Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah.
"The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy

Cyber Espionage / Malware

Sophisticated cyber actors backed by Iran known as **OilRig** have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah.

"The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy said in a Friday report.

The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia.

Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks.

The revelation builds on recent findings from NSFOCUS, which uncovered an OilRig phishing attack resulting in the deployment of a new variant of SideTwist malware, indicating that it's under continuous development.

In the latest infection chain documented by Trend Micro, the lure document is used to create a scheduled task for persistence and drop an executable ("Menorah.exe") that, for its part, establishes contact with a remote server to await further instructions. The command-and-control server is currently inactive.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

The .NET malware, an improved version of the original C-based SideTwist implant discovered by Check Point in 2021, is armed with various features to fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system.

"The group consistently develops and enhances tools, aiming to reduce security solutions and researchers' detection," the researchers said.

"Typical of APT groups, APT34 demonstrates their vast resources and varied skills, and will likely persist in customizing routines and social engineering techniques to use per targeted organization to ensure success in intrusions, stealth, and cyber espionage."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian APT Group OilRig Using New Menorah Malware for Covert Operations

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 22 and Sept. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for September 22 to September 29

By Deeba Ahmed
Chinese hackers have struck again!
This is a post from HackRead.com Read the original post: Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Thousands of emails belonging to the US State Department were stolen in a data breach targeting Microsoft Outlook accounts.

Chinese hackers are responsible for breaching the security of Microsoft’s cloud-based Exchange email platform, which occurred in May 2023. Apart from stealing tens of thousands of emails from official accounts, the attackers obtained a list of all email accounts belonging to the State Department, Reuters reported.

As reported by Hackread.com, Microsoft revealed the breach in July 2023, explaining that threat actors breached Outlook accounts used by 25 organizations, including the US State and Commerce Departments, and other charges linked to these entities. The tech giant didn’t disclose the names of the impacted organizations and government entities.

The scope of the breach was disclosed at a Senate staff briefing on September 28, 2023. It was revealed at least 60,000 emails belonging to state department officials stationed in the Pacific, East Asia, and Europe were stolen. The compromised accounts mainly belonged to personnel focusing on Indo-Pacific diplomacy.

In a press briefing, State Department’s spokesperson Matthew Miller confirmed the data breach, explaining that “classified systems” weren’t hacked in that incident. Miller also added that the department is yet to make an attribution, but there’s no reason to doubt Microsoft’s attribution.

“Again, this was a hack of Microsoft systems that the State Department uncovered and notified Microsoft about,” Miller told reporters.

On the other hand, Senator Eric Schmitt said in his official statement that there’s a growing need to “harden” security defences against such intrusions in the future. Moreover, Schmitt believes that the federal government’s dependence on a single vendor should also be reviewed as this could be a weak link.

Microsoft has blamed the Chinese cyber-espionage group called Storm-0558 for the email breach. This group is known for infiltrating email systems of its targets to steal sensitive data.

According to a Microsoft representative, Storm-0558 accessed a Windows crash dump and obtained a consumer signing key, which could be used to compromise Exchange Online and Azure Active Directory accounts. The key was obtained by exploiting an already patched zero-day validation flaw that affected the GetAccessTokenForResourceAPI.

By exploiting this flaw, the attackers could create counterfeited signed access tokens and impersonate any account belonging to their target organizations. With this technique, Storm-0558 compromised the corporate account of a Microsoft engineer and managed to access the government email accounts.

Microsoft has revoked the stolen signing key and launched an investigation into the incident. The company has confirmed no further evidence of repeated unauthorized access to customer accounts using the same access token counterfeiting method.

Upon CISA’s insistence, Microsoft agreed to expand access to cloud logging data, which so far was only available to users having Purview Audit (Premium) logging licenses, free of charge so that network defenders can quickly identify breach attempts.

Mike Newman, CEO of My1Login, has commented on this incident, stating that this attack is crucial because hackers accessed sensitive government data from Outlook.

“Attackers appear to have accessed highly sensitive information in this breach by coupling together a number of attack vectors. These are complex and sophisticated techniques that signal Microsoft was facing a determined adversary that was highly motivated to carry out this attack.”

Newman further noted that encryption is the best defence against such incidents, and the workforce shouldn’t be allowed to access user credentials so that they cannot be lost or solved. Moreover, Microsoft shouldn’t have access to consumers’ private keys in the first place. 

“It should be mandatory for security that customer data (i.e. emails, stored credentials, documents) is encrypted using keys that are only known to the customer, meaning they cannot be accessed by the cloud software provider or an external, malicious actor.”

**RELATED ARTICLES**

1.  Chinese Group Storm-0558 Hacked European Govt Emails
2.  Chinese APT Flax Typhoon uses legit tools for cyber espionage
3.  Chinese Hackers Stole Signing Key to Breach Outlook Accounts
4.  Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
5.  Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores

Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libarchive: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #882521, #911486  
       ID: 202309-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libarchive, the worst of  
which could result in denial of service.

Background  
=========  
libarchive is a library for manipulating different streaming archive  
formats, including certain tar variants, several cpio formats, and both  
BSD and GNU ar variants.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
app-arch/libarchive  < 3.7.1       >= 3.7.1

Description  
==========  
Multiple vulnerabilities have been discovered in libarchive. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libarchive users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.7.1"

References  
=========  
[ 1 ] CVE-2022-36227  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36227

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-14

Gentoo Linux Security Advisory 202309-13 - A buffer overflow vulnerability has been found in GMP which could result in denial of service. Versions greater than or equal to 6.2.1-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GMP: Buffer Overflow Vulnerability  
     Date: September 29, 2023  
     Bugs: #823804  
       ID: 202309-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overflow vulnerability has been found in GMP which could result  
in denial of service.

Background  
=========  
The GNU Multiple Precision Arithmetic Library is a library forarbitrary-  
precision arithmetic on different types of numbers.

Affected packages  
================  
Package       Vulnerable    Unaffected  
------------  ------------  ------------  
dev-libs/gmp  < 6.2.1-r2    >= 6.2.1-r2

Description  
==========  
There is an integer overflow leading to a buffer overflow when  
processing untrusted input via GMP's mpz_inp_raw function.

Impact  
=====  
Untrusted input can cause a denial of service via segmentation fault.

Workaround  
=========  
Users can ensure no untrusted input is passed into GMP's mpz_inp_raw  
function.

Resolution  
=========  
All GMP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/gmp-6.2.1-r2"

References  
=========  
[ 1 ] CVE-2021-43618  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43618

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-13

Gentoo Linux Security Advisory 202309-12 - Multiple vulnerabilities have been found in sudo, the worst of which can result in root privilege escalation. Versions greater than or equal to 1.9.13_p2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: sudo: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #898510, #905322  
       ID: 202309-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in sudo, the worst of which can  
result in root privilege escalation.

Background  
=========  
sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
app-admin/sudo  < 1.9.13_p2   >= 1.9.13_p2

Description  
==========  
Multiple vulnerabilities have been discovered in sudo. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.13_p2"

References  
=========  
[ 1 ] CVE-2023-27320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27320  
[ 2 ] CVE-2023-28486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28486  
[ 3 ] CVE-2023-28487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28487

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-12

Gentoo Linux Security Advisory 202309-11 - Multiple vulnerabilities have been found in libsndfile, the worst of which could result in arbitrary code execution. Versions greater than or equal to 1.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsndfile: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #803065  
       ID: 202309-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libsndfile, the worst of  
which could result in arbitrary code execution.

Background  
=========  
libsndfile is a C library for reading and writing files containing  
sampled sound.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
media-libs/libsndfile  < 1.1.0       >= 1.1.0

Description  
==========  
Multiple vulnerabilities have been discovered in libsndfile. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libsndfile users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.1.0"

References  
=========  
[ 1 ] CVE-2021-3246  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3246  
[ 2 ] CVE-2021-4156  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4156

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-11

Gentoo Linux Security Advisory 202309-10 - A vulnerability was discovered in Fish when handling git repository configuration that may lead to execution of arbitrary code Versions greater than or equal to 3.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Fish: User-assisted execution of arbitrary code  
     Date: September 29, 2023  
     Bugs: #835337  
       ID: 202309-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability was discovered in Fish when handling git repository  
configuration that may lead to execution of arbitrary code

Background  
=========  
Smart and user-friendly command line shell for macOS, Linux, and the  
rest of the family. It includes features like syntax highlighting,  
autosuggest-as-you-type, and fancy tab completions that just work, with  
no configuration required.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
app-shells/fish  < 3.4.0       >= 3.4.0

Description  
==========  
A vulnerability have been discovered in Fish. Please review the CVE  
identifiers referenced below for details.

Impact  
=====  
A user may be enticed to cd into a git repository under control by an  
attacker (e.g. on a shared filesystem or by unpacking an archive) and  
execute arbitrary commands.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All fish users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-shells/fish-3.4.0"

References  
=========  
[ 1 ] CVE-2022-20001  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20001

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-10

Gentoo Linux Security Advisory 202309-9 - Multiple vulnerabilities have been found in Pacemaker, the worst of which could result in root privilege escalation. Versions greater than or equal to 2.0.5_rc2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pacemaker: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #711674, #751430  
       ID: 202309-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Pacemaker, the worst of  
which could result in root privilege escalation.

Background  
=========  
Pacemaker is an Open Source, High Availability resource manager suitable  
for both small and large clusters.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
sys-cluster/pacemaker  < 2.0.5_rc2   >= 2.0.5_rc2

Description  
==========  
Multiple vulnerabilities have been discovered in Pacemaker. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pacemaker users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-cluster/pacemaker-2.0.5_rc2"

References  
=========  
[ 1 ] CVE-2018-16877  
      https://nvd.nist.gov/vuln/detail/CVE-2018-16877  
[ 2 ] CVE-2018-16878  
      https://nvd.nist.gov/vuln/detail/CVE-2018-16878  
[ 3 ] CVE-2019-3885  
      https://nvd.nist.gov/vuln/detail/CVE-2019-3885  
[ 4 ] CVE-2020-25654  
      https://nvd.nist.gov/vuln/detail/CVE-2020-25654

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-09

Red Hat Security Advisory 2023-5405-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow and code execution vulnerabilities.

Tag

#mac