Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon,…

Aftermath of MOVEit vulnerability: Data vigilante ‘Nam3L3ss’ leaks nearly 8 million employee records from industry giants like Amazon, 3M, HP, and Delta, exposing cybersecurity flaws across major firms.

A “Data Vigilante” using the alias Nam3L3ss has leaked millions of employee records from global industry giants, in connection with the widespread **MOVEit vulnerability**. For your information, the MOVEit flaw is a security vulnerability in the MOVEit file transfer software, which many organizations use to share sensitive data.

Nam3L3ss, who denies being a hacker, began leaking the data on Friday, November 8, 2024. So far, sensitive and non-sensitive records from 27 companies, totalling 7,952,414 employee records, have been exposed. This includes 2,861,111 records from Amazon employees, a breach acknowledged by the company.

“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” Amazon spokesperson Adam Montgomery told Hackread.com. “The only Amazon information involved was employee work contact information, for example, work email addresses, desk phone numbers, and building locations.”

****Data Analysis****

The Hackread.com research team conducted an in-depth analysis of each file leaked by Nam3L3ss, revealing that the data includes full names, email addresses, phone numbers, office addresses, residential addresses, company names, location coordinates, and more.

****List of Affected Companies and Employee Counts****

    3M: 48,630 employees
    
    HP: 104,119 employees
    
    Delta: 57,317 employees
    
    MetLife: 585,130 employees
    
    Amazon: 2,861,111 employees
    
    McDonald's: 3,295 employees
    
    Lenovo: 45,522 employees
    
    TIAA: 2,464,625 employees
    
    CalSTRS: 422,311 employees
    
    BT: 15,347 employees
    
    URBN: 17,553 employees
    
    Leidos: 52,610 employees
    
    UBS: 20,462 employees
    
    HSBC: 280,693 employees
    
    Firmenich: 13,248 employees
    
    U.S. Bank: 114,076 employees
    
    Canada Post: 69,860 employees
    
    Westinghouse: 18,193 employees
    
    Rush University: 15,853 employees
    
    Omnicom Group: 37,320 employees
    
    Charles Schwab: 49,356 employees
    
    City National Bank: 9,358 employees
    
    Applied Materials: 53,170 employees
    
    Cardinal Health: 407,437 employees
    
    Bristol-Myers Squibb: 37,497 employees
    
    TIAA (additional listing): 23,857 employees
    
    Fidelity Investments: 124,464 employees

List of targeted companies (Screenshot credit: Hackread.com)

****Nam3L3ss’s Manifesto: Motivation and Methodology****

In a post on Breach Forums, Nam3L3ss outlined their “manifesto” to explain who they are and why they’re leaking data. According to the post, they monitor misconfigured and unsecured cloud databases across various services, including AWS Buckets, Azure, Digital Ocean, Google, and FTP and MongoDB servers, to extract and make this data public.

Nam3L3ss also claims to monitor ransomware groups, analyze stolen data, clean it by removing duplicates and irrelevant information, and then release it online. For example, the leaked MetLife employee directory originated from MetLife, a global financial services firm that suffered a ransomware attack in 2023.

Nam3L3ss intro and Manifesto (Screenshot credit: Hackread.com)

The Cl0p ransomware gang exploited MOVEit extensively, targeting hundreds of organizations worldwide. They even **created clear web websites to leak** the stolen data in July 2024.

**Ferhat Dikbiyik**, chief research and intelligence officer at Black Kite, weighed in on the recent Amazon data breach, explaining, that Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities.

“Amazon’s recent data breach traced back to a third-party vendor’s use of the MOVEit tool, is another wake-up call for the supply chain’s hidden vulnerabilities. The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third and even fourth-party vendors,” Ferhat said.

“We’ve identified over 600 MOVEit servers that were likely caught in this “spray” attack—leaving a vast field of potential targets,” he explained. “CL0P ransomware, the group exploiting this flaw, named 270 victims within three months, and the count is still rising.”

“With 200 to 400 organizations speculated to have paid ransoms, the real impact stretches far beyond these numbers. This breach emphasizes that ransomware risk doesn’t stop at your company’s doorstep. In today’s ecosystem, exposure management must extend across the entire supply chain to truly defend against the next big attack.”

****Data Vigilante?****

Although the term Data Vigilante is debatable, Nam3L3ss expresses frustration with companies and government institutions for failing to secure their networks. By leaking this data, they aim to raise awareness about data security and encourage better cybersecurity practices.

****Implications of the Data Leak and Advice to Employees****

Although passwords and financial details weren’t included in the leaked files, the exposure poses significant risks to companies and employees. Threat actors, especially state-sponsored groups like **North Korea’s Lazarus Group**, are known to exploit such data to initiate phishing scams, steal cryptocurrency, and access financial information that could aid their **country’s economy**.

If you work for one of the affected companies, be on the lookout for phishing scams via email, SMS phishing (smishing), and voice phishing (vishing) attempts, as attackers may try to exploit this data for further scams.

1.  Hacker Leaks Thousands of Microsoft and Nokia Employee Details
2.  Hackers Calling Employees to Steal VPN Credentials from US Firms
3.  Hacker Leaks Data of 33K Accenture Employees in 3rd-Party Breach
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore

Data Vigilante Leaks 8 Million Employee Records from Amazon, HP and Others

CISA should make its recommended goals mandatory and perform audits to ensure compliance.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024

5 Min Read

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY  
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)" are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA. 

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.    

**Is the Honor System Good Enough?**

With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation's technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?  

I'd argue for a much more aggressive approach from our federal government. Given the potential for widespread disruptions inherent with any cybersecurity failure, we can't afford to take such a lax attitude toward securing our systems. The sanctity of our nation's airlines, power grids, and other critical infrastructure relies on stringent cybersecurity measures. Merely "suggesting" that companies institute basic protocols is not enough. We need to mandate it — and punish those who fail. 

**The EU's Higher Standard**

I look at the European Union's approach to setting standards for its electronic devices. In 2022,  the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU's stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device. 

The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. Effective. 

You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state's air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years. 

For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced. 

**Adopting a Similar Approach**

To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation's cybersecurity agency should be empowered to make regulations.  

CISA should begin by making its recommended goals mandatory, forcing software companies to do the following: 

●      Increase the use of MFA 

●      Reduce default passwords 

●      Enable a significant measurable reduction in the prevalence of one or more vulnerability classes 

●      Increase the installation of security patches by customers 

●      Publish a vulnerability disclosure policy 

●      Demonstrate transparency in vulnerability reporting. 

●      Increase the ability for customers to gather evidence of cybersecurity intrusions 

Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA's list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren't taking the most basic steps toward protecting their users' data. 

Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die. 

If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a "nice to have." It should be mandatory. The stakes are as high if not higher than with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. This is not a realm for timidity.    

Hi all -- please add this to all of your content at the bottom between now and Thursday -- I'm adding it to this week's news items now. Rashid, Fahmida Donahue, Jim Bracken, Becky Spiegelman, Karen Beek, Kristina

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

The Power of the Purse: How to Ensure Security by Design

Donald Trump has vowed to deport millions and jail his enemies. To carry out that agenda, his administration will exploit America’s digital surveillance machine. Here are some steps you can take to evade it.

The WIRED Guide to Protecting Yourself From Government Surveillance

Privacy advocates worry banning masks at protests will encourage harassment, while cops’ high-tech tools render the rules unnecessary.

“There are lots of different tools that are available to law enforcement. Facial recognition is one of those tools that it's about expediency,” said Nicole Napolitano, director of research at the Center for Policing Equity. But it’s not without its pitfalls. Like PimEyes, tools like Clearview AI can make mistakes and incorrectly identify people, leading to erroneous arrests. “Police have become increasingly reliant on and then biased by what the model tells them,” said Napolitano.

“There's no constitutional right to cover your face in public,” charged Meyers, the Manhattan Institute’s policing director.

Indeed, the legal landscape surrounding how law enforcement can use surveillance technologies has been hazy, explained Beth Haroules, a staff attorney for the New York branch of the American Civil Liberties Union, largely because the law hasn’t kept up with the pace with technological development.

For Haroules, the potential for omnipresent surveillance means people never really have a reasonable expectation of privacy—an important historic legal standard. “\[Surveillance\] cameras aren't just the eyes of a police officer,” she said. “They are being monitored, perhaps 24/7, in real time. They're feeding images into artificial intelligence, aided by algorithms that then kick out and match you to a number of faces and places that you've been.”

That legal haze, though, may finally be starting to clear.

This summer, a federal appeals court judge declared that geofence warrants were violations of the Constitution’s protections against unreasonable searches and seizures, though this decision only holds in Texas, Mississippi, and Louisiana. Similarly, a New York judge ruled warrantless phone searches at border crossings are unconstitutional. While the ruling only applies to a portion of New York, it does cover John F. Kennedy International Airport, one of the country’s busiest airports.

Phone manufacturers have also been making strides with regard to technological solutions to subvert surveillance methods. Google announced changes to how it stores users’ location data, making it unable to comply with future geofence warrants.

Even so, determining when police use surveillance technology can be difficult. Tushar Jois, a City College of New York professor studying the intersection of privacy, technology, and censorship, said that police departments “would routinely drop evidence in their cases rather than share data” about their surveillance technology use.

Beryl Lipton, a senior investigative researcher at the Electronic Frontier Foundation, a tech-focused civil liberties nonprofit, said that many of the things law enforcement officials used to only dream of are now increasingly possible.

“I think there's been a big shift in how we need to think about what it means to have an expectation of privacy in a public space,” Lipton said.

Half a century ago, Lipton explained, you'd potentially be able to see someone following you down the street, listening to your conversation. Now, that type of surveillance isn't so obvious.

“That's something we, as a country, really need to reevaluate,” she added. “We don't want to be in a position, either as protesters, or just as regular individuals, trying to live a life where we're essentially being followed and listened to all the time.”

The Real Problem With Banning Masks at Protests

Ubuntu Security Notice 7100-1 - Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7100-1November 11, 2024linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm,linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle,linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, andShweta Shinde discovered that the Confidential Computing framework inthe Linux kernel for x86 platforms did not properly handle 32-bitemulation on TDX and SEV. An attacker with access to the VMM could usethis to cause a denial of service (guest crash) or possibly executearbitrary code. (CVE-2024-25744)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - MIPS architecture;  - PowerPC architecture;  - RISC-V architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - Null block device driver;  - Character device driver;  - ARM SCMI message protocol;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - I3C subsystem;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - Thunderbolt and USB4 drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Host Controller drivers;  - USB Type-C Connector System Software Interface driver;  - USB over IP driver;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - NTFS3 file system;  - Proc file system;  - SMB network file system;  - Core kernel;  - DMA mapping infrastructure;  - RCU subsystem;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - Ethernet bridge;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Multipath TCP;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Landlock security;  - Simplified Mandatory Access Control Kernel framework;  - FireWire sound drivers;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-43817, CVE-2024-42304, CVE-2024-46756, CVE-2024-42318,CVE-2024-41090, CVE-2024-41063, CVE-2024-44987, CVE-2024-46844,CVE-2024-46677, CVE-2024-44988, CVE-2024-42297, CVE-2024-26893,CVE-2024-46673, CVE-2024-26800, CVE-2024-42305, CVE-2024-46731,CVE-2024-41091, CVE-2024-46810, CVE-2024-41072, CVE-2022-48666,CVE-2024-38602, CVE-2024-46780, CVE-2024-46750, CVE-2024-43858,CVE-2024-41020, CVE-2024-46755, CVE-2024-46829, CVE-2024-41068,CVE-2024-45003, CVE-2024-42280, CVE-2024-42283, CVE-2024-43873,CVE-2024-46746, CVE-2024-44969, CVE-2024-46807, CVE-2024-41081,CVE-2024-44971, CVE-2024-26607, CVE-2024-43880, CVE-2024-42281,CVE-2024-42274, CVE-2024-43908, CVE-2024-42267, CVE-2024-47665,CVE-2024-45011, CVE-2024-46707, CVE-2024-42310, CVE-2024-42309,CVE-2024-44965, CVE-2024-46747, CVE-2024-42259, CVE-2024-46804,CVE-2024-46679, CVE-2024-45007, CVE-2024-45009, CVE-2024-46771,CVE-2024-46739, CVE-2024-41060, CVE-2024-46676, CVE-2024-46822,CVE-2024-42272, CVE-2024-41059, CVE-2024-43839, CVE-2024-46817,CVE-2024-47669, CVE-2024-44999, CVE-2024-42285, CVE-2024-44986,CVE-2024-43828, CVE-2024-43879, CVE-2024-44998, CVE-2024-46724,CVE-2024-41015, CVE-2024-45025, CVE-2024-43849, CVE-2024-46818,CVE-2024-43830, CVE-2024-46725, CVE-2024-43834, CVE-2024-42302,CVE-2024-36484, CVE-2024-43853, CVE-2024-46782, CVE-2024-46740,CVE-2024-46732, CVE-2024-43869, CVE-2024-42312, CVE-2024-42292,CVE-2024-43884, CVE-2024-44934, CVE-2024-44995, CVE-2024-43894,CVE-2024-46675, CVE-2024-43870, CVE-2024-44990, CVE-2024-42287,CVE-2024-41065, CVE-2024-42301, CVE-2024-42290, CVE-2024-46702,CVE-2024-46719, CVE-2024-46745, CVE-2024-46758, CVE-2024-46757,CVE-2024-44935, CVE-2024-42276, CVE-2024-43890, CVE-2023-52918,CVE-2024-41077, CVE-2024-43905, CVE-2024-38611, CVE-2024-42269,CVE-2024-42284, CVE-2024-41073, CVE-2024-46722, CVE-2024-41017,CVE-2024-47667, CVE-2024-45021, CVE-2024-43867, CVE-2024-41098,CVE-2024-43909, CVE-2024-46723, CVE-2024-45026, CVE-2024-42114,CVE-2024-44944, CVE-2024-43835, CVE-2024-44982, CVE-2024-43907,CVE-2024-46828, CVE-2024-43856, CVE-2024-46832, CVE-2024-44954,CVE-2024-43846, CVE-2024-41070, CVE-2024-43892, CVE-2024-44985,CVE-2024-42306, CVE-2024-43889, CVE-2024-44958, CVE-2024-46798,CVE-2024-44989, CVE-2024-42313, CVE-2024-46737, CVE-2024-42289,CVE-2024-43829, CVE-2024-46744, CVE-2023-52889, CVE-2024-46689,CVE-2024-47663, CVE-2024-46791, CVE-2024-43863, CVE-2024-43893,CVE-2024-43841, CVE-2024-46777, CVE-2024-46800, CVE-2024-45028,CVE-2024-44952, CVE-2024-43883, CVE-2024-44946, CVE-2024-43882,CVE-2024-44960, CVE-2024-38577, CVE-2024-46814, CVE-2024-42288,CVE-2024-44947, CVE-2024-41071, CVE-2024-41042, CVE-2024-41064,CVE-2024-42311, CVE-2024-42270, CVE-2024-43861, CVE-2024-46752,CVE-2024-42296, CVE-2024-41022, CVE-2024-42246, CVE-2024-43871,CVE-2024-42265, CVE-2024-43854, CVE-2024-41019, CVE-2024-46815,CVE-2024-46743, CVE-2024-42126, CVE-2024-26661, CVE-2024-41012,CVE-2024-46761, CVE-2024-45008, CVE-2024-46805, CVE-2024-45006,CVE-2024-42295, CVE-2024-46783, CVE-2024-42286, CVE-2024-46714,CVE-2024-42299, CVE-2024-46781, CVE-2024-43914, CVE-2024-44966,CVE-2024-44974, CVE-2024-45018, CVE-2024-46840, CVE-2024-46819,CVE-2024-40915, CVE-2024-46759, CVE-2024-43860, CVE-2024-47668,CVE-2024-39472, CVE-2024-47660, CVE-2024-47659, CVE-2024-46795,CVE-2024-43875, CVE-2024-46738, CVE-2024-42271, CVE-2024-26669,CVE-2024-44983, CVE-2024-41078, CVE-2024-46685, CVE-2024-46713,CVE-2024-46721, CVE-2024-46763, CVE-2024-41011, CVE-2024-43902,CVE-2024-42277, CVE-2024-44948)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1038-xilinx-zynqmp  5.15.0-1038.42  linux-image-5.15.0-1055-gkeop   5.15.0-1055.62  linux-image-5.15.0-1065-ibm     5.15.0-1065.68  linux-image-5.15.0-1065-raspi   5.15.0-1065.68  linux-image-5.15.0-1067-nvidia  5.15.0-1067.68  linux-image-5.15.0-1067-nvidia-lowlatency  5.15.0-1067.68  linux-image-5.15.0-1069-gke     5.15.0-1069.75  linux-image-5.15.0-1069-kvm     5.15.0-1069.74  linux-image-5.15.0-1070-oracle  5.15.0-1070.76  linux-image-5.15.0-1071-gcp     5.15.0-1071.79  linux-image-5.15.0-125-generic  5.15.0-125.135  linux-image-5.15.0-125-generic-64k  5.15.0-125.135  linux-image-5.15.0-125-generic-lpae  5.15.0-125.135  linux-image-5.15.0-125-lowlatency  5.15.0-125.135  linux-image-5.15.0-125-lowlatency-64k  5.15.0-125.135  linux-image-gcp-lts-22.04       5.15.0.1071.67  linux-image-generic             5.15.0.125.124  linux-image-generic-64k         5.15.0.125.124  linux-image-generic-lpae        5.15.0.125.124  linux-image-gke                 5.15.0.1069.68  linux-image-gke-5.15            5.15.0.1069.68  linux-image-gkeop               5.15.0.1055.54  linux-image-gkeop-5.15          5.15.0.1055.54  linux-image-ibm                 5.15.0.1065.61  linux-image-kvm                 5.15.0.1069.65  linux-image-lowlatency          5.15.0.125.113  linux-image-lowlatency-64k      5.15.0.125.113  linux-image-nvidia              5.15.0.1067.67  linux-image-nvidia-lowlatency   5.15.0.1067.67  linux-image-oracle-lts-22.04    5.15.0.1070.66  linux-image-raspi               5.15.0.1065.63  linux-image-raspi-nolpae        5.15.0.1065.63  linux-image-virtual             5.15.0.125.124  linux-image-xilinx-zynqmp       5.15.0.1038.42Ubuntu 20.04 LTS  linux-image-5.15.0-1055-gkeop   5.15.0-1055.62~20.04.1  linux-image-5.15.0-1065-ibm     5.15.0-1065.68~20.04.1  linux-image-5.15.0-1070-oracle  5.15.0-1070.76~20.04.1  linux-image-5.15.0-1071-gcp     5.15.0-1071.79~20.04.1  linux-image-5.15.0-1072-aws     5.15.0-1072.78~20.04.1  linux-image-5.15.0-125-generic  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-generic-64k  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-generic-lpae  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-lowlatency  5.15.0-125.135~20.04.1  linux-image-5.15.0-125-lowlatency-64k  5.15.0-125.135~20.04.1  linux-image-aws                 5.15.0.1072.78~20.04.1  linux-image-gcp                 5.15.0.1071.79~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-generic-hwe-20.04   5.15.0.125.135~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-gkeop-5.15          5.15.0.1055.62~20.04.1  linux-image-ibm                 5.15.0.1065.68~20.04.1  linux-image-lowlatency-64k-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-lowlatency-hwe-20.04  5.15.0.125.135~20.04.1  linux-image-oem-20.04           5.15.0.125.135~20.04.1  linux-image-oem-20.04b          5.15.0.125.135~20.04.1  linux-image-oem-20.04c          5.15.0.125.135~20.04.1  linux-image-oem-20.04d          5.15.0.125.135~20.04.1  linux-image-oracle              5.15.0.1070.76~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.125.135~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7100-1  CVE-2022-48666, CVE-2023-52889, CVE-2023-52918, CVE-2024-25744,  CVE-2024-26607, CVE-2024-26661, CVE-2024-26669, CVE-2024-26800,  CVE-2024-26893, CVE-2024-36484, CVE-2024-38577, CVE-2024-38602,  CVE-2024-38611, CVE-2024-39472, CVE-2024-40915, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41019,  CVE-2024-41020, CVE-2024-41022, CVE-2024-41042, CVE-2024-41059,  CVE-2024-41060, CVE-2024-41063, CVE-2024-41064, CVE-2024-41065,  CVE-2024-41068, CVE-2024-41070, CVE-2024-41071, CVE-2024-41072,  CVE-2024-41073, CVE-2024-41077, CVE-2024-41078, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42114,  CVE-2024-42126, CVE-2024-42246, CVE-2024-42259, CVE-2024-42265,  CVE-2024-42267, CVE-2024-42269, CVE-2024-42270, CVE-2024-42271,  CVE-2024-42272, CVE-2024-42274, CVE-2024-42276, CVE-2024-42277,  CVE-2024-42280, CVE-2024-42281, CVE-2024-42283, CVE-2024-42284,  CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288,  CVE-2024-42289, CVE-2024-42290, CVE-2024-42292, CVE-2024-42295,  CVE-2024-42296, CVE-2024-42297, CVE-2024-42299, CVE-2024-42301,  CVE-2024-42302, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42312,  CVE-2024-42313, CVE-2024-42318, CVE-2024-43817, CVE-2024-43828,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43834, CVE-2024-43835,  CVE-2024-43839, CVE-2024-43841, CVE-2024-43846, CVE-2024-43849,  CVE-2024-43853, CVE-2024-43854, CVE-2024-43856, CVE-2024-43858,  CVE-2024-43860, CVE-2024-43861, CVE-2024-43863, CVE-2024-43867,  CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873,  CVE-2024-43875, CVE-2024-43879, CVE-2024-43880, CVE-2024-43882,  CVE-2024-43883, CVE-2024-43884, CVE-2024-43889, CVE-2024-43890,  CVE-2024-43892, CVE-2024-43893, CVE-2024-43894, CVE-2024-43902,  CVE-2024-43905, CVE-2024-43907, CVE-2024-43908, CVE-2024-43909,  CVE-2024-43914, CVE-2024-44934, CVE-2024-44935, CVE-2024-44944,  CVE-2024-44946, CVE-2024-44947, CVE-2024-44948, CVE-2024-44952,  CVE-2024-44954, CVE-2024-44958, CVE-2024-44960, CVE-2024-44965,  CVE-2024-44966, CVE-2024-44969, CVE-2024-44971, CVE-2024-44974,  CVE-2024-44982, CVE-2024-44983, CVE-2024-44985, CVE-2024-44986,  CVE-2024-44987, CVE-2024-44988, CVE-2024-44989, CVE-2024-44990,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45007, CVE-2024-45008, CVE-2024-45009,  CVE-2024-45011, CVE-2024-45018, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46702, CVE-2024-46707, CVE-2024-46713,  CVE-2024-46714, CVE-2024-46719, CVE-2024-46721, CVE-2024-46722,  CVE-2024-46723, CVE-2024-46724, CVE-2024-46725, CVE-2024-46731,  CVE-2024-46732, CVE-2024-46737, CVE-2024-46738, CVE-2024-46739,  CVE-2024-46740, CVE-2024-46743, CVE-2024-46744, CVE-2024-46745,  CVE-2024-46746, CVE-2024-46747, CVE-2024-46750, CVE-2024-46752,  CVE-2024-46755, CVE-2024-46756, CVE-2024-46757, CVE-2024-46758,  CVE-2024-46759, CVE-2024-46761, CVE-2024-46763, CVE-2024-46771,  CVE-2024-46777, CVE-2024-46780, CVE-2024-46781, CVE-2024-46782,  CVE-2024-46783, CVE-2024-46791, CVE-2024-46795, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46804, CVE-2024-46805, CVE-2024-46807,  CVE-2024-46810, CVE-2024-46814, CVE-2024-46815, CVE-2024-46817,  CVE-2024-46818, CVE-2024-46819, CVE-2024-46822, CVE-2024-46828,  CVE-2024-46829, CVE-2024-46832, CVE-2024-46840, CVE-2024-46844,  CVE-2024-47659, CVE-2024-47660, CVE-2024-47663, CVE-2024-47665,  CVE-2024-47667, CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-125.135  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1071.79  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1069.75  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1055.62  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1065.68  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1069.74  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-125.135  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1067.68  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1070.76  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1065.68  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.15.0-1038.42  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1072.78~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1071.79~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1055.62~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-125.135~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1065.68~20.04.1  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-125.135~20.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1070.76~20.04.1

Ubuntu Security Notice USN-7100-1

A list of topics we covered in the week of November 4 to November 10 of 2024

November 8, 2024 - The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While...

November 7, 2024 - Consumer group Which? found privacy issues in connected air fryers. How smart do we want and need our appliances to be?

November 7, 2024 - We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

November 6, 2024 - Consumers are being swamped by Google ads claiming to be eBay's customer service.

November 6, 2024 - Small businesses have the same security problems as big corporations, but not the budget or staff to match. Here are some tips to help.

 A week in security (November 4 &#8211; November 10) 

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While...

The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While we noted a decrease in loaders distributed via malvertising for the past 3 months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods.

After months of absence, Fakebat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer.

In this blog post, we detail how criminals are targeting their victims and what final malware payload they are delivering post initial infection. The incident was found and reported to Google on the same day as this publication.

**Google Ads distribution**

Last time we saw FakeBat was on July 25 2024, via a malicious ad for Calendly, a popular online scheduling application. In that instance, FakeBat’s command and control infrastructure ran from _utd-gochisu\[.\]com_.

Fast forward to November 8, 2024, and we have an ad appearing at the top of a Google search for ‘notion’. That sponsored result looks entirely authentic, with an official logo and website. We already know that criminals are able to impersonate any brand of their liking by simply using a click tracker — or tracking template — in order to bypass detection.

Below is the network traffic from the ad URL to the payload. We can see the use of the tracking template (_smart.link_), followed by a cloaking domain (_solomonegbe\[.\]com_), before landing on the decoy site (_notion\[.\]ramchhaya.com_):

Why does this work and bypasses Google? Likely because if the user is not an intended victim, the tracking template would redirect them to the legitimate _notion.so_ website.

**FakeBat drops LummaC2 stealer**

After extracting the payload, we recognize the classic first stage FakeBat PowerShell:

Security researcher and long time FakeBat enthusiast RussianPanda was kind enough to give us a hand by looking at this installer in closer detail.

After some fingerprinting to avoid sandboxes, we get this second stage PowerShell:

Of note, the threat actors are still using the same old RastaMouse AMSI bypass script from April 2024:

The loader is obfuscated with .NET Reactor, where it decrypts the embedded resource with AES and then injects it into _MSBuild.exe_ via process hollowing:

The decrypted payload is LummaC2 Stealer with user ID: 9zXsP2.

**Conclusion**

While malicious ads delivering malware payloads have been a little more rare for the past several weeks, today’s example shows that threat actors can and will make a comeback whenever the time is right.

Brand impersonation via Google ads remains problematic, as anyone can leverage built-in features to appear legitimate and trick users into downloading malware.

We appreciate and would like to thanks RussianPanda‘s quick analysis on the payload, as well as security researcher Sqiiblydoo for reporting the malicious certificate used to sign the installer.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising chain

solomonegbe\[.\]com  
notion\[.\]ramchhaya.com

Malicious Notion installer

34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

FakeBat C2

ghf-gopp1rip\[.\]com

1.jar (PaykRunPE)

373cd164bb01f77ad1e37df844010ee5

LummaC2 (decrypted payload)

3e8c406831a0021f76f02c704b68ee60

JwefqUQWCg (encrypted resource)

497dc11a77a4898b6b5e3cc28a586a38

Malicious URLs

furliumalerer\[.\]site/1.jar  
pastebin\[.\]pl/view/raw/a58044c5

LummaC2 Stealer C2s:

rottieud\[.\]sbs  
relalingj\[.\]sbs  
repostebhu\[.\]sbs  
thinkyyokej\[.\]sbs  
tamedgeesy\[.\]sbs  
explainvees\[.\]sbs  
brownieyuz\[.\]sbs  
slippyhost\[.\]cfd  
ducksringjk\[.\]sbs

 Hello again, FakeBat: popular loader returns after months-long hiatus 

Large language models (LLMs) can help app security firms find and fix software vulnerabilities. Malicious actors are on to them too, but here's why defenders may retain the edge.

Source: vs148 via Shutterstock

Security researchers and attackers are turning to AI models to find vulnerabilities, a technology whose use will likely drive the annual count of software flaws higher, but could eventually result in fewer flaws in public releases, experts say.

On Nov. 1, Google said its Big Sleep large language model (LLM) agent discovered a buffer-underflow vulnerability in the popular database engine, SQLite. The experiment shows both the peril and the promise of AI-powered vulnerability discovery tools: The AI agent searched through the code for variations on a specific vulnerability, but identified the software flaw in time for Google to notify the SQLite project and work with them to fix the issue.

Using AI just for software-defect discovery could result in a surge in vulnerability disclosures, but introducing LLM agents into the development pipeline could reverse the trend and lead to fewer software flaws escaping into the wild, says Tim Willis, head of Google's Project Zero, the company's effort to identify zero-day vulnerabilities.

"While we are at an early stage, we believe that the techniques we develop through this research will become a useful and general part of the toolbox that software developers have at their disposal," he says.

Google is not alone in searching for better ways to find — and fix — vulnerabilities. In August, a group of researchers from Georgia Tech, Samsung Research, and other firms — collectively known as Team Atlanta — used an LLM bug-finding system to automatically find and patch a bug in SQLite. And just last month, cybersecurity firm GreyNoise Intelligence revealed it had used its Sift AI system to analyze honeypot logs leading to the discovery and patching of two zero-day vulnerabilities affecting Internet-connected cameras used in sensitive environments.

Overall, companies are gaining more ways to automate vulnerability discovery, and — if they are serious about security — will be able to drive down the number of vulnerabilities in their products by using the tools in development, says Corey Bodzin, chief product officer at GreyNoise Intelligence.

"The exciting thing is we do have technology that allows people who \[care about\] security to be more effective," he says. "Sadly ... there are not many companies where that is ... a primary driver, but even in companies where \[security is\] purely viewed as a cost" can benefit from using these tools.

**Only the First Steps**

Currently, Google's custom approach is still bespoke and requires work to adapt to specific vulnerability-finding tasks. The company's Big Sleep agent does not to look for completely new vulnerabilities, but uses details from a previously discovered vulnerability to look for similar issues. The project has looked at smaller programs with known vulnerabilities as test cases, but the SQLite experiment is the first time they found vulnerabilities in production code, the Google Project Zero and Google DeepMind researchers stated in Google's blog post describing the research.

While specialized fuzzers would likely have found the bug, tuning those tools to perform well is a very manual process, says Google's Willis.

"One promise of \[L\]LM agents is that they might generalize across applications without the need for specialized tuning," he says. "Additionally, we're hopeful that \[L\]LM agents will be able to uncover a different subset of vulnerabilities than those typically found through fuzzing."

The use of AI-based vulnerability discovery tools will be a race between attackers and defenders. Manual code review is a viable way of finding bugs for attackers, who only need a single exploitable vulnerability or short chain of vulnerabilities. But defenders need a scalable way of finding and fixing applications, Willis says. While bug-finding tools can be a force multiplier for both attackers and defenders, the ability to scale up to analyze code will likely be a greater benefit for defenders, Willis says.

"We expect that advances in automated vulnerability discovery, triage, and remediation will disproportionately benefit defenders," he says.

**Focus AI on Finding and Fixing Bugs**

Companies that focus on using AI to generate secure code and fix bugs when found will deliver higher quality code from developers, says Chris Wysopal, co-founder and chief security evangelist at Veracode, an application security firm. He argues that automating bug finding and bug fixing are two completely different problems. Finding vulnerabilities is a very large data problem, whIle fixing bugs usually deals with perhaps a dozen lines of code.

"Once you know the bug is there — if you found it through fuzzing, or through an LLM, or using human code review — and you know what kind of bug it is, fixing it is relatively easy," he says. "So, LLMs favor defenders, because having access to source code and fixing issues is easy. So I'm kind of bullish that we can eliminate whole classes of vulnerabilities, but it's not from finding more, it's from being able to fix more."

Companies that require developers to run automated security tools before code check-in will find themselves on a path to paying down their security debt — the collection of issues that they know about, but have not had time to fix, he says. Currently, about half (46%) of organizations have security debt in the form of persistent critical flaws in applications, according to Veracode's 2024 State of Software Security report.

"The idea that you're committing code that has a problem in it, and it's not fixed, will become the exception, not the rule, like it is today," Wysopal says. "Once you can start to automate this fixing — and we're always getting better at automating finding \[vulnerabilities\] — I think that's how things change."

Yet, the technology will still have to overcome companies' focus on efficiency and productivity over security, says Bob Rudis, vice president of data science and security research at GreyNoise Intelligence. He points to the fixing of the two security vulnerabilities that GreyNoise Intelligence found and responsibly disclosed. The company only fixed the issues in two product models, but not others — despite the fact that the other products likely had similar issues, he says.

Google and GreyNoise Intelligence proved that the technology will work, but whether companies integrate AI into the development pipelines to eliminate bugs is still an open question.

Rudis has doubts.

"I'm sure a handful of organizations are going to deploy it — it's going to make like seven C files a little bit safer across a bunch of organizations, and maybe we'll get like a tick more security for the ones that can actually deploy it properly," he says. "But ultimately, until we actually change the incentive structure around how software vendors build and deploy things, and how consumers actually purchase and deploy and configure things, we are not going to see any benefit."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI &amp; LLMs Show Promise in Squashing Software Bugs

A significant amount of vulnerabilities in the Linux kernel have been resolved that include use-after-free and race conditions.

    Linux kernel vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives:-   Ubuntu 20.04 LTS-   Ubuntu 18.04 LTS-   Ubuntu 16.04 LTS-   Ubuntu 22.04 LTS-   Ubuntu 14.04 LTSSummarySeveral security issues were fixed in the kernel.Software Description-   linux - Linux kernel-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems-   linux-azure - Linux kernel for Microsoft Azure Cloud systems-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems-   linux-gke - Linux kernel for Google Container Engine (GKE) systems-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems-   linux-ibm - Linux kernel for IBM cloud systems-   linux-oracle - Linux kernel for Oracle Cloud systemsDetailsIn the Linux kernel, the following vulnerability has been resolved:inet: inet_defrag: prevent sk release while still in use ip_local_out()and other functions can pass skb->sk as function argument. If the skb isa fragment and reassembly happens before such function call returns, thesk must not be released. This affects skb fragments reassembled vianetfilter or similar modules, e.g. openvswitch or ct_act.c, when run aspart of tx pipeline. Eric Dumazet made an initial analysis of this bug.Quoting Eric: Calling ip_defrag() in output path is also implyingskb_orphan(), which is buggy because output path relies on sk notdisappearing. A relevant old patch about the issue was : 8282f27449bf(“inet: frag: Always orphan skbs inside ip_defrag()”) [..net/ipv4/ip_output.c depends on skb->sk being set, and probably to aninet socket, not an arbitrary one. If we orphan the packet in ipvlan,then downstream things like FQ packet scheduler will not work properly.We need to change ip_defrag() to only use skb_orphan() when reallyneeded, ie whenever frag_list is going to be used. Eric suggested tostash sk in fragment queue and made an initial patch. However there is aproblem with this: If skb is refragmented again right after,ip_do_fragment() will copy head->sk to the new fragments, and sets updestructor to sock_wfree. IOW, we have no choice but to fix up sk_wmemaccouting to reflect the fully reassembled skb, else wmem willunderflow. This change moves the orphan down into the core, to lastpossible moment. As ip_defrag_offset is aliased with sk_buff->sk member,we must move the offset into the FRAG_CB, else skb->sk gets clobbered.This allows to delay the orphaning long enough to learn if the skb hasto be queued or if the skb is completing the reasm queue. In the formercase, things work as before, skb is orphaned. This is safe because skbgets queued/stolen and won’t continue past reasm engine. In the lattercase, we will steal the skb->sk reference, reattach it to the head skb,and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)In the Linux kernel, the following vulnerability has been resolved:af_unix: Fix garbage collector racing against connect() Garbagecollector does not take into account the risk of embryo getting enqueuedduring the garbage collection. If such embryo has a peer that carriesSCM_RIGHTS, two consecutive passes of scan_children() may see adifferent set of children. Leading to an incorrectly elevated inflightcount, and then a dangling pointer within the gc_inflight_list. socketsare AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listeningin-flight socket bound to addr, not in fdtable V’s fd will be passed viasendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]);close(V) __unix_gc() —————- ————————- ———– NS = unix_create1() skb1 =sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L)unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 =sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // Vcount=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidatecondition met for u in gc_inflight_list: if (total_refs ==inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u ingc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not// reachable from L yet, so V’s // inflight remains unchanged__skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates:if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1inflight=2 (!) If there is a GC-candidate listening socket, lock/unlockits state. This makes GC wait until the end of any ongoing connect() tothat socket. After flipping the lock, a possibly SCM-laden embryo isalready enqueued. And if there is another embryo coming, it can notpossibly carry SCM_RIGHTS. At this point, unix_inflight() can not happenbecause unix_gc_lock is already taken. Inflight graph remainsunaffected. (CVE-2024-26923)In the Linux kernel, the following vulnerability has been resolved: mm:swap: fix race between free_swap_and_cache() and swapoff() There waspreviously a theoretical window where swapoff() could run and teardown aswap_info_struct while a call to free_swap_and_cache() was running inanother thread. This could cause, amongst other bad possibilities,swap_page_trans_huge_swapped() (called by free_swap_and_cache()) toaccess the freed memory for swap_map. This is a theoretical problem andI haven’t been able to provoke it from a test case. But there has beenagreement based on code review that this is possible (see link below).Fix it by using get_swap_device()/put_swap_device(), which will stallswapoff(). There was an extra check in _swap_info_get() to confirm thatthe swap entry was not free. This isn’t present in get_swap_device()because it doesn’t make sense in general due to the race between gettingthe reference and swapoff. So I’ve added an equivalent check directly infree_swap_and_cache(). Details of how to provoke one possible issue(thanks to David Hildenbrand for deriving this): –8<—–__swap_entry_free() might be the last user and result in “count ==SWAP_HAS_CACHE”. swapoff->try_to_unuse() will stop as soon as soon assi->inuse_pages==0. So the question is: could someone reclaim the folioand turn si->inuse_pages==0, before we completedswap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio inthe swapcache. Only 2 subpages are still references by swap entries.Process 1 still references subpage 0 via swap entry. Process 2 stillreferences subpage 1 via swap entry. Process 1 quits. Callsfree_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted inthe hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). ->count == SWAP_HAS_CACHE Process 2 goes ahead, passesswap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap().__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->put_swap_folio()->free_swap_slot()->swapcache_free_entries()->swap_entry_free()->swap_range_free()-> … WRITE_ONCE(si->inuse_pages,si->inuse_pages - nr_entries); What stops swapoff to succeed afterprocess 2 reclaimed the swap cache but before process1 finished its callto swap_page_trans_huge_swapped()? –8<—– (CVE-2024-26960)In the Linux kernel, the following vulnerability has been resolved:Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When thesco connection is established and then, the sco socket is releasing,timeout_work will be scheduled to judge whether the sco disconnection istimeout. The sock will be deallocated later, but it is dereferencedagain in sco_sock_timeout. As a result, the use-after-free bugs willhappen. The root cause is shown below: Cleanup Thread | Worker Threadsco_sock_release | sco_sock_close | __sco_sock_close |sco_sock_set_timer | schedule_delayed_work | sco_sock_kill | (wait atime) sock_put(sk) //FREE | sco_sock_timeout | sock_hold(sk) //USE TheKASAN report triggered by POC is shown below: [ 95.890016================================================================== [95.890496] BUG: KASAN: slab-use-after-free insco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addrffff88800c388080 by task kworker/0:0/7 … [ 95.890755] Workqueue: eventssco_sock_timeout [ 95.890755] Call Trace: [ 95.890755][ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755]print_address_description+0x78/0x390 [ 95.890755print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [95.890755] process_one_work+0x561/0xc50 [ 95.890755worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755]ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [95.890755 ret_from_fork_asm+0x11/0x20 [ 95.890755][ 95.890755] [ 95.890755 Allocated by task 506: [ 95.890755]kasan_save_track+0x3f/0x70 [ 95.890755 __kasan_kmalloc+0x86/0x90 [95.890755] __kmalloc+0x17f/0x360 [ 95.890755 sk_prot_alloc+0xe1/0x1a0 [95.890755] sk_alloc+0x31/0x4e0 [ 95.890755 bt_sock_alloc+0x2b/0x2a0 [95.890755] sco_sock_create+0xad/0x320 [ 95.890755]bt_sock_create+0x145/0x320 [ 95.890755 __sock_create+0x2e1/0x650 [95.890755] __sys_socket+0xd0/0x280 [ 95.890755__x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30[ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [95.890755] sco_sock_release+0x232/0x280 [ 95.890755]sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755]task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [95.890755 arch_do_signal_or_restart+0x3f/0x520 [ 95.890755syscall_exit_to_user_mode+0x55/0x120 [ 95.890755]do_syscall_64+0xd1/0x1b0 [ 95.890755]entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Thebuggy address belongs to the object at ffff88800c388000 [ 95.890755]which belongs to the cache kmalloc-1k of size 1024 [ 95.890755 The buggyaddress is located 128 bytes inside of [ 95.890755] freed 1024-byteregion [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755]The buggy address belongs to the physical page: [ 95.890755 page:refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0nr_pages_mapped:0 pincount:0 [ 95.890755] ano —truncated—(CVE-2024-27398)In the Linux kernel, the following vulnerability has been resolved:watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_triggerWhen the cpu5wdt module is removing, the origin code uses del_timer() tode-activate the timer. If the timer handler is running, del_timer()could not stop it and will return directly. If the port region isreleased by release_region() and then the timer handlercpu5wdt_trigger() calls outb() to write into the region that isreleased, the use-after-free bug will happen. Change del_timer() totimer_shutdown_sync() in order that the timer handler could be finishedbefore the port region is released. (CVE-2024-38630)Update instructionsThe problem can be corrected by updating your kernel livepatch to thefollowing versions:Ubuntu 20.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gkeop - 107.1    gkeop - 107.2    ibm - 107.1    ibm - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 18.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 16.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2Ubuntu 22.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gke - 107.2    ibm - 107.1    ibm - 107.2    oracle - 107.1Ubuntu 14.04 LTS    generic - 107.1    lowlatency - 107.1Support InformationLivepatches for supported LTS kernels will receive upgrades for a periodof up to 13 months after the build date of the kernel.Livepatches for supported HWE kernels which are not based on an LTSkernel version will receive upgrades for a period of up to 9 monthsafter the build date of the kernel, or until the end of support for thatkernel’s non-LTS distro release version, whichever is sooner.References-   CVE-2024-26921-   CVE-2024-26923-   CVE-2024-26960-   CVE-2024-27398-   CVE-2024-38630

Kernel Live Patch Security Notice LSN-0107-1

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.
The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.

The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point said in a technical write-up published this week.

"ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command-and-control communications," the Israeli company said.

ElizaRAT is a Windows remote access tool (RAT) that Transparent Tribe was first observed using in July 2023 as part of cyber attacks targeting Indian government sectors. Active since at least 2013, the adversary is also tracked under the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.

Its malware arsenal includes tools for compromising Windows, Android, and Linux devices. The increased targeting of Linux machines is motivated by the Indian government's use of a custom Ubuntu fork called Maya OS since last year.

Infection chains are initiated by Control Panel (CPL) files likely distributed via spear-phishing techniques. As many as three distinct campaigns employing the RAT have been observed between December 2023 and August 2024, each using Slack, Google Drive, and a virtual private server (VPS) for command-and-control (C2).

ApoloStealer is designed to gather files matching several extensions (e.g., DOC, XLS, PPT, TXT, RTF, ZIP, RAR, JPG, and PNG) from the compromised host and exfiltrate them to a remote server.

In January 2024, the threat actor is said to have tweaked the modus operandi to include a dropper component that ensures the smooth functioning of ElizaRAT. Also observed in recent attacks is an additional stealer module codenamed ConnectX that's engineered to search for files from external drives, such as USBs.

The abuse of legitimate services widely used in enterprise environments heightens the threat as it complicates detection efforts and allows threat actors to blend into legitimate activities on the system.

"The progression of ElizaRAT reflects APT36's deliberate efforts to enhance their malware to better evade detection and effectively target Indian entities," Check Point said. "Introducing new payloads such as ApolloStealer marks a significant expansion of APT36's malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment."

**IcePeony Goes After India, Mauritius, and Vietnam**

The disclosure comes weeks after the nao\_sec research team revealed an advanced persistent threat (APT) group it calls IcePeony has targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam since at least 2023.

"Their attacks typically start with SQL Injection, followed by compromise via web shells and backdoors," security researchers Rintaro Koike and Shota Nakajima said. "Ultimately, they aim to steal credentials."

One of the most noteworthy tools in its malware portfolio is IceCache, which is designed to target Microsoft Internet Information Services (IIS) instances. An ELF binary written in the Go programming language, it's a custom version of the reGeorg web shell with added file transmission and command execution features.

The attacks are also characterized by the use of a unique passive-mode backdoor referred to as IceEvent that comes with capabilities to upload/download files and execute commands.

"It seems that the attackers work six days a week," the researchers noted. "While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google