Gentoo Linux Security Advisory 202409-10 - Multiple vulnerabilities have been discovered in Xen, the worst of which could lead to privilege escalation. Versions greater than or equal to 4.17.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Xen: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #918669, #921355, #923741, #928620, #929038  
       ID: 202409-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Xen, the worst of which  
could lead to privilege escalation.

Background  
==========

Xen is a bare-metal hypervisor.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-emulation/xen  < 4.17.4      >= 4.17.4

Description  
===========

Multiple vulnerabilities have been discovered in Xen. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Xen users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.17.4"

References  
==========

[ 1 ] CVE-2022-4949  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4949  
[ 2 ] CVE-2022-42336  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42336  
[ 3 ] CVE-2023-28746  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28746  
[ 4 ] CVE-2023-34319  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34319  
[ 5 ] CVE-2023-34320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34320  
[ 6 ] CVE-2023-34321  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34321  
[ 7 ] CVE-2023-34322  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34322  
[ 8 ] CVE-2023-34323  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34323  
[ 9 ] CVE-2023-34324  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34324  
[ 10 ] CVE-2023-34325  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34325  
[ 11 ] CVE-2023-34327  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34327  
[ 12 ] CVE-2023-34328  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34328  
[ 13 ] CVE-2023-46835  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46835  
[ 14 ] CVE-2023-46836  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46836  
[ 15 ] CVE-2023-46837  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46837  
[ 16 ] CVE-2023-46839  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46839  
[ 17 ] CVE-2023-46840  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46840  
[ 18 ] CVE-2023-46841  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46841  
[ 19 ] CVE-2023-46842  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46842  
[ 20 ] CVE-2024-2193  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2193  
[ 21 ] CVE-2024-31142  
      https://nvd.nist.gov/vuln/detail/CVE-2024-31142  
[ 22 ] XSA-431  
      https://xenbits.xen.org/xsa/advisory-431.html  
[ 23 ] XSA-432  
      https://xenbits.xen.org/xsa/advisory-432.html  
[ 24 ] XSA-436  
      https://xenbits.xen.org/xsa/advisory-436.html  
[ 25 ] XSA-437  
      https://xenbits.xen.org/xsa/advisory-437.html  
[ 26 ] XSA-438  
      https://xenbits.xen.org/xsa/advisory-438.html  
[ 27 ] XSA-439  
      https://xenbits.xen.org/xsa/advisory-439.html  
[ 28 ] XSA-440  
      https://xenbits.xen.org/xsa/advisory-440.html  
[ 29 ] XSA-441  
      https://xenbits.xen.org/xsa/advisory-441.html  
[ 30 ] XSA-442  
      https://xenbits.xen.org/xsa/advisory-442.html  
[ 31 ] XSA-447  
      https://xenbits.xen.org/xsa/advisory-447.html  
[ 32 ] XSA-449  
      https://xenbits.xen.org/xsa/advisory-449.html  
[ 33 ] XSA-450  
      https://xenbits.xen.org/xsa/advisory-450.html  
[ 34 ] XSA-451  
      https://xenbits.xen.org/xsa/advisory-451.html  
[ 35 ] XSA-452  
      https://xenbits.xen.org/xsa/advisory-452.html  
[ 36 ] XSA-453  
      https://xenbits.xen.org/xsa/advisory-453.html  
[ 37 ] XSA-454  
      https://xenbits.xen.org/xsa/advisory-454.html  
[ 38 ] XSA-455  
      https://xenbits.xen.org/xsa/advisory-455.html

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-10

Gentoo Linux Security Advisory 202409-9 - A vulnerability has been discovered in Exo, which can lead to arbitrary code execution. Versions greater than or equal to 4.17.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Exo: Arbitrary Code Execution  
     Date: September 22, 2024  
     Bugs: #851201  
       ID: 202409-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Exo, which can lead to arbitrary  
code execution.

Background  
==========

Exo is an Xfce library targeted at application development, originally  
developed by os-cillation. It contains various custom widgets and APIs  
extending the functionality of GLib and GTK. It also has some helper  
applications that are used throughout the entire Xfce desktop to manage  
preferred applications and edit .desktop files.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
xfce-base/exo  < 4.17.2      >= 4.17.2

Description  
===========

A vulnerability has been discovered in Exo. Please review the CVE  
identifiers referenced below for details.

Impact  
======

Exo executes remote desktop files which may lead to unexpected arbitrary  
code execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Exo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=xfce-base/exo-4.17.2"

References  
==========

[ 1 ] CVE-2022-32278  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32278

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-09

Gentoo Linux Security Advisory 202409-8 - Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure. Versions greater than or equal to 2.6.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202409-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: OpenVPN: Multiple Vulnerabilities  
     Date: September 22, 2024  
     Bugs: #835514, #917272  
       ID: 202409-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in OpenVPN, the worst of  
which could lead to information disclosure.

Background  
==========

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-vpn/openvpn  < 2.6.7       >= 2.6.7

Description  
===========

Multiple vulnerabilities have been discovered in OpenVPN. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All OpenVPN users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.6.7"

References  
==========

[ 1 ] CVE-2022-0547  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0547  
[ 2 ] CVE-2023-46849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46849  
[ 3 ] CVE-2023-46850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202409-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202409-08

The internet has made breaking up a lot harder. The Modern Love Digital Breakup Checklist can help you separate locations, accounts, and more.

Breaking up is hard to do. The internet has made it harder.

With couples today regularly sharing access to one another’s email accounts, streaming services, social media platforms, online photo albums, and more, the risk of a bad breakup isn’t just heartache. Equipped with unfettered access into sensitive, shared online accounts, a vindictive ex could track someone who is actively using services like DoorDash, Uber, or Airbnb, spy on someone through a Ring doorbell, raise the temperature on a Nest thermostat, or shout obscenities through a baby monitor.

As every relationship is different, there’s no one-size-fits-all solution to safely disentangling your digital life from your ex, but there are a few rules that can make the process easier.

And, because this can be a lot of work, here are a few things that can help you along the way:

*   A password manager that will help you create and store unique passwords for each online account.
*   The use of multifactor/two-factor authentication on every sensitive account that allows it.
*   A friend who can go through these exercises side-by-side with you.

Further down is a more comprehensive checklist of many considerations you can take in separating your digital life from your ex, but, here’s a quick, handy guide:

It’s important to remember that this work won’t be completed in a day. That’s entirely okay. Instead of trying to accomplish everything in one weekend, prioritize the most sensitive work—cutting off access to email accounts, online banking, shared photo albums, social media, and any services or apps that can reveal your location.

As Malwarebytes recently discovered in research conducted this year, 56% of people in committed relationships in the United States agreed that they “would like to see more guidance on how to handle shared logins, accounts, and apps in a relationship or during a breakup,” and 45% agreed that they “would have a hard time knowing where to begin if I no longer wanted to share location-based apps or services with my partner or in the event of a breakup.”

We hope this digital breakup checklist, which is not comprehensive, can provide some of that guidance.

Here is the Modern Love Digital Breakup Checklist.

*   Log out of personal accounts on shared devices, including laptops, tablets, e-readers, smartphones, smart TVs, and Internet of Things devices. This includes:
    
    *   Email, social media, and online banking accounts on shared tablets, computers, and smartphones.
    
    *   Email, social media, and online banking accounts on the shared devices of children/the entire family.
    *   Entertainment accounts (Hulu, Netflix, Disney+, Spotify, etc.) on smart TVs and streaming devices such as Roku, Google Chromecast, Apple TV, etc.
*   Remove your ex’s accounts from any device you share that you will maintain ownership of after the breakup. Here’s are guides on how to remove someone from:
    
    *   Windows device
    
    *   Mac device
    *   Android devices

*   For shared accounts where you and your ex had one set of login credentials, log out of those shared accounts on your own device.
*   If you want to continue using those services, create a new personal account with a unique password.

**3\. **Review personal accounts****

*   Before resetting passwords, check the recovery settings on your personal account to ensure that any attempts to reset your password will be sent to your personal email account and not to an email account owned by your ex.
*   Before resetting passwords, consider using a password manager to help create, store, and remember unique passwords for each account.
*   Reset and create unique passwords for sensitive accounts, including:
    
    *   Email accounts
    
    *   Online banking and financial accounts (Chase, Wells Fargo, Venmo, PayPal, Zelle, Cash App, etc.)
    *   Online shopping accounts (Amazon, Etsy, Shein, Temu, etc.)
    *   Social media accounts (TikTok, Instagram, Facebook, etc.)
    *   Shared cloud accounts for photos (Google Photos, iCloud)
    *   Shared cloud accounts for file storage (Dropbox, Box, etc.)
    *   Streaming entertainment accounts (Netflix, Disney+, Hulu, Spotify, Apple Music, etc.)
    *   Parental monitoring apps (Life360, Bark, Qustodio)
    *   Online forums and chat services (Reddit, Discord, etc.)
*   Reset and create unique passwords for accounts that can expose your location to users who are logged into the same account, including:
    
    *   Food and grocery delivery apps (Uber Eats, DoorDash, Postmates, etc.)
    
    *   Ride-sharing apps (Uber, Lyft, etc.)Vacation rental apps (Airbnb, Vrbo, etc.)
    *   Health and fitness tracking apps (FitBit, Strava, etc.)
    *   Connected apps for modern cars with anti-theft location tracking
*   Enable multifactor authentication on sensitive accounts and accounts that can expose your location, when provided as an option.

**4\. **Review/remove your signed-in devices****

*   Check your security settings in your online accounts to review what devices are currently logged into the same account. If you see a device that does not belong to you, force that device to be logged out.
    
    *   If you take this step after successfully resetting your password, those devices will be required to use the new password (which only you should know).
    
    *   These settings can often be found in “security” or “privacy and security” tabs in most apps.

**5\. **Review the location settings of your device****

*   Your device provides a way to comprehensively turn off **all** location services that apps rely on to function. With this feature turned off, location-based apps (such as Uber, Uber Eats, Airbnb, Yelp, Maps, etc.) will still function, but you will need to input your address and location manually each time you use the service.
    
    *   You can review location sharing settings on iPhone here.
    
    *   You can review location sharing settings on Android here.

**6\. **Review “Find My/Find My Device” settings****

*   Modern devices come pre-installed with anti-theft services called “Find My” on iPhones and “Find My Device” on Android phones. These are the same services that many couples use to track one another’s location, and turning these services off will shut off access that other people (including exes, friends, and family) have to your location.
    
    *   Alternatively, you can turn off location sharing with one person only rather than turning off location sharing all together. You can review location sharing settings on iPhone here.
    
    *   You can review location sharing settings on Android here.

**7\. **Review the location settings of individual apps****

*   If you want to keep location sharing on for convenience, you can review individual apps on your device and select how you would like your location to be accessed by those apps.
    
    *   iPhones allow you to choose one of several options for how frequently apps will access and use your location: Never, Ask Next Time Or When I Share, While Using the App, or Always. You can review location sharing settings on iPhone here.
    
    *   Android phones allow you to choose one of several options for how frequently apps will access and use your location: Allowed all the time, Allowed only while in use, and Not allowed.
    *   You can review location sharing settings on Android here.

**8\. **Maintain your ongoing security and privacy****

*   If you find it safe and necessary, block your ex on certain social media platforms, messaging apps, etc.
*   Review the privacy settings of social media apps to ensure that your posts are not inadvertently shared with an ex.
    *   Consider whether your ex could see your posts because you have mutual friends who may reveal your posts to your ex.
*   Review automatic cloud backups for photos you take with your smartphone.
    *   If your ex compromises your iCloud or Google Photos account—and your photos are automatically backed up to those accounts—they could retrieve sensitive photos that you want to keep private.
*   When entering a new relationship, have a conversation about consensually and safely sharing your location (or choosing not to).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Relationship broken up? Here&#8217;s how to separate your online accounts 

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.
PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in

Software Security / Supply Chain

Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign.

PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in attacks related to the 3CX supply chain compromise last year.

Some of these attacks are part of a persistent cyber attack campaign dubbed Operation Dream Job, wherein prospective targets are lured with enticing job offers in an attempt to trick them into downloading malware.

"The attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of open-source Python packages," Unit 42 researcher Yoav Zemah said, linking the activity with moderate confidence to a threat actor called Gleaming Pisces.

The adversary is also tracked by the wider cybersecurity community under the names Citrine Sleet, Labyrinth Chollima, Nickel Academy, and UNC4736, a sub-cluster within the Lazarus Group that's also known for distributing the AppleJeus malware.

It's believed that the end goal of the attacks is to "secure access to supply chain vendors through developers' endpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents."

The list of malicious packages, now removed from the PyPI repository, is below -

*   real-ids (893 downloads)
*   coloredtxt (381 downloads)
*   beautifultext (736 downloads)
*   minisound (416 downloads)

The infection chain is fairly simple in that the packages, once downloaded and installed on developer systems, are engineered to execute an encoded next-stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.

Further analysis of PondRAT has revealed similarities with both POOLRAT and AppleJeus, with the attacks also distributing new Linux variants of POOLRAT.

"The Linux and macOS versions \[of POOLRAT\] use an identical function structure for loading their configurations, featuring similar method names and functionality," Zemah said.

"Additionally, the method names in both variants are strikingly similar, and the strings are almost identical. Lastly, the mechanism that handles commands from the \[command-and-control server\] is nearly identical."

PondRAT, a leaner version of POOLRAT, comes with capabilities to upload and download files, pause operations for a predefined time interval, and execute arbitrary commands.

"The evidence of additional Linux variants of POOLRAT showed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms," Unit 42 said.

"The weaponization of legitimate-looking Python packages across multiple operating systems poses a significant risk to organizations. Successful installation of malicious third-party packages can result in malware infection that compromises an entire network."

The disclosure comes as KnowBe4, which was duped into hiring a North Korean threat actor as an employee, said more than a dozen companies "either hired North Korean employees or had been besieged by a multitude of fake resumes and applications submitted by North Koreans hoping to get a job with their organization."

It described the activity, tracked by CrowdStrike under the moniker Famous Chollima, as a "complex, industrial, scaled nation-state operation" and that it poses a "serious risk for any company with remote-only employees."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New PondRAT Malware Hidden in Python Packages Targets Software Developers

The APT group uses spear-phishing and a vulnerability in a geospatial data-sharing server to compromise organizations in Taiwan, Japan, the Philippines, and South Korea.

Source: kb-photodesign via Shutterstock

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The group uses public cloud services for hosting malicious files, and appears not to be connected to other known advance persistent threat (APT) groups, although at least one analysis has found overlap between APT41 — also known as Wicked Panda and Brass Typhoon.

The majority of the group's infrastructure is based in China, and its attacks target nations of Chinese national interest, says Ted Lee, a threat researcher with Trend Micro.

"In recent campaigns, their primary targets are government agencies and other critical infrastructures — \[such as\] telecommunication — in the APAC region," he says. "In addition, we also found the decoy documents they used to lure victims are related to some significant conferences or international meetings."

The attack comes as China appears to be ramping up its attacks on governments and companies in the Asia-Pacific region. Operation Crimson Palace, a collection of three Chinese APT groups working in concert, has successfully compromised more than a dozen targets in Southeast Asia, including government agencies. In another recent case, a Chinese espionage group used a malicious fake document in an attempt to compromise systems at the US-Taiwan Business Council, prior to its 23rd US-Taiwan Defense Industry Conference.

**Spear-Phishing, With a Side of GeoServer**

The latest attacks primarily employ spear-phishing, either sending a file or a link, using regional conferences as a lure.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," Trend Micro stated in its analysis. "Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. However, due to limited information, we cannot accurately determine which sectors in China are affected."

In a limited number of cases, Trend Micro has noticed that the threat group uses a known flaw in the open source geospatial sharing service GeoServer to gain a beachhead within an organization. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

Whether it uses a vulnerability or spear-phishing, the next step is to use one of two techniques, dubbed GrimResource and AppDomainManager injection, to further compromise targeted systems.

Discovered in June, GrimResource uses a cross-site scripting (XSS) flaw to execute JavaScript on the victim's machine and, together with a second exploit, gain arbitrary code execution. AppDomainManager injection is an older — but still not widely known — technique that can be used to load run malicious code and is starting to be abused by state-backed groups, NTT Security stated in an analysis (via Google Translate).  
"Since this method is not widely known at this time, it is clear that it is a unilateral advantage for the attackers," the translated analysis stated. "As a result, there is concern about the possibility that such attacks will expand in the future."

**All Roads Lead to Cobalt Strike?**

Compromise in any case leads either to a custom backdoor known as EagleDoor, or the installation of an implant by a pirated version of the red-team tool Cobalt Strike, whose use is common among cybercriminal and cyber-espionage groups because of its powerful lateral movement and command-and-control (C2) capabilities.

In addition, the commonness of the tool means investigators gain no attribution information from its use, Trend Micro's Lee says.

"While its use can be a red flag, attackers often modify its components to evade detection," he says. "On the other hand, it’s difficult for analysts to finish group attribution based on Cobalt Strike because it is a shared tool used by many different groups."

The Cobalt Strike component drops two executables, Hook and Eagle, which make up the EagleDoor backdoor, which allows communication over DNS, HTTP, TCP, and Telegram. The commands are used to exfiltrate data from the victim's system and installing additional payloads, Trend Micro stated in its analysis.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions…

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions and frustration as vendors scramble to find solutions. Learn about the affected software, potential workarounds, and the latest updates on this ongoing issue.

Apple’s latest macOS update, macOS Sequoia (version 15), is reportedly causing issues with security tools from major providers like CrowdStrike, SentinelOne, ESET, and Microsoft. The update appears incompatible with several popular security tools, rendering them inoperable. The issue, which affects macOS users and enterprises, has caused frustration among those working with macOS-focused security tools. 

For your information, Apple officially launched its AI-focused macOS Sequoia on Monday. It is a new operating system, first revealed at WWDC 2024, offering exclusive features like Apple Intelligence, which uses Apple silicon to create language, images, and actions across apps, leveraging users’ personal context. 

However, the update has raised concerns for certain security-related products and applications as several security researchers and users on social media, Reddit, and a Mac-focused Slack channel reported issues with these security tools after installing Sequoia.

On Mastodon, security researcher Will Dormann reported firewall-related and DNS issues in macOS Sequoia, noting that blocking incoming connections within the macOS Sequoia firewall can also block replies to DNS requests, causing problems.

Dormann also noted a related issue affecting Chrome and Chromium-based browsers on macOS Sequoia, where blocking incoming connections for Google Chrome in the macOS firewall causes large downloads to stall.

Meanwhile, Apple has not yet addressed the concerns regarding Sequoia’s compatibility with security software such as ESET Endpoint Security and CrodStrike Falcon, and the full scope of the compatibility issues with Sequoia remains unclear.  

Most companies have advised users not to update the OS until the issue is resolved, as they are unable to support macOS Sequoia. CrowdStrike confirmed the issue and announced a delay in supporting Sequoia.

The company is waiting for Apple to release a fix before updating their software.  Similarly, ESET acknowledged network connection problems after the update but later clarified that their products are compatible with Sequoia. 

While SentinelOne initially advised users against upgrading to Sequoia, they later clarified that full support was available. However, some users still reported problems with other functionalities like firewalls and DNS configurations. 

A potential workaround shared by security researcher Wacław Jacek on his blog involves using command-line tools to adjust firewall settings for specific applications. According to Jacek, to modify firewall settings, use the CLI tool /usr/libexec/ApplicationFirewall/socketfilterfw.

This will allow your browser to access the internet again, but other software may still not function. To disable the entire firewall, open the terminal app, find the path to your web browser, run ls -l, and add your browser to the firewall using /usr/libexec/ApplicationFirewall/socketfilterfw.

Until the situation is resolved, please proceed with caution when considering the Sequoia update, especially if you rely heavily on third-party security software.

Mr. Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit, shared his concern over the situation with Hackread.com stating, “With the release of new operating systems, all security vendors must test and qualify their releases. It is a good thing that security vendors have been proactive in this situation and have already sent out steps to take in case their systems are facing issues with the latest Mac update.”

Mayuresh highlighted that “From the looks of it, the networking stack – or the macOS Sequoia firewall to be specific – has changed because the security tools that use it to provide security are not able to do so. Not just security tools, VPNs are also having a difficult time getting a DNS resolution.”

He also suggested the following to the security teams responsible for securing Macs:

1.  Avoid updating to macOS Sequoia unless their security vendor has officially certified it for use.
2.  Turn off auto-updates to major OS releases before internal certification.
3.  Internally certify new operating system releases by installing Dev, and Beta builds of operating systems with certified software before organization-wide deployments.

Nevertheless, the importance of comprehensive testing before deploying major updates in production environments should not be ignored. It also highlights the need for organizations to have proper backup plans and alternative security measures in place. Developing a multi-layered security approach that doesn’t rely solely on a single tool or vendor can enhance overall stability.

1.  **CrowdStrike Update Causes Havoc By Disrupting Businesses**
2.  **Webroot Marked Facebook as Phishing Site, Windows as Malware**
3.  **Apple mistakenly approved malware hidden as Adobe Flash Player**
4.  **Microsoft Releases Tool to Fix CrowdStrike-Caused Windows Chaos**
5.  **Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware**

Apple’s macOS Sequoia Update Breaks Security Tools

Plus: The FBI dismantles the largest-ever China-backed botnet, the DOJ charges two men with a $243 million crypto theft, Apple’s MacOS Sequoia breaks cybersecurity tools, and more.

The week was dominated by news that thousands of pagers, walkie-talkies and other devices were exploding across Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were injured. The covert campaign has widely been attributed to Israel, though none of the country's government agencies have commented.

In addition to the carnage, the attacks have—seemingly by design—had the effect of sowing paranoia and fear, not just among members of Hezbollah but also in the general Lebanese public. Hardware and warfare experts say that the incident is unlikely to establish a global precedent that people's most trusted communication devices and electronics, like smartphones, are rigged with explosives left and right. But it does create the potential to inspire copycats and puts defenders on notice that such attacks are possible.

Researchers say that China’s 2023 Zhujian Cup, a hacking competition with ties to the country's military, took the unusual step of requiring participants to keep the content of the exercise secret—and they may have been targeting a real victim as part of the event. Apple’s new stand-alone app Passwords that launched with iOS 18 may help solve your login problems. And a now-deleted post from billionaire Elon Musk that questioned why no one has attempted to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a national security threat in the United States.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Last month, media outlets, Microsoft, and Google warned that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump political campaigns, and that it had successfully stolen emails from the Trump campaign that were later shared with reporters. Now the FBI has chimed in with the added revelation that the same hackers also sent those stolen Trump communications to the Democrats, too—though for now there's no sign that the Democrats solicited those emails from the Iranians or necessarily even received the Iranians' message.

Republicans were nonetheless quick to compare the news to accusations that the Trump campaign “colluded” with the Russian hackers, part of the Kremlin's GRU military intelligence agency, who breached the Democratic National Committee and the Clinton Campaign in 2016 to carry out a hack-and-leak operation. In a statement, the Trump campaign demanded that the Democrats “must come clean on whether they used the hacked material.” The Harris campaign told CNN that it has cooperated with law enforcement and that it was “not aware of any material being sent directly to the campaign,” believing the emails to be spam or phishing attempts. “We condemn in the strongest terms any effort by foreign actors to interfere in US elections, including this unwelcome and unacceptable malicious activity,” Morgan Finkelstein, the national security spokesperson for the Harris campaign, told CNN.

**FBI Dismantles the Largest-Ever Chinese State-Sponsored Botnet**

The FBI announced this week that it had taken down a network of hacked machines being secretly controlled by a Chinese state-sponsored hacking group known as Flax Typhoon. The botnet, made up of 260,000 routers and internet-of-things devices, was allegedly being run by a Chinese contractor known as the Beijing Integrity Technology Group, a rare instance of a known, publicly traded company operating essentially a massive collection of hacked devices on behalf of the Chinese state. The botnet, according to the FBI and security firm Black Lotus Labs, had been used to hack government agencies, defense contractors, telecoms, and other US and Taiwanese targets. At the time of its takedown, the botnet still encompassed 60,000 machines, making it the largest Chinese state-sponsored botnet ever, according to Black Lotus Labs.

**Two Men Charged With Stealing $243M in Cryptocurrency Using Social Engineering Scam**

On Wednesday night, two young men were arrested after they allegedly stole hundreds of millions of dollars of cryptocurrency and spent the earnings on luxury cars, watches, jewelry, and designer handbags. In an unsealed indictment, the US Department of Justice charged Malone Lam, 20, known online as “Anne Hathaway” and Jeandiel Serrano, 21, aka “VersaceGod,” with stealing $243 million in cryptocurrency and laundering the proceeds through mixing services to conceal the origin.

CoinDesk reported that the men allegedly tricked the heist’s victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoin to a compromised wallet. An analysis of the transaction by blockchain investigator ZachXBT revealed that the $243 million was divided among multiple wallets and then distributed to over 15 exchanges.

**Apple MacOS Update Breaks Some Cybersecurity Tools**

On Thursday, TechCrunch reported that Apple's latest desktop operating system update, macOS 15 (Sequoia), breaks some functionality of major security tools made by CrowdStrike, SentinelOne, and Microsoft. It’s unclear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.

A CrowdStrike sales engineer informed colleagues via Slack, as seen by TechCrunch, that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new OS releases. While they hope for a quick patch, they will likely need to scramble to resolve the issue with an update in their own code, assuming no immediate fix is available from Apple, which has not yet commented on the issue.

**Leader of Crypto Extortion Gang Sentenced to 47 Years**

Cryptocurrency theft has become practically a common-garden form of cybercrime. But one brutal gang took that form of thievery to a new level of cruelty and violence, breaking into a series of victims' homes to threaten and extort them into handing over their crypto holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to a close with the sentencing of the group's ring leader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang to have now been charged, convicted, and sentenced. Prior to the home invasions that St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions with more traditional crypto hacking techniques. But St. Felix's more violent, offline extortion attempts netted his gang only around $150,000 in cryptocurrency before they were caught and sentenced to years behind bars. The lesson: Crime doesn't pay—or at least, not the physical kind.

Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

A North Korean advanced persistent threat (APT) actor (aka Gleaming Pisces) tried to sneak simple backdoors into public software packages.

Source: Chronicle via Alamy Stock Photo

One of North Korea's most sophisticated threat groups has been hiding remote access malware for macOS and Linux inside of open source Python packages.

North Korean advanced persistent threats (APTs) have become notorious for certain characteristic types of cyberattack in recent years. There's the cryptocurrency scam, which can come in many forms — often a fake trading platform, where victims are lured into divulging their wallet information or downloading malware. Supply chain attacks are common, particularly via poisoned packages typosquatting on public repositories. An impish recent trend involves contracting actual, honest labor to Western companies under false pretenses, then sending the salaries earned back to Kim's state. The reverse — agents posing as tech recruiters, convincing developers to download malware — is also common.

The group, which Palo Alto's Unit 42 tracks as Gleaming Pisces (and Microsoft as Citrine Sleet), seems to have supplemented category one with category two. Active since 2018, the financially motivated, DPRK Reconnaissance General Bureau (RGB)-linked group is known for attacks weaponizing fake crypto platforms. Unit 42 now assesses with medium confidence that it was responsible for uploading a handful of malicious packages to the Python Package Index (PyPI) back in February. The packages have since been taken down.

**DPRK-Poisoned PyPI Packages**

Most packages uploaded to open source repositories are simple by nature. As Louis Lang, co-founder and chief technology officer (CTO) at Phylum recalls, "What was interesting about these packages was that there was a higher order of complexity than you typically find among benign packages."

Phylum had identified four packages worth taking a second look at: real-ids, minisound, coloredtxt, and beautifultext. The innocuous names seemed to allude to legitimate functionality, like syntax highlighting for terminal outputs.

In reality, the packages contained malicious code that would be decoded and executed upon download. The code would then run bash commands in order to retrieve and download a remote access Trojan (RAT) called "PondRAT."

PondRAT is an entirely simple backdoor, capable of just a few functions: uploading and downloading files, checking to see that an implant is active or instructing it to sleep, and executing commands issued by the operator. It is, in essence, a "light" version of PoolRAT. PoolRAT is a known Gleaming Pisces backdoor for macOS that has a half dozen more standard capabilities than its successor, like listing directories, deleting files, etc.

**No Need for Windows**

More notable than the malware itself may be the fact that its authors wrote it only for macOS and Linux systems.

Forgoing hackers' long preferred Windows operating system makes sense, though, when one considers Gleaming Pisces' typical audience. As Lang explains, "They're targeting the actual builders, CI/CD infrastructure, developer workstations — environments that are overwhelmingly going to be Linux or macOS based. Very few people are doing development on straight Windows. So if you are targeting developers, it makes sense to ship variants for these systems, because that's where your target population lives."

Developers, then, need to be alert to phishing attacks, like those fake crypto platforms and job recruitment scams. Because while it's rare that anyone might pull an unpopular, ultra-generic package from PyPI, it's entirely likely that that same package could be quietly integrated into a broader infection chain.

"If you add a package, it could have downstream impacts, where you're actually pulling in 30, 40 other packages it may \[be connected to\]. So if I was a developer, I'd be very cognizant of what I'm installing, and try to minimize the attack surface by minimizing the number packages I'm pulling in. And then, obviously, scan the packages — look for these zombies, look for high-entropy strings, look for code obfuscation," Lang suggests.

"Like we always say," he adds, "you're one update away from malware."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Citrine Sleet Poisons PyPI Packages With Mac &amp; Linux Malware

Ubuntu Security Notice 7027-1 - It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Xi Lu discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-7027-1  
September 19, 2024

emacs, emacs24, emacs25 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Emacs.

Software Description:  
- emacs: GNU Emacs editor (metapackage)  
- emacs25: GNU Emacs editor (with GTK+ GUI support)  
- emacs24: GNU Emacs editor

Details:

It was discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04  
LTS. (CVE-2022-45939)

Xi Lu discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS  
and Ubuntu 22.04 LTS. (CVE-2022-48337)

Xi Lu discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 22.04 LTS. (CVE-2022-48338)

Xi Lu discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04  
LTS. (CVE-2022-48339)

It was discovered that Emacs incorrectly handled filename sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04  
LTS. (CVE-2023-28617)

It was discovered that Emacs incorrectly handled certain crafted files. An  
attacker could possibly use this issue to crash the program, resulting in  
a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu  
18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-30203,  
CVE-2024-30204, CVE-2024-30205)

It was discovered that Emacs incorrectly handled certain crafted files. An  
attacker could possibly use this issue to execute arbitrary commands.  
(CVE-2024-39331)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   emacs                           1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-bin-common                1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-common                    1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-el                        1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro

Ubuntu 22.04 LTS  
   emacs                           1:27.1+1-3ubuntu5.2  
   emacs-bin-common                1:27.1+1-3ubuntu5.2  
   emacs-common                    1:27.1+1-3ubuntu5.2  
   emacs-el                        1:27.1+1-3ubuntu5.2

Ubuntu 20.04 LTS  
   emacs                           1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-bin-common                1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-common                    1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-el                        1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro

Ubuntu 18.04 LTS  
   emacs25                         25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   emacs25-bin-common              25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   emacs25-common                  25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   emacs25-el                      25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   emacs24                         24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro  
   emacs24-bin-common              24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro  
   emacs24-common                  24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro  
   emacs24-el                      24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-7027-1  
   CVE-2022-45939, CVE-2022-48337, CVE-2022-48338, CVE-2022-48339,  
   CVE-2023-28617, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205,  
   CVE-2024-39331,https://launchpad.net/bugs/2070418

Package Information:  
   https://launchpad.net/ubuntu/+source/emacs/1:27.1+1-3ubuntu5.2

Tag

#mac