Telecommunication providers in the Middle East are the subject of new cyber attacks that commenced in the first quarter of 2023.
The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell based on tooling overlaps.
"The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy

Critical Infrastructure Security

Telecommunication providers in the Middle East are the subject of new cyber attacks that commenced in the first quarter of 2023.

The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed **Operation Soft Cell** based on tooling overlaps.

"The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy web shells used for command execution," researchers from SentinelOne and QGroup said in a new technical report shared with The Hacker News.

"Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities."

Operation Soft Cell, according to Cybereason, refers to malicious activities undertaken by China-affiliated actors targeting telecommunications providers since at least 2012.

The Soft Cell threat actor, also tracked by Microsoft as Gallium, is known to target unpatched internet-facing services and use tools like Mimikatz to obtain credentials that allows for lateral movement across the targeted networks.

Also put to use by the adversarial collective is a "difficult-to-detect" backdoor codenamed PingPull in its espionage attacks directed against companies operating in Southeast Asia, Europe, Africa, and the Middle East.

Central to the latest campaign is the deployment of a custom variant of Mimikatz referred to as mim221, which packs in new anti-detection features.

"The use of special-purpose modules that implement a range of advanced techniques shows the threat actors' dedication to advancing its toolset towards maximum stealth," the researchers said, adding it "highlights the continuous maintenance and further development of the Chinese espionage malware arsenal."

Prior research into Gallium suggests tactical similarities \[PDF\] with multiple Chinese nation-state groups such as APT10 (aka Bronze Riverside, Potassium, or Stone Panda), APT27 (aka Bronze Union, Emissary Panda, or Lucky Mouse), and APT41 (aka Barium, Bronze Atlas, or Wicked Panda).

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

This once again points to signs of closed-source tool-sharing between Chinese state-sponsored threat actors, not to mention the possibility of a "digital quartermaster" responsible for maintaining and distributing the toolset.

The findings come amid revelations that various other hacking groups, including BackdoorDiplomacy and WIP26, have set their sights on telecom service providers in the Middle East region.

"Chinese cyber espionage threat actors are known to have a strategic interest in the Middle East," the researchers concluded.

"These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers

An issue was discovered in Veritas NetBackup before 10.0 on Windows. A vulnerability in the way the client validates the path to a DLL prior to loading may allow a lower-level user to elevate privileges and compromise the system.

**Revision History**

*   1.0: April 28, 2023 – Initial release

**Issue: Privilege Escalation**

A vulnerability in the way NetBackup Windows OS client validates the path to a DLL prior to loading may allow a lower level user to elevate privileges and compromise the system.

*   CVE ID: CVE-2023-28759
*   Severity: High
*   CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
*   Impacted Components:
    *   NetBackup Windows OS clients only, under the following conditions:
        *   Microsoft Exchange, Microsoft SharePoint, and/or Enterprise Vault workloads are being protected
        *   If these applications are installed on the client but not protected by NetBackup, the systems are not impacted
        *   NetBackup clients protecting other workloads are not impacted
*   Affected Versions: All versions prior to 10.0
*   Recommended action:
    *   NetBackup Windows OS clients: Upgrade to 10.0 or later
    *   Disable nbdisco if above mentioned workloads are not protected by NetBackup

**Questions**

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)

**Acknowledgement**

Veritas would like the thank the Lockheed Martin Red Team for notifying us about this issue.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2023-28759: Security Advisory Impacting NetBackup Windows OS Clients

IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using scheduled task.

**Secure Access for Active Directory Identities, Anywhere**

With MFA, SSO and session management, UserLock can protect all employee access to corporate networks and cloud applications, whether on-site or remote.

Start a Free Trial Book a demo

**One On-Premise Active Directory Identity For secure On-Site, Cloud and Remote Access**

 

**Single Sign-On**

Secure and frictionless access to Microsoft 365 and Cloud applications using only your AD credentials, from anywhere.

Learn more

**Contextual Access Management**

Set rules to authorize, deny or limit any login (including remote access), based on contextual factors:

*   **Origin:** Computer (Windows & Mac), device & location restrictions (such as country, IP address, department, and OU)
*   **Time:** Logon hour restrictions, maximum session length and session time quota
*   **Session type:** Workstation, terminal, Wi-Fi, VPN and IIS sessions
*   **Simultaneous connections:** Limit concurrent logins and initial access points

Learn more

 

**User Login Reporting**

A centralized hub to produce and audit reports on all Active Directory user login events and attempts. Meet regulatory compliance standards, support forensics and track down threats.

Learn more

 

« UserLock offers a level of protection that small, medium and large business should be implementing as part of their security roadmap »

Ricky Magalhaes  
Information Security Analyst

**MFA and Access Management. The Easy Way.**

Easy-to-Use, Enterprise-Caliber Security for On-Premise and Hybrid Active Directory Environments of Any Size

****Protect All AD** User Credentials**

Stop unauthorized access from compromised credentials. Secure AD accounts with strong authentication and granular access policies, before damage is done.

****Manage All AD** User Sessions**

Get real-time visibility and a centralized audit trail on all access events across the hybrid network. Monitor and interact remotely with any session directly from the UserLock console.

****Get Compliant** on Securing Access**

Satisfy regulatory and insurance requirements by proving that all access and usage of data is identifiable, audited and attributed to an individual user.

**Simple to Use**

UserLock is quick to deploy, intuitive to manage, and scales effortlessly for any number of users, to ease the burden on IT.

**Non-Disruptive**

UserLock works seamlessly alongside your existing Active Directory infrastructure, reducing complexity and frustration.

**Easily Adopted**

UserLock’s granular controls allow for customized restrictions that protects access without unnecessarily impeding employees.

**Cost Effective**

Building on your investment in Active Directory, UserLock offers additional, effective and affordable security that stops threats, before damage is done.

**Trusted by over 3400 Organizations**

A proven solution for both small to medium-sized businesses (SMBs) and large organizations,  
including some of the most regulated and security-conscious in the world.

*   MSP & SMBs
*   Government  
    & Defense
*   Finance
*   Healthcare
*   Education
*   Manufacturing  
    & Transportation

UserLock is the best 2FA solution I’ve seen. It’s affordable, easy to install and maintain – an IT Manager’s dream.

**Bill Hopkins**  
Network Administrator at City of Keizer, Oregon

     

We found UserLock very easy to implement and will recommend it to other branches within the bank.

**IT Officer**  
Branch of a Multinational Banking Group, Hong Kong

      

Once we set up UserLock, it was easy to deploy and use. UserLock does what I want it to do and it works.

**Meadville Medical Center**  
Lead Support Tech, Meadville Medical Center

     

UserLock is the ideal solution that helps us meet our network access objectives effectively.

**Don Manning**  
Server Administrator at Albany City School District, New York, United States

      

UserLock MFA is a high quality, full-featured product that performs as advertised.

**Michael Commons**  
System Administrator at Dobbs Peterbilt

      

**Client  
**Testimonials****

 Review by Bill Hopkins - City of Keizer  

**Affordable, Easy to Use With Active Directory**

UserLock allows us to have one single 2FA solution for all of our users. It integrates easily with Active Directory, and is simple to install and maintain. It’s basically an IT Manager’s dream.

 Review by Andreas L.  

**Simple and Reliable**

I've tested several 2FA software. In the end, I stuck with UserLock because it requires no administrative effort. I really like the reports and the control of who is connected to which device.

 Review by Bob B.  

**An Administrators Premier Management Tool!**

In a flash, I can control my users’ login experience, find/identify users computers and remote in for support. It’s just always there for me. I can’t imagine working without it now.

 Review by Gov't Network Tech  

**Awesome Tool For Securing Logons**

Userlock has been a great tool and helped us tighten up our user security. It's used in conjunction with Active Directory and Group Policy to secure all logon types in the domain.

**Expert **Reviews****

« UserLock's solution makes implementing multi-factor authentication (MFA) extremely easy. »

Read the Review

« The MFA for RDP significantly enhances security, especially today with a boom in remote working. »

Read the Review

« The perfect access security partner for Windows Active Directory environments. »

Read the Review

« UserLock is a powerful product that focuses on preventing the internal and external threats related to compromised credentials. »

Read the Review

**Start a free trial now**

30-day full version with no user limits

**MSP Console****The **Licensing Management**  
Platform for UserLock**

The new console for managed service providers (MSPs) is a web-based platform that lets you administer UserLock licenses for all your customers.

Read more

**What's new in UserLock**

**2FA Push Notifications with the UserLock Push App**

Quickly respond to 2FA push notifications from your smartphone

*   Enable Push notifications as a **main or additional MFA method**
*   Easily onboard users with **quick self-enrollment**
*   Choose between **one-tap push approval or a TOTP code**
*   Ensure users **approve the correct request** with location, device, and login attempt info

UserLock Push notifications are a **subscription-only feature**.

Learn more

**New features in the UserLock Web App**

Monitor and respond to network sessions quickly, easily, and from anywhere – and access all-new reporting capabilities.

*   Review key user and session **monitoring** insights
*   Simplify daily **management** and widen UserLock access for IT
*   Manage custom **MFA parameters** and help requests
*   View **MFA configuration** methods per user
*   Get drill-down **reporting** capabilities with improved filtering
*   **Export reports** easily
*   **Apply filters** on admin action reports

Learn more

**UserLock VPN Connect**

Simplify MFA on VPN connections with the new UserLock VPN Connect tool. Simply select your VPN, enter your password, and complete MFA – all in one easy-to-use interface.

Learn more

**MFA for Cloud connections with SSO**

Use existing on premise AD identities for secure and seamless MFA on employee access to Microsoft 365 and cloud applications.

Learn more

**Secure Remote Access with UserLock Anywhere**

Enable UserLock Anywhere to protect remote access when employees aren't connected to the corporate network.

Learn more

**Request a personalized demo now**

Discover how UserLock can help you meet your needs.

**Download UserLock**

*   Latest version
*   Beta version

The trial version offers:

*   30-day full version
*   no user limits
*   free technical support

Supported systems

Please read the Beta Testing Procedure before installing this version.

The beta version includes:

*   30-day full version
*   no user limits
*   free technical support

CVE-2023-23192: Protect Active Directory Identities with 2FA and SSO | UserLock

Image-editing tools from Google and Microsoft contain the “aCropalypse” bug, which can reveal information users intentionally removed.

At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the devices’ default photo-editing tool, Markup. Since its 2018 introduction in Android 9, Markup’s photo-cropping tool had been quietly leaving data in a cropped image file that could be used to reconstruct some or all of the original image beyond the confines of the crop. Though now fixed, the vulnerability is significant because Pixel users have for years been making, and in many cases presumably sharing, cropped images that may still contain the private or sensitive data the user was attempting to eliminate. But it gets worse.

The bug, dubbed “aCropalypse,” was discovered and originally submitted to Google by security researcher and college student Simon Aarons, who collaborated on the work with fellow reverse engineer David Buchanan. The pair were stunned to discover this week that a very similar version of the vulnerability is also present in other photo-cropping utilities from a totally separate yet equally ubiquitous codebase: Windows. The Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool are vulnerable in cases where a user takes a screenshot, saves it, crops the screenshot, and then saves the file again. Photos cropped with Markup, meanwhile, retained too much data even when the user applied the crop before first saving the photo. 

Microsoft told WIRED on Wednesday that it is “aware of these reports” and that it is “investigating,” adding, “we will take action as needed.”

“It was pretty mind-blowing really, it was as if lightning had just struck twice,” says Buchanan. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”

Now that the vulnerabilities are out in the open, researchers have started uncovering old discussions on programming forums where developers noticed the odd behavior of the cropping tools. But Aarons seems to have been the first to recognize the potential security and privacy implications—or at least the first to bring the findings to Google and Microsoft.

“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5 MB file, and that didn’t seem right to me,” Aarons says.

Images impacted by aCropalypse often can’t be completely recovered, but they can be substantially reconstructed. Aarons provided examples, including one in which he was able to recover his credit card number after he attempted to crop it out of a photo. In short, there is a population of photos out there that contain more information than they should—specifically, information that someone intentionally tried to remove.

Microsoft hasn’t issued any fixes yet, but even those released by Google don’t mitigate the situation for existing image files cropped in the years when the tool was still vulnerable. Google points out, though, that image files shared on some social media and communication services may automatically strip out the errant data.

“As part of their existing compression process, apps and websites that recompress images, like Twitter, Instagram, or Facebook, delete extra data automatically from images uploaded. Images posted to sites like these are not at risk,” Google spokesperson Ed Fernandez says in a statement.

The researchers point out, though, that this is not true of all platforms, including Discord.

As a Discord user, Buchanan say he kept seeing people posting cropped screenshots, and it was really hard to not say anything before the vulnerability was publicly disclosed.

Steven Murdoch, a professor of security engineering at University College London, notes that in 2004 he discovered a vulnerability in which an older version of an image was stored in the thumbnail data for the image even after it had been altered.  

“This isn’t the first time I’ve seen this sort of vulnerability,” Murdoch says. “And I think the reason is because when software is written, it’s tested to make sure that the thing you expect is there. You save an image, you can open the image, and then you’re done. What is not checked is whether there is accidentally extra data stored.”

The thumbnail vulnerability Murdoch found in 2004 was conceptually similar to aCropalypse from a data privacy standpoint but had very different technical underpinnings because of issues in application programming interface design. And Murdoch emphasizes that while he sees aCropalypse as a problem for users whose affected photos are already out in the world, its biggest impact may come from the discussions it has raised about how to promote better security practices in API development and implementation.

“This has triggered some interesting conversations about API design and what do you do to teach people to avoid this sort of vulnerability in the future? This is not something that we train people to deal with,” Murdoch says. “It’s not one of these ‘sky is falling’ vulnerabilities, but it’s not good.”

Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data

A cross-site scripting (XSS) vulnerability in MiroTalk P2P before commit f535b35 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the settings module.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

l4rm4nd opened this issue

Feb 17, 2023

· 14 comments

Closed

**Multiple Cross-Site Scripting (XSS) #139**

l4rm4nd opened this issue

Feb 17, 2023

· 14 comments

**Comments**

**Describe the bug**

The mirotalk web application is susceptible to XSS.

If two participants joined a web meeting, one participant can change their name, which is then reflected for all other meeting participants. Since no input validation takes place; or output filtering to sanitize maliciously choosen names, the payload of an attacker is executed in the browser of other victims.

This can introduce various problems and attack vectors, such as:

*   Hijacking of user sessions
*   Defacing of the web site
*   Inserting malicious content into the response
*   Redirect users to malicious pages
*   Hijack the user’s browser using malware

**To Reproduce**

Steps to reproduce the behavior:

1.  Go to https://p2p.mirotalk.com/ and create a new room. Join the room yourself.
2.  Start a second private browser window to simulate another user. Join the same room via invite link e.g.
3.  After joining the meeting, change your name via settings to <img src="x" onerror=alert(document.domain)>
4.  Verify a JavaScript popup in both browser meeting rooms. You successfully XSS'd other users.

**Expected behavior**

A meeting participant's name should always be sanitized before being displayed or embedded into the website's content.

**Screenshots**

**Desktop - Mobile**

Please complete the following information:

*   Device or OS: Windows 10
*   Browser: Microsoft Edge, likely any other browser affected too
*   Version: 110.0.1587.46

**Additional context**

*   https://owasp.org/www-community/attacks/xss/
*   https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_Prevention\_Cheat\_Sheet.html

**Recommendation**

*   Sanitize untrusted user inputs.
*   Define a security policy for this github repo to gain information on how to reach out to you about security issues

Other from that, many thanks for this projects. Really, really cool!

Copy link

Contributor Author

BTW, the file upload function (share a file) is also susceptible.

Any user can upload a file with a XSS payload in the filename. For example Sun'><img src=x onerror=alert(1)>set.jpg.

As the filename is reflected at multiple locations in the web application (e.g. in the chat screen or upload popup), this again can XSS other meeting participants.

 l4rm4nd changed the title Stored Cross-Site Scripting (XSS) Multiple Stored Cross-Site Scripting (XSS)

Feb 17, 2023

 l4rm4nd changed the title Multiple Stored Cross-Site Scripting (XSS) Multiple Cross-Site Scripting (XSS)

Feb 18, 2023

Hello @l4rm4nd,

Thanks so much for reporting this to me, it should be fixed now.  
XSS no longer runs in the participants room, it is blocked before it is sent.

> Other from that, many thanks for this projects. Really, really cool!

Thank you so much, I'm very happy you like it!

Join with us on Discord and Have a good weekend.

Copy link

Contributor Author

Hi @miroslavpejic85,

many thanks for the fast reply and fix.

Your fix works as intended on the client side. Malicious names or filenames are not transfered to other participants but blocked before sending.

However, this validation only happens on the client side via JS. An attacker can easily intercept a valid name modification or file transfer via websockets (that is not blocked before sending) and just modify the request directly. On the participant's side, no validation or sanitization will take place and the XSS payloads will trigger again.

An example websocket request for file transfer would look like this:

    42["fileInfo",{"room_id":"08662TinyTowel","broadcast":true,"peer_name":"Kali","peer_id":"am6Y_BhRyop_UOzkAAmj","file":{"fileName":"<img src=x onerror=alert(document.domain)>","fileSize":156,"fileType":"image/png"}}]
    

So your fix does not mitigate XSS, unfortunately.

Here an example for name changing via websockets:

Copy link

Contributor Author

It's a general problem with output sanitization, since input validation will always be easily bypassed due to JS and websockets.

For example, the raising hand feature is also susceptible. An attacker can easily modify the websocket request and again modify the peer\_name. XSS on all participants, as the peer\_name is reflected.

    42["peerStatus",{"room_id":"97337HotCouch","peer_name":"<img src=x onerror=alert(document.domain)>","element":"hand","status":true}]
    

Copy link

Contributor Author

Same for sharing a video. Peer name can again be weaponized for XSS. The opened video player on the participant's side will reflect which peer opened the video.

    42["videoPlayer",{"room_id":"97337HotCouch","peer_name":"Kali<img src=x onerror=alert(document.domain)>","video_action":"open","video_src":"https://www.youtube.com/embed/uxELAbwB19c?autoplay=1","peer_id":null}]
    

BTW, this also allows for impersonification. So an attacker could easily fake the peer_name and specify another participants name and share an inappropriate video. Other participants will only see the text "<PEER\_NAME> opened a video..." and would be like "what the f\*ck ....".

Copy link

Contributor Author

So sorry to spam the project with security issues but I really love this project.

It is so much better than other web meeting platforms and provides a lot of cool and thoughtful features.

If we get things like these sorted, it's just brilliant <3!

Hi @l4rm4nd, Don't worry, I'm very glad you care about security!

I added the XSS sanitization on the server side, in theory now should everything be fixed regarding the xss?

Can you confirm please? Thank you!

> It is so much better than other web meeting platforms and provides a lot of cool and thoughtful features.

Thank you for your nice feedback! :)

> If we get things like these sorted, it's just brilliant <3!

Sure, Thanks to your cooperation everything will be improved - fixed ;)

Copy link

Contributor Author

hi @miroslavpejic85,

good job using the js-xss library. Looks like the XSS is successfully fixed.

I've even tried some older XSS payloads to especially bypass js-xss from Portswigger XSS Cheatsheet. No luck.

    <script>Object.prototype.whiteList = {img: ['onerror', 'src']}</script><script>document.write(filterXSS('<img src onerror=alert(1)>'))</script>
    

The only thing that is now still possible is HTML injection. But honestly, the impact for this is kinda low.

And some self-XSS popups that are not exploitable for other participants. Will only trigger a JS popup for the attacker himself. Should be fixed too but there is no security impact/risk leaving it as is.

For example a name change to <img src=x onerror=alert(1)> or a file upload with filename of Sun'><img src=x onerror=alert(1)>set.jpg gets blocked by your client.js fix and the messages invalid name and filename are shown. However, the JS payload is nonetheless executed (only in the attackers browser though; so a self-xss issue with no impact).

Hi @l4rm4nd,

Nice to hear your again.

> good job using the js-xss library. Looks like the XSS is successfully fixed.

Thank you, yes, seems very good!

> The only thing that is now still possible is HTML injection. But honestly, the impact for this is kinda low.

I agree with you.

> And some self-XSS popups that are not exploitable for other participants. Will only trigger a JS popup for the attacker himself. Should be fixed too but there is no security impact/risk leaving it as is.

For the name change, I found a way to disable the JS Popup and clean up :)  
For the file name, seems I can't do it, as it's read only, but is xss with no impact.

Thanks again so much for reporting this issue to me and for helping with debugging, much appreciated!

Copy link

Contributor Author

Hi @miroslavpejic85 ,

very nice. The self XSS for the name change function is now fixed.

I've found a remaining self XSS when joining a meeting. You may want to fix this too as it is the second input field presented to a user (after optionally choosing a room name).

You may want to restrict and filter the room name people can choose. A room name with </h1> or just </> bricks the loading screen.

Copy link

Contributor Author

Hi @miroslavpejic85 ,

sorry, I've found another XSS. This time it is a bit more hidden.

A user can choose an XSS payload as name when joining a web meeting. The XSS name will trigger a self XSS popup for the attacker himself. No impact for other participants.

However, the private messages feature allows to search for meeting participants and sending them a private message. When a message is sent, the chat will print a text like Private message to <peer_name>. Malicious peer name allows for XSS again.

Proof of Concept:

1.  Attacker chooses XSS as name during meeting join
2.  Another participant sends the attacker with XSS payload in his name a private message
3.  The victim who sent a message to the attacker triggers the JS payload

_Image1: Attacker sets his name to an xss payload_

_Image2: Victim want to send a private message to the attacker_

_Image3: Attacker's peer name is reflected in the chat which triggers XSS_

So the reflection of peer\_name for private messages must be validated and sanitized too.

Hi @l4rm4nd,  
Yeah you are right, can you try now please? should be fixed.  
Thank you!

Copy link

Contributor Author

> Hi @l4rm4nd, Yeah you are right, can you try now please? should be fixed. Thank you!

Looks good! Malicious HTML/JS is escaped properly.

Participants can also not choose malicious payloads anymore during meeting join:

Also within meeting a peer name cannot be changed to malicious JS/HTML on the frontend:

Great job and many thanks for your fast replies and implemented fixes!

🥇 👍

Good! It's a pleasure, Many thanks to you!

2 participants

CVE-2023-27054: Multiple Cross-Site Scripting (XSS) · Issue #139 · miroslavpejic85/mirotalk

**NEW YORK** **,** **March 22, 2023** **/PRNewswire/ --** Lightspin, the leading cloud security solution for SaaS companies, today launched the Remediation Hub as part of its cloud-native application protection platform (CNAPP) solution. An evolution of Lightspin's root cause analysis feature, the Remediation Hub provides users the ability to dynamically remediate the most critical cloud environment risks, at scale. As a result, organizations can quickly identify and fix the security threats that matter most. 

"Our Remediation Hub was born out of the overwhelming positive customer response to our root cause analysis feature," said Vladi Sandler, co-founder and CEO for Lightspin. "The Remediation Hub expands on our industry-leading capabilities and helps maximize remediation depth and breadth for overlapping critical issues discovered, thus improving efficiency and reducing the time spent on one-off fixes. By providing the much-needed context, the Remediation Hub allows users to reduce the most risk with minimum actions."

Lightspin analyzes the root cause of all risks detected in the cloud environment including vulnerabilities, misconfigurations, identity risks and prioritizes remediation steps based upon a quantified risk score produced by Lightspin's proprietary algorithm. It then generates the proposed remediation to the root cause – Lightspin is the only CNAPP solution to offer remediation with dynamic guardrails for DevOps. Security teams can quickly and easily see how much a remediation action will improve the security score of their cloud environment. 

In a real-world example, a cloud environment has a root cause risk source of an unpatched image. The image has 100 vulnerabilities and there are five EC2 instances using the image. Most tools will flag 500 vulnerabilities to fix. With Lightspin's root cause analysis, the security team can see that there is only one necessary action: fix the image. 

Other cloud security tools push automated corrective remediation in users' public clouds, but this approach can actually add risk and cause more issues if not implemented carefully. Lightspin's Remediation Hub instead offers recommended remediation with the flexibility for teams to select to apply these fixes to their environments or to modify them to suit their unique organizational requirements.

The Remediation Hub also enables ticketing management via platforms such as Jira and ServiceNow, giving security teams capability to assign owners and track results right in the platform dashboard without navigating to another tool. By centralizing the Lightspin recommended actions and remediations discovered, security teams can simplify and streamline workflows to easily address and understand the root cause of vulnerabilities in their cloud environment. 

**Follow Lightspin**  
LinkedIn: https://www.linkedin.com/company/lightspin/  
Twitter: @lightspintech  
Blog: https://blog.lightspin.io/

**About Lightspin**

Lightspin is the #1 cloud security solution for SaaS companies of all sizes. Agentless and easy to deploy, Lightspin's Cloud Native Application Protection Platform (CNAPP) efficiently prioritizes and remediates cloud security risks in minutes using the industry's only Attack Path Engine built on the graph. Supporting Amazon Web Services, Google Public Cloud, Microsoft Azure and Kubernetes, Lightspin simplifies cloud security and compliance via its self-serve offering and graph-based algorithms. Based in New York and Tel Aviv, Lightspin is backed by Dell Technologies Capital, IBM, and Ibex Investors. Leading SaaS companies such as Imperva, ITV, Kaltura, PageUp and Riskified trust Lightspin to protect their data and workloads in the cloud. Learn more at www.lightspin.io.

Lightspin Launches Remediation Hub to Identify and Fix Cloud Security Threats

A new Tech Insight report examines how the enterprise attack surface is expanding and how organizations must deal with vulnerabilities in emerging technologies.

Keeping applications and networks secure can seem like a Sisyphean task. No matter how much time and resources security and IT teams devote to vulnerability assessment, patching, and other mitigations to reduce cyber-risk, they are not enough. In fact, vulnerability management can feel like a series of never-ending tasks.

There is no shortage of vulnerabilities under attack by criminals. Last year saw major vulnerabilities, such as Log4Shell, Ruby on Rails (Follina), and Spring4Shell, plus flaws in Google Chrome, F5 BIG-IP, Microsoft Office, and Atlassian Confluence, to name a few.

The Cybersecurity Infrastructure Agency's Known Exploited Vulnerabilities catalog currently lists vulnerabilities in widely used enterprise applications, such as Oracle eBusiness suite, SugarCRM, Zoho, Control Web Panel, and Microsoft Exchange Server.

And common, yet dangerous vulnerabilities persistently make their way into Web applications, such as broken access control, cryptographic failures, security misconfigurations, and vulnerable and outdated components.

However, enterprise security teams can’t consider their jobs done just by mitigating these types of vulnerabilities. As they adopt new technologies, enterprises need to expand their vulnerability and attack surface management programs accordingly.

A new Dark Reading Tech Insight report examines key areas for enterprise security teams to pay attention to: firmware, 5G networks, edge computing, operational technology and IT convergence, cloud vulnerabilities and misconfigurations, vulnerabilities in open source software, and vulnerabilities in continuous software development pipelines. The report details these types of vulnerabilities and how to mitigate them.

10 Vulnerability Types to Focus On This Year

Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus.
Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16.
Since returning, Emotet has leveraged several distinct infection chains, indicating that

Wednesday, March 22, 2023 15:03

*   Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus.
*   Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16.
*   Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems.
*   The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

**Initial campaign**

Following its initial return to spamming operations, Emotet was leveraging heavily padded Microsoft Word documents in an attempt to evade detection. By leveraging a large number of inconsequential bytes in their documents, they could increase the size of the documents to surpass the maximum file size restrictions that automated analysis platforms like sandboxes and anti-virus scanning engines enforce.

The initial emails were consistent with what has been commonly observed from Emotet in recent years. They typically contained an attached ZIP archive containing a Microsoft Word document. An example of one such email is shown below.

While the ZIP archives are often small, in some cases only ~646KB, the Microsoft Word document when fully extracted was ~500MB in size.

The document included a large number of 0x00 bytes, a technique commonly referred to as “padding.”

Some of the documents also featured excerpts from the classic novel “Moby Dick,” another attempt to increase the size of the documents for evasion purposes.

The Office documents featured templates consistent with those used by Emotet in the past, as shown below.

The Word documents in this campaign contained malicious VBA macros that, when executed, functioned as a malware downloader, retrieving the Emotet payload from attacker-controlled distribution servers and infecting systems, thus adding them to the Emotet botnets.

**Emotet shifts to OneNote**

Microsoft recently deployed new security mechanisms around protecting endpoints from macro-based malware infections, which resulted in various threat actors moving away from Office document-based malspam campaigns. In many cases, these malware distribution campaigns switched to distributing OneNote documents instead, likely as a result of decreased infections and lower success rates. Emotet is no different — shortly after their return to spamming operations on March 16, 2023, they began distributing OneNote files, as well.

In one example, the sender purported to be from the U.S. Internal Revenue Service (IRS) and requested that the recipient complete the attached form.

The attached OneNote document featured templates similar to what has been observed in other Office document formats over the past several years, prompting the user to click inside the document to view the file.

When clicked, an embedded WSF script linked behind the view button containing malicious VBScript code is executed.

This VBScript downloader is responsible for retrieving the Emotet malware payload from an attacker-controlled server and infecting the system.

Hovering over the next button indicates that an object called “Object1.js” will execute when the button is clicked. This is because the attacker has embedded a clickable object behind the lure image as shown below.

This object is a heavily obfuscated JavaScript downloader responsible for retrieving and executing the Emotet payload on the system. A snippet from the obfuscated downloader is shown below.

In a relatively short period, Emotet has modified its infection chain several times to maximize the likelihood of successfully infecting victims.

**Indicators of Compromise**

Indicators of compromise (IOCs) associated with ongoing Emotet campaigns can be found here.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Talos created the following coverage for this threat.  

**Snort SIDs:**

51967-51971, 43890-43892, 44559, 44560, 47327, 47616, 47617, 48402, 49888, 49889, 52029, 53108, 53353-53360, 53770, 53771, 54804, 54805, 54900, 54901, 54924, 54925, 55253, 55254, 55591, 55592, 55781, 55782, 55787, 55788, 55869, 55870, 55873, 55874, 55929-55931, 56003, 56046, 56047, 56170, 56171, 56528, 56529, 56535, 56536, 56620, 56621, 56656, 56657, 56713, 56714, 56906, 56907, 56924, 56925, 56969, 56970, 56983, 56984, 57901, 58943  

**ClamAV Rules:**

Onenote.Dropper.Emotet-9993911-1

Onenote.Dropper.CodPhish-Emotet-9993220-1

Onenote.Trojan.Agent-9987935-0

Emotet Resumes Spam Operations, Switches to OneNote

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

An analysis of data associated with zero-day attacks in 2022 suggests that threat actors are increasingly probing for security weaknesses in edge-infrastructure technologies, including VPNs, firewalls, and IT management products.

Researchers from Mandiant tracked a total of 55 zero-day vulnerabilities that adversaries exploited in various malicious campaigns last year and found that 10 of them involved an Internet-facing edge device.

Among them were CVE-2022-1040 and CVE-2022-3236 in Sophos firewalls, CVE-2022-20821 in Cisco IOS, CVE-2022-42474 and CVE-2022-41226 in Fortinet's FortiOS, CVE-2022-288810 in Zoho ManageEngine, and CVE-2022-35247 in SolarWinds Serv-u.

**Hunting on the Edge**

Casey Charrier, Mandiant senior analyst at Google Cloud, says adversaries are focusing on edge technologies likely because they perceive enterprise organizations as having fewer capabilities around endpoint detection and response (EDR) than they have around network monitoring.

"That's definitely an element that we assess is a focus of Chinese threat groups right now," Charrier says. "As more organizations integrate Internet of Things (IoT) devices into their environment, they'll need to take this into consideration when evaluating security tools and the security of these devices."

The 55 zero-days that Mandiant observed adversaries using in 2022 are fewer than the all-time high of 81 that its researchers observed in 2021. Even so, the number was nearly three times higher than the 20 zero-days Mandiant observed being exploited in 2020.

**Chinese Actors Continue to Be Most Active Exploiters of Zero-Days**

As has been the case for some time now, Chinese state-sponsored threat groups exploited more zero-days in 2022 than any other threat group. Of the 13 zero-days that Mandiant was able to identify as likely exploited by a state-backed group, seven — or more than half — involved a Chinese advanced persistent threat (APT) group.

One example is CVE-2022-30190, a vulnerability in the Microsoft Windows Support Diagnostic Tool that enables remote code execution (RCE) via malicious Office documents, even when a user might have disabled macros. Chinese threat actors used the vulnerability, also referred to as "Follina," in numerous threat campaigns throughout the year, making it one of the most heavily exploited flaws of 2022.

Several of the zero-days that Chinese state actors leveraged in attacks last year targeted network devices. One example is CVE-2022-42475, a buffer-overflow flaw in FortiOS SSL VPN technology that a China-based actor used in a campaign last year to deliver a highly customized tool for exploiting Fortinet's FortiGate firewalls. Another flaw in this category that a Chinese actor abused is CVE-2022-41328, a path traversal vulnerability in FortiOS. Mandiant observed a Chinese group identified as UNC3886 exploiting the vulnerability in a potential cyber-espionage campaign. The same actor was previously associated with an attack campaign targeting VMware ESXi hypervisors using a new technique with malicious vSphere Installation Bundles.

Mandiant said it also observed zero-day exploit activity involving North Korean threat actors ticking up slightly in 2022 compared with previous years. The two zero-days that Mandiant identified North Korean actors exploiting were: CVE-2022-0609, a Google Chrome vulnerability that a North Korean group exploited in a campaign targeting the high tech, media, and financial sectors, and CVE-2022-41128, an RCE in Windows Server that North Korea's APT37 exploited in a phishing campaign.

**Financially Motivated Cyberattackers Want in on the Action Too**

Financially motivated threat actors continued to be another set of adversaries that actively exploited zero-day vulnerabilities last year, though not to the same extent as in 2021. Of the 16 zero-days for which Mandiant was able to attribute a motive, four were used in financially motivated attacks. Many of these attacks involved ransomware deployments. Examples include CVE-2022-29499, an RCE flaw in a Mitel VoIP appliance that a threat actor used to deploy Lorenz ransomware, and CVE-2022-41091, i.e. a Windows Mark of the Web flaw that the operator of the Magniber ransomware used in one campaign.

Since 2019, zero-day exploit activity involving ransomware groups has been increasing, says Charrier. "This is the case for a variety of reasons," Charrier notes. "For one, ransomware, as a proportion of all financially motivated activity, has continued to grow and take over the criminal ecosystem. Second, it can be more obfuscated in terms of tracking the money as well as tracking any sort of victim payments."

Microsoft, Google, and Apple topped the charts — as they always have — in terms of the number of zero-day vulnerabilities in their respective products. The three vendors together accounted for 37 of the 55 zero-days that Mandiant tracked last year. Fifteen of the zero-days in operating systems affected Windows and nine out of 11 browser zero-days were in Google Chrome.

At the same time, the number of zero-days that threat actors found and exploited in other technologies grew as well. As zero-day numbers increase, so do the number of vendors that are victims, Charrier says: "While the top three targeted vendors remain consistent, the variety of additional targeted vendors generally continues to expand and vary each year."

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.
According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection.
"

Cyber Threat Intelligence

The North Korean advanced persistent threat (APT) actor dubbed **ScarCruft** is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.

According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection.

"The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday.

ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012.

Last month, ASEC disclosed a campaign that employed HWP files that take advantage of a security flaw in the Hangul word processing software to deploy a backdoor referred to as M2RAT.

But new findings reveal the threat actor is also using other file formats such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents in its spear-phishing attacks against South Korean targets.

These infection chains often serve to display a decoy file and deploy an updated version of a PowerShell-based implant known as Chinotto, which is capable of executing commands sent by a server and exfiltrating sensitive data.

Some of the new capabilities of Chinotto include capturing screenshots every five seconds and logging keystrokes. The captured information is saved in a ZIP archive and sent to a remote server.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The insights about ScarCruft's various attack vectors come from a GitHub repository maintained by the adversarial collective to host malicious payloads since October 2020.

"The threat actor was able to maintain a GitHub repository, frequently staging malicious payloads for more than two years without being detected or taken down," Zscaler researchers said.

Outside of malware distribution, ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.

It's however not clear how these pages are accessed by the victims, raising the possibility that they may have been embedded inside iframes on websites controlled by the attacker or sent as HTML attachments via email.

Also discovered by SEKOIA.IO is a piece of malware named AblyGo, a backdoor written in Go that utilizes the Ably real-time messaging framework to receive commands.

The use of CHM files to smuggle malware appears to be catching on with other North Korea-affiliated groups as well, with ASEC uncovering a phishing campaign orchestrated by Kimsuky to distribute a backdoor responsible for harvesting clipboard data and recording keystrokes.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft