Red Hat Security Advisory 2022-1645-01 - Twisted is a networking engine written in Python, supporting numerous protocols. It contains a web server, numerous chat clients, chat servers, mail servers and more. Issues addressed include a HTTP request smuggling vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 16.2 (python-twisted) security update  
Advisory ID:       RHSA-2022:1645-02  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1645  
Issue date:        2022-04-28  
CVE Names:         CVE-2022-24801  
====================================================================  
1. Summary:

An update for python-twisted is now available for Red Hat OpenStack  
Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - ppc64le, x86_64

3. Description:

Twisted is a networking engine written in Python, supporting numerous  
protocols. It contains a web server, numerous chat clients, chat servers,  
mail servers and more.

Security Fix(es):

* possible http request smuggling (CVE-2022-24801)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2073114 - CVE-2022-24801 python-twisted: possible http request smuggling

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:  
python-twisted-16.4.1-20.el8ost.src.rpm

ppc64le:  
python-twisted-debugsource-16.4.1-20.el8ost.ppc64le.rpm  
python3-twisted-16.4.1-20.el8ost.ppc64le.rpm  
python3-twisted-debuginfo-16.4.1-20.el8ost.ppc64le.rpm

x86_64:  
python-twisted-debugsource-16.4.1-20.el8ost.x86_64.rpm  
python3-twisted-16.4.1-20.el8ost.x86_64.rpm  
python3-twisted-debuginfo-16.4.1-20.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24801  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYmu7FNzjgjWX9erEAQhxtQ//UlvSrTbA7tD0YMy0oiex2Uvbjgl586PE  
t7A2LB0Q6wPQeA+42j6aoty6/inusb+h0ob11gukM9akZDEZUt36aqQpBZxNBULI  
kI+8k0RjpR3bp/BjylcwE9hrYfNvHqBsZrS/4llZH/YE2NOYUs2YQaRo2Lh2oFGw  
iCgjXk2SxE3NFGwrjsgAd87tq+hLmaIkjNLNGTKNYyy94mWMSyVJidTbYzoGt+1T  
kwFf9aUYiIz4RnBFavWOCoqGInV64jzKQSuCDij5htbNG9t9Vjvntv5u0HCjF/Ot  
DXKzzk4WlWc+P5bMNLkWnIKZJcXdr9pgMdZBWwzy35zG3YHvGMTuBdJicMkq8hTP  
jdu2zhb1d2EQKiWPwAOdCZzySBI4myyJBTHxZKj6fQ5CIWLJzes0SIbVNAebac+p  
0aMOjQ+M1GOE1O9wxhn+Daqo4AkdDWRvfQk554JNIQCwtfmPL23rfThZzze+I08f  
HI/zrToHbMvXNwiOSf9eM8SzpoeIP92cq2P9OULP3tLxggq/4S8RbaDn/jiakUQk  
OnMaqJzJn///xdwpM6iKtGo6v3X9/+rIAkXpIivUI0t4Tbk6n6HmZQRrwjZT5i4t  
KBFTqncZagZlIa0yD87wJcwcxgoAdZ6vJUoUqhk+8oLh5kh3P00bZyDlt/71RYvd  
DTSkkumsGJUjP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-1645-01

Plus: Microsoft patched some 100 flaws, while Oracle issued more than 500 security fixes.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Oracle’s April 2022 Critical Patch Update

In mid-April, Oracle released its quarterly Critical Patch Update, including a whopping 520 security fixes. Some of the issues fixed in the update are serious—300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical severity. Some of the Oracle patches address CVE-2022-22965, aka Spring4Shell, a remote code execution (RCE) flaw in the spring framework.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

WordPress Plugin Elementor Version 3.6.3 

The Elementor website builder plug-in for WordPress has received a big security fix in April for a critical-rated vulnerability that could allow attackers to perform remote code execution and effectively take over a website.

Found by researchers at Plugin Vulnerabilities, the flaw was introduced in the plug-in in version 3.6.0, released on March 22. “We would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers said.

Although the attacker must be authenticated to exploit the issue, it’s still pretty serious because anyone logged into an affected website can exploit it. The update for Elementor’s 5 million users, version 3.6.3, should be applied as soon as possible.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   This startup wants to watch your brain
*   The artful, subdued translations of modern pop
*   Netflix doesn't need a password-sharing crackdown
*   How to revamp your workflow with block scheduling
*   The end of astronauts—and the rise of robots
*   👁️ Explore AI like never before with our new database
*   ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

You Need to Update iOS, Android, and Chrome Right Now

Beyond accusations of rampant user copyright infringement, film companies have begun accusing VPNs of enabling a slew of more serious illegal activity.

A group of over two dozen film studios has repeatedly taken popular VPN providers to court, sometimes extracting judgements worth millions of dollars in damages. While piracy remains the central issue, recent legal arguments employed by Hollywood studios have surpassed accusations of copyright infringement and delved into dirtier waters.

Filmmakers attempting to recoup revenue lost to piracy have long alleged that VPN companies both encourage online privacy and have clear-cut evidence that their customers are abusing the privacy and security provided by virtual private networks. But court records show that studios’ legal teams have also accused VPN providers of enabling illegal activity far beyond copyright infringement and, legal experts say, are challenging the notion that VPNs should exist at all.

In March, 26 film companies brought allegations against ExpressVPN and Private Internet Access (PIA), popular “no-log” VPN companies owned by Kape Technologies. The plaintiffs include production companies like Millennium, Voltage, and others behind a slate of popular films. The lawsuit centers on allegations of user privacy. However, court documents reviewed by WIRED reveal plaintiffs arguing that these VPN providers refuse to prevent users from using their services to commit serious illegal acts and run marketing campaigns that openly “boast” that law enforcement is unable to extract any information about their users.

Generally speaking, VPNs give users greater privacy protections by encrypting their online activity and rerouting it through the company’s servers, concealing their IP addresses. Many VPN providers, including ExpressVPN and PIA, claim to maintain “no logs” of their users’ internet activities. This means VPN providers can’t access data to turn over to police or comply with copyright infringement claims. Similar to arguments against comprehensive encryption, the film companies paint VPN providers as culpable in any crimes committed while using their services.

“Emboldened by Defendants’ promises that their identities cannot be disclosed, Defendants’ end users use their VPN services not only to engage in widespread movie piracy, but other outrageous criminal conduct such as harassment, illegal hacking and murder,” reads the lawsuit, filed in US District Court in Colorado. “When these crimes become public, Defendants use these tragic incidents as opportunities to boast about their VPN services.”

The VPN companies responded in court filings that the “inflammatory topics” plaintiffs evoked are irrelevant to copyright infringement. Allegations as far afield as “hacking, stalking, bomb threats, political assassinations, child pornography, and anonymous online message board posts full of hate speech and appearing to encourage violence and murder” are a ploy to portray the VPNs in “a cruelly derogatory light," argue the VPNs’ legal teams.

Beyond vague examples of heinous crimes, the court filing mentions an Express VPN subscriber admitting to downloading child sexual abuse material (CSAM). The film companies also call out the personal political views or activities of those employed by the VPN companies. Specifically, they focus on Rick Falkvinge, who’s known for his political views and arguments that CSAM should be legal. Falkvinge is PIA’s Head of Privacy and creator of the political Pirate Party. He has repeatedly advocated for reforms to copyright laws, calling “copying and sharing” a “natural right.”

PIA’s attorney argues that these allegations must be stricken from the case because they are completely irrelevant and “serve only to inflame emotions in a misguided attempt to prejudice the Court and the public against the defendants by false association with the non-parties whose conduct is described in these paragraphs.”

ExpressVPN and PIA further denied these allegations in statements to WIRED. An ExpressVPN spokesperson also emphasized that the “operation of ExpressVPN’s service has not been changed or otherwise impacted in any way relevant to the parties’ dispute.”

PIA maintained that this litigation jeopardizes user privacy and that it will therefore keep fighting in court. “We assert that the use of VPNs is a legitimate way to protect one’s online privacy—a fundamental human right, which is increasingly in jeopardy of infringement,” the company said.

Legal counsel representing the movie studios did not respond to WIRED’s request for comment.

While Hollywood has waged legal battles around the globe for years, its fights against the VPN industry in the US ramped up last year. VPN company TorGuard, for example, landed in legal hot water with the same group of plaintiffs who successfully forced the VPN provider into blocking BitTorrent traffic for its US users. And in October 2021, VPN.ht also “settled” with these filmmakers, agreeing to not only block BitTorrent but also to log traffic on its US servers. Hollywood studios have also taken providers like Surfshark, VPN Unlimited, and Zenmate to court.

Film company Voltage, which is among the group of companies regularly suing VPN providers, goes a step further, mailing letters to internet customers demanding fines for alleged piracy and threatening them with legal action.

In March 2021, some of the same production companies suing ExpressVPN and PIA also sued no-log VPN provider LiquidVPN for “encouraging and facilitating” piracy. Later, the film companies demanded $10 million in damages from the company. A judge issued a default judgment against LiquidVPN this March, ordering it to pay the studios $14 million.

That lawsuit largely centered around LiquidVPN’s fiery marketing practices and claimed that the VPN is “optimized for torrenting” and lets you “unblock ISP banned streams.” These tactics, the studios argued, encouraged illicit use of the service by those willing to bypass legal restrictions around accessing online content. They might be right.

According to the Electronic Frontier Foundation (EFF), an internet civil liberties group, Hollywood’s demands are “extreme and not supported by law.” But VPNs are also treading into dangerous territory through their marketing tactics.

“The studios argued that a VPN provider _and its hosting company_ should have had a legal responsibility to monitor what their customers were doing with the service, to see if copyright infringement was going on,” says Mitch Stoltz, a senior staff attorney at EFF. “Not only is that not the law, it would undermine the whole purpose of a VPN service, which is to protect people’s internet communications against eavesdropping.” 

Stoltz warns, however, that bold marketing language used by VPNs, such as LiquidVPN’s “optimized for torrenting” claim, can very well be considered “inducement” in a legal context and incur liability for copyright infringement. Fearing the possibility of heavy monetary damages, VPN providers may instead choose to shut down some of their services or settle out of court.

“In contrast, a VPN that doesn’t advertise or encourage infringing uses generally won’t be liable in court even if some users do infringe,” says Stoltz. “That’s an important legal protection for VPN providers, who provide an important service that would be undermined if they were faced with broad monitoring and blocking requirements.”

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Hollywood’s Fight Against VPNs Turns Ugly

Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection.

Press Releases | 24 March 2022

**HTML Injection vulnerability found in Turtl Notes, disclosed by Cyber Citadel researchers, could affect iOS and Android users**.

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed an HTML Injection vulnerability found in the Turtl Notes application, which could lead to a potential RCE and NTLMv2 hash disclosure via abusing the arbitrary URI schemes.

Turtl Notes user interface

**Turtl Notes**

Turtl Notes is a cross-platform application that focuses on note-taking collaboration. The online service provides users with a notebook sharing platform that allows notes to be organised easily, synchronised across devices, shared with other Turtl users and shared via email. The application has been downloaded 10,000+ times on Google Play and an unknown number of times from the Turtl’s website for Windows, OSX, Linux, Android and iOS.

While Turtl encrypts user data, with an impressive 2,048-bit key encryption system, and boasts the implementation of high-grade firewalls, that protect from DDoS attacks, the HTML Injection vulnerability, found by Rafay Baloch and Muhammad Samak, has exposed a critical flaw in Turtl’s software.

Turtl remote code execution POC

Evidence of Turtle RCE vulnerability

Evidence of Turtle RCE vulnerability

**Response from Vendors**

Vendor

Service

Version

Platform

Reported Date

Fixed

CVE

Turtl

Turtl Notes

0.7.2.6

Windows, Mac, Linux, Android

11/12/2021

N/A

Processing

CVE-2022-28101: HTML Injection Leading to RCE in Turtl - Cyber Citadel

GitHub shared the timeline of breaches in April 2022, this timeline encompasses the information related to when a threat actor gained access and stole private repositories belonging to dozens of organizations.

GitHub shared the timeline of breaches in April 2022, this timeline encompasses the information related to when a threat actor gained access and stole private repositories belonging to dozens of organizations.

GitHub revealed details tied to last week’s incident where hackers, using stolen OAuth tokens, downloaded data from private repositories.

“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats,” said Mike Hanley, chief security officer, GitHub.

The OAuth (Open Authorization) is an open standard authorization framework or protocol for token-based authorization on the internet. It enables the end-user account information to be used by third-party services, such as Facebook and Google.  

OAuth doesn’t share credentials instead uses the authorization token to prove identity and acts as an intermediary to approve one application interacting with another.

Incidents of stolen or found OAuth tokens commandeered by adversaries are not uncommon.

Microsoft suffered an OAuth flaw in December 2021, where applications (Portfolios, O365 Secure Score, and Microsoft Trust Service) were vulnerable to authentication issues that enables attackers to takeover Azure accounts. In order to abuse, the attacker first registers their malicious app in the OAuth provider framework with the redirection URL points to the phishing site. Then, the attacker would send the phishing email to their target with a URL for OAuth authorization.

****Analysis of The Attacker’s Behavior** **

GitHub analysis the incident include that the attackers authenticated to the GitHub API using the stolen OAuth tokens issued to accounts Heroku and Travis CI. It added, most most of those affected authorized Heroku or Travis CI OAuth apps in their GitHub accounts. Attacks were selective and attackers listed the private repositories of interest. Next, attackers proceeded to clone private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories,” Hanley said. “GitHub believes these attacks were highly targeted,” he added.

GitHub said it is in the process of sending the final notification to its customer who had either Travis CI or Heroku OAuth apps integrated into their GitHub accounts.

****Initial Detection of The Malicious Activity****

GitHub began the investigation into the stolen tokens on April 12, when the GitHub Security first identified unauthorized access to the NPM (Node Package Management) production infrastructure using a compromised AWS API key. These API keys were acquired by attackers when they downloaded a set of private NPM repositories using stolen OAuth token.

The NPM is a tool used to download or publish node packages via the npm package registry.

The OAuth token access is revoked by Travis CI, Heroku, and GitHub after discovering the attack, and the affected organizations are advised to monitor the audit logs and user account security logs for malicious activity.

Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Attacker Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens

Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021.

That's according to a "Top Routinely Exploited Vulnerabilities" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand

Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021.

That's according to a "Top Routinely Exploited Vulnerabilities" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.

Other frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server (CVE-2020-0688), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure (CVE-2019-11510), and a path traversal defect in Fortinet FortiOS and FortiProxy (CVE-2018-13379).

Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.

"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities," the agencies said in a joint advisory.

"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors."

To mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

Emotet malware attacks are back after a 10-month “spring break” – with criminals behind the attack rested, tanned and ready to launch a new campaign strategy. That new approach includes more targeted phishing attacks, different from the previous spray-and-pray campaigns, according to new research.

Proofpoint analysts linked this activity to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a Tuesday report.

Emotet, once dubbed “the most dangerous malware in the world” is being leveraged in its most recent campaign to deliver ransomware. Those behind distributing the malware have been in law enforcement’s crosshairs for years.  In  January  2021, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”

The latest activity observed by researchers occurred while Emotet was on a “spring break.” Efforts were lowkey and likely an attempt to test new tactics without drawing attention. Now, researchers say TA542 has ramped up attacks to typical high-volume threat campaigns. “The threat actor has since resumed its typical activity,” Proofpoint said.

Cybersecurity researchers from AdvIntel, Crypolaemus confirmed Proofpoint’s observations, both observing the Emotet’s return after a 10-months gap. According to those researchers, attackers behind the malware have sent millions of phishing emails designed to infect the devices with malware and can be controlled by botnets.

> 2021-11-14: 🔥The "#Emotet partner ($) loader" program appears resorcing from existing #TrickBot infections.
> 
> 📌TrickBot launched what appears to be the newer Emotet loader.  
> 👇https://t.co/nVugStaAvE https://t.co/GHupFlENaQ
> 
> — Vitali Kremez (@VK\_Intel) November 15, 2021

****New Phase of Emotet****

In its report, Proofpoint researchers noted that this new testing of phishing emails could be the result of Microsoft’s actions to disable specific macros associated with Office apps in February 2022. At the time Microsoft said it was changing defaults for five Office apps that run macros.  This prevents attackers from targeting documents with automation services to execute the malware on victims’ systems.

According to cybersecurity researchers at Proofpoint, the new techniques observed in recent campaigns appeared to be tested on a smaller scale, as a test for potential be used for a larger campaign.

The new campaigns use compromised email accounts to send out spam-phishing emails with a one-word headline. Common terms in phishing attacks included “salary” are used to encourage users to click out of curiosity, found by the ProofPoint cybersecurity researchers.

The message body contains a OneDrive URL. This URL hosts Zip files containing Microsoft Excel Add-in (XLL) files with a similar name to the email subject line.

If these XLL files are opened and executed, Emotet will infect the machine with malware. Further, it can steal the information or create a backdoor for deploying other malwares to compromise the Windows system.

According to cybersecurity researchers at Proofpoint, the use of OneDrive URLs and XLL makes this campaign distinct from previous ones. Earlier Emotet attempted to spread itself via Microsoft Office attachments or phishing URLs. Those malicious payloads included Word and Excel documents containing Visual Basics for Applications (VBA) scripts or macros.

The attacks associated with this new campaign took place between April 4, 2022 and April 19, 2022, when other widespread Emotet campaigns were put on hold, researchers said.

“After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

“Organizations should be aware of the new techniques and ensure they are implementing defenses accordingly,” she added.

“Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable” DeGrippo explained.

In another development malware, authors patched the issue, which prevented potential victims from getting compromised upon clicking on the malicious email attachments.  

Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Emotet is Back From ‘Spring Break’ With New Nasty Tricks

Red Hat Security Advisory 2022-1546-01 - The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: polkit security update  
Advisory ID:       RHSA-2022:1546-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1546  
Issue date:        2022-04-26  
CVE Names:         CVE-2021-4115   
=====================================================================

1. Summary:

An update for polkit is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The polkit packages provide a component for controlling system-wide  
privileges. This component provides a uniform and organized way for  
non-privileged processes to communicate with privileged ones.

Security Fix(es):

* polkit: file descriptor leak allows an unprivileged user to cause a crash  
(CVE-2021-4115)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2007534 - CVE-2021-4115 polkit: file descriptor leak allows an unprivileged user to cause a crash

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
polkit-0.115-13.el8_5.2.src.rpm

aarch64:  
polkit-0.115-13.el8_5.2.aarch64.rpm  
polkit-debuginfo-0.115-13.el8_5.2.aarch64.rpm  
polkit-debugsource-0.115-13.el8_5.2.aarch64.rpm  
polkit-devel-0.115-13.el8_5.2.aarch64.rpm  
polkit-libs-0.115-13.el8_5.2.aarch64.rpm  
polkit-libs-debuginfo-0.115-13.el8_5.2.aarch64.rpm

noarch:  
polkit-docs-0.115-13.el8_5.2.noarch.rpm

ppc64le:  
polkit-0.115-13.el8_5.2.ppc64le.rpm  
polkit-debuginfo-0.115-13.el8_5.2.ppc64le.rpm  
polkit-debugsource-0.115-13.el8_5.2.ppc64le.rpm  
polkit-devel-0.115-13.el8_5.2.ppc64le.rpm  
polkit-libs-0.115-13.el8_5.2.ppc64le.rpm  
polkit-libs-debuginfo-0.115-13.el8_5.2.ppc64le.rpm

s390x:  
polkit-0.115-13.el8_5.2.s390x.rpm  
polkit-debuginfo-0.115-13.el8_5.2.s390x.rpm  
polkit-debugsource-0.115-13.el8_5.2.s390x.rpm  
polkit-devel-0.115-13.el8_5.2.s390x.rpm  
polkit-libs-0.115-13.el8_5.2.s390x.rpm  
polkit-libs-debuginfo-0.115-13.el8_5.2.s390x.rpm

x86_64:  
polkit-0.115-13.el8_5.2.x86_64.rpm  
polkit-debuginfo-0.115-13.el8_5.2.i686.rpm  
polkit-debuginfo-0.115-13.el8_5.2.x86_64.rpm  
polkit-debugsource-0.115-13.el8_5.2.i686.rpm  
polkit-debugsource-0.115-13.el8_5.2.x86_64.rpm  
polkit-devel-0.115-13.el8_5.2.i686.rpm  
polkit-devel-0.115-13.el8_5.2.x86_64.rpm  
polkit-libs-0.115-13.el8_5.2.i686.rpm  
polkit-libs-0.115-13.el8_5.2.x86_64.rpm  
polkit-libs-debuginfo-0.115-13.el8_5.2.i686.rpm  
polkit-libs-debuginfo-0.115-13.el8_5.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4115  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYmjDstzjgjWX9erEAQhoTg/9FUrtS4lsoCL5Gy1dcC1dhvJn0S4iOb+5  
djcCXm3UYIzG8nGvUq/wTzDmcWHgMBbTkyyiiX8b5oye7KET/MyCFuVb+1M9SbR9  
xq47m1xwdoMNk0OzXfL+jA5avFmXxaW/s5uedFKbEr4FQ+MCyJu0fpCJjFH93w1+  
QrFZXgm9XcNnUrRQZTr5DcT3XnA3dyp2U87cmr9GFUHsln0Xlmn7K8bmDy9jEPWJ  
2Fkiy/ttOokZy+bftzTvTF7lnXN3UQEGJu65ptDw4ttXb7alKo9R4tow/u+UcwC4  
Ks+PCfJXwTHWHwO3lN+qGJGlq/pXaopiH0DBVOI2OIKGRcsBT8ADyd/h7vOoKO70  
DreK+n8TdBsmQMKHx2zNQ5T3eGmZd/UyYdpv+IPVDWbEvS506aIOSRfk07KKiks9  
RcuRD/Ykum+0bPBmGPCJUK7pKdlPoBNnWVtkOEHGdNPdMs0dmUokir4rhb2Wt5s4  
Jy9jmdcbHBR3EfDYsd7a3BUadeNNQMWSKJEcP3lrUUPy+0CUWcEpAd7Saaqq2Jon  
ofRZ+1jlBXorHonkEuW+8YyAqE+AhjkYSEImw3yU8vekFjde4XA/p4I8KouAk8LR  
0cB/YY8/cbpuH1MjK/6CyeNMITiVdTsfkS2vhpyg0eULoDF6QRYZdhg4rnUzWkUW  
AWhxKLGHSWw=  
=BreN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-1546-01

IBM QRadar SIEM 7.3, 7.4, and 7.5 in some senarios may reveal authorized service tokens to other QRadar users. IBM X-Force ID: 210021

CVE-2021-38919: Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

Tag

#ios