The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.

The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It's also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.

BianLian, first discovered last July, hasn't deviated much from its initial tactic: deploying a custom go-based backdoor once it infiltrates a network. The functionality of the malware essentially remains the same except for a few tweaks, researchers from Redacted said in a blog post published today.

However, the swiftness with which the group's command-and-control server (C2) deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.

"BianLian has discovered that they don't need to actually encrypt victim networks to get paid," Adam Flatley, vice president of intelligence at Redacted, says.

This shift to focus on data-leak extortion is "extremely dangerous," because it allows the group to take the time and effort to tailor the threats to specific victims and exert more pressure to pay ransoms, he adds.

"BianLian will have an even stronger pressure position on trying to force their victims to not work with the FBI, to not report the incident, and just pay the ransom and move on," Flatley says.

BianLian's motivation for changing its encryption strategy is likely a response to Avast's release of an encryption tool for organizations that have been targets of the group to unlock their files, the researchers noted.

Given that BianLian has used double-extortion methods from the outset — threatening to release a victim organization's stolen data online if a ransom wasn't paid by a certain deadline — the group decided to skip the encryption step and go right to extortion, according to Redacted.

**Maturing As a Cyberattack Business**

This shift is part of BianLian's overall evolution and maturation as a business, the researchers said. While from its inception the group has had "a high level of operational security and skill in network penetration," they now appear to be hitting their stride in terms of the actual business of running a cybercriminal extortion gang.

Indeed, moving away from the unique encryption method that it displayed in early attacks is a smart business move, Flatley says, particularly as an evasion tactic. Because data theft does not cause network nor business disruption, it calls less attention to BianLian's activity, "which means their operations can fly more under the radar," he says.

"When business services are disrupted, it's very hard to keep an event quiet because customers and business partners start to notice that services are down, for example," Flatley says.

Another thing the group has going for it to achieve success with this new strategy is a faster time to deploy a backdoor on a network once they've gained initial access, the researchers said. This speed is linked to BianLian's strong C2 server game, with the group bringing close to 30 new ones online each month, each with a typical lifetime of about two weeks, they said.

Once BianLian establishes a C2 connection to a victim network, it now deploys its backdoor in mere minutes — which means that by the time security administrators discover a BianLian C2, "it is highly likely that the group has already established a solid foothold into a victim's network," the researchers said.

While it's difficult to know how many victims BianLian has compromised, as of March 9, the group has detailed 116 victim organizations on its leak site, the researchers noted. Of those victims, healthcare organizations represent the single largest industry vertical victimized by the group — a shift from early attacks, which focused mainly on the media and entertainment sector.

**Shoring Up Cyber Defense Against Data Theft & Extortion**

With BianLian and other ransomware group's pivoting to pure extortion tactics, enterprises must also make changes to how they defend against these attacks, the researchers said.

"They will need to focus even more on techniques that can help them avoid having to pay the ransom in double-extortion scenarios," Flatley says.

Some of those techniques include a stronger prevention strategy against easily thwarted attacks, as well as quicker detection of "unpreventable" network intrusions, he says. This can be done by "following best practices on passwords and multifactor authentication, aggressively patching your systems in a prioritized and enforced regime, and providing security training for your employees," Flatley wrote in a blog post on how organizations can avoid paying a ransom.

Shoring up incident response as well as having a plan ahead of an attack to prepare for ransom demands can also help organizations avoid the worst outcome of extortion-based attacks, Flatley says.

As part of the former, Flatley notes in his post that organizations should ensure that they have good system backups, that those backups are secured effectively so an attacker can't access them, and that the restoration process is fully tested to ensure it works correctly.

BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion

Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with administrator privileges could potentially exploit this vulnerability to perform arbitrary code execution.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs** 

**CVE Description**

**More information**

CVE-2023-24571

Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with administrator privileges could potentially exploit this vulnerability to perform arbitrary code execution.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  
See NVD (http://nvd.nist.gov/) for individual scores for each CVE.  
 

**Proprietary Code CVEs** 

**CVE Description**

**More information**

CVE-2023-24571

Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with administrator privileges could potentially exploit this vulnerability to perform arbitrary code execution.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  
See NVD (http://nvd.nist.gov/) for individual scores for each CVE.  
 

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Product**

**BIOS Update Version**

**BIOS Release Date**

Embedded Box PC 3000

1.18.0

03/10/2023

**NOTE**: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**Product**

**BIOS Update Version**

**BIOS Release Date**

Embedded Box PC 3000

1.18.0

03/10/2023

**NOTE**: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**Keinoja ongelman kiertämiseen tai lieventämiseen**

None

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2023-03-15

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

15 maalisk. 2023

CVE-2023-24571: DSA-2023-046: Dell Client Platform Security Update for BIOS Vulnerabilities

Here is a cautionary tale of what happens if side-projects or sections of the website becomes obsolete. If you don't remove them, someone might hijack your subdomain.

Here is a cautionary tale of what happens if side-projects or sections of the website becomes obsolete. If you don't remove them, someone might hijack your subdomain.

Source: Ron Bull via Alamy Stock Photo

**Question: What are the risks of letting domains and subdomains expire? How do attackers hijack them?**

**Answers provided by Jossef Harush, head of software supply chain, Checkmarx:** It’s ridiculous how easy it is to find and take over an abandoned domain, says Harush.

Subdomain hijacking is a type of cyber-attack where an attacker takes control of a subdomain of a legitimate domain and uses it to host their malicious content or to launch further attacks.

Here is an example: CocoaPods is a popular dependency manager for iOS and MacOS projects used by developers to add third-party code to their applications. The company had a subdomain, _cdn2.cocoapods.org,_ which had been used years ago but was no longer in use. However, the DNS records for the subdomain still pointed to GitHub Pages, where presumably the pages for this subdomain had been hosted at one point.

Since this subdomain was no longer linked to a GitHub Pages project, attackers created their own project --a casino site -- and the existing DNS record meant users looking for that subdomain were directed to that fishy-looking site. This kind of subdomain hijacking works as long as the subdomain is unoccupied by another GitHub Pages project, Harush says.

When an organization no longer needs a subdomain or domain, it is not enough to take the relevant pages down. There needs to be an action item to delete the subdomain records from DNS. In short, the DNS entry needs to reflect the fact that _example.com_ and _a.example.com_ are still in use, but that _b.example.com_ is not.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How Do Attackers Hijack Old Domains and Subdomains?

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Wednesday, March 15, 2023 19:03

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.

Microsoft released a patch for the privilege escalation vulnerability on Tuesday as part of its monthly security update. Along with the patch, Microsoft released a security advisory detailing the targeted, but limited attacks they saw leveraging this particular vulnerability.

Microsoft subsequently assessed that the activity was associated with Russian based actors and used in limited, targeted attacks against a small number of organizations. The Computer Emergency Response Team of Ukraine first reported the vulnerability to Microsoft.

CVE-2023-23397 does not affect non-Windows versions of Outlook such as apps for Android, iOS, Mac, as well as Outlook on the web and other Microsoft 365 services. However, the CVSS attack complexity is rated “Low”. An attacker can exploit this vulnerability simply by sending the victim a specially crafted email. The vulnerability is triggered when the Outlook client retrieves and processes the message. According to Microsoft, “This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

As of Wednesday evening, Kenna Security scored CVE-2023-23397 with a risk score of 74 out of 100 — higher than 99 percent of all the vulnerabilities it has scored. However, the risk score is expected to rise once proof-of-concept exploit code becomes available.

Users should implement the patch as soon as possible. Additionally, Talos has released Snort rules 61478 and 61479, and Snort 3 signature 300464 to detect the exploitation of this vulnerability.

**Vulnerability details**

CVE-2023-23397 affects all Microsoft Outlook products on the Windows operating system. It is a critical escalation of privilege vulnerability via NTLM credential theft. Attackers can create a specially crafted email message, calendar invite, or task containing the extended MAPI property “PidLidReminderFileParameter.”

The “PidLidReminderFileParameter” property specifies the “filename of the sound that a client should play when the reminder for that object becomes overdue.” Inside the PidLidReminderFileParameter property, the attacker specifies a Universal Naming Convention (UNC) path to an SMB share controlled by the attacker. This leads a vulnerable system to send the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.

**Mitigations**

The ideal course of action to address this vulnerability is to install the patch provided by Microsoft. If, for some reason, your organization cannot apply this particular patch, Microsoft also provided a few mitigation options including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network. For full details, see the advisory linked above.

Microsoft also released a script intended to help administrators audit their Exchange server for messaging items (mail, calendar and tasks) that have a PidLidReminderFileParameter property populated with a Universal Naming Convention (UNC) path.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2023-23397  
SIDs:  
Snort 3: 300464  
Snort 2: 61478-61479

Threat Advisory: Microsoft Outlook privilege escalation vulnerability being exploited in the wild

Broken access control in Advanced Authentication versions prior to 6.4.1.1 and 6.3.7.2

March 2023

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes enhancements, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post or vote for the ideas of enhancement requests in the Ideas forum.

For more information about this release and the latest release notes, see the NetIQ Advanced Authentication Documentation page.

If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the NetIQ Advanced Authentication Documentation page.

**1.0 What’s New?**

Advanced Authentication 6.4 Service Pack 1 Patch 1 provides the following:

*   Enhancements
    
*   Security Improvement
    

**1.1 Enhancements**

Advanced Authentication 6.4 Service Pack 1 Patch 1 includes the following enhancements:

*   FIDO2 Improvements
    
*   Ability to Add Twilio Subaccounts in the SMS Sender Policy
    
*   An Option to Allow Third-Party Service Providers to Select the Chain for Any Client
    

**FIDO2 Improvements**

The following enhancements have been added to the FIDO2 method:

*   Ability to Enroll Resident Credentials
    
    The administrator can allow users to enroll the FIDO2 method and store the Resident Credentials (security key) on the FIDO2-compliant device (YubiKey). With Resident Credentials, users can experience seamless login without specifying their username and password.
    
*   Username-less Login Support
    
    Advanced Authentication extends the FIDO2 method to support the username-less authentication to the Web Authentication events. The enrolled FIDO2 card contains the username. When the user taps the card, the username is filled in the respective field automatically. To configure the username-less authentication, three options have been introduced in the FIDO2 method.
    
*   Ability to Disable the PIN Prompt
    
    Advanced Authentication facilitates the administrator to mandate or hide the PIN prompt when users enroll, test and authenticate with the FIDO2 method.
    
    For more information, see FIDO2 in the Advanced Authentication - Administration guide.
    

**Ability to Add Twilio Subaccounts in the SMS Sender Policy**

This release provides ability to add the subaccounts of Twilio Parent account. With subaccounts, you can add Country Codes based on the customer’s (SMS receivers) geographic location. The subaccounts distinguish the usage based on team, customer or product, and provides clear billing data. Also, allows resource (phone number) mapping.

For more information, see SMS Sender in the Advanced Authentication - Administration guide.

**An Option to Allow Third-Party Service Providers to Select the Chain for Any Client**

This release introduces the option in the policy to allow the third-party service providers to select a preferred chain for any client, such as Windows Client, Mac OS X Client, and Linux PAM Client workstation. Then, route users to the selected chain during authentication.

For more information, see Enabling the Client Chain Selection in the Advanced Authentication - Administration guide.

**1.2 Security Improvement**

Advanced Authentication 6.4 Service Pack 1 Patch 1 release addresses CVE-2023-24468.

