**PRESS RELEASE**

**TEMPE, Ariz.** **& PRAGUE****,** **Oct. 19, 2023** **/PRNewswire/ --** Norton, a consumer Cyber Safety brand of Gen™ (NASDAQ: GEN), today unveiled new features included with Norton Password Manager and Norton AntiTrack. Norton Password Manager offers a premium password management experience that continues to be available at no cost, and a new Private Email feature now available in Norton AntiTrack helps consumers quickly and easily take back control of their online privacy.

"Our enhancements to Norton Password Manager and Norton AntiTrack exemplify our passion for constantly improving our products and services to help our customers protect their online privacy and stay one step ahead of threats to their security," said Leena Elias, Chief Product Officer at Gen. "Free password managers are traditionally basic, difficult to access on different devices, and lack multi-layered security. With Norton Password Manager, you no longer have to choose between conveniently accessing your accounts and having excellent password protection. And, our addition of Private Email as part of Norton AntiTrack allows you to easily take steps to protect your online privacy when you're engaging with the digital world and protect your personal email address, which is often the gateway to your personal information and accounts. We are committed to helping our customers safeguard their online privacy through the launch of these solutions."

Accessible via the web, and available as a browser extension or mobile app, Norton Password Manager has been rebuilt with improvements to password security and privacy and redesigned to provide a seamless, intuitive customer experience.

Norton Password Manager now delivers greater convenience, security, and privacy with the following upgrades:

*   **Strengthened Vault Security and Recovery:** We notify you if your vault password needs to be strengthened and monitor the dark web for your vault password to help keep your passwords secure. New vault access recovery helps you recover the vault password if it's forgotten without compromising security.
*   **Improved Password Assessment:** Password strength is automatically assessed. If a weak password is detected, it's now easier to change it to be more complex and difficult to crack.
*   **Easy to Use:** A modern look and feel that's simple to set up and access the most used features from more locations; auto-filling and credential saving options appear seamlessly as you browse the web to provide quick access to accounts.

In addition to Norton Password Manager enhancements, Private Email is now available in Norton AntiTrack on Windows PCs. Private Email improves email privacy by masking your personal email addresses so they're unrecognizable, and removes hidden trackers often found in sent emails that can be used to gather private, personally identifiable information, including location, device usage, interests, and shopping behaviors.

Norton Password Manager is compatible with Windows PC, Mac, Android, and iOS, and available as a browser extension on Chrome, Firefox, Microsoft Edge, Safari, as well as browsers from Gen brands, Norton, Avast and Avira. For more information and to download Norton Password Manager, visit us.norton.com/products/norton-password-manager. Norton AntiTrack with Private Email is available to download at https://norton.com/products/norton-antitrack.

**About Norton**

Norton is a leader in Cyber Safety, and part of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom with a family of trusted consumer brands. Norton empowers millions of individuals and families with award-winning protection for their devices, online privacy, and identity. Norton products and services are certified by independent testing organizations including AV-TEST, AV-Comparatives, and SE Labs. Norton is a founding member of the Coalition Against Stalkerware. Learn more at www.norton.com.

Norton Boosts Security and Privacy With Enhanced Password Manager and AntiTrack

**PRESS RELEASE**

**AUSTIN, Texas** – **Oct. 10, 2023** – SailPoint Technologies, Inc., a leader in enterprise identity security, today released the findings from the 2023 edition of its annual research report, ‘The Horizons of Identity Security,’ at Navigate 2023. Produced in collaboration between SailPoint and Accenture, a leading global professional services company, the report is based on insights from more than 375 global cybersecurity executives across the Americas, Europe and Asia. The goal was to examine the current state and future direction of the identity security market.

With 90% of cybersecurity breaches being identity related, identity security is the most important security aspect that every organization must get right. Yet, findings from the Horizons of Identity Security report show that 44% of companies are still at the beginning of their identity journeys. And, concerningly, even mature companies cover less than 70% of the identities in their organizations through foundational governance capabilities. However, respondents noted that communicating the business value of identity security to executives is a key challenge. This underscores the need for identity security advocates to build executive-friendly business cases that are tailored to their audiences’ strategic priorities and value-driven mindset.

A worrying 77% of respondents indicate that “limited executive sponsorship or focus” is a primary obstacle to investment in identity security, second only to budgetary constraints (91%). However, report findings clearly demonstrate that a strong identity security program can power business agility and innovation, risk mitigation, efficiency gains, and advancement of tech initiatives. For example, it can accelerate organizational change by as much as 30% through quicker integration of identities, applications, data and infrastructure. 

“A strong identity security program can generate real value for today’s organizations, but that value isn’t always obvious to business stakeholders,” said Matt Mills, President of Worldwide Field Operations, SailPoint. “In today’s threat landscape, stopping just one breach can save millions of dollars in lost revenue, regulatory fines, and reputational damage. It’s important for security teams to have the information they need to communicate their needs in an outcomes-based way. Focusing on the business value that identity security drives is going to resonate best with executives and help them understand the pressing need to accelerate their identity maturity if they want to avoid becoming the next major victim.”

Identity ecosystems are becoming increasingly complex and a preferred attack vector for threat actors. According to the report findings, on average more than 30% of the identities in an organization are not properly covered by identity solutions, with particular gaps around third-party identities, machine identities and data. Bringing those identities under the umbrella of a strong identity management program is essential for breach avoidance. Foundational security capabilities accelerate incident response, prevent bad actors from authenticating into internal systems and limit excessive access rights for employees — which survey respondents selected as the most common security deficiency enabling breaches.

Among other notable findings in the report was the fact that AI-based solutions have proven to be a potent accelerator, helping businesses add advanced new capabilities and drive greater agility. Encouragingly, the report shows a growing number of organizations are exploring AI-backed dynamic trust models to evolve access based on user behavior. The findings also show that companies leveraging SaaS, AI and automation scale a notable 10-30% faster and get more value for their security investment through increased capability utilization. More specifically, an identity platform leveraging automation and AI enables companies to scale identity-related capabilities up to 37% faster than companies without AI enablement. 

“Organizations are facing unprecedented challenges when it comes to managing their complex identity environments and massive data sets,” said Damon McDougald, the global Security Digital Identity lead at Accenture. “While advanced technologies like artificial intelligence and generative AI are making it easier to expedite, manage and scale identity security initiatives many organizations are still at the start of their journeys. Organizations should view this as an opportunity to accelerate their identity maturity timetable and establish a foundation for a secure digital transformation.”

**Adoption Assessment tool**

SailPoint is launching a new adoption assessment tool that can help organizations assess their current capabilities, as well as how they stack up against their peers. The tool can help businesses identify what their greatest barriers to stronger identity security are, and how they can generate greater business value by investing in identity. To access the adoption assessment tool, click here. 

SailPoint’s flagship ‘Navigate: Identity Security Accelerated’ conference kicks off in Austin, Texas on October 9th, and will be followed by a series of global events in London, Singapore, Sydney, Washington DC, Toronto and São Paulo. To register, visit the Navigate website.

**2023 Horizons of Identity Security Resources**

*   To download a copy of the 2023 Horizons of Identity Report, click here. 
*   Read more about the report’s top findings in this SailPoint blog. 
*   For a snapshot of the report’s key findings, click here. 
*   To reference the 2022 Horizons of Identity Report or take the maturity assessment, click here. 

**About SailPoint**

SailPoint is a leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Unveils Annual 'Horizons of Identity Security' Report

By Deeba Ahmed
It is unclear how long Cisco will take to release a patch.
This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

The US had the most compromised devices (4,659) with a backdoor installed as a result of the Cisco Web UI vulnerability followed by the Philippines (over 3,200).

****_KEY FINDINGS_****

**Cisco released a security advisory on October 16 to warn users about a critical zero-day privilege escalation vulnerability in its IOS XE Web UI software.**

**As per Censys, the company tracking the vulnerability, by October 18 the number of infections had increased from the previously reported 34,140 to 41,983 hosts, while 34,140 had backdoor installed**

**It is tracked as CVE-2023-20198 and has been used to exploit tens of thousands of devices.**

**The US had the highest number of compromised devices followed by the Philippines.**

A critical cybersecurity threat disclosed by Cisco has resulted in mass exploitation of its devices, with the number of impacted systems surpassing 40,000 hosts worldwide. Nonprofit security group Shadowserver has detected over 32,800 devices compromised so far.

On the other hand, Censys has been tracking this vulnerability and in its blog post, the company explained that due to active exploitation of this security flaw tens of thousands of devices could be affected.

The company scanned the impacted Cisco devices and found that most belonged to telecom firms offering internet services to business and home users, including AT&T. The US had the highest number of compromised devices with a backdoor installed (4,659) followed by the Philippines (over 3,200).

Hackread.com had reported that the vulnerability, tracked as CVE-2023-20198, was discovered in the Cisco IOS XE software’s Web UI feature. Cisco warned customers about the vulnerability affecting Cisco RV320 and RV325 routers, explaining that it allows a remote unauthorized attacker to create an account on the compromised system with privilege level 15 access and go on to gain full control of the device. 

The vulnerability affects the IOS XE Software Web UI feature because it is enabled by default in the devices. Cisco recommends users disable the HTTP server feature on every internet-connected system to prevent exploitation. Attackers exploiting this flaw are hijacking routers from telecom firms. Cisco has confirmed that since at least mid-September, threat actors have been exploiting it as a zero-day.

The vulnerability was first discovered in March 2023, and an uptick in attacks exploiting it was observed from mid-September. Moreover, a highly sophisticated actor is suspected to be exploiting it, which hints at the launch of a targeted and coordinated campaign while Cisco is still working on a patch to fix it.

In its threat advisory published on October 16th, 2023, Cisco stated that the actor exploited the old, already patched vulnerability (CVE-2021-1435) to install the implant after obtaining access to the device.

> _“We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as-of-yet undetermined mechanism.”_
> 
> CISCO

It is a serious security threat as the vulnerability has the highest criticality score of 10. The IOS XE software is an essential component of Cisco switches, wireless controller products, and routers. The vulnerability is critical enough to enable a complete takeover of Cisco devices, granting threat actors the ability to effortlessly monitor network traffic or present phishing pages loaded with harmful malware.

Reportedly, 469 of the compromised devices were registered at AT&T for residential and business clients. The company uses enterprise-grade Cisco XE routers, so small-sized organizations and individuals would likely be vulnerable to this threat instead of large corporations.

The risks posed by the vulnerability are wide-ranging, as attackers can leverage access to compromised devices to disrupt network operations, steal sensitive data, and launch new attacks against other systems on the network.

It is unclear how long Cisco will take to release a patch. Meanwhile, users must scan their devices for infection and disable the HTTP server feature, implement network segmentation, and monitor network traffic for suspicious activity.

****_RELATED ARTICLES_****

1.  Cisco’s new tool will detect malware in encrypted traffic
2.  New 19 CISA Advisories Highlight Vulnerabilities in Top ICS Products
3.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
4.  Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
5.  Unpatched Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks

Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

CVE-2022-47583: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

The state-sponsored threat actors (aka APT34, Crambus, Helix Kitten, or OilRig) spent months seemingly taking whatever government data they wished, using never-before-seen tools.

The Iranian state-aligned advanced persistent threat (APT) known as MuddyWater used an arsenal of new custom malware tools to spy on an unnamed Middle Eastern government for eight months, in just the latest of its many campaigns in the region.

That's according to Symantec, which describes a, at times, daily effort to steal sensitive government data by MuddyWater, which Symantec tracks as "Crambus." The group is also known variously as APT34, Helix Kitten, and OilRig. 

Despite penetrating a dozen computers, deploying half a dozen different hacking tools, and stealing passwords and files, the campaign managed to stay under the radar, lasting from February until September before being disrupted.

"They accessed quite a broad range of computers on the network, so it seems to be a more general attack, rather than going after anything specific," assesses Dick O'Brien, principal intelligence analyst for Symantec.

