<p><em>The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way.</em></p>

<div class="rc-cta-primary"><a href="https://www.redhat.com/en/email-preferences?newsletter=RH-shares&amp;intcmp=7013a0000034h0bAAA">Subscribe to Red Hat Shares</a></div>

<hr />
<div class="rc-title-emphasis">FROM THE EDITOR</div>

<h3>De

_The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way._

FROM THE EDITOR

**Detect and deter threats faster with security automation**

When a mobile game platform loosened security procedures to accommodate more users, it exposed players to a theft of US$615 million in cryptocurrency. Ransomware that gained entry to an oil pipeline’s digital systems via an unprotected password led to widespread fuel shortages, panic buying and multimillion-dollar losses. Again and again, cybercriminals exploit vulnerabilities in people and systems, causing damage to finances, reputations and everyone connected to the targets.

With human error accounting for 95% of security breaches and costs associated with cybercrime predicted to reach US$8 trillion globally in 2023 according to Cybersecurity Ventures, **manual detection and responses aren’t enough**. The threat landscape has grown too complex; having to process and prioritize potentially thousands of security data points at any given moment can overwhelm even the most capable IT teams. According to a 2022 IBM report, it takes nine months on average “to identify and contain a breach.” 

Security automation—the use of technology, tools and processes to automate security tasks—offers greater protection against increasingly sophisticated strikes and can reduce response times from days to hours. The IBM report notes that breaches for "organizations using AI and automation” were 74 days shorter and an average of US$3 million less costly.

Technologies like Red Hat Ansible Automation Platform (recently made available on Google Cloud) provide rapid intelligence and defense. But effectively implementing systemwide security automation also requires a shift in strategy, skills and mindset.

IT leaders seem to be making that shift. Red Hat’s 2023 Global Tech Outlook survey identifies security automation as the top automation priority. E.G. Nadhan, Global Chief Architect Leader at Red Hat, says “forward-thinking enterprises who have a laser focus on proactive remediation will bring automation … into enterprise security to further reduce risk.” 

In this issue of Red Hat Shares, learn about why you should consider security automation; tips for thinking through cost, design and implementation; how Emory University mitigated a security threat with a Red Hat automation solution and more. Plus, get links to a few ways to test out Ansible Automation Platform at no cost.

**First, see why now is the time to prioritize security automation:**

**Security automation: What does it mean, and how do I get there?**

Securing system architecture through automation requires new skills and new ways of thinking.

_You may also be interested in “Security automation: 3 key benefits.”_

**Security automation: 4 factors to consider**

Before you talk strategy, you need to talk numbers. The cost conversation dictates how organizations use automation—or whether they use it at all.

_You may also be interested in “Security automation: 3 priorities for CIOs.”_

**5 ways to improve security automation**

Consider these tips when designing security solutions to make them as effective and painless as possible.

**IT solutions and security integration in changing environments**

Fully deploying security automation can reduce the average cost of a security breach by 95%. In this on-demand webinar, learn how Ansible Automation Platform can contribute to investigation enrichment, threat hunting and incident response.

**Build a foundation of security with Zero Trust and automation**

With growing threats and attack vectors, implementing Zero Trust across your organization is a must. But that’s only the beginning—especially in large organizations with multiple sites and a mix of on-premise, cloud and edge systems. Scaling Zero Trust architecture requires enterprise-level automation.

CUSTOMER SPOTLIGHT

**Emory University mitigates sudo threat with Red Hat**

Find out how, after discovering a security vulnerability that needed to be addressed quickly, the university used Ansible Automation Platform to remediate across more than 500 servers in four hours instead of up to two weeks.

**Experiment with Red Hat Ansible Automation Platform at no cost**

**2 events in 1: AnsibleFest is happening at Red Hat Summit**

Our premier events will be held together, giving you more ways to explore what’s next in open source and automation.

May 23-25, 2023 | Boston, Massachusetts, USA

Register now

_Did you miss our special end-of-year edition? Check it out. Or browse all past issues of Red Hat Shares._

_Questions or comments about Red Hat Shares? It’s your turn to share. Email us._

_Did a friend forward this email to you? Get your own subscription._

Red Hat Shares – Security automation

FP.io VPP (Vector Packet Processor) 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode.

The Vector Packet Processor

FD.io’s Vector Packet Processor (VPP) is a fast, scalable layer 2-4 multi-platform network stack. It runs in Linux Userspace on multiple architectures including x86, ARM, and Power architectures.

VPP’s high performance network stack is quickly becoming the network stack of choice for applications around the world.

VPP is continually being enhanced through the extensive use of plugins. The Data Plane Development Kit (DPDK) is a great example of this. It provides some important features and drivers for VPP.

VPP supports integration with OpenStack and Kubernetes. Network management features include configuration, counters, sampling and more. For developers, VPP includes high-performance event-logging, and multiple kinds of packet tracing. Development debug images include complete symbol tables, and extensive consistency checking.

Some VPP Use-cases include vSwitches, vRouters, Gateways, Firewalls and Load-Balancers, to name a few.

For more details click on the links below or press next.

About VPP

*   Scalar vs Vector packet processing
*   The Packet Processing Graph
*   Network Stack Features
*   Host Stack
*   Additional features
*   Supported archs and OS
*   Performance
*   Release notes
*   VPP Supported Features

Use Cases

*   VPP with Containers
*   VPP with Iperf3 and TRex
*   VPP in the Cloud
*   VPP with Virtual Machines
*   VPP with VMware/Vmxnet3
*   VPP as a Home Gateway
*   Access Control Lists with VPP
*   Generating traffic with VPP
*   Web applications with VPP
*   Simulating networks with VPP
*   Stateless Traffic Gen with VPP
*   IKEv2 with VPP
*   VPP in kubernetes (Contiv/Deprecated)
*   VPP Container Test Bench

Getting started

*   Downloading and Installing VPP
    *   Installing on Ubuntu / Debian OS Distros
    *   Package Descriptions
*   Running VPP
    *   Usergroup
    *   Systemd File vpp.service
    *   Huge Pages
*   Progressive VPP Tutorial
    *   Setting up your environment
    *   Running VPP
    *   Creating an Interface
    *   Using the trace command
    *   Connecting Two FD.io VPP Instances
    *   Routing
    *   Switching
*   Troubleshooting
    *   CPU Load/Usage
    *   Google Sanitizers
    *   Memory leaks

Developer Documentation

*   Build, Run & Debug
    *   Building VPP
    *   Running VPP
    *   Testing VPP
    *   GDB Examples
    *   Cross compilation on MacOS
*   Core Architecture
    *   Software Architecture
    *   VPPINFRA (Infrastructure)
    *   VLIB (Vector Processing Library)
    *   VNET (VPP Network Stack)
    *   Feature Arcs
    *   Buffer Metadata
    *   Multi-architecture support
    *   Bounded-index Extensible Hashing (bihash)
    *   Build System
    *   VPP mem preload
    *   Multi-threading in VPP
*   Core Features
    *   The FIB
    *   Segment routing
    *   Punting Packets
    *   IPSec (IP Security)
    *   BFD module
    *   IP Reassembly
    *   IPFIX support
    *   Switched Port Analyzer
    *   MTU in VPP
    *   Generic Segmentation Offload
    *   Syslog protocol support
    *   Event-logger
    *   Statistics
    *   SELinux - VPP Custom SELinux Policy
    *   Policing
*   Adding a new plugin or feature
    *   Adding a plugin
    *   Sample plugin for VPP
    *   Handoff queue in a plugin
*   Plugins
    *   QUIC HostStack
    *   Cloud NAT
    *   Linux Control Plane Integration
    *   SRv6 Plugins
    *   Marvell device plugin
    *   LLDP Protocol
    *   Stateful NAT64
    *   Active-Passive NAT HA
    *   NAT44-ED: NAT44 Endpoint Dependent
    *   PNAT 1:1 match & rewrite NAT
    *   Load Balancer plugin
    *   LACP Protocol
    *   IPFIX flow record plugin
    *   MAP and Lw4o6
    *   Buffer metadata change tracker
    *   DHCPv6 prefix delegation
    *   Inband OAM (iOAM)
    *   Wireguard vpp-plugin
    *   SRTP Protocol
    *   Multicore support for ACL plugin
    *   ACL plugin constant-time lookup
    *   ACL Lookup contexts
    *   Buffers monitoring plugin
*   Device drivers
    *   Intel AVF device driver
    *   RDMA (ibverb) device driver
    *   VMWARE vmxnet3 device driver
    *   AF\_XDP device driver
*   VPP Test Framework
    *   Overview
    *   Anatomy of a test case
    *   Logging
    *   Parallel test execution
    *   Test temporary directory and VPP life cycle
    *   Virtual environment
    *   Naming conventions
    *   Automatically generated addresses
    *   Packet flow in the VPP Test Framework
    *   Test framework objects
    *   How VPP APIs/CLIs are called
    *   Utility methods
    *   Example: how to add a new test
*   VPP extra tools
    *   Code coverage with lcov
    *   VPP Snap Build
    *   Strongswan Testing Tool
    *   VPP configuration utility
    *   VPP interface stats client
    *   VPP stats segment FUSE filesystem
    *   VPP Top Installation
    *   LD\_PRELOAD the VCL
    *   Host stack test framework

Interfacing with VPP

*   The binary API
    *   VPP API module
    *   VPP API Language
    *   Writing API handlers
*   C api client
*   C++ api client
*   Go api (govpp)
    *   Components involved
    *   Getting started
    *   Launch VPP
    *   Connecting to VPP
*   Rust api client
*   Memif library (libmemif)
    *   Shared Memory Packet Interface (memif) Library
    *   Build Instructions
    *   Getting started
    *   Libmemif Examples

Contributing

*   Getting a Patch Reviewed
    *   Setup
    *   Clone with ssh
    *   Git Review
*   Writing VPP Documentation
    *   Building the docs
    *   View the results
    *   Writing Docs and merging
*   Reporting Bugs
    *   Data to include in bug reports
    *   Capturing post-mortem data
    *   Core files from Private Images

Debug CLI

*   Getting Started with the debug CLI
    *   Debug and Telnet CLI
    *   CLI features
*   Interface Commands
    *   Basic Interface Commands
    *   Hardware-Interfaces Commands
    *   Create Interfaces Commands
    *   Set Interface Commands
*   Reference
    *   ARP and Loopback CLI
    *   Circular Journal
    *   Command line session
    *   DPDK Crypto
    *   DPDK and pcap tx
    *   Host Interface
    *   Image Version Information
    *   Init functions
    *   Interface
    *   Layer 2 CLI
    *   Layer 3 IP CLI
    *   Network Delay Simulator
    *   Static HTTP Server
    *   Unix Interface
    *   VLIB application library
    *   VXLAN CLI
    *   VXLAN-GBP CLI
    *   Perfmon cli reference
    *   Gbp cli reference
    *   L2e cli reference
    *   netmap
    *   Abf cli reference
    *   Acl cli reference
    *   Adl cli reference
    *   Af\_xdp cli reference
    *   Arping cli reference
    *   Avf cli reference
    *   Bufmon cli reference
    *   Builtinurl cli reference
    *   Cdp cli reference
    *   Cnat cli reference
    *   Crypto\_sw\_scheduler cli reference
    *   Ct6 cli reference
    *   Dhcp cli reference
    *   Dispatch-trace cli reference
    *   Dns cli reference
    *   Cryptodev cli reference
    *   Flowprobe cli reference
    *   Geneve cli reference
    *   Gtpu cli reference
    *   Hs\_apps cli reference
    *   Igmp cli reference
    *   Ikev2 cli reference
    *   Ila cli reference
    *   Ip6 cli reference
    *   Encap cli reference
    *   Export cli reference
    *   Export-vxlan-gpe cli reference
    *   Ip6 cli reference
    *   Lib-pot cli reference
    *   Lib-trace cli reference
    *   Lib-vxlan-gpe cli reference
    *   Udp-ping cli reference
    *   L2tp cli reference
    *   L3xc cli reference
    *   Lacp cli reference
    *   Lb cli reference
    *   Linux-cp cli reference
    *   Test cli reference
    *   Lisp-cp cli reference
    *   Lisp-gpe cli reference
    *   Test cli reference
    *   Lldp cli reference
    *   Mactime cli reference
    *   Map cli reference
    *   Pp2 cli reference
    *   Mdata cli reference
    *   Memif cli reference
    *   Mss\_clamp cli reference
    *   Det44 cli reference
    *   Dslite cli reference
    *   Nat44-ed cli reference
    *   Nat44-ei cli reference
    *   Nat64 cli reference
    *   Nat66 cli reference
    *   Pnat cli reference
    *   Nsh cli reference
    *   Nsh-md2-ioam cli reference
    *   Export-nsh-md2-ioam cli reference
    *   Oddbuf cli reference
    *   Perfmon cli reference
    *   Ping cli reference
    *   Pppoe cli reference
    *   Prom cli reference
    *   Quic cli reference
    *   Rdma cli reference
    *   Snort cli reference
    *   Stn cli reference
    *   Svs cli reference
    *   Tlsopenssl cli reference
    *   Tracedump cli reference
    *   Unittest cli reference
    *   Urpf cli reference
    *   Vhost cli reference
    *   Vmxnet3 cli reference
    *   Vrrp cli reference
    *   Wireguard cli reference
    *   Dma cli reference
    *   Pci cli reference
    *   Stats cli reference
    *   Vlibapi cli reference
    *   Vlibmemory cli reference
    *   Adj cli reference
    *   Arp cli reference
    *   Bfd cli reference
    *   Bier cli reference
    *   Bonding cli reference
    *   Classify cli reference
    *   Crypto cli reference
    *   Pipe cli reference
    *   Tap cli reference
    *   Dpo cli reference
    *   Feature cli reference
    *   Fib cli reference
    *   Flow cli reference
    *   Gre cli reference
    *   Gso cli reference
    *   Hash cli reference
    *   Interface cli reference
    *   Ip-neighbor cli reference
    *   Reass cli reference
    *   Ip6-nd cli reference
    *   Ipfix-export cli reference
    *   Ipip cli reference
    *   Ipsec cli reference
    *   Lawful-intercept cli reference
    *   Mfib cli reference
    *   Mpls cli reference
    *   Pg cli reference
    *   Policer cli reference
    *   Qos cli reference
    *   Session cli reference
    *   Span cli reference
    *   Srmpls cli reference
    *   Srv6 cli reference
    *   Syslog cli reference
    *   Tcp cli reference
    *   Teib cli reference
    *   Udp cli reference
    *   Unix cli reference
    *   Vxlan-gpe cli reference
    *   Api cli reference
    *   App cli reference
    *   Vnet cli reference
    *   vHost User

Configuration file

*   Getting started with the configuration
    *   Command-line Arguments
    *   Configuration File (startup.conf)
*   Configuration Reference
    *   The unix section
    *   The api-trace Section
    *   The api-segment Section
    *   The socksvr Section
    *   The cpu Section
    *   The buffers Section
    *   The dpdk Section
    *   The plugins Section
    *   Some Advanced Parameters:
    *   acl-plugin Section
    *   api-queue Section
    *   cj Section
    *   dns Section
    *   ethernet Section
    *   heapsize Section
    *   ip Section
    *   ip6 Section
    *   l2learn Section
    *   l2tp Section
    *   logging Section
    *   mactime Section
    *   “map” Parameters
    *   nat Section
    *   oam Section
    *   physmem Section
    *   tapcli Section
    *   tcp Section
    *   tls Section
    *   tuntap Section
    *   vhost-user Section
    *   vlib Section

About this documentation

VPP Version : 23.02\-release
Built on    : 02 March 2023

CVE-2022-46397: What is the Vector Packet Processor (VPP) — The Vector Packet Processor v23.02-0-g5516fc0f3 documentation

A novel cyber threat against macOS users is being sold for $100 a pop on the Dark Web, and activity is ramping up.

An information-stealing malware that targets Apple's macOS operating system is making the cyberrounds, siphoning off documents, iCloud keychain data-like passwords, browser cookies, and more from unwitting Apple users.

Appropriately dubbed "MacStealer," it's going for just $100 per build on the cyber underground, so it's no surprise that "more MacStealer samples have been spreading recently," according to a recent Uptycs analysis on the threat.

The malware affects the Catalina version of macOS and subsequent versions that use Intel M1 and M2 CPUs. It also uses the encrypted Telegram messaging platform for command-and-control (C2), the researchers found.

To propagate, operators are looking for low-hanging fruit, hoping to harvest victims by luring them to download .DMG files, which are containers for macOS apps. Fake apps in app stores, piracy websites, or email attachments could all be potential conduits for infection.

"The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt," Uptycs researchers explained in the post. "Once the user enters their login credentials, the stealer … \[compresses\] the data and sends it to C2 via a POST request using a Python User-Agent request. It deletes the data and ZIP file from the victim's system during a subsequent mop-up operation."

This is just the latest malware to target Macs in recent months. In February, pirated versions of Apple's Final Cut Pro video-editing software were found delivering a version of the XMRig cryptocurrency mining tool. And last year, a previously-unknown, macOS spyware called "CloudMensis" surfaced in a highly targeted campaign, exfiltrating documents, keystrokes, screen captures, and more from Apple machines.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MacStealer Malware Plucks Bushels of Data From Apple Users

Microsoft on Tuesday unveiled Security Copilot in preview, marking its continued push to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale."
Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a security analysis tool that enables cybersecurity analysts to quickly respond to threats, process signals, and

Artificial Intelligence / Cyber Threat

Microsoft on Tuesday unveiled **Security Copilot** in preview, marking its continued push to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale."

Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a security analysis tool that enables cybersecurity analysts to quickly respond to threats, process signals, and assess risk exposure.

To that end, it collates insights and data from various products like Microsoft Sentinel, Defender, and Intune to help security teams better understand their environment; determine if they are susceptible to known vulnerabilities and exploits; identify ongoing attacks their scale, and receive remediation instructions; and summarize incidents.

Users, for instance, can ask Security Copilot about suspicious user logins over a specific time period, or even employ it to create a PowerPoint presentation outlining an incident and its attack chain. It can also accept files, URLs, and code snippets for analysis.

Redmond said its proprietary security-specific model is informed by more than 65 trillion daily signals, emphasizing that the tool is privacy-compliant and customer data "is not used to train the foundation AI models."

"Today the odds remain stacked against cybersecurity professionals," Vasu Jakkal, Microsoft's corporate vice president of Security, Compliance, Identity, and Management, pointed out.

"Too often, they fight an asymmetric battle against prolific, relentless and sophisticated attackers. To protect their organizations, defenders must respond to threats that are often hidden among noise."

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Security Copilot is the latest AI push from Microsoft, which has been steadily integrating generative AI features into its software offerings over the past two months, including Bing, Edge browser, GitHub, LinkedIn, and Skype.

The development also comes weeks after the tech giant launched Microsoft 365 Copilot, integrating AI capabilities within its suite of productivity and enterprise apps such as Office, Outlook, and Teams.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders

In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.

Cybercriminal group Kimsuky has evolved into a full-fledged, persistent threat, carrying out "unusually aggressive" social-engineering attacks aimed at gathering intelligence, and stealing and laundering cryptocurrency to support the North Korean government.

Researchers from Mandiant have tracked a number of changes to the activity of the group, which they call APT43, in a series of rapid-fire attacks against targets in the US, South Korea, and Japan, they revealed in a report published today.

Kimsuky, also tracked as Thallium, has been on various researchers' radar screens since 2018, and its previous activity has been widely reported. In earlier attacks, the group mainly focused on conducting cyber espionage against research institutions, geo-political think tanks, and — particularly during the height of the pandemic — pharmaceutical companies.

The group typically used spear-phishing campaigns to lure in users and then installed various public and non-public malware, including spyware, onto targeted devices, which were often Android-based smartphones. In fact, Kimsuky was identified as recently as earlier this month leveraging malicious Chrome browser extensions and Android app-store services to target individuals conducting research on the inter-Korean conflict.

Now, however, Mandiant researchers have found that APT43 is evolving in several ways.

**New Financial & Social Tactics**

For one, the group is now following in the shoes of other North Korean APTs and branching out beyond mere cyber espionage to steal cryptocurrency, the researchers have found. In addition to using the ill-gotten currency to fund the regime of Kim Jong-un, as other groups do, APT43 also uses it to bolster its own activities, they said.

The group is even going the extra step of laundering the crypto through legitimate cloud-mining services so it comes out as clean currency and is difficult to track — an activity that might be used by other groups, but has flown under the radar until now, the researchers said.

"The washing of funds and the 'how' has been the missing piece of the equation," notes Michael Barnhart, Mandiant principal analyst at Google Cloud. "We have indications that APT43 utilizes specific hash rental services to launder these funds by mining for different cryptocurrencies."

For a small fee, these services provide hash power, which APT43 uses to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer's original payments. This allows the APT to use stolen funds to mine for a different cryptocurrency, the researchers said. By spending very little, threat actors walk away with untracked, clean currency to do as they wish, Barnhart explains.

Moreover, APT43 — while technologically unsophisticated — relies on advanced and persistent social-engineering tactics in which threat actors create convincing fake personas and exhibit patience in building relationships with targets over several weeks without using malware, the researchers said.

"I've never seen an APT quite as successful with such novel techniques," Barnhart notes. "They pretend to be subject-matter experts or reporters and ask targeted questions — often with the promise of quoting the victim in a report or news article — and successfully gain feedback."

Indeed, in some instances, attackers successfully convinced targeted victims to send over proprietary, geopolitical analysis and research without deploying malware at all, the researchers said.

This deviates from standard procedure for most threat groups, allowing APT43 to expend little effort or resources in building malware and gaining the information they are seeking in a low-fi way — by merely asking victims for it, Barnhart notes.

**High Volume Cyberattacks, Shifting Targets**

APT43 has shifted its targets, and the malware it uses, in campaigns over the years in response to the demands of the North Korean government and the cyberespionage activities it requires of the group, according to Mandiant.

"APT43 ultimately modifies its targeting and tactics, techniques, and procedures (TTPs) to suit its sponsors, including carrying out financially-motivated cybercrime as needed to support the regime," the researchers said in the report.

For example, prior to October 2020, the group primarily targeted US and South Korean government offices, diplomatic organizations, and think tank-related entities with a stake in foreign policy and security issues affecting the Korean peninsula. Over the next year, however, the group shifted its focus to COVID-19 response efforts in North Korea by targeting health-related verticals and pharmaceutical companies in South Korea, the US, Europe, and Japan.

One notable difference that has emerged between the group and other North Korean threat actors is a recent shift to expand, targeting "everyday users" based on "the sheer velocity and volume of attacks," says Joe Dobson, Mandiant principal analyst.

"By spreading their attack out across hundreds, if not thousands, of victims, their activity becomes less noticeable and harder to track than hitting one large target," he says. "Their pace of execution, combined with their success rate, is alarming."

APT43 is aiming its high-volume activity at entities and organizations in government, business services, and manufacturing as well as think tanks and organizations in education and research related to geopolitical and nuclear policy in the US, South Korea, and Japan, the researchers said.

Given its advanced social-engineering tactics and tendency to go after both specific individuals and wider-net targets, researchers advised organizations that may be at risk to share with their employees "a greater understanding of cyber hygiene and heightened awareness," Barnhart says. "It's important to make personnel aware of this threat actor's TTPs," Barnhart says.

He adds that the APT's spoofed emails are highly convincing, which makes them difficult to spot, even for savvy users; thus, organizations at risk should be on high alert.

