Gentoo Linux Security Advisory 202407-27 - Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 12.42 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-27  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: ExifTool: Multiple vulnerabilities  
     Date: July 24, 2024  
     Bugs: #785667, #791397, #803317, #832033  
       ID: 202407-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in ExifTool, the worst of  
which could lead to arbitrary code execution.

Background  
==========

ExifTool is a platform-independent Perl library plus a command-line  
application for reading, writing and editing meta information in a wide  
variety of files.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-libs/exiftool  < 12.42       >= 12.42

Description  
===========

Multiple vulnerabilities have been discovered in ExifTool. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All ExifTool users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/exiftool-12.42"

References  
==========

[ 1 ] CVE-2021-22204  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22204  
[ 2 ] CVE-2022-23935  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23935

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-27

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-27

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

**SIM Wisuda 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

SIM Wisuda version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 7fed84c74a95aca63927ebf377895e9a07606b145886012809d45f932101a348

Download | Favorite | View

**SIM Wisuda 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : SIM Wisuda v1.0 IDOR Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://academic.uii.ac.id/wisuda/                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /login/apps/?menu=Lulusan[+] https://www/127.0.0.1/wisuda.uika-bogor.ac.id/login/apps/?menu=LulusanGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

SIM Wisuda 1.0 Insecure Direct Object Reference

Gentoo Linux Security Advisory 202407-26 - A vulnerability has been discovered in Dmidecode, which can lead to privilege escalation. Versions greater than or equal to 3.5 are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202407-26- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal    Title: Dmidecode: Privilege Escalation     Date: July 24, 2024     Bugs: #905093       ID: 202407-26- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis========A vulnerability has been discovered in Dmidecode, which can lead toprivilege escalation.Background==========Dmidecode reports information about your system's hardware as describedin your system BIOS according to the SMBIOS/DMI standard (see a sampleoutput). This information typically includes system manufacturer, modelname, serial number, BIOS version, asset tag as well as a lot of otherdetails of varying level of interest and reliability depending on themanufacturer. This will often include usage status for the CPU sockets,expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and thelist of I/O ports (e.g. serial, parallel, USB).Affected packages=================Package             Vulnerable    Unaffected------------------  ------------  ------------sys-apps/dmidecode  < 3.5         >= 3.5Description===========Dmidecode -dump-bin can overwrite a local file. This has securityrelevance because, for example, execution of Dmidecode via sudo isplausible.Impact======Please review the referenced CVE identifier for details.Workaround==========There is no known workaround at this time.Resolution==========All Dmidecode users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=sys-apps/dmidecode-3.5"References==========[ 1 ] CVE-2023-30630      https://nvd.nist.gov/vuln/detail/CVE-2023-30630Availability============This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202407-26Concerns?=========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License=======Copyright 2024 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-26

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

Posted Jul 24, 2024

Authored by indoushka

Webdenim AppUI version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 3418251e6b23a29fe38369d103a67d4c4c7e084f78a767a8b4660ce397493457

Download | Favorite | View

**Webdenim AppUI 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Webdenim AppUI v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codentheme.com/item/appui-free-responsive-html-vuejs-angularjs-admin-dashboard/                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/listandrelaxcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,109)
*   Arbitrary (16,828)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,779)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,997)
*   Encryption (2,389)
*   Exploit (53,065)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,167)
*   Local (14,774)
*   Magazine (586)
*   Overflow (13,149)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,613)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,271)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,588)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,900)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,505)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,383)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,686)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Webdenim AppUI 1.0 Insecure Direct Object Reference

Red Hat Security Advisory 2024-4757-03 - An update for libvirt is now available for Red Hat Enterprise Linux 9. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4757.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libvirt security updateAdvisory ID:        RHSA-2024:4757-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4757Issue date:         2024-07-23Revision:           03CVE Names:          CVE-2024-4418====================================================================Summary: An update for libvirt is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) offers a full virtualization solution forLinux on numerous hardware platforms. The virt:rhel module contains packageswhich provide user-space components used to run virtual machines using KVM.The packages also provide APIs for managing and interacting with the virtualized systems.Security Fix(es):* libvirt: stack use-after-free in virNetClientIOEventLoop() (CVE-2024-4418)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4418References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2278616

Red Hat Security Advisory 2024-4757-03

Cybersecurity researchers have spotted a 3,000-account network on GitHub that is manipulating the platform and spreading ransomware and info stealers.

A secretive network of around 3,000 “ghost” accounts on GitHub has quietly been manipulating pages on the code-hosting website to promote malware and phishing links, according to new research seen by WIRED.

Since at least June last year, according to researchers at cybersecurity company Check Point, a cybercriminal they dubbed “Stargazer Goblin” has been hosting malicious code repositories on the Microsoft-owned platform. GitHub is the world’s largest open-source code website, hosting millions of developers' work. As well as uploading malicious repositories, Stargazer Goblin has been boosting the pages by using GitHub’s own community tools.

Antonis Terefos, a malware reverse engineer at Check Point who discovered the nefarious behavior, says the persona behind the network uses their false accounts to “star,” “fork,” and “watch” the malicious pages. These actions—which are loosely similar to liking, sharing, and subscribing, respectively—help make the pages appear popular and genuine. The more stars, the more realistic a page looks. “The malicious repositories appeared really legitimate,” Terefos says.

“The way he has developed it is really smart, taking advantage of how GitHub operates,” Terefos says of the person behind the persona. While cybercriminals have been abusing GitHub for years, uploading malicious code and adapting legitimate repositories, Terefos says he has not previously seen a network of fake accounts operating in this way on the platform. The buying and selling of repositories and starring is coordinated on a cybercrime-linked Telegram channel and criminal marketplaces. WIRED previously reported on other GitHub black markets.

The Stargazers Ghost Network, which Check Point named after one of the first accounts they spotted, has been spreading malicious GitHub repositories that offer downloads of social media, gaming, and cryptocurrency tools. For instance, pages might be claiming to provide code to run a VPN or license a version of Adobe's Photoshop. These are mostly targeting Windows users, the research says, and aim to capitalize on people potentially searching for free software online.

The operator behind the network charges other hackers to use their services, which Check Point call “distribution as a service.” The harmful network has been spotted sharing various types of ransomware and info-stealer malware, Check Point says, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer. Terefos says he discovered the network while researching instances of the Atlantida Stealer. The researcher says the network could be bigger than he expects, as he has also seen legitimate GitHub accounts being taken over using stolen login details.

“We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” says Alexis Wales, vice president of security operations at GitHub. “We have teams dedicated to detecting, analyzing, and removing content and accounts that violate these policies.”

GitHub has more than 100 million users who have contributed over 420 million repositories on the platform. Given the breadth of the platform, it’s unsurprising that cybercriminals and hackers are attempting to abuse it. In recent years, researchers have been mapping instances of fake stars, spotting dangerous code hidden in projects, facing growing supply-chain attacks against open source software, and seeing comments being used to spread malware.

The Stargazer Goblin threat actor identified by Check Point sells their services through ads on cybercrime forums and also through a Telegram account. A posts on a Russian-language cybercrime forum advertises 100 stars for $10 and 500 for $50 and says they can provide clones of existing repositories and trusted accounts. “For GitHub, the process looks organic,” one translated post says. The Check Point research says the network could have started operating as early as August 2022 and may have made as much as $100,000—from mid-May to mid-June this year, they estimate the operator made around $8,000.

Terefos says, in some instances, he has seen a legitimate code repository being changed by the threat actor, potentially using stolen credentials, and turned into a malicious one. If legitimate users fork a malicious repository, it has the potential to spread the code, Terefos says. The reverse malware engineer adds that he has automated the search for accounts linked to the network and is able to identify them based on common features, such as repositories using similar templates and tags. Some of the repositories seen by WIRED use variations on "instagram-follower" and "youtube-views" tags, with the names changed based on the software the page alleges to offer.

“Users of GitHub, and especially inexperienced users, can easily download malicious code, which can often be the result of fictitious reviews and starring,” says Jake Moore, global cybersecurity adviser at security firm Eset. “Telltale signs of malicious code on GitHub could also be unexpected or suspicious code changes, code that accesses external resources, and specific hard-coded credentials or API keys.”

Terefos says the activity of the network—staring and watching pages—is likely automated, as he saw repositories being acted upon in quick succession. “I don't think they're clicking, doing like manual work.” For GitHub, Terefos says, it may be difficult to identify this activity, as the behavior of the accounts is intended to look like a genuine GitHub user. Wales, from GitHub, says the company uses a combination of manual reviews and “at-scale detections” that use machine learning to identify suspicious activity

The Check Point engineer also says he identified one YouTube “ghost” account that was sharing malicious links via video, indicating that the network could be more encompassing. “I think this is not the whole picture,” Terefos says.

A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub

A former Google engineer has built a search engine, webXray, that aims to find illicit online data collection and tracking—with the goal of becoming “the Henry Ford of tech lawsuits.”

This is, incidentally, how he plans to fund the operation—the basic version of webXray will be available to all, but Libert will offer a specialized tier for litigators, regulators, and businesses looking to keep their digital presences compliant with the law. He will also offer consulting services and serve as an expert witness in lawsuits.

I gave the keys to the site to digital rights activist Cory Doctorow, who took a quick look under the hood, and gave the idea a thumbs up. “I think the way to go here is class action,” Doctorow says, noting that this could lead to a trove of class action lawsuits against big tech companies. “So long as this is just exposing the API calls that produces evidence that Google is getting data that it doesn’t have lawful consent to receive or hold, this is the right move. I think it’s really a smoking gun,” he says.

Libert, for his part, concurs. “Yeah, I wanna be the Henry Ford of tech lawsuits—turn this into a factory assembly line.”

He’s already started. Three months after leaving Google, Libert served as an expert witness in a trial, testifying that websites were allegedly leaking data in violation of the law—against Google. His former employer tried to have him disqualified, arguing, somewhat ironically, that he knew too much. On Google’s policy and internal standards team, the company’s court records say, “Dr. Libert became the go-to person for all things related to cookies.” (On Monday, a judge dismissed that lawsuit, pending appeal.)

“When I did that first lawsuit, and used webXray for that, they lost it,” Libert says of Google’s reaction. “When you look at those legal filings, there’s one thing that’s driving that—fear. They’re afraid of this data being available, because they know it affects the bottom line. And it scares them.”

“One of the tragedies of Google is they used to lead by example in a positive way, and I think especially in the past three to five years, they’re not leading by positive example, they’re systematically leading by negative example,” Libert says. “And I think that’s burning down the web—the most powerful company doing things like recommending you put glue on your pizza. It’s not just that _a website_ is doing that, it’s that _the_ website, _the_ advertising platform is doing that, and that was part of my frustration.”

Google of course disagrees with this characterization of its tools and operations. “We design and build our products with strong security and privacy protections, including easy-to-use controls for managing and deleting data,” Bryant, the company spokesperson, says. “When it comes to advertising, Google was the first company to build a tool that lets people see and adjust their ads settings and even opt out of personalized ads entirely.”

Despite Libert’s gloomy view of the current state of online privacy, he is actually an optimist. He believes webXray will help speed up a shift to a better, more private, more secure web—the path to which Google and the other tech giants are currently blocking. And it’s no coincidence, perhaps, that there’s been an exodus from Google’s privacy teams in the last few months: The announcement of Keith Enright, Google’s privacy chief, exiting the company came in June, and the position “will not be replaced.” Libert says his colleagues are getting fired en masse. To Libert, it seems that Google is deprioritizing privacy at the very moment when users are calling for stronger policies.

“The problem we had 10 to 15 years ago is that there weren’t any laws. Now lots of countries have passed laws—the vast majority of people on the planet are protected by data privacy laws, but enforcement hasn’t caught up,” he says. “It’s going to catch up. I think we can speed it up.” Because people _want_ privacy; it’s that simple. It’s why he imagines law offices, government offices, and businesses turning to his new search engine to help root out the scourge of privacy violations across the web.

It’s why, perhaps, webXray’s tagline is simple and idealistic: “Privacy is inevitable.”

I guess we’ll find out.

_Updated 7/24/2024, 1:50 pm: Clarified the launch date of webXray, which was officially released publicly on Wednesday._

This Machine Exposes Privacy Violations

Relive some of the major cybersecurity incidents and events that have shaped Talos over the past 10 years.

Wednesday, July 24, 2024 06:00

A lot has happened in Talos’ 10 years of existence. And to celebrate our birthday, we wanted to look back on some of the major moments in Talos’ history. Here’s an overview of some of the major events, cyber attacks, research breakthroughs and more that truly make Talos _Talos_. We hope this walk down memory lane inspires good times reminiscing, provides lessons learned from cyber attacks past, or PTSD from those late nights — whether you worked at Talos or not.

*   **2001:** Martin Roesch, the creator of Snort, founds Sourcefire.
*   **July 2013:** Cisco Systems announces an agreement to buy Sourcefire for $2.7 billion.
*   **April 2014:** Stakeholders from Sourcefire, Cisco Threat Research, Analysis and Communications (TRAC), and Security Applications (SecApps) start meeting to discuss the formation of Talos — including what the name would be!
*   **August 2014:** Talos is formally launched at the BlackHat cybersecurity conference.
*   **March 2015:** Talos publishes breaking research on the POSeidon point-of-sale malware, one of the first major coordinated cyber attacks found under the Talos banner.
*   **Oct. 2015:** Talos helped to shut down the Angler exploit kit by shutting down access for customers by updating Cisco products to stop redirects to the Angler proxy servers, and releasing new Snort rules to detect and block checks from the exploit kit. At the time, we estimated that Angler was targeting more than 90,000 users a day and generating $30 million annually.     
*   **May 2017:** WannaCry, which to this day is one of the largest ransomware attacks ever, hits several notable victims, including FedEx and the National Health Service in the U.K. Attackers exploited the NSA-created EternalBlue exploit.

*   **May 2017:** The first-ever episode of Beers with Talos goes live.
*   **June 2017:** EternalBlue pops up again, this time with the Nyetya ransomware attack. The attackers primarily deployed the malware via a fake update to the Ukrainian-made MeDoc tax software.
*   **June 2017:** A team of Talosians comes first in the Fake News Challenge after creating a tool that uses advanced machine learning and artificial intelligence technology to detect fake headlines and misleading “facts.”
*   **Feb. 2018:** Talos’ discovered samples of malware used to disrupt various technologies at the Olympic Games in Japan, including ticket-taking operations during the Opening Ceremony. OlympicDestroyer would have ripple effects for months as we tried to figure out who exactly was (or wasn’t) behind the attack.
*   **May 2018:** Talos publishes our findings on VPNFilter, a massive malware campaign from Russian state-sponsored actors. At the time of publishing, we estimated that VPNFilter affected more than 500,000 internet-connected devices.

*   **Nov. 2018:** DNSpionage, a previously undiscovered malware, makes headlines for targeting a Lebanese airline and companies in the United Arab Emirates. Adversaries set up fake job application phishing pages hoping to infect targets with malicious Microsoft Word applications.
*   **Feb. 2019:** Talos releases our 3-D printed model of an oil pumpjack into the wild to demonstrate how an attacker could overload it if it exploits the human-machine interface the pump relies on.

*   **Oct. 2019:** Cisco Talos Incident Response is officially launched. Merging Incident Response from Cisco’s CX organization with Talos’ threat intelligence, Talos IR offers proactive and reactive assistance to customers around the world.
*   **May 2020:** Talos’ Vulnerability Research team takes part in the Microsoft Azure Sphere Research Challenge, eventually discovering 16 security vulnerabilities in the popular application platform. Talos was one of only a handful of teams selected for the challenge. Specifically, a vulnerability the team discovered made headlines for potentially allowing an adversary to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context.
*   **Nov. 2020:** The infamous “pig couch” goes viral after a fake Craigslist ad for it spreads on social media. This somehow ended up with the Snort Twitter account also going viral, and Marty Roesch making it into The New York Times.

Via Craigslist

*   **Dec. 2020:** Capping off a string of major supply chain attacks, adversaries compromise the legitimate SolarWinds Orion IT management software to deploy malware via a fake software update.
*   **Jan. 2021:** Snort 3, the first major release for Snort in more than a decade, goes open-source.
*   **Dec. 2021:** Just days before the winter holidays, the internet nearly catches on fire with the infamous Log4shell vulnerability in Log4j.

*   **Feb. 2022:** The Russian military launches an offensive assault against Ukraine. Talos immediately responds to assist Ukraine, capitalizing on yearslong partnerships to help keep critical infrastructure online and users protected from a barrage of cyber attacks. We would also assist Talos teammates in staying protected, supporting them in moving to other countries.
*   **May 2022:** ClamAV, Sourcefire’s original anti-virus detection solution, turns 20 (and will finally go 1.0 a few months later!)
*   **April 2023:** Cisco and Talos help to launch the Network Resilience Coalition, a group of technology companies working to ensure users and companies upgrade and update their network infrastructure. The effort was launched after the discovery of JaguarTooth, a massive campaign targeting unpatched wireless routers.
*   **May 2023:** Talos enters the world of private sector offensive actors (PSOAs) by disclosing new technical details about the Predator spyware and its creator, Intellexa. Spyware from these so-called “mercenary groups” is still spreading, often being used to target potentially sensitive users like journalists, activists and politicians.
*   **December 2023:** Talos discloses the details of Project PowerUp, a cross-team effort to help protect Ukraine’s power grid and the GPS positioning it relies on. Spearheaded by Joe Marshall, the multi-national, multi-company global team of power grid security practitioners, who had never worked together before, built a device to help Ukraine keep the lights on.

*   **March 2024:** Talos releases SnortML, a machine learning-based detection engine for the Snort Intrusion prevention system.
*   **August 2024:** Talos celebrates its 10th anniversary — cheers to many more!

A (somewhat) complete timeline of Talos’ history

Cybersecurity firm CrowdStrike on Wednesday blamed an issue in its validation system for causing millions of Windows devices to crash as part of a widespread outage late last week.
"On Friday, July 19, 2024 at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows sensor to gather telemetry on possible novel threat techniques," the company

Software Update / IT Outage

Cybersecurity firm CrowdStrike on Wednesday blamed an issue in its validation system for causing millions of Windows devices to crash as part of a widespread outage late last week.

"On Friday, July 19, 2024 at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows sensor to gather telemetry on possible novel threat techniques," the company said in its Preliminary Post Incident Review (PIR).

"These updates are a regular part of the dynamic protection mechanisms of the Falcon platform. The problematic Rapid Response Content configuration update resulted in a Windows system crash."

The incident impacted Windows hosts running sensor version 7.11 and above that was online between July 19, 2024, 04:09 UTC and 05:27 UTC and received the update. Apple macOS and Linux systems were not affected.

CrowdStrike said it delivers security content configuration updates in two ways, one via Sensor Content that's shipped with Falcon Sensor and another through Rapid Response Content that allows it to flag novel threats using various behavioral pattern-matching techniques.

The crash is said to have been the result of a Rapid Response Content update containing a previously undetected error. It's worth noting that such updates are delivered in the form of Template Instances corresponding to specific behaviors – that are mapped to specific Template Types – for enabling new telemetry and detection.

The Template Instances, in turn, are created using a Content Configuration System, after which they are deployed to the sensor over the cloud through a mechanism dubbed Channel Files, which are ultimately written to disk on the Windows machine. The system also encompasses a Content Validator component that carries out validation checks on the content before it is published.

"Rapid Response Content provides visibility and detections on the sensor without requiring sensor code changes," it explained.

"This capability is used by threat detection engineers to gather telemetry, identify indicators of adversary behavior and perform detections and preventions. Rapid Response Content is behavioral heuristics, separate and distinct from CrowdStrike's on-sensor AI prevention and detection capabilities."

These updates are then parsed by the Falcon sensor's Content Interpreter, which then facilitates the Sensor Detection Engine to detect or prevent malicious activity.

While each new Template Type is stress tested for different parameters like resource utilization and performance impact, the root cause of the problem, per CrowdStrike, could be traced back to the rollout of the Interprocess Communication (IPC) Template Type on February 28, 2024, that was introduced to flag attacks that named pipes.

The timeline of events is as follows -

*   **February 28, 2024** - CrowdStrike releases sensor 7.11 to customers with new IPC Template Type
*   **March 5, 2024** - The IPC Template Type passes the stress test and is validated for use
*   **March 5, 2024** - The IPC Template Instance is released to production via Channel File 291
*   **April 8 - 24, 2024** - Three more IPC Template Instances are deployed in production
*   **July 19, 2024** - Two additional IPC Template Instances are deployed, one of which passes validation despite having problematic content data

"Based on the testing performed before the initial deployment of the Template Type (on March 05, 2024), trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production," CrowdStrike said.

"When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSoD)."

In response to the sweeping disruptions caused by the crash and preventing them from happening again, the Texas-based company said it has improved its testing processes and enhanced its error handling mechanism in the Content Interpreter. It's also planning to implement a staggered deployment strategy for Rapid Response Content.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CrowdStrike Explains Friday Incident Crashing Millions of Windows Devices

A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).
The high-severity

Malvertising / Threat Intelligence

A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.

Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).

The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024.

"Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file," security researcher Cara Lin said. "The LNK file then downloads an executable file containing an \[HTML Application\] script."

The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in turn, either leads to the deployment of Meduza Stealer or Hijack Loader, which subsequently launches ACR Stealer or Lumma.

ACR Stealer, assessed to be an evolved version of the GrMsk Stealer, was advertised in late March 2024 by a threat actor named SheldIO on the Russian-language underground forum RAMP.

"This ACR stealer hides its \[command-and-control\] with a dead drop resolver (DDR) technique on the Steam community website," Lin said, calling out its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.

It's worth noting that recent Lumma Stealer attacks have also been observed utilizing the same technique, making it easier for the adversaries to change the C2 domains at any time and render the infrastructure more resilient, according to the AhnLab Security Intelligence Center (ASEC).

The disclosure comes as CrowdStrike has revealed that threat actors are leveraging last week's outage to distribute a previously undocumented information stealer called Daolpu, making it the latest example of the ongoing fallout stemming from the faulty update that has crippled millions of Windows devices.

The attack involves the use of a macro-laced Microsoft Word document that masquerades as a Microsoft recovery manual listing legitimate instructions issued by the Windows maker to resolve the issue, leveraging it as a decoy to activate the infection process.

The DOCM file, when opened, runs the macro to retrieve a second-stage DLL file from a remote that's decoded to launch Daolpu, a stealer malware equipped to harvest credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

It also follows the emergence of new stealer malware families such as Braodo and DeerStealer, even as cyber criminals are exploiting malvertising techniques promoting legitimate software such as Microsoft Teams to deploy Atomic Stealer.

"As cyber criminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines," Malwarebytes researcher Jérôme Segura said. "Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites)."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac