A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names.

** PSIRT Advisories**

**FortiAnalyzer - CSV injection in macro name**

**Summary**

An improper neutralization of formula elements vulnerability (CWE 1236) in FortiAnalyzer may allow a local authenticated privileged attacker to execute arbitrary code on the end-user's host via inserting spreadsheet formulas in the macro names. This is achieved once the user downloads and opens the CSV report files.

**Affected Products**

FortiAnalyzer version 7.2.0 through 7.2.1  
FortiAnalyzer version 7.0.0 through 7.0.5  
FortiAnalyzer 6.4 all versions

**Solutions**

Please upgrade to FortiAnalyzer version 7.2.2 or above  
Please upgrade to FortiAnalyzer version 7.0.6 or above

**Acknowledgement**

Fortinet is pleased to thank Andrea Acampa for reporting this vulnerability under responsible disclosure

CVE-2023-25611: Fortiguard

An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiAnalyzer versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4 and 6.4.0 through 6.4.10 may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer

** PSIRT Advisories**

**FortiAnalyzer -- the log-fetch client request password is shown in clear text in the heartbeat response**

**Summary**

An exposure of sensitive information to an unauthorized actor \[CWE-200\] vulnerability in FortiAnalyzer may allow a remote authenticated  attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer  
 

**Affected Products**

FortiAnalyzer version 7.2.0 through 7.2.1  
FortiAnalyzer version 7.0.0 through 7.0.4  
FortiAnalyzer version 6.4.0 through 6.4.10

**Solutions**

Please upgrade to FortiAnalyzer version 7.2.2 or above  
Please upgrade to FortiAnalyzer version 7.0.5 or above  
Please upgrade to FortiAnalyzer version 6.4.11 or above

CVE-2023-23776: Fortiguard

By Waqas
Currently, in its cyber espionage campaign, Sharp Panda hackers are targeting government entities in Asia.
This is a post from HackRead.com Read the original post: Chinese Sharp Panda Group Unleashes SoulSearcher Malware

****It is currently unclear whether a single actor is responsible for the Soul framework, but it is confirmed that it is attributed to a Chinese group.****

The cybersecurity researchers at Check Point have shared their findings of a campaign discovered in late 2020 in which the initial infection vector is the same as previously associated with a **Chinese APT group** dubbed Sharp Panda.

In their latest campaign, government entities in Southeast Asia have been the target. Researchers state that Sharp Panda has been involved in multiple campaigns targeting Southeast Asian countries including Vietnam, Thailand, and Indonesia.

**Chinese Espionage Group Drop SoulSearcher Loader**

The group has changed their tactics in this campaign, as instead of using VictoryDll, they are using the new version of SoulSearcher loader to load the Soul modular framework. This framework was previously observed in another spying campaign targeting ICT, defense, and healthcare sectors in **Southeast Asia**.

It is currently unclear whether a single actor is responsible for the Soul framework, but it is confirmed that it is attributed to a Chinese group. In this ongoing surveillance operation, Sharp Panda specifically targeted Southeast Asian government entities using **spear-phishing emails** through which they gained initial access to their targets’ networks.

**Email Analysis**

According to Check Point researchers, these emails contain a Word document with government-themed lures. The attackers leveraged a remote template for downloading and executing a malicious RTF document equipped with the **RoyalRoad kit**.

Once it has invaded the network, it initiates a string of in-memory loaders, comprising a custom DLL downloader the researchers named “5.t Downloader,” and another 2nd-stage loader that delivers the final payload.

The final payload previously seen in Sharp Panda campaigns was VictoryDll, which enabled remote access and data theft. In this campaign, the attackers targeted a government entity with a geo-fenced C2 server that delivered a new version of the SoulSearcher loader, which can download, decrypt, and load different modules of the Soul modular backdoor in memory.

**How Does the Attack Work?**

In a **blog post**, researchers wrote that, the downloader is dropped by RoyalRoad RTF as res6.a onto the disk and executed by a scheduled task with rundll32.exe, Start A, the functionality of which is consistent with previous Sharp Panda activities. The C2 servers of the attackers return payloads to requests from the IP addresses of their target locations due to being geofenced.

The infection chain (Image credit: Checkpoint)

Contrary to the attackers’ previous tactics of sending encrypted data using RC4 with base64 encoding, in the new campaign the payload request is issued to the same PHP path with the host parameter specified and both MD5- hashed and in clear-text. The new version is a simpler version of string encryption, with a loop **XORing** an encrypted character.

**What Data is Stolen?**

The downloader collects sensitive device data such as the OS name, hostname, version, username, system type (32- or 64-bit), MAC addresses of the networking adapters, and antivirus software information. If the device is promising enough, the server contains the next stage executable in an encrypted format and its MDS checksum.

1.  **Chinese hackers hide malware in Windows logo**
2.  **Chinese hackers hit Windows, Linux and macOS**
3.  **Chinese hackers hit Group-IB cybersecurity firm**
4.  **Chinese state hackers exploiting Log4j vulnerability**
5.  **Backdoor into FortiOS: Chinese hackers utilize 0-day**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Chinese Sharp Panda Group Unleashes SoulSearcher Malware

Attackers use phishing emails that appear to come from reputable organizations, dropping the payload using public cloud servers and an old Windows UAC bypass technique.

A phishing campaign targeting organizations in Eastern Europe is leveraging an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), to perform cyber espionage across the region, researchers have found.

The campaign uses emails that appear to come from legitimate and highly regarded institutions in the targeted country to lure victims, researchers from SentinelOne revealed in a recent blog post. If successful in getting users to click on a malicious link, attackers leverage the DBatLoader malware loader, which abuses a technique identified more than two years ago to set up mock trusted folders to bypass Windows UAC and drop the RAT, the researchers said.

DBatLoader is known for using public cloud infrastructure to host its malware staging component, the SentinelOne researchers said. In the case of this campaign, they have observed download links to Microsoft OneDrive and Google Drive sites that have been used for this purpose, one of which was active for more than a month, they said.

"When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location," SentinelOne senior threat researcher Aleksandar Milenkoski wrote in the post.

The executable in this case is the Remcos RAT, a malware that threat actors with cybercriminal and espionage motivations widely use to take over computers and collect keystrokes, audio, video, screenshots, and system information as well as deliver other malware, the researchers noted.

Indeed, the campaign observed by SentinelOne is likely linked to reports by the Ukrainian CERT of "phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments," which also deliver the RAT, Milenkoski wrote.

**Reputation-Based Phishing Lures**

Rather than use socially engineered messages in the campaign, attackers rely solely on the reputations of the purported organizations from which the messages are sent to trick victims into taking the bait, the SentinelOne researchers said.

In fact, the messages generally contain no text at all but merely the malicious attachment, they said. In the cases that the messages do include text, it's written in the language of the target’s country, the researchers added. Further, attackers typically send the emails to the sales departments of the targets or publicly available contact email addresses for the organizations. The emails include attachments in the form of tar.lzarchives that typically masquerade as financial documents, such as invoices or tender documentation that appear to originate from institutions or business organizations related to the target. Some attachments purport to be Microsoft Office, LibreOffice, or PDF documents and use double extensions and/or application icons to fool victims.

"Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based," Milenkoski wrote.

"We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations, which are supposedly sending the email," Milenkoski added.

**Abusing Windows UAC Bypass**

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from an aforementioned public cloud location, which then creates and executes an initial Windows batch script in the %Public%\\Libraries directory, the researchers said.

This script abuses a previously identified method for bypassing Windows UAC that involves the creation of mock trusted directories, such as %SystemRoot%\\System32; this allows attackers to conduct activities with elevated privileges without alerting users, the researchers said. Security researcher Daniel Gebert discovered and subsequently revealed the UAC bypass in a July 2020 post on his security blog.

The bypass occurs through a combination of the mock trusted directories and DLL hijacking, which together cause Windows to automatically elevate the process without issuing an UAC prompt, Milenkoski wrote.

The resulting bypass allows DBatLoader to establish persistence across system reboots, by copying itself in the %Public%\\Libraries directory and creating an autorun registry key that points to an Internet Shortcut file, he explained in the post. This executes the DBatLoader executable in the mock directory, which in turn executes the Remcos RAT through process injection.

Researchers observed a wide variety of Remcos RAT configurations on victim systems, most of which were configured for keylogging and screenshot-theft capabilities, "as well as 'duckdns' dynamic DNS domains for command-and-control purposes," Milenkoski wrote.

**Reducing Cyber-Risk & Avoiding Compromise**

Researchers made a number of recommendations to security administrators to dodge the campaign, particularly given its use of DBatLoader coming through on the public cloud.

First and foremost, they advised vigilance against malicious network requests to public cloud instances, noting that attackers' use of public cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate and thus harder for organizations to detect. "This tactic is popular amongst cybercriminals and espionage threat actors," Milenkoski observed.

Researchers also recommended that administrators monitor for suspicious file creation activities in the %Public%\\Library directory, and process-execution activities that involve filesystem paths with trailing spaces, especially \\Windows \\. "The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%\\System32," Milenkoski wrote.