North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT43

The new tool aims to deliver the network insights and coordination that “AI” security systems have long promised.

For years now, “artificial intelligence” has been a hot buzzword in the cybersecurity industry, promising tools that spot suspicious behavior on a network, quickly figure out what's going on, and guide incident response if there's an intrusion. The most credible and useful of services, though, have actually been machine learning algorithms trained to spot characteristics of malware and other dubious network activity. Now, as generative AI tools proliferate, Microsoft says it has finally built a service for defenders that's worthy of all the hype.

Two weeks ago, the company launched Microsoft 365 Copilot, which builds on a partnership with OpenAI along with Microsoft's own work on large language models. The company is now rolling out Security Copilot, a sort of security field notebook that integrates system data and network monitoring from security tools like Microsoft Sentinel and Defender and even third-party services. 

Security Copilot can surface alerts, map out in both words and charts what may be going on within a network, and provide steps for a potential investigation. As a human user works with Copilot to map out a possible security incident, the platform tracks history and generates summaries, so if colleagues get added to the project, they can quickly come up to speed and see what's been done so far. The system will also automatically produce slides and other presentation tools about an investigation to help security teams communicate the facts of a situation to people outside their department, and particularly executives who may not have security experience but need to stay informed.   

“Over the past few years, what we’ve seen is this absolute escalation in the frequency of attacks, in the sophistication of attacks, as well as in the intensity of attacks,” says Vasu Jakkal, Microsoft’s chief vice president of security. “And there is not a lot of time for a defender to contain the escalation of an attack. The balance is right now shifted in the direction of attackers.” 

Courtesy of Microsoft

Jakkal says that while machine learning security tools have been effective in specific domains, like monitoring email or activity on individual devices—known as endpoint security—Security Copilot brings all of those separate streams together and extrapolates a bigger picture. “With Security Copilot you can catch what others may have missed because it forms that connective tissue,” she says.

Security Copilot is largely powered by OpenAI's ChatGPT-4, but Microsoft emphasizes that it also integrates a proprietary Microsoft security-specific model. The system tracks everything that's done during an investigation. The resulting record can be audited, and the materials it produces for distribution can all be edited for accuracy and clarity. If something Copilot is suggesting during an investigation is wrong or irrelevant, users can click the “Off Target” button to further train the system.

The platform offers access controls so certain colleagues can be shared on particular projects and not others, which is especially important for investigating possible insider threats. And Security Copilot allows for a sort of backstop for 24/7 monitoring. That way, even if someone with a specific skillset isn't working on a given shift or a given day, the system can offer basic analysis and suggestions to help plug gaps. For example, if a team wants to quickly analyze a script or software binary that may be malicious, Security Copilot can start that work and contextualize how the software has been behaving and what its goals may be.

Microsoft emphasizes that customer data is not shared with others and is “not used to train or enrich foundation AI models.” Microsoft does pride itself, though, on using “65 trillion daily signals” from its massive customer base around the world to inform its threat detection and defense products. But Jakkal and her colleague, Chang Kawaguchi, Microsoft's vice president and AI security architect, emphasize that Security Copilot is subject to the same data-sharing restrictions and regulations as any of the security products it integrates with. So if you already use Microsoft Sentinel or Defender, Security Copilot must comply with the privacy policies of those services.

Kawaguchi says that Security Copilot has been built to be as flexible and open-ended as possible, and that customer reactions will inform future feature additions and improvements. The system's usefulness will ultimately come down to how insightful and accurate it can be about each customer’s network and the threats they face. But Kawaguchi says that the most important thing is for defenders to start benefiting from generative AI as quickly as possible.

As he puts it: “We need to equip defenders with AI given that attackers are going to use it regardless of what we do.”

Microsoft's ‘Security Copilot’ Sics ChatGPT on Security Breaches

A spy group working for the Kim regime has been feeding stolen coins into crypto mining services in an effort to throw tracers off their trail.

In the cryptocurrency ecosystem, coins have a story, tracked in the unchangeable blockchains underpinning their economy. The only exception, in some sense, is cryptocurrency that's been freshly generated by its owner's computational power. So it figures that North Korean hackers have begun adopting a new trick to launder the coins they steal from victims around the world: pay their dirty, stolen coins into services that allow them to mine innocent new ones.

Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it's now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.

Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.

That mining trick allows APT43 to take advantage of the fact that cryptocurrency is relatively easy to steal while avoiding the forensic trail of evidence that it leaves on blockchains, which can make it difficult for thieves to cash out. “It breaks the chain,” says Joe Dobson, a Mandiant threat intelligence analyst. “This is like a bank robber stealing silver from a bank vault and then going to a gold miner and paying the miner in stolen silver. Everyone's looking for the silver while the bank robber's walking around with fresh, newly mined gold.”

Mandiant says it first began seeing signs of APT43's mining-based laundry technique in August of 2022. It's since seen tens of thousands of dollars worth of crypto flow into hashing services—services like NiceHash and Hashing24, which allow anyone to buy and sell computing power to calculate the mathematical strings known as “hashes” that are necessary to mine most cryptocurrencies—from what it believes are APT43 crypto wallets. Mandiant says it has also seen similar amounts flow to APT43 wallets from mining “pools,” services that allow miners to contribute their hashing resources to a group that pays out a share of any cryptocurrency the group collectively mines. (Mandiant declined to name either the hashing services or the mining pools that APT43 participated in.)

In theory, the payouts from those pools should be clean, with no ties to APT43's hackers—that seems, after all, to be the point of the group's laundering exercise. But in some cases of operational sloppiness, Mandiant says it found that the funds were nonetheless commingled with crypto in wallets it had previously identified from its years-long tracking of APT43 hacking campaigns.

The five-figure sums Mandiant saw laundered through this mining process, the company's analysts concede, are nowhere near the size of the massive crypto heists North Korean hackers have pulled off in recent years, stealing hundreds of millions of dollars in cases like the breaches of the Harmony Bridge or Ronin Bridge services. That may be because only a small fraction of North Korea's mining-based laundering has been detected.

But it may also be because APT43 isn't primarily tasked with stealing cryptocurrency, says Mandiant analyst Michael Barnhart. Instead, the group appears to have been ordered to generate enough profits through cybercrime to fund its espionage work. As a result, it has sought to steal smaller sums of crypto from a broad number of victims, he says, with the goal of subsisting independently. “They're not going for a cash grab,” says Barnhart. “They're trying just to make ends meet.”

Cryptocurrency tracing firms, including Chainalysis and Elliptic, say they've seen criminal actors seek freshly mined cryptocurrency to fund their activities or dilute and obfuscate their profits. Elliptic says, for instance, that it's seen a group affiliated with the militant organization Hamas mine cryptocurrency as a means of what it describes as terrorist financing. But Arda Akartuna, a threat analyst at Elliptic, says paying dirty cryptocurrency into a hashing service to mine clean crypto is a particularly troubling phenomenon.

Akartuna points out that mining pools are not as regulated and scrutinized as other crypto players that are sometimes used for money laundering, such as cryptocurrency exchanges, “mixing” services designed to obfuscate the trail of users' coins, and NFT marketplaces. “But they probably should be,” he says.

“It's quite concerning that a lot of mining pools don't actually screen who participates in them,” says Akartuna. “So you could potentially have illicit actors that are contributing computing power to the mining pools, and those mining pools don't have the tools to identify them.”

That suggests government authorities seeking money launderers and criminal financiers may have to shift some of their focus away from the intermediaries of the crypto economy toward the miners that serve as the original wellspring. Not all of that fresh digital cash is quite as innocent as it might seem.

_Update 2 pm ET, March 28, 2023: Clarified the views of Eliptic's Arda Akartuna regarding APT23's crypto-laundering tactics._

North Korea Is Now Mining Crypto to Launder Its Stolen Loot

Ubuntu Security Notice 5976-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

==========================================================================  
Ubuntu Security Notice USN-5976-1  
March 27, 2023

linux-oem-5.14, linux-oem-5.17 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oem-5.17: Linux kernel for OEM systems  
- linux-oem-5.14: Linux kernel for OEM systems

Details:

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

It was discovered that the KVM VMX implementation in the Linux kernel did  
not properly handle indirect branch prediction isolation between L1 and L2  
VMs. An attacker in a guest VM could use this to expose sensitive  
information from the host OS or other guest VMs. (CVE-2022-2196)

It was discovered that the Intel 740 frame buffer driver in the Linux  
kernel contained a divide by zero vulnerability. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3061)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform bounds checking in some situations. A  
physically proximate attacker could use this to craft a malicious USB  
device that when inserted, could cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-3628)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.17.0-1029-oem     5.17.0-1029.30  
   linux-image-oem-22.04           5.17.0.1029.27  
   linux-image-oem-22.04a          5.17.0.1029.27

Ubuntu 20.04 LTS:  
   linux-image-5.14.0-1059-oem     5.14.0-1059.67  
   linux-image-oem-20.04           5.14.0.1059.57  
   linux-image-oem-20.04b          5.14.0.1059.57  
   linux-image-oem-20.04c          5.14.0.1059.57  
   linux-image-oem-20.04d          5.14.0.1059.57

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5976-1  
   CVE-2022-2196, CVE-2022-3061, CVE-2022-3628, CVE-2022-36280,  
   CVE-2022-3646, CVE-2022-3649, CVE-2022-41850, CVE-2023-0394,  
   CVE-2023-0461

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1029.30  
   https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1059.67

Ubuntu Security Notice USN-5976-1

Subrion CMS version 4.2.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)# Date: 2022-08-10# Exploit Author: Sinem Şahin# Vendor Homepage: https://intelliants.com/# Version: 4.2.1# Tested on: Windows & XAMPP==> Tutorial <==1- Go to the following url. => http://(HOST)/panel/fields/add2- Write XSS Payload into the tooltip value of the field add page.3- Press "Save" button.4- Go to the following url. => http://(HOST)/panel/members/addXSS Payload ==> "<script>alert("field_tooltip_XSS")</script> Reference: ://github.com/intelliants/subrion/issues/895

Subrion CMS 4.2.1 Cross Site Scripting

IoT risk and security must get more attention from vendors and support from the marketplace.

The Internet of Things (IoT) is and always will be a contentious subject for cybersecurity. Not because of the convenience these devices add but for the risk they inject into the lives of people and businesses.

As cybersecurity professionals, we often quote cynical jokes to laugh and cope with the reality of our jobs. So stop me if you've heard this one: Did you know that the S in IoT stands for security? Half of you chuckled at it, and the other half probably took a second to realize that there is no S or security in the IoT acronym.

As cybersecurity professionals, we're often stuck between a rock and a hard place when assessing the risk these devices pose to us personally and professionally. There are more than a billion IoT devices on the Internet, each with the potential to be exploited. A business might have a compelling business imperative an IoT solution can enable, but that solution may inject an undue security risk into protecting safety and productivity. A Wi-Fi-connected security camera may give a homeowner peace of mind about securing a property, but may also expose that property to additional risk from hackers who can take control of the camera and abuse the platform.

**Market Forces vs. IoT Vendors**

So how did we get here? The easy answer is: IoT vendors continue to fail us on implementing solid cybersecurity controls. The difficult answer is: The market continues to push many IoT vendors into offering the lowest cost and most competitive products. They achieve this by sacrificing or outright neglecting cybersecurity for their solutions.

By choosing to not address security, vendors are pushing the risk to the consumers who are often oblivious to the dangers. In commercial solutions, this can have serious consequences. A medical facility that relies on IoT devices to manage patient care cannot weather an outage without endangering patients. Nor would they want patient data inadvertently exposed due to insecure IoT devices, or worse, have actual medical care disrupted.

So how did we, as consumers and dependents of IoT, get here to this untenable state of IoT risk and security? The answers, as they always seem to do, eventually lead back to money.

There are quite a few big-name players in the commercial and residential IoT space. These are name brands that most everyone can recognize: Google, Huawei, Microsoft, and others. While these companies are mature and responsive to security threats in IoT, it's the more niche companies that are more concerning.

**IoT Cost Points**

So, here's a thought experiment. Imagine you're a small IoT company and you want to develop a niche product that will enter an already crowded IoT market. What kind of costs does it take to develop the IoT product? Some cost points to consider:

**1\. Qualified development personnel are hard to come by for IoT.** You will need a solid team of hardware, networking, application design, business intelligence and automation experts to help bring your product to market.

**2\. Hardware and software costs can range from small to huge sums of money.** The more complex the device and service, the higher the cost.

**3\. What is the connection model?** Wi-Fi, Bluetooth, cellular? Each adds more to the cost, some more than others.

**4\. You must design a product UI!** If you intend to win on the merits of your product, a smooth user experience is a must.

**5\. What about security?** Do we have to use encryption? How about a secure protocol, or hardware that has secure firmware? Well, unless there's a regulatory requirement, there's no money for it. We have to keep costs down if we intend to compete.

**Best IoT Security Development Steps**

While the scenario is a generalization, it's not far from the truth. Developing an IoT product with security features adds to costs many companies either do not consider, or have deliberately chosen to neglect. Further complicating things, what if the company that makes an IoT device no longer supports it? Or what if that company simply goes out of business?

Is any of this resolvable? To an extent, yes. Companies can usually push over-the-air (OTA) updates to products that can address security issues. They can also utilize cloud service frameworks that mandate security between the device, the cloud, and the company. Vendors can also employ outside third parties to audit and evaluate the IoT solution. An outside third party can fairly evaluate and help the vendor address vulnerabilities in the hardware or software. Application developers can be trained in secure software development. The product can be designed with hardware robust enough to accommodate secure implementations.

However, all these things represent monetary investments a company has to willingly make. And the investments are continuous — with every device patch or new feature offering, the same security evaluations have to be performed again and again.

**It's Time to Step Up**

What do we do? The first step is educating the consumers. As security professionals, we must do our best to help others have situational awareness and help evaluate risk. This in turn can help for security investments that can help mitigate the vulnerabilities that some IoT devices inject into our risk models.

Helping call out insecure practices and companies can also help. We have a unique opportunity and position to help advocate for everyone who utilizes an IoT device and should use our voices to help wherever we can.

Tag

#intel