Gentoo Linux Security Advisory 202407-25 - Multiple vulnerabilities have been discovered in Buildah, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.35.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-25  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Buildah: Multiple Vulnerabilities  
     Date: July 10, 2024  
     Bugs: #923650, #927499, #927502  
       ID: 202407-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Buildah, the worst of  
which could lead to privilege escalation.

Background  
==========

Buildah is a tool that facilitates building Open Container Initiative  
(OCI) container images

Affected packages  
=================

Package                 Vulnerable    Unaffected  
----------------------  ------------  ------------  
app-containers/buildah  < 1.35.3      >= 1.35.3

Description  
===========

Please review the referenced CVE identifiers for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Buildah users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-containers/buildah-1.35.3"

References  
==========

[ 1 ] CVE-2024-1753  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1753  
[ 2 ] CVE-2024-23651  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23651  
[ 3 ] CVE-2024-23652  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23652  
[ 4 ] CVE-2024-23653  
      https://nvd.nist.gov/vuln/detail/CVE-2024-23653  
[ 5 ] CVE-2024-24786  
      https://nvd.nist.gov/vuln/detail/CVE-2024-24786

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-25

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-25

Gentoo Linux Security Advisory 202407-24 - A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service. Versions greater than or equal to 7.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-24  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: HarfBuzz: Denial of Service  
     Date: July 10, 2024  
     Bugs: #905310  
       ID: 202407-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in HarfBuzz, which can lead to a  
denial of service.

Background  
==========

HarfBuzz is an OpenType text shaping engine.

Affected packages  
=================

Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-libs/harfbuzz  < 7.1.0       >= 7.1.0

Description  
===========

Multiple vulnerabilities have been discovered in HarfBuzz. Please review  
the CVE identifiers referenced below for details.

Impact  
======

hb-ot-layout-gsubgpos.hh in HarfBuzz allows attackers to trigger O(n^2)  
growth via consecutive marks during the process of looking back for base  
glyphs when attaching marks.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All HarfBuzz users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-7.1.0"

References  
==========

[ 1 ] CVE-2023-22006  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22006  
[ 2 ] CVE-2023-22036  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22036  
[ 3 ] CVE-2023-22041  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22041  
[ 4 ] CVE-2023-22044  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22044  
[ 5 ] CVE-2023-22045  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22045  
[ 6 ] CVE-2023-22049  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22049  
[ 7 ] CVE-2023-25193  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25193

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-24

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-24

Ubuntu Security Notice 6887-1 - Philippos Giavridis, Jacky Wei En Kung, Daniel Hugenroth, and Alastair Beresford discovered that the OpenSSH ObscureKeystrokeTiming feature did not work as expected. A remote attacker could possibly use this issue to determine timing information about keystrokes.

    ==========================================================================Ubuntu Security Notice USN-6887-1July 09, 2024openssh vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:OpenSSH could be made to expose timing information over the network.Software Description:- openssh: secure shell (SSH) for secure access to remote machinesDetails:Philippos Giavridis, Jacky Wei En Kung, Daniel Hugenroth, and AlastairBeresford discovered that the OpenSSH ObscureKeystrokeTiming feature didnot work as expected. A remote attacker could possibly use this issue todetermine timing information about keystrokes.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   openssh-client                  1:9.6p1-3ubuntu13.4   openssh-server                  1:9.6p1-3ubuntu13.4In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6887-1   CVE-2024-39894Package Information:   https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.4

Ubuntu Security Notice USN-6887-1

Red Hat Security Advisory 2024-4425-03 - An update for openstack-cinder, openstack-glance, and openstack-nova is now available for Red Hat OpenStack Platform 16.1.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4425.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: Red Hat OpenStack Platform 16.1.9 security updateAdvisory ID:        RHSA-2024:4425-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4425Issue date:         2024-07-09Revision:           03CVE Names:          CVE-2024-32498====================================================================Summary: An update for openstack-cinder, openstack-glance, and openstack-nova is now available for Red Hat OpenStack Platform 16.1 (Train).Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.Description:Cinder is the replacement of nova-volume in Folsom and beyond, use d forblock storage.OpenStack Image Service (code-named Glance) providesdiscovery,registration, and delivery services for virtual disk images. TheImage Service API server provides a standard REST interface for queryinginformation about virtual disk images stored in a variety of back-endstores, including OpenStack Object Storage. Clients can register newvirtual disk images with the Image Service, query for information onpublicly available disk images, and use the Image Service's client libraryfor streaming virtual disk images.OpenStack Compute (codename Nova) is open source software designedto provision and manage large networks of virtual machines,creating aredundant and scalable cloud computing platform. It gives you the software,control panels, and APIs required to orchestrate a cloud, including runninginstances, managing networks, and controlling access through users andprojects.OpenStack Compute strives to be both hardware and hypervisoragnostic, currently supporting a variety of standard hardwareconfigurations and seven major hypervisors.Security Fix(es):* malicious qcow2/vmdk images (2024-emu CVE-2024-32498)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32498References:https://access.redhat.com/security/updates/classification/#criticalhttps://bugzilla.redhat.com/show_bug.cgi?id=2278663

Red Hat Security Advisory 2024-4425-03

Red Hat Security Advisory 2024-4420-03 - An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.10.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4420.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: virt:rhel and virt-devel:rhel security updateAdvisory ID:        RHSA-2024:4420-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4420Issue date:         2024-07-09Revision:           03CVE Names:          CVE-2024-4467====================================================================Summary: An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.10Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) offers a full virtualization solution forLinux on numerous hardware platforms. The virt:rhel module contains packageswhich provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.Security Fix(es):* qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write (CVE-2024-4467)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4467References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2278875

Red Hat Security Advisory 2024-4420-03

Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments.

Wednesday, July 10, 2024 08:00

*   Cisco Talos has spotted several malicious email campaigns over the past few months that disguise JavaScript code within HTML email attachments, a technique commonly known as “HTML Smuggling.”
*   Cisco Talos has noticed that some industry verticals were targeted more than others by email threats using the HTML smuggling technique during the observed time window. For example, companies in the human resources, insurance and healthcare domains were targeted the most, while legal, supply chain and e-commerce companies were among those targeted the least. 
*   A wide range of evasion techniques has been identified from the senders of these emails, finding ways to get around email gateways and even more advanced detections. These techniques range from various encoding mechanisms to encryption and obfuscation. 
*   These adversaries use simple methods to increase their chances of success, like playing around with email attachments, as well as more advanced techniques by combining different evasion methods or employing a single evasion method multiple times. 
*   Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments. This may assist in creating automation to process and identify such emails for more effective long-term security measures. 

**Introduction to HTML smuggling **

HTML smuggling is a technique used by attackers to embed encoded or encrypted JavaScript code within HTML attachments or web pages. This technique has been used extensively in spear phishing email campaigns over the past few months. HTML smuggling is quite effective in bypassing perimeter security controls such as email gateways and web proxies for two main reasons: It abuses the legitimate features of HTML5 and JavaScript, and it leverages different forms of encoding and encryption. 

Threat actors start by sending one or more emails with URLs or HTML attachments to their targets. When the recipient clicks on the URL or opens the attachment, the browser decodes and runs all encoded JavaScript code automatically, which will eventually download and deliver the malware to the victim’s device, or alternatively, redirect the user to the final phishing page. In some cases, the code for the malware is embedded in the HTML attachment, and the JavaScript code simply reconstructs and runs it without needing additional downloads. 

**Reversing the HTML attachments **

Security researchers should continuously monitor changes in threat actors’ techniques and update their detection logic and/or processes to make sure customers stay protected. Reverse engineering tools could be helpful for several reasons because they help security analysts better understand attackers’ techniques, especially those that are used to help them stay under the radar. They could be used to update the logic in detection rules or feature extraction processes for more advanced detection solutions that rely on machine learning.  

By sharing the insights gained from reverse engineering with the broader cybersecurity community, organizations can contribute to collective threat intelligence efforts, helping others to prepare for and defend against similar attacks. 

CyberChef is a powerful open-source web application developed by Government Communications Headquarters (GCHQ) that facilitates the decoding and decryption of JavaScript code in HTML attachments. It provides a variety of modules (or functions) for decoding and decryption that can be combined to build up a “recipe.” These recipes can then be exported in different formats and loaded later to be used elsewhere. A snippet of an HTML attachment is shown below.  

A snippet of an HTML attachment with base64-encoded string within a script tag. 

This attachment contains an encoded string in JavaScript that can be decoded using a base64-decoding function. The URL is defanged to avoid being opened by the readers by mistake.  

An encoded string and its decoded equivalent using the “From Base64” function in CyberChef. 

Talos is releasing new recipes that security researchers can use to reverse encoded and/or encrypted JavaScript code in HTML attachments. Alternatively, these recipes could be integrated into automated feature extraction processes to improve the detection of emails containing HTML attachments. We will also share recipes that are not referenced in this blog post but have been used frequently to reverse HTML attachments. The combinations captured by these recipes show which evasion techniques threat actors use most often. 

**A dive into evasion techniques **

Talos has been closely monitoring email campaigns that leverage HTML smuggling over the past several months. Various evasion techniques have been identified, which threat actors use to bypass email gateways, ranging from different encoding mechanisms to encryption. In some instances, evasion techniques are chained together, but in others, a single method is employed multiple times to increase the challenge of detection. Additionally, obfuscation has been applied to the encoded JavaScript code to further complicate their detection. 

**Playing around with attachments **

Talos has witnessed various attempts by threat actors to manipulate email attachments to take advantage of software engineering oversights and evade detection systems. 

One common technique involves using alternative or similar file extensions for attachments to bypass message filtering mechanisms. For example, XHTML, an older and stricter version of HTML that follows XML syntax, has been frequently used in HTML smuggling. SHTML, an extension of HTML that allows for the inclusion of dynamic content, has also been used in the wild. 

Instead of using alternative file extensions, a frequent pattern has been identified where dots are added to the end of HTML file extensions (e.g., “html.”, “htm.”, “htm…”). This attempt aims to bypass email parsers that rely on the Content-Type header to determine the type of an email attachment. By adding at least one dot to the end of the file extension, the Content-Type of an email attachment changes from text/html to application/octet-stream (see the examples below). 

The Content-Type of the HTML attachment of an example email. 

The Content-Type of the ”htm.” attachment of an example email. 

In some cases, the attachment’s file extension is repeated multiple times, or the attachment lacks any file extension (see the examples below). We have also observed attempts to combine different file extensions (e.g., “.pdf.html” or “xls.html”), which may confuse the file type identification logic of the detection code. This can affect how files are passed to downstream modules for further assessment.

An example email with ”.html .html” file extension.

A snippet of the HTML attachment of the above email with JavaScript code. 

An example email with an HTML attachment that lacks the file extension.

A snippet of the HTML attachment of the above email with JavaScript code.

Other popular techniques frequently observed include enclosing HTML attachments in ZIP archives and attaching multiple similar HTML attachments to a single email. The latter method has been identified as an attempt to increase the chances of success. The following email provides an example in which multiple SHTML attachments with identical content have been attached to a spear phishing email. The goal of the threat actors is to offer multiple employment benefits and trick the victim into engaging with any one of them. The more attractive these benefits are to an employee, the higher the chance of success for the attackers.

A spearphishing example email with multiple SHTML attachments.

A snippet of the SHTML attachment of the above email with JavaScript code, and the decoded phishing URL.

**Obfuscation **

Code obfuscation is used extensively in HTML smuggling attacks to make their detection more challenging and expensive. One of the most popular techniques that is often applied to JavaScript code is identifier renaming, which changes the key identifiers of the code such as variable and function names to some meaningless strings. This technique is popular because it’s offered by most free and open-source obfuscators and doesn’t change the logic of the code. Two examples are provided below. In the first example, the phishing URL is an array of integers and is stored in an obfuscated variable, which is then decoded on the fly, followed by a “click” method that redirects the victim to the phishing page.

A spear phishing example email with obfuscated JavaScript within HTML attachment.

A snippet of the HTML attachment of the above email with JavaScript variables that are obfuscated via identifier renaming method, and the decoded phishing URL.

In the second example, the function name is also obfuscated. Here, an obfuscated string is initially decoded through a series of replacements. Subsequently, the decoded string is passed to the “eval” method, which executes it.

An example email with obfuscated JavaScript within HTML attachment.

A snippet of the HTML attachment of the above email with JavaScript variables and functions that are obfuscated via the identifier renaming method.

**Using a single evasion technique multiple times **

The following case provides an example in which one of our customers received an email with an "html." attachment in October 2023. In this instance, threat actors leveraged the base64 encoding method twice, a technique also known as double encoding, to evade detection systems that likely rely on single-stage decoding procedures before analyzing scripts. 

A spear phishing example email with an HTML attachment that contains double encoded JavaScript string variables.

The content of the HTML attachment is shown in the figure below. This attachment contains four hidden input fields. Hidden input fields are not visible on the webpage, but they can still hold values that are sent to the server when the form is submitted. Initially, the JavaScript code retrieves the values of these hidden input fields. It then uses the "substr" method to extract substrings from the values and concatenates them. Finally, two URLs are generated from these hidden fields on the fly (the values of the hidden fields and next variables can be decoded via this recipe: Base64\_Decode\_DecimalUnicode2String\_Base64\_Decode recipe). 

A snippet of the HTML attachment of the above email with double encoded JavaScript string variables.

The final phishing page (https\[:\]//dompr\[.\]arrogree\[.\]park/login.php), constructed on the fly and stored in the 'trc' variable, is automatically shown to the victim once the HTML page is fully loaded, using the 'onload' method. As soon as the user enters the credentials, the 'SFiegrt' method will send them to another remote server (https\[:\]//cpsvr\[.\]hiominsa\[.\]com/POST/genofcatch.php) using an asynchronous HTTP POST request.

A snippet of the HTML attachment of the above email with double-encoded JavaScript string variables and the decoded URLs.

**Chaining different evasion techniques**

Talos has observed continuous efforts to combine different encoding and/or encryption techniques in HTML attachments by email campaigns to evade detection. In addition, threat actors typically obfuscate the embedded JavaScript code to increase their chances of success.

In the example below, you can find an email with an "htm" attachment that was sent to one of our customers in December 2023.

A spear phishing example email with an HTML attachment that combines identifier renaming obfuscation, base64 encoding and Caesar encryption to bypass detection.

The embedded JavaScript code is shown in the figure below. This email was clearly tailored for a specific recipient (see the masked email address).

A snippet of the HTML attachment of the above email with obfuscated JavaScript variables and a base64-encoded string variable. 

The script block contains an obfuscated variable named '\_0x5da6a8' that holds a base64-encoded string. When decoded (via the Base64\_Decode\_2 recipe), it yields the main JavaScript code, which includes the final phishing URL and the de-obfuscation function. The de-obfuscation function takes the "link" string variable as input, iterates over its characters, converts each character to its Unicode equivalent, subtracts five from the decimal value of each character, converts the resulting decimal value back to a Unicode character, and converts the Unicode value back to a string. Under the hood, this function effectively replicates the functionality of a Caesar cipher decryption method (see the Caesar\_Decrypt recipe).

The decoded JavaScript code of the above base64-encoded string variable, the Caesar decryption function, and the phishing URL.

So, threat actors have used encoding, Caesar encryption and obfuscation altogether in this case to evade detection.

The example email below shows how threat actors have combined encoding and AES encryption in an HTML attachment to evade detection. 

A spear phishing example email with an HTML attachment that combines base64 encoding and AES encryption to bypass detection.

A snippet of the HTML attachment of the above email with a base64-encoded input field that is hidden.

As can be seen from the HTML attachment snippet, there is a base64-encoded string in this file. This string is first decoded using the 'atob' method (or the Base64\_Decode\_1 recipe). Once decoded, it yields a JSON string with four keys (a-d), as shown below. The value of the 'a' key is the encrypted string, which is decrypted on the fly. The values of the 'b' and 'd' keys are the passphrase and salt, respectively, for the PBKDF2 key derivation function used to create the decryption key. The value of the 'c' key is the Initialization Vector (IV) for the AES decryption function.  

The decoded JSON string is obtained from the encoded input field in the above HTML attachment. 

With the above values, the decryption key is derived on the fly (using the Derive\_Key\_PBKDF2 recipe). Then, with this key and the IV parameter, the value of 'a' is decrypted (using the Base64\_Decode\_AES\_CBC\_Decrypt recipe) to retrieve the URL, as shown below. Note that the inner URL is in HEX format (which can be decoded using the Hex\_Decode recipe).  

The final phishing URL is obtained from AES decryption.

Once this URL is created, a fetch request with a POST method is sent to it, with a JSON body containing "{ "lettuce": "friendliness" }". Then, the response from the fetch request is read as text. The text is decrypted again by calling the pea function, and finally, the second decrypted result is written to the document using "document.write", replacing all current content. The walkthrough above gives an idea of how threat actors combine different evasion techniques and how challenging it is for defenders to detect such threats.

**HTML smuggling in the wild **

The number of unique emails that used HTML smuggling between Oct. 1, 2023, and May 31, 2024.

The above chart indicates that we observed a peak in the number of emails leveraging this technique on Feb. 2, 2024, particularly those employing advanced encoding and obfuscation in their HTML attachments. The subsequent pie chart shows that our American customers were targeted significantly more than our European customers by email threats utilizing this technique. 

The percentage of emails that used HTML smuggling against customers in different geographical regions.

We noticed that some industry verticals were targeted more than others by email threats using the HTML smuggling technique during the observed time window. For example, companies in the human resources, insurance and healthcare domains were targeted the most, while legal, supply chain and e-commerce companies were among those targeted the least.

The number of convictions for email threats that used HTML smuggling across different industry verticals.

Our observation shows that the ".shtml" file extension, followed by ".htm" and ".html", were the most used in email threats that leveraged the HTML smuggling technique. The fourth and fifth most widely used file extensions were ".htm...." and ".xhtml". The other file extensions we found interesting included ".pdf.shtml", ".pdf.htm", and ".xlsx.html". We have identified these as potential techniques to exploit software engineering oversights and bypass detection mechanisms.

Top HTML attachment file extensions observed in email campaigns that used HTML smuggling.

**How to protect against email threats that use HTML Smuggling? **

As outlined earlier, HTML smuggling poses significant challenges to traditional security solutions and rule-based detection engines. The extensive deployment of encoding, encryption, and obfuscation renders the detection of emails utilizing this technique challenging, necessitating enhancements in various aspects of defense. Several of these areas are detailed below.

**Multi-layered defense **

Swiftly blocking an attack minimizes its potential impact on our customers' business operations. Thus, it is advantageous to neutralize threats at initial stages, such as at the email gateway and web filtering level. However, if a message passes through these perimeter security controls and lands in a user’s inbox, retrospective detections and endpoint protection controls should either detect these messages at later stages and pull them out of the user’s inbox or prevent the execution of such malicious JavaScript on the victim’s device. 

**Improved security engineering**

Despite typically having insufficient information about the architecture and inner workings of commercial security solutions, threat actors occasionally exploit software engineering oversights to bypass detection mechanisms. A notable instance of this is their manipulation of email attachments to evade scrutiny. Therefore, monitoring these evasion techniques and revising the code accordingly could improve the efficacy of existing detection engines significantly. Talos monitors changes in adversaries’ techniques precisely and makes sure our customers stay protected.  

**Advanced detection methods **

The HTML smuggling technique enables emails to effectively evade traditional perimeter security measures, including email gateways and presents significant detection challenges for rule-based systems. Consequently, the deployment of more sophisticated message processing and security solutions is imperative. Additionally, enhancing endpoint security measures to prevent the execution of such scripts on user devices is essential.  

Talos continuously monitors the changes in attackers' techniques and updates our detection capabilities to ensure our customers stay protected. Learn more about Cisco Security Email Threat Defense here.

**Indicators of compromise (IOCs)**

Indicators of compromise (IOCs) associated with this blog post can be found here.

Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling

The Problem
The “2024 Attack Intelligence Report” from the staff at Rapid7 [1] is a well-researched, well-written report that is worthy of careful study. Some key takeaways are: 

53% of the over 30 new vulnerabilities that were widely exploited in 2023 and at the start of 2024 were zero-days.
More mass compromise events arose from zero-day vulnerabilities than from n-day vulnerabilities.

****The Problem****

The "2024 Attack Intelligence Report" from the staff at Rapid7 \[1\] is a well-researched, well-written report that is worthy of careful study. Some key takeaways are:

1.  53% of the over 30 new vulnerabilities that were widely exploited in 2023 and at the start of 2024 were _zero-days_.
2.  More mass compromise events arose from zero-day vulnerabilities than from n-day vulnerabilities.
3.  Nearly a quarter of widespread attacks were zero-day attacks where a single adversary compromised dozens to hundreds of organizations simultaneously.
4.  Attackers are moving from initial access to exploitation in minutes or hours rather than days or weeks.

So the conventional patch and put strategy is as effective as a firetruck showing up after a building has burned to the ground! Of course, patch and put could prevent future attacks, but taking into account that patch development takes from days to weeks \[2\] and that the average time to apply critical patches is 16 days \[3\], devices are vulnerable for a long time after the zero-day has become public knowledge. This allows smaller actors to get their share of the meat, much like the vultures they are. In view of Rapid7's report, something different must be done to protect IoT and other vulnerable devices.

****How Firmware Comes To Be****

"Software Bills of Materials for IoT and OT devices" by IoTSF is another excellent read. I was surprised to learn that "Modern software is rarely created from scratch but rather it integrates a relatively small amount of new code with tens, hundreds, or even thousands of pre-existing components …". In the old days (circa 2015) we wrote our own firmware, but not anymore. Now, according to the authors, IoT firmware is assembled from mostly open source components that are riddled with vulnerabilities. This is not a step forward for device security!

According to the IoTSF authors, components bring in more components, each with more vulnerabilities. Also according to them, creating accurate SBOMs is difficult, and identifying all of the vulnerabilities in an SBOM is even more difficult. So security teams are faced with inadequate SBOMs and the task of deciding which vulnerabilities are exploitable, then fixing those vulnerabilities. According to other reports, the number of vulnerabilities and the complexity of IoT firmware are growing rapidly year by year. Keeping up with patches seems to be a hopeless treadmill. No wonder security teams are getting burned out.

****Chilling Exploits****

Zero-days are especially concerning because many state actors have inventories of them that are ready to be used as weapons \[4\]. We tend to think of exploits as data exfiltrations or ransomware attacks. However, these are not the whole story. In 2007 at Idaho National Laboratory it was decided to test if malware could damage a full-size electricity generator \[5\]. The malware controlled a relay that connected or disconnected the generator from the power grid. By exercising a sequence of connects and disconnects, the malware was able to cause the generator to destroy itself.

The result was not repairable damage, but rather scrap metal that could only be melted down to manufacture a new generator. The generator was destroyed in under a minute. Thus malware running on a tiny MCU was able to destroy a large machine. What if a bad actor could destroy 10% of the electricity generators in the U.S.? How long would it take to manufacture and install replacement generators? What would happen in the meantime?

****We Need a Better Solution****

We must recognize that patching and putting is not sufficient to deal with emerging new threats and the weaponized threats detailed above.

Isolating vulnerable firmware is the better solution. This is amply demonstrated by Green Hills's Integrity for aerospace, BlackBerry's QNX for automotive, and several "separation kernels" by other companies. However, the problem with these solutions is that they require power-hungry processors, and isolation is at the process level using memory management units (MMUs). IoT devices generally require low-power microcontrollers (MCUs), their firmware is normally comprised of but a single process and they are limited to memory protection units (MPUs). What is needed is more granular isolation (i.e. at the task level) that works for MCUs.

****We Have Such a Solution****

We have demonstrated that isolated partitioning is practical for Cortex-M based MCUs (which comprise about 80% of all MCUs in production). In addition, the _pmode barrier_ provided by this architecture provides additional protection for mission-critical and other trusted code. Such code needs only minimal modification for partitioning. The following figure illustrates the basics of Cortex-M partitioning and how it fits into the overall security picture:

As shown, mission-critical firmware, security firmware, and handler mode (hmode) firmware are protected by the pmode barrier and run in privileged mode (pmode) or hmode. Vulnerable application firmware, SOUP, and middleware are above the pmode barrier and run in unprivileged mode (umode). Firmware in umode can access pmode or hmode only via exceptions caused by faults or via the SVC exception, which is used for system service calls. The pmode barrier is enforced by hardware and thus it is impenetrable from umode.

As shown in the figure, umode firmware is divided into isolated partitions. If a hacker penetrates one umode partition, he cannot access data or code in other partitions. Communication between partitions is via portals, which preserve isolation. As a consequence a hacker may disable the functionality of one umode partition, but not others. In addition, pmode and umode code are doubly-protected by the pmode barrier. Thus the device is able to continue performing its primary functions and most secondary functions when attacked. During an attack, the breached partition can be stopped, the malware exorcised, and the partition rebooted to resume normal operation.

It should be noted that isolated partitioning is as effective against zero-days as it is against unpatched vulnerabilities. It doesn't matter how the attacker got into the partition; he is sandboxed. In addition, partitioning enables siloing, which can mitigate insider threats (another growing attack vector), and provides hardware enforcement of certain good programming practices, which might lead to more on-time deliveries!

For those interested, we have posted demos and an ebook at www.smxrtos.com/securesmx. May the good guys win!

****References:****

1.  "2024 Attack Intelligence Report", Caitlin Condon, Stephen Fewer, Christiaan Beek, Rapid7, 2024
2.  "The Top Cybersecurity Threats of 2022", LMG Security, 2022.
3.  "Patch management best practices: A detailed guide". ManageEngine, 2021.
4.  "This is How They Tell Me the World Ends: The Cyberweapons Arms Race", Nicole Perlroth, 2/2021.
5.  "IT/OT Cybersecurity: The Great Divide" Industrial Cybersecurity Pulse, 6/2021

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Smash-and-Grab Extortion

It’s the age of identity security. The explosion of driven ransomware attacks has made CISOs and security teams realize that identity protection lags 20 years behind their endpoints and networks. This realization is mainly due to the transformation of lateral movement from fine art, found in APT and top cybercrime groups only, to a commodity skill used in almost every ransomware attack. The

Endpoint Security / Identity Security

It's the age of identity security. The explosion of driven ransomware attacks has made CISOs and security teams realize that identity protection lags 20 years behind their endpoints and networks. This realization is mainly due to the transformation of lateral movement from fine art, found in APT and top cybercrime groups only, to a commodity skill used in almost every ransomware attack. The lateral movement uses compromised credentials for malicious access – a critical blind spot that existing XDR, network, and SIEM solutions fail to block.

Identity Threat Detection and Response (ITDR) has emerged in the last couple of years to close this gap. This article breaks down the top five ITDR capabilities and provides the key questions to ask your ITDR vendor. Only a definitive 'YES' to these questions can ensure that the solution you evaluate can indeed deliver its identity security promise.

**Coverage For All Users, Resources, and Access Methods****Why is it important?**

Partial protection is as good as no protection at all. If identity is the name of the game, then the ITDR protection should range across all user accounts, on-prem and cloud resources, and no less importantly – all access methods.

**What questions to ask:**

1.  Does the ITDR also cover non-human identities, such as Active Directory (AD) service accounts?

1.  Can the ITDR analyze the full authentication trail of users, across on-prem resources, cloud workloads and SaaS apps?

1.  Would the ITDR detect malicious access over command line access tools such as PsExec or PowerShell?

**Real-Time (Or As Close As You Can Get)****Why is it important?**

In-threat detection speed matters. In many cases, it could be the difference between spotting and mitigating a threat at an early stage or investigating a full-size active breach. To deliver that, the ITDR should apply its analysis on authentications and access attempts as close to their occurrence as possible.

**What questions to ask:**

1.  Does the ITDR solution integrate directly with on-prem and cloud Identity Providers to analyze authentications as they happen?

1.  Does the ITDR query the IDP to detect changes in account configuration (for example OU, permissions, associated SPN, etc.)?

**Multi-Dimensional Anomaly Detection****Why is it important?**

No detection method is immune to false positives. The best way to increase accuracy is to search for multiple different types of anomalies. While each by itself might occur during legitimate user activity, the mutual occurrence of several would increase the likelihood that an actual attack was detected.

**What questions to ask:**

1.  Can the ITDR solution detect anomalies in the authentication protocol (for example, hash usage, ticket placement, weaker encryption, etc.)?

1.  Does the ITDR solution profile users' standard behavior to detect access to resources that were never accessed before?

1.  Does the ITDR solution analyze access patterns that are associated with lateral movement (for example, accessing multiple destinations in a short period of time, moving from machine A to machine B and subsequently from B to C, etc.)?

> Need an ITDR solution to secure the identity attack surface of your on-prem and cloud environments? **Learn how Silverfort ITDR works** and **request a demo to see how we can address your specific needs**.

**Chain Detection with MFA and Access Block****Why is it important?**

Accurate detection of threats is the starting point, not the end of the race. As we've mentioned above, time and accuracy are the key to efficient protection. Just like an EDR that terminates a malicious process, or an SSE that blocks malicious traffic, the ability to trigger automated blocking of malicious access attempts is imperative. While the ITDR itself cannot do that, it should be able to communicate with other identity security controls to achieve this goal.

**What questions to ask:**

1.  Can the ITDR follow up detection of suspicious access by triggering a step-up verification from an MFA solution?

1.  Can the ITDR follow up on the detection of suspicious access by instructing the Identity Provider to block access altogether?

**Integrate with XDR, SIEM, and SOAR****Why is it important?**

Threat protection is achieved by the conjoint operation of multiple products. These products might specialize on a certain facet of malicious activity, aggregate signals to a cohesive contextual view, or orchestrate a response playbook. On top of the capabilities that we've listed above, ITDR should also integrate seamlessly with the security stack already in place, preferably in an automated manner as possible.

**What questions to ask:**

1.  Can the ITDR solution send the XDR user risk signals and import risk signals on processes and machines?

1.  Does the ITDR share its security findings with the SIEM in place?

1.  Can the ITDR's detection of malicious user access trigger SOAR playbook on the user and the resources it's logged in to?

**Silverfort ITDR**

Silverfort's ITDR is part of a consolidated identity security platform that includes, among other capabilities, MFA, privileged access security, service account protection, and authentication firewalls. Built on native integration with AD, Entra ID, Okta, ADFS, and Ping Federate, Silverfort ITDR analyzes every authentication and access attempt in the hybrid environment and applies multiple, intersecting risk analysis methods to detect malicious user activity and trigger real-time identity security controls.

Learn more on Silverfort ITDR here or schedule a demo with one of our experts.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

True Protection or False Promise? The Ultimate ITDR Shortlisting Guide

All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions. This makes it possible to reach an assert macro, leading to a process crash.

**Note:**
By providing some specific integer values (like 0) to the size function, it is possible to obtain a Segmentation fault error, leading to the process crash.

**images vulnerable to Denial of Service**

High severity GitHub Reviewed Published Jul 10, 2024 to the GitHub Advisory Database • Updated Jul 10, 2024

GHSA-vjpv-x8p9-7p85: images vulnerable to Denial of Service

All versions of the package speaker are vulnerable to Denial of Service (DoS) when providing unexpected input types to the channels property of the Speaker object makes it possible to reach an assert macro. Exploiting this vulnerability can lead to a process crash.

**speaker vulnerable to Denial of Service**

High severity GitHub Reviewed Published Jul 10, 2024 to the GitHub Advisory Database • Updated Jul 10, 2024

Tag

#mac