Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function.

Copy link

Contributor

** **ruokeqx** commented Sep 4, 2022 •**

**What type of PR is this?**

fix: A bug fix

**Check the PR title.**

*   This PR title match the format: (optional scope):
    
*   The description of this PR title is user-oriented and clear enough for others to understand.
    

**(Optional) Translate the PR title into Chinese.**

修复目录穿越漏洞

**(Optional) More detail description for this PR(en: English/zh: Chinese).**

en: fix by simply replace all backslashes with forward slashes  
zh(optional): 将反斜杠全部改成正斜杠

**Which issue(s) this PR fixes:**

Fixes #228

Currently hertz has no restriction on backslash in normalizePath function.

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// remove duplicate slashes
	b := dst
	bSize := len(b)
	for {
		n := bytes.Index(b, bytestr.StrSlashSlash)
		if n < 0 {
			break
		}
		b \= b\[n:\]
		copy(b, b\[1:\])
		b \= b\[:len(b)\-1\]
		bSize\--
	}
	dst \= dst\[:bSize\]

	// remove /./ parts
	b \= dst
	for {
		n := bytes.Index(b, bytestr.StrSlashDotSlash)
		if n < 0 {
			break
		}
		nn := n + len(bytestr.StrSlashDotSlash) \- 1
		copy(b\[n:\], b\[nn:\])
		b \= b\[:len(b)\-nn+n\]
	}

	// remove /foo/../ parts
	for {
		n := bytes.Index(b, bytestr.StrSlashDotDotSlash)
		if n < 0 {
			break
		}
		nn := bytes.LastIndexByte(b\[:n\], '/')
		if nn < 0 {
			nn \= 0
		}
		n += len(bytestr.StrSlashDotDotSlash) \- 1
		copy(b\[nn:\], b\[n:\])
		b \= b\[:len(b)\-n+nn\]
	}

	// remove trailing /foo/..
	n := bytes.LastIndex(b, bytestr.StrSlashDotDot)
	if n \>= 0 && n+len(bytestr.StrSlashDotDot) \== len(b) {
		nn := bytes.LastIndexByte(b\[:n\], '/')
		if nn < 0 {
			return bytestr.StrSlash
		}
		b \= b\[:nn+1\]
	}

	return b
}

After:

func normalizePath(dst, src \[\]byte) \[\]byte {
	// replace all backslashes with forward slashes
	for {
		n := bytes.Index(src, bytestr.StrBackSlash)
		if n < 0 {
			break
		}
		src\[n\] \= '/'
	}
	...
}

**Codecov Report**

> Merging #229 (4ecd30e) into develop (8751608) will **decrease** coverage by 0.02%.  
> The diff coverage is 0.00%.

@@             Coverage Diff             @@
#\#           develop     #229      +/-   ##
===========================================
\- Coverage    59.19%   59.17%   -0.03%     
===========================================
  Files           79       79              
  Lines         8105     8110       +5     
===========================================
+ Hits          4798     4799       +1     
\- Misses        2953     2957       +4     
  Partials       354      354              

Impacted Files

Coverage Δ

pkg/protocol/uri.go

70.34% <0.00%> (-0.72%)

⬇️

pkg/network/standard/buffer.go

81.08% <0.00%> (-0.50%)

⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

Copy link

Contributor Author

****ruokeqx** commented Sep 4, 2022**

Copy link

Contributor Author

****ruokeqx** commented Sep 4, 2022**

> When checking other http framework source code, I find that fasthttp community fix the same bug six months ago. Maybe we can borrow some code.
> 
> valyala/fasthttp#1226 valyala/fasthttp@6b5bc7b

They just repeat the logic, there is no need to write duplicate code.  
The point is that backslash also work in windows. So, essentially, we just need to replace the backslash with forward slash, by which we, to some extent, limit the separator.  
In my limited point of view, my fix is better.

@@ -480,6 +480,15 @@ func splitHostURI(host, uri \[\]byte) (\[\]byte, \[\]byte, \[\]byte) {

}

  

func normalizePath(dst, src \[\]byte) \[\]byte {

// replace all backslashes with forward slashes

for {

n := bytes.Index(src, bytestr.StrBackSlash)

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

1.  Seems it will double check for bytes that have been replaced, is this an performance issue on long paths?
2.  I'm not sure it's a good idea to replace src in place, maybe it's hard to understand that if normalizePath has a return value and also modifies the input parameters.

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

> 1.  Seems it will double check for bytes that have been replaced, is this an performance issue on long paths?
> 2.  I'm not sure it's a good idea to replace src in place, maybe it's hard to understand that if normalizePath has a return value and also modifies the input parameters.

maybe this one would be better

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// replace all backslashes with forward slashes
	if filepath.Separator \== '\\\\' {
		for i := range dst {
			if dst\[i\] \== '\\\\' {
				dst\[i\] \= '/'
			}
		}
	}
	...
}

BTW: echo use function filepath.ToSlash

https://github.com/labstack/echo/blob/master/context\_fs.go#L33

func ToSlash(path string) string {
	if Separator \== '/' {
		return path
	}
	return strings.ReplaceAll(path, string(Separator), "/")
}

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

bytes.IndexByte will do a SIMD accelerate in some platforms. Not sure which one is better.

And since the bug only happens in Windows? Maybe add a if filepath.Separator == '\\' { to filter the platform?

The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum

Copy link

Contributor Author

****ruokeqx** commented Sep 5, 2022 •**

> The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum

this version solve the problem

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// replace all backslashes with forward slashes
	if filepath.Separator \== '\\\\' {
		for i := range dst {
			if dst\[i\] \== '\\\\' {
				dst\[i\] \= '/'
			}
		}
	}
	...
}

before the if judgment  
src = "/..%5c..%5cgo.sum"  
dst = "//..\\..\\go.sum"

curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
\*   Trying 127.0.0.1:8888...
\* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
\> GET /..%5c..%5cgo.sum HTTP/1.1
\> Host: 127.0.0.1:8888
\> User-Agent: curl/7.83.1
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 404 404 Page not found
< Date: Mon, 05 Sep 2022 09:10:07 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 26
<
Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact

> > The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum
> 
> this version solve the problem
> 
> func normalizePath(dst, src \[\]byte) \[\]byte {
> 	dst \= dst\[:0\]
> 	dst \= addLeadingSlash(dst, src)
> 	dst \= decodeArgAppendNoPlus(dst, src)
> 
> 	// replace all backslashes with forward slashes
> 	if filepath.Separator \== '\\\\' {
> 		for i := range dst {
> 			if dst\[i\] \== '\\\\' {
> 				dst\[i\] \= '/'
> 			}
> 		}
> 	}
> 	...
> }
> 
> before the if judgment src = "/..%5c..%5cgo.sum" dst = "//....\\go.sum"
> 
> curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
> \*   Trying 127.0.0.1:8888...
> \* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> \> GET /..%5c..%5cgo.sum HTTP/1.1
> \> Host: 127.0.0.1:8888
> \> User-Agent: curl/7.83.1
> \> Accept: \*/\*
> \>
> \* Mark bundle as not supporting multiuse
> < HTTP/1.1 404 404 Page not found
> < Date: Mon, 05 Sep 2022 09:10:07 GMT
> < Content-Type: text/plain; charset=utf-8
> < Content-Length: 26
> <
> Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact

Good job! As for the performance part, maybe do a bench test to see the answer.

Copy link

Contributor Author

****ruokeqx** commented Sep 5, 2022**

> > > The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum
> > 
> > this version solve the problem
> > 
> > func normalizePath(dst, src \[\]byte) \[\]byte {
> > 	dst \= dst\[:0\]
> > 	dst \= addLeadingSlash(dst, src)
> > 	dst \= decodeArgAppendNoPlus(dst, src)
> > 
> > 	// replace all backslashes with forward slashes
> > 	if filepath.Separator \== '\\\\' {
> > 		for i := range dst {
> > 			if dst\[i\] \== '\\\\' {
> > 				dst\[i\] \= '/'
> > 			}
> > 		}
> > 	}
> > 	...
> > }
> > 
> > before the if judgment src = "/..%5c..%5cgo.sum" dst = "//....\\go.sum"
> > 
> > curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
> > \*   Trying 127.0.0.1:8888...
> > \* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> > \> GET /..%5c..%5cgo.sum HTTP/1.1
> > \> Host: 127.0.0.1:8888
> > \> User-Agent: curl/7.83.1
> > \> Accept: \*/\*
> > \>
> > \* Mark bundle as not supporting multiuse
> > < HTTP/1.1 404 404 Page not found
> > < Date: Mon, 05 Sep 2022 09:10:07 GMT
> > < Content-Type: text/plain; charset=utf-8
> > < Content-Length: 26
> > <
> > Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact
> 
> Good job! As for the performance part, maybe do a bench test to see the answer.

I did some simple benchmarks, when there are backslashes in path, for-range option is faster, when there is no backslash in path, IndexByte option is faster.

Choose IndexByte maybe more reasonable since most normal URLs don't have backslashes in them.

var benchDstBackslashShort \= \[\]byte("/..\\\\foo")
var benchDstBackslashLong \= \[\]byte("/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\foo")
var benchDstNoBackslashShort \= \[\]byte("/../foo")
var benchDstNoBackslashLong \= \[\]byte("/../../../../../../../../../../foo")

func BenchmarkForrange(b \*testing.B) {
	for i := 0; i < b.N; i++ {
		for i := range benchDstNoBackslashShort {
			if benchDstNoBackslashShort\[i\] \== '\\\\' {
				benchDstNoBackslashShort\[i\] \= '/'
			}
		}
		benchDstNoBackslashShort \= \[\]byte("/../foo")
	}
}

func BenchmarkIndexByte(b \*testing.B) {
	for i := 0; i < b.N; i++ {
		for {
			n := bytes.IndexByte(benchDstNoBackslashShort, '\\\\')
			if n < 0 {
				break
			}
			benchDstNoBackslashShort\[n\] \= '/'
		}
		benchDstNoBackslashShort \= \[\]byte("/../foo")
	}
}

environment

goos: windows
goarch: amd64
pkg: github.com/cloudwego/hertz/pkg/protocol
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz

benchDstBackslashShort

BenchmarkForrange-12     	57650732	        19.92 ns/op	       8 B/op	       1 allocs/op
BenchmarkIndexByte-12    	43823608	        27.97 ns/op	       8 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.521s

benchDstBackslashLong

BenchmarkForrange-12     	21818498	        52.70 ns/op	      48 B/op	       1 allocs/op
BenchmarkIndexByte-12    	 9185786	       130.1 ns/op	      48 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.941s

benchDstNoBackslashShort

BenchmarkForrange-12     	53754288	        19.66 ns/op	       8 B/op	       1 allocs/op
BenchmarkIndexByte-12    	61503766	        19.34 ns/op	       8 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.379s

benchDstNoBackslashLong

BenchmarkForrange-12     	21096711	        49.30 ns/op	      48 B/op	       1 allocs/op
BenchmarkIndexByte-12    	32403181	        37.07 ns/op	      48 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.724s

PTAL. There may have a side effect which lead to a failure of existing UT

Copy link

Contributor Author

****ruokeqx** commented Sep 6, 2022 •**

My fault. Since we add if filepath.Separator == '\\' {, backslashes were replaced when running UT in my windows laptop. However, linux would not replace them.  
We can pass the the UT by modifying the code like below.

if filepath.Separator \== '\\\\' && string(parsedPath) != expectedPath {
    t.Fatalf("Unexpected Path: %q. Expected %q", parsedPath, expectedPath)
}

Also, github action can not check windows path.

CVE-2022-40082: fix: fix path-traversal bug by ruokeqx · Pull Request #229 · cloudwego/hertz

A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.
"Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through

A new, multi-functional Go-based malware dubbed **Chaos** has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.

"Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute-forcing SSH private keys, as well as launch DDoS attacks," researchers from Lumen's Black Lotus Labs said in a write-up shared with The Hacker News.

A majority of the bots are located in Europe, specifically Italy, with other infections reported in China and the U.S., collectively representing "hundreds of unique IP addresses" over a one-month time period from mid-June through mid-July 2022.

Written in Chinese and leveraging China-based infrastructure for command-and-control, the botnet joins a long list of malware that are designed to establish persistence for extended periods and likely abuse the foothold for nefarious purposes, such as DDoS attacks and cryptocurrency mining.

If anything, the development also points to a dramatic uptick in threat actors shifting to programming languages like Go to evade detection and render reverse engineering difficult, not to mention targeting several platforms at once.

Chaos (not to be confused with the ransomware builder of the same name) lives up to its name by exploiting known security vulnerabilities to gain initial access, subsequently abusing it to conduct reconnaissance and initiate lateral movement across the compromised network.

What's more, the malware has versatility that similar malware does not, enabling it to operate across a wide range of instruction set architectures from ARM, Intel (i386), MIPS, and PowerPC, effectively allowing the threat actor to broaden the scope of its targets and swiftly accrue in volume.

On top of that, Chaos further has the ability to execute as many as 70 different commands sent from the C2 server, one of which is an instruction to trigger the exploitation of publicly-disclosed flaws (CVE-2017-17215 and CVE-2022-30525) defined in a file.

Chaos is also believed to be an evolution of another Go-based DDoS malware named Kaiji that has previously targeted misconfigured Docker instances. The correlations, per Black Lotus Labs, stem from overlapping code and functions based on an analysis of over 100 samples.

A GitLab server located in Europe was one among the victims of the Chaos botnet in the first weeks of September, the company said, adding it identified a string of DDoS attacks aimed at entities spanning gaming, financial services, and technology, media and entertainment, and hosting providers. Also targeted was a crypto mining exchange.

The findings come exactly three months after the cybersecurity company exposed a new remote access trojan dubbed ZuoRAT that has been singling out SOHO routers as part of a sophisticated campaign directed against North American and European networks.

"We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. "Chaos poses a threat to a variety of consumer and enterprise devices and hosts."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems

The "single pane of glass" that gathers and correlates all the information security professionals need doesn't exist, so it's up to us to create it.

When the Bloomberg Terminal was introduced in 1982, it changed Wall Street forever. The Terminal was a computing marvel, aggregating and correlating more data than ever imagined. From market data to global currencies, commodities and real estate to policy and politics, investors and traders had for the first time a centralized data platform for real-time, multidimensional visibility and analysis. 

After seeing the field differently, users developed new proprietary strategies that led to an explosion in new products, such as index options and mortgage-backed securities. Data analysis kicked off an age of discovery, and it made Wall Street the place to be in the 1980s and beyond.

Today, data analysis is a critical component of any cybersecurity program. Security teams must sift through a dizzying array of inputs and issues in order to separate the signals and noise. They must differentiate between legitimate and malicious activity and prioritize where to take action to mitigate risk and battle adversaries to protect their businesses and customers.

One could argue that artificial intelligence (AI) and machine learning (ML) are leading the much-needed age of advancement in cybersecurity. But thousands of companies are using AI and ML to develop thousands of cybersecurity solutions. Siloed implementations by vendors that have little incentive to collaborate have created massive complexity that ultimately still leaves businesses vulnerable to attacks and exploits. 

The Bloomberg Terminal for cybersecurity — the "single pane of glass" that gathers and correlates all the relevant information security professionals need to do their jobs efficiently — doesn't yet exist. So enterprises are left grappling with where they should begin.