**2.0 Resolved Issues**

This release includes the following software fixes:

Component

Description

Administration

When a user sets to in the policy, then the list in the does not display all the available chains.

Administration

On the , enrollment of the U2F method fails on the following browser:

*   Google Chrome
    
*   Microsoft Edge
    
*   Mozilla Firefox
    

Administration

The option is modified to in the policy.

Administration

The option is modified to in the method.

Smartphone

When a user tries to authenticate with the method, a prompt to specify the PIN (User Verification) is not displayed on the Android devices.

Smartphone

When a user attempts to authenticate with the NetIQ Advanced Authentication iOS smartphone application by using the facial recognition, the application does not identify the face and prompts the user to re-authenticate. Users are experiencing infinite authentication loop.

Smartphone

When a user sets the option to in the NetIQ Advanced Authentication iOS smartphone application settings for face recognition authentication. Later, the user is unable to set the option to .

Smartphone

When a user sets the smartphone language to Arabic, the NetIQ Advanced Authentication iOS smartphone application stops working.

Windows Client

While connecting to the remote desktop on the Windows Client, the Advanced Authentication Credential Provider does not display the chains that require Device Service for the elevated access.

**3.0 Upgrading**

You can directly upgrade to Advanced Authentication 6.4 Service Pack 1 Patch 1 from 6.4.1.

_NOTE:_The following is the recommended upgrade sequence:

1.  Advanced Authentication servers
    
2.  Plug-ins
    
3.  Client components
    
    Any change in the upgrade sequence is not supported.
    

_NOTE:_The RAM requirements of Advanced Authentication have been changed in 6.4 as follows:

*   Minimum: 8 GB per server.
    
*   Recommended: 12 GB per server
    

Before upgrading your Advanced Authentication cluster to 6.4, ensure that the environment complies with the new requirements.

For more information, see Advanced Authentication System Requirements.

**4.0 Known Issue**

Advanced Authentication 6.4 Service Pack 1 Patch 1 does not have any known issue.

**5.0 Contact Information**

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

**6.0 Legal Notice**

© Copyright 2023 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/en-us/legal.

CVE-2023-24468: Advanced Authentication 6.4 Service Pack 1 Patch 1 Release Notes

Patched earlier this month, a code-execution vulnerability is the latest FortiOS weakness to be exploited by attackers, who see the devices as well-placed targets for initial access operations.

In early March, a customer called in Fortinet's incident response team when multiple FortiGate security appliances stopped working, entering an error mode after the firmware failed an integrity self test.

It was a cyberattack, which led to the discovery of the latest vulnerability in Fortinet devices, a medium severity but highly exploitable bug (CVE-2022-41328) that allows a privileged attacker to read and write files. The threat group, which Fortinet labeled as an "advanced actor," appeared to be targeting government agencies or government-related organizations, the company stated in a recent analysis of the attack.

Yet the incident also shows that attackers are giving Fortinet devices significant attention. And the attack surface is wide: So far this year, 60 vulnerabilities in Fortinet products have been assigned CVEs and published in the National Vulnerability Database, double the rate at which flaws were disclosed in Fortinet devices in the previous peak year, 2021. Plenty are critical, too: Earlier this month, Fortinet revealed that a critical buffer underwrite vulnerability in FortiOS and FortiProxy (CVE-2023-25610) could allow a remote unauthenticated attacker to run any code on a variety of appliances.

Interest is high, as well. In November, for example, one security firm warned that a cybercriminal group was selling access to compromise FortiOS devices on a Russian Dark Web forum. But whether the vulnerabilities have spurred attention, or vice versa, is moot, says David Maynor, senior director of threat intelligence at Cybrary, a security training firm.

"Attackers smell blood in the water," he says. "The number and frequency of remotely exploitable vulnerabilities over the last two years has increased at a breakneck speed. If there is a nation-state group that isn't integrating Fortinet exploits, they are slouching on the job."

Like other network security appliances, Fortinet devices inhabit the critical point between the Internet and internal networks or applications, making them a valuable target to compromise for attackers looking for a foothold into corporate networks, the research team from threat intelligence firm GreyNoise Research said in an email interview with Dark Reading.

"A large majority of Fortinet devices are edge devices, and as a result are commonly Internet facing," the team said. "This is true of all edge devices. If an attacker is going to go through the effort of an exploitation campaign the volume of edge devices make\[s\] for a valuable target."

The researchers also warned that Fortinet is not likely alone in the crosshairs of attackers.

"All edge devices from any vendors will have vulnerabilities sooner or later," GreyNoise Research said.

**Fortinet Attack Detailed**

Fortinet described the attack on its customers' devices in some detail in its advisory. The attackers had used the vulnerability to modify the device firmware and add a new firmware file. The attackers gained access to the FortiGate devices via the FortiManager software and modified the devices' start-up script to maintain persistence.

The malicious firmware could have allowed for data exfiltration, the reading and writing of files, or given the attacker a remote shell, depending on the command the software received from the command-and-control (C2) server, Fortinet stated. More than a half dozen other files were modified as well.

The incident analysis, however, lacked several critical pieces of information, such as how the attackers gained privileged access to the FortiManager software and the date of the attack, among other details. 

When contacted, the company issued a statement in response to an interview request: "We published a PSIRT advisory (FG-IR-22-369) on March 7 that details recommended next steps regarding CVE-2022-41328," the company said. "As part of our ongoing commitment to the security of our customers, Fortinet shared additional detail and analysis in the March 9 blog post and continue to advise customers to follow the guidance provided."

Overall, by finding and disclosing the vulnerability, and publishing an analysis of their incident response, Fortinet is doing the right things, the GreyNoise Research team told Dark Reading.

"They published a detailed analysis two days later including an executive summary, as well as a massive \[number\] of accurate details about the nature of the vulnerability and the activity of the attacker, providing defenders \[with\] actionable intelligence," the team stated. "Fortinet chose to clearly, timely, and accurately communicate about this vulnerability."

Cyberattackers Continue Assault Against Fortinet Devices

The new malware was discovered targeting three banks in Brazil.

Another Android banking Trojan with the capability to make instant unauthorized money transfers is targeting Brazilian banks as part of a growing trend among threat actors to exploit a new automated payment system in Latin America.

The new GoatRAT — like BraxDex, Senomorphy, and PixPirate before it — steals the Pix key of the mobile devices it targets to make instant payments from compromised accounts, researchers from Cyble revealed in a blog post. Attackers behind GoatRAT use that key to access the Pix payment platform, created and operated by the Brazil Central Bank for users to make instant mobile payments across Latin America using a variety of banks.

So far, the Cyble researchers have observed the RAT — which they said was created first as an Android remote administration tool to take control over victims' devices — targeting three Brazilian banks: NUBank, Banco Inter, and PagBank.

Making automated transfers appears to be the sole aim of the Trojan, which unlike similar malware doesn't include the ability to steal authentication codes or incoming SMS messages, according to the findings.

The malware is part of a growing trend by threat actors over the last six months to create more sophisticated banking malware that includes an automatic transfer system (ATS) framework, "allowing attackers to conduct unauthorized money transfers on infected devices," the Cyble researchers wrote.

"This new variant highlights that in the current technological landscape, there is an elevated risk of cyber attacks that do not require multiple permissions or many banking trojan functionalities to execute financial fraud," the report said.

Indeed, mobile banking Trojan deployment overall is on the rise, with nearly 200,000 new variants of this malware emerging in 2022, according to Kaspersky's "Mobile Threats in 2022" report. This number represents a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.

**How GoatRAT Makes Instant Transfers**

GoatRAT typically uses a four-step process to perform automated transfers once it infects a user's device. The researchers outlined the system used specifically for the Banco Inter mobile banking application; however, the Trojan also has incorporated similar functions to carry out automatic transfers for the other banking applications, such as NUBank and PagBank, that it targets, they said.

GoatRAT first abuses the Accessibility Service on an Android device to verify that the name of the active package matches one of a list of targeted application package names, and then deploys a further infection.

Once the targeted app is identified, the malware creates a fake banking overlay window that appears above the legitimate application to hide its malicious activity from the victim. This and another covert process allow the Trojan to enter an amount of money to transfer as well as the device's Pix key into the legitimate banking app without alerting the victim, the researchers said.

The malware also introduces an automatic clicking mechanism for the “Confirm” and “Pay” buttons of the legitimate banking app to complete the instant money transfer. Once this transfer is complete, it removes the overlay window from the top of the legitimate banking app and the malicious process is concluded.

**Defending Against ATS Trojans**

Researchers made several security recommendations that go along with typical best practices for downloading and using mobile applications to keep devices free of infection from Trojans and other malware that not only can steal funds but also spread to enterprise networks through connected devices.

Mobile device users should only download and install software from official app stores like Google Play Store or the iOS App Store, and use a reputed antivirus and Internet security software package on all connected devices, including not only mobile but also on PCs and laptops, the researchers advised.

They also recommended users never share details for payment cards with untrusted sources and use strong passwords and enforce multifactor authentication (MFA) on mobile devices wherever possible. Further, implementing biometric security features such as fingerprint or facial recognition for unlocking their mobile devices wherever possible, is key, the researchers said.

Other commonsense security rules that researchers advised but which users often ignore are to keep devices, operating systems, and apps updated, and avoid opening links received via SMS or emails delivered to mobile devices. Users should take care when enabling any permissions on devices, and ensure that Google Play Protect is enabled on Android devices, the Cyble researchers added.

GoatRAT Android Banking Trojan Targets Mobile Automated Payment System

Red Hat Security Advisory 2023-1202-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:1202-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1202  
Issue date:        2023-03-14  
CVE Names:         CVE-2022-3564 CVE-2022-4269 CVE-2022-4378   
                   CVE-2022-4379 CVE-2023-0179 CVE-2023-0266   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: use-after-free caused by l2cap_reassemble_sdu() in  
net/bluetooth/l2cap_core.c (CVE-2022-3564)

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading  
to remote Denial of Service attack (CVE-2022-4379)

* kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan  
(CVE-2023-0179)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
(CVE-2022-4269)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* RHEL9:[P10] With Guest Secure Boot and lockdown enabled, DLPAR operations  
can't be done (Rainier) (BZ#2107480)

* [RHEL 9.0] LTP Test failure and crash at fork14 on Sapphire Rapids  
Platinum 8280+ (BZ#2133084)

* RHEL9.0 - boot: Add secure boot trailer (BZ#2151529)

* 'date' command shows wrong time in nested KVM s390x guest (BZ#2158816)

* Kernel FIPS-140-3 requirements - part 3 - AES-XTS (BZ#2160176)

* RHEL 9.0.0 soft quota cannot exceed more the 5 warns which breaks timer  
functionality (BZ#2164263)

* In FIPS mode, the kernel should reject SHA-224, SHA-384, SHA-512-224, and  
SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after  
2023-05-16 (BZ#2165131)

* [RHEL 9] FIPS: deadlock between PID 1 and "modprobe  
crypto-jitterentropy_rng" at boot, preventing system to boot. (BZ#2167762)

Enhancement(s):

* [Intel 9.2 FEAT] [SPR] CPU: AMX: Improve the init_fpstate setup code  
(BZ#2168383)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2150272 - CVE-2022-4269 kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c  
2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
2152807 - CVE-2022-4379 kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote Denial of Service attack  
2161713 - CVE-2023-0179 kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.49.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
kernel-5.14.0-70.49.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.49.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.49.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.49.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.49.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.49.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2022-4379  
https://access.redhat.com/security/cve/CVE-2023-0179  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBCPddzjgjWX9erEAQiUYA//eHB1lFUQOziIVT+e7Eveh/CxB+oBYKQd  
qahqIC8RGCNzfhKszn/E76Pp9nCmuajBUWStb6f07R+vwQaGe/cQ2SS8Zfhj7Fo0  
MS5bW3udIWqqSIoSD6zHKQn8rouFzsJ2PuP1nomV3w7C+/nWk8G2y7ulWvuRIQxw  
anWwsA2FI3m/ymDkqDhwF/zF4cfosOvd/XARC6PL0+uyJHigp4egLr6XBqlY9Gh6  
P36zjfZdTyZ8MfqgFj7K4wEOr41HLaIPEeelPSmsOj+rx4IsXm+T5wu20oFoSVwr  
E9RX72wKxAblHUvVlCMBIGLeATbfO2XmqU1392+WUFysTjGTPib836+STh2PPK+p  
c6NA/rr90g59PFyTpdHCR54GZLjTrOPYNDiinvXDFiyTbkwWIZq5Qm1LoVOSUuUi  
DA+NpnB09Kglx1taqnknbt0o1G+0nkcblajZhC0LnqcqMBUfI1rQvedT7JOGlJhy  
a7W9JgIaFc5qTh1MR2dhBEbxAwbxVJaaFUmD3HASCfxJviED915IOdOM+SjkLKS1  
RPW2SmxZ8lWk46GyQLN/xHIsAL4ucntjP9SMLhwM+KDTjDRYgEjqiVUvgMgYNn7o  
miFyM1PT3sALFo2EGb+AyqXHlW8MyI0dJtEv5EV2PMegCDCf54ISQiUlMY4EKcFJ  
IwHZx9iW7VY=  
=yYLi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1202-01

Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild.
Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks.
The

Patch Tuesday / Software Update

Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild.

Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks.

The two vulnerabilities that have come under active attack include a Microsoft Outlook privilege escalation flaw (CVE-2023-23397, CVSS score: 9.8) and a Windows SmartScreen security feature bypass (CVE-2023-24880, CVSS score: 5.1).

CVE-2023-23397 is "triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server," Microsoft said in a standalone advisory.

A threat actor could leverage this flaw by sending a specially crafted email, activating it automatically when it is retrieved and processed by the Outlook client for Windows. As a result, this could lead to exploitation without requiring any user interaction and before even the message is viewed in the Preview Pane.

Microsoft credited the Computer Emergency Response Team of Ukraine (CERT-UA) with reporting the flaw, adding it is aware of "limited targeted attacks" mounted by a Russia-based threat actor against government, transportation, energy, and military sectors in Europe.

CVE-2023-24880, on the other hand, concerns a security bypass flaw that could be exploited to evade Mark-of-the-Web (MotW) protections when opening untrusted files downloaded from the internet.

It is also the consequence of a narrow patch released by Microsoft to resolve another SmartScreen bypass bug (CVE-2022-44698, CVSS score: 5.4) that came to light last year and which was exploited by financially motivated actors to deliver Magniber ransomware.

"Vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants," Google Threat Analysis Group (TAG) researcher Benoit Sevens said in a report.

"Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug."

TAG said it observed over 100,000 downloads of malicious MSI files signed with malformed Authenticode signature since January 2023, thereby permitting the adversary to distribute Magniber ransomware without raising any security warnings. A majority of those downloads have been associated with users in Europe.

The disclosure also comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two flaws to the Known Exploited Vulnerabilities (KEV) catalog and announced a new pilot program that aims to warn critical infrastructure entities about "vulnerabilities commonly associated with known ransomware exploitation."

Also closed out by Microsoft are a number of critical remote code execution flaws impacting HTTP Protocol Stack (CVE-2023-23392, CVSS score: 9.8), Internet Control Message Protocol (CVE-2023-23415, CVSS score: 9.8), and Remote Procedure Call Runtime (CVE-2023-21708, CVSS score: 9.8).

Other notable mentions include patches for four privilege escalation bugs identified in the Windows Kernel, 10 remote code execution flaws affecting Microsoft PostScript and PCL6 Class Printer Driver, and a WebView2 spoofing vulnerability in the Edge browser.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Elsewhere, Microsoft also closed out two information disclosure flaws in Microsoft OneDrive for Android, one spoofing vulnerability in Office for Android, one security bypass bug in Microsoft OneDrive for iOS, and one privilege escalation issue in OneDrive for macOS.

Rounding off the list are patches for two high-severity vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference library specification (CVE-2023-1017 and CVE-2023-1018, CVSS scores: 8.8) that could lead to information disclosure or privilege escalation.

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Aruba Networks
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   IBM
*   Jenkins
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall
*   Sophos
*   Synology
*   Trend Micro
*   Veeam
*   Zoho, and
*   Zoom

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Rolls Out Patches for 80 New Security Flaws — Two Under Active Attack

Categories: Exploits and vulnerabilities
Categories: News
Tags: patch Tuesday

Tags:  March

Tags:  2023

Tags:  Microsoft

Tags:  Adobe

Tags:  Fortinet

Tags:  Android

Tags:  SAP

Tags:  CVE-2023-23397

Tags:  CVE-2023-24880

Tags:  CVE-2023-26360

Tags:  CVE-2022-41328

This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one.



(Read more...)




The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.

Posted: March 15, 2023 by

Microsoft, and other vendors, have released their monthly updates. In total Microsoft has fixed a total of 101 vulnerabilities for several titles (including Edge), with two of them being actively exploited zero-days. On top of that, Adobe has fixed an actively exploited vulnerability in ColdFusion.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the actively exploited vulnerabilities patched in these updates are:

**CVE-2023-23397**: a critical **Microsoft Outlook** Elevation of Privilege (EoP) vulnerability. External attackers could send specially crafted emails to cause a connection from the victim to an external UNC location of attackers' control. This would leak the Net-NTLMv2 hash of the victim to the attacker who could then relay this to another service and authenticate as the victim. The mail would be triggered automatically when retrieved and processed by the Outlook client, which could result in exploitation even before the email is viewed in the Preview Pane.

This means this vulnerability could be used to obtain a hashed token, which could then be used in a so-called “pass-the-hash” attack.  Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then returns the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that mathematical operation required to gain access. The authentication process does not require the plaintext password. The hash is enough.

**CVE-2023-24880**: a moderate **Windows SmartScreen** Security Feature Bypass vulnerability. An attacker could craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. Reportedly, this vulnerability was used in ransomware related attacks.

MOTW, the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet makes another comeback. The MOTW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a Restricted Zone. When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. And, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3, which means that the file was downloaded from the internet, the SmartScreen does a reputation check.

**CVE-2023-26360**: classified as a priority 1 vulnerability in **Adobe ColdFusion** due to critical deserialization of untrusted data. This flaw can lead to arbitrary code execution, making it a high-priority target for attackers.

Adobe says it is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.

Adobe recommends updating your ColdFusion versions 2021 and 2018 JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide
*   ColdFusion 2021 Lockdown Guide

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

*   **Adobe** has released security updates to address vulnerabilities in other products. Commerce APSB23-17, Experience Manager APSB23-18, Illustrator APSB23-19, Dimension APSB23-20, Creative Cloud Desktop Application APSB23-21, Substance 3D Stager APSB23-22, and Photoshop APSB23-23.

*   **Fortinet** published its March 2023 security advisories which address a high-severity security vulnerability (CVE-2022-41328) in FortiOS, that allowed threat actors to execute unauthorized code or commands.

*   **SAP** has released security updates for 19 vulnerabilities, five of which were rated as critical.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

Tag

#ios