WordPress WPGateway plugin versions 3.5 and below suffer from an unauthenticated privilege escalation vulnerability.

    Description: Unauthenticated Privilege EscalationAffected Plugin: WPGatewayPlugin Slug: wpgatewayPlugin Developer: Jack Hopman/WPGatewayAffected Versions: <= 3.5CVE ID: CVE-2022-3180CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: N/AThe WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to setup and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.We obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time we contacted the plugin vendor with our initial disclosure. We have reserved vulnerability identifier CVE-2022-3180 for this issue.As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.Indicators of compromiseIf you are working to determine whether a site has been compromised using this vulnerability, the most common indicator of compromise is a malicious administrator with the username of rangex.If you see this user added to your dashboard, it means that your site has been compromised.Additionally, you can check your site’s access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1If these requests are present in your logs, they indicate that your site has been attacked using an exploit targeting this vulnerability, but do not necessarily indicate that it has been successfully compromised.ConclusionIn today’s post, we detailed a zero-day vulnerability being actively exploited in the WPGateway plugin.Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule on September 8, 2022, protecting against this vulnerability, while sites still using the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022.If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild. Please help make the WordPress community aware of this issue.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.Our investigation is ongoing, and we will provide more information in an additional blog post when it becomes available.Special thanks to Threat Intelligence Lead Chloe Chamberland for spotting this exploit in the wild.

WordPress WPGateway 3.5 Privilege Escalation

With enough passion, intelligence, and effort, anyone can be a successful cybersecurity professional, regardless of education or background.

I've been in the tech industry for 25 years, almost all in cybersecurity. I've held security leadership positions for well over a decade, including the 18 months as head of security for an API platform with more than 20 million users.

I've had a successful career in information security, and I've done it without a college degree.

I'm just not convinced of the value of a degree for cybersecurity jobs. To be sure, some who go to school before embarking on cybersecurity careers may benefit from the education and training. But many others merely find themselves saddled with student debt, just to learn material that's often outdated or may not even be relevant to the job.

At the end of the day, with enough passion, raw intelligence, and hard work, anyone can be a successful cybersecurity professional, whether they have a degree or lack a background in IT and computer science.

Cybersecurity hiring historically has focused on a narrow candidate pool — people with the usual academic credentials, job experience, security certifications, and specific technical security skill sets. But as the demand for cybersecurity professionals keeps increasing, it is clear that the industry must get more creative in the hunt for talent.

The question on every CISO's mind is how. Here are four ideas.

**Drop College Degree Requirements**

Mandating at least a bachelor's degree for a cybersecurity job (or any tech industry job, for that matter) is obsolete thinking. Skills and personality traits like desire, curiosity, love of learning, calmness under pressure, and ambition are what really matter.

I go back to my own experience. I gave community college a try, because it's what was expected, but I was never a good student because I wasn't interested in the material.

My college turned out to be my first computer job where I spent time on the help desk, as a desktop engineer, as a systems engineer, and eventually left as a network engineer. What I learned during my four years there gave me the foundational knowledge to move to the next job/level.

I loved all technology and wanted to learn as much as I could but couldn't decide if I wanted to be on the network or systems side. I wound up in security because it was an area that allowed me to get involved in all aspects of tech.

Now, years later, I lead a combined security and IT operations team with more than 30 members, focusing on building a modern security program that supports the needs of a fast-growing business.

**Look for Talent Outside of Security**

Instead of chasing unicorns, companies should mine not only other areas of the IT department but completely different parts of the business for people with adjacent skills that could make them great cybersecurity pros.

Someone with a librarian's background, for example, could bring the strong detail orientation needed for security compliance work. A former military member may possess the grace under fire needed for hectic work in the security operations center (SOC).

Looking harder at candidates who don't fit the typical cybersecurity specialist mold necessitates a more aggressive move toward upskilling and reskilling existing employees. And beyond its benefit as a source of talent, looking inward rather than outward for help also could provide protection against the threat of recession and possible hiring freezes. Which leads to our third point…

**Train Like Crazy**

If someone has the natural skills to succeed in cybersecurity but has never even seen a SOC, who cares? Skills can be taught. That's why cybersecurity training sessions and boot camps exist.

Companies should invest in formalized training programs for individuals with nontraditional security backgrounds. They should be trained upfront and continually provided with additional training opportunities just like the rest of your team.

**Spread the Wealth**

The beauty of DevOps and DevSecOps is that they shift some security responsibility from dedicated security teams in operations to the development side, with the idea being that security should be baked in throughout the application development process.

This provides a fresh opportunity for more people throughout the organization to take on roles as security champions, security ambassadors, security advocates — pick your term. And it lessens the pressure on companies to hire for security team positions and increases the incentive to get creative in looking internally for these champions.

By following these four steps, companies can find people who have the aptitude and passion for security and who can be made into top notch professionals with a little bit of training and mentoring.

The industry has been doing the same thing over and over — hunting for the usual suspects — and it's time for new approaches.

To Ease the Cybersecurity Worker Shortage, Broaden the Candidate Pipeline

Categories: Business
Cybercriminals are more likely to target small-and-medium businesses for their perceived (and sometimes actual) lack of cyberdefenses. In this post, we break down five must-have technologies that help prevent cyberattacks for SMBs.



(Read more...)




The post 5 technologies that help prevent cyberattacks for SMBs  appeared first on Malwarebytes Labs.

_**The intel you need to secure your business—delivered straight to your inbox**_

_From industry tips and best practices to the latest Malwarebytes product releases and how-tos, our Business newsletter is chock-full of the best of our business blog. Subscribe to our Business newsletter today._

Now more than ever, threat actors are trying to attack company networks. In fact, there were 50% more attack attempts per week on corporate networks globally in 2021 than in 2020.

Small-and-medium-sized businesses need to be on the lookout particularly, as cybercriminals are more likely to target them for their perceived (and sometimes actual) lack of cyberdefenses.

This article focuses on helping to prevent cyberattacks purely through technology; though of course, businesses need a combination of technology, people, and strategy to truly become cyber resilient. 

That being said, security experts advise against relying solely on a single technology or technique to protect business endpoints. Effective prevention requires a layered approach capable of addressing not only today’s threats, but preventing tomorrow’s as well. 

In this post, we break down five must-have technologies that help prevent cyberattacks for SMBs.

**Your level of prevention is determined by how much risk you accept to take on**

There are two extremes to prevent cyberattacks: Overly permissive prevention and absolute prevention—and where you fall on that spectrum depends on the level of risk in your organization.

Let’s start over at one end of the extreme. 

In the medical industry for example, doctors in large hospitals use a virtual machine. The machine they use operates in a virtual environment, and that virtual environment is destroyed and recreated when they log back in in another room. They can't install anything or change anything. Data is kept separate. 

Moving towards the other end of the extreme, you might find startups or smaller companies with very lax prevention. Something like, “Here's a laptop. We've provided you with the basic software, call us if you have a problem.”

What’s important to note here is that, because the risk level of every organization is different, there's no “one-size-fits-all” approach to prevent cyberattacks. Your level of prevention will vary drastically depending on industry, company size, and so on.

Having said that, the average small-to-medium-sized business falls somewhere in the middle of these two extremes. At a medium level of risk, you want to find that perfect balance between too strict and too permissive.   

Remember the maxim: The cyberattacks you cannot prevent, you need to mitigate. For mitigation, we assume your business uses (outsources) endpoint detection and response—but you still need the right technology to prevent cyberattacks in the first place. Especially ransomware. 

Read Our Defender's Guide to Ransomware Resilience!

The question for any IT leader then is: What can I prevent, without slowing down my business?

**5 technologies that help prevent cyber attacks for SMBs (ranked in order of importance)**

(Note: these aren’t hard-and-fast rankings, just a good rule of thumb. They may look different for your individual business—for example, you might put 2FA first before anything else and that’s totally OK.)

**1\. Endpoint protection**

Before anything else, endpoint protection should be the first thing you set out to pair with your EDR.

Through a combination of web protection, application hardening, and more, EP provides businesses with full attack chain protection against both known and unknown malware, ransomware, and zero-hour threats. Multi-stage attack protection provides the ability to stop an attacker at every step.

Read our “Endpoint Protection Buyers Guide” for details of the core requirements to help you navigate your enterprise endpoint protection solution analysis, which provides a solution questionnaire to help you with your evaluation process.

**Read more: What is endpoint protection?****2. Vulnerability assessment AND patch management (tied) **

Hold on a sec, you’re telling me vulnerability assessment and patch management are preventative? Don’t both of these mitigate being compromised, since the vulnerability is already technically present?

Well, sure—but the only surefire way to prevent a vulnerability from being exploited is through patching it. Therefore, the process of finding vulnerabilities (and categorizing them by severity) so that you can then systematically patch them before they can be exploited, are two vital preventative measures.

And no, you don’t want to do either of these things manually if you can help it. A vulnerability assessment platform can automatically find and score vulnerabilities with the Common Vulnerability Scoring System (CVSS), while a patch management platform can help you patch those vulnerabilities automatically.

**Read more: Vulnerability response for SMBs: The Malwarebytes approach****3. DNS filtering**

The next technology you need to prevent cyberattacks is a DNS filter. But first, a little bit about what DNS (domain name system) is. 

Every time a customer types in your web address, their computer makes a request to a DNS server. The DNS server, in turn, tells the computer where to go. If all goes well, then voila, your customer is at your website. 

A DNS filter prevents you from accessing unsafe websites—including those posing a strong malware risk. But which web-based cyberthreats in particular does DNS filtering stop, you ask? There are three big ones:

*   **Phishing**: If you have a DNS filter, as soon as someone in your business clicks a link to a malicious website, they’re prevented from visiting it. 
    

*   **DDoS attacks**: Being able to continuously monitor DNS activity is a great way to catch the warning signs of a DNS DDoS attack—and with a DNS filter, you can do exactly that.
    
*   **Machine-in-the-middle attacks**: A good DNS filter uses DNS encryption, which secures the connection between your computer and the DNS resolver. That way, cybercriminals cannot sit between you and feed you spoofed DNS entries.
    

**Read more: 3 ways DNS filtering can save SMBs from cyberattacks****4. Cloud scanning**

No matter what cloud storage service you use, you likely store a lot of data: A mid-sized company can easily have over 40TB of data stored in the form of millions of files. 

Needless to say, it can be difficult to monitor and control all the activity in and out of cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. That’s where cloud storage scanning comes in.

Most cloud storage apps already have malware-scanning capabilities. However, businesses use multiple different cloud storage repositories, and due to lack of integration options, they are unable to get a centralized view of all of their scan results, across multiple repositories, in a single pane of glass.

To better prevent cyberattacks, look for a cloud scanning service that uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates. Also, look for one that provides a comprehensive view to monitor the health of all your enterprise data.

**Read more: Cloud-based malware is on the rise. How can you secure your business?****5. 2FA**

Two-factor authentication (2FA) is a cost-effective option for SMBs. 2FA adds an extra layer of protection by asking users to provide two forms of identification to prove their validity.

According to Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes, 2FA is relatively quick and easy to implement.

“2FA is simple." says Zamani. "You roll a device quickly, you enroll a device—that's something they have, which is usually a smartphone—something they know, which is a password—and then you enforce password minimum.”

**Read more: Understanding the basics of two-factor authentication****Bonus: Cyber insurance **

OK, it’s not a technology, but hear me out.

Let’s say your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

So when it comes to preventing having to pay huge out of pocket costs in the event that you’re hit with a cyberattack, cyber insurance is a must. The harsh truth is that if you don’t have cyber insurance and are hit with ransomware with no way to recover files, you will likely go out of business—especially if you're a small-and-medium-sized business. 

**Read more: 4 ways businesses can save money on cyber insurance ****A “Matryoshka approach” to cyber prevention**

Let’s recap. 

Relying solely on a single technology or technique to protect your businesses’ endpoints is a fool's errand. 

At the same time, we have to understand that each business has different needs when it comes to prevention: Your level of risk is the chief decider of what tech you ultimately employ to prevent cyberattacks. Depending on your industry and company size, you could justifiably use all of these technologies and more—or none of them.

However, most SMBs will find themselves in the middle of the risk-prevention spectrum. To that end, the following are strongly recommended: Endpoint protection, VPM, DNS filtering, cloud storage scanning, and 2FA (and cyber insurance!). 

Of course, you can't prevent 100% of threats. Therefore, you need an EDR solution to detect and respond to what _does_ get through. That is to say, you should pair any preventative technology with an EDR solution, and a good EDR can seamlessly integrate with all of the preventative technologies listed here.

Want to see what effective prevention and response look like in action? See below for a live demonstration of Malwarebytes Endpoint Detection and Response (EDR):

TAKE ME TO a LIVE DEMO OF EDR!

5 technologies that help prevent cyberattacks for SMBs 

Yurii Shchyhol gives WIRED a rare interview about running the country’s Derzhspetszviazok and the state of the online conflict with Russia.

Yurii Shchyhol doesn’t have a lot of time to spare.

The head of the Derzhspetszviazok, Ukraine’s version of the US Cybersecurity and Infrastructure Security Agency, can be forgiven for working speedily. His country is under attack—and with it, the world order. “This is the first time ever in history that we’ve had such a full-fledged cyberwar happening right now in Ukraine,” says Shchyhol, who’s tasked with keeping Ukraine’s cyber territory safe in the same way president Volodymyr Zelensky oversees the country’s physical armed forces.

Skirmishes on the internet against Russian hackers weren’t new to Shchyhol, nor to the people he oversees as part of of the Derzhspetszviazok, also known as the State Service of Special Communications and Information Protection. Before invading Ukraine on February 24, Russia had been testing the defenses of Ukraine’s cybersecurity. Mostly it was persistent, low-level attacks, but one larger attack was launched on January 14, when Russia targeted more than 20 Ukrainian government institutions. The attack, designed to disrupt government-linked websites, leeched out into the wider Ukrainian internet. “We also identified that around 90 websites were not accessible as a result of that attack,” says Shchyhol. “The goal of the Russian hackers was to sow panic among the Ukrainian population, and to demonstrate to the outside world that Ukraine is a weak state that couldn’t handle the attacks,” he says. This is why the Derzhspetszviazok rushed to relaunch the sites affected. “The longest it took us for one site was close to one week,” he says. “No data was lost, and the outcome of this attack was more psychological warfare.”

When Russian soldiers began intruding into Ukraine’s physical territory, the attacks in cyberspace stepped up. For a full month, Russia targeted communications nodes, media, logistics, and railways, says Shchyhol. “At that time, there were lots of civilians—noncombatant Ukrainians fleeing to safer places,” he adds. “That’s why the goal of those attacks was to disrupt the work of communications lines, and railways in particular.”

We’re now in the third stage of Russia’s cyberwar against Ukraine, says Shchyhol—one that’s ongoing and perpetrated “mostly against civilian infrastructure: utilities and companies that render services to civilians, since they failed to destroy in the second phase our communication lines and our ability to keep people abreast of what’s going on.” Russia’s digital war playbook is similar to its physical warfare strategy, says the cybersecurity chief. “Our attitude remains the same,” he says. “We treat them as criminals trying to destroy our country, invading it on the land but also trying to disrupt and destroy our lifestyle in cyberspace. And our job is to help defend our country.”

Ukraine’s defense of its cyber assets has surprised some, who feared Russia’s much-hyped hacker army could quickly wipe out the country digitally—just as many in the international community worried Russia’s ground invasion was a foregone conclusion. But Vladimir Putin has already played his hand when it comes to cyberattacks, says Shchyhol, and Ukraine learned lessons. A 2017 attack launched by Russia using the NotPetya virus decimated the country—and broke out into the wider world, causing chaos wherever it spread. “Afterward, there was a couple of years when they were quiet,” says Shchyhol. “We recognized that’s because they were getting themselves prepared for more active attacks against our country, so we used that pause time to get ourselves prepared for the potential attacks.” Ukraine’s success in repelling the worst of Russia’s cyberattacks in 2022 demonstrates well how much the country analyzed and learned from previous skirmishes, says the cyber chief.

One thing that helped Ukraine learn Russia’s cyber MO was creating a database of attributed Russian attacks that were specified to particular hacker groups. Shchyhol says the Derzhspetszviazok learned that most groups were sponsored by either Russia’s intelligence service—the FSB, Russia’s post-Soviet successor to the KGB—or the Russian army. Shchyhol refutes the term “hacktivist” when used in relation to Russia. “A hacktivist is a person who does it from the generosity of his heart, free of charge,” he says. “These guys are sponsored by the state and receive a mandate to perpetrate crimes.” Knowing who was behind the attacks helped, Shchyhol says. “By virtue of realizing who is attacking us, it allowed us to be better and more successfully get prepared to repel those attacks,” he says.

The database Shchyhol and his institution developed helped Ukraine repel an attack against a Ukrainian energy-generating company Russia launched earlier this year. “They used the same virus for that that they used back in 2017,” he says. Back then, Russia used the Industroyer virus; the country deployed an updated version, called Industroyer 2, earlier this year. “Since we were ready for this type of attack, we were successful in repelling it, and thus prevented damage being caused to this company,” Shchyhol says. This prevented power blackouts for 2 million people, he adds.

Ukraine’s cybersecurity lead admits that at least one Ukrainian database has been wiped as a result of Russia’s reported widespread use of wiper malware: the government’s motor insurance policy bureau, responsible for issuing coverage for Ukrainian drivers. “For two weeks, this bureau wasn’t able to issue the insurance policies to their clients,” says Shchyhol. But the bureau—like many in Ukraine—was warned about the risks and had a backup that enabled it to return to normal operations relatively quickly.

“The efficiency of any cyber combat efforts should be judged not by the fact that we make it impossible for the attackers to attack us,” says Shchyhol. “The real test of how well we perform is the \[speed\] with which services can be relaunched, and the fact no important data is stolen by perpetrators.”

Ukraine’s defenses have also been bolstered by covering fire in the cyberwarfare field by pro-Ukraine hacktivists—here, he’s more willing to use the term. “I’m talking not only about the Ukrainian IT Army,” a Telegram group set up at the start of the invasion that had at its peak more than 300,000 subscribers, “but other hacktivists worldwide that joined the effort at the beginning of the invasion.” Shchyhol says that those hacktivists have provided much-needed help—even if there’s little proof that the hacktivist army made any meaningful impact. Indeed, one recent academic analysis compared their work to breaking into a disused shopping center in a small city and spray-painting “Putin sux” on the walls.

“Being a military person, I believe anything that weakens our enemy is good for us,” he says. But Shchyhol is keen to make it clear that’s his personal opinion—wanting to avoid any suggestion of collusion or organization by the Ukrainian state. “They are a self-organized community, operating by setting their own goals,” he says. “There is no coordination of their activities coming from the government of Ukraine, and no sponsoring of their activities. We, as the government of Ukraine, are not giving them any direct order to target, for instance, infrastructure.” Even if they were to do so, Shchyhol says, Russia and its infrastructure would be lawful targets because of “all the crimes they perpetrated here.”

But rather than targeting key infrastructure for offensive attacks from hacktivists, Shchyhol suggests that targeted moves by IT businesses can cause as much damage. In July, he called for international companies servicing Russia to withdraw from the country. “Our enemy currently employs tactics like hordes did back in the Middle Ages,” he says. “Trying to attack territory and modify countries to how they want them to look using blunt force. In order for them to continue using this blunt force, they rely on continuous access to modern technologies.”

Without that access, Shchyhol says, “they will be thrown back to the Middle Ages. Any technology that comes into Russian hands, they’ll immediately try to use it for military purposes.” He estimates that 95 percent of tech companies his agency, Ukraine’s vice-president, and other government officials have approached have already withdrawn from the Russian market. Those that have include Cisco, HP, IBM, and Dell.

As for companies that haven’t, Shchyhol has a simple message. “The whole civilized world needs to recognize that the threat goes beyond Ukraine,” he says. “Cyberspace has no boundaries. If there’s any attack perpetrated against the cyberspace of one country, by default it’s affecting and attacking other countries as well.”

Ukraine’s Cyberwar Chief Sounds Like He’s Winning

Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 allows remote attackers to escalate privilege via MIAdminStyles.i4 Admin UI.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2020-19586: CVE-2020-19586/Stored XSS in MIAdminStyles.i4 through privileges escalation.pdf at main · Deepak983/CVE-2020-19586

Cross Site Scripting (XSS) vulnerability in configMap parameters in Yellowfin Business Intelligence 7.3 allows remote attackers to run arbitrary code via MIAdminStyles.i4 Admin UI.

CVE-2020-19587

Cyber spies are using legitimate apps for DLL sideloading, deploying an updated range of malware, including the new "Logdatter" info-stealer.

A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia.

The reason for using outdated versions of legitimate software is because they allow the attackers to use a well-known method called dynamic link library (DLL) sideloading to execute their malicious payloads on a target system. Most current versions of the same products protect against the attack vector, which basically involves adversaries disguising a malicious DLL file as a legitimate one and putting it in a directory where the application would automatically load and run the file.

Researchers from Broadcom's Software's Symantec Threat Hunter team observed the ShadowPad\-related threat group using the tactic in a cyber-espionage campaign. The group's targets have so far included a prime minister's office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor's analysis showed the campaign has been ongoing since at least early 2021, with intelligence being the primary focus.

**A Well-Known Cyberattack Tactic, but Successful**

"The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region," Symantec said in a report this week. It's an attractive tactic because anti-malware tools often don't spot the malicious activity because attackers used old applications for side loading.

"Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous." says Alan Neville, threat intelligence analyst with Symantec's threat hunter team.  

The fact that the group behind the current campaign in Asia is using the tactic despite it being well-understood suggests the technique is yielding some success, Symantec said.

Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. "The technique is mostly used by attackers focusing on Asian organizations," he adds.

Neville says that in most of the attacks in the latest campaign, threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the sideloading and deploy malware. In each case, the attackers had already previously compromised the systems on which it installed the old, legitimate apps.

"\[The programs\] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network," Neville says. In other instances, Symantec also observed them deploying multiple legitimate application on a single machine to load their malware, he adds.

"They used quite an array of software, including security software, graphics software, and Web browsers," he notes. In some cases, Symantec researchers also observed the attacker using legitimate system files from the legacy Windows XP OS to enable the attack.  

**Logdatter, Range of Malicious Payloads**

One of the malicious payloads is a new information stealer dubbed Logdatter, which allows the attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files, among other things. Other payloads that the threat actor is using in its Asian campaign include a PlugX-based Trojan, two RATs dubbed Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, FScan, and NBTscan for scanning victim environments.

Neville says Symantec has been unable to determine with certainty how the threat actors might be gaining initial access on a target environment. But phishing and opportunity targeting of unpatched systems are likely vectors.

"Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have launched supply chain attacks in the past," Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.

To defend against these kinds of attacks, organizations need to implement mechanisms for auditing and controlling what software might be running on their network. They should also consider implementing a policy of only allowing whitelisted applications to run in the environment and prioritize patching of vulnerabilities in public-facing applications. 

"We'd also recommend taking immediate action to clean machines that exhibit any indicators of compromise," Neville advises, "... including cycling credentials and following your own organization's internal process to perform a thorough investigation."

ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

Under certain conditions SAP BusinessObjects Business Intelligence Platform Central Management Console (CMC) - version 430, allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted.

CVE-2022-39014

Under certain conditions, the application SAP BusinessObjects Business Intelligence Platform (Version Management System) - versions 420, 430, exposes sensitive information to an actor over the network with high privileges that is not explicitly authorized to have access to that information, leading to a high impact on Confidentiality.

CVE-2022-35295

Red Hat Security Advisory 2022-6460-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6460-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6460  
Issue date:        2022-09-13  
CVE Names:         CVE-2022-21123 CVE-2022-21125 CVE-2022-21166   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* Incomplete cleanup of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
(CVE-2022-21125)

* Incomplete cleanup in specific special register write operations (aka  
DRPW) (CVE-2022-21166)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Bad page state in process qemu-kvm  pfn:68a74600 (BZ#2081013)

* slub corruption during  LPM of hnv interface (BZ#2081250)

* Affinity broken due to vector space exhaustion (BZ#2084646)

* 'rmmod pmt_telemetry' panics on ADL-P IOTG (BZ#2091079)

* Unable to boot RHEL-8.6 on Brazos max. config (Install is success)  
(BZ#2092241)

* kernel crash after reboot of T14/G2 AMD laptop (mt7921e module)  
(BZ#2095654)

* mt7921: free resources on pci_probe error path (BZ#2101684)

* NLM should be more defensive if underlying FS changes fl_owner  
(BZ#2102099)

* RHEL8/async-pf Guest call trace when reboot after postcopy migration with  
high stress workload (BZ#2105340)

* execve exit tracepoint not called (BZ#2106662)

* QProcess dead lock on kernel-4.18.0-358 (BZ#2107643)

* KVM fix guest FPU uABI size to kvm_xsave (BZ#2107652)

* KVM selftests fail to compile (BZ#2107655)

* Some monitor have no display with AMD W6400 when boot into OS.  
(BZ#2109826)

* Percpu counter usage is gradually getting increasing during podman  
container recreation. (BZ#2110039)

* multipath failed to recover after EEH hit on flavafish adapter on  
Denali(qla2xxx/flavafish/RHEL8.6/Denali) (BZ#2110768)

* soft lockups under heavy I/O load to ahci connected SSDs (BZ#2110772)

* trouble re-assigning MACs to VFs, ice stricter than other drivers  
(BZ#2111936)

* Intel MPI 2019.0 - mpirun stuck on latest kernel (BZ#2112030)

* Multicast packets are not received by all VFs on the same port even  
though they have the same VLAN (BZ#2117026)

* Hyper-V 2019 Dynamic Memory Problem hv_balloon (BZ#2117050)

* kernel BUG at kernel/sched/deadline.c:1561! (BZ#2117410)

* ALSA (sound) driver - update Intel SOF kcontrol code (BZ#2117732)

* bridge over bond over ice ports has no connection (BZ#2118580)

* Fix max VLANs available for VF (BZ#2118581)

* offline selftest failed (BZ#2118582)

* INTEL NVMUpdate utility ver 3.20 is failing to update firmware on  
E810-XXVDA4T (WPC) (BZ#2118583)

* VM configured with failover interface will coredump after been migrating  
from source host to target host(only iavf driver) (BZ#2118705)

* Fix max VLANs available for untrusted VF (BZ#2118707)

* Softlockup on infinite loop in task_get_css() for a CSS_DYING cpuset  
(BZ#2120776)

Enhancement(s):

* KVM Sapphire Rapids (SPR) AMX Instructions (BZ#2088287)

* KVM Sapphire Rapids (SPR) AMX Instructions part2 (BZ#2088288)

* ice: Driver Update (BZ#2102359)

* iavf: Driver Update (BZ#2102360)

* iommu/vt-d: Make DMAR_UNITS_SUPPORTED a config setting (BZ#2112983)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2090237 - CVE-2022-21123 hw: cpu: Incomplete cleanup of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: Incomplete cleanup in specific special register write operations (aka DRPW)

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
kernel-4.18.0-372.26.1.el8_6.src.rpm

aarch64:  
bpftool-4.18.0-372.26.1.el8_6.aarch64.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-core-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-libs-4.18.0-372.26.1.el8_6.aarch64.rpm  
perf-4.18.0-372.26.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
python3-perf-4.18.0-372.26.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-372.26.1.el8_6.noarch.rpm  
kernel-doc-4.18.0-372.26.1.el8_6.noarch.rpm

ppc64le:  
bpftool-4.18.0-372.26.1.el8_6.ppc64le.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-core-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-libs-4.18.0-372.26.1.el8_6.ppc64le.rpm  
perf-4.18.0-372.26.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
python3-perf-4.18.0-372.26.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm

s390x:  
bpftool-4.18.0-372.26.1.el8_6.s390x.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-core-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-core-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-372.26.1.el8_6.s390x.rpm  
perf-4.18.0-372.26.1.el8_6.s390x.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
python3-perf-4.18.0-372.26.1.el8_6.s390x.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm

x86_64:  
bpftool-4.18.0-372.26.1.el8_6.x86_64.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-core-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-libs-4.18.0-372.26.1.el8_6.x86_64.rpm  
perf-4.18.0-372.26.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
python3-perf-4.18.0-372.26.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-372.26.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-372.26.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCB1NzjgjWX9erEAQjx1g/+KpIc2rESQgtzICCW50Ha+ZjaOZiuIgGV  
1wDzgsyj7JRxGOIhGY3edJp7sdtoT0+CoWTdjENZrNhQlQ9UhRSpJ+8vdGy5WooO  
fwwKBffteRMEl8YTO/U8fstclEKXK3MB93ZxEHgS0L3UQY/AUU5XqSzB4a4rV9RJ  
DpFQcnw3dHIrtMKHs4HMrm8+Q8ezq9UmVbl472ecnfmNXfHDhOmUGGlUrT22SX9p  
Zn/UXCiWZxIt+Vh2uTrIgs4hiSJPAqD/lGHjLQpaR26uciZnndLui2s4W91F7yN4  
ZifRDwrSAMtsRoln7Z8HL6H59tw4vHwAY1rD5ATwk9EqhRtaetE+v0hzM+BRBhri  
dpZnKUhMiUDNTUKqmpbBZjh4IuSKI6AkaQenFnMQWTp027B6o0EjhqpiEdLaA0R/  
pYewm2OKbulyoUeVhC5GOMX6g8ckGa5h2o4Fr+fkaptELQN1VniYEu88O7pRqaqR  
lW3MrcYIEowDxyiMLehgtIxjyawzfmi0fficXzCf8xEXm8fmqlrXu4lfhKV4g3WI  
Y9j8INFYc4inopUBsQM1zXWV00nCDxAvaYPhOYI0VjO11jxOCOcBheOlwS1sseOv  
Bjram7oqf2DuVSINeTAgbHMLMA4AGEcNMsOAN/mwdq6ZBpEYmCf48pvZwQscW7qv  
a685GRAjoyY=  
=4AwP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#intel