A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021.
To that end, it has come to light that two malware domains identified as hosting credit card skimmer code — "scanalytic[.]org" and "js.staticounter[.]net" — are part of a broader infrastructure used to carry out the intrusions, Malwarebytes said in a Tuesday analysis

A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021.

To that end, it has come to light that two malware domains identified as hosting credit card skimmer code — "scanalytic\[.\]org" and "js.staticounter\[.\]net" — are part of a broader infrastructure used to carry out the intrusions, Malwarebytes said in a Tuesday analysis.

"We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines," Jérôme Segura said. "However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits."

The earliest evidence of the campaign's activity, based on the additional domains uncovered, suggests it dates back to at least May 2020.

Magecart refers to a cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by injecting JavaScript code on e-commerce storefronts, typically on checkout pages.

This works by operatives gaining access to websites either directly or via third-party services that supply software to the targeted websites.

While the attacks gained prominence in 2015 for singling out the Magento e-commerce platform (the name Magecart is a portmanteau of "Magento" and "shopping cart"), they have since expanded to other alternatives, including a WordPress plugin named WooCommerce.

According to a report published by Sucuri in April 2022, WordPress has emerged as the top CMS platform for credit card skimming malware, outpacing Magento as of July 2021, with skimmers concealed in the websites in the form of fake images and seemingly innocuous JavaScript theme files.

What's more, WordPress websites accounted for 61% of known credit card skimming malware detections during the first five months of 2022, followed by Magento (15.6%), OpenCart (5.5%), and others (17.7%).

"Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web," Sucuri's Ben Martin noted at the time.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign

An email campaign lures users with a voicemail notification to enter their Office 365 credentials on a fake login page.
The post Watch out for the email that says “You have a new voicemail!” appeared first on Malwarebytes Labs.

A phishing campaign is using voicemail notification messages to go after victims’ Office 365 credentials.

According to researchers at ZScaler, the campaign uses spoofed emails with an HTML attachment that contains encoded javascript.

The email claims that you have a new voicemail and that you can listen to the message by clicking on the attachment. To add credibility, the name of the attachment starts with a music note character like f.e. ♫ to make it look like a sound clip. In reality, it is an HTML file with obfuscated javascript embedded.

The javascript uses the **windows.location.replace** method to redirect the target to a specially crafted phishing page. The access to the page is behind a reCAPTCHA, probably to keep out the bots, particularly any automated URL analysis tools.

**Spoofed email**

Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by attackers. Obviously pretending to be someone else can have its advantages especially if that someone else holds a position of power or trust with regards to the receiver.

In this campaign the threat actors use a name in the “From” field of the email aligned with the targeted organization’s name. An internal mail is more likely to be trusted by the receiver. Analysis of the email headers shows that the attacker leveraged email servers located in Japan.

**Targets**

The final credential phishing page attempts to steal the Office 365 credentials of the users by presenting them with a fake login screen. The redirection URL includes the target’s email address in base64 encoded, likely so the attackers will be able to match the victim and their login credentials.

The researchers found the campaign targeting organizations in the US military, security software developers and providers, healthcare and pharmaceutical, and supply-chain organizations in manufacturing and shipping.

**How to avoid being phished**

*   Do not open unverified email attachments. If someone you know sends you an attachment you’re not expecting, check it is really them via another contact method.
*   Do not enter your credentials before checking the actual URL of the site.
*   If you use a password manager that autofills your login details, it will not enter your credentials on a phishing site because it will have a different URL. This is a really handy giveaway that something is up.
*   Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t foolproof though, as some phishing sites will also try to steal your 2FA codes.

Stay safe, everyone!

Watch out for the email that says “You have a new voicemail!”

Most organizations still rely on virtual private networks for secure remote access.

Zero-trust initiatives may be on the security roadmap for most enterprises today, but remote-access architecture today is still highly dependent upon virtual private network (VPN) technology.

Newly published data shows that approximately 90% of organizations still utilize VPN in some capacity to secure remote access for their users. Meantime, across a broad population of IT and security practitioners, fewer than one in three say they have plans to — or have begun to — roll out zero-trust network access (ZTNA) to supplant VPN.

The results are from a survey conducted by Sapio Research on behalf of Banyan Security, which reached out to 1,025 IT respondents, focusing the bulk of the survey on the 410 who were aware of both VPN and ZTNA. The study shows that among that group, a full 97% reported that adopting a zero-trust model is a priority for them. Slightly over half of those aware of both VPN and ZTNA said they've begun to roll out zero-trust solutions.

ZTNA is a term Gartner started championing in 2019 to describe in broad strokes a range of products and services that create logical access boundaries around applications or sets of applications using a combination of identity- and context-based factors. The firm predicted at the time that by next year, 2023, approximately 60% of enterprises will start phasing out their VPNs in favor or ZTNA.

"VPNs are just a band aid on a fundamentally broken network security model. And ultimately this has to be replaced," Neil MacDonald, vice president and distinguished analyst for Gartner, said in a recent analysis of zero-trust strategies in 2022. "We need to invert the model. Instead of connecting and then worrying about authentication, we need to authenticate first, then connect. This is where you see many of the tenets of zero-trust networking coming in."

**The Problem With VPNs**

One of the biggest problems with VPN technology is the fact that it "allows for network-level access to an enterprise," explains Deloitte's Andrew Rafla, who leads the consultancy's zero-trust offering.

In contrast, ZTNA restricts remote users' access to only the specific applications and assets they need and nothing more, says Rafla. ZTNA is one important component of a broader zero-trust architecture, he says, which also should include a centralized and federated identity store, privileged access management controls, data protection, network segmentation, device security, and telemetry and analytics.

"General cyber hygiene fundamentals should not be overlooked as well; in order to realize the true benefits of the zero-trust model, an organization should have a solid grasp on its IT asset management, configuration and vulnerability management, and data classification," Rafla says.

Given these weighty requirements to truly grab the zero-trust brass ring, it should come as no surprise that many organizations can feel overwhelmed by it all. Over two-thirds of current VPN users report in this survey that implementing a ZTNA strategy is a large to very large undertaking.

The biggest constraint for VPN-dependent organizations that keep them from transitioning to ZTNA are cost/budget constraints, which was named by 62%. Approximately 13% of them say zero trust is confusing and they don’t even know where to start.

Interestingly, though, among those who have adopted ZTNA, the implementation timeframes may not be as scary as those clinging to VPN may think. The study shows that the mean time to deployment was about 11.5 months. This may be a good lesson in the fact that an organization can and should roll out zero-trust components in a phased manner, and that ZTNA for remote access may be an accessible first step in the journey.

VPNs Persist Despite Zero-Trust Fervor

ToddyCat's Samurai and Ninja tools are designed to give attackers persistent and deep access on compromised networks, security vendor says.

A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.

Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.

The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.

**Attacks Targeted ProxyLogon Exchange Server Flaw**

Kaspersky is tracking the previously unknown group as "ToddyCat." In a report this week, the security vendor said the adversary's victim targeting and certain operational overlaps with at least one known Chinese threat actor suggest that members of ToddyCat are Chinese-speaking as well.

"This group targets high-profile organizations, usually government, diplomatic, military organizations, and military contractors," says Giampaolo Dedola, security researcher at Kaspersky. It may be possible that the threat actor has compromised victims in the US as well. But currently Kaspersky has no information to suggest this is indeed the case, Dedola says.

Kaspersky's analysis showed that ToddyCat's campaign began in December 2020 with attacks targeting selected Exchange Servers belonging to three organizations in Vietnam and Taiwan. The attackers used an unknown exploit to breach the Exchange Servers and deploy the popular China Chopper Web shell on the systems. They then used the Web shell to initiate a multi-stage infection chain involving custom loaders that ended with one of the new malware tools — a backdoor called "Samurai" — being deployed on the compromised system.

**Sophisticated Malware**

Samurai is a passive backdoor designed to give the attackers persistent access on Internet-facing Web servers. The backdoor works on ports 80 and 443 and is designed primarily to execute arbitrary C# code on infected systems.

"Based on our investigation, we were able to detect some of the source codes uploaded by the attacker and we know that it was used to execute arbitrary commands, download files, forward TCP packets to internal hosts," Dedola says. As one example, he points to the attacker using Samurai to communicate with internal Active Directory servers. "The ability to run arbitrary C# code allows attackers to infinitely extend the malware's capabilities," he says.

Kaspersky's research showed the attackers also used Samurai to launch "Ninja," the other previously unseen malware tool that ToddyCat is using in its attacks. Ninja is Cobalt Strike-like malware for executing post-exploitation activities on already compromised systems.

"It allows the attackers to control the remote system, manipulate the file system, manipulate processes, inject arbitrary code in other processes, forward TCP packets, and load new modules in its memory," Dedola says.

Ninja agents can be configured to act like servers. So, the adversary can use the malware to designate specific machines as internal command and control servers (C2s), thereby limiting connections to external servers and reducing the chances of being detected. This feature, combined with the TCP command forwarding functionality, gives the attackers a way to manage even those systems that are not directly connected to the Internet, Dedola says.

Between Dec. 2020 and early Feb. 2021, ToddyCat remained tightly focused on a handful of organizations in Vietnam and Taiwan. But then, for a brief period between late February and early March, the threat actor quickly escalated its attacks by targeting the ProxyLogon vulnerability to compromise organizations in multiple countries. The group's victims included organizations in Russia, UK, Slovakia, India, Iran, and Malaysia, and belonged to industries and sectors that have traditionally been of interest to China-based groups, Kaspersky said.

**A Change in Tactics**

Almost all of ToddyCat's early attacks targeted Exchange Server flaws. But starting Sept. 2021, Kaspersky observed what it described as "waves of attacks" against desktop systems involving the use of malicious loaders sent via the Telegram messaging service. It's unclear how many organizations ToddyCat has compromised, but the number is likely less than 30, Dedola says.

What makes Samurai and Ninja dangerous is the anti-forensic and anti-analysis technique incorporated into the malware, according to Kaspersky. For example. Samurai is designed to share TCP port 80 and 443 with Microsoft Exchange and cannot be detected by monitoring the ports. The malware also uses a complex loading scheme to avoid detection and maintain persistence. It addition, it uses a technique called "control-code flattening" to avoid detection by static analysis tools, Dedola says.

"The Ninja Trojan is also another modular malware, with capabilities that can be easily extended by the attacker," he tells Dark Reading, adding that the malware runs only in memory and never appears on file systems, making it harder to detect. "It is usually executed with a loader, which decrypts the payload from a third file. The file with the encrypted payload is immediately deleted by the loader."

Christopher Prewitt, CTO at Inversion6, says Kaspersky's research shows that the malware authors have gone to great lengths to hide and obfuscate their methods. While the Samurai backdoor features some relatively common features, ToddyCat's bespoke Ninja post-exploit tool appears more interesting.

"It is loaded in memory, making it much more difficult to analyze and detect," Prewitt says. "The threat actor could continue to reuse this part of their toolkit, while only swapping out or updating the initial infection point and backdoor tooling."

China-Linked ToddyCat APT Pioneers Novel Spyware

After the Raccoon Stealer Trojan disappeared, the RIG Exploit Kit seamlessly adopted Dridex for credential theft.

The cybercriminals behind the RIG Exploit Kit earlier this year traded out the credential-stealer Trojan Raccoon Stealer after its lead developer was killed in the Russian invasion of Ukraine.

According to analysts with Bitdefender, the cybercrime group behind the RIG Exploit Kit was able to quickly substitute in the tried-and-true financial Trojan Dridex, which has a range of functions, including keylogging and the ability to steal screenshots. 

"The move to Dridex was a strategic decision to save the operation," Bogdan Botezatu, director, Threat Research and Reporting at Bitdefender, tells Dark Reading. "Cybercriminals running this campaign had to move to a different option or lose the money they had already invested in renting out access to the RIG EK panel. Dridex is a powerful information-stealer that, to some extent, provides similar functionality to Raccoon. Unlike Raccoon, it is still operational and can offer 'business continuity' to the cybercriminals behind this campaign."

The RIG Exploit Kit lets cybercriminals quickly swap out payloads to avoid detection or in case of compromise, according to researchers at Bitdefender, making adaptability part of its product. 

"This once again demonstrates that threat actors are agile and quick to adapt to change," the analysts wrote in their report on the malware campaign. 

"In order to be prepared, defenders should patch the known vulnerabilities in software used across the organization and monitor for the indicators of compromise (IOCs), Botezatu counsels. "A security solution with machine-learning capabilities can detect and block the payload at various execution stages as well."

It's also worth noting that Racoon is likely to make a reappearance, Botezatu notes.

"The Raccoon group has hit a temporary stop with the death of one of its operators, but we believe the team will regroup," he says. "Usually, such groups suspend their operations when teams get arrested or when they voluntarily decide to shift to a more lucrative business. Loss of a team member is a temporary road block and we presume that they will get back online as soon as they manage to recruit a replacement."

RIG Exploit Kit Replaces Raccoon Stealer Trojan With Dridex

Artificial intelligence use is booming, but it's not the secret weapon you might imagine.

From cyber operations to disinformation, artificial intelligence extends the reach of national security threats that can target individuals and whole societies with precision, speed, and scale. As the US competes to stay ahead, the intelligence community is grappling with the fits and starts of the impending revolution brought on by AI.

The US intelligence community has launched initiatives to grapple with AI’s implications and ethical uses, and analysts have begun to conceptualize how AI will revolutionize their discipline, yet these approaches and other practical applications of such technologies by the IC have been largely fragmented.

As experts sound the alarm that the US is not prepared to defend itself against AI by its strategic rival, China, Congress has called for the IC to produce a plan for integration of such technologies into workflows to create an “AI digital ecosystem” in the 2022 Intelligence Authorization Act.

The term AI is used for a group of technologies that solve problems or perform tasks that mimic humanlike perception, cognition, learning, planning, communication, or actions. AI includes technologies that can theoretically survive autonomously in novel situations, but its more common application is machine learning or algorithms that predict, classify, or approximate empiric-like results using big data, statistical models, and correlation.

While AI that can mimic humanlike sentience remains theoretical and impractical for most IC applications, machine learning is addressing fundamental challenges created by the volume and velocity of information that analysts are tasked with evaluating today.

At the National Security Agency, machine learning finds patterns in the mass of signals intelligence collects from global web traffic. Machine learning also searches international news and other publicly accessible reporting by the CIA's Directorate of Digital Innovation, responsible for advancing digital and cyber technologies in human and open-source collection, as well as its covert action and all-source analysis, which integrates all kinds of raw intelligence collected by US spies, whether technical or human. An all-source analyst evaluates the significance or meaning when that intelligence is taken together, memorializing it into finished assessments or reports for national security policymakers.

In fact, open source is key to the adoption of AI technologies by the intelligence community. Many AI technologies depend on big data to make quantitative judgments, and the scale and relevance of public data cannot be replicated in classified environments.

Capitalizing on AI and open source will enable the IC to utilize other finite collection capabilities, like human spies and signals intelligence collection, more efficiently. Other collection disciplines can be used to obtain the secrets that are hidden from not just humans but AI, too. In this context, AI may supply better global coverage of unforeseen or non-priority collection targets that could quickly evolve into threats.

Meanwhile, at the National Geospatial-Intelligence Agency, AI and machine learning extract data from images that are taken daily from nearly every corner of the world by commercial and government satellites. And the Defense Intelligence Agency trains algorithms to recognize nuclear, radar, environmental, material, chemical, and biological measurements and to evaluate these signatures, increasing the productivity of its analysts.

In one example of the IC’s successful use of AI, after exhausting all other avenues—from human spies to signals intelligence—the US was able to find an unidentified WMD research and development facility in a large Asian country by locating a bus that traveled between it and other known facilities. To do that, analysts employed algorithms to search and evaluate images of nearly every square inch of the country, according to a senior US intelligence official who spoke on background with the understanding of not being named.

While AI can calculate, retrieve, and employ programming that performs limited rational analyses, it lacks the calculus to properly dissect more emotional or unconscious components of human intelligence that are described by psychologists as system 1 thinking.

AI, for example, can draft intelligence reports that are akin to newspaper articles about baseball, which contain structured non-logical flow and repetitive content elements. However, when briefs require complexity of reasoning or logical arguments that justify or demonstrate conclusions, AI has been found lacking. When the intelligence community tested the capability, the intelligence official says, the product looked like an intelligence brief but was otherwise nonsensical.

Such algorithmic processes can be made to overlap, adding layers of complexity to computational reasoning, but even then those algorithms can’t interpret context as well as humans, especially when it comes to language, like hate speech.

AI’s comprehension might be more analogous to the comprehension of a human toddler, says Eric Curwin, chief technology officer at Pyrra Technologies, which identifies virtual threats to clients from violence to disinformation. “For example, AI can understand the basics of human language, but foundational models don’t have the latent or contextual knowledge to accomplish specific tasks,” Curwin says.

“From an analytic perspective, AI has a difficult time interpreting intent,” Curwin adds. “Computer science is a valuable and important field, but it is social computational scientists that are taking the big leaps in enabling machines to interpret, understand, and predict behavior.”

In order to “build models that can begin to replace human intuition or cognition,” Curwin explains, “researchers must first understand how to interpret behavior and translate that behavior into something AI can learn.”

Although machine learning and big data analytics provide predictive analysis about what might or will likely happen, it can’t explain to analysts how or why it arrived at those conclusions. The opaqueness in AI reasoning and the difficulty vetting sources, which consist of extremely large data sets, can impact the actual or perceived soundness and transparency of those conclusions.

Transparency in reasoning and sourcing are requirements for the analytical tradecraft standards of products produced by and for the intelligence community. Analytic objectivity is also statuatorically required, sparking calls within the US government to update such standards and laws in light of AI’s increasing prevalence.

Machine learning and algorithms when employed for predictive judgments are also considered by some intelligence practitioners as more art than science. That is, they are prone to biases, noise, and can be accompanied by methodologies that are not sound and lead to errors similar to those found in the criminal forensic sciences and arts.

“Algorithms are just a set of rules, and by definition are objective because they’re totally consistent,” says Welton Chang, cofounder and CEO of Pyrra Technologies. With algorithms, objectivity means applying the same rules over and over. Evidence of subjectivity, then, is the variance in the answers.

“It’s different when you consider the tradition of the philosophy of science,” says Chang. “The tradition of what counts as subjective is a person's own perspective and bias. Objective truth is derived from consistency and agreement with external observation. When you evaluate an algorithm solely on its outputs and not whether those outputs match reality, that’s when you miss the bias built in.”

Depending on the presence or absence of bias and noise within massive data sets, especially in more pragmatic, real-world applications, predictive analysis has sometimes been described as “astrology for computer science.” But the same might be said of analysis performed by humans. A scholar on the subject, Stephen Marrin, writes that intelligence analysis as a discipline by humans is “merely a craft masquerading as a profession.”

Analysts in the US intelligence community are trained to use structured analytic techniques, or SATs, to make them aware of their own cognitive biases, assumptions, and reasoning. SATs—which use strategies that run the gamut from checklists to matrixes that test assumptions or predict alternative futures—externalize the thinking or reasoning used to support intelligence judgments, which is especially important given the fact that in the secret competition between nation-states not all facts are known or knowable. But even SATs, when employed by humans, have come under scrutiny by experts like Chang, specifically for the lack of scientific testing that can evidence an SAT’s efficacy or logical validity.

As AI is expected to increasingly augment or automate analysis for the intelligence community, it has become urgent to develop and implement standards and methods, which are both scientifically sound and ethical for law enforcement and national security contexts. While intelligence analysts grapple with how to match AI’s opacity to the evidentiary standards and argumentation methods required for the law enforcement and intelligence contexts, the same struggle can be found in understanding analysts’ unconscious reasoning, which can lead to accurate or biased conclusions.

The Power and Pitfalls of AI for US Intelligence

Ubuntu Security Notice 5489-1 - Alexander Bulekov discovered that QEMU incorrectly handled floppy disk emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak sensitive information. It was discovered that QEMU incorrectly handled NVME controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5489-1  
June 21, 2022

qemu vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:  
- qemu: Machine emulator and virtualizer

Details:

Alexander Bulekov discovered that QEMU incorrectly handled floppy disk  
emulation. A privileged attacker inside the guest could use this issue to  
cause QEMU to crash, resulting in a denial of service, or possibly leak  
sensitive information. (CVE-2021-3507)

It was discovered that QEMU incorrectly handled NVME controller emulation.  
An attacker inside the guest could use this issue to cause QEMU to crash,  
resulting in a denial of service, or possibly execute arbitrary code. This  
issue only affected Ubuntu 22.04 LTS. (CVE-2021-3929)

It was discovered that QEMU incorrectly handled QXL display device  
emulation. A privileged attacker inside the guest could use this issue to  
cause QEMU to crash, resulting in a denial of service, or possibly execute  
arbitrary code. (CVE-2021-4206, CVE-2021-4207)

Jietao Xiao, Jinku Li, Wenbo Shen, and Nanzi Yang discovered that QEMU  
incorrectly handled the virtiofsd shared file system daemon. An attacker  
inside the guest could use this issue to create files with incorrect  
ownership, possibly leading to privilege escalation. This issue only  
affected Ubuntu 22.04 LTS. (CVE-2022-0358)

It was discovered that QEMU incorrectly handled virtio-net devices. A  
privileged attacker inside the guest could use this issue to cause QEMU to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code. (CVE-2022-26353)

It was discovered that QEMU incorrectly handled vhost-vsock devices. A  
privileged attacker inside the guest could use this issue to cause QEMU to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code. (CVE-2022-26354)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  qemu-system                     1:6.2+dfsg-2ubuntu6.2  
  qemu-system-arm                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-mips                1:6.2+dfsg-2ubuntu6.2  
  qemu-system-misc                1:6.2+dfsg-2ubuntu6.2  
  qemu-system-ppc                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-s390x               1:6.2+dfsg-2ubuntu6.2  
  qemu-system-sparc               1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86                 1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86-microvm         1:6.2+dfsg-2ubuntu6.2  
  qemu-system-x86-xen             1:6.2+dfsg-2ubuntu6.2

Ubuntu 21.10:  
  qemu-system                     1:6.0+dfsg-2expubuntu1.3  
  qemu-system-arm                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-mips                1:6.0+dfsg-2expubuntu1.3  
  qemu-system-misc                1:6.0+dfsg-2expubuntu1.3  
  qemu-system-ppc                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-s390x               1:6.0+dfsg-2expubuntu1.3  
  qemu-system-sparc               1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86                 1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86-microvm         1:6.0+dfsg-2expubuntu1.3  
  qemu-system-x86-xen             1:6.0+dfsg-2expubuntu1.3

Ubuntu 20.04 LTS:  
  qemu-system                     1:4.2-3ubuntu6.23  
  qemu-system-arm                 1:4.2-3ubuntu6.23  
  qemu-system-mips                1:4.2-3ubuntu6.23  
  qemu-system-misc                1:4.2-3ubuntu6.23  
  qemu-system-ppc                 1:4.2-3ubuntu6.23  
  qemu-system-s390x               1:4.2-3ubuntu6.23  
  qemu-system-sparc               1:4.2-3ubuntu6.23  
  qemu-system-x86                 1:4.2-3ubuntu6.23  
  qemu-system-x86-microvm         1:4.2-3ubuntu6.23  
  qemu-system-x86-xen             1:4.2-3ubuntu6.23

Ubuntu 18.04 LTS:  
  qemu-system                     1:2.11+dfsg-1ubuntu7.40  
  qemu-system-arm                 1:2.11+dfsg-1ubuntu7.40  
  qemu-system-mips                1:2.11+dfsg-1ubuntu7.40  
  qemu-system-misc                1:2.11+dfsg-1ubuntu7.40  
  qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.40  
  qemu-system-s390x               1:2.11+dfsg-1ubuntu7.40  
  qemu-system-sparc               1:2.11+dfsg-1ubuntu7.40  
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.40

After a standard system update you need to restart all QEMU virtual  
machines to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5489-1  
  CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2021-4207,  
  CVE-2022-0358, CVE-2022-26353, CVE-2022-26354

Package Information:  
  https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.2  
  https://launchpad.net/ubuntu/+source/qemu/1:6.0+dfsg-2expubuntu1.3  
  https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.23  
  https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.40

Ubuntu Security Notice USN-5489-1

OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.

**01**

****About Us.****

**We provide state-of-the-art solutions based on the most recent breakthroughs in the field of semantic technologies, to enable a direct and effective management of enterprise data.**

**We support organizations in dealing with the challenges of data governance, production, and management through solutions based on the groundbreaking Ontology-based Data Management technology.**

**OBDA Systems is an innovation startup of Sapienza University of Rome, and a company of the Almawave Group.**

****02********Ontology-based Data**  
**Management********A three-level data virtualization technology that allows data access, integration, quality checking, and governance through an ontology or a knowledge graph.****

**The Ontology Layer**

**A knowledge graph that describes the business domain: a user-friendly, machine-readable model of enterprise data.**

**A high-level representation of the business domain through which the data is accessed.**

**Data access, integration, and quality checking are enhanced by exploiting automatic reasoning capabilities over the graph**.

**The Mapping Layer**

**Semantic Links between the ontology and the enterprise data sources**.

**SQL queries on the databases are connected to the ontology entities to enable virtual data access.**

**The mappings allow separation of the physical data structure from the ontology model, and bridge the semantic gap between the two.**

**The Data Layer**

**Enterprise data sources and applications.**

**No new custom databases are required. No ETL processes. Zero impact on the pre-existing enterprise data layer.**

**Pay-as-you-go model: connect new data sources to the ontology by mapping them to instantly gain integration.**

****Simple****

**Access data through simple business questions over the ontology, regardless of where and how the data is stored.**

****Efficient****

**Reduces turn-around-time for key business decisions and drops the cost of querying the data.**

**Agile**

**The virtual data-to-ontology mappings require no ETL processes or custom database restructuring.**

**Flexible**

**A pay-as-you-go approach to building the ontology and mapping the data for any business use case.**

03

****Solutions****

**Simplifying data governance, boosting information management services, and getting the best out of your data.**

**Semantic Data Access and Integration**

******The ontological representation of the enterprise data simplifies the work of the domain experts, who can use business concepts to interact with integrated data sources for the purpose of data governance and analytics.******

**Enterprise Knowledge Graphs**

****Knowledge Graphs and ontologies give meaning to enterprise data through the business language.  
OBDA Systems provides tools and expertise that help organizations build and maintain their own Enterprise Knowledge Graphs.****

**Data Quality Checking and Governance**

********The ontology provides the business rules to measure the quality of enterprise data. OBDA System’s tools leverage these rules to help identify and correct data quality issues, and improve the value and reliability of the enterprise data sources**.******

**Preparation and Publication of 5\* Linked Open Data**

************Preparation, annotation and publication of 5 star Linked Open Data through a simple query-driven pipeline. Support for W3C standards, data lineage tracing, privacy and protection management through the ontology model.************

**0**4

****Products****

****The Mastro Suite: OBDM tools for the end-user and the designer.****

****The motor behind OBDM: an ontology reasoning system with virtual query answering capabilities over enterprise data sources and automatic data quality verification with respect to the ontology business rules.****

****The Semantic Knowledge Graph Platform: Monolith is the gateway to accessing Mastro’s features, while also allowing ontology exploration, knowledge graph creation, data mapping visualization and editing.****

****An Open Source, free-to-use, completely graphical ontology editor with syntactic and semantic reasoning capabilities, to ensure quick, safe, and easy ontology creation.****

**05**

****Our Team**  
**

****Maurizio Lenzerini****

**Co-Founder & President**

****Raniero Romagnoli****

**CEO**

****Valerio Santarelli****

**Co-Founder & CTO**

****Marco Ruzzi****

**Co-Founder & Lead Developer**

****Lorenzo Lepore****

**Co-Founder & Senior R&D Engineer**

****Giacomo Ronconi****

**Senior R&D Engineer**

****Giuseppe De Giacomo****

**Co-Founder & Scientific Advisor**

****Domenico Lembo****

**Co-Founder & Scientific Advisor**

****Antonella Poggi****

**Co-Founder & Scientific Advisor**

****Domenico Fabio Savo****

****Co-Founder & Scientific Advisor****

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.

CVE-2021-40511: Home - OBDA Systems

Open source is here to stay, and it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of digital transformation.

Following the trio of the Log4J vulnerability and the more recent compromise of two open source libraries in the NPM ecosystem and one in Spring Core, supply chain security is weighing heavily on cyber defenders' minds. While the financial services sector has hardened its cyber defenses compared with other industries and become one of the earliest adopters of zero-trust security, institutions must continue to embrace open source technology while actively engaging in risk mitigation.

With so many foundational components of the global tech stack originating from open source code repositories like GitHub, recent exploits have heightened worries that this open ecosystem is inherently vulnerable to attack. This is especially true given the finance industry's finance industry's embrace of open source, as shown by Goldman Sachs contributing source code of several of its data modules as open source in 2020.

**Keeping Open Source Environments Protected**

First off, financial institutions must assume a more active role in the funding of open source foundations and direct-to-maintainer grants to help limit exposures from critical code dependencies, as illustrated by the Log4Shell debacle. To this end, public-private sector partnerships will be vital for financial institutions looking to harden their open source security postures. Confronting the inherent DevSecOps of the open source ecosystem requires a financial and strategic commitment from institutions willing to support the whole spectrum of open source maintainers — and not just the Apache Software Foundations of this world. Projects like the OpenSSF Alpha-Omega initiative are a great example of this approach.

Financial institutions also need to adopt a more robust software bill of materials (SBOMs), a key point highlighted in President Biden’s executive order from last June. Modern SBOMs deploy machine-readable processing, a technology that enables systems to ingest incoming structured report data, to autonomously analyze the state of SBOM readiness by organizations around the world. SBOMs can thus help financial institutions rapidly identify patterns across their industry and across borders, helping them spot critical risk issues before they metastasize into larger problems.

A table-stakes strategy for financial institutions to mitigate open source risks on the consumption side include the implementation of stronger internal license and IP controls and tools to track and monitor inbound open source projects. More granular strategic solutions start with financial institutions taking time to understand the defenders that are focused on securing the open source realm. Organizations like Mend, Sonatype, and Synk are key players in this world.

The broader sustainability of the open source ecosystem is another reason for financial institutions to assume a more hands-on role in the development of code repositories and other active-source artifacts. Institutions should consider offering secure coding training as part of their onboarding, something too often overlooked in academic curricula.

Encouraging in-house developers to contribute "sweat equity" to the ecosystem will increase the number of eyes on open source artifacts, thus enhancing the odds that financial institutions will be able to spot code vulnerabilities before they threaten a SolarWinds type of breach. This approach will effectively reduce the probability and blast radius of future vulnerabilities.

**Benefits of Open Source Outweigh the Risks**

Despite recent, worrisome supply chain attacks, financial institutions should not be deterred by these challenges. The global financial industry is now very seriously democratizing software through open source, not only as a cost reduction but as a powerful collaboration model that goes beyond code to be used to address challenges like data standardization and industrywide interoperable workflows. Open source is here to stay, and therefore it is no longer optional — it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of their digital transformation endeavors.

Institutions are doing more than just implementing code that another developer has updated. Financial organizations should look to invest internal developer resources to actively contribute to code repositories. Developers should be contributing code not just in their spare time, but more appropriately, while they're on the job within the expected scope of their organizational roles.

By taking a proprietary stake in the open-innovation ecosystem, financial institutions can better mitigate vulnerabilities and exposures emanating from their tech stacks. This type of risk management also requires the articulation of companywide policies, learning, and collaboration resources throughout the firm. Naturally, financial institutions need to delegate and establish leadership roles to oversee the effort.

Whether through open source foundations or direct monetary or sweat-equity contributions to projects, financial institutions must realize the importance of professional software supply chain management. They should also understand the roles that consumers must play in securing the open source IT stack, which underpins the modern digital economy.

Why Financial Institutions Must Double Down on Open Source Investments

A researcher has posted a PoC for yet another NTLM relay attack method dubbed DFSCoerce. It is high time to retire NTLM. 
The post DFSCoerce, a new NTLM relay attack, can take control over a Windows domain appeared first on Malwarebytes Labs.

A researcher has published a Proof-of-Concept (PoC) for an NTLM relay attack dubbed DFSCoerce. The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.

**Active Directory**

A directory service is a hierarchical arrangement of objects which is structured in a way that makes access easy. Windows Active Directory (AD) is a directory service provided by Microsoft and developed for Windows domains. Basically, it is a central database which gets contacted before a user is granted access to a resource or a service. Organizations primarily use AD to perform authentication and authorization.

Many large organizations depend on Windows Active Directory (AD) to maintain order in the mountain of work involved in managing users, computers, permissions, and file servers.

**NTLM**

NTLM is short for New Technology LAN Manager. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN). NTLM is a protocol that uses a challenge and response method to authenticate a client.

1.  First, the client establishes a network path to the server and sends a NEGOTIATE\_MESSAGE advertising its capabilities.
2.  Next, the server responds with CHALLENGE\_MESSAGE which is used to establish the identity of the client.
3.  Finally, the client responds to the challenge with an AUTHENTICATE\_MESSAGE.

The NTLM protocol uses one or both of two hashed password values. Both passwords are also stored on the server (or domain controller). And through a lack of salting they are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

**NTLM relay attack**

NTLM relay attacks allow attackers to steal hashed versions of user passwords, and relay clients’ credentials in an attempt to authenticate to servers. They use a Machine-in-the-Middle method that allows threat actors to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources.

PetitPotam is an example of an NTLM relay attack that prompted Microsoft to send out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) to thwart an attack. PetitPotam used the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) protocol to execute an NTLM attack.

The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over an remote procedure call (RPC) interface.

_Tweet by the researcher that discovered DFSCoerce_

**Other methods**

Other methods threat actors could use include the MS-RPRN, and the MS-FSRVP protocols. And now the researcher has added MS-DFSNM to the list of applicable protocols. A list which researchers expect to grow even more. The Distributed File System Namespace Management (DFSNM) protocol is one of a collection of protocols that group shares that are located on different servers by combining various storage media into a single logical namespace. The DFS namespace is a virtual view of the share. When a user views the namespace, the directories and files in it appear to reside on a single share.

**Mitigation**

While Microsoft has issued patches for NTLM attacks in the past, it is unclear whether it will do the same for DFSNM to thwart the DFSCoerce method.

The advice for system administrators is to follow Microsoft’s advisory on how to prevent NTLM relay attacks. The Microsoft advisory, triggered by PetitPotam, will also prevent DFSCoerce and other NTLM attack methods. The recommendation basically says to disable the deprecated NTLM authentication where possible and use the Extended Protection for Authentication (EPA). Extended Protection for Authentication helps protect against MITM attacks, in which an attacker intercepts a client’s credentials and forwards them to a server.

Stay safe, everyone!

Tag

#mac