pdftojson commit 94204bb was discovered to contain a stack overflow via the component Stream::makeFilter(char*, Stream*, Object*, int).

**pdftojson**

using XPDF, pdftojson extracts text from PDF files as JSON, including word bounding boxes.

**Compile**

On MacOS, you might need to specify libpng and libfreetype locations, e.g.

    ./configure --with-libpng-library=/usr/local/Cellar/libpng/1.6.16/lib/  --with-libpng-includes=/usr/local/Cellar/libpng/1.6.16/include/ --with-freetype2-library=/usr/local/lib/ --with-freetype2-includes=/usr/local/include/freetype2/
    

You will find pdftojson inside the directory xpdf/pdftojson

**Usage**

    pdftojson <input.pdf> <output.json>
    

**File format**

The JSON produced looks like: \[ { "pages":14, "number":1, "width":612, "height":792, "text":\[ \[115,162,41,14,0,"What "\], ... \] }, { "pages":14, "number":2, "width":612, "height":792, "text":\[ \[115,162,41,14,0,"Here "\], ... \] }, ... \];

For each page, the text array contains: \[top,left,width,height,0,text\]

CVE-2022-44109: GitHub - ldenoue/pdftojson: using XPDF, pdftojson extracts text from PDF files as JSON, including word bounding boxes.

Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

Researchers have spotted two phishing sites — one spoofing a Cisco webpage and the other masquerading as a Grammarly site — that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for functions that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too — such as the operators of Babuk — have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.

**DarkTortilla Delivery Via Phishing Sites**

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign where threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly website end up downloading a malicious file named "GnammanlyInstaller.zip" when they click on the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the encrypted DLL file and loads it into the compromised system's memory, where it executes a variety of malicious activities, Cyble said.

The Cisco phishing site meanwhile looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks on the button to "order" the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, doing antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

Cyble's researchers found that to ensure persistence on an infected system for instance, DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogin registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system\_update.exe" on the infected system and copies itself into the folder.

**Sophisticated & Dangerous Malware**

DarkTortilla's fake message functionality meanwhile basically serves up messages to trick victims into believing the Grammarly or Cisco application they wanted failed to execute because certain dependent application components were not available on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the \[threat actors\] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass distribute a wide range of malware including, Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.

They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first spotted a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like CofuserEX and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Risk is no longer a single entity, but rather an interconnected web of resources, assets, and users.

Within the first few hours of the FTX implosion, investors and crypto bulls were working through the Kübler-Ross model's five stages of grief: denial, anger, bargaining, depression, and acceptance. As more details came out about the inner workings of FTX, I realized that truth really is stranger than fiction.

The 30-year-old founder of FTX, Sam Bankman-Fried, was known simply as SBF — a single moniker that put him in the company of Madonna or LeBron. His firm seemingly came out of nowhere to establish itself as the de facto standard for crypto exchanges. The firm and the founder were surrounded by all the trappings of success and legitimacy — a fawning press, famous and powerful friends, and sycophantic politicians.

Who would ever suspect fraud with such a veneer of respectability? The obvious comparison was Theranos and its CEO, Elizabeth Holmes. When stories emerged that FTX's potential losses totaled $50 billion, comparisons to another fraudster — Bernie Madoff — emerged.

However, there is one huge difference between SBF and Madoff: Madoff was a singular figure orchestrating a massive Ponzi scheme. The funds that came to Madoff didn't go into other investments. In fact, they didn’t go into any investments. They were used to keep existing clients happy while new clients were brought in. All of the risk for Madoff clients was represented in Madoff himself.

In the case of FTX, SBF lent Alameda Capital — the firm's in-house investing arm — more than $8 billion in client funds. It is patently illegal to mix client funds in an exchange with outside investments. Most shocking of all is what SBF and Alameda were doing with that money. They thew the money into more than 400 different investments in the emerging crypto market, from failing exchanges to worthless coins. Investors who parked their money, and their crypto, at the FTX exchange had no idea the risks they were facing.

**Know Your Attack Surface**

The threat surface for FTX clients wasn't just about protecting their FTX passwords or hoping the exchange wouldn't get hacked like the Mt. Gox bitcoin exchange and so many others did. Instead, their portfolios were at risk of implosions over assets and investments they had never heard of.

