**LONDON, UK / March 7, 2023** - Egress, a cybersecurity company that provides intelligent email security, today released its **Email Security Risk Report 2023**. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.  

“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”

**Email Security Risks Report 2023: Key findings**

The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security. Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.

**Organizations continue to fall victim to phishing attacks**

Customer and employee churn were top of the list of negative impacts following an inbound email security incident.

*   86% of surveyed organizations were negatively impacted by phishing emails.
*   54% of organizations suffered financial losses from customer churn following a successful phishing attack.
*   40% of incidents resulted in employees exiting the organization.
*   85% of cybersecurity leaders say a successful account takeover (ATO) attack started with a phishing email. 
*   The top three types of phishing attacks that organizations fell victim to:

*   Phishing involving malicious URL or malware attachment.
*   Social engineering.
*   Supply chain compromise.

**Risky behavior and mistakes lead to costly data loss**

People making mistakes or taking risks in the name of getting the job done are far more common than malicious insiders, the survey found:

*   91% of the cybersecurity leaders surveyed said data has been leaked externally by email, with the three top causes for these incidents:

*   Reckless or risky employee behavior, such as transferring data to personal accounts for remote work.
*   Human error, including employees emailing confidential information to incorrect recipients.
*   Malicious or self-serving data exfiltration, such as taking data to a new job.

*   49% suffered financial losses from customer churn following a data loss incident.
*   48% of incidents resulted in employees exiting the organization.

**Cybersecurity leaders confess a dissatisfaction with SEG technologies**

The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:

*   58% - It isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment.
*   53% - Too many phishing emails end up in employees’ inboxes.
*   50% - It takes a lot of administrative time to manage.

**Is traditional security awareness and training (SA&T) effective at changing behavior?**

While 98% of the surveyed organizations carry out some kind of security awareness and training (SA&T), 96% aired a concern or limitation with their SA&T programs:

*   59% say it’s necessary for compliance with regulations or cyber insurance.
*   46% say employees skip through it as fast as possible.
*   37% admit they are not confident people remember what they’re taught.
*   29% say employees find training annoying.

**How to defend against inbound and outbound email security threats**

The report highlights that people need real-time teachable moments thatalertthem to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.

Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration. Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach. New integrated cloud email security solutions (ICES) use intelligent technology to deliver behavior-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behavior that lead to data loss and data exfiltration within Microsoft 365.

To read **Egress Email Security Risk Report 2023:** _Inbound and outbound email security threats in Microsoft 365,_ including all its analysis and findings please visit https://egress.co/ufxkz.

**About Egress**

Egress makes digital communication safer for everyone. As advanced and persistent cybersecurity threats continue to evolve, we recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss, resulting in the reduction of human activated risk. 

Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York, and Boston.

99% of Cybersecurity Leaders Are Stressed About Email Security

Attackers use phishing emails that appear to come from reputable organizations, dropping the payload using public cloud servers and an old Windows UAC bypass technique.

A phishing campaign targeting organizations in Eastern Europe is leveraging an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), to perform cyber espionage across the region, researchers have found.

The campaign uses emails that appear to come from legitimate and highly regarded institutions in the targeted country to lure victims, researchers from SentinelOne revealed in a recent blog post. If successful in getting users to click on a malicious link, attackers leverage the DBatLoader malware loader, which abuses a technique identified more than two years ago to set up mock trusted folders to bypass Windows UAC and drop the RAT, the researchers said.

DBatLoader is known for using public cloud infrastructure to host its malware staging component, the SentinelOne researchers said. In the case of this campaign, they have observed download links to Microsoft OneDrive and Google Drive sites that have been used for this purpose, one of which was active for more than a month, they said.

"When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location," SentinelOne senior threat researcher Aleksandar Milenkoski wrote in the post.

The executable in this case is the Remcos RAT, a malware that threat actors with cybercriminal and espionage motivations widely use to take over computers and collect keystrokes, audio, video, screenshots, and system information as well as deliver other malware, the researchers noted.

Indeed, the campaign observed by SentinelOne is likely linked to reports by the Ukrainian CERT of "phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments," which also deliver the RAT, Milenkoski wrote.

**Reputation-Based Phishing Lures**

Rather than use socially engineered messages in the campaign, attackers rely solely on the reputations of the purported organizations from which the messages are sent to trick victims into taking the bait, the SentinelOne researchers said.

In fact, the messages generally contain no text at all but merely the malicious attachment, they said. In the cases that the messages do include text, it's written in the language of the target’s country, the researchers added. Further, attackers typically send the emails to the sales departments of the targets or publicly available contact email addresses for the organizations. The emails include attachments in the form of tar.lzarchives that typically masquerade as financial documents, such as invoices or tender documentation that appear to originate from institutions or business organizations related to the target. Some attachments purport to be Microsoft Office, LibreOffice, or PDF documents and use double extensions and/or application icons to fool victims.

"Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based," Milenkoski wrote.

"We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations, which are supposedly sending the email," Milenkoski added.

**Abusing Windows UAC Bypass**

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from an aforementioned public cloud location, which then creates and executes an initial Windows batch script in the %Public%\\Libraries directory, the researchers said.

This script abuses a previously identified method for bypassing Windows UAC that involves the creation of mock trusted directories, such as %SystemRoot%\\System32; this allows attackers to conduct activities with elevated privileges without alerting users, the researchers said. Security researcher Daniel Gebert discovered and subsequently revealed the UAC bypass in a July 2020 post on his security blog.

The bypass occurs through a combination of the mock trusted directories and DLL hijacking, which together cause Windows to automatically elevate the process without issuing an UAC prompt, Milenkoski wrote.

The resulting bypass allows DBatLoader to establish persistence across system reboots, by copying itself in the %Public%\\Libraries directory and creating an autorun registry key that points to an Internet Shortcut file, he explained in the post. This executes the DBatLoader executable in the mock directory, which in turn executes the Remcos RAT through process injection.

Researchers observed a wide variety of Remcos RAT configurations on victim systems, most of which were configured for keylogging and screenshot-theft capabilities, "as well as 'duckdns' dynamic DNS domains for command-and-control purposes," Milenkoski wrote.

**Reducing Cyber-Risk & Avoiding Compromise**

Researchers made a number of recommendations to security administrators to dodge the campaign, particularly given its use of DBatLoader coming through on the public cloud.

First and foremost, they advised vigilance against malicious network requests to public cloud instances, noting that attackers' use of public cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate and thus harder for organizations to detect. "This tactic is popular amongst cybercriminals and espionage threat actors," Milenkoski observed.

Researchers also recommended that administrators monitor for suspicious file creation activities in the %Public%\\Library directory, and process-execution activities that involve filesystem paths with trailing spaces, especially \\Windows \\. "The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%\\System32," Milenkoski wrote.

Another tactic for avoiding compromise that administrators should consider is configuring Windows UAC to "always notify," which will always alert users when a program attempts to make changes to computers across a business network, he added.

Researchers also enforced general advice for avoiding phishing compromise in any form by ensuring that administrators and employees alike are aware of what malicious emails look like and how to avoid engaging with them.

Remcos RAT Spyware Scurries Into Machines via Cloud Servers

**REDWOOD CITY, Calif.****,** **March 7, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced new features for its Privilege Manager and DevOps Secrets Vault products. Updates to both products make it more seamless to implement the controls frequently required to secure or renew cyber insurance policies.

Enhancements to Privilege Manager, Delinea's solution for managing privileged access on workstations, focus on policies for Windows Store applications and updates for MacOS Ventura. The latest version of DevOps Secrets Vault, Delinea's high-speed vault for DevOps and DevSecOps teams, makes it easier for developers to install the Command Line Interface (CLI) in their favorite coding console while also providing their own encryption keys.

According to a recent Delinea survey, almost 80% of respondents indicate that they have already used their cyber insurance policies, and only 40% met PAM requirements when they applied for their policies. Credentials hard-coded in applications are a vulnerability that can be exploited, potentially leading to claims that may not be supported when less than 50% of survey respondents' policies cover data recovery. Furthermore, the survey revealed that ransomware attacks often start on workstations, and over 70% of policies will not cover ransomware payments.

**Stronger privilege controls on Windows and Macs**

The latest version of Privilege Manager allows administrators to build policies for applications installed from the Windows Store and other Universal Windows Platform applications, defining which applications are not allowed to run. Enhancements to the native MacOS agent ensure that users on MacOS Ventura have consistent application controls. Both updates make installing ransomware on Windows and Mac workstations more difficult, including those running the latest operating systems from Microsoft and Apple. Other updates include enhancements to the UI that highlight the number of workstations impacted by policy changes and management of certificate credentials.

**Streamlined credential management in the most popular coding consoles**

New CLI installers for DevOps Secrets Vault allow developers to run a native command in their environment to install and begin dynamically injecting credentials into their applications. CLI installers are supported for several of the most popular coding consoles – HomeBrew, PowerShell, Aqua, Curl, Snap, and Scoop. Enhancements to the Command Line Interface allow developers to configure and use their own encryption keys to provide even stronger security. Additional enhancements include new flags to the rest API and CLI for more easily searching objects, and an improved "break glass" security function.

"Our customers increasingly approach us with more stringent cyber insurance requirements, often necessitating more modern Privileged Access Management controls," said Phil Calvin, Chief Product Officer at Delinea. "We continuously focus on making it less complicated to implement privileged access policies, and these two product releases make PAM more seamless for both workstations and coded credentials."

Organizations can start a free trial of the latest versions of Privilege Manager at https://delinea.com/products/privilege-manager and DevOps Secrets Vault at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea Adds New features for its Privilege Manager and DevOps Secrets Vault

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors.
"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure

Data Safety / Cyber Threat

Cybersecurity researchers have discovered a new information stealer dubbed **SYS01stealer** targeting critical government infrastructure employees, manufacturing companies, and other sectors.

"The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News.

"The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information."

The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler.

However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actors managed to confuse attribution efforts and evade detection.

The attack chain, per Morphisec, commences when a victim is successfully lured into clicking on a URL from a fake Facebook profile or advertisement to download a ZIP archive that purports to be cracked software or adult-themed content.

Opening the ZIP file launches a based loader – typically a legitimate C# application – that's vulnerable to DLL side-loading, thereby making it possible to load a malicious dynamic link library (DLL) file alongside the app.

Some of the applications abused to side-load the rogue DLL are Western Digital's WDSyncService.exe and Garmin's ElevatedInstaller.exe. In some instances, the side-loaded DLL acts as a means to deploy Python and Rust-based intermediate executables.

Irrespective of the approach employed, all roads lead to the delivery of an installer that drops and executes the PHP-based SYS01stealer malware.

The stealer is engineered to harvest Facebook cookies from Chromium-based web browsers (e.g., Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi), exfiltrate the victim's Facebook information to a remote server, and download and run arbitrary files.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

It's also equipped to upload files from the infected host to the command-and-control (C2) server, run commands sent by the server, and update itself when a new version is available.

The development comes as Bitdefender revealed a similar stealer campaign known as S1deload that's designed to hijack users' Facebook and YouTube accounts and leverage the compromised systems to mine cryptocurrency.

"DLL side-loading is a highly effective technique for tricking Windows systems into loading malicious code," Morphisec said.

"When an application loads in memory and search order is not enforced, the application loads the malicious file instead of the legitimate one, allowing threat actors to hijack legitimate, trusted, and even signed applications to load and execute malicious payloads."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is… 
Continue reading → Persistence – Event Log Online Help

Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is used mainly for troubleshooting windows errors by administrators could be also used as a form a persistence during red team operations. Microsoft in order to assist administrators to retrieve direct information for a particular event ID over the web has embedded a functionality which is called Event Log Online Help.

The Event Log Online Help redirects the users to a Microsoft URL and is controlled from the following registry location.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer

Three registry keys could be modified if local administrator access has been achieved in order to execute arbitrary payloads once the Event Log Online Help is clicked by the user. These keys can be found below:

*   MicrosoftRedirectionProgram
*   MicrosoftRedirectionProgramCommandLineParameters
*   MicrosoftRedirectionURL

A very trivial proof of concept is to trigger a message box.

#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "pentestlab.blog", "Pentestlab", MB\_OK);
  return 0;
}

The code above could be compiled using MinGW in order to generate an executable.

    x86_64-w64-mingw32-g++ -O2 messagebox.cpp -o messagebox.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings 
    -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive

The registry key “_MicrosoftRedirectionProgram”_ could be modified to contain the location of the compiled executable. Clicking the Event Log Online Help will display the message box indicating that code has been executed.

Event Log Online Help – MessageBox

In similar manner “_msfvenom_” could be used to generated a payload.

msfvenom – Payload Generation

Modification of the registry key below to map to the location on the disk of the previously generated payload will execute the payload.

Microsoft Redirection Program – Registry Key

When the Event Log Online Help is clicked a connection will be established.

Event Log Online Help – Meterpreter

The second registry key “_MicrosoftRedirectionProgramCommandLineParameters_” allows the user modify the data value in order to execute commands. A very common living off the land binary such as “regsvr32” can be utilized to execute a fileless payload.

Microsoft Redirection Program Command Line Parameters

Once the Event Log Online Help is clicked the command will be executed and a communication channel will established.

Meterpreter – regsvr32

The last registry key is the “_MicrosoftRedirectionURL_” which by default it points out to a Microsoft location. The registry value could be changed to point either to a malicious URL or to a payload which is dropped on the disk.

Microsoft Redirection URL

In all of the above scenarios the following condition will be created:

*   Parent Process (mmc.exe) –> Child Process (Payload)

MMC – Parent Process

EDR’s should flag when mmc tries to spawn non trusted processes. Furthermore, monitoring of the above registry keys for changes could create a detection opportunity. As access to Windows graphical interface is required and considering the fact that the average user would not typically open event viewer and click on the Windows Event Log Online Help it is unlikely that this technique will gain popularity. However, in an assumed breach or malicious insider scenarios it could be used as a trivial method to maintain an active connection over a C2 channel.

**References**

*   https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/

**Post navigation**

Persistence – Event Log Online Help

Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is… 
Continue reading → Persistence – Event Log Online Help

An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server.
The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022.
Shein, originally named ZZKKO, is a Chinese online fast

An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server.

The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022.

Shein, originally named ZZKKO, is a Chinese online fast fashion retailer based in Singapore. The app, which is currently at version 9.0.0, has over 100 million downloads.

The tech giant said it's not "specifically aware of any malicious intent behind the behavior," but noted that the function isn't necessary to perform tasks on the app.

It further pointed out that launching the application after copying any content to the device clipboard automatically triggered an HTTP POST request containing the data to the server "api-service\[.\]shein\[.\]com."

To mitigate such privacy risks, Google has further made improvements to Android in recent years, including displaying toast messages when an app accesses the clipboard and barring apps from getting the data unless it is actively running in the foreground.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

"Considering mobile users often use the clipboard to copy and paste sensitive information, like passwords or payment information, clipboard contents can be an attractive target for cyberattacks," researchers Dimitrios Valsamaras and Michael Peck said.

"Leveraging clipboards can enable attackers to collect target information and exfiltrate useful data."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Shein's Android App Caught Transmitting Clipboard Data to Remote Servers

Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).

**CVE-2022-45141.html:**

\===========================================================
== Subject:     Samba AD DC using Heimdal can be forced to
==              issue rc4-hmac encrypted Kerberos tickets
==
== CVE ID#:     CVE-2022-45141
==
== Versions:    Heimdal builds of the Samba AD DC prior to Samba 4.16 
==
== Summary:     Since the Windows Kerberos RC4-HMAC Elevation of Privilege
==              Vulnerability was disclosed by Microsoft on Nov 8 2022
==              and per RFC8429 it is assumed that rc4-hmac is weak,
==
==              Vulnerable Samba Active Directory DCs will issue rc4-hmac
==              encrypted tickets despite the target server supporting
==              better encryption (eg aes256-cts-hmac-sha1-96).
===========================================================

===========
Description
===========

Kerberos, the trusted third party authentication system at the heart
of Active Directory, issues a ticket using a key known to the target server
but nobody else, returned to the client in a TGS-REP.

This key needs to be of a type understood only by the KDC and target server.

However, due to a coding error subsequently addressed in all recent
Heimdal versions and so fixed with Samba 4.16 (which imports Heimdal
8.0pre), the (attacking) client would be given the opportunity to
select the encryption type, and so obtain a ticket encrypted with
rc4-hmac, that it could attack offline.

This is possible unless rc4-hmac is totally removed from the server's
account, by removing the unicodePwd attribute, but this will break
other aspects of the server's operation in the domain (NETLOGON in
particular).

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.13 has been issued as security releases to correct the
defect.  Samba administrators are advised to upgrade to these releases or apply
the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)

================
(not) Workaround
================

Setting msDS-SupportedEncryptionTypes is not a workaround for this issue.

=======
Credits
=======

Originally reported by Joseph Sutton of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches by Nicolas Williams were identified and backported by Joseph Sutton of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2022-45141: Samba - Security Announcement Archive

The Android app unnecessarily accessed clipboard device contents, which often includes passwords and other sensitive data.

A version of the Shein shopping application in the Google Play store with more than 100 million downloads was unnecessarily accessing Android-device clipboard contents, creating a potential security threat, according to Microsoft.

The software giant said in a blog post from Microsoft Threat Intelligence that it asked Shein to remove the feature from its Android app that accessed user clipboards, and the company complied. However, users need to update their apps to be free from danger. 

From passwords to account numbers, and auto-fill information of all kinds, device clipboards can contain a treasure trove of sensitive data.

"Microsoft discovered that an old version of the Shein Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server," the Microsoft blog post said. "While we are not specifically aware of any malicious intent behind the behavior, we assessed that this behavior was not necessary for users to perform their tasks on the app."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Shein Shopping App Glitch Copies Android Clipboard Contents

Ubuntu Security Notice 5917-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Kyle Zeng discovered that the sysctl implementation in the Linux kernel contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5917-1  
March 03, 2023

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp,  
linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle,  
linux-oracle-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems  
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel  
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

Kyle Zeng discovered that the sysctl implementation in the Linux kernel  
contained a stack-based buffer overflow. A local attacker could use this to  
cause a denial of service (system crash) or execute arbitrary code.  
(CVE-2022-4378)

It was discovered that the NVMe driver in the Linux kernel did not properly  
handle reset events in some situations. A local attacker could use this to  
cause a denial of service (system crash). (CVE-2022-3169)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Gwangun Jung discovered a race condition in the IPv4 implementation in the  
Linux kernel when deleting multipath routes, resulting in an out-of-bounds  
read. An attacker could use this to cause a denial of service (system  
crash) or possibly expose sensitive information (kernel memory).  
(CVE-2022-3435)

It was discovered that a race condition existed in the Kernel Connection  
Multiplexor (KCM) socket implementation in the Linux kernel when releasing  
sockets in certain situations. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3545)

It was discovered that the hugetlb implementation in the Linux kernel  
contained a race condition in some situations. A local attacker could use  
this to cause a denial of service (system crash) or expose sensitive  
information (kernel memory). (CVE-2022-3623)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the Intel i915 graphics driver in the Linux kernel  
did not perform a GPU TLB flush in some situations. A local attacker could  
use this to cause a denial of service or possibly execute arbitrary code.  
(CVE-2022-4139)

It was discovered that a race condition existed in the Xen network backend  
driver in the Linux kernel when handling dropped packets in certain  
circumstances. An attacker could use this to cause a denial of service  
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)

It was discovered that the Atmel WILC1000 driver in the Linux kernel did  
not properly validate offsets, leading to an out-of-bounds read  
vulnerability. An attacker could use this to cause a denial of service  
(system crash). (CVE-2022-47520)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

It was discovered that the Android Binder IPC subsystem in the Linux kernel  
did not properly validate inputs in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-20938)

Kyle Zeng discovered that the class-based queuing discipline implementation  
in the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23454)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1065-gkeop    5.4.0-1065.69  
   linux-image-5.4.0-1087-kvm      5.4.0-1087.93  
   linux-image-5.4.0-1094-oracle   5.4.0-1094.103  
   linux-image-5.4.0-1095-gke      5.4.0-1095.102  
   linux-image-5.4.0-1097-aws      5.4.0-1097.105  
   linux-image-5.4.0-1101-gcp      5.4.0-1101.110  
   linux-image-5.4.0-1104-azure    5.4.0-1104.110  
   linux-image-5.4.0-144-generic   5.4.0-144.161  
   linux-image-5.4.0-144-generic-lpae  5.4.0-144.161  
   linux-image-5.4.0-144-lowlatency  5.4.0-144.161  
   linux-image-aws-lts-20.04       5.4.0.1097.94  
   linux-image-azure-lts-20.04     5.4.0.1104.97  
   linux-image-gcp-lts-20.04       5.4.0.1101.103  
   linux-image-generic             5.4.0.144.142  
   linux-image-generic-lpae        5.4.0.144.142  
   linux-image-gke                 5.4.0.1095.100  
   linux-image-gke-5.4             5.4.0.1095.100  
   linux-image-gkeop               5.4.0.1065.63  
   linux-image-gkeop-5.4           5.4.0.1065.63  
   linux-image-kvm                 5.4.0.1087.81  
   linux-image-lowlatency          5.4.0.144.142  
   linux-image-oem                 5.4.0.144.142  
   linux-image-oem-osp1            5.4.0.144.142  
   linux-image-oracle-lts-20.04    5.4.0.1094.87  
   linux-image-virtual             5.4.0.144.142

Ubuntu 18.04 LTS:  
   linux-image-5.4.0-1094-oracle   5.4.0-1094.103~18.04.1  
   linux-image-5.4.0-1097-aws      5.4.0-1097.105~18.04.1  
   linux-image-5.4.0-1104-azure    5.4.0-1104.110~18.04.1  
   linux-image-5.4.0-144-generic   5.4.0-144.161~18.04.1  
   linux-image-5.4.0-144-generic-lpae  5.4.0-144.161~18.04.1  
   linux-image-5.4.0-144-lowlatency  5.4.0-144.161~18.04.1  
   linux-image-aws                 5.4.0.1097.75  
   linux-image-azure               5.4.0.1104.77  
   linux-image-generic-hwe-18.04   5.4.0.144.161~18.04.115  
   linux-image-generic-lpae-hwe-18.04  5.4.0.144.161~18.04.115  
   linux-image-lowlatency-hwe-18.04  5.4.0.144.161~18.04.115  
   linux-image-oem                 5.4.0.144.161~18.04.115  
   linux-image-oem-osp1            5.4.0.144.161~18.04.115  
   linux-image-oracle              5.4.0.1094.103~18.04.68  
   linux-image-snapdragon-hwe-18.04  5.4.0.144.161~18.04.115  
   linux-image-virtual-hwe-18.04   5.4.0.144.161~18.04.115

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5917-1  
   CVE-2022-3169, CVE-2022-3424, CVE-2022-3435, CVE-2022-3521,  
   CVE-2022-3545, CVE-2022-3623, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-4139, CVE-2022-42328, CVE-2022-42329, CVE-2022-4378,  
   CVE-2022-47520, CVE-2022-47929, CVE-2023-0045, CVE-2023-0266,  
   CVE-2023-0394, CVE-2023-0461, CVE-2023-20938, CVE-2023-23454,  
   CVE-2023-23455

Package Information:  
   https://launchpad.net/ubuntu/+source/linux/5.4.0-144.161  
   https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1097.105  
   https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1104.110  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1101.110  
   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1095.102  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1065.69  
   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1087.93  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1094.103  
   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1097.105~18.04.1  
   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1104.110~18.04.1  
   https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-144.161~18.04.1  
   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1094.103~18.04.1

Tag

#microsoft