Another tactic for avoiding compromise that administrators should consider is configuring Windows UAC to "always notify," which will always alert users when a program attempts to make changes to computers across a business network, he added.

Researchers also enforced general advice for avoiding phishing compromise in any form by ensuring that administrators and employees alike are aware of what malicious emails look like and how to avoid engaging with them.

Remcos RAT Spyware Scurries Into Machines via Cloud Servers

**REDWOOD CITY, Calif.****,** **March 7, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced new features for its Privilege Manager and DevOps Secrets Vault products. Updates to both products make it more seamless to implement the controls frequently required to secure or renew cyber insurance policies.

Enhancements to Privilege Manager, Delinea's solution for managing privileged access on workstations, focus on policies for Windows Store applications and updates for MacOS Ventura. The latest version of DevOps Secrets Vault, Delinea's high-speed vault for DevOps and DevSecOps teams, makes it easier for developers to install the Command Line Interface (CLI) in their favorite coding console while also providing their own encryption keys.

According to a recent Delinea survey, almost 80% of respondents indicate that they have already used their cyber insurance policies, and only 40% met PAM requirements when they applied for their policies. Credentials hard-coded in applications are a vulnerability that can be exploited, potentially leading to claims that may not be supported when less than 50% of survey respondents' policies cover data recovery. Furthermore, the survey revealed that ransomware attacks often start on workstations, and over 70% of policies will not cover ransomware payments.

**Stronger privilege controls on Windows and Macs**

The latest version of Privilege Manager allows administrators to build policies for applications installed from the Windows Store and other Universal Windows Platform applications, defining which applications are not allowed to run. Enhancements to the native MacOS agent ensure that users on MacOS Ventura have consistent application controls. Both updates make installing ransomware on Windows and Mac workstations more difficult, including those running the latest operating systems from Microsoft and Apple. Other updates include enhancements to the UI that highlight the number of workstations impacted by policy changes and management of certificate credentials.

**Streamlined credential management in the most popular coding consoles**

New CLI installers for DevOps Secrets Vault allow developers to run a native command in their environment to install and begin dynamically injecting credentials into their applications. CLI installers are supported for several of the most popular coding consoles – HomeBrew, PowerShell, Aqua, Curl, Snap, and Scoop. Enhancements to the Command Line Interface allow developers to configure and use their own encryption keys to provide even stronger security. Additional enhancements include new flags to the rest API and CLI for more easily searching objects, and an improved "break glass" security function.

"Our customers increasingly approach us with more stringent cyber insurance requirements, often necessitating more modern Privileged Access Management controls," said Phil Calvin, Chief Product Officer at Delinea. "We continuously focus on making it less complicated to implement privileged access policies, and these two product releases make PAM more seamless for both workstations and coded credentials."

Organizations can start a free trial of the latest versions of Privilege Manager at https://delinea.com/products/privilege-manager and DevOps Secrets Vault at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea Adds New features for its Privilege Manager and DevOps Secrets Vault

The health, manufacturing, and energy sectors are the most vulnerable to ransomware.

National defense and security experts long predicted that future warfare would not be waged by firearms but with code designed to disable services people depend on for daily life.

In May 2021, security experts' worst fears came true, when a ransomware attack struck the Colonial Pipeline. Gas delivery to most of the US Northeast halted almost overnight. Although systems were eventually restored, the event still lives in infamy today and reminds us of the destructive potential cyberattacks can have when levied against critical infrastructure. Since then, similar infrastructure attacks have dominated headlines across most of the world and are increasingly carried out by non-state-sponsored actors.

In our "Q2/Q3 Ransomware Index Update," Securin (formerly Cyber Security Works) researchers mapped out the impact of ransomware on industrial control systems (ICS) deployed in critical infrastructure establishments. They identified the three most at-risk sectors: healthcare, energy, and manufacturing. Our researchers also examined 16 ransomware vulnerabilities and the bad actors who exploit them, such as Ryuk, Conti, WannaCry, and Petya. We have included a table at the end of the article with the full list of vulnerabilities and impacted vendors.

With each successful attack, ransomware groups grow bolder and target industries that can cause the most pain to exploit the crises for maximum extortion. Understanding the threat actors and their methods is the key to protecting critical industries and maintaining smooth operations.

    

Ransomware CVEs affecting ICS products yet to be included in the CISA KEVs (as on date of publishing the report).

**Healthcare**

Cybersecurity and Infrastructure Security Agency (CISA) advisories to healthcare providers come in the aftermath of ongoing attacks by ransomware groups such as Black Basta, Quantum, and MountLocker. The impact of unpatched critical vulnerabilities in this sector could be potentially life threatening.

Public health and healthcare systems are affected by the majority of vulnerabilities — nine out of the 16 identified — because they are dependent on other sectors for the continuity of their service delivery and operations. Philips Healthcare, a technology-based company that develops advanced visualization software for crucial imaging equipment, is the most affected vendor, clocking in eight vulnerabilities found in its IntelliSpace Portal 9.0. Vulnerabilities CVE-2017-0144 and CVE-2017-0147 should be patched immediately for their high ransomware family associations used in real-world attacks.

**Energy**

An attack on an energy provider can result in grid failure or inconsistent energy output to homes, commercial buildings, or other critical service providers. The energy sector is plagued by six vulnerabilities that organizations must watch, particularly those found in Schneider Electric's products.

CVE-2017-6032 and CVE-2017-6034 affect Schneider Electric's Modicon Modbus Protocol, an open communications standard that is used across critical infrastructure, which can lead to chain reaction attacks. However, vulnerabilities CVE-2019-18935 and CVE-2020-10713 found in Hitachi ABB Power Grid systems and Hitachi Energy Transformer Asset Performance Management (APM) Edge, respectively, pose just as much risk. They should be treated as serious by network security administrators.

**Manufacturing**

The critical manufacturing sector can be divided into four core subindustries: transportation equipment; machinery manufacturing; electrical equipment, appliance and component manufacturing; and primary metals manufacturing.

A quarter of the vulnerabilities included in our analysis affect vendors in the manufacturing sector, including Exacq Technologies, Sensormatic Electronics, and Schneider Electric.

**How to Stay Protected**

We encourage organizations to stay aware of vendor advisories of the products they utilize and take steps to organize vulnerability enumeration according to severity. Most of the vulnerabilities in this article take advantage of legacy setups comprising out-of-date software and, sometimes, unsupported end-of-life components. Here are key insights to keep your system and industry safe:

*   **Improper input validation** is the most prevalent weakness powering ICS ransomware CVEs. Proper input screening can prevent bad actors from infiltrating databases and locking admins out of the system.
*   **Six vulnerabilities** are missing from the CISA Known Exploited Vulnerability (KEV) catalog and should be patched: CVE-2018-5391, CVE-2018-10115, CVE-2017-6034, CVE-2017-6032, CVE-2017-7494, and CVE-2020-10713.
*   **Performing simulated** **penetration tests** of your systems can identify hidden entry points that criminals would otherwise use. Finding where you are most exposed can help set patch priorities and build defenses before attackers can leverage them.

The US economy depends on an interconnected infrastructure of energy, health, and manufacturing. Hospitals need the energy to function and render life-saving services, and oil and natural gas refineries deliver necessary fuel to power domestic manufacturing — it's a marvelous system to appreciate, but a rather precious one as well, and we should take steps to protect it.

CVE ID

Impacted Vendors

CVSS v3 Score

Action

CVE-2021-44228

Exacq Technologies, a subsidiary of Johnson Controls, Inc.; Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc.

10

Vendor patch

CVE-2020-10713

Hitachi Energy

8.2

Vendor patch

CVE-2019-18935

Hitachi ABB Power Grids

9.8

Vendor patch

CVE-2019-0708

Spacelabs

9.8

Vendor patch

CVE-2018-5391

Siemens

7.5

Vendor patch

CVE-2018-10115

Philips

7.8

Update to latest version

CVE-2017-7494

Schneider Electric

9.8

Vendor advisory

CVE-2017-6034

Schneider Electric

9.8

ICS advisory

CVE-2017-6032

Schneider Electric

5.3

ICS advisory

CVE-2017-0199

Philips

7.8

Vendor patch

CVE-2017-0148

Philips

8.1

Vendor patch

CVE-2017-0147

Philips

5.9

Vendor patch

CVE-2017-0146

Philips

8.1

Vendor patch

CVE-2017-0145

Philips

8.1

Vendor patch

CVE-2017-0144

Philips

8.1

Vendor patch

CVE-2017-0143

Baxter, Philips

8.1

Vendor patch

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

Securin Inc. will provide tech-enabled security solutions, vulnerability
intelligence and deep domain expertise.

**ALBUQUERQUE, N.M., March 7, 2023 /PRNewswire-PRWeb/ --** Cyber Security Works Inc., a leading security company, today announced that it is rebranding as  
Securin Inc. due to the evolution of its service capabilities and offerings.  
Under the new identity, it will provide tech-enabled security solutions to  
continuously improve customers' security posture and help them gain resilience  
against evolving threats.

CSW offers flagship services such as vulnerability management and penetration  
testing to customers around the globe. In 2020, CSW became a CVE Numbering  
Authority (CNA) to help the Department of Homeland Security (DHS) and MITRE  
validate newly discovered zero-day vulnerabilities.  

In 2022, CSW acquired Securin, an automated platform with solutions such as  
attack surface management (ASM) and vulnerability intelligence (VI). Since its  
launch, Securin ASM has been providing many leading tech companies with an  
outside-in view of their expanding attack surface from an adversary's  
perspective and helping them to prioritize and remediate their most dangerous  
exposures. Securin VI offers an entire spectrum of vulnerability intelligence  
powered by 700+ authentic intelligence feeds that continuously measure a  
vulnerability's risk. Through its artificial intelligence (AI) & machine  
learning (ML) models, Securin's VI platform warns its customers about  
vulnerabilities that will likely be exploited soon, enabling them to prioritize  
and patch proactively.  

After this rebrand, Securin will combine its offerings to provide customers with  
a comprehensive suite of security solutions such as ASM, VI, Vulnerability  
Management, and Penetration Testing to level up their security. Securin has  
grown to 250+ employees globally and will continue to operate from its offices  
in Albuquerque, New Mexico and Chennai, India.  

Ram Movva, Co-Founder and Chairman of Securin, said, "In the past few years, we  
have added many new capabilities to our offerings. With the shifting  
cybersecurity landscape and evolving threats, it is critical to implement tools  
and solutions that can provide actionable and timely intelligence to prevent  
cybersecurity breaches before they happen. As we forge ahead, we want to become a tech-enabled solution organization focused on increasing the security posture of our customers through our suite of offerings. We believe Securin, as our  
overall brand name, embodies our vision to secure organizations to build  
resilience against emerging threats."  

Expanding on Movva's comments, Aaron Sandeen, CEO of Securin, said, "We are very excited to rebrand as Securin. CSW has seen amazing growth in the past two years and evolved beyond recognition. We have been providing our customers with a full suite of capabilities, such as vulnerability management and penetration testing, bundled with ASM & VI. Rebranding into Securin is the next step in our business evolution, which will enable us to focus on our vision to improve security posture and reduce the attack surface of our customers."  

Sandeen added, "By combining our services - vulnerability management and  
penetration testing with products like Securin ASM and Securin VI, we will be  
offering customers a powerful suite of solutions that will manage and shrink  
their expanding attack surface and also keep them a step ahead of the bad guys."  
After the rebrand, Securin will continue to act as a CVE Numbering Authority  
(CNA) and help MITRE validate zero days and expedite their entry in the National  
Vulnerability Database (NVD).  
To learn more, visit http://www.securin.io.**About Securin**  
Securin is a leading provider of tech-enabled cybersecurity services, helping  
hundreds of customers worldwide gain resilience against emerging threats.  
Powered by accurate vulnerability intelligence, human expertise, and automation,  
its products and services have enabled enterprises to make critical security  
decisions to manage their expanding attack surface.

Cyber Security Works to Rebrand As Securin Inc.

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-2964: A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.
* CVE-2022-4269: A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.
* CVE-2022-41222: A use-after-free flaw was found in the Linux kernel’s mm/mremap memory address space accounting source code in how a race condition happens between rmap walk and mremap. This flaw allows a local user to crash or potentially escalate their privileges on the system.


RHSA-2023:1130: Red Hat Security Advisory: kernel security and bug fix update

Once praised for its generous social safety net, the country now collects troves of data on welfare claimants.

ILLUSTRATION: KATHERINE LAM

Once praised for its generous social safety net, the country now collects troves of data on welfare claimants.

**I Am Not a Number**

Unprecedented access to one of the world’s most sophisticated welfare fraud algorithms has revealed a deeply flawed and discriminatory system.

In a sparsely decorated corner office of the Danish Public Benefits Administration sits one of Denmark’s most quietly influential people. Annika Jacobsen is the head of the agency’s data mining unit, which, over the past eight years, has conducted a vast experiment in automated bureaucracy. Blunt, and with a habit of completing others’ sentences, Jacobsen is clear about her mission: “I’m here to catch cheaters.”

Denmark’s Public Benefits Administration employs hundreds of people who oversee one of the world's most well-funded welfare states. The country spends 26 percent of its GDP on benefits—more than Sweden, the United States, and the United Kingdom. It’s been hailed as a leading example of how governments can support their most vulnerable citizens. Bernie Sanders, the US senator, called the Nordic nation of 6 million people a model for how countries should approach welfare.

But over the past decade, the scale of Denmark’s benefits spending has come under intense scrutiny, and the perceived scourge of welfare fraud is now at the top of the country’s political agenda. Armed with questionable data on the amount of benefits fraud taking place, conservative politicians have turned Denmark’s famed safety net into a polarizing political battleground. 

It has become an article of faith among the country’s right-wing politicians that Denmark is losing hundreds of millions of euros to benefits fraud each year. In 2011, KMD, one of Denmark’s largest IT companies, estimated that up to 5 percent of all welfare payments in the country were fraudulent. KMD’s estimates would make the Nordic nation an outlier, and its findings have been criticized by some academics. In France, it’s estimated that fraud amounts to 0.39 percent of all benefits paid. A similar estimate made in the Netherlands in 2016 by broadcaster RTL found the average amount of fraud per benefit payment was €‎17 ($18), or just 0.2 percent of total benefits payments.

The perception of widespread welfare fraud has empowered Jacobsen to establish one of the most sophisticated and far-reaching fraud detection systems in the world. She has tripled the number of state databases her agency can access from three to nine, compiling information on people’s taxes, homes, cars, relationships, employers, travel, and citizenship. Her agency has developed an array of machine learning models to analyze this data and predict who may be cheating the system.

Documents obtained by Lighthouse Reports and WIRED through freedom-of-information requests show how Denmark is building algorithms to profile benefits recipients based on everything from their nationality to whom they may be sleeping next to at night. They reveal a system where technology and political agendas have become entwined, with potentially dangerous consequences.

Danish human rights groups such as Justitia describe the agency’s expansion as “systematic surveillance” and disproportionate to the scale of welfare fraud. Denmark's system has yet to be challenged under EU law. Whether the country’s experiments with machine learning cross a legal line is a question that could be answered by the European Union’s landmark Artificial Intelligence Act, proposed legislation that aims to safeguard human rights against emerging technologies.

The debate about welfare in Denmark changed in October 2012, when officials asked residents to send in photos of suspected welfare cheats in their local area. The call led some left-leaning commentators to warn of a “war on welfare,” and arrived as the far-right Danish People’s Party—which criticized the government for “luring” immigrants with welfare benefits—rose up in opinion polls. 

Within a year, consulting firm Deloitte released an audit of welfare fraud controls in Denmark, finding them inadequate to detect fraud in an increasingly digitized welfare system. The auditors, commissioned by the Danish finance ministry, estimated the “short-term savings” of a new “risk-scoring infrastructure” to be €126 million.

Deloitte’s vision was realized in February 2015 with a bill that overhauled the Danish welfare state. It proposed a massive expansion of the Public Benefit Administration’s powers, including the ability to store and collect data on millions of people, access other authorities’ databases, and even request data from foreign governments. Largely unnoticed at the time, it also called for the creation of a “data mining unit” to “control for social benefits fraud.”

The bill was backed by all of the major political parties in Denmark and became law in April 2015. That month, Jacobsen left an IT job in the financial sector to become Denmark’s first head of data mining and fraud detection. 

As Jacobsen got to work, conservative politician Troels Lund Poulsen took office in June 2015 as Denmark’s new employment minister. He implemented random airport checks to catch welfare recipients taking undeclared vacations, and proposed giving the new data mining unit access to welfare recipients’ electricity and water bills in order to detect where they were living. He was joined by a growing chorus of supporters, with one municipality reportedly asking for data from cell towers to track where welfare recipients were staying. “It’s about politics,” Poulsen said in March 2018. “It is important for me to send a clear signal that we will not accept social cheating and fraud.”

Jacobsen’s critics have accused her unit of conducting mass surveillance, but she argues that there are clear safeguards that prevent overreach. Jacobsen says her algorithms don’t actually cancel benefits—they only flag people as suspicious. Ultimately, it is up to a human fraud investigator to make the final call, and citizens have the right to appeal their decisions. “You are not guilty just because we point you out. There will always be a person that looks into your data,” she says.

The majority of Danish residents flagged for investigation are found innocent. Of the nearly 50,000 cases selected by the data mining unit in 2022, 4,000, or 8 percent, resulted in some form of punishment. In the cases where wrongdoing was found, the data mining unit has managed to recover €‎23.1 million—a significant return on its annual budget of €‎3.1 million.

But the scale and reach of Denmark's data collection has been criticized by the Danish Institute of Human Rights, an independent human rights watchdog, and the Danish Data Protection Authority, a public body that enforces privacy regulations. Justitia has compared the Public Benefits Administration to the National Security Agency in the US, and claimed that its digital monitoring of millions of Danish residents violates their privacy rights.

Jacobsen says the agency’s use of data is proportional under European data protection laws, and that preventing error and fraud is important to maintain trust in the welfare state. The Public Benefits Administration is also looking to have its algorithms check citizens earlier in the process, when they first apply for benefits, to avoid situations where they have to repay large sums of money. “Most citizens are honest; however, there will always be some citizens who try to get welfare benefits that they are not entitled to,” Jacobsen says. 

Jacobsen also argues that machine learning is fairer than analog methods. Anonymous tips about potential welfare cheats are unreliable, she claims. In 2017, they made up 14 percent of the cases selected for investigation by local fraud officials, whereas cases from her data unit amounted to 26 percent. That means her unit is more effective than anonymous tips, but nearly half of the cases local investigators decide to take on come from their own leads. Random selection is also unfair, she claims, because it means burdening people when there are no grounds for suspicion. “\[Critics\] say that when the machine is looking at data, it is violating the citizen, \[whereas\] I might think it’s very violating looking at random citizens,” Jacobsen says. “What is a violation of the citizen, really? Is it a violation that you are in the stomach of the machine, running around in there?”

Denmark isn’t alone in turning to algorithms amid political pressure to crack down on welfare fraud. France adopted the technology in 2010, the Netherlands in 2013, Ireland in 2016, Spain in 2018, Poland in 2021, and Italy in 2022. But it’s the Netherlands that has provided the clearest warning against technological overreach. In 2021, a childcare benefits scandal, in which 20,000 families were wrongly accused of fraud, led to the resignation of the entire Dutch government. It came after officials interpreted small errors, such as a missing signature, as evidence of fraud, and forced welfare recipients to pay back thousands of euros they’d received as benefits payments.

As details of the Dutch scandal emerged, it was found that an algorithm had selected thousands of parents—nearly 70 percent of whom were first or second generation migrants—for investigation. The system was abandoned after the Dutch Data Protection Authority found that it had illegally used nationality as a variable, which Amnesty International later compared to “digital ethnic profiling.” 

The EU’s AI Act would ban any system covered by the legislation that “exploits the vulnerabilities of a specific group,” including those who are vulnerable because of their financial situation. Systems like Jacobsen’s, which affect citizens’ access to essential public services, would also likely be labeled as “high risk” and subject to stringent requirements, including transparency obligations and a requirement for “high levels of accuracy.”

The documents obtained by Lighthouse Reports and WIRED appear to show that Denmark’s system goes beyond the one that brought down the Dutch government. They reveal how Denmark’s algorithms use variables like nationality, whose use has been equated with ethnic profiling.

One of Denmark's fraud detection algorithms attempts to work out how someone might be connected to a non-EU country. Heavily redacted documents show that, in order to do this, the system tracks whether a welfare recipient or their “family relations” have ever emigrated from Denmark. Two other variables record their nationality and whether they have ever been a citizen of any country other than Denmark.

Jacobsen says that nationality is only one of many variables used by the algorithm, and that a welfare recipient will not be flagged unless they live at a “suspicious address” and the system isn’t able to find a connection to Denmark. 

The documents also show that Denmark’s data mining unit tracks welfare recipients’ marital status, the length of their marriage, who they live with, the size of their house, their income, whether they’ve ever lived outside Denmark, their call history with the Public Benefits Administration, and whether their children are Danish residents. 

Another variable, “presumed partner,” is used to determine whether someone has a concealed relationship, since single people receive more benefits. This involves searching data for connections between welfare recipients and other Danish residents, such as whether they have lived at the same address or raised children together. 

“The ideology that underlies these algorithmic systems, and \[the\] very intrusive surveillance and monitoring of people who receive welfare, is a deep suspicion of the poor,” says Victoria Adelmant, director of the Digital Welfare and Human Rights Project. 

For all the complexity of machine learning models, and all the data amassed and processed, there is still a person with a decision to make at the hard end of fraud controls. This is the fail-safe, Jacobsen argues, but it’s also the first place where these systems collide with reality.

Morten Bruun Jonassen is one of these fail-safes. A former police officer, he leads Copenhagen's control team, a group of officials tasked with ensuring that the city’s residents are registered at the correct address and receive the correct benefits payments. He's been working for the city’s social services department for 14 years, long enough to remember a time before algorithms assumed such importance—and long enough to have observed the change of tone in the national conversation on welfare.

While the war on welfare fraud remains politically popular in Denmark, Jonassen says only a “very small” number of the cases he encounters involve actual fraud. For all the investment in it, the data mining unit is not his best source of leads, and cases flagged by Jacobsen’s system make up just 13 percent of the cases his team investigates—half the national average. Since 2018, Jonassen and his unit have softened their approach compared to other units in Denmark, which tend to be tougher on fraud, he says. In a case documented in 2019 by DR, Denmark’s public broadcaster, a welfare recipient said that investigators had trawled her social media to see whether she was in a relationship before wrongfully accusing her of welfare fraud.

While he gives credit to Jacobsen’s data mining unit for trying to improve its algorithms, Jonassen has yet to see significant improvement for the cases he handles. “Basically, it’s not been better,” he says. In a 2022 survey of Denmark’s towns and cities conducted by the unit, officials scored their satisfaction with it, on average, between 4 and 5 out of 7.

Jonassen says people claiming benefits should get what they’re due—no more, no less. And despite the scale of Jacobsen’s automated bureaucracy, he starts more investigations based on tips from schools and social workers than machine-flagged cases. And, crucially, he says, he works hard to understand the people claiming benefits and the difficult situations they find themselves in. “If you look at statistics and just look at the screen,” he says, “you don’t see that there are people behind it.” 

_Additional reporting by Daniel Howden, Soizic Penicaud, Pablo Jiménez Arandia, and Htet Aung. Reporting was supported by the Pulitzer Center’s AI Accountability Fellowship and the Center for Artistic Inquiry and Reporting._

*   The lie detector was never good at telling the truth
    

*   China is relentlessly hacking its neighbors
    

*   Amazon’s HQ2 is on pause
    

Gabriel Geiger is an investigative reporter at Lighthouse Reports, covering technology and surveillance.

How Denmark’s Welfare State Became a Surveillance Nightmare

Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is… 
Continue reading → Persistence – Event Log Online Help

Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is used mainly for troubleshooting windows errors by administrators could be also used as a form a persistence during red team operations. Microsoft in order to assist administrators to retrieve direct information for a particular event ID over the web has embedded a functionality which is called Event Log Online Help.

The Event Log Online Help redirects the users to a Microsoft URL and is controlled from the following registry location.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer

Three registry keys could be modified if local administrator access has been achieved in order to execute arbitrary payloads once the Event Log Online Help is clicked by the user. These keys can be found below:

*   MicrosoftRedirectionProgram
*   MicrosoftRedirectionProgramCommandLineParameters
*   MicrosoftRedirectionURL

A very trivial proof of concept is to trigger a message box.

#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "pentestlab.blog", "Pentestlab", MB\_OK);
  return 0;
}

The code above could be compiled using MinGW in order to generate an executable.

    x86_64-w64-mingw32-g++ -O2 messagebox.cpp -o messagebox.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings 
    -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive

The registry key “_MicrosoftRedirectionProgram”_ could be modified to contain the location of the compiled executable. Clicking the Event Log Online Help will display the message box indicating that code has been executed.

Event Log Online Help – MessageBox

In similar manner “_msfvenom_” could be used to generated a payload.

msfvenom – Payload Generation

Modification of the registry key below to map to the location on the disk of the previously generated payload will execute the payload.

Microsoft Redirection Program – Registry Key

When the Event Log Online Help is clicked a connection will be established.

Event Log Online Help – Meterpreter

The second registry key “_MicrosoftRedirectionProgramCommandLineParameters_” allows the user modify the data value in order to execute commands. A very common living off the land binary such as “regsvr32” can be utilized to execute a fileless payload.

Microsoft Redirection Program Command Line Parameters

Once the Event Log Online Help is clicked the command will be executed and a communication channel will established.

Meterpreter – regsvr32

The last registry key is the “_MicrosoftRedirectionURL_” which by default it points out to a Microsoft location. The registry value could be changed to point either to a malicious URL or to a payload which is dropped on the disk.

Microsoft Redirection URL

In all of the above scenarios the following condition will be created:

*   Parent Process (mmc.exe) –> Child Process (Payload)

MMC – Parent Process

EDR’s should flag when mmc tries to spawn non trusted processes. Furthermore, monitoring of the above registry keys for changes could create a detection opportunity. As access to Windows graphical interface is required and considering the fact that the average user would not typically open event viewer and click on the Windows Event Log Online Help it is unlikely that this technique will gain popularity. However, in an assumed breach or malicious insider scenarios it could be used as a trivial method to maintain an active connection over a C2 channel.

**References**

*   https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/

**Post navigation**

Tag

#mac