**Protect the Most Critical Asset First**

The approach we have been using to reduce business risk and protect critical assets is not working or scaling to meet the complexity of today's environment or the attack landscape. The focus has been on protecting the infrastructure, the data center, and the devices using a complex web of barriers to limit access. Despite the attention that zero-trust security architectures have received, it seems that as an industry, we struggle to turn the rhetoric into architecture. Businesses are encouraged to move away from moats and castles and toward securing access and applications, but practitioners still tend to focus on building fences around their most critical assets instead of securing the assets themselves.

Yet data is arguably the enterprise's most important asset. Data breaches exposed 21 billion records in 2021. This is why cybercriminals target it and governments around the world regulate it. The business consequences of a data breach have never been higher. According to the 2022 "Cost of a Data Breach" report from IBM and Ponemon, the average cost of a data breach rose to a record $4.35 million in 2022.

As the enterprise transitions to the cloud, this shift dramatically increases the threat surface of an organization, since much of this activity is outside the visibility of the security teams. "The cloud" no longer means a public cloud vendor or two. The modern enterprise environment involves on-prem services, multiple cloud services, software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS) all securing managed and unmanaged devices, with hybrid employees and third parties all requiring access to business assets. Security professionals have no way to see it all, certainly not in a dashboard view.

**Protect the Whole Enterprise**

Few organizations speak with more CISOs than Gartner. According to "Gartner Predicts 2022," consolidated security platforms are the future:

_Vendors are increasingly divided into 'platform' and 'portfolio' camps, with the former integrating tools to make a whole that's greater than the sum of the parts, and the latter packaging products with little integration. Technology consolidation is not limited to one technology area or even to a closely related set of technologies; these consolidations are happening in parallel across many security areas._

The Bloomberg Terminal for cybersecurity may never exist in the way security professionals dream about, so it'll be up to them to envision and create their own version. This is harder than it might seem, as evidenced by the increasing disillusionment security practitioners feel with their security information and management (SIEM) implementations — where big data leads to big bills but not deep insights — and the growth of more specialized event management and extended detection and response (XDR) solutions. This will require a review of that sea of options to select the tools that make the most sense for each layer of the enterprise.

Could we end up with a handful of platforms built on open standards? For the sake of enterprise risk, and the people doing the work, let's hope so.

When Will Cybersecurity Get Its Bloomberg Terminal?

Malwarebytes achieves 250% year-over-year MSP partner growth, introduces new modules to enhance protection, detection, and resolution of threats for SMBs.

**SANTA CLARA, Calif., Sept. 27, 2022 / PRNewswire/ —** MalwarebytesTM, a global leader in real-time cyber protection, continues to expand its OneView platform capabilities as well as rapidly grow the company's Managed Service Provider (MSP) program. In addition to best-in-class endpoint security, MSPs can now access vulnerability assessment, patch management, and Domain Name System (DNS) filtering from Malwarebytes OneView.

"At Malwarebytes, we aim to serve the underserved, which is what our MSP partners are doing every day for SMBs," said Brian Thomas, Vice President of Worldwide MSP & Channel Programs at Malwarebytes. "I joined Malwarebytes with ambitious plans that are coming to life through our amazing team and unwavering commitment to help both new and existing MSP partners keep their clients safe while catapulting their businesses to new heights."

Delivering high-quality cybersecurity services and keeping customer environments free from malware requires a skilled team that can provide 24x7 coverage. Yet, many MSPs face constrained staff resources, skyrocketing costs and complexities of managing multiple solutions to uncover hidden threats. Today's MSPs require streamlined and simplified solutions to help them keep pace.

The Malwarebytes OneView platform empowers MSPs to deliver enterprise-class endpoint security products that drastically reduce customer malware infections and ransomware exposure. The easy-to-manage platform allows security analysts of all skill levels to be effective from a centralized cloud-based console. With different levels of protection capabilities and threat prevention modules, MSPs can offer the right product or service to each customer, tailored to their specific needs.

This quarter, Malwarebytes has continued to build upon OneView, adding three new modules that simplify breach prevention within the same cloud interface MSPs already trust for detection and remediation:

*   **Vulnerability and Patch Management**, which enables MSPs to take control of their full patching process, helping ensure defenses are up to date across their clients' environments.
*   **DNS Filtering**, which empowers organizations to regulate access to websites and other content on company-managed networks, which in turn reinforces the security of company data.
*   **Vulnerability Assessment**, which helps users understand exposure, identify vulnerabilities, and prioritize actions to update defenses across device and server operating systems and a wide range of third-party applications.

"The continued expansion of the OneView platform empowers us to help our customers with enhanced protection modules and expert support, reducing investments in time and resources needed to protect their organizations against increasingly complex vulnerabilities," said Daniel Mitchell, CEO of Alt-Tech. "Our partnership with Malwarebytes means stronger and simpler protection for our SMB customers, helping them successfully navigate potential threats."

Malwarebytes' initial MSP Program and OneView showed significant traction, resulting in over 250% YOY growth, with more than 2,700 new global MSP partners and strategic partnerships with Addigy, Atera, ConnectWise, Datto, GCN Group, Kaseya, Sherweb, TeamViewer and regional partner Soft Solutions. Based on business demand and future growth projections, Malwarebytes added more than 30 employees in the last six months across the MSP team, including Nadia Karatsoreos, who is dedicated to empowering MSPs to profitably grow their businesses. The company plans to continue expanding the MSP Program with further product innovation as well as additional resources and training.

"I am thrilled to be joining the Malwarebytes team during this pivotal time," said Nadia Karatsoreos, Senior MSP Growth Strategist at Malwarebytes. "MSPs have been tasked with keeping their clients safe from cyber threats, which is not an easy feat. They not only need the tools but also a supportive vendor so they can confidently sell and serve their customers. I'm so excited that I get to continue to help MSPs grow their businesses."

To read more about the latest threats and cyber protection strategies, visit our newsroom, or follow us on Facebook, Instagram, LinkedIn, TikTok, and Twitter.

**About Malwarebytes  
**Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, that mission has expanded to provide cyber protection for everyone. Malwarebytes provides consumers and organizations with device protection, privacy, and prevention through effective, intuitive, and inclusive solutions in the home, on-the-go, at work, or on campus. A world-class team of threat researchers and security experts enable Malwarebytes to protect millions of customers and combat existing and never-before-seen threats using artificial intelligence and machine learning to catch new threats rapidly. These capabilities have been lauded by independent third parties including, among others, MITRE Engenuity, MRG Effitas, AV-TEST (consumer and business), G2 Crowd and CNET. With threat hunters and innovators across the world, the company is headquartered in California with offices in Europe and Asia. For more information, visit https://www.malwarebytes.com.

**SOURCE:** Malwarebytes

Malwarebytes Expands OneView Platform for MSPs

By Waqas
According to the breach notification, 369 Elbit Systems employees got their information stolen by the attackers.
This is a post from HackRead.com Read the original post: US branch of Israeli defense contractor Elbit hit by data breach

Elbit Systems of America, which is the US branch of an Israeli defense contractor, Elbit, has confirmed that its network was targeted by cybercriminals in early June 2022. Resultantly, the personal data of its employees was stolen.

The Texas-based firm hasn’t shared many details on the data breach, but it did reveal that the attack disrupted its ‘cyber operations.’

**Incident Details**

According to the breach notification issued by the Maine attorney general’s office, the American arm of Elbit’s network has suffered a data breach. Around 369 Elbit Systems employees got their information stolen by the attackers.

As per the company, exposed data includes employee names, dates of birth, addresses, ethnicity, direct deposit information, and Social Security Numbers. The company’s spokesperson in America and any representative from its parent organization in Israel haven’t commented on the incident yet.

**Who is the Attacker?**

As per Elbit Systems of America, the investigation is still going on. At the moment, it is difficult to attribute this attack to a specific hacker, cybercrime gang, or nation-state. The company is also unsure about the objective behind this attack.  

1.  Iran-linked hackers hit Israeli, US, and EU defense tech firm
2.  Dark web hacker leaks sensitive Indian defense contractor data
3.  Meet SockDetour fileless backdoor targeting U.S. Defense contractors
4.  Hackers Posing as Women to Con Israeli Officials into Installing Malware
5.  Unknown TA2541 group attacking aviation and defense sectors since 2017

**About Elbit**

For your information, Elbit Systems is an electronics and defense tech firm. It mainly builds unmanned aerial drones, intelligence gathering, espionage, and surveillance-related systems for governments and militaries, electronic warfare systems, and similar equipment and sells it worldwide.

The company also creates surveillance software. It acquired Nice Systems’ cyber and intelligence unit in 2015 for a whopping $160 million and renamed it Cyberbit. 

As noted by TechCrunch, internet watchdog Citizen Lab’s research found that Cyberbit’s commercial spyware was used for espionage activities against Ethiopian dissidents in the USA and the UK.

This spyware could steal users’ private data from the targeted device, including passwords, screenshots, and emails. However, it is also suspected that the Ethiopian government itself ordered the spying activity.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

US branch of Israeli defense contractor Elbit hit by data breach

TCP-based, DNS water-torture, and carpet-bombing attacks dominate the DDoS threat landscape, while Ireland, India, Taiwan, and Finland are battered by DDoS attacks resulting from the Russia/Ukraine war.

**WESTFORD, Mass.,** **September 27, 2022** — NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) today announced findings from its 1H2022 DDoS Threat Intelligence Report. The findings demonstrate how sophisticated cybercriminals have become at bypassing defenses with new DDoS attack vectors and successful methodologies.

"By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies," said Richard Hummel, threat intelligence lead, NETSCOUT. "In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised a new attack vector called TP240 PhoneHome, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications."

NETSCOUT's Active Level Threat Analysis System (ATLAS™) compiles DDoS attack statistics from most of the world's ISPs, large data centers, and government and enterprise networks. This data represents intelligence on attacks occurring in over 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs). NETSCOUT's ATLAS Security Engineering and Response Team (ASERT) analyzes and curates this data to provide unique insights in its biannual report. Key findings from the 1H2022 NETSCOUT DDoS Threat Intelligence Report include:

*   There were 6,019,888 global DDoS attacks in 1st half of 2022.
*   TCP-based flood attacks (SYN, ACK, RST) remain the most used attack vector, with approximately 46% of all attacks continuing a trend that started in early 2021.
*   DNS water-torture attacks accelerated into 2022 with a 46% increase primarily using UDP query floods, while carpet-bombing attacks experienced a big comeback toward the end of the second quarter; overall, DNS amplification attacks decreased by 31% from 2H2021 to 1H2022.
*   The new TP240 PhoneHome reflection/amplifications DDoS vector was discovered in early 2022 with a record-breaking amplification ratio of 4,293,967,296:1; swift actions eradicated the abusable nature of this service.
*   Malware botnet proliferation grew at an alarming rate, with 21,226 nodes tracked in the first quarter to 488,381 nodes in the second, resulting in more direct-path, application-layer attacks.

**Geopolitical Unrest Spawns Increased DDoS Attacks**

As Russian ground troops entered Ukraine in late February, there was a significant uptick in DDoS attacks targeting governmental departments, online media organizations, financial firms, hosting providers, and cryptocurrency-related firms, as previously documented. However, the ripple effect resulting from the war had a dramatic impact on DDoS attacks in other countries including:

*   Ireland experienced a surge in attacks after providing service to Ukrainian organizations.
*   India experienced a measurable increase in DDoS attacks following its abstention from the UN Security Council and General Assembly votes condemning Russia's actions in Ukraine.
*   On the same day, Taiwan endured its single-highest number of DDoS attacks after making public statements supporting Ukraine, as with Belize.
*   Finland experienced a 258% increase in DDoS attacks year-over-year, coinciding with its announcement to apply for NATO membership.
*   Poland, Romania, Lithuania, and Norway were targeted by DDoS attacks linked to Killnet; a group of online attackers aligned with Russia.
*   While the frequency and severity of DDoS attacks in North America remained relatively consistent, satellite telecommunications providers experienced an increase in high-impact DDoS attacks, especially after providing support for Ukraine's communications infrastructure.
*   Russia experienced a nearly 3X increase in daily DDoS attacks since the conflict with Ukraine began and continued through the end of the reporting period.

Similarly, as tensions between Taiwan, China, and Hong Kong escalated in 1H2022, DDoS attacks against Taiwan regularly occurred in concert with related public events.

**Unparalleled** **Intelligence**

No other vendor sees and knows more about DDoS attack activity and best practices in attack protection than NETSCOUT. In addition to publishing the DDoS Threat Intelligence Report, NETSCOUT also presents its highly curated real-time DDoS attack data on its Omnis Threat Horizon portal to give customers visibility into the global threat landscape and understand the impact on their organizations. This data also fuels NETSCOUT's ATLAS Intelligence Feed (AIF) which continuously arms NETSCOUT's Omnis and Arbor security portfolio. Together with AIF, the Omnis and Arbor products automatically detect and block threat activity for enterprises and service providers worldwide.

Visit our interactive website for more information on NETSCOUT's semi-annual DDoS Threat Intelligence Report. You can also find us on Facebook, LinkedIn, and Twitter for threat updates and the latest trends and insights.

**About NETSCOUT**

NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) protects the connected world from cyberattacks and performance disruptions through advanced network detection and response and pervasive network visibility. Powered by our pioneering deep packet inspection at scale, we serve the world's largest enterprises, service providers, and public sector organizations. Learn more at www.netscout.com or follow @NETSCOUT on LinkedIn, Twitter, or Facebook.

Adversaries Continue Cyberattacks with Greater Precision and Innovative Attack Methods According to NETSCOUT Report

The Ukrainian government on Monday warned of "massive cyberattacks" by Russia targeting critical infrastructure facilities located in the country and that of its allies.
The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said.
"By the cyberattacks, the enemy will try to increase the effect of missile strikes on

The Ukrainian government on Monday warned of "massive cyberattacks" by Russia targeting critical infrastructure facilities located in the country and that of its allies.

The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said.

"By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine," the agency said in a brief advisory.

GUR also cautioned of intensified distributed denial-of-service (DDoS) attacks aimed at the critical infrastructure of Ukraine's closest allies, chiefly Poland and the Baltic states of Estonia, Latvia, and Lithuania.

It's not immediately clear what prompted the intelligence agency to issue the notice, but Ukraine has been at the receiving end of disruptive and destructive cyberattacks since the onset of the Russo-Ukrainian war earlier this February.

Even prior to that, a Russian state-sponsored group tracked as Sandworm (aka Voodoo Bear) orchestrated the 2015 and 2016 targeting of the Ukrainian power grids, causing over 225,000 Ukrainians to lose electricity during the month of December.

While the first attack involved the use of a revamped variant of a malware called BlackEnergy, the December 2016 intrusions notably made use of a custom malware known as Industroyer (aka CrashOverRide) that's specifically designed to sabotage critical infra systems.

In the aftermath of the Russian military invasion of Ukraine, the Computer Emergency Response Team (CERT-UA) disclosed in April that it had fielded an attack targeting an unnamed energy provider that utilized an updated version of the Industroyer malware.

Sandworm, for its part, has been most recently observed masquerading as Ukrainian telecom operators such as Datagroup and EuroTransTelecom to deliver payloads like Colibri loader and Warzone RAT.

Microsoft, in June, also notified of rising Russian cyberattacks, stating that threat actors were not only going after government systems, but also prioritizing other sectors as part of its espionage efforts, including think tanks, IT firms, and energy companies.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures

The fun-loving cybercriminals blamed for breaches of Uber and Rockstar are exposing weaknesses in ways others aren't.

After suffering a breach earlier this month, the ride-share platform Uber said last week that it believes the infamous hacking group Lapsus$ was behind the attack. The incident was in line with the group's track record of using phishing to gain access to corporate accounts that can then be parlayed into broader access. Then on September 23, police in the United Kingdom said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in connection to Lapsus$ in March.

Lapsus$, which may also have breached the _Grand Theft Auto_ developer Rockstar in this latest hacking spree, has established itself in the pantheon of memorable hacking groups for breaching a slew of massive tech companies, including Microsoft, Nvidia, Okta, Samsung, and Ubisoft. They did so to make money, sure, but they also apparently wanted to take the digital-teen joyride of a lifetime. Researchers say that this wild and unpredictable streak is an important key to the group's success that should not be overlooked.

“Lapsus$ probably aren’t causing as much destruction as other actors with different motivations could, and I think that's the answer—they aren’t entirely motivated by money,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “They, therefore, attempt things that purely financially motivated cybercriminals wouldn’t. They are more likely to be adventurous and to try things—that may not have a payoff—just for the fun of it.”

This creative enthusiasm and flair for the dramatic is an important case study. While Lapsus$ seems to perpetrate crimes of opportunity rather than working under a mandate to target certain entities or achieve specific results, the way nation-state actors often do, their seemingly boundless success reveals just how many weaknesses are lurking in organizations around the world that have gone unexposed only because they weren't immediately useful to state-backed actors or cybercriminals. 

“I find the Lapsus$ group significant, because they have highlighted systemic problems in real-world implementations of single sign-on and multifactor authentication,” says independent security researcher Bill Demirkapi. “The techniques that they've used in their attacks are nothing new, but what we're seeing is the widespread abuse of these weaknesses and a wakeup call to organizations.”

Lapsus$ breached Uber by targeting an individual contractor whose username and password had been compromised by another entity through a malware infection and was sold on the dark web, the company said. Lapsus$ repeatedly sent the victim multifactor authentication login notifications until they mistakenly approved access. In a previous, unrelated attack, Lapsus$ breached a contractor working with the authentication company Okta in an attempt to compromise organizations through the identity management provider. The tactics in both instances show that there are weaknesses in some multifactor authentication strategies and they highlight a downside to “single sign-on” schemes in which one carefully protected authentication process grants access to a slew of services. The benefit to organizations is that there's only one account to protect and manage instead of many, and this cuts down on weaknesses like password reuse. The drawback, though, is that if an attacker compromises a single-sign-on account, they gain access to multiple internal services within an organization at once.

“At the end of the day, the flexibility of how you can abuse corporate accounts to move laterally and pivot over to other applications in the cloud—there are just so many different ways that attackers can use enterprise credentials,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “That's why phishing is so extremely popular with cybercriminals, because of that return on investment.”

There are stronger ways to implement two-factor authentication, and the new generation of “password-less” login schemes or “Passkeys” from the industry FIDO2 standard promise a much less phishable future. But organizations need to actually start implementing these more robust protections so they're in place when a ransomware actor (or restless teen) starts poking around.

“Phishing is obviously a huge problem, and most of the things that we normally think of as multifactor authentication, like using a code generator app, are at least somewhat phishable, because you can trick someone into revealing the code,” says Jim Fenton, an independent identity privacy and security consultant. “But with push notifications, it’s just too easy to get people to click ‘accept.’ If you have to plug something directly into your computer to authenticate or use something integrated with your endpoint, like a biometric sensor, those are phishing-resistant technologies."

Keeping attackers from clawing their way into an organization through phishing isn't the only problem, though. As the Uber incident showed, once Lapsus$ had compromised one account to gain access, they were able to burrow deeper into Uber's systems, because they found credentials for internal tools lying around unprotected. Security is all about raising the barrier to entry, not eliminating all threats, so strong authentication on external-facing accounts would certainly have gone a long way toward stopping a group like Lapsus$. But organizations must still implement multiple lines of defense so there's a fallback in case one is breached. 

In recent weeks, former Twitter security chief Peiter “Mudge” Zatko has publicly come out as a whistleblower against Twitter, testifying before a US Senate committee that the social media giant is woefully insecure. Zatko's claims—which Twitter denies—illuminate how high the cost could be when a company's internal defenses are lacking.

For its part, Lapsus$ may have a reputation as an outlandish and oddball actor, but researchers say that the extent of its success in compromising massive companies is not just remarkable but also disturbing.

“Lapsus$ has highlighted that the industry must take action against these weaknesses in common authentication implementations,” Demirkapi says. “In the short term we need to start by securing what we currently have, while in the longer term we must move toward forms of authentication that are secure by design.”

No wakeup call ever seems sufficiently dire to produce massive investment and quick, ubiquitous implementation of cybersecurity defenses, but with Lapsus$ organizations may have an additional motivation now that the group has shown the world just how much is possible if you're talented and have some time on your hands. 

“Cybercriminal enterprises are exactly the same as legitimate businesses in the sense that they look at what other people are doing and emulate the strategies that prove successful,” Emsisoft's Callow says. “So the ransomware gangs and other operations will absolutely be looking at what Lapsus$ has done to see what they can learn.”

The Dire Warnings in the Lapsus$ Hacker Joyride

Ukraine military intelligence says Russia is planning cyberattacks on the country's energy sector, as well as against allies including Poland and the Baltic states.

As protests against military conscription rage inside Russia, the country is planning to continue its offensive into Ukraine with cyberattacks on critical infrastructure. 

The Odessa Journal reported Ukrainian military intelligence has learned the first cyberattacks will soon be launched against the Ukrainian energy sector, informed by previous Russian cyberattacks on the country's electricity infrastructure in 2015 and 2016.  After energy supply operations are crippled by cyberattacks, the Russian military plans to ramp up missile strikes on those facilities to shut down the electrical service throughout the war-battered country. 

"The occupying command is convinced that this will slow down the offensive actions of the Ukrainian Defense Forces," the Odessa Journal added. 

Additional cyberattacks are being planned against Ukrainian allies Poland and the Baltic states, according to the report. 

**Russian Tactical Shift?** 

With increasing pressure to show military gains, Russian cyber threats are a potentially effective way to ramp up offensive measures without drawing military retaliation, according to John Hultquist, vice president of intelligence analysis at Mandiant said in response to the reports of anticipated cyberattacks. 

He added in the months since the occupation of Ukraine began, Russia hasn't been launching cyberattacks outside of Ukraine, indicating a potential shift in focus on cyberwarfare by the Kremlin. 

"Many of the disruptive and destructive cyberattacks we have seen thus far have been disrupted, isolated, or largely limited to Ukraine, where there is intense focus," Hultquist said. "With a few exceptions we have not seen the scaled, serious attacks we expected even before the war began."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russia Planning Cyberattacks on Ukraine's Energy Grid

CTA now has 36 members headquartered in 11 countries who follow cyber activities across the world, showing cybersecurity industry members realize the value in collaboration.

**WASHINGTON, D.C., Sept. 26, 2022 —** Cyber Threat Alliance (CTA), a nonprofit organization working to improve the cybersecurity of the global digital ecosystem, is announcing a recent growth in membership that expands our reach to a total of 36 active members across the world.

We are pleased to announce our newest members include: Blueliv, Cloudbric, DataDome, Maltiverse, Red Piranha and Trellix. Several more are in the CTA membership onboarding process and we expect to announce those companies soon. CTA now has members headquartered in 11 countries and engaged in cyber activities across much of the world. CTA's global expansion in the midst of a global pandemic, geopolitical tension, and economic disruption reinforces the high value front-line cybersecurity companies perceive in coming together to share threat intelligence and data. As cyber threats continue to evolve in sophistication, leaders in the cybersecurity industry are realizing this strength in numbers and value in collaboration.

To date, CTA members have shared over 280 million observables along with associated context, averaging around 350-400K per day. The CTA Early Share program, where members share information such as blogs, research, threat reports and more, generally 24-72 hours before public posting, has surpassed 675 early shares. As one CTA member noted, “CTA has been the single most valuable sharing alliance that we have been a member of.”

“I'm excited to welcome these new members to the Cyber Threat Alliance,” said Michael Daniel, President and CEO of the Cyber Threat Alliance. “CTA's growth over the past two years clearly demonstrates CTA's value, because members have continued to join the Alliance despite the pandemic and other disruptions. These additions make CTA stronger and more effective by increasing our diversity, reach, and expertise. I am looking forward to working with the new members and continuing CTA's growth.”

CTA's members play a crucial role in cybersecurity protection and response across all continents and critical infrastructure sectors. Members actively share timely, actionable, contextualized and campaign-based intelligence to improve our collective defenses against cyber adversaries — improving the members' products and services to better protect their customers, as well as more systematically thwarting adversaries and strengthening the security of the broader digital ecosystem. Each additional organization that joins CTA generates new avenues of data, increasing the quality of intelligence from which members draw impactful and actionable insights to apply to their customer base.

**About the Cyber Threat Alliance**

CTA was founded by Check Point Software Technologies Ltd., Cisco, Fortinet, McAfee, Palo Alto Networks, and Symantec Enterprise Division of Broadcom. Membership also includes AT&T Alien Labs, Avast, Blueliv, Cloudbric, DataDome, Dragos, Juniper Networks, K7 Computing, Maltiverse, Morphisec, NEC Corporation, NETSCOUT, NTT, OneFirewall, Panda Security (WatchGuard), Rapid7, ReversingLabs, SANDS Lab, Scitum, SecureBrain (Hitachi), SecurityScorecard, SK shieldus, SonicWall, Sophos, TEHTRIS, Telefónica Tech, Trellix, and VMware.

CTA is the industry's first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries. CTA's mission is to facilitate the sharing of actionable intelligence and situational awareness about sophisticated cyber threats to improve its members' cyber defenses, more effectively disrupt malicious cyber actors around the world and raise the level of cybersecurity throughout the Internet and cyberspace. The alliance is continuing to grow on a global basis, enriching both the quantity and quality of the information that is being shared across the platform. CTA is actively recruiting additional regional players to enhance information sharing to enable a more secure future for all. For more information about CTA, please visit: https://www.cyberthreatalliance.org/.

SOURCE: Cyber Threat Alliance

Tag

#intel