**MuddyWater's Malware Arsenal**

MuddyWater's latest campaign began on Feb. 1, when an unknown PowerShell script was executed from a suspicious directory on a targeted machine.

In the months that followed, the group deployed four custom malware tools, three previously unknown to the cybersecurity community.

First there's Backdoor.Tokel, for downloading files and executing arbitrary PowerShell commands. Trojan.Dirps is also used for PowerShell commands, and enumerating files in a directory. Infostealer.Clipog is, as the name would suggest, infostealer malware capable of keylogging, logging processes where keystrokes are entered, and copying clipboard data.

Finally there's Backdoor.PowerExchange, discovered but not specifically attributed to MuddyWater back in May. The PowerShell-based tool logs into Microsoft Exchange Servers with hardcoded credentials, using them for command-and-control (C2), and monitoring for emails sent by the attackers. Mail with "@@" in the subject line conceal instructions for writing and stealing files, or executing arbitrary PowerShell commands.

Alongside its own weaponry, MuddyWater also utilized two popular open source hacking tools: Mimikatz for credential dumping, and Plink for remote shell capabilities.

According to O'Brien, the group's months long staying power can be attributed to its choice of weaponry:

"If you introduce new tools, and if you're using legitimate tools, there are no automatic red flags. \[As an analyst\] you kind of have to wait until there's a notification of potentially malicious activity, and start pulling the threads from there."

**MuddyWater Is Back**

MuddyWater has been around since at least 2014, according to Mandiant. A few years back, though, it was written off. "Crambus was one of those groups that we thought might go away because they were heavily exposed in a leak, seemingly by a former contractor or team member," O'Brien points out.

Now, he adds, "they're definitely back."

Over the years, its spying campaigns have spread throughout most of the Middle East – Saudi Arabia, Israel, Turkey, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, and the United Arab Emirates (as well as the United States) – touching the financial, energy, telecommunications, chemical, government, and critical infrastructure sectors. The APT has been the subject of US sanctions for its cyber espionage activity; and most recently, that activity has included cyberattacks on Saudi Arabia that featured another fresh malware, known as Menorah; and a supply chain attack on the UAE.

Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months

A Path Traversal vulnerability exists in PaperCut NG before 22.1.1 and PaperCut MF before 22.1.1. Under specific conditions, this could potentially allow an attacker to achieve read-only access to the server's filesystem.

*   **CVE(s):** CVE-2023–31046
*   **Vendor:** PaperCut
*   **Product:** PaperCut MF/NG
*   **Version(s) affected:** < 22.1.1
*   **Fixed version:** 22.1.1

**Background #**

An Authenticated Arbitrary File Download vulnerability was found in PaperCut NG/MF. PaperCut is a popular Print Management product that’s used globally by over 80,000 organisations. Its application server component is written in Java. The majority of customers run their servers behind firewalls, however a number of larger customers like universities may have it hosted on more open servers. As part of my research I found this vulnerability and I worked with PaperCut Software to report, advise and validate a fix. The latest release of PaperCut NG/MF which can be found at http://www.papercut.com/ has the vulnerability addressed and upgrading is the recommended mitigation.

Arbitrary File Download/Read vulnerabilities can occur when an application allows files to be included in an unsafe way on a local machine, often through Directory Traversal techniques (being the root cause) whereby the application directory structure can be traversed to reach areas not originally intended by the developer.

In the case of PaperCut, the application server defines a servlet that can be accessed, with authentication (testing determined this could be the lowest level of authentication available), allowing for a crafted HTTP request to be sent that retrieves files from the underlying filesystem.

Within the web.xml configuration file for the PaperCut application software, the static-content-files servlet exists to allow for static content to be retrieved / displayed to the user.

    <servlet-mapping>
        <servlet-name>static-content-files</servlet-name>
        <url-pattern>/content/*</url-pattern>
    </servlet-mapping>
    

The affected Java code is available within the getStaticContent() function inside the UIContentResource.class:

      @GET
      @Path("static/{asset:.*}")
      @CacheControlHeader("max-age=600,public")
      public Response getStaticContent(@PathParam("asset") String asset) {
        try {
          File page = getResourceAsFile("/ui/static/" + asset);
          String contentType = MimeTypeUtils.getMimeTypeStringFromFileName(page.getName());
          return Response.ok(page, contentType).build();
        } catch (Exception e) {
          return Response.status(Response.Status.NOT_FOUND).build();
        } 
      }
      
      private File getResourceAsFile(String resourcePath) {
        String docroot = this._servletContext.getRealPath("/");
        return new File(docroot, resourcePath);
      }
    

As shown above within the code-block above, the @PathParam("asset") excerpt refers to the portion of the URL that is controllable by an authenticated user, which can be manipulated without further sanitisation being performed on the input. Once the crafted parameter has been passed into the getResourceAsFile() function, a new file object is created containing the contents of the requested file.

In this case, anything related to the application such as API keys (within /papercut/server/data/), as well as anything accessible on the filesystem such as /etc/passwd, /proc/self/environ can be downloaded by an attacker.

    GET /ui/static/..//..//..//..//..//..//..//etc//passwd HTTP/1.1
    Host: papercut:9192
    Cookie: <..omitted..>
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://papercut:9192/ui/static
    Sec-Fetch-Dest: font
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    

The HTTP response of the above request will contain the requested /etc/passwd file contents.

Depending on the user that the papercut application server is running as, the available files will vary - however at the very minimum files that lie within the papercut application server directories will be disclosed including API secrets (allowing for authenticated API calls to be made).

**Recommendations #**

Mitigations were discussed with the PaperCut Software security team and they’ve provided me with following guidance for inclusion within this public disclosure.

“We feel the best course of action for customers is for them to upgrade to the latest release of PaperCut NG/MF which contains fixes for this issue. We will make this clear through our release notes and our check-for-updates feature. We feel the mitigation put into the code is very effective and a good outcome. It has both a mix of your suggestions and the ideas that our security team came up with. Good security comes through a diversity of thought, and we really wanted to call out this as a great example. It’s been amazing working with you, sharing ideas, on how to address this both efficiently and quickly. Often security CVE reports are very one-way. Your collaboration on both mitigation and validation has been a standout. It really demonstrates the importance of ISVs and Infosec providers working together. This aspect is often understated in security research and uplift.”

**Timeline #**

Here’s a disclosure timeline:

1.  **Initial Attempt to Contact Vendor**
    
    28 March 2023
    
    Contacted the PaperCut Support Team.
    
2.  **Initial Contact with Security Team**
    
    28 March 2023
    
    Received response from PaperCut Support within 20 minutes.
    
3.  **Vulnerability Disclosure Response**
    
    30 March 2023
    
    PaperCut Support advised that several fixes had been proposed and a hotfix was available to test.
    
4.  **Vendor Update**
    
    3 April 2023
    
    Test build of the fix was provided by PaperCut for us to validate proposed fixes.
    
5.  **Vendor Update**
    
    4 April 2023
    
    PaperCut requested 120 day disclosure timeline as well as discussed other security bulletin related information.
    
6.  **Aura Update**
    
    4 April 2023
    
    Confirmed that a delayed disclosure was not a problem at all. Vendor's active responses and development updates were showing considerable thought was being put in place around resolving the issue.
    
7.  **Proposed fixes**
    
    24 April 2023
    
    Further vendor communications around improving the overall effectiveness of proposed fixes.
    
8.  **CVE Assignment: CVE-2023-31046**
    
    24 April 2023
    
    The vendor had requested a CVE on our behalf: CVE-2023-31046.
    
9.  **Patches!**
    
    7 June 2023
    
    Vendor released patches, along with public security bulletin: https://www.papercut.com/kb/Main/SecurityBulletinJune2023.
    
10.  **Public Disclosure**
    
    14 August 2023
    
    CVE disclosure via MITRE and blog posted.
    

**Disclaimer #**

The information in this article is provided for research and educational purposes only. Aura Information Security does not accept any liability in any form for any direct or indirect damages resulting from the use of or reliance on the information contained in this article.

