x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-26363,CVE-2022-26364 / XSA-402 version 4 x86 pv: Insufficient care with non-coherent mappings UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. IMPACT ====== Malicious x86 PV guest administrators can escalate privilege so as to control the whole system. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only x86 PV guests can trigger this vulnerability. Only x86 PV guests configured with access to devices (e.g. PCI Passthrough) can trigger the vulnerability. Only CPUs which can issue non-coherent memory accesses are impacted. CPUs which enumerate the SelfSnoop feature are not impacted, except as noted in errata. Therefore, we believe that Xen running on Intel IvyBridge or later CPUs is not impacted by the vulnerability. MITIGATION ========== Not passing devices through to untrusted x86 PV guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Jann Horn of Google Project Zero. RESOLUTION ========== Applying the appropriate attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. Furthermore, the XSA-402 patches depend logically on the XSA-401 patches, and will not function safely without XSA-401 in place first. xsa402/xsa402-?.patch xen-unstable xsa402/xsa402-4.16-?.patch Xen 4.16.x xsa402/xsa402-4.15-?.patch Xen 4.15.x xsa402/xsa402-4.14-?.patch Xen 4.14.x xsa402/xsa402-4.13-?.patch Xen 4.13.x $ sha256sum xsa402\* xsa402\*/\* 3572a7bf70f372707705eec7e24ec6737d41dde906d82b4197597480df557b0c xsa402.meta ce956e3b24b34b10034d6cc219f616e96e5b7b3a391f6d9a97d96694579e86b3 xsa402/xsa402-1.patch 8faaae88b7d88a3ef66ebd9db7d5fbfa600ab1216b38954a7a8b44822a32b87e xsa402/xsa402-2.patch 344c76e842e830ef209427359d2b566d6b54f8862c16662ca628c459680614d7 xsa402/xsa402-3.patch 210e8312f351f1b26b58e5f24479381371ddfbae4b1d3b7233a9ed909a3d08cd xsa402/xsa402-4.13-1.patch 5d9e6cb667d47f58f1b85c02844510673f9bfa5a94a74847bfe641bc9722dc67 xsa402/xsa402-4.13-2.patch 176bbd997d163cfb17811065e084ee118ba272e02302c0237dcfeca7d261943d xsa402/xsa402-4.13-3.patch 0ee1adac14c185c3b928f8384c6f5749ecf1c028eb65e17ad54de5be0773b40b xsa402/xsa402-4.13-4.patch 366a79734861535818c54e3d831c7349de11fbd761ee04ced712590e50a149ed xsa402/xsa402-4.13-5.patch 487227003630a70a640e434c6b0125f73c8d7affc9c90297de737a29a0cf0c7e xsa402/xsa402-4.14-1.patch 328dd4090ecb6bd13696a9a69d098476d14ccde4d78e0127c2512569c73aa01a xsa402/xsa402-4.14-2.patch 739263e622620e95c03118d3ea9d4f96ea3ce83d17ae6d06ca596cbe3d7c6035 xsa402/xsa402-4.14-3.patch f35a7c0282efe0271517fe6407f2d36f97455710041fa3bce72a61bc3733b556 xsa402/xsa402-4.14-4.patch ba4b84e95fbad023c1db21b677b166e09a4a2c0c4346ecb4612a32ee97f37efe xsa402/xsa402-4.14-5.patch ccdcbebcef9b84dce82c95f6faaa85f73f137c47c54aa891ee350e90cf1e8ceb xsa402/xsa402-4.15-1.patch 51d6875b097ba9913620e827cc1d634e6d3506fb6ab8ab7ac763e46634d7b67c xsa402/xsa402-4.15-2.patch 58b02bd665366c235534c58bc0f040863f3b1083551541c2b6de090c5d0caf6c xsa402/xsa402-4.15-3.patch 457cb2be1425948589cd0b7084087f6b995df29af289c10f9e9011df6f704cc0 xsa402/xsa402-4.15-4.patch 808cb71f43ab64ac6e992ffc081790292e014b7476304502caaee0f2d8e92b6d xsa402/xsa402-4.15-5.patch d90732dd1ef85c6d33471f83a707245e4bff3b737110ba4b8533c549b06175cc xsa402/xsa402-4.16-1.patch f68ad7dd8f68f688bb2f42664af8c7eeecc4888b84afe8e102e96518c22ceb2c xsa402/xsa402-4.16-2.patch 96f0c356281c59cc90894c0160121469096c3076cc4e1b52e81a521da10e9d76 xsa402/xsa402-4.16-3.patch 27aeb50651bfde461b84c98a897062e261b9ac84b6e07e9afbaae4c20c61a963 xsa402/xsa402-4.16-4.patch d65c84f2cf1f75d96c1853ffeeb8eed793e6382d21795af04871ead07f6b330c xsa402/xsa402-4.16-5.patch 5b472eda637ff59b0b7dff85a7869d7197f728b581581ce97b1617c2dcb62397 xsa402/xsa402-4.patch 15741042b7e6c04deff2edcbd21f1c4649d58790919fa18d4b131b53d68a124f xsa402/xsa402-5.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: deployment of the mitigation (i.e., switching guests from passed-through devices to virtual devices) is \*not\* permitted during the embargo, as it could be seen by an attacker and potentially give them a hint about the nature of the vulnerability. Futhermore, distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmKh4lkMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZWi0H/3qjj6TwK57IN/QXxMxnPf/Z8w1C4J64dHXXksXz epUV7NAUMhZMiL1TDRXORLCcUEC9ErwBb3xdz+rSy/3oyqVNL2vERu7LtXKriIgi WZYvk/19QzBNVTrGUbXmLFER/0hGo6r3wW3VPhziAoTc71f2PW4wIWbvGOzvHpSU PuRhScXNMdJsu6dh5mNahqQE2nxRSOY/B9D8KDZTCJ4GwMKqZGuwRu5FuoHhXDa/ iOy4kUt6SOJ46L7Za1ULdYe6wdYWzJJtVaoojgjU/gqwtT3uXLa3eqsUqXjGynxj iGGOMFTypAMhMXqEgKzUEbJOYvvaLmC/D/bbVZ7U80Nya18= =bGG4 -----END PGP SIGNATURE-----

CVE-2022-26363

AI works best when security professionals and AI are complementing each other.

Artificial intelligence has advanced greatly in the past decade. On my phone, I'm reading Apple and Google news that is well-tailored to me, thanks to AI recommendation models. Self-driving cars are already picking up passengers for rides in downtown San Francisco.

The same transformation is happening in the cybersecurity world too. However, questions remain: Will AI replace security professionals? Or will AI still be as useful in the zero-trust era given that access is tightened to the minimum already?

AI was introduced to the center stage of the cybersecurity industry a few years ago, originally to tackle malware detection and anomaly detection use cases. We have come a long way to better understand both the usefulness and the limitations of applying AI to cybersecurity, especially in the zero-trust era.

**AI Is Still Needed**

First, a zero-trust architecture doesn't remove the need for AI. Though zero trust eliminates the attack surface and reduces the chance for the anomaly to happen, zero trust demands AI more.

Today, an enterprise user's security policy is typically that person's department security policy. Whether users are in a big or a small department, they all follow very similar, if not the same, security policy, including access control policy.

In the zero-trust era, we need a personalized, contextual, dynamic, and granular security policy — which is exactly what zero trust is about. Access control, for instance, is no longer based on simple rules but a set of complex policies based on your identity, your device, your posture, your intention, your risks, your content, and a lot of rich data points.

However, generating such complex, granular, and personalized policy _at scale_ can be very time-consuming if relying on human rules and heuristics. Different employees will use different applications and such application usage may need to evolve fast in a short period of time. AI is a critical technology to make such an intelligent and personalized security policy recommendation at scale.

At the same time, it is impossible for AI to capture or comprehend all the nuances and contexts of any complex environment, so AI may make recommendations that are suboptimal from experts' eyes. With ongoing human feedback, we can improve the AI model and its effectiveness.

**Threat Detection**

Second, zero trust gives the enterprise much tighter protection than it has had in the past, but no matter how tightened things are, there is always a weak link somewhere. Therefore, we want AI to assist with evasive and unknown threat detection and prevention.

Some evasive threats are undetected in time by conventional signature-based or sandbox technology. The SolarWinds supply chain attack is a good example. This global attack turned the SolarWinds Orion software into a weapon, subsequently gaining access to several government systems and thousands of private systems around the world. There was no involvement from any malware by the traditional definition, and it was hard to rely on any single layer of the conventional technology to detect such an attack ahead of time.

AI has a good potential to be the technology to do a better job with unknown threat detection because it can "predict" threats that have never been seen before.

Practically, we will want to layer multiple security technologies along with AI. For instance, in the case of malware, the tried-and-true approach of signature matching and sandbox will continue to play a key role. AI will complement greatly, but not displace, the conventional technology.

**Easily Understood**

Third, enterprise customers want to utilize AI in a way that is easily understood and digestible by security professionals. The "explainable AI" may not improve the AI model efficacy on the surface, but it will increase the adoption of AI significantly.

For instance, AI may be able to detect an unknown threat, but SecOps teams may want to see which family the threat belongs to before taking an action. For another example, AI may be able to generate intelligent and relevant security policy recommendations, but SecOps teams may still want to know the context of why certain recommendations are made before accepting them.

**Conclusion**

The cybersecurity industry needs AI to help reduce unknown attacks at scale and come up with granular and contextual security policies at scale to reduce the attack surface. We want the result to be explainable too.

AI-powered security tools and products are an amazing digital assistant to SecOps professionals. And professionals are assisting AI technology to advance, too, as we will need humans to verify many of the outputs and/or provide feedback for the AI model to improve.

AI is useful to scale the enterprise security functions, like more-intelligent policies and more-intelligent threat detection as discussed above. AI works best when security professionals and AI are complementing each other. In the end, AI is an assistant to security professionals and will not be a replacement for human effort for a long time to come.

How AI Is Useful — and Not Useful — for Cybersecurity

BAE Systems' Peder Jungck joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the importance of collaboration.

Information sharing and collaboration are essential to security practitioners, says Peder Jungck, VP and general manager of BAE Systems Inc.'s Intelligence Solutions business unit. And the power of that shared data is compounded when shared across companies and industry sectors, he adds. Jungck also discusses how sharing and collaboration work in cloud environments, and shares tools, processes, and organizations that can improve collaboration both internally and with partners, suppliers, and customers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Want Better Security? Up Your Collaboration Game

John Leyden 09 June 2022 at 15:18 UTC

APTs hammering unpatched vulnerabilities

Chinese state-sponsored attackers are placing a heavy reliance on known but commonly unpatched vulnerabilities to “establish a broad network of compromised infrastructure”, a US federal security agency warns.

While previously unknown (zero-day) vulnerabilities and novel exploits usually grab the most headlines, a joint advisory from the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warns that attacking “publicly known” flaws has become a mainstay of Chinese cyber-espionage.

**Hit list**

The advisory offers a list of network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.

Flaws in small business-focused routers, SSL VPNs, and Network Attached Storage (NAS) devices from the likes of Cisco, Fortinet, Netgear and QNAP feature heavily on the list.

Some of the main attacks in play can achieve remote code execution (RCE) against unpatched systems while others achieve their aims by achieving authentication bypass or privilege elevation.

Catch up on the latest cyber-attack news and analysis

Chinese state-backed attackers are using publicly available exploit codes against virtual private network (VPN) services or public facing applications to hack into major telecommunications companies and network service providers, creating a platform for follow-up attacks.

Hacked systems “serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities”, according to the CISA’s advisory, which builds on previous US intel agency reporting.

By building a network of compromised systems that act as a platform for follow-up assaults, Chinese APTs are hiding or obfuscating the source of attacks, making detection and response more challenging.

Industry experts said that CISA’s latest advisory is designed to hammer home the importance of prompt patching.

**Slow patching peril**

Andrew Kahl, CEO of BackBox, commented: “Last month CISA released a joint advisory (PDF) that recommended prioritizing the patching of software containing known vulnerabilities.

“These two advisories within a month of each other indicates threat actors are increasingly targeting known vulnerabilities, because they understand many organizations are slow to implement patches.”

Kahl added: “One of the most common vectors for attackers is through known vulnerabilities that otherwise could have been patched. In fact, 87% of organizations have experienced an attempted exploit of an already-known, existing vulnerability.”

**Hiding in plain sight**

Terry Olaes, director of sales engineering at Skybox, said that CISA’s alert pointed towards a need to adapt enterprise vulnerability remediation strategies to provide better coverage for less severe but actively exploited vulnerabilities.

Prompt triage would help organizations to protect themselves against attacks from a wide range of potential adversaries.

“Cybercriminals are increasingly targeting known vulnerabilities hiding in plain sight and turning them into backdoors to deploy complex attacks that are increasing at record rates,” Olaes said.

“If organizations only rely on conventional approaches to vulnerability management, they may only move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS).”

Olaes concluded: “Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks.”

RELATED Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks

Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

RSA CONFERENCE 2022 — "Nice to see you all again," Bruce Schneier told the audience at his keynote for the in-person return of RSA Conference, taking off his trademark cap. "It's kinda neat. Kinda a little scary." 

Schneier is a security technologist, researcher, and lecturer at Harvard Kennedy School. He has a long list of publications, including books from as early as 1993 and as recent as 2019's _We Have Root_, with a new one launching in January 2023. But he's best known for his long-running newsletter Crypto-Gram and blog Schneier on Security. And his upcoming book is about hacking.

To Schneier, hacking does not necessarily mean computer systems. "Think about the tax code," he said. "It's not computer code, but it's code. It's a series of algorithms with inputs and outputs."

Because the tax code is a system, it can be hacked, Schneier said. "The tax code has vulnerabilities. We call them tax loopholes. The tax code has exploits. We call them tax avoidance strategies. And there's an entire industry of black-hat hackers — we call them tax accountants and tax attorneys," he added, to audience laughter.

He defined hacking as "a clever, unintended exploitation of a system, which subverts the rules of the system at the expense of some other part of the system." He noted that any system can be hacked, from the tax code to professional hockey, where a player — it's contested just who — started using a curved stick to improve their ability to lift the puck. That player hacked the hockey system.

"Even the best-thought-out sets of rules will be incomplete or inconsistent," Schneier said. "It'll have ambiguity. It'll have things the designers haven't thought of. And as long as there are people who want to subvert the goals of the system, there will be hacks. 

"What I want to talk about here is what happens when AIs start hacking."

**Rise of the Machines**

When AIs start hacking human systems, Schneier said, the impact will be something completely new. 

"It won't just be a difference in degree but a difference in kind, and it'll culminate in AI systems hacking other AI systems and us humans being collateral damage," he said, then paused. "So that's a bit of hyperbole, probably my back-cover copy, but none of that requires any far-future science- fiction technology. I'm not postulating a singularity. I'm not assuming intelligent androids. I'm actually not even assuming evil intent on the part of anyone.

"The hacks I think about don't even require major breakthroughs in AI. They'll improve as AI gets more sophisticated, but we can see shadows of them in operation today. And the hacking will come naturally as AIs become more advanced in learning, understanding, and problem-solving."

He traced the evolution of AI hackers using examples of competitions. Technically it's the human developers who compete in events like DARPA's 2016 Cyber Grand Challenge or China's Robot Hacking Games, but the AIs operate autonomously once set into motion.

"We know how this goes, right?" he asked. "The AIs will improve in capability every year, and we humans stay about the same, and eventually the AIs surpass the humans."

While he acknowledged that bad actors might set up AI systems to hack financial systems for profit or mayhem, Schneier also posited that an AI might hack human systems independently and without intent. 

"\[That\] is more dangerous because we might never know it happened. And this is because of the explainability problem," he said, "which I will now explain."

**Explaining the Explainability Problem**

Schneier set up the discussion of explainability with a literary reference. In Douglas Adams' _Hitchhiker's Guide to the Galaxy_, a race of superintelligent beings called the Magratheans "build the universe's most powerful computer — Deep Thought — to answer the ultimate question to life, the universe, and everything. And the answer is?" he queried. An audience member obliged by answering "42."

The Magratheans were naturally not happy with this opaque answer, and they asked the computer to explain what it meant. "Deep Thought was unable to explain its answer or even tell you what the question was," Schneier said. "That's the explainability problem."

He added: "Modern AIs are essentially black boxes. Data goes in one end, an answer comes out the other. And it can be impossible to understand how the system reached its conclusion even if you're a programmer and look at the code."  

Schneier then discussed Deep Patient, a medical AI meant to analyze patient data and predict diseases. While the system performed well, he said, it doesn't give the doctors any explanation to help them see why it predicted a disease.

Reward hacking refers to an AI achieving a goal in a way its designer didn't intend. The audience enjoyed Schneier's description of an evolution simulator that "instead of building bigger muscles or longer legs, it actually grew taller so it could fall over a finish line faster than anybody could run."

He also used the examples of King Midas and genies to underscore the human problem of poor specification, where the granting of wishes too literally leads to misery. 

"But here's the thing," he said. "There's no way to outsmart the genie. Whatever you wish for, he will always be able to grant it in a way that you wish he hadn't. The genie will always be able to hack your wish."

And because of how the human mind works, "any goal we specify will necessarily be incomplete," he said. "We can't completely specify goals to an AI, and AIs won't be able to completely understand context."

Schneier then used the 2015 Volkswagen emissions scandal to set up an example of an AI hack that we wouldn't be able to detect because of the explainability problem. He said he imagines having an AI system design engine software to be both efficient and able to pass an emissions test. In such a system, the AI might hit on the same solution the Volkswagen engineers did — that is, fudge the emissions data by turning on emission controls only during testing — while not telling humans how it accomplished its goals. Thus the company might celebrate their great new design without even realizing that it's a hack and a fraud.

He expanded that to the real-world example of recommendation algorithms that push extremist content "because that's what people respond to." And that's an example that has real-world effects, radicalizing vulnerable people and causing them to entrench in false beliefs and sometimes even take drastic actions.

Schneier talked about research into how to avoid such negative unintended effects. One solution, value alignment, attempts to teach systems to respect human moral code. "Good luck" specifying human values or allowing an AI to learn them by self-training, he said.

In defending against AI hacking, he said, "what matters is the amount of ambiguity in the system." AIs are not able to work well with ambiguity. But that seems to be a limited solution that AIs could evolve to surmount.

**AI Hacks and the Real World**

Partly because of their lucrative nature and partly because of the structured code, Schneier expects financial systems to be one of the first real-world systems affected by AI hacks. Talking about the tax code, for example, he asked, "How many loopholes will it find that we don't know about?"

Even worse might be the AI message bots that could be infesting your Twitter time line already, pushing messages and interacting realistically. "It will influence what we think is normal, and what we think others think," Schneier warned. "That's a scale change."

But perhaps the most fraught element is the role AI is already playing in people's lives. 

"AIs are making parole decisions \[about\] who receives bank loans, helps screen job candidates \[and\] applicants for college, people who apply for government services," he noted. Because we can't tell why an AI made the decision, it will not seem fair to those denied — and indeed, it might well be unfair and based on unwarranted or underanalyzed parameters like a ZIP code.

And as with so much, he pointed out, it will be the powerful who benefit and the masses who suffer. "It's not that we \[gestures around the room\] are going to discover hacks in the tax codes," Schneier said. "It's going to be the investment bankers."  

He closed on a note of hope, though. While AI can certainly be used to find and exploit software vulnerabilities, he pointed out that they can also be used to find and _fix_ those vulnerabilities. 

"It identifies all the vulnerabilities and then it patches them" before the software gets released, he suggested. "You could imagine \[this AI\] being built into the software development tools. It's part of the compiler.

"We can imagine a world in which software vulnerabilities are a thing of the past," he added. "Kinda weird, but that's what would happen."

Schneier cautioned that during the transition period in which old vulnerable codes — computer or human — were still open and the new ones were still being vetted, black-hat AIs would still have a rich opening. However, he said, "While AI hackers can be employed by the offense and the defense, in the end it favors the defense. We need to be able to quickly and efficiently respond to hacks," though.

Human systems need to have the same agility as software, he said.

"The overarching solution is people," he said. "We're much better off as a society if we decide as people what technology's role in our future should be."

Why AIs Will Become Hackers

ReliaQuest CTO Joe Partlow joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss extended detection response — and acquisition news.

Customers consistently struggle to get from reactivity to a proactive security strategy, but combining extended detection response (XDR) with threat intelligence is a big step in that direction, says ReliaQuest CTO Joe Partlow. And in that same vein, Partlow describes points to the company’s planned acquisition of threat intel vendor Digital Shadows as a central move to reducing risk and improving resilience for customers. The combined entity will create a force multiplier for aiding the detection, investigation, and response to potential breaches, Partlow adds.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ReliaQuest Bolsters Extended Detection With Threat Intelligence

Organizations can no longer rely on traditional responses to ransomware.

Imagine the scene: A devastating ransomware attack has immobilized a large manufacturing company. It's not possible to ship or sell any products, or to contact the company's customers. The whole supply chain has been compromised. To make matters worse, two backup locations are also inaccessible. Unfortunately, this is not a what-if scenario. It happened, despite the best efforts of the company's security and business operations teams. Even though the organization had a Plan A _and_ a Plan B, it wasn't enough to deal with modern-day ransomware.

Too often, a traditional response to a ransomware attack is focused solely on a technical investigation. However, the ripple effects of ransomware go far beyond a system reboot and security housekeeping. As our manufacturing company's predicament highlights, there's often a gap between what needs to be done and shared across the enterprise and current incident response plans. Organizations' leaders must recognize that ransomware is a business risk, not simply a cybersecurity problem, and they should take the right steps in the right order to handle any crisis.

**Ransomware Motivations Evolve**

Although ransomware has been around a long time, threat actor tactics and motivations have recently changed. Following Russia's invasion of Ukraine, threat actors on Dark Web Russian language forums — particularly ones associated with ransomware — are sometimes choosing targets based on political motives rather than just financial gains. The ideological divide has led many underground actors to call for the return of ransomware groups to the mainstream underground and to reinstate the targeting of Western entities, especially in the resources, government, banking, and critical infrastructure sectors.

**New Tactics Open the Door**

We’re also seeing new threat actors introducing fresh ideas and evolving tactics. For example, some attacks are more destructive than disruptive, involving deleting or damaging backups. This destroys Plan B and makes it harder for a compromised target to get back up and running. It can also damage a business's brand and reputation.

Making life easier for threat actors is access to "plug-and-play" tools, such as ransomware-as-a-service products that can be easily purchased on the Dark Web and just as easily deployed. And there is also the growing interest in network access sales — when cybercriminals offer sophisticated and accomplished threat actors a shortcut to a compromised network for a price. For example, in February the Accenture threat intelligence team found that an underground site user, "GodLevel," was advertising access to a subdomain belonging to an identified Ukrainian agricultural exchange. An attacker could potentially use compromised system access to elevate user privileges and make use of associated domains to obtain personally identifiable information (PII) and payment card data, resell exfiltrated data, and deploy malicious software such as ransomware.

When it comes to ransomware tactics, one of the new flavors is extortion, where threat actors initiate a public business disinformation campaign aimed at eroding confidence and public trust in a business.

We're even seen threat actors directly contacting individuals whose data has been stolen from a company when the company refuses to pay a ransom. So, while companies are trying to deal with cyber complexities and get their business back up and running, they may also have to defend themselves against an extended ecosystem of stakeholders.

Disruptive times have resulted in a surge in attacks, and it is possible that Russia's invasion of Ukraine could continue this trend. Recent analysis from the Accenture cyber-incident forensic response team, based on engagements conducted between January and December 2021, shows a year-on-year increase of 107% in ransomware and extortion attacks and 33% in intrusion volume from ransomware and extortion. These growing threats put pressure on a traditional crisis response and accentuate the vital role of coordinated planning and communications.

**Closing the Communications Gap**

When all areas of the enterprise work together — driven from the top — the whole business benefits. Here are some steps to consider to help close the gaps that open the door to ransomware and extortion:

*   **Lead with leaders:** Cybersecurity professionals often run tabletop exercises, but they should evolve such exercises to include executive-level simulations. This enables organizations to test their defenses against a typical ransomware attack directly with business leaders — while simulating the risk and adrenalin of a "real-life" attack scenario.
*   **Avoid the domino effect:** Taking an uncoordinated first step can lead an organization down a path that can hinder its recovery. By creating a playbook and having a clear plan for the whole business, overseen by the C-suite, organizations can avoid the domino effect of "wrong place, wrong time" actions.
*   **Report with rigor:** The devil is in the details. To protect against ransomware, maintain standard cybersecurity patching hygiene practices and incorporate an intelligence-driven approach to vulnerability and attack surface management programs. To be resilient, organizations should better understand internal reporting obligations and act with full transparency, in a thoughtful and factual way.

**Conclusion**

By understanding — and preparing for — the full implications of a ransomware attack on an organization, recovery can be faster and easier. However, business leaders are often ill-prepared, especially when it comes to the essential communications needed to inform and instruct all stakeholders affected by an attack. It's time for business leaders to look with fresh eyes at how they handle ransomware and extortion. And the emphasis should be on prioritizing effective crisis management across the enterprise.

How Poor Communication Opens the Door to Ransomware and Extortion

BlackBasta, a newish ransomware group that is somehow linked to Conti, has a new Linux variant of its malware that targets VMware ESXi virtual machines.
The post BlackBasta is the latest ransomware to target ESXi virtual machines on Linux appeared first on Malwarebytes Labs.

BlackBasta, an alleged subdivision of the ransomware group Conti, just began supporting the encryption of VMware’s ESXi virtual machines (VM) installed on enterprise Linux servers. Because more and more organizations have begun using VMs for cost-effectiveness and easier management of devices, this change in tactic makes sense.

An ESXi VM is a bare-metal hypervisor software. Software can be characterized as “bare metal” if installed directly onto the physical machine, between the hardware and the operating system.

Siddharth Sharma and Nischay Hegde, threat researchers from Uptycs, were the first to spot and reveal BlackBasta’s tactical change in a report.

**On Linux: BlackBasta 101**

BlackBasta first appeared in April 2022 after the group ramped up their attacks against dozens of organizations. Although the brand seems relatively new, the way the group quickly accumulates victims, as well as their negotiation tactics, betray a level of experience not seen in fledgling and inexperienced online criminal gangs. This is probably why many cybersecurity communities associate them with known ransomware actors, particularly Conti.

Like other ransomware variants targeting Linux systems, BlackBasta encrypts the /vmfs/volumes folder. This is where virtual machines on ESXi servers are stored. Encrypting the files here will render VMs unusable.

If it cannot find this folder, however, the ransomware exits.

BlackBasta ransomware uses ChaCha20, a cryptographic algorithm known for its speed, to encrypt files. This is run in parallel with multithreading to make encryption faster, further avoid detection, and increase ransomware throughput.

Once files are encrypted, the extension .basta is appended at the end of all affected files. BlackBasta also drops the ransom note, readme.txt, which contains a unique ID and a URL to a chat support channel accessible only using Tor.

Contents of the readme.txt ransom note dropped in every subfolder in volumes. (Source: Uptycs)

A section of the ransom note reads:

    Your data are stolen and encrypted
    The data will be published on TOR website if you do not pay the ransom
    You can contact us and decrypt one file for free on this TOR site
    (you should download and install TOR browser first https://torproject.org)
    {URL redacted}

**Protect your Linux ESXi VM against ransomware attacks**

Vincent Bariteau, Threat Intelligence Support Analyst at Malwarebytes, recommends organizations follow these best practices to protect their Linux servers against ransomware attacks if they’re using ESXi VM:

*   Harden the SSH (Secure Shell) access to allow only a specific user to use it.
*   Disable SSH if it’s not needed, or only make it available from a specific network/IP address via a firewall configuration.
*   Ensure that you are following VMWare’s general security recommendations for ESXi.

Organizations also have the option of using a free, open-sourced tool called Lynis, which is an auditing tool.

BlackBasta is the latest ransomware to target ESXi virtual machines on Linux

Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems.
Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite.

Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems.

Dubbed **Symbiote** by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a parasite.

The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa.

"Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infects running processes rather than using a standalone executable file to inflict damage."

It achieves this by leveraging a native Linux feature called LD\_PRELOAD — a method previously employed by malware such as Pro-Ocean and Facefish — so as to be loaded by the dynamic linker into all running processes and infect the host.

Besides hiding its presence on the file system, Symbiote is also capable of cloaking its network traffic by making use of the extended Berkeley Packet Filter (eBPF) feature. This is carried out by injecting itself into an inspection software's process and using BPF to filter out results that would uncover its activity.

Upon hijacking all running processes, Symbiote enables rootkit functionality to further hide evidence of its presence and provides a backdoor for the threat actor to log in to the machine and execute privileged commands. It has also been observed storing captured credentials encrypted in files masquerading as C header files.

This is not the first time a malware with similar capabilities has been spotted in the wild. In February 2014, ESET revealed a Linux backdoor called Ebury that's built to steal OpenSSH credentials and maintain access to a compromised server.

"Since the malware operates as a user-land level rootkit, detecting an infection may be difficult," the researchers concluded. "Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not 'infected' by userland rootkits."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Symbiote: A Stealthy Linux Malware Targeting Latin American Financial Sector

ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.

*   Product
*   Community
*   Partners
*   News
    **news***   Insights & Updates
        *   ownCloud News
    *   Forum
        *   ownCloud Central
    *   Events
        *   Upcoming Events
        *   Past Events / Recordings
    *   Social Media
        *   Facebook
        *   Twitter
        *   LinkedIn
    
    **Latest Posts**
    
    Whether it's files containing personal data (GDPR), intellectual property or sensitive corporate data from HR, finance or …
    
    Read more
    
    We recently released the beta for Infinite Scale. And, there's more: The alpha releases of the desktop …
    
    Read more
    
*   Pricing

*   Risk: medium
*   CVSS v3 Base Score: 5.7
*   CVSS v3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
*   CWE ID: CWE-212
*   CWE Name: Improper Removal of Sensitive Information Before Storage or Transfer
*   CVE: CVE-2022-31649

**Description**

The settings page and some API responses of a few ownCloud apps contained plaintext credentials.

**Affected**

*   ownCloud server < 10.10.0

**Action taken**

Remove the sensitive values from the HTML and API responses.

Tag

#intel