ntpd will crash if the server is not NTS-enabled (no certificate) and it receives an NTS-enabled client request (mode 3).

Skip to content

Open Issue created Jul 22, 2023 by **Richard Laager@rlaager**Maintainer

**segfault in libcrypto.so**

A Debian bug was filed regarding a crash in NTPsec 1.2.2.

His ntp.conf is the (Debian) stock ntp.conf. With comments removed, it is:

    driftfile /var/lib/ntpsec/ntp.drift
    leapfile /usr/share/zoneinfo/leap-seconds.list
    tos maxclock 11
    tos minclock 4 minsane 3
    pool 0.debian.pool.ntp.org iburst
    pool 1.debian.pool.ntp.org iburst
    pool 2.debian.pool.ntp.org iburst
    pool 3.debian.pool.ntp.org iburst
    restrict default kod nomodify nopeer noquery limited
    restrict 127.0.0.1
    restrict ::1

The ntpsec version of ntpd starts as expected, but randomly crashes in a few hours. It reports the following information to the kern.log file:

    2023-06-17T01:12:52.873519+00:00 karita kernel: [258683.650167] ntpd[23269]: segfault at 10 ip 00007f6d3ece0ab3 sp 00007ffc9c364830 error 4 in libcrypto.so.3[7f6d3ecc5000+278000] likely on CPU 1 (core 0, socket 1)
    2023-06-17T01:12:52.873554+00:00 karita kernel: [258683.650185] Code: 1f 84 00 00 00 00 00 48 83 ec 08 48 c7 c0 ff ff ff ff 48 85 ff 0f 84 63 04 00 00 48 85 d2 0f 84 5a 04 00 00 41 ba 00 08 00 10 <0f> 10 07 0f 57 e4 44 23 15 e4 fa 39 00 48 8d 42 10 81 fe 00 01 00

Here's a backtrace from the latest ntpsec coredump.

    root@karita:/var/lib/systemd/coredump# export
    DEBUGINFOD_URLS="https://debuginfod.debian.net"
    root@karita:/var/lib/systemd/coredump# coredumpctl debug                
                      PID: 61726 (ntpd)
               UID: 110 (ntpsec)
               GID: 117 (ntpsec)
            Signal: 11 (SEGV)
         Timestamp: Fri 2023-06-30 02:33:27 UTC (59min ago)
      Command Line: /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf
    -g -N -u ntpsec:ntpsec
        Executable: /usr/sbin/ntpd
     Control Group: /system.slice/ntpsec.service
              Unit: ntpsec.service
             Slice: system.slice
           Boot ID: 0e943a6b0cfe4fdd9e032c3d91c9d58d
        Machine ID: 0e50b80b858599a4a8aa8383662e5bb4
          Hostname: karita
           Storage:
    /var/lib/systemd/coredump/core.ntpd.110.0e943a6b0cfe4fdd9e032c3d91c9d58d.61726.1688092407000000.zst
    (present)
      Size on Disk: 775.6K
           Message: Process 61726 (ntpd) of user 110 dumped core.
    
                    Module libnss_systemd.so.2 from deb
    systemd-252.6-1.amd64
                    Stack trace of thread 61726:
                    #0  0x00007f280d4e0ab3 aesni_set_encrypt_key
    (libcrypto.so.3 + 0xe0ab3)
                    #1  0x00007f280d6f3d45 cipher_hw_aesni_initkey
    (libcrypto.so.3 + 0x2f3d45)
                    #2  0x00007f280d7397fb cipher_generic_init_internal
    (libcrypto.so.3 + 0x3397fb)
                    #3  0x00007f280d7398cb ossl_cipher_generic_einit
    (libcrypto.so.3 + 0x3398cb)
                    #4  0x00007f280d60993b EVP_CipherInit_ex (libcrypto.so.3
    + 0x20993b)
                    #5  0x0000560b2e1246f3 AES_SIV_Init (ntpd + 0x4c6f3)
                    #6  0x0000560b2e1255df AES_SIV_Decrypt (ntpd + 0x4d5df)
                    #7  0x0000560b2e10f40d nts_unpack_cookie (ntpd +
    0x3740d)
                    #8  0x0000560b2e10f85b extens_server_recv (ntpd +
    0x3785b)
                    #9  0x0000560b2e0f78ce receive (ntpd + 0x1f8ce)
                    #10 0x0000560b2e0ed8ea read_network_packet (ntpd +
    0x158ea)
                    #11 0x0000560b2e0ef3cf input_handler (ntpd + 0x173cf)
                    #12 0x0000560b2e0e819f mainloop (ntpd + 0x1019f)
                    #13 0x00007f280d16718a __libc_start_call_main (libc.so.6
    + 0x2718a)
                    #14 0x00007f280d167245 __libc_start_main_impl (libc.so.6
    + 0x27245)
                    #15 0x0000560b2e0e84e1 _start (ntpd + 0x104e1)
                    ELF object binary architecture: AMD x86-64
    
    GNU gdb (Debian 13.1-3) 13.1
    Copyright (C) 2023 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <https://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from /usr/sbin/ntpd...
    Reading symbols from
    /usr/lib/debug/.build-id/8b/c6f9398efb6b8c446b2d719831f5738d563c84.debug...
    [New LWP 61726]
    
    This GDB supports auto-downloading debuginfo from the following URLs:
      <https://debuginfod.debian.net>
    Enable debuginfod for this session? (y or [n]) y
    Debuginfod has been enabled.
    To make this setting permanent, add 'set debuginfod enabled on' to
    .gdbinit.
    Downloading separate debug info for
    /lib/x86_64-linux-gnu/libnss_systemd.so.2
    Downloading separate debug info for /lib/x86_64-linux-gnu/libgcc_s.so.1
    Downloading separate debug info for system-supplied DSO at
    0x7ffc94772000
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library
    "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Core was generated by `/usr/sbin/ntpd -p /run/ntpd.pid -c
    /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  aesni_set_encrypt_key () at crypto/aes/aesni-x86_64.s:4104
    Download failed: Invalid argument.  Continuing without source file
    ./build_shared/crypto/aes/aesni-x86_64.s.
    4104    crypto/aes/aesni-x86_64.s: No such file or directory.
    (gdb) bt
    #0  aesni_set_encrypt_key () at crypto/aes/aesni-x86_64.s:4104
    #1  0x00007f280d6f3d45 in cipher_hw_aesni_initkey (dat=0x560b2f082b50,
        key=<optimized out>, keylen=<optimized out>)
        at ../providers/implementations/ciphers/cipher_aes_hw_aesni.inc:37
    #2  0x00007f280d7397fb in cipher_generic_init_internal
    (ctx=0x560b2f082b50,
        key=0x10 <error: Cannot access memory at address 0x10>, keylen=16,
    iv=0x0,
        ivlen=0, params=0x0, enc=1)
        at ../providers/implementations/ciphers/ciphercommon.c:218
    #3  0x00007f280d7398cb in ossl_cipher_generic_einit (vctx=<optimized
    out>,
        key=<optimized out>, keylen=<optimized out>, iv=<optimized out>,
        ivlen=<optimized out>, params=<optimized out>)
        at ../providers/implementations/ciphers/ciphercommon.c:228
    #4  0x00007f280d60993b in EVP_CipherInit_ex (ctx=<optimized out>,
        cipher=<optimized out>, impl=impl@entry=0x0, key=<optimized out>,
        iv=iv@entry=0x0, enc=enc@entry=1) at ../crypto/evp/evp_enc.c:412
    #5  0x00007f280d60995b in EVP_EncryptInit_ex (ctx=<optimized out>,
        cipher=<optimized out>, impl=impl@entry=0x0, key=<optimized out>,
        iv=iv@entry=0x0) at ../crypto/evp/evp_enc.c:450
    #6  0x0000560b2e1246f3 in AES_SIV_Init (ctx=ctx@entry=0x560b2f01e5b0,
        key=key@entry=0x0, key_len=<optimized out>)
        at ../../libaes_siv/aes_siv.c:329
    #7  0x0000560b2e1255df in AES_SIV_Decrypt (ctx=0x560b2f01e5b0,
        out=out@entry=0x7ffc94695850 "\001",
    out_len=out_len@entry=0x7ffc94695848,
        key=key@entry=0x0, key_len=<optimized out>,
        nonce=nonce@entry=0x560b2ef65364
    "t\347CoA\av\236TA\022\200xge\270r\302\027\020\234\215\262\210\rv\324wtM벧\264\230pC\356@4:\336g",
    nonce_len=16,
        ciphertext=0x560b2ef65374
    "r\302\027\020\234\215\262\210\rv\324wtM벧\264\230pC\356@4:\336g",
    ciphertext_len=80, ad=0x560b2ef65360 "", ad_len=20)
        at ../../libaes_siv/aes_siv.c:582
    #8  0x0000560b2e10f40d in nts_unpack_cookie (cookie=0x560b2ef65360 "",
        cookielen=100, aead=aead@entry=0x7ffc94695962,
        c2s=c2s@entry=0x560b2ef663e8 "", s2c=s2c@entry=0x560b2ef66428 "",
        keylen=keylen@entry=0x560b2ef663e4) at ../../ntpd/nts_cookie.c:428
    #9  0x0000560b2e10f85b in extens_server_recv (
        ntspacket=ntspacket@entry=0x560b2ef66394,
        pkt=pkt@entry=0x560b2ef65308 "#", lng=<optimized out>)
        at ../../ntpd/nts_extens.c:182
    #10 0x0000560b2e0f78ce in receive (rbufp=rbufp@entry=0x560b2ef652c0)
        at ../../ntpd/ntp_proto.c:800
    #11 0x0000560b2e0ed8ea in read_network_packet (fd=fd@entry=19,
        itf=itf@entry=0x560b2ef6de60) at ../../ntpd/ntp_io.c:2243
    #12 0x0000560b2e0ef3cf in input_handler (fds=0x7ffc94696bf0)
        at ../../ntpd/ntp_io.c:2373
    #13 io_handler () at ../../ntpd/ntp_io.c:2280
    #14 0x0000560b2e0e819f in mainloop () at ../../ntpd/ntpd.c:940
    #15 main (argc=9, argv=<optimized out>) at ../../ntpd/ntpd.c:881
    (gdb)

Edited Jul 22, 2023 by James Browning

CVE-2023-4012: segfault in libcrypto.so (#794) · Issues · NTPsec / ntpsec · GitLab

By Habiba Rashid
A new investigation by cybersecurity researcher Jeremiah Fowler from VPNmentor reveals an elaborate cryptocurrency scam that employs over 300 fake websites to steal funds from unsuspecting victims and lure new investors.
This is a post from HackRead.com Read the original post: Researcher Exposes Cryptocurrency Scam Network of 300 Domains

*   **The new investigation uncovers intricate cryptocurrency scams exploiting victims’ trust.**
*   **Scammers pose as acquaintances, directing victims to professional-looking fake websites with fabricated financial data.**
*   **Victims are enticed with minor withdrawals and encouraged to recruit friends and family into the scheme.**
*   **Withdrawal attempts lead to demands for additional fees, trapping victims in a cycle of payments.**
*   **The investigation exposes a vast network of nearly 300 websites, pointing to an international scam operation.**

In a digital age where financial opportunities and risks coexist, the world of cryptocurrency investment has become a breeding ground for fraudulent activities. As more novice investors enter the crypto market seeking substantial returns, scammers have devised increasingly sophisticated schemes to prey on their aspirations. A recent investigation by Jeremiah Fowler from VPNmentor reveals the intricate workings of these scams. 

The scam begins with social engineering tactics, exploiting victims’ trust by posing as acquaintances who have reaped benefits from the fraudulent investment scheme. Victims are provided with website links, often adorned with professional designs and fabricated graphs, projecting fake deposits and withdrawals. The illusion of legitimacy is bolstered by the inclusion of trust logos from renowned credit cards and payment methods.

Once victims invest, they may receive minor withdrawals and even modest profits, cementing their belief in the scam. The fraudsters escalate the deception by offering multi-tiered membership levels, promising exorbitant returns as high as 20%. Manipulating human psychology, they encourage victims to enlist friends and family, leveraging their established relationships to lure more investors into the scheme.

Reality strikes when victims attempt to withdraw their investments, only to be met with demands for additional fees. These fraudulent fees act as a barrier to prevent victims from accessing their funds, driving them into a nightmarish cycle of further payments. As the investigator’s account reveals, scammers are relentless in their pursuit of more money, resorting to threats and intimidation when victims refuse to comply.

According to the report shared by VPNmentor with Hackrad.com, delving into the digital footprints of these scams, the investigator uncovered a sprawling network of nearly 300 websites. While the domains were often masked by privacy protection, their investigation led to domains registered to individuals in Nigeria and the US, pointing towards an international network of scammers.

Names of hosting and domain registrars where scam domains have been provided services (1) – A victim revealing they have been scammed (2) (Screenshot via: VPNmentor)

As this exposé unravels the intricacies of these scams, it also sheds light on the industry’s need for reform. Hosting providers and domain registrars play a pivotal role in enabling these fraudulent operations to thrive.

While generating substantial revenue, these entities often lack measures to thwart cybercriminals abusing their services. Suggestions for change include the implementation of Know Your Customer (KYC) systems, akin to those used by banks, to validate the identity of domain registrants and deter anonymous registrations.

The lesson for potential investors is clear: meticulous research and scepticism are vital when considering crypto investments. To avoid falling victim to scams, investors must verify the credibility of companies, seek independent advice, and refrain from making hasty decisions under pressure.

By promoting awareness and advocating for industry regulations, stakeholders can contribute to a safer and more secure crypto landscape, sparing countless individuals from the devastating consequences of investment scams.

**RELATED ARTICLES**

1.  13 Domains Linked to DDoS-For-Hire Services Seized
2.  Scammers Netted $7.7 Billion worth of Cryptocurrency in 2021
3.  US Seizes 7 Domains used in Pig Butchering Cryptocurrency Scam
4.  170 fraudulent Android apps scamming cryptocurrency enthusiasts
5.  42,000 phishing domains discovered masquerading as popular brands
6.  Microsoft pwns domains used by hackers for large-scale cyber attacks

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Researcher Exposes Cryptocurrency Scam Network of 300 Domains

Since 2018, a dedicated team within Microsoft has attacked machine learning systems to make them safer. But with the public release of new generative AI tools, the field is already evolving.

For most people, the idea of using artificial intelligence tools in daily life—or even just messing around with them—has only become mainstream in recent months, with new releases of generative AI tools from a slew of big tech companies and startups, like OpenAI's ChatGPT and Google's Bard. But behind the scenes, the technology has been proliferating for years, along with questions about how best to evaluate and secure these new AI systems. On Monday, Microsoft is revealing details about the team within the company that since 2018 has been tasked with figuring out how to attack AI platforms to reveal their weaknesses.

In the five years since its formation, Microsoft's AI red team has grown from what was essentially an experiment into a full interdisciplinary team of machine learning experts, cybersecurity researchers, and even social engineers. The group works to communicate its findings within Microsoft and across the tech industry using the traditional parlance of digital security, so the ideas will be accessible rather than requiring specialized AI knowledge that many people and organizations don't yet have. But in truth, the team has concluded that AI security has important conceptual differences from traditional digital defense, which require differences in how the AI red team approaches its work.

“When we started, the question was, ‘What are you fundamentally going to do that’s different? Why do we need an AI red team?’” says Ram Shankar Siva Kumar, the founder of Microsoft's AI red team. “But if you look at AI red teaming as only traditional red teaming, and if you take only the security mindset, that may not be sufficient. We now have to recognize the responsible AI aspect, which is accountability of AI system failures—so generating offensive content, generating ungrounded content. That is the holy grail of AI red teaming. Not just looking at failures of security but also responsible AI failures.”

Shankar Siva Kumar says it took time to bring out this distinction and make the case that the AI red team's mission would really have this dual focus. A lot of the early work related to releasing more traditional security tools like the 2020 Adversarial Machine Learning Threat Matrix, a collaboration between Microsoft, the nonprofit R&D group MITRE, and other researchers. That year, the group also released open source automation tools for AI security testing, known as Microsoft Counterfit. And in 2021, the red team published an additional AI security risk assessment framework.

Over time, though, the AI red team has been able to evolve and expand as the urgency of addressing machine learning flaws and failures becomes more apparent. 

In one early operation, the red team assessed a Microsoft cloud deployment service that had a machine learning component. The team devised a way to launch a denial of service attack on other users of the cloud service by exploiting a flaw that allowed them to craft malicious requests to abuse the machine learning components and strategically create virtual machines, the emulated computer systems used in the cloud. By carefully placing virtual machines in key positions, the red team could launch “noisy neighbor” attacks on other cloud users, where the activity of one customer negatively impacts the performance for another customer.

The red team ultimately built and attacked an offline version of the system to prove that the vulnerabilities existed, rather than risk impacting actual Microsoft customers. But Shankar Siva Kumar says that these findings in the early years removed any doubts or questions about the utility of an AI red team. “That’s where the penny dropped for people,” he says. “They were like, ‘Holy crap, if people can do this, that’s not good for the business.’”

Crucially, the dynamic and multifaceted nature of AI systems means that Microsoft isn't just seeing the most highly resourced attackers targeting AI platforms. “Some of the novel attacks we’re seeing on large language models—it really just takes a teenager with a potty mouth, a casual user with a browser, and we don’t want to discount that,” Shankar Siva Kumar says. “There are APTs, but we also acknowledge that new breed of folks who are able to bring down LLMs and emulate them as well.”

As with any red team, though, Microsoft's AI red team isn't just researching attacks that are being used in the wild right now. Shankar Siva Kumar says that the group is focused on anticipating where attack trends may go next. And that often involves an emphasis on the newer AI accountability piece of the red team's mission. When the group finds a traditional vulnerability in an application or software system, they often collaborate with other groups within Microsoft to get it fixed rather than take the time to fully develop and propose a fix on their own. 

“There are other red teams within Microsoft and other Windows infrastructure experts or whatever we need,” Shankar Siva Kumar says. “The insight for me is that AI red teaming now encompasses not just security failures, but responsible AI failures.”

Microsoft’s AI Red Team Has Already Made the Case for Itself

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix.

While exploring the security aspects of ManageEngine ADAudit Plus I discovered a security vulnerability (CVE-2023-32783) that may have far-reaching implications for other product users.

My findings indicate that ADAudit Plus contains a vulnerability allowing Windows user accounts to remain completely invisible to ADAudit Plus. User accounts leveraging this vulnerability will be undetected by ADAudit Plus, and all audit and security events raised by that user will be missed (i.e., Windows accounts logging in successfully or unsuccessfully). This vulnerability poses a potentially significant risk to organizations relying on ADAudit Plus to perform audit, compliance, and security functions accurately.

Following responsible disclosure guidelines, I secured the CVE but withheld public disclosure of the vulnerability for 90 days, allowing ManageEngine adequate time to address the issue or work with me on a timeline. Unfortunately, despite communication attempts, I could only get them to acknowledge but couldn't get them to provide any updates or collaborate. The 90-day disclosure period has expired, and this CVE is now public.

**Steps to Reproduce**

**1\. Setup:**

*   Install ManageEngine ADAudit Plus (Version: 7.1.1) on a Windows machine designated to monitor Windows Event Log activity for user accounts (e.g., a domain controller or event forwarding server).
    
*   Access the ADAudit Plus portal page at http://localhost:8081.
    
*   Navigate to the Reports section and select "User Logon Activity" (or any other report screen that displays user activities).
    

**2\. Execution:**

*   Carry out actions that trigger the generation of Windows event logs, such as logging into machines using domain accounts, locking screens, attempting logins with incorrect passwords, etc. ADAudit Plus will successfully detect all these activities, as advertised.
    

**3\. Exploit:**

*   Create a new user account on any machine that will generate Windows Event Logs to be observed by ADAudit Plus. Ensure the user account ends with a "$" symbol (e.g., "duser$").
    

*   Log in using this new account (in this example, "duser$") and perform various actions that result in creating Windows Event Logs.
    
*   Observe that the ADAudit Plus portal does not recognize this user, and any actions taken by the user (whether successful or not) do not appear in any of the user or activity reports.
    
*   Note that any user previously observed by ADAudit Plus will become invisible if they rename their user login to end with a '$' symbol.
    

**Threat Vector**

A malicious user, whether internal or external to the org, aware of this vulnerability can create a new or rename an existing user account to have a $ suffix, and then move undetected across different machines and perform different actions that are all undetected by ADAudit Plus.

**Severity: "Medium to High"**

Rated "Medium to High" for the following reasons:

1.  This product is extensively utilized by organizations that depend on its accurate execution of audit, compliance, and security tasks.
    
2.  The simplicity of exploitation
    
3.  The potential impact on an organization's threat detection capabilities, given the possible invisibility of an adversary
    
4.  Suspected Issue and Proposed Solution
    

**Suspected Issue and Proposed Solution**

Windows Event Logs are notoriously challenging to work with, leading to a demand for products that can filter out the noise and extract meaningful information. I suspect the ADAudit Plus code may examine event properties, match the “TargetUserName,” and disregards any entry ending with a "$." and that AD Audit Plus incorrectly assumes that such entries only represent system accounts leading to the vulnerability described. Consequently, a legitimate Windows user account (non-system) would be invisible to the product.

The solution would be to avoid relying on the "$" suffix to identify system accounts to distinguish user accounts from system accounts more accurately.

CVE-2023-32783: ManageEngine ADAudit Plus  (CVE-2023-32783)

Red Hat Security Advisory 2023-4488-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift support for Windows Containers 6.0.1[security update]  
Advisory ID:       RHSA-2023:4488-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4488  
Issue date:        2023-08-07  
CVE Names:         CVE-2020-24736 CVE-2022-27191 CVE-2022-30629  
                   CVE-2022-35252 CVE-2022-36227 CVE-2022-43552  
                   CVE-2023-0361 CVE-2023-1667 CVE-2023-2283  
                   CVE-2023-25173 CVE-2023-26604 CVE-2023-27535  
====================================================================  
1. Summary:

The components for Red Hat OpenShift support for Windows Containers 6.0.1  
are now available. This product release includes bug fixes and security  
update for the following packages: windows-machine-config-operator and  
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift support for Windows Containers allows you to deploy  
Windows container workloads running on Windows Server containers.

Security Fix(es):

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)  
* containerd: supplementary groups are not set up properly (CVE-2023-25173)  
* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-10418 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace  
OCPBUGS-11831 - oc adm node-logs failing in vSphere CI  
OCPBUGS-15435 - Instance configurations fails on Windows Server 2019 without the container feature  
OCPBUGS-3572 - Check if Windows defender is running doesnt work  
OCPBUGS-4247 - Load balancer shows connectivity outage during Windows nodes upgrade  
OCPBUGS-5894 - Windows nodes do not get drained (deconfigure) during the upgrade process  
OCPBUGS-7726 - WMCO kubelet version not matching OCP payload's one  
OCPBUGS-8055 - containerd version is being misreported  
WINC-818 - Investigate if the Upgradeable condition is being tested in e2e suite  
WINC-823 - Test generated community manifests in WMCO e2e

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2022-27191  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-35252  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-43552  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-25173  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk0FTNAAoJENzjgjWX9erECFMQAJK2kwpbtRBzWge5z/BMC5Bh  
vXPuB0Ga9LEbL4y9WrrRATD31Mojhw4Il19Y4fMFo2yw3lRcb1Lleg0OCqCoUwgx  
RIQm7WYmmlRs+tIb8lJAqG03/ih7G71CY9tzIyEwNPcSengxrwUZEl0UCe2r52zX  
JAEZbuK5GVkWql2rqYSxvH8O7VCxPHfwSTxvpB23kbrocUILmIvCt17bRZ8XE1nW  
pbgY+VW4sBXWRCB2kgkwgP4GHJTnOve1Mgyxln1s8MTbVdUC9aNRG2pfZSV2v+42  
VVwT1NX5OgWZTyvJfW878xYGTBoMLJlNGIlRzigwJWxcwwnHnpXbfSg41yE6PBPC  
3IhateHGCGuwQOaUkUUYbNTt+LU4huyM/fvAx1rLJgs0ONTURgLZOJPpgDrNGvSp  
zqf6+iXvgO3CAAKaLCUY2pYchVyOaKPxPiTFLirbH8y2PGbmlEne15qw0i3f5ePC  
V3/evN4L/CMkru8fAw0pp4b8SkZVTxUPub5IgDIA/FGdMLb2VtZJhKFuIzoYdSoQ  
+FC//QoMaouUqMDK9AptuON//3H3Tkk76iIqRFPv6Ve8EHZzgMrY1kaL6A6+a3k1  
Rt/Mr37y98JaonqYt40oIG4Fbtjf/6XIHUnWZMfcZwcTKuaoJfsvCjP5s2CS1d2R  
i9r21xzcEQd8TFmq5CQR  
=Rxx9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4488-01

By Habiba Rashid
Revolutionary AI Model Predicts Keystrokes Through Sound: A New Wave of Acoustic Attacks.
This is a post from HackRead.com Read the original post: AI Model Listens to Typing, Potentially Compromising Sensitive Data

1.  **Cornell researchers unveil AI model decoding keyboard inputs from audio signals.**
2.  **New attack predicts keystrokes by analyzing acoustic signatures of different keys.**
3.  **Implications for data security and emergence of acoustic cyberattacks raise concerns.**
4.  **AI model achieves 93% accuracy, setting a new record for audio-based classification systems.**
5.  **Countermeasures like noise introduction can reduce accuracy, limiting widespread malicious use.**

Researchers at Cornell University have unveiled a groundbreaking deep-learning model capable of deciphering keyboard input solely from audio signals. This pioneering advancement, led by Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad, has significant implications for data security and the emergence of acoustic cyberattacks.

In a recently published paper titled “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards,” the Cornell team introduced an Artificial intelligence (AI) model capable of accurately predicting keystrokes by analyzing the unique acoustic signatures produced by different keys on a keyboard.

The technique involves training the model to associate specific audio patterns with corresponding characters, allowing it to virtually ‘listen’ to typing and transcribe it with astonishing accuracy.

Traditional cyberattacks often exploit software vulnerabilities or rely on phishing tactics, but this new wave of attacks leverages the physical characteristics of keyboards, emphasizing the significance of sound as a potential security vulnerability. The implications are far-reaching, as this method could compromise user passwords, conversations, messages, and other sensitive information.

The team’s research indicates that the model achieves an impressive accuracy rate of 93% when trained using Zoom recordings, marking a new record for audio-based classification systems. The process of training the model involves exposing it to multiple instances of each keystroke on a specific keyboard. The researchers utilized a MacBook Pro, pressing each of its 36 keys 25 times to develop a comprehensive dataset for training.

Screenshot (Arxiv)

Despite its remarkable potential, the AI model does come with certain limitations and vulnerabilities. Changing typing styles or utilizing touch typing can significantly reduce the model’s accuracy, dropping it to a range of 40% to 64%. Additionally, countermeasures like introducing noise to the audio signal can obfuscate the keystrokes and diminish the model’s accuracy.

However, the researchers are clear that the model’s effectiveness is dependent on the specific keyboard’s sound profile. This dependence restricts the applicability of the attack to keyboards with similar acoustic characteristics, limiting its scope for widespread malicious use.

As the digital landscape evolves, the arms race between cyberattacks and defence measures continues to escalate. The development of AI-based acoustic side-channel attacks underscores the need for enhanced security measures, including innovative noise-cancellation solutions like NVIDIA’s RTX Broadcast, which can counteract these types of attacks.

For a comprehensive exploration of the Cornell team’s findings and methodologies, readers can refer to the official research paper (PDF) available for further study. As the boundaries of AI and cybersecurity continue to blur, understanding these advancements is crucial for individuals and organizations to stay ahead of potential threats.

**RELATED ARTICLES**

1.  AI-based Model to Predict Extreme Wildfire Danger
2.  Stealing data from air-gapped PC by turning RAM into Wi-Fi Card
3.  Locating malicious drone operators through deep neural networks
4.  Hackers Can Now Steal Data from Air-Gapped PCs via SATA Cables
5.  Malware can extract data from air-gapped PC through power supply

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

AI Model Listens to Typing, Potentially Compromising Sensitive Data

Coupons CMS version 6.00 suffers from an open redirection vulnerability.

**Coupons CMS 6.00 Open Redirection**

Posted Aug 7, 2023

Authored by indoushka

Coupons CMS version 6.00 suffers from an open redirection vulnerability.

tags | exploit

SHA-256 | 6f1d614850036145fc311bc9ae50d863cc9b83863f612a7fda85ed6a6e596b35

Download | Favorite | View

**Coupons CMS 6.00 Open Redirection**

    ====================================================================================================================================| # Title     : Coupons CMS v6.00 URL redirection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro                                                   |  | # Dork      : Powered by CouponsCMS.com                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+]  use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1[+]  http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,889)
*   Arbitrary (16,186)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,273)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,341)
*   DoS (23,405)
*   Encryption (2,369)
*   Exploit (51,802)
*   File Inclusion (4,221)
*   File Upload (972)
*   Firewall (821)
*   Info Disclosure (2,765)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,688)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,600)
*   Python (1,534)
*   Remote (30,742)
*   Root (3,579)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,883)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,354)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,754)
*   Web (9,655)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,919)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,807)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,382)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,683)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,797)
*   UNIX (9,286)
*   UnixWare (186)
*   Windows (6,568)
*   Other

Coupons CMS 6.00 Open Redirection

Two different North Korean nation-state actors have been linked to a cyber intrusion against the major Russian missile engineering company NPO Mashinostroyeniya.
Cybersecurity firm SentinelOne said it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed

Two different North Korean nation-state actors have been linked to a cyber intrusion against the major Russian missile engineering company NPO Mashinostroyeniya.

Cybersecurity firm SentinelOne said it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed OpenCarrot.

The breach of the Linux email server has been attributed to ScarCruft. OpenCarrot, on the other hand, is a known implant previously identified as used by the Lazarus Group. The attacks were flagged in mid-May 2022.

A rocket design bureau based in Reutov, NPO Mashinostroyeniya was sanctioned by the U.S. Treasury Department in July 2014 in connection to "Russia's continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea."

While both ScarCruft (aka APT37) and the Lazarus Group are affiliated to North Korea, it's worth noting that the former is overseen by the Ministry of State Security (MSS). Lazarus Group is part of Lab 110, which is a constituent of the Reconnaissance General Bureau (RGB), the country's primary foreign intelligence service.

The development marks a rare convergence where two North Korea-based independent threat activity clusters have targeted the same entity, indicating a "highly desirable strategic espionage mission" that could benefit its controversial missile program.

OpenCarrot is implemented as Windows dynamic-link library (DLL) and supports over 25 commands to conduct reconnaissance, manipulate file systems and processes, and manage several communication mechanisms.

"With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination of multiple infections across a local network," security researchers Tom Hegel and Aleksandar Milenkoski said.

The exact method used to breach the email server remains unknown, although the group is known to rely on social engineering to phish victims and deliver backdoors like RokRat.

What's more, a closer inspection of the attack infrastructure has revealed two domains centos-packages\[.\]com and redhat-packages\[.\]com, which bears similarities to the names of the threat actors used in the JumpCloud hack in June 2023.

"This incident stands as a compelling illustration of North Korea's proactive measures to covertly advance their missile development objectives, as evidenced by their direct compromise of a Russian Defense-Industrial Base (DIB) organization," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Targets Russian Missile Engineering Firm

Cisco Talos is seeing an increasing number of ransomware variants emerge, since 2021,  leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

Monday, August 7, 2023 08:08

Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.

This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders — components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

**Code leaks are benefitting threat actors**

Since September 2021, we have seen actors publicly disclosing source code and builders for prominent ransomware families, including Babuk, Conti, LockBit 3.0 and Chaos. In some cases, such as LockBit 3.0’s ransomware builder, these leaks have been intentional, with affiliates posting these tools and codes to protest against broader group policies they are unhappy with. In other instances, such as the Babuk source code, the leaks were seemingly an operational error. Regardless of the cause, these leaks are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.

Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware’s behavior. It is usually complex and often requires skilled technicians to create. Therefore, having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants.

Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed. The availability of such builders allows novice actors to generate their own customized ransomware variants. An example of a leaked Chaos ransomware builder V5 is shown in the picture below.

When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code. Additionally, by using leaked source code, threat actors can confuse or mislead investigators, as security professionals may be more likely to misattribute the activity to the wrong actor.

**New variants based on leaked code are becoming more common**

We have continued seeing various malicious campaigns since the start of 2023, where the threat actors have used new ransomware variants based on leaked source code or builders. Early this year, Talos discovered a new ransomware family called MortalKombat generated by the leaked Xorist ransomware builder. Xorist ransomware, which operates under the RaaS model, has a builder called “Encoder Builder v.24” that is available on underground forums. Based on our research, we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies. This campaign has a multi-stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments, a legitimate global cryptocurrency payment gateway.

In April, Talos discovered a new ransomware actor, RA Group, conducting double extortion attacks using their ransomware variant based on leaked Babuk source code. Babuk, a Russian ransomware group that emerged in 2021, has conducted a series of high-profile ransomware attacks across various industries, including government, healthcare, logistics, and professional services. Since an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, several new variants based on the leaked code have emerged, with many appearing in 2023, including ESXiArgs, Rorschach and RTM Locker, in addition to RA Group. RA Group, in its ongoing campaigns, has targeted the U.S., South Korea, Taiwan, the U.K. and India across several business verticals, including manufacturing, wealth management, insurance providers, pharmaceuticals and financial management consulting companies.

Most recently, Talos observed a surge in new ransomware strains emerging from the Yashma ransomware builder. Yashma ransomware builder, which first appeared in May 2022, is a rebranded version of the Chaos ransomware builder V5, which was leaked in April 2022. Since early 2023, we have seen several new Yashma strains emerge, including ANXZ, Sirattacker, and Shadow Men Team. Shadow Men Team — whose name we derived from a translation of their Hindi name in the ransom note — appears to be a new actor in the ransomware space. The actors appear to target victims in Kuwait, as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. dollar equivalent in Bitcoin.

Another new actor we discovered, seemingly of Vietnamese origin, uses a Yashma ransomware variant to target victims in Bulgaria, China, Vietnam and other countries. The campaign started in at least June 2023, and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017.

**Actors repurposing leaked code are demanding low ransom payments  
**

Cybercriminals leveraging leaked code and builders are seemingly more conservative in their ransom demands, a possible indication that they are lone wolf operators, proceeding cautiously as they test their new variants or are new players in this space. Actors behind many of these new ransomware variants, including Sirattacker, Chaos 2.0, Chaos 4.0, DCrypt, and Shadow Men Team, are demanding payments ranging from USD $3.50 to $4,390 in Bitcoin from victims. These ransom demands are significantly lower than those made by many well-known ransomware gangs like RYUK, Babuk, REvil, Conti, DarkSide, BlackMatter, BlackCat, and Yanluowang, which are typically in the millions of dollars. These more profitable groups usually operate under the RaaS model, meaning their affiliates are free to set their own (often high) ransom demands, and/or are structured so they pay their operators and developers, thereby driving up the amount of money they seek to take in during the course of their operations.

Below is a comparison of ransom demands made by actors using leaked code or builders and well-known ransomware gangs.

**Opportunities for security researchers and defenders**

While these changes in the threat landscape have largely benefitted threat actors, security researchers and defenders also have an advantage with access to the leaked code. It allows security researchers to analyze the source code and understand the attacker’s tactics, techniques and procedures (TTPs), which helps security professionals develop effective detection rules and enhance security products' capabilities in combating ransomware threats.

By analyzing the source code, researchers can identify similar patterns and techniques used by different threat actors, providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack. Security researchers can also share the intelligence information derived from the leaked code with the broader security community, thereby contributing to strengthening the cybersecurity space. By understanding the TTPs of the leaked source codes, defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors.

Code leaks are causing an influx of new ransomware actors

Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023 with customized Yashma ransomware.

Monday, August 7, 2023 08:08

*   Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023.
*   This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics.
*   The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.

**Threat actor analysis**

Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.

Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone. We also spotted a slight difference in the Vietnamese language ransom note, as it starts with, “Sorry, your file is encrypted!” in contrast to the others that begin with, “Oops, your files are encrypted!” By saying “sorry,” the threat actor may have intended to show a heightened sensitivity toward victims in Vietnam, which could indicate the attackers themselves are Vietnamese.

We further assess the threat actor began this campaign around June 4, 2023, because they joined GitHub and created a public repository called “Ransomware” on that date, which overlaps with the compilation date of the ransomware binary. In the repository, they added ransom note text files in five languages: English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese.

GitHub repository that contains ransom notes.

**Ransom note**

The actor demands the ransom payment in Bitcoins to the wallet address “bc1qtd4qv0wmgtu2rdr0wr8tka2jg44cgmz04z5mc7” and they double the ransomware price if the victim fails to pay within three days, according to our ransomware note analysis. The actor has an email address, “nguyenvietphat\[.\]n\[at\]gmail\[.\]com,” for the victims to contact them. At the time of our analysis, we had not observed any Bitcoin in the wallet, and the ransom note did not specify an amount, indicating the ransomware operation might still be in a nascent stage.

The ransom note text resembles the well-known WannaCry ransom note, possibly to obfuscate the threat actor’s identity and confuse incident responders.

The ransom note for WannaCry ransomware.

Ransom notes samples of the Yashma variant.

After encryption, the Yashma ransomware variant sets the wallpaper on the victim’s machine, as seen in the image below. It seems that the operator downloaded this picture from www\[.\]FXXZ\[.\]com and embedded it in the Yashma variant binary. The wallpaper set by the Yashma variant in the victim’s machine also mimics the WannaCry ransomware.

Yashma variant wallpaper (left) and WannaCry wallpaper (right).

**Customized Yashma ransomware variant**

The actor deployed a variant of Yashma ransomware, which they compiled on June 4, 2023.  Yashma is a 32-bit executable written in .Net and a rebranded version of Chaos ransomware V5, which appeared in May 2022. In this variant, most of Yashma’s features remained unchanged and have been described by the security researchers at Blackberry, with the exception of a few notable modifications.

Usually, ransomware stores the ransom note text as strings in the binary. However, this variant of Yashma executes an embedded batch file, which has the commands to download the ransom note from the actor-controlled GitHub repository. This modification evades endpoint detection solutions and anti-virus software, which usually detect embedded ransom note strings in the binary.

Contents of the batch file.

Earlier versions of the Yashma ransomware established persistence on the victim machine in the Run registry key and by dropping a Windows shortcut file pointing to the ransomware executable path in the startup folder. The variant we observed also established persistence in the Run registry key. Still, it was modified to create a “.url” bookmark file in the startup folder that points to the dropped executable located at “%AppData%\\Roaming\\svchost.exe”.

A function that creates the bookmark file.

One notable feature the threat actor chose to keep in this variant is Yashma’s anti-recovery capability. After encrypting a file, the ransomware wipes the contents of the original unencrypted files, writes a single character “?” and then deletes the file. This technique makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victim’s hard drive.

The code snippet shows the anti-recovery feature of the ransomware.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are **62131 - 62143 and 300633 - 300638.**

ClamAV detections are available for this threat:

Win.Ransomware.Hydracrypt-9878672-0

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**IOCs**

Indicators of Compromise associated with this threat can be found here.

Tag

#mac