CVE-2023-31046: Authenticated Arbitrary File Download (Path Traversal)

Gentoo Linux Security Advisory 202310-13 - A vulnerability has been discovered in Mailutils where escape sequences are processed in a context where this may lead to RCE. Versions greater than or equal to 3.12-r3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Mailutils: unexpected processsing of escape sequences  
     Date: October 19, 2023  
     Bugs: #802867  
       ID: 202310-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Mailutils where escape sequences  
are processed in a context where this may lead to RCE.

Background  
=========  
GNU Mailutils is a collection of mail-related utilities, including an  
IMAP4 server (imap4d) and a Mail User Agent (mail).

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-mail/mailutils  < 3.12-r3     >= 3.12-r3

Description  
==========  
A vulnerability has been discovered in GNU Mailutils. Please review the  
CVE identifier referenced below for details.

Impact  
=====  
mail(1) from mailutils would process escape sequences (like ~!  
shellcommand) in message bodies piped/redirected in. This creates an RCE  
if some part of the message body is under an attacker's control.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mailutils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-mail/mailutils-3.12-r3"

References  
=========  
[ 1 ] CVE-2021-32749  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32749

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-13

An updated version of a sophisticated backdoor framework called MATA has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023.
"The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows

An updated version of a sophisticated backdoor framework called **MATA** has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023.

"The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser," Kaspersky said in a new exhaustive report published this week.

"Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit."

CVE-2021-26411 (CVSS score: 8.8) refers to a memory corruption vulnerability in Internet Explorer that could be triggered to execute arbitrary code by tricking a victim into visiting a specially crafted site. It was previously exploited by the Lazarus Group in early 2021 to target security researchers.

The cross-platform MATA framework was first documented by the Russian cybersecurity company in July 2020, linking it to the prolific North Korean state-sponsored crew in attacks targeting various sectors in Poland, Germany, Turkey, Korea, Japan, and India since April 2018.

The use of a revamped version of MATA to strike defense contractors was previously disclosed by Kaspersky in July 2023, although attribution to the Lazarus Group remains tenuous at best due to the presence of techniques used by Five Eyes APT actors such as Purple Lambert, Magenta Lambert, and Green Lambert.

That said, a majority of the malicious Microsoft Word documents created by the attackers feature a Korean font called Malgun Gothic, suggesting that the developer is either familiar with Korean or works in a Korean environment.

Russian cybersecurity company Positive Technologies, which shared details of the same framework late last month, is tracking the operators under the moniker Dark River.

"The group's main tool, the MataDoor backdoor, has a modular architecture, with a complex, thoroughly designed system of network transports and flexible options for communication between the backdoor operator and an infected machine," security researchers Denis Kuvshinov and Maxim Andreev said.

"The code analysis suggests that the developers invested considerable resources into the tool."

The latest attack chains begin with the actor sending spear-phishing documents to targets, in some cases by impersonating legitimate employees, indicating prior reconnaissance and extensive preparation. These documents include a link to an HTML page that embeds an exploit for CVE-2021-26411.

A successful compromise leads to the execution of a loader that, in turn, retrieves a Validator module from a remote server to send system information and download and upload files to and from the command-and-control (C2) server.

The Validator is also designed to fetch MataDoor, which, according to Kasperksy, is MATA generation 4 that's equipped to run a wide range of commands capable of gathering sensitive information from compromised systems.

The attacks are further characterized by the use of stealer malware to capture content from clipboard, record keystrokes, take screenshots, and siphon passwords and cookies from the Windows Credential Manager and Internet Explorer.

Another noteworthy tool is a USB propagation module that allows for sending commands to the infected system via removable media, likely enabling the threat actors to infiltrate air-gapped networks. Also employed is an exploit called CallbackHell to elevate privileges and bypass endpoint security products so as to achieve their goals without attracting attention.

Kaspersky said it also discovered a new MATA variant, dubbed MATA generation 5 or MATAv5, that's "completely rewritten from scratch" and "exhibits an advanced and complex architecture making use of loadable and embedded modules and plugins."

"The malware leverages inter-process communication (IPC) channels internally and employs a diverse range of commands, enabling it to establish proxy chains across various protocols - also within the victim's environment," the company added.

In total, the MATA framework and its cocktail of plugins incorporate support for over 100 commands pertaining to information gathering, event monitoring, process management, file management, network reconnaissance, and proxy functionality.

"The actor demonstrated high capabilities of navigating through and leveraging security solutions deployed in the victim's environment," Kaspersky said.

"Attackers used many techniques to hide their activity: rootkits and vulnerable drivers, disguising files as legitimate applications, using ports open for communication between applications, multi-level encryption of files and network activity of malware, \[and\] setting long wait times between connections to control servers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies

Google has announced an update to its Play Protect with support for real-time scanning at the code level to tackle novel malicious apps prior to downloading and installing them on Android devices.
"Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats," the tech giant said.
Google Play Protect is a

Mobile Security / Technology

Google has announced an update to its Play Protect with support for real-time scanning at the code level to tackle novel malicious apps prior to downloading and installing them on Android devices.

"Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats," the tech giant said.

Google Play Protect is a built-in, free threat detection service that scans Android devices for any potentially harmful apps downloaded from the Play Store as well as other external sources. In extreme cases, an app may be blocked from being installed.

The check expands on previous existing protections that alerted users when it identified an app known to be malicious from existing scanning intelligence or was identified as suspicious from heuristics gathered via on-device machine learning.

With the latest safeguards, important signals from the app are extracted and sent to the Play Protect backend infrastructure for a code-level evaluation in real-time to determine if it's safe to install or it's malicious in nature.

"This enhancement will help better protect users against malicious polymorphic apps that leverage various methods, such as AI, to be altered to avoid detection," Google said, adding the feature is being rolled out in select countries, starting with India.

The security improvement comes as threat actors continue to find different ways to propagate Android malware, often through links to deceptive apps or APK files sent on messaging apps.

It also follows a revision to the Android Security Paper, which "provides a comprehensive overview of the platform's built-in, proactive security across hardware, anti-exploitation, Google Security Services and the range of management APIs available for businesses and governments alike."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Play Protect Introduces Real-Time Code-Level Scanning for Android Malware

The Iran-linked OilRig threat actor targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign.
The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News

Cyber Attack / Cyber Espionage

The Iran-linked OilRig threat actor targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign.

The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

The cybersecurity firm is tracking the activity under the name **Crambus**, noting that the adversary used the implant to "monitor incoming mails sent from an Exchange Server in

order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers."

Malicious activity is said to have been detected on no less than 12 computers, with backdoors and keyloggers installed on a dozen other machines, indicating a broad compromise of the target.

The use of PowerExchange was first highlighted by Fortinet FortiGuard Labs in May 2023, documenting an attack chain targeting a government entity associated with the United Arab Emirates.

The implant, which monitors incoming emails to compromised mailboxes after logging into a Microsoft Exchange Server with hard-coded credentials, enables the threat actor to run arbitrary payloads and upload and download files from and to the infected host.

"Mails received with '@@' in the subject contain commands sent from the attackers, which allows them to execute arbitrary PowerShell commands, write files, and steal files," the company explained. The malware creates an Exchange rule (called 'defaultexchangerules') to filter these messages and move them to the Deleted Items folder automatically."

Also deployed alongside PowerExchange were three previously undiscovered pieces of malware, which are described below -

*   **Tokel**, a backdoor to execute arbitrary PowerShell commands and download files
*   **Dirps**, a trojan capable of enumerating files in a directory and executing PowerShell commands, and
*   **Clipog**, an information stealer designed to harvest clipboard data and keystrokes

While the exact mode of initial access was not disclosed, it's suspected to have involved email phishing. Malicious activity on the government network continued until September 9, 2023.

"Crambus is a long-running and experienced espionage group that has extensive expertise in carrying out long campaigns aimed at targets of interest to Iran," Symantec said. "Its activities over the past two years demonstrate that it represents a continuing threat for organizations in the Middle East and further afield."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac