Texas and Maryland this week joined three other states in prohibiting accessing the popular social media app from state-owned devices.

Texas this week become the fifth US state to ban the TikTok app on government-owned devices over concerns about the social media app harvesting sensitive data from user devices and potentially making it available to the Chinese government.

The question now is whether private companies will implement similar restrictions on use of the popular social media app on devices that employees use to access enterprise data and applications.

**Unacceptable Risk**

Texas Gov. Greg Abbott on Wednesday said he had ordered all state agencies to ban TikTok on any state-issued devices effective immediately. Abbott said he has also given each state agency until Feb. 15, 2023 to implement their own policies regarding the use of TikTok on personal devices belonging to employees — subject to approval by the Texas Department of Public Safety.

"TikTok harvests vast amounts of data from its users' devices — including when, where, and how they conduct internet activity — and offers this trove of potentially sensitive information to the Chinese government," Abbott said, echoing concerns that many others have expressed recently.

Abbott pointed to China's 2017 National Intelligence Law, which obligates Chinese companies and individuals to assist in state intelligence-gathering activities, and a recent warning from FBI Director Christopher Wray about TikTok's use in influence operations, as reasons for his decision.

Abbott's order came just one day after Maryland Gov. Larry Hogan issued an emergency directive prohibiting the use of TikTok and other Chinese and Russian-influenced products on state-issued devices, citing the "unacceptable" cybersecurity risk they presented to the state.

His order applies to TikTok, Huawei Technologies, ZTE Corp., Tencent Holdings products including WeChat, Alibaba products including AliPay, and Kaspersky. Hogan's directive requires all Maryland state agencies to remove these products from state networks within 14 days and to implement network-based restrictions preventing access to these services.

Like Abbott, Hogan also cited Wray's warning about TikTok presenting a national security threat in his statement, as well as a recent NBC News report about Chinese hackers stealing millions of dollars in COVID-related benefits.

The three other states that have issued similar directives over similar concerns are South Dakota, South Carolina, and Nebraska. In addition, the US Departments of Defense, State, and Homeland Security have all banned TikTok on federally issued devices. This July, members of the Senate Select Committee on Intelligence sent a letter to the chair of the Federal Trade Commission urging the agency to investigate what it claimed were deceptive practices by TikTok with regard to its data privacy practices.

**Concerns Mount Despite TikTok's Assurances**

The growing number of bans on the use of TikTok on state and federal devices and networks is sure to encourage other state governments, federal agencies, and private companies to weigh the security and privacy implications of using the social media app.

In a Senate hearing earlier this year, TikTok COO Vanessa Pappas maintained that TikTok does not operate inside China and the app is not available there. She has described the company as incorporated in the US and compliant with US laws. Though TikTok does have employees based in China, the company has strict access control over what data those employees can access and where TikTok stores the data, Pappas testified. Earlier this year, the company also announced it has launched an initiative called Project Texas designed to bolster confidence in the safeguards the company has put in place and will put in place to protect US user data and national security interests. TikTok now stores 100% of US user data in the US in Oracle's cloud environment and is working with Oracle to implement advanced data security controls, TikTok CEO Shou Zi Chew said at the time.

In an emailed comment to Dark Reading, TikTok spokesperson Jamal Brown expressed disappointment over the recent developments. "We believe the concerns driving these decisions are largely fueled by misinformation about our company," Brown says. "We are happy to continue having constructive meetings with state policymakers to discuss our privacy and security practices. We are disappointed that many state agencies, offices, and universities will no longer be able to use TikTok to build communities and connect with constituents."

Despite such assurances, the fact that a China-based entity called ByteDance Ltd owns TikTok and that the Chinese government owns at least a partial stake in one of its subsidiaries continues to be a major source of concern for many. Recent reports about threat actors using the platform to distribute malware have not helped matters.

"The specific situation with TikTok being based in China and being subject to Chinese law, which can give the Chinese Communist Party (CCP) access to user data, is giving many people pause," says Mike Parkin, senior technical engineer at Vulcan Cyber.

Social media applications like TikTok can be problematic for organizations as well. "They are immensely popular, especially with the generations that have grown up with social media," he says. It’s entirely reasonable that organizations would restrict what apps get installed on their organization-provided devices and recommend their employees don’t install it on any personal systems they use to access enterprise systems, Parkin says.

On devices provided by organizations, a ban on TikTok would be absolutely enforceable, he says. But the same wouldn't be true of personally owned and unmanaged devices, he notes. "The organization can lay out the requirements, but enforcing them becomes much more challenging both ethically and legally," Parkin says.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says the rapid proliferation of BYOD policies and distributed remote work environments has contributed to an exponential increase in risk to endpoints and applications for both public and private sector entities. "This puts organizations in a precarious situation, as they must weigh the convenience and cost-savings of BYOD policies with the significant cybersecurity risk," Tiquet says. "Banning specific apps may seem like a simple and straightforward approach to ensuring security, but with a BYOD policy, it is difficult to enforce."

TikTok Banned on Govt. Devices; Will Private Sector Follow Suit?

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 2 and Dec. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 2 to December 9

Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows

Skip to content

Open Issue created Sep 27, 2022 by **myrdyr@myrdyr**

**Crash in USB-HID dissector on Windows**

**Summary**

When dissecting a PCAP with USB-HID data, a crash can happen if the string "Keyboard 5 and %" is loaded from https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-usb-hid.c#L827. On Windows, the spurious '%' is treated as a format string identifier and crashes further down the line.

**Steps to reproduce**

Using version 3.6.8 (64-bit) on Windows 10:

tshark.exe -V -r minimal.pcap

OR

wireshark.exe minimal.pcap

**What is the current bug behavior?**

Tshark parses the first 5 frames, but crashes silently before finishing to output the 5th frame. Frame 6 doesn't get printed. Wireshark will crash without any error message or error report.

**What is the expected correct behavior?**

Some weird, but somewhat valid, dissected USB-HID data. The example is minimized from a much larger file in order to reproduce. Wireshark should not crash.

**Sample capture file**

minimal.pcap

**Relevant logs and/or screenshots**

    gdb: unknown target exception 0xc0000409 at 0x7ffeee4a1208
    
    Thread 1 received signal ?, Unknown signal.
    0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
    (gdb) info stack
    #0  0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
    #1  0x00007ffeee4524b1 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
    #2  0x00007ffeee452379 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
    #3  0x00007ffeee4829fc in ucrtbase!.intrinsic_setjmpex () from Windows/System32/ucrtbase.dll
    #4  0x00007ffeee441b49 in ucrtbase!_wtol () from Windows/System32/ucrtbase.dll
    #5  0x00007ffeee442304 in ucrtbase!_wctomb_s_l () from Windows/System32/ucrtbase.dll
    #6  0x00007ffeee442ed1 in ucrtbase!.stdio_common_vsprintf_s () from Windows/System32/ucrtbase.dll
    #7  0x00007ffee9356c4b in wmem_strdup_vprintf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
    #8  0x00007ffee9356bad in wmem_strdup_printf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
    #9  0x00007ffe21146d33 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #10 0x00007ffe211484f2 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #11 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #12 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #13 0x00007ffe205d4c0d in libwireshark!dissector_try_uint_new () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #14 0x00007ffe211575fe in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #15 0x00007ffe21154b2b in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #16 0x00007ffe21152d89 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #17 0x00007ffe21151c2d in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #18 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #19 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #20 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #21 0x00007ffe20a04d85 in libwireshark!dissect_e212_utf8_imsi () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #22 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #23 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #24 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #25 0x00007ffe205d15e7 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #26 0x00007ffe205d2a23 in libwireshark!deregister_depend_dissector () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    #27 0x00007ffe205c76e0 in libwireshark!epan_dissect_run_with_taps () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
    

**Build information**

The crash initially happened on v3.6.8-0-gd25900c51508 Backtrace above is from Version 3.6.6 (v3.6.6-0-g7d96674e2a30)

    3.6.6 (v3.6.6-0-g7d96674e2a30)
    
    Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.31, build 31107),
    with Qt 5.15.2, with libpcap, with GLib 2.66.4, with zlib 1.2.11, with Lua
    5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT
    Kerberos, with MaxMind DB resolver, with nghttp2 1.44.0, with brotli, with LZ4,
    with Zstandard, with Snappy, with libxml2 2.9.10, with libsmi 0.4.8, with
    QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
    SpeexDSP (using bundled resampler), with Minizip.
    
    Running on 64-bit Windows 10 (21H2), build 19044, with Intel(R) Core(TM)
    i7-10750H CPU @ 2.60GHz (with SSE4.2), with 65281 MB of physical memory, with
    GLib 2.66.4, with Qt 5.15.2, without Npcap or WinPcap, with c-ares 1.17.0, with
    GnuTLS 3.6.3, with Gcrypt 1.8.3, with nghttp2 1.44.0, with brotli 1.0.9, with
    LZ4 1.9.3, with Zstandard 1.4.0, with AirPcap 4.1.0 build 1622, with light
    display mode, without HiDPI, with LC_TYPE=Norwegian Bokmål_Norway.utf8, binary
    plugins supported (21 loaded).

CVE-2022-3724: Crash in USB-HID dissector on Windows (#18384) · Issues · Wireshark Foundation / wireshark · GitLab

By Waqas
As seen by Hackread.com, a hacker is selling access to the CloudSEK infrastructure on multiple cybercrime forums.
This is a post from HackRead.com Read the original post: Cyber Security Firm CloudSEK Points Finger at Rival Over Breach

An Indian cyber security firm, CloudSEK, became the victim of a **cyber security incident** when an unknown threat actor managed to access its Confluence server.

According to CloudSEK’s blog post on the incident, its founder and CEO Rahul Sasi wrote that the hacker used stolen credentials from one of CloudSEK employees’ Jira accounts. Rahul further stated that the threat actor (s) compromised the employee’s Jira password to access the company’s Confluence pages.

Moreover, the hacker accessed some internal data such as three customer names with their purchase orders, **bug reports**, product dashboard screenshots, and Schema Diagrams obtained from the Confluence wiki.

Image credit: Hackread.com

CloudSEK also confirmed that server or database access wasn’t compromised. An investigation into the incident was quickly launched. Outlining possible suspects, Sasi claimed that another cyber security firm having a reputation for tracking dark web happenings could be responsible.

> “We suspect a notorious Cyber Security company that is into Dark web monitoring behind the attack. The attack and the indicators connect back to an attacker with a notorious history of using similar tactics we have observed in the past.”
> 
> Rahul Sasi

**Hacker’s Claims**

Around the same time when CloudSEK discovered the attack, that is on 6th December, Tuesday, Cyble Research & Intelligence Labs (CRIL) cyber security experts noticed a threat actor using the nick’ sedut’ who claimed to have breached the security of CloudSEK Info Security Pvt Ltd. The actor posted about hacking into the Indian firm on multiple cybercrime forums.

Cyble researchers suspect it was a targeted attack on CloudSEK and that the attacker’s objective was to negatively impact the company’s reputation within the digital threat intelligence fraternity. Revealing the attacker’s claims, Cyble researchers wrote in their **blog post** that the attacker had multiple accesses and was openly offering the data to buyers on these forums.

The data on sale included:

1.  Pre-sales info.
2.  VPN credentials.
3.  Purchase orders.
4.  Company credentials.
5.  Extensive clientele data.
6.  Project-related databases.
7.  Confidential source codes.
8.  Sensitive infrastructure details.
9.  Engineering products-related data.

Moreover, the threat actor claimed to have had access to CloudSEK’s ecosystem for several months. He supported this claim by sharing multiple screenshots and videos confirming they had access to the company’s internal servers.

Image credit: Cyble

As shown in the first screenshot, the hacker also leaked images that contained account usernames and passwords of accounts used for scraping the XSS and Breached hacking forums, and instructions on using different website crawlers, among other data.

The database is for sale for $10,000, and the engineering/employee product files are $8000 each.

**How Did it Occur?**

Sasi revealed that the hacker used the stolen Jira account credentials to access internal documents, training docs, open-source automation scripts, and Confluence pages, as these were attacked to the account.

CloudSEK also confirmed that the Jira user didn’t use a password but only SSO; his email was also protected by **MFA (multi-factor authentication)**. So, the Jira password and the user’s email account weren’t compromised.

Instead, the company believes the threat actor compromised the session cookies of the Jira user, allowing them to take over the account. How the attacker got hold of the session cookies is currently under investigation.

**Google Buys Cyber Security Firm Mandiant for $5.4 Billion**

**Cyber Security giant FireEye hacked by a foreign government**

**US Lists Kaspersky to Firms Posing Threat to National Security**

**Cyber Security Firm Mandiant Denies Being Hacked By LockBit**

**Amnesty Intl. accuses Indian cyber security firm of spyware attacks**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Cyber Security Firm CloudSEK Points Finger at Rival Over Breach

A new report helps companies understand an ever-changing threat landscape and how to strengthen their defenses against emerging cybersecurity trends.

The "Microsoft Digital Defense Report" is a compilation of insights from 43 trillion daily security signals that provides organizations with a high-level picture of the threat landscape and current state of cybersecurity. This annual report aggregates security data from organizations and consumers across the cloud, endpoints, and the intelligent edge to help better predict what attackers will do next.

Keep reading for a high-level overview of our findings, and click here to access the full report.

**The State of Cybercrime**

2022 saw a significant increase in indiscriminate phishing and credential theft to gain information for targeted ransomware, data exfiltration and extortion, and business email compromise attacks. Human-operated ransomware was the most prevalent type of ransomware attack observed, with one-third of targets successfully compromised and 5% ransomed. The evolving cybercrime-as-a-service (CaaS) economy is also a concern, as Microsoft blocked 2.75 million site registrations successfully to get ahead of criminal actors that planned to use them to engage in global cybercrime.

During ransomware recovery engagements, 93% of Microsoft investigations revealed insufficient privilege access and lateral movement controls. The most effective defense against ransomware includes multifactor authentication (MFA), frequent security patches, and zero-trust principles across network architecture.

**The Nature of Nation-State Threats**

Nation-state cyber threat groups have shifted from exploiting the software supply chain to exploiting the IT services supply chain. Oftentimes they target cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors.

Nation-state actors are also getting savvier, pursuing new and unique tactics to deliver attacks and evade detection in response to strengthened cybersecurity postures. Zero-day vulnerabilities are particularly key for initial exploitation. On average, it takes only 14 days for an exploit to become available in the wild after a vulnerability is publicly disclosed. These zero-day exploits are often discovered by other actors and reused broadly in a short period of time, leaving unpatched systems at risk.

**Attacks on Devices and Infrastructure**

Did you know that 68% of "Microsoft Digital Defense Report" respondents believe that adopting Internet of Things/operations technology (IoT/OT) is critical to their strategic digital transformation? Yet 60% of those same respondents recognize that IoT/OT security is one of the least secured aspects of their infrastructure. Attacks against remote management devices are on the rise, with more than 100 million attacks observed in May 2022 — a fivefold increase in the past year.

Accelerating digital transformation has increased the cybersecurity risk to critical infrastructure and cyber/physical systems. Likewise, growing IoT solutions have increased the number of attack vectors and the exposure risk of organizations. While policymakers are seeking to build trust in critical infrastructure cybersecurity through increased regulations, the public and private sector must collaborate to find a balance between compliance and truly effective cybersecurity practices.

**Tackling Cyber Influence Operations**

Democracy needs trustworthy information to flourish, yet we’ve observed a 900% year-over-year increase in the proliferation of deepfakes since 2019. AI-enabled media creation and manipulation make it easier than ever for cybercriminals to create highly realistic synthetic images, videos, audio, and text. This false content can then be optimized and disseminated to target audiences, challenging our collective understanding of the truth.

In response, governments, the private sector, and civil society must work together to increase transparency of these influence campaigns and to expose and disrupt their operations. We recommend implementing strong digital hygiene practices and considering ways to reduce any unintended enabling of cyber influence campaigns by your employees or your business practices. Business should support information literacy campaigns, civic engagement campaigns, and industry-specific counter-influence groups to help defend against propaganda and foreign influence.

**The Path to Cyber Resilience**

Nation-state actors have escalated their use of offensive cyber operations to destabilize governments and impact global trade operations. As these threats increase and evolve, it’s crucial to build cyber resilience into the fabric of the organization.

Basic security hygiene still protects against 98% of attacks, yet many threat actors succeed simply because these foundational security practices have not been followed. In fact, more than 90% of accounts that were compromised by password-based attacks did not have strong authentication practices in place. Organizations should enable MFA, apply zero-trust principles, implement modern anti-malware software, ensure all systems are kept up to date, and protect data by knowing where important information is located and whether the right systems are implemented.

Download the full "Microsoft Digital Defense Report" to better understand today’s cyber threat landscape. For even more details, check out our recent webinar, "Build Cyber Resilience by Leveraging Microsoft Experts' Digital Defense Learnings."

Explore more threat intelligence insights on Microsoft Security Insider.

43 Trillion Security Data Points Illuminate Our Most Pressing Threats

The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.

A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed "Drokbk" to attack a variety of US organizations, using GitHub as a "dead-drop resolver."

According to MITRE, the use of dead-drop resolvers refers to adversaries posting content on legitimate Web services with embedded malicious domains or IP addresses, in an effort to hide their nefarious intent.

In this case, Drokbk uses the dead-drop resolver technique to find its command-and-control (C2) server by connecting to GitHub.

"The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware," the report noted.

The Drokbk malware is written in .NET, and it's made up of a dropper and a payload.

Typically, it's used to install a Web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.

According to the report from the Secureworks Counter Threat Unit (CTU), Drokbk surfaced in February after an intrusion at a US local government network. That attack began with a compromise of a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

"This group has been observed conducting broad scan-and-exploit activity against the US and Israel, so in that sense any organization with vulnerable systems on their perimeter are potential targets," says Rafe Pilling, Secureworks principal researcher and thematic lead for Iran.

He explains Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok. It's also a relatively unknown piece of malware.

"There may be organizations out there with this running on their networks right now, undetected," he adds.

Fortunately, using GitHub as a dead-drop resolver is a technique that cyber defenders can look for on their networks.

"Defenders might not be able to view TLS-encrypted traffic flows, but they can see which URLs are being requested and look for unusual or unexpected connections to GitHub APIs from their systems," Pilling notes.

**Dead-Drop Resolver Technique Offers Flexibility**

The dead-drop resolver technique provides a degree of flexibility to malware operators, allowing them to update their C2 infrastructure and still maintain connectivity with their malware.

"It also helps the malware blend in by making use of a legitimate service," Pilling says.

**Robust Patching Is Critical Defense Strategy**

Pilling advises organizations to patch Internet-facing systems, noting well-known and popular vulnerabilities such as ProxyShell and Log4Shell have been favored by this group.

"In general, this group and others will quickly adopt the latest network vulnerabilities that have reliable exploit code, so having that robust patching process in place is key," he says.

He also recommends organizations hunt through security telemetry for the indicators provided in the report to detect Cobalt Mirage intrusions, ensure an antivirus solution is widely deployed and up to date, and deploy EDR and XDR solutions to provide comprehensive visibility across networks and cloud systems.

**Iran-Backed Threat Groups Evolving, Attacks on the Rise**

The CTU also noted Cobalt Mirage appears to have two distinct groups operating within the organization, which Secureworks has labeled Cluster A and Cluster B.

"The initial similarity in tradecraft resulted in the creation of a single group, but over time and multiple incident-response engagements we found we had two distinct clusters of activity," Pilling explains.

Going forward, the established groups are expected to continue to operate against targets aligned with Iranian intelligence interests, both foreign and domestic. He adds that the increased use of hacktivist and cybercrime personas will be used as cover for both intelligence-focused and disruptive operations.

"Email and social media-based phishing are preferred methods, and we may see some incremental improvement in sophistication," he explains.

In a joint advisory issued Nov. 17, cybersecurity agencies in the United States, United Kingdom, and Australia warned attacks from groups linked to Iran are on the rise. Cobalt Mirage is hardly on its own.

"Over the last two years we've seen multiple group personas emerge — Moses' Staff, Abraham's Ax, Hackers of Savior, Homeland Justice, to name a few — primarily targeting Israel, but more recently Albania and Saudi Arabia, conducting hack-and-leak style attacks combined with information operations," Pilling says.

The US Treasury Department has already moved to sanction the Iranian government for its cybercrime activities, which the department alleges have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

Iranian APT Targets US With Drokbk Spyware via GitHub

Intel Data Center Manager's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is vulnerable to an authenticated, blind SQL injection attack when user-supplied input to the HTTP POST parameter "dataName" is processed by the web application. Versions 4.1 and below are affected.

    RCE Security Advisoryhttps://www.rcesecurity.com1. ADVISORY INFORMATION=======================Product:        Intel Data Center ManagerVendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.htmlType:           SQL Injection [CWE-89]Date found:     2022-01-21Date published: 2022-12-01CVSSv3 Score:   9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)CVE:            CVE-2022-212252. CREDITS==========This vulnerability was discovered and researched by Julien Ahrens fromRCE Security.3. VERSIONS AFFECTED====================Intel Data Center Manager 4.1 and below4. INTRODUCTION===============Energy costs are the fastest rising expense for today’s data centers. Intel® DataCenter Manager (Intel® DCM) provides real-time power and thermal consumption data,giving you the clarity you need to lower power usage, increase rack density, andprolong operation during outages.(from the vendor's homepage)5. VULNERABILITY DETAILS========================Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" isvulnerable to an authenticated, blind SQL Injection when user-supplied input tothe HTTP POST parameter "dataName" is processed by the web application.Since the application does not properly validate and sanitize this parameter, anattacker can inject arbitrary SQL commands against the PostgreSQL backenddatabase server of the web application.Successful exploits can allow an authenticated attacker (the lowest possibleauthorization level "Guest" is sufficient) to read and modify database contentsand execute any system commands on the underlying operating system. This way,the attacker can compromise the system's entire confidentiality, integrity, andavailability.6. PROOF OF CONCEPT===================POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1Host: [ip-address]Cookie: JSESSIONID=[session-id]Content-Length: 153Accept: application/json, text/plain, */*Content-Type: text/plainUser-Agent: Mozilla/5.0Accept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Connection: close{"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}}(see the referenced blog post for more details)7. SOLUTION===========Update at least to version 5.0.0.46307.8. REPORT TIMELINE==================2022-01-21: Discovery of the vulnerability2022-01-21: Reported to vendor via their bug bounty program2022-01-21: Vendor response: Sent to "appropriate reviewers"2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.82022-02-16: I don't accept the rating because the vendor downplayed it2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating.2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix2022-08-09: Vendor releases advisory INTEL-SA-006622022-12-01: Public disclosure9. REFERENCES==============https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.htmlhttps://github.com/MrTuxracer/advisories

Intel Data Center Manager 4.1 SQL Injection

The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Intel Data Center Manager  
Vendor URL:     https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html  
Type:           Incorrect Use of Privileged APIs [CWE-648]  
Date found:     2022-07-16  
Date published: 2022-12-07  
CVSSv3 Score:   7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)  
CVE:            -

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Intel Data Center Manager 5.1 (latest) and below

4. INTRODUCTION  
===============  
Energy costs are the fastest rising expense for today’s data centers. Intel® Data  
Center Manager (Intel® DCM) provides real-time power and thermal consumption data,  
giving you the clarity you need to lower power usage, increase rack density, and  
prolong operation during outages.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The latest version (5.1) and all prior versions of Intel's DCM are vulnerable to a  
local privileges escalation vulnerability using the application user "dcm" used to  
run the web application and the rest interface. An attacker who gained RCE using  
this dcm user (i.e., through Log4j) is then able to escalate their privileges to  
root by abusing a weak Sudo configuration for the "dcm" user:

dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool  
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp  
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod

The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the  
Data Center Manager to be vulnerable. Successful exploits can allow an authenticated  
attacker to execute commands as root. In this way, the attacker can compromise the  
victim system's entire confidentiality, integrity, and availability, thereby allowing  
to persist within the attached network.

6. PROOF OF CONCEPT  
===================  
Just one way of exploitation is by replacing the current sudoers configuration:

1.Create a new sudoers configuration file using the compromised "dcm" user in i.e. /tmp/  
2.sudo chmod 440 /tmp/sudoers  
3.sudo cp sudoers /etc/sudoers  
4.sudo /bin/bash

7. SOLUTION  
===========  
None. Intel thinks that this is not a vulnerability and therefore does also not assign  
a CVE for it.

8. REPORT TIMELINE  
==================  
2022-07-16: Discovery of the vulnerability  
2022-07-16: Reported to vendor via their bug bounty program  
2022-07-18: Vendor response: Sent to "appropriate reviewers"  
2022-07-26: Vendor states that the vulnerability "depends on something that does not exist (eg; RCE)."  
2022-07-26: Sent a clarification that a compromise of the "dcm" account is indeed necessary, but there have been RCEs in the past (i.e. through Log4j)  
2022-09-22: Vendor has troubles to reproduce the bug and asks for another PoC  
2022-09-22: Sent a clarification about the PoC  
2022-09-22: Vendor states that the report "does not clearly demonstrate a vulnerability in DCM" and the report will be closed.  
2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM  
2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM  
2022-10-10: Made clear that Log4shell is not the point about the report  
2022-10-11: Vendor states "We do not clearly see a a vulnerability demonstrated in DCM"  
2022-10-12: [Back and forth about the provided PoCs]  
2022-10-12: I'm giving up.  
2022-12-07: Public disclosure

9. REFERENCES  
==============  
https://github.com/MrTuxracer/advisories

Intel Data Center Manager 5.1 Local Privilege Escalation

Are you thinking about uploading some selfies and buying a pack of ‘Magic Avatars’? Consider these expert tips first.

Has the stale selfie that’s served as your profile picture gone a little _too_ long without a refresh? You’ve likely seen friends using the Lensa AI app to create colorful, custom cartoon images of themselves as ethereal fairies or stern astronauts. Prisma Labs, the company behind Lensa, went viral back in 2016 with a similar (albeit less powerful) app that turned smartphone pics into paintings.

The release of Lensa’s “magic avatars” feature is a global hit for the company. Recent advancements in generative artificial intelligence allow the app to produce more impressive and varied results than its predecessor. According to preliminary estimates provided by Sensor Tower, over 4 million people worldwide downloaded the app during the first five days of December. In that same time period, users spent over $8 million in the app.

AI-generated profile pictures have always raised questions about digital privacy, however. If you’re curious whether it’s a good idea to use Lensa, here’s what you should consider before spending money and uploading your selfies.

Always Read the Privacy Policy

Before diving in, take a minute to browse through the privacy policy and the terms of use to get a better understanding of what the app does with your data. “We always have to be aware when our biometric data is being used for any purpose. This is sensitive data. We should be extra cautious with how that data is being used,” says David Leslie, a director of ethics and responsible innovation research at The Alan Turing Institute and professor at the Queen Mary University of London.

Andrey Usoltsev, the CEO and cofounder of Prisma Labs, claimed the company is working to update the privacy policy in an email to WIRED. “Lensa uses a copy of the Stable Diffusion model and teaches it to recognize the face on the uploaded images in each particular case. This means there is a separate model for each individual user,” writes Usoltsev. “The user’s photos are deleted from our servers as soon as the avatars are generated. The servers are located in the US.”

Although it’s impossible to know exactly how a company is using and storing your data without an independent assessment, this statement is a move in the right direction. With that in mind, however, uploads are only a small part of the larger equation.

The Security Implications Beyond Your Uploaded Pics

While biometrics might be your initial concern, it’s also crucial to understand just how much additional data is automatically collected from your smartphone. Lensa may use third-party analytics, log file information, device identifiers, and registered user information to gather data on you. Go to section 3 of the privacy policy to check it out in detail. 

Any user can opt out of that data collection by contacting the company at privacy@lensa-ai.com. If you use an iOS device, you have the option to opt out by going into your privacy settings. To be fair, it’s not just Lensa: Every app on your phone is probably collecting more data than you realize. Even if you decide to trust Lensa with your personal data, it’s quite possible for the data to change hands if the company is acquired in the future. “That especially happens when it goes into bigger companies that are much more adept at bullshitting around how they talk about it,” says Ben Winters, a lead on the AI and human rights projects at the Electronic Privacy Information Center.

Don’t Import Pictures of Children or Nudity

It goes against the terms of use to insert images of children or nudity to generate images on Lensa. But even if you don’t input nudes, women may receive hypersexual results; “the app not only generates nudes but also ascribes cartoonishly sexualized features, like sultry poses and gigantic breasts, to their images. I, for example, received several fully nude results despite uploading only headshots,” writes WIRED contributor Olivia Snow. The app generated disturbing imagery when Snow uploaded her childhood photos, changing what would have been stylized mementos into dehumanizing imagery. “Since the feature is not designed for minors, we advise against using any images of children,” writes Usoltsev.

Lensa can also produce sexual images of adults without their consent. “It’s a potential instance where insufficient forethought has been put into protecting the dignity of individuals,” says Leslie. “When technologies can harm, we’re on the hook to do all that we can to anticipate those impacts.”

Be Prepared for Odd or Offensive Results

It’s not just funky fingers and second heads, you may also receive results that are racist or sexist when you interact with generative AI. “The internet is filled with a lot of images that will push AI image generators toward topics that might not be the most comfortable, whether it’s sexually explicit images or images that might shift people’s AI portraits toward racial caricatures,” says Grant Fergusson, an Equal Justice Works fellow at EPIC. 

Consider the Larger Impact for Real Artists

Some artists are embracing the potential for generative AI to produce fascinating results. Others are much more hesitant about the technology’s potential repercussions. “The commercialization of these image generators will have an impact on the ability for artists to keep sort of sustaining themselves in the long term,” says Leslie. 

Although it’s a more expensive route, those who are able to should consider commissioning smaller artists to create digital pieces for their new profile picture, phone wallpaper, or portrait. Instagram and Twitter are full of artists who work in a variety of styles that you could never get from generative AI, and many of them are eager for commissions. For a nominal fee, you can get something truly unique and personal. You could even ask around at your community art center and support a local artist.

Try Deleting the App Afterward

Let’s say you’ve considered everything above and still decided to spend a couple of bucks to get a pack of “magic avatars.” After you’ve saved the colorful creations, check out the photo- and video-editing capabilities on Lensa. Is this something you want to use often or is it just another app that’ll collect digital dust on your smartphone? “Control the settings, delete after use, and exercise any and all rights that they offer you,” recommends Winters to anyone worried about data collection.

Lensa AI and ‘Magic Avatars’: What to Know Before Using the App

The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands.
"The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the

The subgroup of an Iranian nation-state group known as **Nemesis Kitten** has been attributed as behind a previously undocumented custom malware dubbed **Drokbk** that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands.

"The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions."

The Iranian government-sponsored actor's malicious activities came under the radar earlier in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware.

Nemesis Kitten is tracked by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It's also a sub-cluster of the Phosphorus group, with Microsoft giving it the designation DEV-0270.

It is also said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42), a Phosphorus subgroup that's "tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government."

Subsequent investigations into the adversary's operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.

Microsoft, Google Mandiant, and Secureworks have since unearthed evidence tracing Cobalt Mirage's origins to two Iranian front companies Najee Technology and Afkar System that, according to the U.S. Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps (IRGC).

Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET. Deployed post-exploitation as a form of establishing persistence, it consists of a dropper and a payload that's used to execute commands received from a remote server.

"Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network," the cybersecurity company said in a report shared with The Hacker News.

This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.

As a detection evasion measure, Drokbk uses a technique called dead drop resolver to determine its command-and-control (C2) server. Dead drop resolver refers to the use of a legitimate external Web service to host information that points to additional C2 infrastructure.

In this instance, this is achieved by leveraging an actor-controlled GitHub repository that hosts the information within the README.md file.

"Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok," Pilling said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel