Accelerates the safe recovery from ransomware attacks.

**SANTA CLARA, Calif., and PUNE, India, Oct. 31, 2022 /PRNewswire/** — Persistent Systems (BSE: PERSISTENT) (NSE: PERSISTENT), a global Digital Engineering provider, today announced the launch of a trailblazing solution that enables organizations to recover more quickly from cyberattacks. Together with Google Cloud, the Persistent Intelligent Cyber Recovery (PiCR) solution provides a comprehensive and scalable cyber-recovery approach, allowing organizations to reduce data loss and minimize the negative impact to brand reputation from prolonged downtime. Persistent Intelligent Cyber Recovery is now available on the Google Cloud Marketplace.

Hackers are increasing the frequency and scale of ransomware attacks. They are using continually evolving and sophisticated techniques, which makes recovery from attacks more challenging. These attacks may lead to sensitive data leakage, loss of business, and damage to brand reputation. It is crucial for organizations to not only focus on protection against cyber-attacks but also strengthen their recovery process.

Traditional backup and Disaster Recovery (DR) solutions are not designed for recovery from cyber-attacks. Persistent Intelligent Cyber Recovery includes tailored recovery plans, Persistent IP for finding and remediating malware, and the optional managed services to administer the recovery process. Persistent's solution integrates with Google Cloud to provide a secure recovery environment and Google Cloud Backup and DR for protecting the server images.

Persistent Intelligent Cyber Recovery offers the following benefits:

\-- Reduction in data loss  
\-- Decreased risk of recurrent attacks through the removal of malware  
\-- Faster recovery from ransomware and zero-day attacks (from weeks/months  
to hours/days)  
\-- Potential cyber insurance cost reduction  
\-- Scalable solution depending on enterprise size challenges  
Nitha Puthran, Senior Vice President - Cloud, Infrastructure and Security,  
Persistent:

"The digital environment today is constantly evolving and so are the risks associated with it. We are leveraging our strong relationship with Google Cloud and our product engineering expertise to create an industry-leading solution that allows enterprises to recover faster from cyber-attacks, thereby reducing the impact on their business.

"Persistent Intelligent Cyber Recovery combines strategic planning and the creation of playbooks, integration with Google Cloud services and our own IP to find anomalies that indicate malware, remove the malware, and use automation to set up test and production environments to scale. It takes a services and product mindset to create a solution like Persistent Intelligent Cyber Recovery and Persistent is uniquely positioned in the market to deliver both."

Dai Vu, Managing Director, Marketplace and ISV GTM Programs, Google: "As cyber threats become more prevalent, customers need solutions that can help them quickly address and recover from cyber-attacks. With the Persistent's Intelligent Cyber Recovery (PiCR) solution available on Google Cloud Marketplace, customers can quickly deploy PiCR to their Google Cloud environment and utilize it alongside Google Cloud technologies and capabilities to address cyber-attacks quickly and securely."  
**SOURCE:** Persistent Systems

Persistent Launches Cyber-Recovery Solution With Google Cloud

When looking at the scale and scope of worldwide cybercrime, password attacks are the most commonly observed type of threat in a given 60-second period.

Cybercrime is big and still growing bigger. It is often difficult to fully grasp the impact online attacks have had over the past decades. We used data from various Microsoft-owned properties and a mix of external sources to illustrate the scale and scope of worldwide cybercrime. Our comprehensive report on malicious activity highlights what is happening around the world within any given 60-second window.

**Cyberattacks Vary By Type and Focus**

If we’ve learned anything from our examination of last year’s online attacks, it’s that security teams need to be prepared to defend against a wide variety of threats at all times. According to RiskIQ, acquired by Microsoft in 2021, password attacks were far and away the most commonly observed type of threat, clocking in at 34,740 per minute. However, we also saw 1,902 Internet of Things (IoT) attacks and 1,095 distributed denial-of-service (DDoS) attacks during the same 60-second time period.

The threat picture gets even more complex the deeper we dive into internal Microsoft security data. We most commonly blocked email threats, identity threats, and brute-force authorization attacks for our customers.

When we examined a broad range of market data, we uncovered even more attacks. In 2021, seven phishing attacks occurred every minute, one SQL injection attack every two minutes, one new threat infrastructure detection every 35 minutes, one supply chain attack every 44 minutes, and one ransomware attack every 195 minutes. All of this comes together to create a tangled cybercrime landscape that security teams have to contend with.

**What Is the True Cost of Cybercrime?**

Cybercrime is a highly disruptive force, estimated to cause trillions of dollars in damages globally every year. The cost of cybercrime comes from damage done to data and property, stolen assets — including intellectual property — and the disruption of business systems and productivity.

Here’s a breakdown of how much cybercriminals cost businesses and consumers in 2021 per minute:

*   Worldwide economic impact of cybercrime: $1,141,553

*   Global cybersecurity spend: $285,388

*   E-commerce payment fraud losses: $38,052

*   Global ransomware damages: $38,051

*   Total cost of business email compromise: $4,566

*   Amount lost to cryptocurrency scams: $3,615

*   Average cost of breach: $8

*   Average cost of malware attacks: $5

How should enterprises guard against the disruptions and financial losses that come with a cybersecurity breach? They should start by understanding the full scope of the digital landscape that needs to be protected.

**What Should Organizations Expect?**

Threat actors are getting savvier about the tools and methods they use for evading detection, bypassing security systems, and perpetrating attacks. In 2021 there were 79,861 new hosts and 7,620 new IoT devices every minute. Likewise, we discovered 150 new domains, 53 new active LetsEncrypt SSL certificates, and 23 new mobile apps created in the same time period. Each of these additions can potentially act as a doorway for threat actors.

Cloud migrations, new digital initiatives, and shadow IT all widen the attack surface. At the enterprise level, that can mean a vast estate spanning multiple clouds and massively complex ecosystems. Meanwhile, cheap infrastructure and flourishing cybercrime economies grow the threat landscape that organizations, in turn, must track. Organizations need to ensure they’re one step ahead by creating a more holistic cybersecurity strategy that protects their operations on all fronts.

To gain control of this dynamic threat landscape, security teams must keep a pulse on new and emerging threats, the latest cybercrime tactics, and the leading tools at their disposal. Microsoft tracks more than 43 trillion signals every day to develop dynamic, hyper-relevant threat intelligence that evolves with the attack surface and helps us to detect and respond to threats rapidly. Our customers can access this intelligence directly to create a deep and unique view of the threat landscape, a 360-degree understanding of their exposure to it, and tools to mitigate and respond.

A Cyber Threat Minute: Cybercrime’s Scope in 60-Second Snapshots

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between cmm_open() and cm4000_detach().

From: Hyunwoo Kim <imv4bel@gmail.com>
To: Arnd Bergmann <arnd@arndb.de>,
	laforge@gnumonks.org, gregkh@linuxfoundation.org
Cc: "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>,
	linux-kernel@vger.kernel.org,
	"Dominik Brodowski" <linux@dominikbrodowski.net>,
	"Paul Fulghum" <paulkf@microgate.com>,
	akpm@osdl.org, imv4bel@gmail.com
Subject: Re: \[PATCH\] pcmcia: synclink\_cs: Fix use-after-free in mgslpc\_ioctl()
Date: Wed, 14 Sep 2022 19:08:34 -0700	\[thread overview\]
Message-ID: <20220915020834.GA110086@ubuntu> (raw)
In-Reply-To: <a8a9fd74-4ee5-4619-8492-be7139e6d48e@www.fastmail.com\>

The previous mailing list is here:
https://lore.kernel.org/lkml/20220913052020.GA85241@ubuntu/#r

There are 3 other pcmica drivers in the path "drivers/char/pcmcia/synclink\_cs.c", 
the path of the "synclink\_cs.c" driver I reported the UAF to.
A similar UAF occurs in the "cm4000\_cs.c" and "cm4040\_cs.c" drivers. 
(this does not happen in scr24x\_cs.c)

The flow of UAF occurrence in cm4040\_cs.c driver is as follows:
\`\`\`
                cpu0                                                cpu1
       1. open()
          cm4040\_open()
                                                             2. reader\_detach()
                                                                reader\_release()
                                                                cm4040\_reader\_release()
                                                                while (link->open) { ...
       3. link->open = 1;
                                                             4. kfree(dev);
                                                                device\_destroy()
       5. read()   <- device\_destroy() was called, but read() can be called because fd is open
          cm4040\_read()
          int iobase = dev->p\_dev->resource\[0\]->start;   <- UAF
\`\`\`
In cm4040\_open() function, link->open is set to 1.
And in the .remove callback reader\_detach() function, if link->open is 1, 
cm4040\_close() is called and wait()s until link->open becomes 0.
However, if the above race condition occurs in these two functions, 
the link->open check in reader\_detach() can be bypassed.
After that, you can call read() on the task that acquired fd to raise a 
UAF for the kfree()d "dev".


The flow of UAF occurrence in cm4000\_cs.c driver is as follows:

\`\`\`
                cpu0                                                cpu1
       1. open()
          cmm\_open()
                                                             2. cm4000\_detach()
                                                                stop\_monitor()
                                                                if (dev->monitor\_running) { ...
       3. start\_monitor()
          dev->monitor\_running = 1;
                                                             4. cm4000\_release()
                                                                cmm\_cm4000\_release()
                                                                while (link->open) { ...
       5. link->open = 1;
                                                             6. kfree(dev);
                                                                device\_destroy()
       7. read()   <- device\_destroy() was called, but read() can be called because fd is open
          cmm\_read()
          unsigned int iobase = dev->p\_dev->resource\[0\]->start;   <- UAF
\`\`\`
In the cm4000\_cs.c driver, the race condition flow is tricky because of 
the start/stop\_monitor() functions.

The overall flow is similar to cm4040\_cs.c.
Added one race condition to bypass the "dev->monitor\_running" check.


So, should the above two drivers be removed from the kernel like the synclink\_cs.c driver?

Or should I submit a patch that fixes the UAF?


Best Regards,
Hyunwoo Kim.

next prev parent reply	other threads:\[~2022-09-15  2:08 UTC|newest\]

**Thread overview:** 10+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
2022-09-13  5:20 \[PATCH\] pcmcia: synclink\_cs: Fix use-after-free in mgslpc\_ioctl() Hyunwoo Kim
2022-09-13 14:59 \` Arnd Bergmann
2022-09-13 15:14   \` Paul Fulghum
2022-09-13 15:43     \` Hyunwoo Kim
**2022-09-15  2:08   \` Hyunwoo Kim \[this message\]**
2022-09-15  7:35     \` Arnd Bergmann
2022-09-15  8:02       \` Dominik Brodowski
2022-09-15  9:00         \` Hyunwoo Kim
2022-09-16  5:03         \` Hyunwoo Kim
2022-09-15 14:05       \` Harald Welte

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220915020834.GA110086@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=akpm@osdl.org \\
    --cc=arnd@arndb.de \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=ilpo.jarvinen@linux.intel.com \\
    --cc=laforge@gnumonks.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux@dominikbrodowski.net \\
    --cc=paulkf@microgate.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2022-44032: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl()

An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().

From: Hyunwoo Kim <imv4bel@gmail.com>
To: lkundrak@v3.sk
Cc: linux-kernel@vger.kernel.org, imv4bel@gmail.com, arnd@arndb.de,
	gregkh@linuxfoundation.org, linux@dominikbrodowski.net
Subject: \[PATCH v5\] char: pcmcia: scr24x\_cs: Fix use-after-free in scr24x\_fops
Date: Mon, 19 Sep 2022 03:18:25 -0700	\[thread overview\]
Message-ID: <20220919101825.GA313940@ubuntu> (raw)

A race condition may occur if the user physically removes the
pcmcia device while calling open() for this char device node.

This is a race condition between the scr24x\_open() function and
the scr24x\_remove() function, which may eventually result in UAF.

So, add a mutex to the scr24x\_open() and scr24x\_remove() functions
to avoid race contidion of krefs.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
---
v2: fixed issue using dev's member mutex which can be freed after kref\_put()
v3: fixed using "removed" member of dev that could be freed after kref\_put()
v4: fix issue referencing uninitialized dev in scr24x\_open() function
v5: Fix patch reporting email format
---
 drivers/char/pcmcia/scr24x\_cs.c | 73 +++++++++++++++++++++++----------
 1 file changed, 52 insertions(+), 21 deletions(-)

diff --git a/drivers/char/pcmcia/scr24x\_cs.c b/drivers/char/pcmcia/scr24x\_cs.c
index 1bdce08fae3d..039d44ee0ebe 100644
--- a/drivers/char/pcmcia/scr24x\_cs.c
+++ b/drivers/char/pcmcia/scr24x\_cs.c
@@ -33,6 +33,7 @@
 
 struct scr24x\_dev {
 	struct device \*dev;
+	struct pcmcia\_device \*p\_dev;
 	struct cdev c\_dev;
 	unsigned char buf\[CCID\_MAX\_LEN\];
 	int devno;
@@ -42,15 +43,31 @@ struct scr24x\_dev {
 };
 
 #define SCR24X\_DEVS 8
\-static DECLARE\_BITMAP(scr24x\_minors, SCR24X\_DEVS);
+static struct pcmcia\_device \*dev\_table\[SCR24X\_DEVS\];
+static DEFINE\_MUTEX(remove\_mutex);
 
 static struct class \*scr24x\_class;
 static dev\_t scr24x\_devt;
 
 static void scr24x\_delete(struct kref \*kref)
 {
\-	struct scr24x\_dev \*dev = container\_of(kref, struct scr24x\_dev,
-								refcnt);
+	struct scr24x\_dev \*dev = container\_of(kref, struct scr24x\_dev, refcnt);
+	struct pcmcia\_device \*link = dev->p\_dev;
+	int devno;
+
+	for (devno = 0; devno < SCR24X\_DEVS; devno++) {
+		if (dev\_table\[devno\] == link)
+			break;
+	}
+	if (devno == SCR24X\_DEVS)
+		return;
+
+	device\_destroy(scr24x\_class, MKDEV(MAJOR(scr24x\_devt), dev->devno));
+	mutex\_lock(&dev->lock);
+	pcmcia\_disable\_device(link);
+	cdev\_del(&dev->c\_dev);
+	dev->dev = NULL;
+	mutex\_unlock(&dev->lock);
 
 	kfree(dev);
 }
@@ -73,11 +90,24 @@ static int scr24x\_wait\_ready(struct scr24x\_dev \*dev)
 
 static int scr24x\_open(struct inode \*inode, struct file \*filp)
 {
\-	struct scr24x\_dev \*dev = container\_of(inode->i\_cdev,
-				struct scr24x\_dev, c\_dev);
+	struct scr24x\_dev \*dev;
+	struct pcmcia\_device \*link;
+	int minor = iminor(inode);
+
+	if (minor >= SCR24X\_DEVS)
+		return -ENODEV;
+
+	mutex\_lock(&remove\_mutex);
+	link = dev\_table\[minor\];
+	if (link == NULL) {
+		mutex\_unlock(&remove\_mutex);
+		return -ENODEV;
+	}
 
+	dev = link->priv;
 	kref\_get(&dev->refcnt);
 	filp->private\_data = dev;
+	mutex\_unlock(&remove\_mutex);
 
 	return stream\_open(inode, filp);
 }
@@ -232,24 +262,31 @@ static int scr24x\_config\_check(struct pcmcia\_device \*link, void \*priv\_data)
 static int scr24x\_probe(struct pcmcia\_device \*link)
 {
 	struct scr24x\_dev \*dev;
\-	int ret;
+	int i, ret;
+
+	for (i = 0; i < SCR24X\_DEVS; i++) {
+		if (dev\_table\[i\] == NULL)
+			break;
+	}
+
+	if (i == SCR24X\_DEVS)
+		return -ENODEV;
 
 	dev = kzalloc(sizeof(\*dev), GFP\_KERNEL);
 	if (!dev)
 		return -ENOMEM;
 
\-	dev->devno = find\_first\_zero\_bit(scr24x\_minors, SCR24X\_DEVS);
-	if (dev->devno >= SCR24X\_DEVS) {
-		ret = -EBUSY;
-		goto err;
-	}
+	dev->devno = i;
 
 	mutex\_init(&dev->lock);
 	kref\_init(&dev->refcnt);
 
 	link->priv = dev;
+	dev->p\_dev = link;
 	link->config\_flags |= CONF\_ENABLE\_IRQ | CONF\_AUTO\_SET\_IO;
 
+	dev\_table\[i\] = link;
+
 	ret = pcmcia\_loop\_config(link, scr24x\_config\_check, NULL);
 	if (ret < 0)
 		goto err;
@@ -282,8 +319,8 @@ static int scr24x\_probe(struct pcmcia\_device \*link)
 	return 0;
 
 err:
\-	if (dev->devno < SCR24X\_DEVS)
-		clear\_bit(dev->devno, scr24x\_minors);
+	dev\_table\[i\] = NULL;
+
 	kfree (dev);
 	return ret;
 }
@@ -292,15 +329,9 @@ static void scr24x\_remove(struct pcmcia\_device \*link)
 {
 	struct scr24x\_dev \*dev = (struct scr24x\_dev \*)link->priv;
 
\-	device\_destroy(scr24x\_class, MKDEV(MAJOR(scr24x\_devt), dev->devno));
-	mutex\_lock(&dev->lock);
-	pcmcia\_disable\_device(link);
-	cdev\_del(&dev->c\_dev);
-	clear\_bit(dev->devno, scr24x\_minors);
-	dev->dev = NULL;
-	mutex\_unlock(&dev->lock);
-
+	mutex\_lock(&remove\_mutex);
 	kref\_put(&dev->refcnt, scr24x\_delete);
+	mutex\_unlock(&remove\_mutex);
 }
 
 static const struct pcmcia\_device\_id scr24x\_ids\[\] = {

base-commit: 521a547ced6477c54b4b0cc206000406c221b4d6
-- 
2.25.1

                 reply	other threads:\[~2022-09-19 10:26 UTC|newest\]

**Thread overview:** \[no followups\] expand\[flat|nested\]  mbox.gz  Atom feed

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20220919101825.GA313940@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=arnd@arndb.de \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=linux@dominikbrodowski.net \\
    --cc=lkundrak@v3.sk \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2022-44034: [PATCH v5] char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops

Plus: The New York Post gets hacked, a huge stalkerware network is exposed, and the US claims China interfered with its Huawei probe.

For years, AlphaBay ruled the dark web. If you were in the market to buy drugs or stolen credit cards, the digital bazaar was the place to turn. At its peak, more than 350,000 products were listed for sale—an estimated 10 times the size of the notorious Silk Road market—and the website proved to be the ire of law enforcement the world round. That was until cops took AlphaBay offline in 2017.

This week, WIRED published the first in a six-part series detailing the hunt for Alpha02, the mastermind believed to be behind AlphaBay, and the huge international takedown operation that wiped the marketplace from the web. Each week, we’ll publish a new part of the series, excerpted from WIRED reporter Andy Greenberg’s new book, _Tracers in the Dark_.

Schools across the US have faced dozens of hoax calls about mass shootings in recent months. After a call is made, police scramble to the scene fearing the worst, only to find out there is no shooter. Now hoax phone call recordings obtained by WIRED and conversations with law enforcement officials reveal how the calls have been made and show that law enforcement officials are closing in on the alleged hoaxer. Police are looking for a male “with a heavy accent described as Middle Eastern or African” and have linked the phone calls to Ethiopia.

Elsewhere, a bug in Apple’s new macOS 13 Ventura operating system is causing problems for malware scanners and security monitoring tools. With the new software update, Apple accidentally crippled third-party security products in a way users may not notice. The company is planning to fix the bug in an upcoming software release.

We also looked at a newly discovered Chinese influence operation that is targeting US elections—although it is not having much success. And now that Elon Musk owns Twitter, here’s how you should think about your privacy and security on the bird website.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in Canada and the Netherlands are investigating allegations that Chinese police forces have operated a network of illegal police stations within their countries. According to reports that emerged this week, Chinese police forces have been operating out of clandestine bases and using their presence to track and threaten dissidents. The Dutch government has called such sites “illegal” and said it is “investigating exactly what they are doing here,” while officials in Canada said they are investigating “so-called ‘police’ stations.”

However, it is just the tip of the iceberg. Spanish civil rights group Safeguard Defenders first claimed that Chinese police forces from the cities of Fuzhou and Qingtian were running “overseas police service stations” across the West in a report published in September. Since 2018, the group claims, more than 38 police service stations have appeared in “dozens of countries” spread across five different continents. “Such overseas police ‘service stations’ have been used by police back in China to carry out such ‘persuasion to return’ operations on foreign soil, including in Europe,” the report states. Lawmakers in both England and Scotland are also planning on investigating the stations, reports say.

Chinese officials have not denied the existence of the service stations, but say they exist to provide bureaucratic services to Chinese citizens and don’t involve police operations. The Chinese embassy in Canada said the stations exist to allow Chinese citizens to complete tasks such as renewing their driving licenses: “The main purpose of the service station abroad is to provide free assistance to overseas Chinese citizens in this regard.”

If stalkerware is installed on your phone or laptop, the malicious software can send every tap, message, and photo back to the person who added it to your device. The software is often hard to find, and the insidious industry that creates it operates in the shadows. This week, a TechCrunch investigation revealed how a huge stalkerware network, with hundreds of thousands of victims, operates.

Leaked data obtained by TechCrunch shows TheTruthSpy stalkerware has been installed on more than 300,000 devices and has victims all around the world. Over a six-week period analyzed by the publication, more than 9,400 new devices were infected with the stalkerware. Thousands of calls, millions of text messages, and more than 470,000 photos and videos were collected by the app without its victims’ knowledge. And data was also likely collected from the phones of children. This tool can tell if your device was compromised.

A pair of Chinese intelligence officers attempted to bribe a US official involved in the criminal case against Huawei, the US Department of Justice claimed this week. Across three separate cases, the Justice Department charged 13 people with alleged efforts to “exert influence” in the US on behalf of the People’s Republic of China. The charges range from trying to disrupt the US government’s Huawei investigation to trying to recruit people as intelligence agents. Two people were also arrested for allegedly attempting to “cause the forced repatriation” of a Chinese national living in the US. “The actions announced today take place against a backdrop of malign activity from the government of the People’s Republic of China that includes espionage, attempts to disrupt our justice system, harassment of individuals, and ongoing efforts to steal sensitive US technology,” deputy attorney general Lisa O. Monaco said in a statement. In an unprecedented move in July, the head of the FBI and the UK’s MI5 made a joint public appearance to warn about the perceived threat from China, saying the nation is the biggest threat to economic and national security.

The website and Twitter account of the _New York Post_ were hacked this week. On Thursday, the publication’s Twitter account started sharing links to stories with offensive headlines and posts about politicians. US president Joe Biden, US representative Alexandria Ocasio-Cortez, and New York governor Kathy Hochul were all targeted. The _Post_, which is owned by News Corp, tweeted that it was investigating the incident, but very few details have been made public so far. In February this year, News Corp announced it had been hacked, with the attackers believed to have accessed journalists’ emails. The latest attack against the _Post_ echoes a recent hack of the business news website _Fast Company_. In September, the publication’s content management system (CMS) was breached and the attacker sent offensive push notifications to Apple News subscribers.

China Operates Secret ‘Police Stations’ in Other Countries

What's next for the social network is anyone's guess—but here's what to watch as you wade through the privacy and security morass.

Elon Musk is buying Twitter for $44 billion after the least sexy will-they-won't-they saga of all time. And while Musk attempted to reassure advertisers yesterday that "Twitter obviously cannot become a free-for-all hellscape, where anything can be said with no consequences," the acquisition raises practical questions about what the social network's nearly 240 million active users can expect from the platform in the future.

Chief among these concerns are questions about how Twitter's stances on user security and privacy may change in the Musk era. A number of top Twitter executives were fired last night, including CEO Parag Agrawal, the company's general counsel Sean Edgett, and Vijaya Gadde, the company's head of legal policy, trust, and safety who was known for working to protect user data from law enforcement requests and court orders. Gadde ran the committee that ousted Donald Trump from Twitter in January 2021 following the Capitol riots. Musk, meanwhile, said in May that he would want to reinstate Trump on the platform and called the former US president's removal “morally bad.” 

This afternoon, Musk wrote that “Twitter will be forming a content moderation council with widely diverse viewpoints. No major content decisions or account reinstatements will happen before that council convenes.”

Content moderation has real implications for user security on any platform, particularly when it involves hate speech and violent misinformation. But other topics, including the privacy of Twitter direct messages, protection from unlawful government data requests, and the overall quality of Twitter's security protections, will loom large in the coming weeks. This is particularly true in light of recent accusations from former Twitter chief security officer Peiter “Mudge” Zatko, who described Twitter as having grossly inadequate digital security defenses in an August whistleblower report.

“Personally, I don’t know what to do, especially when you take Mudge’s whistleblower complaint into consideration,” says Whitney Merrill, a privacy and data protection lawyer and former Federal Trade Commission attorney. “I’m just not putting any sensitive data or data I’d like to stay confidential into DMs.”

Twitter offers a tool for downloading all the data it holds in your account, and reviewing your own trove is a good first step in understanding what information the company has linked to you. It's unclear, though, exactly how much control you currently have over deleting this data, and the policies could continue to evolve under the Musk administration. Twitter DMs, for example, only offer the option to “Delete for You,” meaning delete messages from your own account but not for other users. 

More broadly, Twitter's current policy on account deactivation simply says, “If you do not log back into your account for the 30 days following the deactivation, your account will be permanently deactivated.  Once permanently deactivated, all information associated with your account is no longer available in our Production Tools.” It is unclear what exactly this means in terms of long-term data retention and, again, policies may change in the future.

“It appears Twitter isn't even deleting data of end users, and private messages are kept forever or maybe until all participants delete,” Merrill says. (Twitter did not yet respond to WIRED's request for comment.)

It's worth noting that for most users, Twitter's core purpose as a public microblogging service is something of a saving grace. A lot of the things most people have done on Twitter over the years were meant to be publicly accessible. But private Twitter accounts and direct message chats are both popular Twitter features and important considerations as the company evolves.

“This is an emerging situation, but to the extent DMs were ever considered safe from inspection by staff, the threat is greater with the extensively reported rumors of staff reductions,” says Jake Williams, director of cyber-threat intelligence at the security firm Scythe and a former National Security Agency hacker. “Some of the first staff to be cut in any reorganization are personnel involved in nonfunctional activities, such as security specialists and internal policy oversight.”

Zatko, the former Twitter chief security officer, warned in both his written report and subsequent Congressional testimony of rogue insiders at Twitter, including nation-state actors, woefully inadequate access controls, and weak digital security defenses. As a result, a lack of security investment in the Musk era could pose a real danger to users over time. And Twitter has been plagued by both criminal and state-backed attacks over the years.

It's important to keep in mind, though, that the social giant is still a public company and that Musk himself would face legal liability if he or any of his appointees personally access user data or take other rogue actions like, say, leveraging the Twitter mobile application to grab user data outside of Twitter's scope.

“This all should be very concerning, but users don't need to overreact,” Williams says. “There will still be disincentives to run afoul of regulators.”

Even if many users are sticking around to see how things shake out, some are already balking at the extreme uncertainty of the situation. This evening, General Motors said it was temporarily suspending advertising on the social network.

If Musk Starts Firing Twitter's Security Team, Run

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 21 and Oct. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for October 21 to October 28

The next generation of cybersecurity pros will need to participate frequently in relevant training to expand their skills and stay engaged.

The shortage of cybersecurity professionals worldwide is a growing concern for organizations of all sizes, as threats mount and attack vectors become more difficult to defend against.

CyberSeek.org counts nearly 770,000 open jobs in cybersecurity, and the data is showing that employer demand for cybersecurity workers is growing 2.4 times faster than the overall rate across the US economy.

To adequately train the next generation of cybersecurity pros, organizations need to start thinking more collaboratively, using virtual technologies as learning tools, and turning to upskilling to offer opportunities to in-house talent.

**Teaching the Why Along With the How**

Some of the changes in training and education approaches are fundamental, argues Andrew Hay, COO at Lares Consulting, an information security consulting firm.

"We often teach people the 'how' but never the 'why' when it comes to cybersecurity training," he says. "For example, we'll show someone how to run a tool to detect a vulnerability, but we won't educate them on why the vulnerability surfaced in the first place."

He says if you don't show people how to prevent vulnerabilities from occurring, you're doomed to keep showing them how to detect them after the fact.

"We have an entire team dedicated to showing our customers how to detect, mitigate, and prevent attacks within their organization," he says. "Not only do we show effect, but we also show cause." Hay says by training people to prevent insecure configurations in the first place, you can help them reduce their attackable surface area.

He adds that cyber-range and capture-the-flag (CTF) events are fantastic learning environments to hone your skills and grow as a cybersecurity professional.

"You'll get to experience how others think about attacking a system, what tools and techniques they use, and their thought process," Hay says. "It's invaluable."

**Playing NICE**

Danielle Santos, manager of communications and operations for NIST'S National Initiative for Cybersecurity Education (NICE), says investing in cybersecurity training and education now is critical to meet this growing demand.

"We are coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals," she explains. By facilitating a mechanism whereby the educators, trainers, and employers can come together as a community, they are better positioned to have training that meets the workforce demand.

NICE is also responsible for maintaining the Workforce Framework for Cybersecurity, which describes tasks, knowledge, and skills that are needed to perform cybersecurity work. It provides a standard for training and certification providers to establish knowledge and skill requirements according to tasks in the workplace.

**Smashing Training Silos**

Mika Aalto, co-founder and CEO at Hoxhunt, a Helsinki-based provider of enterprise security awareness solutions, says that the motivation for training today is compliance-driven, not security-driven, which leads to training implementations that can't address human cybersecurity risk.

He argues that organizations should take a risk-based view of the actual attacks employees face and focus on building the right culture and driving the adoption of the correct habits.

"When it comes to the core sins, organizations are running punitive programs that fail to capture employees' hearts and minds," he says.

Making matters worse, training frequency is occasional, and curriculum is built with a one-size-fits-all mentality. "Today's technology allows us to automatically develop and deliver individual training experiences at scale, driving behavior change rather than raising awareness," he says.

From Aalto's perspective, another core sin is that the training often gets siloed. "Awareness professionals are blind to the attacks and metrics managed by security operations," he says. "They lack the cohesive processes and technology to share intelligence and augment detection and response capabilities."

He says that modern teams should work in harmony, with effective training platforms that enable employees to hunt attacks that have infiltrated the organization and integrate that data into operations to mitigate the threats in real time.

"Extending awareness into the center of the security stack is a game-changer in how training is conducted and leveraged," he adds.

**Innovations in Training**

Santos notes that over the past several years, simulated training has shown promise as a mechanism to learn new cybersecurity skills. Training offered through cyber ranges, for example, allows learners to experience simulated real-world scenarios and demonstrate applied knowledge and skills.

"Additionally, apprenticeships, while not new to the broader workforce, but relatively new as they apply to the cybersecurity workforce, is a proven approach to expanding cybersecurity talent," she says.

She highlights the US Departments of Commerce and Labor's recent partnership on a 120-day Cybersecurity Apprenticeship Sprint to promote the Registered Apprenticeship model as a way to develop and train a skilled and diverse cybersecurity workforce.

**Moving to New Training Models**

Kelly Albrink, Bishop Fox practice director for application security, points out that cybersecurity training has historically culminated in a multiple-choice test that relies on memorization.

"With the Internet at our fingertips, memorization is far less important than problem solving," she explains. "So, training should be more focused on hands-on exercises that directly map to what real cybersecurity work looks like."

She mentions her company's Bishop Fox Academy, an internal training program to help people gain both technical skills and soft skills. "Bishop Fox is one of the few companies with actual entry-level roles for junior consultants," Albrink says. "We have a formal mentor program that matches consultants based on their interests and specializations."

She says that in earlier iterations of the mentor program, the company received a lot of feedback from both mentors and mentees that they wanted more structure and guidance on how to get the most out of the program, which led to the creation of a worksheet to help guide initial conversations. It included both "getting to know you" questions to help pairs build an immediate connection, as well as guidance on goal setting.

"We also understand that not every mentor match is the best fit so, 2-3 times a year we give people the opportunity to get a new match or extend their current pairing," she adds. "I typically encourage people to have multiple mentors and receive mentoring on more than one topic."

**The Benefits of Upskilling**

"When you upskill existing cybersecurity, staff you can cut down the learning curve within your organization and often fill gaps faster," Ron Culler, vice president cyber learning officer at CompTIA, explains.

However, it's not just existing cybersecurity staff that should be the focus — he says organizations should be looking across their workforce and at all its IT staff. "Many of these individuals have strong foundational knowledge of the organization," he says. "They can be some of the best candidates to work in cybersecurity, simply because cybersecurity encompasses all aspects of an organization."

Santos agrees that upskilling is an effective approach to filling talent gaps more quickly in an organization. "It utilizes the existing workforce, many of whom have transferrable skills that can be applied to a cybersecurity," she says.

**Cybersecurity Touches All Aspects of an Organization**

CompTIA offers education, training, and certification options for individuals interested in working in cybersecurity and those already in the profession. Four certifications are specific to cybersecurity skills at different career levels — entry, mid, and advanced. Cybersecurity is also embedded in the company's other certifications in networking, data, cloud computing, and other disciplines.

Culler points out that traditional approaches have often focused on individuals with a heavy background in technology.

"While this is still needed, cybersecurity encompasses much more than just tech," he says. "Diverse experiences and skills are needed to fill gaps in cybersecurity roles throughout organizations."

As he puts it, cybersecurity is not a technology issue, but rather something that touches every aspect of an organization.

**Training the Next Generation of Hackers**

From Albrink's perspective, you can't buy enough senior talent to meet the demands of the market. The only viable solution is to train the next generation of hackers.

"In terms of best practices, newcomers often want to learn everything and get overwhelmed," she says. "If they pick two focuses, and those two things synergize well, they'll be much better set up for success."

She adds that learning in a vacuum, like simply reading a book or watching a video, doesn't lead to good results. "I always recommend that you pick a hands-on project to apply what you're trying to learn," she says. "For example, every webapp hacker should build and deploy their own app."

She says that gives you a much better perspective on how difficult it can be to put common defensive recommendations into practice and helps you to better understand the struggles that developers face.

**More Flexibility, More Investment**

Albrink says she's seen a trend of publicly available training moving to a more on-demand subscription-based model. "This gives learners the flexibility to fit their training schedule to their busy lives," she says. "So, instead of trying to knock out a red team lab in 30, 60, or 90 days, they get access for a year."

The downside is the training has become a lot more expensive and out of reach for most people paying for it themselves.

Santos explains the US Department of Commerce supports a workforce development model, to include training, that leans on an employer-driven regional approach. "An employer-driven approach aims to ensure that the supply of cybersecurity talent is job-ready," she says.

Culler agrees it's important to invest in cybersecurity training now because cybersecurity threats aren't going away or lessening. "We need a cyber aware and cyberskilled workforce for organizations to remain competitive and thrive in the current environment and into the future," he says.

From Aalto's perspective, the key word is "invest." He points out that around 90% of breaches contain a human element, almost always initiated by a phishing attack, and yet only 3% of security budgets go to awareness.

"That imbalance tilts the advantage towards the threat actors, whose attacks get more relentless and sophisticated by the day," he says.

In a risk landscape where cybersecurity is increasingly expensive and hard to get, and where regulations tighten all the time, it's up to organizations to take a risk-based approach to protect themselves where they're most vulnerable — their people.

"It works, if your training is done right," Aalto says.

Wanted: Cybersecurity Training That Breaks Down Silos

The threat actor uses commands from legitimate IIS logs to communicate with custom tools in a savvy bid to hide traces of its activity on victim machines.

Hacking group Cranefly is using the new technique of using Internet Information Services (IIS) commands to deliver backdoors to targets and carry out intelligence-gathering campaigns.

Researchers at Symantec have observed a previously undocumented dropper Trojan called Geppei being used to install backdoors (including Danfuan and Regeorg) and other custom tools on SAN arrays, load balancers, and wireless access point (WAP) controllers that may lack appropriate security tools, according to a blog post on Oct. 28.

In examining the activity, the team noticed that Cranefly is using ISS logs to communicate with Geppei.

"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks, making it novel," Brigid O Gorman, senior intelligence analyst on Symantec’s Threat Hunter team, tells Dark Reading. "It is a clever way for the attacker to send commands to its dropper."

ISS logs record data such as webpages visited and apps used. The Cranefly attackers are sending commands to a compromised Web server by disguising them as Web access requests; IIS logs them as normal traffic, but the dropper can read them as commands, if they contain the strings Wrde, Exco, or Cllo, which don't normally appear in IIS log files.

"These appear to be used for malicious HTTP request parsing by Geppei — the presence of these strings prompts the dropper to carry out activity on a machine," Gorman notes. "It is a very stealthy way for attackers to send these commands."

The commands contain malicious encoded .ashx files, and these files are saved to an arbitrary folder determined by the command parameter and they run as backdoors (i.e., ReGeorg or Danfuan).

Gorman explains that the technique of reading commands from IIS logs could in theory be used to deliver different types of malware if leveraged by threat actors with different goals.

"In this instance, the attackers leveraging it are interested in intelligence gathering and delivering backdoors, but that doesn't mean this technique couldn't be used to deliver other types of threats in the future," she says.

In this case, to date, the Symantec threat team has found evidence of attacks against just a handful of victims.

"That is not unusual for groups focused on espionage, as these attacks tend to be focused on a small number of selected victims," Gorman explains.

**Cranefly: A Threat of Reasonable Sophistication**

Gorman explains that the development of custom malware and new techniques requires a certain level of skills and resources that not all threat actors have.

"It implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks," she says, noting the gang also takes steps to cover up its activity on victim machines.

The dropped malicious backdoors are removed from victim machines if the Wrde command is called with a specific option ("r").

"A step like that displays quite a high level of operational security by the group," she adds.

**Deploying an In-Depth Defense Strategy**

Gorman says that the typical rules apply to defending against Cranefly as they do when it comes to most types of cyberattacks: Organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain.

"Organizations should also be aware of and monitor the use of dual-use tools inside their network," she says, noting that Symantec would also advise implementing proper audit and control of administrative account usage.

"We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network," she says. "Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

Cranefly Cyberspy Group Spawns Unique ISS Technique

Ubuntu Security Notice 5706-1 - It was discovered that the BPF verifier in the Linux kernel did not properly handle internal data structures. A local attacker could use this to expose sensitive information. It was discovered that an out-of-bounds write vulnerability existed in the Video for Linux 2 implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5706-1  
October 27, 2022

linux-azure-fde vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems

Details:

It was discovered that the BPF verifier in the Linux kernel did not  
properly handle internal data structures. A local attacker could use this  
to expose sensitive information (kernel memory). (CVE-2021-4159)

It was discovered that an out-of-bounds write vulnerability existed in the  
Video for Linux 2 (V4L2) implementation in the Linux kernel. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-20369)

Duoming Zhou discovered that race conditions existed in the timer handling  
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in  
use-after-free vulnerabilities. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the  
io_uring subsystem in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the  
Linux kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux  
kernel incorrectly shared unrelated data when communicating with certain  
backends. A local attacker could use this to cause a denial of service  
(guest crash) or expose sensitive information (guest kernel memory).  
(CVE-2022-33741, CVE-2022-33742)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in  
the Linux kernel on ARM platforms contained a race condition in certain  
situations. An attacker in a guest VM could use this to cause a denial of  
service in the host OS. (CVE-2022-33744)

It was discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel contained a reference counting error. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2022-36879)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1092-azure-fde  5.4.0-1092.97+cvm1.1  
   linux-image-azure-fde           5.4.0.1092.97+cvm1.32

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5706-1  
   CVE-2021-4159, CVE-2022-20369, CVE-2022-2318, CVE-2022-26365,  
   CVE-2022-26373, CVE-2022-3176, CVE-2022-33740, CVE-2022-33741,  
   CVE-2022-33742, CVE-2022-33744, CVE-2022-36879

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1092.97+cvm1.1

Tag

#intel