Gentoo Linux Security Advisory 202411-4 - A vulnerability has been discovered in EditorConfig Core C library, which may lead to arbitrary code execution. Versions greater than or equal to 0.12.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: EditorConfig core C library: arbitrary stack write  
     Date: November 06, 2024  
     Bugs: #905308  
       ID: 202411-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in EditorConfig Core C library,  
which may lead to arbitrary code execution.

Background  
==========

EditorConfig core library written in C (for use by plugins supporting  
EditorConfig parsing)

Affected packages  
=================

Package                       Vulnerable    Unaffected  
----------------------------  ------------  ------------  
app-text/editorconfig-core-c  < 0.12.6      >= 0.12.6

Description  
===========

A vulnerability has been discovered in EditorConfig Core C library.  
Please review the CVE identifier referenced below for details.

Impact  
======

Please review the referenced CVE identifier for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All EditorConfig core C library users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/editorconfig-core-c-0.12.6"

References  
==========

[ 1 ] CVE-2023-0341  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0341

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-04

Gentoo Linux Security Advisory 202411-3 - A vulnerability has been discovered in Ubiquiti UniFi, which can lead to local privilege escalation. Versions greater than or equal to 8.5.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Ubiquiti UniFi: Privilege Escalation  
     Date: November 06, 2024  
     Bugs: #941922  
       ID: 202411-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Ubiquiti UniFi, which can lead to  
local privilege escalation.

Background  
==========

Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi  
APs.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-wireless/unifi  < 8.5.6       >= 8.5.6

Description  
===========

A vulnerability has been discovered in Ubiquiti UniFi. Please review the  
CVE identifier referenced below for details.

Impact  
======

The vulnerability allows a malicious actor with a local operational  
system user to execute high privilege actions on UniFi Network Server.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Ubiquiti UniFi users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/unifi-8.5.6"

References  
==========

[ 1 ] CVE-2024-42028  
      https://nvd.nist.gov/vuln/detail/CVE-2024-42028

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-03

Gentoo Linux Security Advisory 202411-2 - A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape. Versions greater than or equal to 1.4.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Flatpak: Sandbox Escape  
     Date: November 06, 2024  
     Bugs: #937936  
       ID: 202411-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Flatpak, which can lead to a  
sandbox escape.

Background  
==========

Flatpak is a Linux application sandboxing and distribution framework.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/flatpak  < 1.4.10      >= 1.4.10

Description  
===========

A vulnerability has been discovered in Flatpak. Please review the CVE  
identifier referenced below for details.

Impact  
======

A malicious or compromised Flatpak app using persistent directories  
could  
read and write files in locations it would not normally have access to.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Flatpak users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.4.10"

References  
==========

[ 1 ] CVE-2024-42472  
      https://nvd.nist.gov/vuln/detail/CVE-2024-42472

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-02

Ubuntu Security Notice 7088-3 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-3November 06, 2024linux-aws-5.4, linux-oracle-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2021-47212, CVE-2024-44965, CVE-2024-46676, CVE-2024-41091,CVE-2024-44946, CVE-2024-43894, CVE-2024-26668, CVE-2024-42259,CVE-2024-42295, CVE-2024-46685, CVE-2024-46722, CVE-2024-45028,CVE-2024-46815, CVE-2024-41081, CVE-2024-41022, CVE-2024-44948,CVE-2024-42301, CVE-2024-43914, CVE-2024-46771, CVE-2024-42289,CVE-2024-43841, CVE-2024-41042, CVE-2024-44999, CVE-2024-43893,CVE-2024-46758, CVE-2024-46828, CVE-2024-36484, CVE-2024-26669,CVE-2024-44952, CVE-2024-42265, CVE-2024-42311, CVE-2024-43880,CVE-2024-41070, CVE-2024-46829, CVE-2024-42292, CVE-2024-46719,CVE-2024-41020, CVE-2024-41015, CVE-2024-42283, CVE-2024-46744,CVE-2024-46679, CVE-2024-46800, CVE-2024-46777, CVE-2024-43835,CVE-2024-42271, CVE-2024-43882, CVE-2024-41072, CVE-2024-35848,CVE-2024-43860, CVE-2024-38611, CVE-2024-26607, CVE-2024-47663,CVE-2024-46780, CVE-2024-46675, CVE-2024-45003, CVE-2024-44969,CVE-2024-42244, CVE-2024-43856, CVE-2024-46755, CVE-2024-42286,CVE-2024-41063, CVE-2024-41068, CVE-2024-46743, CVE-2024-43839,CVE-2024-41065, CVE-2023-52531, CVE-2024-41090, CVE-2024-46747,CVE-2023-52614, CVE-2024-43853, CVE-2024-46737, CVE-2024-45021,CVE-2024-41012, CVE-2024-41064, CVE-2024-26800, CVE-2024-42246,CVE-2024-43908, CVE-2024-46723, CVE-2024-42310, CVE-2024-46781,CVE-2023-52918, CVE-2024-42313, CVE-2024-45006, CVE-2024-43890,CVE-2024-44954, CVE-2024-43858, CVE-2024-41098, CVE-2024-41071,CVE-2024-26641, CVE-2024-42280, CVE-2024-46673, CVE-2024-43846,CVE-2024-46721, CVE-2024-47667, CVE-2024-26885, CVE-2024-42304,CVE-2024-46745, CVE-2024-26640, CVE-2024-43861, CVE-2024-42287,CVE-2024-44998, CVE-2024-40929, CVE-2024-41073, CVE-2024-46689,CVE-2024-44944, CVE-2024-46756, CVE-2024-42305, CVE-2024-42284,CVE-2024-42281, CVE-2024-42288, CVE-2024-41011, CVE-2024-47668,CVE-2024-43830, CVE-2024-46740, CVE-2024-46677, CVE-2024-43867,CVE-2024-46783, CVE-2024-46844, CVE-2024-43854, CVE-2024-42297,CVE-2024-46738, CVE-2024-46739, CVE-2024-44947, CVE-2024-43883,CVE-2024-43884, CVE-2024-46798, CVE-2024-46757, CVE-2024-43879,CVE-2024-47659, CVE-2024-46817, CVE-2024-45008, CVE-2024-47669,CVE-2024-43871, CVE-2024-44960, CVE-2024-27051, CVE-2024-44988,CVE-2024-46840, CVE-2024-41059, CVE-2024-46822, CVE-2024-42276,CVE-2024-45026, CVE-2024-46761, CVE-2024-44995, CVE-2024-44987,CVE-2024-26891, CVE-2024-46782, CVE-2024-42309, CVE-2024-42131,CVE-2024-46759, CVE-2024-42229, CVE-2024-46714, CVE-2024-42290,CVE-2024-44935, CVE-2024-42285, CVE-2024-38602, CVE-2024-43829,CVE-2024-42306, CVE-2024-41017, CVE-2024-45025, CVE-2024-46818,CVE-2024-46750)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-5.4.0-1134-oracle   5.4.0-1134.143~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1135-aws      5.4.0-1135.145~18.04.1          Available with Ubuntu Pro  linux-image-aws                 5.4.0.1135.145~18.04.1          Available with Ubuntu Pro  linux-image-oracle              5.4.0.1134.143~18.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-3  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669

Ubuntu Security Notice USN-7088-3

Gentoo Linux Security Advisory 202411-1 - A vulnerability has been discovered in Neat VNC, which can lead to authentication bypass. Versions greater than or equal to 0.8.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Neat VNC: Authentication Bypass  
     Date: November 06, 2024  
     Bugs: #937140  
       ID: 202411-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Neat VNC, which can lead to  
authentication bypass.

Background  
==========

Neat VNC is a liberally licensed VNC server library that's intended to  
be fast and neat.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
gui-libs/neatvnc  < 0.8.1       >= 0.8.1

Description  
===========

Neat VNC allows remote attackers to bypass authentication via a request  
in which the client specifies an insecure security type such as "Type 1  
- None", which is accepted even if it is not offered by the server, as  
originally demonstrated using a long password.

Impact  
======

A remote attacker can opt not to use any authentication method and  
access the VNC server.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Neat VNC users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=gui-libs/neatvnc-0.8.1"

References  
==========

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-01

Red Hat Security Advisory 2024-8935-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8935.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:8935-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8935Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-6119====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* openssl: Possible denial of service in X.509 name checks (CVE-2024-6119)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6119References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2306158

Red Hat Security Advisory 2024-8935-03

An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi.
"Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to

SaaS Security / Threat Detection

An ongoing threat campaign dubbed **VEILDrive** has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi.

"Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware," Israeli cybersecurity company Hunters said in a new report.

"This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems."

Hunters said it discovered the campaign in September 204 after it responded to a cyber incident targeting a critical infrastructure organization in the United States. It did not disclose the name of the company, instead giving it the designation "Org C."

The activity is believed to have commenced a month prior, with the attack culminating in the deployment of a Java-based malware that employs OneDrive for command-and-control (C2).

The threat actor behind the operation is said to have sent Teams messages to four employees of Org C by impersonating an IT team member and requesting remote access to their systems via the Quick Assist tool.

What made this initial compromise method stand out is that the attacker utilized a user account belonging to a potential prior victim (Org A), rather than creating a new account for this purpose.

"The Microsoft Teams messages received by the targeted users of Org C were made possible by Microsoft Teams' 'External Access' functionality, which allows One-on-One communication with any external organization by default," Hunters said.

In the next step, the threat actor shared via the chat a SharePoint download link to a ZIP archive file ("Client\_v8.16L.zip") that was hosted on a different tenant (Org B). The ZIP archive came embedded with, among other files, another remote access tool named LiteManager.

The remote access gained via Quick Assist was then used to create scheduled tasks on the system to periodically execute the LiteManager remote monitoring and management (RMM) software.

Also downloading is a second ZIP file ("Cliento.zip") using the same method that included the Java-based malware in the form of a Java archive (JAR) and the entire Java Development Kit (JDK) to execute it.

The malware is engineered to connect to an adversary-controlled OneDrive account using hard-coded Entra ID (formerly Azure Active Directory) credentials, using it as a C2 for fetching and executing PowerShell commands on the infected system by using the Microsoft Graph API.

It also packs in a fallback mechanism that initializes an HTTPS socket to a remote Azure virtual machine, which is then utilized to receive commands and execute them under the context of PowerShell.

This is not the first time the Quick Assist program has been used in this manner. Earlier this May, Microsoft warned that a financially motivated cybercriminal group known as Storm-1811 misused Quick Assist features by pretending to be IT professionals or technical support personnel to gain access and drop Black Basta ransomware.

The development also comes weeks after the Windows maker said it has observed campaigns abusing legitimate file hosting services like SharePoint, OneDrive, and Dropbox as means of evading detection.

"This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses," Hunters said. "With zero obfuscation and well-structured code, this malware defies the typical trend of evasion-focused design, making it unusually readable and straightforward."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

INTERPOL with global law enforcement and Group-IB, successfully dismantled a vast network of malicious IP addresses and servers.…

INTERPOL with global law enforcement and Group-IB, successfully dismantled a vast network of malicious IP addresses and servers. This coordinated effort targeted cybercriminals involved in phishing, ransomware, and information theft.

In a high-profile global operation, INTERPOL, in collaboration with law enforcement agencies from 95 countries and cybersecurity firm Group-IB, has successfully dismantled a vast network of malicious IP addresses and servers. 

This coordinated effort, known as Operation Synergia II, targeted cybercriminals involved in phishing, ransomware, and information-stealing activities. From April to August 2024, law enforcement agencies and cybersecurity experts worked tirelessly to identify and neutralize cyber threats. Hong Kong, Mongolia, Macau, Madagascar, and Estonia played key roles in identifying/disabling malicious servers and arresting suspects.

Officers from the Hong Kong Police Force raided the suspects’ premises, taking over 1,037 servers linked to malicious activities offline. Image credit: INTERPOL and the Hong Kong Police Force (Via Group-IB)

Through this effort, over 22,000 malicious IP addresses and 59 servers were taken down, crippling the infrastructure used by cybercriminals. Authorities seized around 43 electronic devices, including laptops, mobile phones, and hard drives, which could contain crucial evidence. They arrested 41 individuals, and investigations are ongoing for 65 others suspected of involvement in cybercrime.

INTERPOL’s Gateway Partner Group-IB’s advanced threat intelligence and digital forensics capabilities also played a crucial role in tracking/disrupting malicious infrastructure. Group-IB’s analysts discovered over 2,500 IP addresses linked to 5,000 phishing websites and 1,300 IP addresses linked to various malware activities across 84 countries.

The company’s CEO, Dmitry Volkov, appreciated the operation’s success, stating that closer collaboration between the public and private sectors is essential to effectively combat cybercrime and safeguard the information and data of clients and society globally.

For your information, Operation Synergia II, is the successor of Operation Synergia, in which Group-IB’s Threat Intelligence and High-Tech Crime Investigation teams identified over 500 IP addresses hosting phishing sites and 1,900 IP addresses used by ransomware, Trojan, and other malware operators. The malicious resources were found in over 50 countries, with malicious infrastructure distributed across 200+ web hosting providers worldwide.

INTERPOL’s Cybercrime Directorate, led by Neal Jetton, has played a crucial role in dismantling cybercrime networks by sharing intelligence, facilitating cooperation, and providing technical expertise, helping law enforcement agencies globally to address such complex challenges effectively.

Last year, Interpol’s HAECHI IV operation, in collaboration with the South Korean government, blocked 82,112 suspicious bank accounts and seized $199 million in cash and $101 million worth of crypto assets.

The six-month operation targeted seven types of scams, including voice phishing, romance scams, sextortion, investment fraud, and money laundering. Now Operation Synergia II’s success shows the usefulness of international collaboration in combating cybercrime.

“INTERPOL is proud to bring together a diverse team of member countries to fight this ever-evolving threat and make our world a safer place,” Jetton stated.

1.  AI-Powered Scams Fuel Global Cybercrime Surge: INTERPOL
2.  Op Narsil – INTERPOL Busts Decade-Old Child Abuse Network
3.  INTERPOL Dismantles ’16shop’ Phishing-as-a-Service Platform
4.  Interpol arrests Moroccan hacker over phishing, malware scam
5.  Interpol Busts Human Traffickers Luring Victims with Fake Job Ads

INTERPOL Arrests 41, Takes Down 22,000 Malicious IPs and 59 Servers

A sophisticated malware called Winos4.0 is being disguised as harmless gaming applications to infiltrate Windows-based systems. Learn about…

A sophisticated malware called Winos4.0 is being disguised as harmless gaming applications to infiltrate Windows-based systems. Learn about the multi-stage attack, data theft risks, and how to protect yourself from this emerging threat.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have identified a new malicious campaign leveraging game-related applications to target Microsoft Windows users and deliver Winos4.0, a new and advanced malware framework similar to Cobalt Strike and Sliver.

Once downloaded and executed, these apps act as Trojan horses, downloading and installing the Winos4.0 framework.

The company’s findings shared with Hackread.com ahead of publishing on Wednesday, Nov 6, identified multiple samples of this malware hidden within gaming-related applications, including installation tools, speed boosters, and optimization utilities. By analyzing the decoded DLL file, they learned about the potential targeting of the education sector, as indicated by its file description, “校园政务” (Campus Administration).

Winos4.0 framework offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints. It is rebuilt from Gh0stRat, a powerful remote access trojan created by the Chinese hacking group C. Rufus Security Team in 2008. Moreover, it includes several modular components, each handling distinct functions. Given its capabilities, Winos4.0 has already been deployed in multiple attack campaigns like Silver Fox.

This multi-stage attack starts with retrieving a fake BMP file from a remote server, which is then XOR-decoded, extracting a DLL file named “you.dll”. This file is loaded through its export function “you” to proceed to the next stage.

“You.dll” downloads three files from a remote path after creating a folder with a random name, extracts one to reveal clean files (u72kOdQ.exe, MSVCP140.dll, and VCRUNTIME140.dll), and another to reveal the main malicious file, “libcef.dll”. The extracted files then load “libcef.dll” to inject shellcode and decode another file using an XOR key.

The injected shellcode loads APIs and retrieves configuration data to establish a connection using TCP protocol, sending a string to the C2 server, which responds with encrypted data. The data is decrypted using XOR, and a module is executed. The module (上线模块.dll) downloads data from the C2 server and records its address in the registry, setting the stage for the attack’s final phase. 

The last stage launches the 登录模块.dll file, which performs tasks like enabling crash restart, recording clipboard content, checking window title bar for specific applications, collecting system information, checking for crypto wallet extensions, checking for anti-virus appliances, sending login messages, and maintaining connection to its C2server with heartbeats.

Attack flow and some of the malicious gaming apps involved in the campaign (Via FortiGuard Labs)

The capabilities of Winos4.0 show that it is a powerful framework that can be used to easily control compromised systems. Researchers recommend that users should be aware of the source of any new application and only download software from qualified sources.

Therefore, refrain from downloading applications and software from third-party app stores and websites. Before executing them, scan URLs and downloaded files on VirusTotal. Regularly scan your devices, especially after downloading new files. In office environments, block systems from downloading apps on workstations.

1.  Android Malware Poses as WhatsApp and Instagram to Steal Data
2.  TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App
3.  Octo2 Malware Uses Fake NordVPN Apps to Infect Android Phones
4.  SideWinder hackers hit Android users with malware apps on Play Store
5.  New BingoMod Android Malware Posing as Security Apps, Wipes Data

New Winos4.0 Malware Targeting Windows via Fake Gaming Apps

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough.

Adam Meyers, Senior Vice President of Counter Adversary Operations, CrowdStrike

November 6, 2024

5 Min Read

Source: Andrey Khokhlov via Alamy Stock Photo

COMMENTARY

Throughout the past year, we've seen a sharp uptick in cross-domain threats. This activity spans multiple domains within an organization's IT architecture, including identity, cloud, and endpoint. These attacks leave minimal footprints in each domain, like separate puzzle pieces, making them harder to detect. 

While cross-domain intrusions vary in complexity, my team and I are increasingly observing attacks that leverage stolen credentials to breach cloud environments and move laterally across endpoints. This activity is fueled by sophisticated phishing techniques and the proliferation of infostealers. Once adversaries obtain or steal credentials, they can gain direct access to poorly configured cloud environments and bypass heavily defended endpoints. With this access, they often deploy remote monitoring and management (RMM) tools instead of malware, making these attacks particularly hard to detect and disrupt. 

**Scattered Spider: A Master of Cross-Domain Tradecraft**

One of the most proficient adversaries in cross-domain attacks is the prolific e-crime group Scattered Spider. Throughout 2023 and 2024, Scattered Spider demonstrated sophisticated cross-domain tradecraft within targeted cloud environments, frequently using spear-phishing, policy modification, and access to password managers. 

In May 2024, CrowdStrike observed Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) instance via a cloud service VM management agent. The adversary compromised existing credentials through a phishing campaign to authenticate to the cloud control plane. Once inside, they established persistence.  

This attack spanned three operational domains: email, cloud management, and within the VM itself. As a result, the detectable footprint in any single domain was minimal and difficult to identify with traditional signature-based detection methods. Identifying this attack relied on extensive threat intelligence and prior knowledge of Scattered Spider's tactics. By correlating telemetry from the cloud control plane with detections within the virtual machine, threat hunters were able to recognize and stop the intrusion in progress. 

**A Massive Insider Scheme: DPRK's Famous Chollima**

North Korea-nexus adversary Famous Chollima presented a unique challenge to threat hunters with a highly sophisticated attack campaign expanding beyond technology boundaries. In this massive insider threat scheme, malicious actors obtained contract or full-time positions using falsified or stolen identity documents to bypass background checks. Their résumés often listed employment at prominent companies, with no gaps, making them appear legitimate.  

In April 2024, CrowdStrike responded to the first of several incidents where Famous Chollima targeted more than 30 US-based companies, including those in the aerospace, defense, retail, and technology sectors. Leveraging data from a single incident, threat hunters developed a scalable plan to hunt this emerging insider threat and identified over 30 additional affected customers within two days. 

In many cases, the adversary attempted to exfiltrate data and install RMM tools using company network credentials to facilitate unauthorized access. CrowdStrike threat hunters searched for RMM tools paired with suspicious network connections to uncover additional data and identify suspicious behaviors. By mid-2024, the US Department of Justice indicted several individuals involved in this scheme, which likely enabled North Korean nationals to raise funds for the DPRK government and its weapons programs. CrowdStrike's coordinated efforts with law enforcement and the intelligence community were instrumental in bringing these malicious activities to light and disrupting the massive threat. 

**Putting the Puzzle Pieces Together: Stopping Cross-Domain Attacks**

Countering sophisticated cross-domain threats requires constant awareness of behavioral and operational shifts, making intelligence-driven hunting essential. Stopping these novel attacks takes a multipronged approach involving people, process, and technology. For organizations to protect against these attacks they should adopt the following approaches:  

*   Full visibility: Unified visibility across the enterprise (cloud, endpoints, and identities) is essential to detect and correlate cross-domain attacks. This approach prevents adversaries from moving laterally through environments, improves response time, and reduces the likelihood of incidents escalating into breaches. 
    

*   Integrate cross-domain hunting: 24/7 real-time threat hunters can proactively search across security planes for malicious behavior. By continuously monitoring employee activity, they can detect deviations from normal behavior, such as abnormal use of RMM tools.  
    

*   Focus on identity: Identity is one of the fastest-growing threat vectors. To mitigate risks, businesses must implement advanced identity verification processes, such as multifactor authentication and biometric check. In addition to establishing strong authentication procedures, identity protection should be implemented to catch anomalous authentication events before they turn into a breach. 
    

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough. As these stealthy threats operate across identity, cloud, and endpoint, they require a blend of advanced technology, the irreplaceable insights of human expertise, and cutting-edge telemetry to inform proactive decision making. Threat hunters and intelligence analysts, working in tandem with cutting-edge tools, are essential for identifying, understanding, and neutralizing these ever-evolving dangers before they can cause harm. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now! 

**About the Author**

Senior Vice President of Counter Adversary Operations, CrowdStrike

As CrowdStrike's senior vice president of counter adversary operations, Adam Meyers leads the Threat Intelligence line of business for the company. Meyers directs a geographically dispersed team of cyber threat experts tracking criminal, state-sponsored, and nationalist cyber adversary groups around the globe and producing actionable intelligence to protect customers. He oversees the development and deployment of AI, machine learning, reverse engineering, natural language processing, and other technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries. Meyers’ work in combining human intelligence and intelligence derived from technology continues to transform cybersecurity. 

Meyers works closely with other departments within CrowdStrike to ensure the smooth and speedy integration of intelligence into CrowdStrike’s entire lineup of products and services. His team brings unprecedented insights into the activities of cyber threat actors, providing strategic and technical guidance to Fortune 100 businesses, major financial institutions, key government agencies, and other CrowdStrike customers.

Tag

#mac