Research from Malwarebytes reveals an enormous, coronavirus-fuelled surge in malware detections in 2021.
The post How COVID-19 fuelled a surge in malware appeared first on Malwarebytes Labs.

2021 saw a massive surge in detections of malware, adware, and Potentially Unwanted Programs (PUPs). It didn’t matter what the computers were used for or what operating system they ran—across business and home computers, on Windows and on Mac, detections went up, enormously.

Detections of malware on Windows business machines were 143% higher in 2021 than in 2020, and 65% higher on consumer machines.

Windows malware detection totals 2019-2021

Detections of malware, adware, and PUPs on macOS increased almost 220%.

Mac malware, adware and PUP detection totals 2019-2021

The background to this extraordinary jump in detections is the coronavirus pandemic, so we call this surge in detections the “Covid bounce”.

**The Covid bounce**

In 2020, the recently-discovered novel coronavirus, and the restrictions put in place to slow its progress, caused trillions of dollars of lost economic activity and a mass migration of knowledge workers from offices to homes.

Almost all forms of business suffered—even illegal ones like cybercrime. Crooks were just as likely to get COVID-19 as anyone else, and the targets they preyed upon changed beyond recognition.

Many businesses wound down or folded, and those that didn’t had to upend their IT infrastructure overnight to support working from home. How people worked, where they worked, the tools they used, and the things they cared about were all in flux.

No wonder then, that in 2020, malware detections on Windows business machines fell 24%.

The effect was not spread evenly across all types of malware though. Detections of Emotet and TrickBot collapsed by 89% and 69% respectively, leading some to speculate that while these highly sophisticated forms of malware were extremely effective at permeating corporate networks they may be poorly adapted to exploit the work-from-home environment.

Meanwhile, detections of hacking tools, information stealers, and other malware that could help criminals better understand the transformation in their victims’ environments, increased considerably.

In 2021, as restrictions lifted gradually around the world, and as organisations and the criminals preying on them adapted to remote and hybrid work, detection numbers climbed precipitously.

And they didn’t simply return to the pre-Covid status quo, they soared past 2019’s numbers. In 2021, the detection numbers for business threats were 85% higher than in 2019, and consumer threat detections were 47% higher.

Cryptocurrency values soared in 2021 and, to nobody’s surprise, detections of malware that mines cryptocurrencies increased more than 300 precent.

Adware, spyware, and worms all displayed an enormous bounce back in 2021, climbing 200%, and detections of email threats showed a considerable “Covid bounce” too. But while the old guard of Emotet and TrickBot remained, they were not the presence of old as several new pretenders jostled for position.

It is impossible to say why detections bounced back so alarmingly last year, but the plain fact is that the world now is not the world of 2019. Events like the coronavirus pandemic have far-reaching effects that go far beyond the immediate, obvious and tragic health consequences, affecting all walks of life, even the security of your servers, laptops, and remote workers.

The pandemic accelerated the transition from a bricks-and-mortar to online existence, and for many businesses and services there is no going back.

After a period of adjustment and uncertainty in 2020, cybercrime seems to have emerged supremely well adapted to this new reality.

You can learn more about the Covid bounce and how it changed the outlook for cyberthreats into 2022 and beyond in the Malwarebytes 2022 Threat Review.

How COVID-19 fuelled a surge in malware

Microsoft's May Patch Tuesday update is triggering authentication errors.

Microsoft’s May Patch Tuesday update is triggering authentication errors.

Microsoft is alerting customers that its May Patch Tuesday update is causing authentications errors and failures tied to Windows Active Directory Domain Services. In a Friday update, Microsoft said it was investigating the issue.

The warning comes amid shared reports of multiple services and policies failing after installing the security update. “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect.”  posted an admin to a Reddit thread on the topic.

According to Microsoft, the issue has been caused after installing the updates released on May 10, 2022.

“After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” Microsoft reported.

“An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft added.

The domain controller is a server that is responsible for responding to authentication requests as well as verifying the user on a computer network, and the active directory is a type of directory service that stores the information about objects on a network and makes this information readily available for the users.

Microsoft added a note that the update will not affect the client’s Windows devices and non-domain controller windows servers, and will only cause issues for the server acting as a domain controller.

“Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue. This issue only affects installation of May 10, 2022, updates installed on servers used as domain controllers.” Microsoft explains.

****Authentication Failure Caused by Security Update****

Microsoft releases another document, explaining further details related to the authentication problem caused by the security update addressing the privilege escalation vulnerabilities in Windows Kerbose and its Active Directory Domain Service.

The vulnerabilities are tracked as CVE-2022-26931 in Windows Kerberos with a high severity CVSS rating of 7.5 and CVE-2022-26923 (discovered by security researcher Oliver Lyak) in Microsoft’s Active Directory Domain Services. It has a CVSS score of 8.8 and is rated as high. An attacker can exploit the vulnerability if left unpatched and escalate the privilege to that of the domain admin.

****Workarounds****

The Domain administrators are advised by Microsoft to manually map the certificates to a user in Active Directory until the official updates are available.

“Domain administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the user’s Object,” Microsoft added.

“If the preferred mitigation will not work in your environment, please see ‘KB5014754—Certificate-based authentication changes on Windows domain controllers’ for other possible mitigations in the SChannel registry key section,” reported by Microsoft.

As per Microsoft any other mitigation method might not provide adequate security hardening.

According to Microsoft, the May 2022 update is allowing all authentication attempts unless the certificate is older than the user, this is because the updates automatically set the StrongCertificateBindingEnforcement registry key, “which changes the enforcement mode of the KDC to Disabled Mode, Compatibility Mode, or Full Enforcement Mode” Microsoft explains.

One Window Admin that spoke to _Bleepingcomputer_ said that the only way they were able to get some of the users log in with the following installation of the patch was to disable the  StrongCertificateBindingEnforcement key by settings its value to 0.

By changing the REG\_DWORD DataType value to 0, the admin can disable the strong certificate mapping check and can create the key from the scratch. This method is not recommended by Microsoft, but it’s the only way to allow all users to log in.

The issues are properly investigated by Microsoft and a proper fix should be available soon.

Microsoft also recently releases the 73 new patches of May’s monthly update of security fixes.

Microsoft’s May Patch Tuesday Updates Cause Windows AD Authentication Errors

An unidentified threat actor has been linked to an actively in-development malware toolkit called the "Eternity Project" that lets professional and amateur cybercriminals buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot.
What makes this malware-as-a-service (MaaS) stand out is that besides using a Telegram channel to communicate updates about the

An unidentified threat actor has been linked to an actively in-development malware toolkit called the "Eternity Project" that lets professional and amateur cybercriminals buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot.

What makes this malware-as-a-service (MaaS) stand out is that besides using a Telegram channel to communicate updates about the latest features, it also employs a Telegram Bot that enables the purchasers to build the binary.

"The \[threat actors\] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies," researchers from Cyble said in a report published last week.

Each of the modules can be leased separately and provides paid access to a wide variety of functions -

*   **Eternity Stealer** ($260 for an annual subscription) - Siphon passwords, cookies, credit cards, browser cryptocurrency extensions, crypto wallets, VPN clients, and email apps from a victim's machine and sends them to the Telegram Bot

*   **Eternity Miner** ($90 as an annual subscription) - Abuse the computing resources of a compromised machine to mine cryptocurrency

*   **Eternity Clipper** ($110) - A crypto-clipping program that steals cryptocurrency during a transaction by substituting the original wallet address saved in the clipboard with the attacker's wallet address.

*   **Eternity Ransomware** ($490) - A 130kb ransomware executable to encrypt all of the users' files until a ransom is paid

*   **Eternity Worm** ($390) - A malware that propagates through USB Drives, local network shares, local files as well as via spam messages broadcasted on Discord and Telegram.

*   **Eternity DDoS Bot** (N/A) - The feature is said to be currently under development.

Cyble pointed out there are indications that the malware authors may be repurposing existing code related to DynamicStealer, which is available on GitHub, and trading it under a new moniker for profit.

It's worth noting that Jester Stealer, another malware that came to light in February 2022 and has since been put to use in phishing attacks against Ukraine, also utilizes the same GitHub repository for downloading TOR proxies, indicating possible links between the two threat actors.

The cybersecurity firm also said it "has observed a significant increase in cybercrime through Telegram channels and cybercrime forums where \[threat actors\] sell their products without any regulation."

Just last week, BlackBerry exposed the inner workings of a remote access trojan called DCRat (aka DarkCrystal RAT) that's available for sale at cheap prices on Russian hacking forums and uses a Telegram channel for sharing details regarding software and plugin updates.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of "Eternity Project" Malware Service Being Sold via Telegram

Gitea before 1.16.7 does not escape git fetch remote.

_Mon May 2, 2022_ by **jolheiser**

We are proud to present the release of Gitea version 1.16.7.

We highly encourage users to update to this version for some important bug-fixes.

We have merged 20 pull requests to release this version.

We would like to give a special thanks to E99p1ant and Li4n0 from **Vidar-Team** and thanks to @6543 for submitting the security patch for this release.

You can download one of our pre-built binaries from our downloads page - make sure to select the correct platform! For further details on how to install, follow our installation guide.

We would also like to thank all of our supporters on Open Collective who are helping to sustain us financially.

**Have you heard? We now have a swag shop! 👕 🍵**

**Changelog****1.16.7 - 2022-05-02**

*   SECURITY
    *   Escape git fetch remote (#19487) (#19490)
*   BUGFIXES
    *   Don’t overwrite err with nil (#19572) (#19574)
    *   On Migrations, only write commit-graph if wiki clone was successful (#19563) (#19568)
    *   Respect DefaultUserIsRestricted system default when creating new user (#19310) (#19560)
    *   Don’t error when branch’s commit doesn’t exist (#19547) (#19548)
    *   Support hostname:port to pass host matcher’s check (#19543) (#19544)
    *   Prevent intermittent race in attribute reader close (#19537) (#19539)
    *   Fix 64-bit atomic operations on 32-bit machines (#19531) (#19532)
    *   Prevent dangling archiver goroutine (#19516) (#19526)
    *   Fix migrate release from github (#19510) (#19523)
    *   When view \_Siderbar or \_Footer, just display once (#19501) (#19522)
    *   Fix blame page select range error and some typos (#19503)
    *   Fix name of doctor fix “authorized-keys” in hints (#19464) (#19484)
    *   User specific repoID or xorm builder conditions for issue search (#19475) (#19476)
    *   Prevent dangling cat-file calls (goroutine alternative) (#19454) (#19466)
    *   RepoAssignment ensure to close before overwrite (#19449) (#19460)
    *   Set correct PR status on 3way on conflict checking (#19457) (#19458)
    *   Mark TemplateLoading error as “UnprocessableEntity” (#19445) (#19446)

CVE-2022-30781: Gitea 1.16.7 is released - Blog

xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.

elvadisas

**Posts:** 6

**Joined:** Mon Apr 25, 2022 11:21 pm

**allocator is out of memory(OOM in pdftoppm)**

Hello,  
i had a crash when i did a fuzzing test in xpdf.  
Description:  
Memory Allocation with Excessive Size Value  
run poc:  
/home/elva/fuzzing\_xpdf/install/bin/pdftoppm ./poc /home/elva/fuzzing\_xpdf/out

asan :  
Syntax Error (8241): Too few (1) args to 'c' operator  
Syntax Error (8252): Too few (4) args to 'c' operator  
Syntax Error (8267): Too few (5) args to 'cm' operator  
Syntax Error (8274): Unknown operator 'rg69122'  
Syntax Error (8274): Unknown operator 'c464.34084'  
Syntax Error (8274): Too few (1) args to 'c' operator  
Syntax Error (8274): Unknown operator 'T'  
Syntax Error (8274): Unknown operator 'T000069127.734.3436812812.3000085.rg'  
Syntax Error (8274): Unknown operator 'T'  
Syntax Error (8274): Arg #0 to 'J' operator is wrong type (real)  
Syntax Error (8277): Too few (2) args to 'c' operator  
Syntax Error (8277): Unknown operator 'c46978425992'  
Syntax Error (8277): Arg #0 to 'Tf' operator is wrong type (real)  
Syntax Error (8277): Unknown operator 'E25992'  
Syntax Error (8277): Too few (1) args to 'c' operator  
Syntax Error (8277): Arg #0 to 'Tf' operator is wrong type (integer)  
Syntax Error (8277): Too few (2) args to 'rg' operator  
Syntax Error (8277): Too few (4) args to 'c' operator  
Syntax Error (8277): Too few (1) args to 'cm' operator  
Syntax Error (8277): Too few (1) args to 'c' operator  
Syntax Error (8293): Unknown operator 'q5685700398103000'  
Syntax Error (8328): Unknown operator 'T252000'  
Syntax Error (8344): Too few (5) args to 'c' operator  
Syntax Error (8355): Too few (1) args to 'c' operator  
Syntax Error (8367): Unknown operator 'T'  
Syntax Error (8397): Too few (1) args to 'c' operator  
Syntax Error (8408): Unknown operator 'BT831'  
Syntax Error (8439): Unknown operator 'm0'  
Syntax Error (8442): Too few (0) args to 'c' operator  
Syntax Error (8456): Unknown operator 'cm1184'  
\=================================================================  
\==486377==ERROR: AddressSanitizer: requested allocation size 0x26bfff68a20 (0x26bfff69a20 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)  
#0 0x4ce7cd in malloc (/home/elva/fuzzing\_xpdf/install/bin/pdftoppm+0x4ce7cd)  
#1 0x7fe487 in gmalloc64(unsigned long) /home/elva/fuzzing\_xpdf/xpdf-4.04/goo/gmem.cc:271:13  
#2 0x7fe487 in gmallocn64(int, unsigned long) /home/elva/fuzzing\_xpdf/xpdf-4.04/goo/gmem.cc:288:10

\==486377==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1  
SUMMARY: AddressSanitizer: allocation-size-too-big (/home/elva/fuzzing\_xpdf/install/bin/pdftoppm+0x4ce7cd) in malloc  
\==486377==ABORTING

POC is in ATTACHMENT.  
Thank you.

Attachments

poc.rar

(31 KiB) Downloaded 17 times

derekn

**Posts:** 740

**Joined:** Wed Apr 05, 2017 6:57 pm

**Re: allocator is out of memory(OOM in pdftoppm)**

Post by **derekn** » Wed May 11, 2022 10:26 pm

I've tried with gcc 5.5.0 and gcc 11.2.0 (that's what I have on my dev machines), with asan, and I'm still not seeing a crash.

What was your cmake command to configure xpdf before compiling?

elvadisas

**Posts:** 6

**Joined:** Mon Apr 25, 2022 11:21 pm

**Re: allocator is out of memory(OOM in pdftoppm)**

Post by **elvadisas** » Thu May 12, 2022 2:18 am

Hello,derekn

you can reproduced the bug by the following steps:

mkdir build\_asan  
cd build\_asan

cmake -DCMAKE\_BUILD\_TYPE=Debug $HOME/fuzzing\_xpdf/xpdf-4.04 -DCMAKE\_INSTALL\_PREFIX=$HOME/fuzzing\_xpdf/install/ -DCMAKE\_CXX\_COMPILER=afl-clang-fast++

AFL\_USE\_ASAN=1 make  
sudo AFL\_USE\_ASAN=1 make install

$HOME/fuzzing\_xpdf/install/bin/pdftoppm –f 1 $HOME/fuzzing\_xpdf/poc $HOME/fuzzing\_xpdf/output

POC file and more screenshots are in the ATTACHMENTS.

My Testing Enviroments:  
\--Tested on Ubuntu 20.04.2 LTS x86\_64,AFL++  
\--gcc version 9.3.0  
\--xpdf version xpdf 4.04  
https://dl.xpdfreader.com/xpdf-4.04.tar.gz

you can try it:-)

Attachments

screenshot.rar

(76.09 KiB) Downloaded 8 times

poc.rar

(31 KiB) Downloaded 10 times

CVE-2022-30775: allocator is out of memory(OOM in pdftoppm)

1.  Releases
2.  v1.22.0

Compare

Choose a tag to compare

Latest

Latest

 github-actions released this

· 1 commit to master since this release

v1.22.0

5b2a402

Compare

Choose a tag to compare

*   Prohibit negative size argument to table/new.
*   Add module/value.
*   Remove file/popen. Use os/spawn with the :pipe options instead.
*   Fix bug in peg thru and to combinators.
*   Fix printing issue in doc macro.
*   Numerous updates to function docstrings
*   Add defdyn aliases for various dynamic bindings used in core.
*   Install janet.h symlink to make Janet native libraries and applications  
    easier to build without jpm.

**Assets**8

*   janet-1.22.0-windows-x64-installer.msi
    
    1.63 MB
    
*   janet-v1.22.0-linux-x64.tar.gz
    
    1.26 MB
    
*   janet-v1.22.0-macos-x64.tar.gz
    
    1.35 MB
    
*   janet.c
    
    2.22 MB
    
*   janet.h
    
    79.6 KB
    
*   shell.c
    
    31 KB
    
*   Source code (zip)
    
*   Source code (tar.gz)
    

2 people reacted

0 Join discussion

CVE-2022-30763: Release Janet 1.22.0 · janet-lang/janet

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CVE-2022-30708: Webmin

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 6 to May 13

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.5 , with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server. IBM X-Force ID: 222078.

**Security Bulletin**

  

**Summary**

IBM WebSphere Application Server Liberty is vulnerable to an information disclosure with the adminCenter-1.0 feature enabled. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22393  
**DESCRIPTION:**   IBM WebSphere Application Server Liberty, with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server.  
CVSS Base score: 3.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222078 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server Liberty

17.0.0.3-22.0.0.5

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH45086. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. 

**For IBM WebSphere Application Server Liberty 17.0.0.3 - 22.0.0.5 using the adminCenter-1.0 feature:**   
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH45086  
\--OR--  
· Apply Liberty Fix Pack 22.0.0.6 or later (targeted availability 2Q2022).

Additional interim fixes may be available and linked off the interim fix download page.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

12 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Liberty","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"},{"code":"PF017","label":"Mac OS"}\],"Version":"Liberty","Edition":"Liberty","Line of Business":{"code":"LOB45","label":"Automation"}}\]

Tag

#mac