Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

**Impact**

Frederic Linn (@FredericLinn) has reported a series of vulnerabilities that can result in directory traversal, file write, and potential remote code execution on Jellyfin instances. The general process involves chaining several exploits including a stored XSS vulnerability and can be used by an unprivileged user.

The general process is (using the example of setting an intro video as the payload):

*   Create a session as a low-priviledged user with a crafted authorization header
*   Upload an executable that contains a malicious plugin inline via /ClientLog/Document
*   (Admin hovers over our device in dashboard -> XSS payload gets triggered)
*   XSS Payload tries to set encoder path to our uploaded "log" file via /System/MediaEncoder/Path
*   The request fails, but in the process our executable actually runs (I guess for verifying if the path points to a valid ffmpeg version)
*   The executable will create a plugin folder and place the inlined plugin DLL inside it
*   The XSS payload shuts down the server via /System/Shutdown (separate CVE in jellyfin-web)
*   After (manually) starting the server, the plugin gets loaded and will:
    *   write a new video into the Jellyfin temp folder and register it
    *   register this video as the new intro
    *   and finally provide a malicious endpoint that simply executes system commands and sends back the results

The ability to write arbitrary content to log files was added in #5918 to allow flexibility to client logging.

The following two sections detail Frederic's exact determinations regarding the two vulnerabilities.

**Directory traversal and file write**

I've been reading the codebase here and there for a couple of days and found a directory traversal inside the ClientLogController, specifically /ClientLog/Document.

The GetRequestInformation method retrieves the name and version of the client from the HttpContext.User object.

Those values are attacker controlled when authenticating against the API. Both values are interpolated into a string, which ultimately ends up as an argument to Path.Combine().

Setting a client name to the relative path "........\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\test" will write a file with completely attacker controlled content to the executing user's autostart directory.

However, because the attacker only partially controls the filename, exploitation proves to be tricky. That's because the resulting file will always end in ".log", which means putting something in the autostart directory is only going to open notepad on startup. I mean, we can at least insult the user :^).

Anyway, the next logical step would be to write into Jellyfin's plugins directory, but the sub-directories there (of which the already existing configurations directory conveniently counts as one!) are only getting scanned for ".dll" files.

This stops an attacker from providing malicious DLLs that implement the correct interfaces in order to be recognized as legitimate plugins.

On Linux, there might be more options. Running as the standard root user inside a container, an attacker could of course write anywhere. There's the very interesting "/etc/cron.d" directory, where an attacker can place cron jobs that get picked up automatically. Those files, however, can't contain a dot. Moreover, inside the container the cronjobs are probably not being executed, as the Jellyfin process should be only one running.

For the stored XSS component, see GHSA-89hp-h43h-r5pq

**Patches**

10.8.10

**Workarounds**

N/A

**References**

N/A

CVE-2023-30626: Directory traversal + file write causing arbitrary code execution

JumpCloud integrates with Google Workspace to extend enterprise-quality security capabilities to small and midsize organizations.

**SUNNYVALE, Calif.****,** **April 24, 2023** **/PRNewswire/ --** Google Cloud today announced a series of new security alliances to bring more choice, capability, and simplicity to enterprise and public sector IT teams tasked with managing hybrid work at scale.

Google Workspace comes with industry-leading security built into its cloud-native, zero trust architecture. These capabilities combine threat defenses powered by Google AI, client-side encryption, data privacy controls, and simple access to Google Cloud cybersecurity products like BeyondCorp Enterprise and Chronicle Security Operations, to automatically stop the vast majority of online threats before they emerge—while also supporting customers' regulatory and sovereignty needs. Through its ecosystem of cybersecurity partners, Google Workspace can extend these capabilities further by combining them with tools from the industry's leading security companies, enabling customers to adopt comprehensive, secure collaboration solutions to meet their specific security needs as part of a single Google Workspace offering. 

"Global enterprises want to provide their workforces with more effective and secure ways of collaborating, with tools that increase productivity and avoid the vulnerabilities of legacy productivity solutions," said Sunil Potti, VP and GM of cloud security, Google Cloud. "Through its growing ecosystem of security partners, Google Workspace offers the most enterprise-ready platform for hybrid work, providing organizations with confidence and flexibility to work securely."

**Securing Enterprise Workforces with Okta and VMware**

Today, Google Cloud is extending the built-in identity, device, and access management capabilities of Google Workspace through new alliances with **Okta** and **VMware,** enabling large-scale businesses and public sector organizations to provide their workforces with FedRAMP-authorized collaboration and communication tools. Google Workspace works seamlessly with the enterprise-grade identity and access management capabilities in Okta Workforce Identity Cloud and the device and application management capabilities in VMware Workspace ONE, providing organizations with more choice and flexibility in how they enable safer collaboration for their workforce.

*   **Okta's Workforce Identity Cloud** brings Okta's leading identity and access management capabilities to Google Workspace customers, securely connecting employees, contractors, and business partners from any device and any location. Workforce Identity Cloud's flexible rules and policies ensure employees have just the right level of access they need to get their work done. With Okta, employees can use their Google Workspace credentials across more than 7,000 pre-built apps in the Okta Integration Network to reduce password sprawl for increased security.
*   **VMware Workspace ONE** extends VMware's industry-leading unified endpoint management and zero trust access capabilities to Google Workspace. IT teams can manage all Google Workspace apps through VMware's comprehensive platform, which provides users with quick and easy access to business applications and makes it simple for administrators to onboard devices, change configurations, push automated OS updates, and more, without requiring a combination of disjointed third-party solutions. Workspace ONE administrators can also access a collection of device-health dashboards and reports, along with multi-tenancy for management across geographies, organizations, and use cases.

"Identity is the connective tissue between a business's ecosystem of people and the technologies they need to be successful in hybrid and remote work," said Arnab Bose, chief product officer, Workforce Identity Cloud at Okta. "This partnership allows us to bring identity-powered security to Google Workspace customers while giving them an easy button to optimize their employee experiences and increase operational efficiency."

"The rapid shift to hybrid work has highlighted the need for IT teams to do more with less, while simultaneously balancing the increasing demands of security and productivity," said Renu Upadhyay, VP of product marketing, End-User Computing, VMware. "This VMware and Google Cloud partnership unlocks a transformative approach to end-user computing by creating an automated, unified, and secure experience across all endpoints, apps, and enterprise services, no matter where employees work."

**Helping Small and Midsize Organizations Replace Legacy Directory Services with JumpCloud**

**JumpCloud Open Directory Platform** provides customers with an alternative directory service to replace aging Microsoft Active Directory servers that is a modern, cloud-based solution. The platform works seamlessly with Google Workspace, enabling identity workflows and synchronization to thousands of applications, HRIS systems, and cloud infrastructure. It also combines these features with desktop and mobile device fleet management capabilities to ensure secure, frictionless access to applications and other resources from any operating system or location an employee chooses to work from.

"IT teams are looking for solutions that centralize access, device, and identity management. They need easier and more effective ways to secure how work happens," said Greg Keller, CTO and co-founder, JumpCloud. "The Google Cloud and JumpCloud solution gives IT teams a modern and affordable option to securely manage today's work on-prem, in the cloud or on the go. This offering provides IT teams, and channel IT solution providers, a more affordable, best in class alternative to expensive, legacy Microsoft packages."

**Google Workspace's Flexible, Secure Ecosystem**

Google Workspace is committed to offering more choice by providing organizations of any size with the ability to combine purpose-built security tools from its ecosystem of cybersecurity partners. New updates with JumpCloud, Okta, and VMware will build on existing offerings with CrowdStrike, which extends endpoint protection and Zero Trust through the CrowdStrike Falcon platform, and Palo Alto Networks, which extends endpoint protection and Zero Trust through Prisma Access and Cortex XDR. Over the coming year, deeper technical integrations with these partners will expand the joint capabilities available to Google Workspace customers, making it even easier to adopt Google Workspace for organizations with the most rigorous security and regulatory requirements.

Interested customers can learn more here.

**About Google Cloud**

Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology – all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

_VMware and Workspace ONE are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in_ the United States _and other jurisdictions._

SOURCE Google Cloud

Google Workspace Extends Enterprise-Grade Security and Device Management for Hybrid Work With Okta and VMware

Getting a handle on the new risks facing AppSec by low-code/no-code development patterns

As low-code and no-code application development platforms gain more currency among business groups seeking speedy workarounds to long development backlogs, concerns about application security loom.

The low-code movement increases software engineering agility by speeding up the work of developers and enabling nontechnical business users to create their own applications and add new features to existing tools without needing to engage the engineering team. Low-code development offers the kind of elegant simplicity that’s irresistible to executives with big digital transformation aspirations.

But that kind of "it just works" opacity sends shudders down the spines of cybersecurity veterans. Any security professional with experience with emerging tech cycles instinctually understands that there be dragons in the waters that lie ahead for low-code/no-code — even if they’ve not yet mapped out exactly what kind of monsters they’re dealing with or where they are just yet.

Michael Bargury, author of the Low-Code/No-Code OWASP Top 10, will explain the exact nature of some of low-code/no-code's biggest security risks at the RSA Conference in San Francisco. Chief among them are patterns of permissioning that could throw many of the investments that organizations have made in role-based access control and identity management right out the window.

**Low-Code's Expected Explosion**

Low-code and no-code technologies provide graphical user interface (GUI) environments that make it possible to design and deploy applications and new features for fast-evolving business use cases without intensive hand-coding. These technologies include low-code application platforms (LCAP), robotic process automation (RPA), and business process automation (BPA), among others. Recent forecasting by Gartner shows that by next year the LCAP market will have doubled its revenue from 2021 and the broader low-code segment will reach nearly $32 billion.

These low-code technologies are being used by development teams to speed up and scale their work, by teams of developers and business stakeholders to improve collaboration on fast-moving digital initiatives, and by a new class of citizen developers who create their own apps without waiting for development resources.

It's that last group that’s fueling the explosion of low-code and no-code platforms and the use of low-code functionality within broader software-as-a-service (SaaS) application ecosystems. Gartner predicts that the overall low-code market will increase by 19.6% in 2023, with the fastest-growing segment being citizen automation development platforms, which are set to increase by over 30%. Analysts with the firm say that developers outside of formal IT departments already make up well over 60% of the low-code user base, and by 2026 citizen developers and other nontraditional application designers are going to make up 80% low-code users.

"Business technologists and citizen technologist personas are developing lightweight solutions to meet business unit needs for enhanced productivity, efficiency, and agility — often as fusion teams," said Jason Wong, distinguished VP analyst for Gartner in a recent low-code forecast by the firm.

**Low-Code's IAM Bombshell**

In the face of all this growth in low-code technology, Bargury is on a mission to warn security executives of the risks it poses to application security and cybersecurity postures in the near- and long-term. One of the biggest risks is the fact that these platforms are rampantly sharing credentials in order to work around strict access controls built by organizations over the years, says Bargury, co-founder and CTO of Zenity, a startup focused on low-code/no-code security.

"Let's say that you already have a SaaS platform and you've built this low-code platform on top of SaaS. Now business users can create their own applications and share those applications with their teams and other employees to use as well. So what would be the number one thing that would stop them from being able to do that in the enterprise?" Bargury says. "The answer is permissions."

As he explains, if a business user wants to create their own app, they need to get permissions granted to that app to give it access to data stores and to get it to integrate with other systems. And to get that, these citizen developers would traditionally need to wait for somebody from IT to grant that. Not only would these app designers probably hear a lot of "nos" from these teams, but just waiting for the provisioning process to run its course would essentially neutralize the whole agility value proposition of using low-code in the first place.

So, to get around this problem, many low-code/no-code platforms allow business users to build applications using their own credentials and identities. When they share those applications to other users for broader use, those credentials are shared by everyone.

"Let's say I work in finance. I build an application, and I implicitly embed my own identity within that application, and now I'm sharing that application with you," Bargury says. "You are using the app and everything works, and it's fine, you have access to data. But the underlying application is actually still using my identity to provide that access. I call this credential-sharing-as-a-service."

And as he puts it, this is a feature that low-code development platforms are proud of and actively marketing because they enable productivity. But obviously from a security perspective it can quickly turn into a nightmare. It could undermine the integrity of role-based access controls, throw off user and entity behavioral analytics, and create huge compliance risks in the future, says Morey Haber, CSO for privileged access management firm BeyondTrust

"Credential-sharing-as-a-service would impact an organization's ability to accurately provide attestation reporting for all identities utilizing the service," Haber says. "Accounts present from a low-code development platform environment would provide an unknown for accurately who has access, including foreign identities."

Chris Hughes, CISO and co-founder of Aquia, says he has a hard time seeing how low-code platforms that handle permissions in this way could possibly be used in secure coding environments.

"They are just not compatible," he says. "In fairness, this is a new risk that is now being exposed for these solutions, and now that this information is public, it needs to be amplified for all organizations to measure the risk and determine if they are violating any laws by using this type of software."

**Yet Another BYOD Scenario**

For his part, Bargury doesn't believe that blocking low-code development is the answer to these risks.

Security professionals who were around during the advent of the iPhone and other consumer-class devices and cloud services will understand that this wave of low-code development will mirror the same challenges they faced in the first days of bring-your-own-device hype. While AppSec pros have to seek ways to effectively manage these risks, there is no way that they're going to do that by stopping the low-code freight train.

"It's like when people started using mobile, and security teams were like, 'Yeah, nobody will ever use mobile with our company data.' We tried to block it, but it didn't work," says Bargury.

Low-code/no-code technology is already more pervasive in the enterprise than many security professionals even realize, he adds

"There are multiple vendors that are pushing this space forward, but some of them are the SaaS vendors, which are building low-code/no-code into their existing offerings," explains Bargury, pointing to vendors like ServiceNow, Salesforce, Microsoft, and many others that have already pushed these features into their enterprise offerings. "This is a crucial point because it means that nobody gets to choose if they will have low-code/no-code or not because it's already there."

Not to mention the fact that business users and executive sponsors love low-code technologies. Low-code platforms are helping them overcome lengthy application feature request backlogs that have plagued their digital transformation efforts for years. The agility and ROI of low-code is something that security practitioners cannot discount. Just like with BYOD, this is a political battle they can't win, Bargury says.

Much of Bargury's talk at RSA Conference will focus on helping AppSec practitioners understand the kinds of security guardrails they can institute around low-code platforms to make them more compatible with broader security and compliance needs of the business.

This includes better vetting of which low-code technologies are in use within the organization, more scrupulous development of policies and configuration around how low-code platforms orchestrate the provisioning of access within the applications they produce, and more robust black-box testing of applications produced by low-code technology.

"I think the worst approach would be to try and block low code because people will just use something else," he says. "The best approach would be to say, 'Here's a few approved platforms. You can do whatever you want in them. There are automated guidelines to help protect you. We got your back. Don't think about security. You are in finance, you are in sales, do your thing.' That's something that we as security practitioners need to be proactive about."

Are Low-Code Apps a Ticking Access Control Time Bomb?

Businesses can now standardize their end-to-end cybersecurity programs on the industry's most secure infrastructure, while retaining choice and vendor optionality.

**SUNNYVALE, Calif.****,** **April 24, 2023** **/PRNewswire/ --** Announced today at RSA Conference, Google Cloud and Mandiant are combining their cybersecurity partner ecosystems to offer the industry's most open, comprehensive, and intelligent platform for customers' end-to-end cybersecurity needs.

The combined ecosystem brings together expertise and technology from Google Cloud, Mandiant, and integrations with more than 100 leading cybersecurity vendors. From incident response through proactive defense, Google Cloud gives organizations the choice and breadth to stay ahead of security threats and eliminate common gaps that plague legacy networks, infrastructure, and tools. Google Cloud is expanding these capabilities even further with new partner integrations that help customers better protect against breaches across cloud environments, and respond more quickly to cybersecurity events when they occur.

"Google Cloud remains fundamentally committed to growing its open cloud ecosystem, ensuring that customers on any cloud platform can protect their businesses with the industry's most advanced security tools," said Sunil Potti, VP and GM of security, Google Cloud. "With Mandiant, we can now build end-to-end security programs that unify our leading threat intelligence and technology with the capabilities of our partners, providing customers with comprehensive solutions that are tailored to their security needs."

"As an organization that's been on the frontlines of some of the most impactful breaches, we recognize that the fight against persistent, global adversaries requires a united defense," said Kevin Mandia, CEO of Mandiant, Google Cloud. "Working alongside our combined, growing network of elite security partners accelerates our ability to help customers around the world to strengthen their security posture and proactively defend against emerging threats."  

**Extending generative AI to partners with Google Cloud Security AI Workbench**  
Google Cloud today announced Security AI Workbench, an industry-first platform that enables security partners to extend generative AI to their products. The platform combines a new, security-specific large language model (LLM) from Google Cloud, Sec-PaLM, with Mandiant's leading frontline intelligence and encompasses vulnerabilities, malware, threat indicators, and more. Partners can easily integrate with the platform via an API (application programming interface) to bring threat intelligence, workflows, and other critical functionality to customers, while retaining enterprise-grade data protections and sovereignty. Security AI Workbench will power new partner offerings that help customers address key security challenges across threats, toilsome tools, and the talent gap.

Learn more about Google Cloud Security AI Workbench here.

**Announcing Accenture managed security services for enterprises**

Google Cloud's ecosystem of global consulting partners provide implementation and managed cybersecurity services for enterprise customers. At RSA, **Accenture** announced that its managed detection and response (MxDR) security service will be enhanced by technologies from Google Cloud, bringing customers a comprehensive security service inclusive of Chronicle security operations and Mandiant Intelligence and Consulting offerings, delivered by thousands of Accenture specialists with expertise building end-to-end security programs for enterprise customers. Accenture will also be the first partner to utilize Security AI Workbench.

**Enhancing incident response and detection with Mandiant and partners**

Mandiant offers the world's most advanced threat intelligence, with industry-leading expertise to help businesses and governments quickly detect, understand, and address security breaches. Now, customers can easily accompany Mandiant's capabilities with purpose-built security solutions from partners including **Crowdstrike**, **SentinelOne**, and**Trellix**, which are fully integrated with Google Cloud. As a result, organizations can deploy the right technology for their needs to proactively protect critical assets after a cybersecurity event.

**Strengthening threat-informed defense across the Mandiant partner ecosystem**

Today, Mandiant also introduced the next phase of its Cyber Alliance program. **Corelight, Nozomi Networks**, **SentinelOne**, and **SnapAttack** are all expanding their capabilities through deeper integrations and unified offerings, enabling Mandiant's security experts to offer the most comprehensive security solutions to customers and help them proactively defend against threats critical to their organization. **Crowdstrike** also announced the general availability of CrowdStrike Falcon for Mandiant Incident Response, which will operationalize endpoint detection to help customers stop and defend against breaches.

**Bringing enterprise-grade identity and device management to Google Workspace**

Google Workspace enables organizations to securely collaborate with embedded, invisible security through client-side encryption, data privacy controls, and integrations with BeyondCorp Enterprise and Chronicle SecOps that automatically block the vast majority of cyber threats. Now, Google Workspace is adding new identity and device management support from **Okta** and **VMware**, enabling large-scale and public sector organizations to adopt FedRAMP-authorized collaboration solutions in a single offering. **JumpCloud** is also offering customers an alternative to Microsoft Active Directory, with centralized identity, access, and device management.

**About Google Cloud**

Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology – all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

SOURCE Google Cloud

Google Cloud Announces New Security AI Workbench and Ecosystem Expansion at RSAC 2023

**SAN FRANCISCO****,** **April 24, 2023** **/PRNewswire/ --** **RSA CONFERENCE 2023 --** Cisco (NASDAQ: CSCO), the leader in enterprise networking and security, unveiled the latest progress towards its vision of the Cisco Security Cloud, a unified, AI-driven, cross-domain security platform. Cisco's new XDR solution and the release of advanced features for Duo MFA will help organizations better protect the integrity of their entire IT ecosystem.

**Threat Detection and Response****

Cisco's XDR strategy converges its deep expertise and visibility across the network and endpoints into one turnkey, risk-based solution. Now in Beta with General Availability coming in July 2023, Cisco XDR simplifies investigating incidents and enables security operations centers (SOCs) to immediately remediate threats. The cloud-first solution applies analytics to prioritize detections and moves the focus from endless investigations to remediating the highest priority incidents with evidence-backed automation.

"The threat landscape is complex and evolving. Detection without response is insufficient, while response without detection is impossible. With Cisco XDR, security operations teams can respond and remediate threats before they have a chance to cause significant damage," said Jeetu Patel**, Executive Vice President and General Manager of Security and Collaboration at Cisco.** "Cisco continues to ensure that 'if it's connected, you're also protected.' We are uniquely positioned to deliver integrated solutions that simplify securing today's increasingly complex, hybrid multi-cloud environments without compromising user experience."

While traditional Security Information and Event Management (SIEM) technology provides management for log-centric data and measures outcomes in days, Cisco XDR focuses on telemetry-centric data and delivers outcomes in minutes. It natively analyzes and correlates the six telemetry sources that Security Operations Center (SOC) operators say are critical for an XDR solution: endpoint, network, firewall, email, identity, and DNS. On the endpoint specifically, Cisco XDR leverages insight from 200 million endpoints with Cisco Secure Client, formerly AnyConnect, to provide process-level visibility of where the endpoint meets the network.

"The true measure of XDR is its ability to deliver actual security outcomes, real and measurable benefit to organizations — early detection, impact prioritization, and effective and efficient response," said Frank Dickson**, Group Vice President, Security & Trust, IDC.** "True results need to be quantifiable numerically and not just qualitatively described with words. Cisco XDR delivers a clear framework for enabling organizations to achieve such tangible outcomes."

In addition to Cisco's native telemetry, Cisco XDR integrates with leading third-party vendors to share telemetry, increase interoperability, and deliver consistent outcomes regardless of vendor or technology. The initial set of out-of-the-box integrations at general availability include:

*   **Endpoint Detection and Response (EDR)**: CrowdStrike Falcon Insight XDR, Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne Singularity, Trend Vision One
*   **Email Threat Defense:** Microsoft Defender for Office, Proofpoint Email Protection
*   **Next-Generation Firewall (NGFW):** Check Point Quantum, Palo Alto Networks Next-Generation Firewall
*   **Network Detection and Response (NDR):** Darktrace DETECT™ and Darktrace RESPOND™,  ExtraHop Reveal(x)
*   **Security Information and Event Management (SIEM):** Microsoft Sentinel

"Throughout Logicalis' decades-long pursuit to becoming a world class integrator; we have recognized the impact extensibility can have on the viability and efficacy of any solution," said Brad Davenport**, Vice President of Technical Architecture, Logicalis**. "With the launch of Cisco XDR, we can finally provide our customers with XDR outcomes as a solution or managed offering. We see this as a natural progression for us along the security maturity journey. Logicalis is very excited to put our combined expertise to work for our clients and offer Cisco XDR to help them achieve their business outcomes."

**Zero Trust and Access Management**

As attackers increasingly target gaps in weaker multi-factor authentication (MFA) implementations, Cisco is redefining what is essential for access management. Every business needs three key pillars for its access management strategy: enforcing strong authentication, verifying devices, and reducing the number of passwords in use. This is why, beginning on May 1st, Cisco is adding Trusted Endpoints to all its paid Duo Editions. Previously just available in Duo's highest tier, Trusted Endpoints allows only registered or managed devices to access resources. By delivering Trusted Endpoints alongside Single Sign On, MFA, Passwordless, and Verified Push within the entry-level Duo Essentials edition, Cisco is delivering the most secure, cost-effective, and user-friendly access management solution on the market.

To learn more, visit Cisco.com/go/security.   

**Supporting Quotes**

"Darktrace DETECT and RESPOND, parts of the Darktrace Cyber AI Loop, can quickly contain and disarm threats, whether known or unknown, and with a high degree of fidelity. Our collaboration with Cisco will provide our mutual customers with added visibility into security incidents and actions across cloud, network and OT," said Mattheus Bovbjerg**, Vice President of Integrations, Darktrace.** We look forward to expanding this collaboration to additional coverage areas including email and SaaS applications in the future."

"As organizations embrace the network as the essential source for cybertruth, our partnership with Cisco offers enterprises the ability to integrate ExtraHop with best-of-breed products for a more comprehensive view of their IT environments," said Jesse Rothstein**, Chief Technology Officer and Co-Founder, ExtraHop**. "Joint customers will benefit from ExtraHop's enterprise-grade, high–fidelity detections with network decryption and support for more than 80+ protocols, while also seamlessly integrating with log and endpoint solutions to achieve more streamlined investigations."

"SentinelOne is excited to team with Cisco to deliver market-leading solutions that allow our joint customers to push the boundaries of security," said Akhil Kapoor**, Vice President of Technology Partnerships and Business Development, SentinelOne**. "We look forward to integrating our EDR and Cloud Workload Protection (CWPP) solutions with Cisco to help organizations of all sizes secure tomorrow today."

"Our vision for XDR is to provide customers with a comprehensive, consolidated view of their security posture, enabling them to respond to threats quickly and effectively," said Mike Gibson**, Senior Vice President of Global Services and Customer Success, Trend Micro**. "The integration with Cisco XDR is a significant step forward in the evolution of cybersecurity. By leveraging the strength of both solutions, we are able to offer our customers a unified solution that expands telemetry insights to gain a greater perspective of their security environment enabling them to detect threats faster and respond more effectively."

**Additional Resources**

*   **Blog**: XDR and the Importance of Cross-Domain Correlated Telemetry
*   **Blog**: Simplify Your Security Operations with Cisco XDR, Launching at RSAC
*   **Blog**: Raising the Bar: Duo Redefines What is Essential for Access Management 

**About Cisco** 

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter at @Cisco. 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 

SOURCE Cisco Systems, Inc.

**

Cisco Unveils Solution to Rapidly Detect Advanced Cyber Threats and Automate Response

Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
"The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying

Endpoint Security / BYOVD

Threat actors are employing a previously undocumented "defense evasion tool" dubbed **AuKill** that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.

"The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system," Sophos researcher Andreas Klopsch said in a report published last week.

Incidents analyzed by the cybersecurity firm show the use of AuKill since the start of 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date. The oldest AuKill sample features a November 2022 compilation timestamp.

The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms.

By using legitimate, exploitable drivers, the idea is to bypass a key Windows safeguard known as Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.

"The AuKill tool requires administrative privileges to work, but it cannot give the attacker those privileges," Sophos researchers noted. "The threat actors using AuKill took advantage of existing privileges during the attacks, when they gained them through other means."

This is not the first time the Microsoft-signed Process Explorer driver has been weaponized in attacks. In November 2022, Sophos also detailed LockBit affiliates' use of an open source tool called Backstab that abused outdated versions of the driver to terminate protected anti-malware processes.

Then earlier this year, a malvertising campaign was spotted utilizing the same driver to distribute a .NET loader named MalVirt to deploy the FormBook information-stealing malware.

The development comes as the AhnLab Security Emergency response Center (ASEC) revealed that poorly managed MS-SQL servers are being weaponized to install the Trigona ransomware, which shares overlaps with another strain referred to as CryLock.

It also follows findings that the Play ransomware (aka PlayCrypt) actors have been observed using custom data harvesting tools that make it possible to enumerate all users and computers on a compromised network and copy files from the Volume Shadow Copy Service (VSS).

Grixba, a .NET-based information stealer, is designed to scan a machine for security programs, backup software, and remote administration tools, and exfiltrate the gathered data in the form of CSV files that are then compressed into ZIP archives.

Also used by the cybercriminal gang, tracked by Symantec as Balloonfly, is a VSS Copying Tool written in .NET that makes use of the AlphaVSS framework to list files and folders in a VSS snapshot and copy them to a destination directory prior to encryption.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Play ransomware is notable for not only utilizing intermittent encryption to speed up the process, but also for the fact that it's not operated on a ransomware-as-a-service (RaaS) model. Evidence gathered so far points to Balloonfly carrying out the ransomware attacks as well as developing the malware themselves.

Grixba and VSS Copying Tool are the latest in a long list of proprietary tools such as Exmatter, Exbyte, and PowerShell-based scripts that are used by ransomware actors to establish more control over their operations, while also adding extra layers of complexity to persist in compromised environments and evade detection.

Another technique increasingly adopted by financially-motivated groups is the use of the Go programming language to develop cross-platform malware and resist analysis and reverse engineering efforts.

Indeed, a report from Cyble last week documented a new GoLang ransomware called CrossLock that employs the double-extortion technique to increase the likelihood of payment from its victims, alongside taking steps to sidestep event tracing for Windows (ETW).

"This functionality can enable the malware to avoid detection by security systems that depend on event logs," Cyble said. "CrossLock Ransomware also performs several actions to reduce the chances of data recovery while simultaneously increasing the attack's effectiveness."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

Is Elon Musk's "maximum truth-seeking AI" achievable? Overcoming bias in artificial technologies is crucial for cybersecurity, but doing it could be a challenge.

Concerns over bias in emerging artificial intelligence (AI) tools received a fresh airing recently when billionaire Elon Musk talked about his plans to create a "maximum truth-seeking AI" as an alternative to OpenAI's Microsoft-backed ChatGPT and Google's Bard technologies. 

In an interview with Fox News' Tucker Carlson earlier this month, Musk expressed concern over what he described as ChatGPT being trained to lie and to be politically correct, among other things. He described a so-called "TruthGPT" as a third option that would be unlikely "annihilate humans," and would offer the "best path to safety" compared with the other generative AI tools.

Musk has offered no timetable for his planned chatbot. But he has already established a new AI firm called X.AI, and has reportedly begun hiring AI staff from ChatGPT creator OpenAI as well as from Google and its parent, Alphabet.

Meanwhile, of course, AI bias affects cybersecurity risk as well. 

**Surfacing a Familiar Concern**

Musk's comments to Carlson echoed some of the sentiments that he and hundreds of other tech leaders, ethicists, and academicians expressed in an open letter to AI companies in March. The letter urged organizations involved in AI research and development to pause their work for at least six months, so policymakers have an opportunity to put some guardrails around the use of the technology. In making their argument, Musk and the others pointed to the potential for biased AI tools flooding "our information channels with propaganda and untruth" as one of their main concerns.

Suzannah Hicks, data strategist and scientist at the International Association of Privacy Professionals (IAPP) says the fundamental problem with bias in AI and machine learning is that it stems from human decision-making. All AI models learn from extremely large data sets and are not programmed explicitly to respond in specific ways. Typically, bias happens in the data that humans choose to input into the model.

"If biased data is entered into the model, then the output will likely contain bias as well," Hicks says. "Bias can also be introduced through data omission or by data scientists choosing a variable as a proxy for something other than what the data element is," she says. As an example, Hicks points to a machine learning algorithm that might take the number of "clicks" a user makes when browsing Netflix as a proxy for a positive indicator. "I may be clicking on movies to read their description and decide I don’t like it, but the model may misinterpret the click as an indicator of a 'like,'" she says.

Similarly, a lending service that uses AI to determine credit eligibility might end up denying a disproportionately high number of loans to people in a high-crime ZIP code if the ZIP code was part of the data set in the AI tool's learning model. "In this case, the ZIP code is being used as a proxy for human behavior, and by doing so produces a biased result," Hicks says.

Andrew Barratt, vice president at Coalfire, says his own testing of a text-to-image generation tool provided one example of the bias that exists in emerging AI technologies. When he asked the tool to generate a photorealistic image of a happy man enjoying the sun, the tool only generated Caucasian skin tones and features, though the input he provided contained no racial context. He says one concern going forward is that providers of AI platforms seeking to monetize their technologies could introduce bias into their models in a way that is favorable to advertisers or platform providers.

Whenever you monetize a service, you typically want to maximize the monetization potential with any further evolution of that service, says Krishna Vishnubhotla, vice president of product strategy at Zimperium. Often that evolution can start deviating from the original goals or evolution path — a concern that Musk vocalized about ChatGPT in his interview with Carlson. "Herein lies the issue that Elon talks about," Vishnubhotla says.

**Cybersecurity Bias in Artificial Intelligence**

While Musk et al didn't specifically call out the implications of AI bias on cybersecurity, that's been a topic for some time, and it's worth revisiting in the era of ChatGPT. As Aarti Borkar, a former IBM and Microsoft executive and now with a venture capital fund, noted in a groundbreaking column for Fast Company in 2019, with AI becoming a prime security tool, bias is a form of risk.

"When AI models are based on false security assumptions or unconscious biases, they do more than threaten a company’s security posture," Borkar wrote. "AI that is tuned to qualify benign or malicious network traffic based on non-security factors can miss threats, allowing them to waltz into an organization’s network. It can also over-block network traffic, barring what might be business-critical communications."

With ChatGPT being enthusiastically introduced into cybersecurity products, the risk of faulty hidden bias could contribute even more to false positives, abuse of privacy, and cyber defense that has gaping holes. And to boot, cybercriminals could also poison the AI to influence security outcomes.

"If the AI were to be hacked and manipulated to provide information that’s seemingly objective but is actually well-cloaked biased information or a distorted perspective, then the AI could become a dangerous … machine," according to the Harvard Business Review.

So the question becomes whether there really can be completely unbiased AI, and what it would take to get there.

**Eliminating Bias in AI**

The first step to eliminating data bias is to understand the potential for it in AI and machine learning, Hicks says. This means understanding how and what data variables get included in a model.

Many so-called "black-box" models, such as neural networks and decision trees, are designed to independently learn patterns and make decisions based on their data sets. They don't require the user or even the developer to fully understand how it might have arrived at a particular conclusion, she says. 

"AI and machine leaning rely on black-box models a great deal, because they can handle vast amounts of data and produce very accurate results," Hicks notes. "But it’s important to remember they are exactly that — black boxes — and we have no understanding of how they come to the result provided."

The authors of a World Economic Forum blog post last October argued that open source data science (OSDS) — where stakeholders collaborate in a transparent way — might be one way to counter bias in AI. Just as open source software transformed software, OSDS can open up the data and models that AI tools use, the authors said. When data and AI models are open, data scientists would have an opportunity to "identify bugs and inefficiencies, and create alternate models that prioritize various metrics for different use cases," they wrote.

**The EU's Proposed AI Risk Classification Path**

The European Union's proposed Artificial Intelligence Act is taking another approach. It calls for an AI classification system in which AI tools are classified based on the level of risk they present to health, safety, and an individual's fundamental rights. AI technologies that present an unacceptably high risk, such as real-time biometrics ID systems, would be banned. Those deemed as presenting limited or minimal risk, such as video games and spam filters, would be subject to some basic oversight. High-risk AI projects, such as autonomous vehicles, would be subject to rigorous testing requirements and show evidence of adherence to specific data quality standards. Generative AI tools such as ChatGPT would be subject to some of these requirements as well.

**The NIST Approach**

In the US, the National Institute of Standards and Technology (NIST) has recommended that stakeholders broaden the scope of where they look when searching for sources of bias in AI. In addition to machine learning processes and the data used in training AI tools, the industry should consider the societal and human factors, NIST said in a special publication on the need for standards to identify and manage bias in AI. 

"Bias is neither new nor unique to AI and it is not possible to achieve zero risk of bias in an AI system," NIST noted. To mitigate some of the risk, NIST will develop standards for "identifying, understanding, measuring, managing, and reducing bias."

Rethinking Safer AI: Can There Really Be a 'TruthGPT'?

A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.
"It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to

A new "all-in-one" stealer malware named **EvilExtractor** (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.

"It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server."

The network security company said it has observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer.

Sold by an actor named Kodex on cybercrime forums like Cracked since October 22, 2022, it's continually updated and packs in various modules to siphon system metadata, passwords and cookies from various web browsers as well as record keystrokes and even act as a ransomware by encrypting files on the target system.

The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their "account details."

The "Account\_Info.exe" binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.

"EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware," Lin said. "Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability."

The findings come as Secureworks Counter Threat Unit (CTU) detailed a malvertising and SEO poisoning campaign used to deliver the Bumblebee malware loader via trojanized installers of legitimate software.

Bumbleebee, documented first a year ago by Google's Threat Analysis Group and Proofpoint, is a modular loader that's primarily propagating through phishing techniques. It's suspected to be developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The use of SEO poisoning and malicious ads to redirect users searching for popular tools like ChatGPT, Cisco AnyConnect, Citrix Workspace, and Zoom to rogue websites hosting tainted installers has witnessed a spike in recent months after Microsoft began blocking macros by default from Office files downloaded from the internet.

In one incident described by the cybersecurity firm, the threat actor used the Bumblebee malware to obtain an entry point and move laterally after three hours to deploy Cobalt Strike and legitimate remote access software like AnyDesk and Dameware. The attack was ultimately disrupted before it proceeded to the final ransomware stage.

"To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites," Secureworks said. "Users should not have privileges to install software and run scripts on their computers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web

Pumpkin Sandstorm. Spandex Tempest. Charming Kitten. Is this really how we want to name the hackers wreaking havoc worldwide?

Hackers—particularly state-sponsored ones focused on espionage and cyberwar, and organized cybercriminals exploiting networks worldwide for profit—are not pets. They wreck businesses, sow chaos, disrupt critical infrastructure, support some of the world's most harmful militaries and dictatorships, and help those governments spy on and oppress innocent people worldwide.

So why, when I write about these organized hacker groups as a cybersecurity reporter, do I find myself referring to them with cute pet names like Fancy Bear, Refined Kitten, and Sea Turtle?

Why, when I interview different cybersecurity firms about a particular unit of Russian military intelligence hackers, do I have to internally translate that this company refers to Fancy Bear as Pawn Storm, while this one calls them Iron Twilight? Why, when I wrote a news piece earlier this week about a North Korea–linked hacking team that has spied on their South Korean neighbors, stolen millions in cryptocurrency to fund the totalitarian regime of Kim Jong-un, and corrupted the software distributed by multiple companies to spread malicious code worldwide, did I find myself referring to them as "the hacker group known as Kimsuky, Emerald Sleet, or Velvet Chollima"? It is all, frankly, a little embarrassing—and to the average reader, lends reporting about cyber conflict about as much gravity as the play-by-play of a Pokémon card game.

A few days ago, Microsoft's cybersecurity division announced it was changing the entire taxonomy of names it uses for the hundreds of hacker groups that it tracks. Instead of its previous system, which gave those organizations the names of elements—a fairly neutral, scientific-sounding system as these things go—it will now give hacker groups two-word names, including in their description a weather-based term indicating what country the hackers are believed to work on behalf of, as well as whether they're state-sponsored or criminal.

That means Phosphorous, an Iranian group that Microsoft reported this week has been targeting US critical infrastructure like seaports, energy companies, and transit systems, now has the less-than-fearsome name Mint Sandstorm. Iridium, Russia's most aggressive and dangerous cyberwar-focused military hacker unit more commonly known as Sandworm—responsible for multiple blackouts in Ukraine and the most destructive malware in history—now has the whimsical title of Seashell Blizzard. Barium, a team of Chinese hackers that's carried out more software-supply-chain attacks than perhaps any group worldwide, is now Brass Typhoon—a phrase that, I confess, I have a hard time separating from flatulence.

Many of the new names sounded so absurd that I actually double-checked Microsoft hadn't published the new labeling system on April 1. Periwinkle Tempest. Pumpkin Sandstorm. Spandex Tempest. Gingham Typhoon. “These names are just really silly,” says Rob Lee, the founder and CEO of industrial-control-system cybersecurity firm Dragos. “I mean, talk about not being taken seriously as a profession.”

Goofiness aside, the new system is counterproductive for actual cybersecurity analysis, Lee argues. Given that Microsoft's threat intelligence is some of the best in the world, analysts and customers across the industry will have to actually revise their databases—and even some of their products—to match Microsoft's new naming scheme, he says. And the revised system now locks in educated guesses about the national loyalties of hackers with no indication of the analysts' degree of confidence in those assessments, Lee adds.f

What if a hacker group thought to be part of a nation’s intelligence agency turns out to be a hacker-for-hire contractor? Or cybercriminals temporarily conscripted to work on behalf of a government? “Assessments change over time,” Lee says. “Like, ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you’re like, what the fuck?” (Lee’s own firm, Dragos, admittedly gives hacker groups mineral names that are often confusingly similar to Microsoft’s old system. But at least Dragos has never called anyone Gingham Typhoon.)

When I reached out to Microsoft about its new naming scheme, the head of its Threat Intelligence Center, John Lambert, explained the rationale behind the change: Microsoft's new names are more distinct, memorable, and searchable. In contrast to Lee's point about choosing neutral names, the Microsoft team _wanted_ to give customers more context about hackers in the names, Lambert says, immediately identifying their nationality and motive. (Instances that are not yet fully attributed to a known group are given a temporary classifier, he notes.)

Microsoft's team was also just running out of elements—there are, after all, only 118 of them. “We liked weather because it's a pervasive force, it's disruptive, and there's a kindred spirit because the study of weather over time involves improvement in sensors, data, and analysis,” says Lambert. “That's cybersecurity defenders' world, too.” As for the adjectives preceding those meteorological terms—often the real source of the names' inadvertent comedy—they're chosen by analysts from a long list of words. Sometimes they have a semantic or phonetic connection to the hacker group, and sometimes they're random. “There’s some origin story to each one,” Lambert says, “or it could just be a name out of a hat.”

There's a certain, stubborn logic behind the cybersecurity industry's ever-growing sprawl of hacker group handles. When a threat intelligence firm finds evidence of a new team of network intruders, they can't be sure they're seeing the same group that another company has already spotted and labeled, even if they do see familiar malware, victims, and command-and-control infrastructure between the two groups. If your competitor isn't sharing everything they see, it's better to make no assumptions and track the new hackers under your own name. So Sandworm becomes Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and—_sigh_—Seashell Blizzard, as every company's analysts get a different glimpse of the group's anatomy.

But, sprawl aside, did these names have to be quite so on-their-face ridiculous? To some degree, it may be wise to give names to hacker gangs that rob them of their malevolent glamour. Members of the Russian ransomware group EvilCorp, for instance, are not likely to be happy with Microsoft's rebranding them as Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers that seeks to penetrate crucial elements of US civilian infrastructure Mint Sandstorm, as if they're an exotic flavor of air freshener? (The older name given to them by Crowdstrike, Charming Kitten, is certainly not any better.) Did the Israeli hacker-for-hire mercenaries known as Candiru, who have sold their services to governments targeting journalists and human rights activists, really need to be renamed Caramel Tsunami, a brand befitting a Dunkin’ beverage, and one that's already taken by a strain of cannabis?

Kevin Mandia, one of the original hacker hunters and the founder and CEO of the cybersecurity firm Mandiant, captured this problem in a speech at the Cybersecurity Threat Intelligence Summit in 2018. “I’ve always wondered, how do you get into a boardroom and say, ‘Sir, I know you’re breached. You’re in the headlines. And you were hacked by Fluffy Snuggle Duck,’” Mandia said. “It just doesn’t work.”

Mandia concedes today that in the five years since his Fluffy Snuggle Duck comment, he's become more inured to the silly hacker group names. “I don't care what they're called, I just want to make sure we have the catalog right. Do we have the fingerprints for them, do we have defenses for them?” he says.

In our interview, though, he still seemed to be genuinely tripped up by the labeling scheme of his competitor Crowdstrike, which names hackers after different animals based on their nationality. “Bear is Russia … or is it?” Mandia pondered out loud. “Panda is China. But that’s a bear. I’m confused already.”

Mandia and Lee both dream of a day when a government body—say, the US National Institute of Standards and Technology—comes up with a hacker group naming convention that can be adopted across the industry. But they both also say that companies would never stick to it. Marketing aside, the fog of war in cybersecurity research means analysts at different companies will never be sure they're looking at the same entities—unless they all agree to openly share every scrap of their closely guarded intelligence.

Until then, well, just watch out for Periwinkle Tempest. Last year, Periwinkle Tempest launched crippling ransomware attacks across the entire nation of Costa Rica, leading the country's government to declare a national emergency. Periwinkle Tempest are some of the most dangerous hackers in the world. Periwinkle Tempest. Seriously.

Hacker Group Names Are Now Absurdly Out of Control

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Tag

#microsoft