That is the definition of risk: having your hard-earned money and investments merged with a toxic mix of super-risky sludge. That’s a helpless place to be.

After more than 20 years in cybersecurity, it is difficult not to think about risk exposure and threat management in a case like this. Security teams are dealing with something much more akin to SBF than Madoff. There is no singular threat facing an enterprise today. Instead, it is a constellation of assets, devices, data, clouds, applications, vulnerabilities, attacks, and defenses.

Security teams' biggest weakness is that they are being asked to secure what they can neither see nor control. Where is our critical data? Who is accessing it, and who needs access? Every day in cybersecurity, the landscape of what needs to be protected changes. Applications are updated. Data is stored or in transit among multiple clouds. Users change. Every day represents new challenges.

Security starts with visibility. That’s why discovery is all the rage these days. From the cloud to data to external assets, security teams are digging into discovery tools that help them understand exactly what they have to secure, where it is, and who is accessing it. There is an urgent need to understand the connections among users, partners, devices, and applications. The FTX crypto investment scenario I've described could just as easily be interconnected enterprise resources, and internal and external users.

I feel terrible for anyone caught up in this FTX mess. For cybersecurity professionals, it is yet another reminder that it is not just the resources and employees of your organization that impact security; it is a web of connections that grows every day. We live in the age of discovery for a reason.

Rethinking Risk After the FTX Debacle

Revived levels of holiday spending have caught the eye of threat actors who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

As the holiday season barrels to a conclusion, malicious actors are attempting to take advantage of harried consumers by ramping up the volume of spam and phishing attacks in the form of unsolicited emails and email-based threats — and businesses stand to suffer.  

A report from Bitdefender Antispam Lab found the volume of Christmas-themed spam has increased consistently since Nov. 27, with spikes in unsolicited correspondence observed between Dec. 6 and Dec. 9.

Scammers are employing the tried-and-true tactics of bogus surveys, online holiday dating opportunities, adult content offers, and discount shopping for designer goods.

Major corporations, including Netflix and Lowes, have been among the spoof subjects, enticing consumers with exclusive offers and cash giveaways — the catch being they must first enter credit card numbers or banking information, of course.

A recent study found more than a third of Americans have fallen victim to online shopping scams during the holidays, losing $387 on average as a result.

Alina Bizga, security analyst at Bitdefender, explains that threat actors are savvy when it comes to targeting. The holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities.

"They update their tactics, and lures, and take note of consumer behaviors, timing their social engineering attacks to catch users off guard and steal sensitive personal data and money or compromise their devices and financial accounts," she says.

**Ramifications for Legitimate Businesses**

Bizga adds that when threat actors mimic a legitimate business to trick consumers into giving out their personal information or money, organizations may also suffer financial losses and reputational damages.

"Scams leveraging popular trade names that are proliferated via large-scale spam campaigns can impact both consumers and employees, and organizations need to have a clear action plan to minimize potential damages in the aftermath of a phishing scam," she says.

This includes identifying fraudulent communications, gathering information on the scope of the attacks, and notifying consumers and law enforcement.

Sam Curry, Cybereason chief security officer, says the annual glut of seasonal spam makes legitimate marketing for businesses much harder.

"When the bad guys try to look like legitimate marketing, legitimate marketing becomes less trusted and tolerated," he says. "If your email queue goes up to 200 junk emails a day, and you get tired of hitting delete 170 times, then you're more likely to hit delete on the buried legitimate marketing content than not."

For retailers, the fight against spam and phishing is twofold: protecting the customer and protecting the organization.

Curry points out now is the time when many retailers go into the black.

"They may make more in a few days than in some months in the rest of the year, which is why they freeze IT and changes and focus on servicing customers at scale," he says.

That means any hiccups now are even more painful as a result.

"In security, we measure risk in terms of likelihood and impact, and during the holiday season, impact goes up dramatically," he says. "That in turn changes the responses and contingencies of businesses, making them more likely to pay a ransom or to take drastic measures to fix issues and problems."

**Threat Actors Look for Quick, Easy Wins**

Bizga says that although cybercriminals are regularly adapting their tactics, techniques, and procedures (TTPs), the most common attack vectors seen throughout the holiday season include phishing, exploiting vulnerabilities and human error and misconfigurations.

"In addition, supply chain attacks can exploit access of third parties such as suppliers, distributors, or contractors to their ecosystem," she notes. "For example, breaching a small supplier may result in access to their much larger customer or entire customer base."

Michael DeBolt, chief intelligence officer at Intel 471, says cyber threat actors are always looking for quick and easy wins that result in considerable profit with a low degree of risk and effort.

"The end-of-year holiday period presents a unique window of opportunity for threat actors to increase illicit profits due to the surge in online activity as retailers and consumers transact goods and services, log into online accounts, ship and receive products, and more," he says.

**Keeping Alert Across the Organization**

DeBolt says retail organizations need to be aware of the latest spam and phishing campaigns targeting their customers.

Armed with this information, organizations can employ directed awareness campaigns warning customers of potential threats and how to avoid them.

He notes that security and fraud teams can take mitigating measures by adjusting controls within the environment to defend against account takeover (ATO) attacks.

"The same malware spam campaigns that target consumers can be used to target employees within organizations as well," he adds.

An infected machine belonging to an employee can include login information to remote network accesses or credentials to sensitive data storage, which can lead to theft of company information or as a foothold for a ransomware deployment into the company’s network.

"Perhaps the most important takeaway is that information security needs to be practiced and understood across the entire organization, not just \[by\] the network defenders," he says.

In the fight against spam and holiday season phishing, retailers need to give their customers proper information and channels through which they can report suspicious correspondence sent in their name.

Bizga says businesses should also establish seasonal awareness campaigns to inform consumers about any ongoing spam/phishing campaigns and notify the applicable domain name registrar to report fraudulent activity.

"Additional remedial efforts should include notifying law enforcement and legal bodies that can assist with legal actions and advise against malicious actors," she says.

**The Perils of Losing Customer Trust**

Patrick Harr, CEO at SlashNext, explains that bad actors leverage the brand recognition of major retailers and other businesses to lure their victims into a false sense of security.

"When a victim realizes they have been duped, it can cause them to lose trust in the brand, even though they of course had nothing to do with the actual scam," he says. "As we all know, losing consumer trust can lead to significant decreases in revenue," Harr says.

He advises retailers to deploy a strong brand protection service that checks for brand impersonation instances.

Once a scam or impersonation has been identified, a request must be filed, along with evidence to prove that it is illegitimate.

"This can take quite some time, however, so retailers should adopt an automated service that is continuously scanning and reporting these impersonations," Harr says. "It won't stop impersonations altogether, but companies that fight back make themselves less of a target for future impersonations."

Holiday Spam, Phishing Campaigns Challenge Retailers

Gentoo Linux Security Advisory 202212-3 - Multiple vulnerabilities have been discovered in Oracle Virtualbox, the worst of which could result in privilege escalation from a guest to the host. Versions less than 6.1.40 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Oracle VirtualBox: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #877601  
       ID: 202212-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Oracle Virtualbox, the  
worst of which could result in privilege escalation from a guest to the  
host.

Background  
=========  
VirtualBox is a powerful virtualization product from Oracle.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-emulation/virtualbox         < 6.1.40              >= 6.1.40  
  2  app-emulation/virtualbox-modules < 6.1.40              >= 6.1.40

Description  
==========  
Multiple vulnerabilities have been discovered in Oracle VirtualBox.  
Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Oracle VirtualBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.40"

All Oracle VirtualBox modules users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-modules-6.1.40"

References  
=========  
[ 1 ] CVE-2022-21620  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21620  
[ 2 ] CVE-2022-21621  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21621  
[ 3 ] CVE-2022-21627  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21627  
[ 4 ] CVE-2022-39421  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39421  
[ 5 ] CVE-2022-39422  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39422  
[ 6 ] CVE-2022-39423  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39423  
[ 7 ] CVE-2022-39424  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39424  
[ 8 ] CVE-2022-39425  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39425  
[ 9 ] CVE-2022-39426  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39426

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-03

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-03

Gentoo Linux Security Advisory 202212-5 - Multiple vulnerabilities have been discovered in NSS, the worst of which could result in arbitrary code execution. Versions less than 3.79.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Network Security Service (NSS): Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #827946, #836386, #848984, #877169  
       ID: 202212-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in NSS, the worst of which  
could result in arbitrary code execution.

Background  
=========  
The Mozilla Network Security Service is a library implementing security  
features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,  
S/MIME and X.509 certificates.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/nss               < 3.79.2                    >= 3.79.2

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Network  
Security Service (NSS). Please review the CVE identifiers referenced  
below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Network Security Service (NSS) users should upgrade to the  
latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/nss-3.79.2"

References  
=========  
[ 1 ] CVE-2021-43527  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43527  
[ 2 ] CVE-2022-1097  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1097  
[ 3 ] CVE-2022-3479  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3479  
[ 4 ] MFSA-2021-51

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-05

Gentoo Linux Security Advisory 202212-1 - Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. Versions less than 7.86.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: curl: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #803308, #813270, #841302, #843824, #854708, #867679, #878365  
       ID: 202212-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in curl, the worst of which  
could result in arbitrary code execution.

Background  
=========  
A command line tool and library for transferring data with URLs.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-misc/curl              < 7.86.0                    >= 7.86.0

Description  
==========  
Multiple vulnerabilities have been discovered in curl. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All curl users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.86.0"

References  
=========  
[ 1 ] CVE-2021-22922  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22922  
[ 2 ] CVE-2021-22923  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22923  
[ 3 ] CVE-2021-22925  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22925  
[ 4 ] CVE-2021-22926  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22926  
[ 5 ] CVE-2021-22945  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22945  
[ 6 ] CVE-2021-22946  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22946  
[ 7 ] CVE-2021-22947  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22947  
[ 8 ] CVE-2022-22576  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22576  
[ 9 ] CVE-2022-27774  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27774  
[ 10 ] CVE-2022-27775  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27775  
[ 11 ] CVE-2022-27776  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27776  
[ 12 ] CVE-2022-27779  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27779  
[ 13 ] CVE-2022-27780  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27780  
[ 14 ] CVE-2022-27781  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27781  
[ 15 ] CVE-2022-27782  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27782  
[ 16 ] CVE-2022-30115  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30115  
[ 17 ] CVE-2022-32205  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32205  
[ 18 ] CVE-2022-32206  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32206  
[ 19 ] CVE-2022-32207  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32207  
[ 20 ] CVE-2022-32208  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32208  
[ 21 ] CVE-2022-32221  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32221  
[ 22 ] CVE-2022-35252  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35252  
[ 23 ] CVE-2022-35260  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35260  
[ 24 ] CVE-2022-42915  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42915  
[ 25 ] CVE-2022-42916  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42916

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-01

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-01

Gentoo Linux Security Advisory 202212-4 - A vulnerability has been discovered in LibreOffice which could result in arbitrary script execution via crafted links. Versions less than 7.3.6.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: LibreOffice: Arbitrary Code Execution  
     Date: December 19, 2022  
     Bugs: #876869  
       ID: 202212-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in LibreOffice which could result in  
arbitrary script execution via crafted links.

Background  
=========  
LibreOffice is a powerful office suite; its clean interface and powerful  
tools let you unleash your creativity and grow your productivity.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-office/libreoffice     < 7.3.6.2                  >= 7.3.6.2  
  2  app-office/libreoffice-bin < 7.3.6.2                  >= 7.3.6.2

Description  
==========  
LibreOffice links using the vnd.libreoffice.command scheme could be  
constructed to call internal macros with arbitrary arguments. Which when  
clicked on, or activated by document events, could result in arbitrary  
script execution without warning.

Impact  
=====  
An attacker able to coerce a victim into opening a crafted LibreOffice  
document and execute certain actions with it could achieve remote code  
execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All LibreOffice users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-office/libreoffice-7.3.6.2"

All LibreOffice binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-office/libreoffice-bin-7.3.6.2"

References  
=========  
[ 1 ] CVE-2022-3140  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3140

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-04

Gentoo Linux Security Advisory 202212-2 - Multiple vulnerabilities have been discovered in Unbound, the worst of which could result in denial of service. Versions less than 1.16.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Unbound: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #872209, #866881  
       ID: 202212-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Unbound, the worst of  
which could result in denial of service.

Background  
=========  
Unbound is a validating, recursive, and caching DNS resolver.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-dns/unbound            < 1.16.3                    >= 1.16.3

Description  
==========  
Multiple vulnerabilities have been discovered in Unbound. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Unbound users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-dns/unbound-1.16.3"

References  
=========  
[ 1 ] CVE-2022-3204  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3204  
[ 2 ] CVE-2022-30698  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30698  
[ 3 ] CVE-2022-30699  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30699

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-02

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-02

Meta Platforms disclosed that it took down no less than 200 covert influence operations since 2017 spanning roughly 70 countries across 42 languages.
The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries.
"The global

Meta Platforms disclosed that it took down no less than 200 covert influence operations since 2017 spanning roughly 70 countries across 42 languages.

The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries.

"The global surveillance-for-hire industry continues to grow and indiscriminately target people – including journalists, activists, litigants, and political opposition – to collect intelligence, manipulate and compromise their devices and accounts across the internet," the company noted in a report published last week.

The networks that were found to engage in coordinated inauthentic behavior (CIB) originated from 68 countries. More than 100 nations are said to have been targeted by at least one such network, either foreign or domestic.

With 34 operations, the U.S. emerged as the most frequently targeted nation during the five-year period, followed by Ukraine (20) and the U.K. (16).

The top three geographic sources of CIB networks during the same timeframe were Russia (34), Iran (29), and Mexico (13). On top of that, an Iranian network disrupted by Meta in April 2020 focused on 18 countries at a time, indicating the scope of foreign interference in these campaigns.

"Notably, both our first takedown and our 200th takedown were of CIB networks originating from Russia," Meta's Ben Nimmo and David Agranovich said. "The latter takedown targeted Ukraine and other countries in Europe."

The activity, the details of which the company first disclosed in September 2022, has since been attributed as the work of two companies, Structura National Technologies and Social Design Agency (Агентство Социального Проектирования), located in the country.

That said, CIB networks run across the world have often been found targeting people in their own country, not to mention have a cross-platform presence that go beyond Facebook and Instagram to encompass Twitter, Telegram, TikTok, Blogspot, YouTube, Odnoklassniki, VKontakte, Change\[.\]org, Avaaz, and LiveJournal.

Meta further highlighted a "rapid rise" in the use of profile pictures created through artificial intelligence techniques like generative adversarial networks (GAN) since 2019 in a bid to pass off rogue accounts as more authentic and evade detection.

****Tackling Platform Abuse by Spyware Entities****

In a related report on surveillance-for-hire operations, the Menlo Park-based company said it removed a network of 130 accounts created by an Israeli company named Candiru that used these fake accounts to test phishing capabilities by sending malicious links designed to deploy malware.

A second set of 250 accounts on Facebook and Instagram linked to another Israeli company called QuaDream was found "engaged in a similar testing activity between their own fake accounts, targeting Android and iOS devices in what we assess to be an attempt to test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation."

Both Candiru and QuaDream are founded by former employees of NSO Group, a controversial cyber intelligence firm that has come under fire for selling its invasive technology, Pegasus, to governments with poor human rights records.

What's more, Meta said it removed more than 5,000 accounts belonging to companies such as Social Links, Cyber Globes, Avalanche, and an unattributed entity in China that used the fraudulent accounts to scrape publicly available information and market "web intelligence services."

Nearly 3,700 of those Facebook and Instagram accounts were linked to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.

Besides relying on fake accounts, spyware vendors have also been caught relying on other legitimate tools to conceal their origin and conduct malicious activities. One such example is the Indian hack-for-hire firm CyberRoot, which utilized a marketing solution known as Branch to create, manage, and track phishing links.

Nearly 3,700 of those Facebook and Instagram accounts were attributed to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.

CyberRoot has also been estimated to operate over 40 fictitious accounts that impersonated journalists, business executives, and media personalities to gain the trust of targets and send phishing links spoofing services like Gmail, Zoom, Facebook, Dropbox, Yahoo, OneDrive, and Outlook to steal their credentials.

Law firms, cosmetic surgery clinics, real estate companies, investment and private equity firms, pharmaceuticals, media houses, activist groups, and gambling entities are believed to have been targeted by the mercenary actor.

CyberRoot is the second Indian surveillance-for-hire firm to come under the radar after BellTroX, whose accounts were flagged and disbanded by the company in 2021. Coincidentally, it's also said to have been assisted by BellTroX in the past.

"These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable," Meta said.

"In a sense, this industry 'democratizes' these threats, making them available to government and non-government groups that otherwise wouldn't have these capabilities to cause harm."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac