detect malicious activity early.  

**Improve your visibility**

Having good visibility into what is happening in the defender's environment is the first step to  performing threat hunting. However, the mere exercise of threat hunting will also show defenders if there are any blindspots, thus providing opportunities for improvement. Visibility should also be seen as a powerful source of information when recovering from a compromise. Organizations often don’t have the means to implement a complete, comprehensive detection system on their entire environment. However, that does not mean that some kind of logging should not be performed. Logs may be extremely relevant during the recovery phase of a compromise. Knowing how and when a compromise occurred, even after the fact, is crucial. Proper logging can be extremely useful in determining this information, especially when analyzed from a threat hunter’s point of view, so that they can also provide information that leads to the development of proper detections.  

**Deploy tiered accounts**

Have administration accounts that are only used on specific systems. Not all systems need to contact all the systems or the internet, and, likewise, not all accounts need to be used on all systems, especially if they are high-privilege accounts. Have specific domain administrator accounts, which are only used on domain controllers, complemented by second-tier administrator accounts. This tiering is done at the functional level and not at the privilege level. These two different account tiers may ultimately have the same privileges, but by tiering their access based on their functions,  it’s possible to set high-priority alerts to trigger when they behave abnormally.

Beyond the basics: Implementing an active defense

The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason.
The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation.
"The threat actor

Threat Intelligence / Malware

The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason.

The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation.

"The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours," Cybereason said in an analysis published February 8, 2023.

Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads.

The shift in tactics was first uncovered by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files that are served through compromised WordPress sites ranked higher in search engine results through poisoning techniques.

The attack chain relies on luring victims searching for agreements and contracts on DuckDuckGo and Google to the booby-trapped web page, ultimately leading to the deployment of Gootloader.

The latest wave is also notable for concealing the malicious code within legitimate JavaScript libraries such as jQuery, Chroma.js, Sizzle.js, and Underscore.js, which is then used to spawn a secondary 40 MB JavaScript payload that establishes persistence and launches the malware.

In the incident examined by Cybereason, the Gootloader infection is said to have paved the way for Cobalt Strike and SystemBC to conduct lateral movement and possible data exfiltration. The attack was ultimately foiled.

The disclosure comes amid the ongoing trend of abusing Google Ads by malware operators as an intrusion vector to distribute a variety of malware such as FormBook, IcedID, RedLine, Rhadamanthys, and Vidar.

The evolution of Gootloader into a sophisticated loader is further reflective of how threat actors are constantly seeking new targets and methods to maximize their profits by pivoting to a malware-as-a-service (MaaS) model and selling that access to other criminals.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

By Deeba Ahmed
Kubernetes' creator ARMO announced the integration in a blog post on February 7th, 2023.
This is a post from HackRead.com Read the original post: ARMO integrates ChatGPT to secure Kubernetes

ARMO Custom Controls Powered by ChatGPT enables users to quickly create custom controls based on Open Policy Agent (OPA) to solve their unique security needs.

The creator of the open-source Kubernetes security platform Kubescape, ARMO, has announced the integration of **ChatGPT AI** into the platform. This is achieved by building Open Policy Agent (OPA) based custom controls.

With ARMO Custom Controls powered by ChatGPT, users can address their security needs, such as securing Kubernetes clusters and **CI/CD pipelines**, ensuring they are configured correctly, and following security policies.

For your information, OPA is a standard for security policies constructed using the Rego declarative language. However, Rego is not a widely known or used language, and users may find it confusing and complicated.

Kubernetes clusters, on the other hand, have been under malware attacks over the years. This includes **cryptomining malware**, as well as malware like **Siloscape**.

**What are the Benefits of Integrating AI?**

ARMO Custom Controls will pre-train **ChatGPT** to comply with Rego and additional aspects to utilize and harness the full power of AI, producing custom-made controls via natural language.

The user will get the complete OPA rule that ChatGPT produces, a natural language description of the rule, and a recommended remediation process for quickly fixing the failed control without needing to learn a new language.

This allows users to run the new AI-generated control locally and use it live. They will soon be able to save it as an ARMO Platform custom control. These custom controls can be submitted as pull requests to the public registry library of Kubescape so that all Kubescape users can benefit from them.

Shauli Rozen, founder and CEO of ARMO, **stated** that the Kubernetes custom controls are the ideal use case for generative AI.

“By giving ChatGPT some important background and context first, ARMO Platform users can harness it to create custom controls and policies in seconds, complete with descriptions and suggested remediations.”

**Google and Microsoft Also Announce AI Integration**

It is worth noting that all mainstream tech firms are gearing up to integrate AI into their frameworks. On Tuesday, Microsoft **announced** a new version of Bing and Edge featuring a copilot and chat powered by the next-gen OpenAI language model, which is considered more powerful than ChatGPT. According to Microsoft, the new features will help optimize the web search experience for the user.

As **reported by Hackread.com**, Google has also launched its own AI-powered chatbot, dubbed Bard, to compete against ChatGPT. Bard is yet to be rolled out to the public, as it is undergoing a testing phase.

ARMOS’s integration with ChatGPT highlights the chatbot’s potential for helping security teams deploy security controls across the cloud in containerized network environments.

1.  **How to use AI in cybersecurity?**
2.  **11 Best Types of Legal Software For Law Firms**
3.  **AI-Powered Glasses Give Deaf Power of Speech**
4.  **AI-based Model to Predict Extreme Wildfire Danger**
5.  **This AI Generates Unique and Free Bored Ape NFTs**

ARMO integrates ChatGPT to secure Kubernetes

In the cloud-first world, the security goal is to ensure only qualified users can access information across clouds.

The rise of multicloud environments brings with it the need to understand how to implement security policies across each cloud provider. The fact that each of the big three — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — uses different nomenclature and configurations makes it that much more complicated to create a seamless and secure virtual network.

A pair of researchers shared their practical advice on how to secure one piece, identity and access management (IAM), at Black Hat USA 2022.

"If there is one thing we would like you to take from this specific session, it is that IAM is the backbone service. It is the core service. It is the gateway that controls every access to your cloud resources, and it must be protected," said Igal Gofman, Ermetic's head of security, who presented "IAM the One Who Knocks" with Noam Dahan, Ermetic's research lead.

**Multiple Strategies for Multiple Clouds**

Organizations have several reasons for using multiple clouds, as Gofman listed off: adding in redundancy for better stability, reducing costs, taking advantage of multiple vendors' marquee features, and having conflicting platform requirements from different projects. But when you split resources among various clouds, he added, you need to be aware of and accommodate for the differences between how the platforms function.

"It's hard enough to be an expert on one cloud platform," Gofman said. "But often we copy features and routines from one platform to another. And those may work differently from what we expect at the beginning."

Dahan then drilled down on the ins and outs of logging features from Azure, AWS, and GCP. Besides using logging for detection and incident response, he said it is good for improving the permissions process.

"In order to know whether you can take permissions away from someone, what you would usually do is try to examine the logs and see what they're actually using, a sort of 'use it or lose it' philosophy," he explained.

There are two main approaches to issuing permissions, Dahn said: sculpting from marble or sculpting from clay. Marble means starting with a full raft of permissions and then chipping away until you reach minimum necessary permissions; this can end up too permissive because you don't want to remove too much. Clay means building up permissions until you have enough. Security staff likes this model, Dahan said, but developers hate it because they don't know what permissions they will need down the road. He recommended a hybrid approach of starting with a smaller hunk of permissions and then building up in places as needed.

**Who's at the Door?**

The title of the talk comes from the TV series _Breaking Bad_, when science-teacher-turned-meth-kingpin Walter White reacts to a friend warning him that he's in danger of someone coming to his door and killing him. White, incensed, asserts that he is the dangerous one by saying, "I am the one who knocks." Perhaps IAM is the stand-in for White — it looks basic and unassuming, but underestimating its power is dangerous. Or maybe it's just a turn of phrase.

Building Up IAM in a Multicloud World

Bosch Security Systems B420 firmware 02.02.0001 employs IP based authorization in its authentication mechanism, allowing attackers to access the device as long as they are on the same network as a legitimate user.

Product: B420 Firmware Version: 02.02.0001 IP Stack Version: 1.3.2 AES Lib Version: 01.00.0000 Vendor: Bosch Security Systems Vulnerability: Improper Access Control Description: An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can access gain access to the same panel without requiring any sort of authorization. Severity CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H \[High 7.8\] References: https://resources-boschsecurity-cdn.azureedge.net/public/documents/Installation\_Manual\_all\_4674592907.pdf https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i\_?usp=sharing

Tag

#google