Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

Adam Bannister 03 February 2023 at 16:36 UTC  
Updated: 03 February 2023 at 16:37 UTC

Path traversals could ‘void reverse engineering efforts and tamper with evidence collected’

Security analysis tool Binwalk itself poses a security risk to users running out-of-date versions due to a path traversal vulnerability that could lead to remote code execution (RCE).

Binwalk is a popular command-line tool in Linux that is used for analyzing, reverse engineering, and extracting firmware images.

The path traversal issue requires users to open a “malicious file with binwalk using extract mode ( option)” so user interaction is required, according to a security advisory published by Quentin Kaiser of ONEKEY Research Lab.

The flaw is tracked as CVE-2022-4510 and classified as high severity (CVSS 7.8).

**Root cause**

The vulnerability was introduced by the merging of the Professional File System (PFS) extractor plugin with binwalk in 2017, and arises because an attempt to mitigate path traversal risk with failed.

The upshot is that six years later, Kaiser discovered that “by crafting a valid PFS filesystem with filenames containing the traversal sequence, we can force binwalk to write files outside of the extraction directory”.

PFS is an obscure filesystem format occasionally found in embedded devices.

**‘Environment agnostic’**

Kaiser targeted binwalk’s plugin system in a bid to achieve an “environment agnostic” path to RCE.

Plugins load on all binwalk scans once they are dropped into the Python tool’s plugin directory.

“So, if we exploit the path traversal to write a valid plugin at that location, binwalk will immediately pick it up and execute it while it’s still scanning the malicious file,” Kaiser explained. “On top of that, the PFS extractor will take care of creating all required directories if they do not exist, so we don’t need to expect anything from the system we’re running on.”

Kaiser crafted a malicious plugin that “executes two times since it does not define an explicit MODULE attribute that defines its purpose (e.g., signature scan, entropy calculation, compression stream identification). I take advantage of that behavior to make it clean up after itself.”

Vulnerable versions span 2.1.2b through 2.3.3 inclusive. The vulnerability was addressed yesterday (February 2) with the release of binwalk version 2.3.4 – more than three months after ONEKEY said it first contacted the tool’s maintainer, Microsoft-owned Refirm Labs, and provided a suggested patch, in October 2022.

**Yaffshiv**

Kaiser’s research also uncovered similar, medium severity CVEs affecting other filesystem extractors, namely the ubi\_reader, Jefferson, yaffshiv projects.

Kaiser warned that even fully up-to-date binwalk instances were potentially vulnerable to the same exploit chain because yaffshiv is installed and enabled by default on binwalk, except the attack vector would be YAFFS instead of PFS.

“Yaffshiv is maintained by the team behind binwalk so we hope a fix will be available soon,” Kaiser told The Daily Swig.

“Writing secure format parsers and extractors is a complex task (believe us, we've been working on exactly those issues with \[our own extraction suite\] Unblob) so it's not a surprise that we found these kinds of vulnerabilities in binwalk given the amount of format it supports.”

**Salutary reminder**

The research serves as a salutary reminder that security tools can themselves contain security holes. “This especially becomes critical in forensic analysis and reverse engineering where we are commonly faced with untrusted, potentially malicious files,” said Kaiser.

“While the path traversals described in this article have the potential to void any reverse engineering efforts and to tamper with evidence collected, they also demonstrate the importance of sandboxing analysis environments to limit the impact of such vulnerabilities. Especially with the rise of automated extraction and analysis tools relying on tools like binwalk (e.g., FACT, ofrak, EMBA), it’s important for developers and users of those solution to be aware of the risks.”

Kaiser hinted that ‘D-Link RomFS’ plugin could be his next focus for research as it “is probably affected by a similar vulnerability”.

The Daily Swig has approached Refirm Labs for comment. We will update this article if and when they respond.

MORE RELATED RESEARCH WAGO fixes config export flaw threatening data leak from industrial devices

Serious security hole plugged in infosec tool binwalk

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.
Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Attack Vector / Endpoint Security

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK.

"It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote," Proofpoint said.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what's a case of a "payload smuggling" attack.

"Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote," TrustedSec researcher Scott Nusbaum said. "These file types include CHM, HTA, JS, WSF, and VBS."

As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments (.one and .onepkg files) and keep close tabs on the operations of the OneNote.exe process.

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK.

The aim behind blocking macros is two-fold: To not only reduce the attack surface but also increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.

But these are not the only options that have become a popular way to conceal malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been put to use as an attack pathway to skirt Microsoft's protections and propagate a remote access trojan called Ekipa RAT and other backdoors.

The abuse of XLL files hasn't gone unnoticed by the Windows maker, which is planning an update to "block XLL add-ins coming from the internet," citing an "increasing number of malware attacks in recent months." The option is expected to be available sometime in March 2023.

When reached for comment, Microsoft told The Hacker News that it had nothing further to share at this time.

"It's clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices," Bitdefender's Adrian Miron said. "These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20221213**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20221213)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-21720: Microsoft Edge (Chromium-based) Tampering Vulnerability

By Waqas
An OSINT tool is a must for every researcher - In this article, we will explore the 15 best OSINT tools that you can use for your investigations.
This is a post from HackRead.com Read the original post: What is an OSINT Tool – Best OSINT Tools 2023

Open Source Intelligence (OSINT) tools are an invaluable resource for companies, organizations cybersecurity researchers and students. In this article, we will explore the 15 best OSINT tools that you can use for your investigations and education purposes.

**OSINT**, or Open Source Intelligence, refers to the practice of gathering information from publicly available sources. In the information and digital age, there are countless tools and resources available for OSINT practitioners to use, making it easier than ever to collect and analyze information. Here are the 15 best OSINT tools that you can use for your investigations:

**Maltego**

Maltego is a powerful and sophisticated OSINT tool for gathering data from public sources. Developed by Paterva, Maltego OSINT allows users to quickly uncover relationships between large amounts of disparate data which can then be used to build intelligence profiles.

With Maltego OSINT, users are able to extract information from multiple online sources using simple graphic representations. This includes the ability to map out social networks, capture contact details and business data, track domain names and IP addresses, uncover digital evidence such as documents or images stored on websites, find related news articles and more.

Furthermore, by automating the process of gathering publicly available data in this way, Maltego OSINT enables users to quickly discover hidden connections that would otherwise remain undetected. Visit the official website of Maltego **here**.

**Shodan**

**Shodan** is a search engine for the Internet of Things **(IoT) devices** and an OSINT tool that is used to uncover vulnerable and exposed devices connected to the Internet, otherwise known as smart devices.

Shodan was created by John Matherly in 2009 and is considered to be the world’s first computer search engine. Shodan can be used to detect security vulnerabilities on public websites, as well as provide detailed information about each web server it finds.

Shodan has become increasingly popular among cybersecurity and IT security professionals who use it for vulnerability assessment, penetration testing, and network mapping. Shodan also helps them identify insecure services such as **misconfigured cloud databases**, FTP servers, telnet servers, and SSH servers that are exposed on the internet without authentication or encryption.

Additionally, Shodan provides detailed technical information about each device it finds including IP address, operating system type, open ports, running software programs and associated vulnerabilities. That is why Shoden is a perfect OSINT tool out there. Visit the official website of Shodan **here**.

**TheHarvester**

TheHarvester is a powerful OSINT tool used to find information related to domains and email addresses. It can be used by security professionals, IT administrators, and hackers alike to collect information from different sources on the internet.

TheHarvester was created as an alternative for doing research on public resources such as search engines, PGP key servers, and social networks. It allows users to quickly gather large amounts of data from sites like Google, Bing, Yahoo!, Dogpile, LinkedIn, Twitter and many more.

All of the gathered data can be exported into several formats such as HTML/XML or even saved as a text file. Additionally, it includes an API that allows users to customize their searches according to their specific needs. Visit the official TheHarvester page on Kali **here**.

**Recon-ng**

Recon-ng is an OSINT tool used for reconnaissance and data gathering. It is a full-featured web application that can be used to gather subsets of public information related to a target, such as usernames, names, email addresses, domain names and other relevant details.

Recon-ng has been designed to automate the process of gathering intelligence about a given target as quickly and efficiently as possible. The Recon-ng OSINT tool provides users with access to multiple resources such as Google, Bing, Twitter, Shodan and more.

The platform also allows users to interact with each resource using the same interface which simplifies the data-gathering process significantly compared to traditional methods. It enables users to quickly collect comprehensive information on a target without having to manually search multiple online sources or databases. Visit the official Recon-ng page on Kali **here**.

**Spiderfoot**

Spiderfoot is an excellent OSINT tool designed to automate the process of gathering information about a specific target. Spiderfoot enables users to have quick and easy access to a wide range of data sources.

It is capable of collecting information from over 200 sources, such as DNS records, WHOIS information and public resources like Shodan, **VirusTotal**, Google and others. Spiderfoot can be used for reconnaissance, investigative research and even threat hunting by allowing users to quickly identify potential threats or vulnerabilities in their environment.

The tool works by scanning the internet for publicly available data from various sources based on the user’s input query parameters. The collected data can then be mapped out into an interactive graph with various visual indicators which make it easier to interpret the gathered information.

This feature makes it much easier for security professionals to recognize trends or anomalies within their networks which can help them detect malicious activities or threats early on. Visit the official website of Spiderfoot **here**.

**OSINT Framework**

OSINT Framework is a website and information-gathering tool used by security professionals for investigative purposes. It is a collection of free and publicly available tools that can be used to conduct online investigations.

OSINT Framework provides users with an easy-to-use platform to quickly search, collect and analyze data from various sources such as social media platforms, websites, forums, blogs and more. By using this framework, security professionals are able to gather a wealth of information in order to identify potential threats or anomalies on the web.

The OSINT Framework enables users to access public records and other sources of information quickly and efficiently. It utilizes specialized search engines and databases such as Google Hacking Database (**GHDB**) as well as several other open-source intelligence tools such as Recon-ng, Maltego and Shodan. Visit the official website of OSINT Framework **here**.

**Foca**

Foca (Fingerprinting Organizations with Collected Archives) is an OSINT tool used by cybersecurity professionals to collect data from the internet. It can be used to find information on any subject, including people, companies, and other organizations. The tool gathers data from a variety of sources such as social media platforms, websites, and search engines.

The tool helps users to collect information quickly and efficiently by providing them with a set of tools for searching, collecting and analyzing the collected data. It provides users with advanced filtering options that allow them to narrow down their searches and find relevant information easily.

Foca also has features such as keyword analysis which enables users to analyze text-based content or images in order to identify patterns or trends in the collected data. Additionally, it offers other features like automated report generation which allows users to generate reports quickly without having to manually gather all the necessary data themselves. Visit the official GitHub repository of FOCA **here**.

**Metagoofil**

Metagoofil is a powerful OSINT tool used for gathering publicly available information about a particular target. It is especially useful for penetration testers, security professionals, and researchers who need to collect data from websites in order to perform reconnaissance on their targets.

Metagoofil was developed by Edge Security in 2006 as part of the framework for its security consulting services. This tool can be used to scan websites, search engines, and public document archives such as **PDFs and Microsoft Office documents**. It then searches for specific keywords related to the target and collects the relevant information from these sources.

With its easy-to-use interface, Metagoofil allows users to quickly find files containing sensitive information such as usernames, passwords, email addresses, IP addresses, etc., which can then be used in further attacks or research projects. Visit the official Metagoofil page on Kali **here**.

**GHunt**

GHunt is a new OSINT tool that lets users extract information from any Google Account using an email. The information that GHunt extracts include:

*   Google ID
*   Owner’s name
*   Public photos (P)
*   Phones models (P)
*   Phones firmware
*   Installed Softwares
*   Google Maps reviews
*   Possible physical location
*   Possible YouTube channel
*   Possible other usernames
*   Events from Google Calendar
*   If the account is a Hangouts Bot
*   Last time the profile was edited
*   Activated Google services (YouTube, Photos, Maps, News360, Hangouts, etc.)

Visit GHunt’s GitHub repository **here**.

**Yandex Images**

The Russian counterweight to America’s Google, Yandex has been extremely popular in Russia and offers users the option to search across the internet for thousands of images. This is in addition to its reverse-image functionality which is remarkably similar to Google.

A good option included within is that you could sort images category wise which can make your searches more specific and accurate.

**Tip:** In my personal experience; Yandex image search results are far more accurate and in-depth than Google Images. Visit Yandex **here**.

**N2YO.com**

Allowing you to track satellites from afar, N2YO is a great tool for space enthusiasts. It does so by featuring a regularly searched menu of satellites in addition to a database where you could make custom queries along the lines of parameters such as the Space Command ID, launch date, satellite name, and an international designator.

You could also set up custom alerts to know about space station events along with a live stream of the International Space Station(ISS)! Visit the official website of N2YO **here**.

**TinEye**

TinEye is the original reversed image search engine, and all you have to do is submit a proper picture to TinEye to get all the required information, like where it has come from and how it has been used.

Instead of using keyword matching, it uses a variety of approaches to complete its tasks, including picture matching, signature matching, watermark identification, and numerous other databases to match the image. 

In conclusion, these 15 OSINT tools are among the best available for conducting investigations using publicly available information. Whether you are a professional investigator or a curious individual, these tools can help you gather and analyze information more efficiently and effectively. Visit the official website of TinEye **here**.

**Have I Been Pwned**

**Have I Been Pwned** is an online service that helps people determine if their personal data has been compromised. It works by using email addresses to track data breaches, allowing users to know whether their information has been leaked or stolen due to a hack or other incident.

Have I Been Pwned was created in 2013 by Troy Hunt, a Microsoft Regional Director and security expert. The site provides users with detailed information about the source of any breach affecting their personal data, as well as the types of data that may have been leaked. This allows them to take appropriate steps to protect themselves from future attacks.

Have I Been Pwned or HIBP currently tracks more than 12 billion accounts across over 600 major data breaches, providing one of the most comprehensive databases for checking if your account details have been exposed online. Visit Have I Been Pwned **here**.

**Conclusion**

In conclusion, OSINT tools are an invaluable resource for anyone looking to stay ahead of the curve in the world of digital intelligence. The 15 Best OSINT tools outlined in this article provide an excellent overview for any user, from the novice to the professional, to get started. By using these tools and understanding their functions, users can empower themselves to become better researchers and find valuable data more quickly.

1.  **Top 10 Reliable VPN Services**
2.  **5 Free Best Internet Speed Test Websites**
3.  **8 Online Best Dark Web Search Engines for Tor Browser**
4.  **What Are Dark Web Search Engines and How to Find Them?**
5.  **Best legal & free online streaming sites for movies & TV shows**

What is an OSINT Tool – Best OSINT Tools 2023

**LONDON, UK – 1 February 2023 –** Leading cybersecurity provider Hornetsecurity has today launched two new tools – the QR Code Analyzer and Secure Links - to combat growing cyber threats. These launches come in response to a rise in fake QR codes and the ongoing threat of phishing, which represents 40% of all cyber threats.   

Hornetsecurity has also released a new automated mailbox migration solution, which helps partners efficiently and securely deploy and operate Microsoft 365 in the cloud for their customers – and remain safe from cyberattacks. In addition, the cybersecurity specialist has simplified its partner program to enable partners to work on projects and MSP business equally and centrally.   

**QR code phishing**

Research from Hornetsecurity’s Security Lab has discovered that cybercriminals are using QR codes in emails to obtain confidential data. To counter this latest threat, Hornetsecurity is expanding its Advanced Threat Protection and 365 Total Protection Suite for Microsoft 365 with the launch of its QR Code Analyzer. This unique technology determines whether QR codes link to malicious sites when scanned.   

The launch of Hornetsecurity’s ‘Secure Links’ functionality will also help limit cyber-attacks, especially ransomware attempts. This new service runs all email links through a secure analyzer before enabling the recipient to safely open the link. Both new technologies provide businesses and their employees with extra reassurance that their email communications are safe.   

Hornetsecurity CEO, Daniel Hofmann, said: “Hornetsecurity is committed to pre-empting and responding to new cybersecurity threats and customer concerns. Phishing attacks and fake QR codes are on the increase, so we are pleased to launch unique technologies that will combat these ever-growing threats. The QR Code Analyzer and Secure Links tools will benefit businesses by fighting cybersecurity attacks in a safe, reliable and cost-effective way.”  

**Migrate mailboxes in a safe and efficient way**

In response to challenges that Hornetsecurity partners have faced in transferring mailboxes from on-prem to Microsoft 365 cloud, the cybersecurity specialist has developed the Mailbox Migration Tool. This new offering enables Hornetsecurity partners to automatically migrate customers securely, efficiently and with major time-savings – in turn, enabling them to provide peace of mind by offering full security for Microsoft 365 via 365 Total Protection.  

**New simplified partner program** 

Hornetsecurity has also created a new simplified partner program. The newly adjusted program aims to unify partner levels and includes both managed service (MSP) and project business. These updates make entry barriers negligible, so partners can provide Hornetsecurity's services with minimal effort and investment.  

Hornetsecurity COO, Daniel Blank added: “Hornetsecurity has listened to our partners’ needs, which has led to the launch of our efficient and safe Mailbox Migration Tool, at the same time as our new partner program is rolled out.  

“This launch package is just the start of what will be a busy 2023 for Hornetsecurity as we monitor, learn and respond to new sophisticated cyberattacks, and continue to keep our customers’ data safe from ever-present threats.”   

**Further information**

For more information on Hornetsecurity’s new cybersecurity tools, please visit Advanced Threat Protection and

Hornetsecurity Combats QR Code Phishing With Launch of New Technology

Current and former cybersecurity leaders from Microsoft, Google, GitLab, Check Point, OWASP, Fortinet and others have already joined the open framework initiative, which is being led by OX Security.

**TEL AVIV, Israel****,** **Feb. 1, 2023** **/PRNewswire/ --** OX Security, the first end-to-end software supply chain security solution, today announced the launch of OSC&R (Open Software Supply Chain Attack Reference)_,_ the first and only open framework for understanding and evaluating existing threats to entire software supply chain security.

The founding consortium of cybersecurity leaders behind OSC&R include: David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies.

Discussions with hundreds of industry leaders revealed that there was a very concrete need for a MITRE-like framework that would allow experts to better understand and measure supply chain risk, a process that until now could only be  based on intuition and experience. OSC&R is designed to provide a common language  and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Neatsun Ziv, who served as Check Point's VP of Cyber Security before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."

OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized, how existing coverage addresses those threats, as well as to help track behaviors of attacker groups.

"OSC&R helps security teams build their security strategy with confidence," said Hiroki Suezawa, Senior Security Engineer at Gitlab. "We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions," he continued.

The OSC&R framework will update as new tactics and techniques emerge and evolve. It will also assist red-teaming activities by helping set the scope required for a pentest or a red team exercise, serving as a scorecard both during and after the test. The framework will also now be open for other cybersecurity leaders and practitioners to contribute to OSC&R.

"I believe the OSC&R framework will help organizations reduce their attack surface," said Naor Penso, Head of Product Security at FICO. "I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise."

The OSC&R framework is now online: https://pbom.dev/

**About OX Security**

OX Security believes that security should be an integral part of the software development process, not an afterthought. Founded by Neatsun Ziv and Lior Arzi, who previously led Check Point's Security Group, OX  is the first end-to-end software supply chain security solution. OX provides DevSecOps teams with the automation, visibility, and risk insights they need to bring security and integrity to every step of the supply chain, from the earliest planning stages until deployment to production.

SOURCE Ox Security

Cybersecurity Leaders Launch First Attack Matrix for Software Supply Chain Security

The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country.
The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of

Cyber Risk / Threat Detection

The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as **Gamaredon** for its targeted cyber attacks on public authorities and critical information infrastructure in the country.

The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013.

"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns."

GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands.

The goal of the attacks is geared more towards espionage and information theft rather than sabotage, the agency noted. The SCPC also emphasized the "insistent" evolution of the group's tactics by redeveloping its malware toolset to stay under the radar, calling Gamaredon a "key cyber threat."

Attack chains commence with spear-phishing emails carrying a RAR archive that, when opened, activates a lengthy sequence comprising five intermediate stages – an LNK file, an HTA file, and three VBScript files – that eventually culminate in the delivery of a PowerShell payload.

Information pertaining to the IP address of the command-and-control (C2) servers is posted in periodically rotated Telegram channels, corroborating a report from BlackBerry late last month.

All the analyzed VBScript droppers and PowerShell scripts, per SCPC, are variants of GammaLoad and GammaSteel malware, respectively, effectively permitting the adversary to exfiltrate sensitive information.

The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed details of a new malicious campaign targeting state authorities of Ukraine and Poland.

The attacks take the form of lookalike web pages that impersonate the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police (Policja) in an attempt to trick visitors into downloading software that claims to detect infected computers.

However, upon launching the file – a Windows batch script named "Protector.bat" – it leads to the execution of a PowerShell script that's capable of capturing screenshots and harvesting files with 19 different extensions from the workstation.

CERT-UA has attributed the operation to a threat actor it calls UAC-0114, which is also known as Winter Vivern – an activity cluster that has in the past leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

Russia's invasion of Ukraine in February 2022 has been complemented by targeted phishing campaigns, destructive malware strikes, and distributed denial-of-service (DDoS) attacks.

Cybersecurity firm Trellix said it observed a 20-fold surge in email-based cyber attacks on Ukraine's public and private sectors in the third week of November 2022, attributing a majority of the messages to Gamaredon.

Other malware families prominently disseminated via these campaigns consist of Houdini RAT, FormBook, Remcos, and Andromeda, the latter of which has been repurposed by the Turla hacking crew to deploy their own malware.

"As the Ukraine-Russia war continues, the cyber attacks on Ukraine energy, government and transportation, infrastructure, financial sector etc. are going on consistently," Trellix said. "In times of such panic and unrest, the attackers aim to capitalize on the distraction and stress of the victims to successfully exploit them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Russian-Backed Gamaredon's Spyware Variants Targeting Ukrainian Authorities

Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

ESTsoft Alyac 2.5.8.645

**PRODUCT URLS**

Alyac - https://www.estsecurity.com/public/product/alyac

**CVSSv3 SCORE**

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-823 - Use of Out-of-range Pointer Offset

**DETAILS**

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

When coen.aym receives a path to the file to scan, it figures out what type of file it is and selects appropriate scanning strategy.

In the case of the crashing file, it scans using DefaultScanStrategy.

While scanning, it calls utility function esc::engine::FileTool::GetTextSectionRange(...) which like the name, tries to locate the .text section inside the scanning PE file.

It internally calls sub_1800809b0 which checks magic value MZ and locates NT header by referencing e_lfanew field in the DOS header.

    1800809ce  b84d5a0000         mov     eax, 'MZ'
    1800809d3  4c894150           mov     qword [rcx+0x50], r8
    1800809d7  48895108           mov     qword [rcx+0x8], rdx
    1800809db  663902             cmp     word [rdx], ax
    1800809de  0f8503010000       jne     0x180080ae7
    
    1800809e4  4863423c           movsxd  rax, dword [rdx+0x3c] ; e_lfanew
    1800809e8  493bc0             cmp     rax, r8    ; check with file size
    1800809eb  0f87f6000000       ja      0x180080ae7
    
    1800809f1  488d0c10           lea     rcx, [rax+rdx]        ; oob
    1800809f5  48894b10           mov     qword [rbx+0x10], rcx
    1800809f9  813950450000       cmp     dword [rcx], 'PE'
    

However, it incorrectly only checks whether e_lfanew is larger than the file size. Providing value which is same as the file size to e_lfanew will pass the check but the file will not be large enough to store NT header.

Therefore it will try to read memory out of bounds when trying to validate NT headers, crashing the malware scanning process.

**Crash Information**

    1:016> ub
    coen!Coen_Clean+0x6ca47:
    00007ff8`f9f709d7 48895108        mov     qword ptr [rcx+8],rdx
    00007ff8`f9f709db 663902          cmp     word ptr [rdx],ax
    00007ff8`f9f709de 0f8503010000    jne     coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709e4 4863423c        movsxd  rax,dword ptr [rdx+3Ch]
    00007ff8`f9f709e8 493bc0          cmp     rax,r8
    00007ff8`f9f709eb 0f87f6000000    ja      coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709f1 488d0c10        lea     rcx,[rax+rdx]
    00007ff8`f9f709f5 48894b10        mov     qword ptr [rbx+10h],rcx
    1:016> r
    rax=0000000000001000 rbx=0000004babdfdf60 rcx=000001f8c9c51000
    rdx=000001f8c9c50000 rsi=00007ff8fa266bb8 rdi=0000004babdfe1b0
    rip=00007ff8f9f709f9 rsp=0000004babdfdef0 rbp=0000004babdfe020
    r8=0000000000001000  r9=0000000000001000 r10=00007ff8fa2606c0
    r11=000001f894f3ab20 r12=0000000000000000 r13=00007ff8fa306e68
    r14=0000000000001000 r15=000001f8c9c50000
    iopl=0         nv up ei pl zr na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    coen!Coen_Clean+0x6ca69:
    00007ff8`f9f709f9 813950450000    cmp     dword ptr [rcx],4550h ds:000001f8`c9c51000=????????
    1:016> k
    Child-SP          RetAddr               Call Site
    0000004b`abdfdef0 00007ff8`f9f2fa5c     coen!Coen_Clean+0x6ca69
    0000004b`abdfdf20 00007ff8`f9f6a577     coen!Coen_Clean+0x2bacc
    0000004b`abdfe0f0 00007ff8`f9f69e96     coen!Coen_Clean+0x665e7
    0000004b`abdfe3b0 00007ff8`f9f538c4     coen!Coen_Clean+0x65f06
    0000004b`abdfe550 00007ff8`f9f09192     coen!Coen_Clean+0x4f934
    0000004b`abdfe7f0 00007ff8`f9ef5f45     coen!Coen_Clean+0x5202
    0000004b`abdfe970 00007ff8`f9f03c24     coen+0x5f45
    0000004b`abdfead0 00000001`8006f6c1     coen!Coen_ScanSharedMemory+0xc4
    0000004b`abdfeb40 00000001`800563a3     ecm!GetModuleConfigValue+0x8771
    0000004b`abdfebf0 00000001`8008bf2e     ecm+0x563a3
    0000004b`abdfedc0 00000001`800666b0     ecm!GetModuleConfigValue+0x24fde
    0000004b`abdfeea0 00007ff7`d046de9e     ecm!ScanFile+0x40
    0000004b`abdfeee0 00007ff7`d04707d0     AYCon+0x2de9e
    0000004b`abdfefc0 00007ff9`3f1c6c0c     AYCon+0x307d0
    0000004b`abdffab0 00007ff9`40c854e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
    0000004b`abdffae0 00007ff9`41cc485b     KERNEL32!BaseThreadInitThunk+0x10
    0000004b`abdffb10 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
    

**TIMELINE**

2022-12-13 - Vendor Disclosure  
2023-02-01 - Vendor Patch Release  
2023-02-02 - Public Release

Discovered by Jaewon Min of Cisco Talos.

CVE-2022-43665: TALOS-2022-1682 || Cisco Talos Intelligence Group

Categories: Threat Intelligence
Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in December 2022, and looks at why LockBit had to make a public apology



(Read more...)




The post Ransomware in December 2022 appeared first on Malwarebytes Labs.

_Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their dark web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom._

Lockbit has rebounded from its unusual fall from grace in November, snatching the title of the month's worst ransomware, back from Royal. Royal has meanwhile still shown itself as a force to be reckoned with, ranking third in number of attacks for December. 

Known ransomware attacks by gang in December 2022

Attacks by Royal may be down 35 percent from their high of 49 in November, but at the same time, there’s good reason to suspect that their attacks are becoming more targeted. 

On December 07, 2022, the Health Sector Cybersecurity Coordination Center (HC3)—an arm of the US Department of Health and Human Services (HHS)—released a threat brief about Royal after observing the group disproportionately targeting the healthcare industry. Their crowning attack for December came late in the month when they breached telecommunications company Intrado.

Known ransomware attacks by industry sector in December 2022

Known ransomware attacks by country in December 2022

In terms of progress, the two newcomers that we introduced last month, Play and Project Relic, have vastly different stories to tell. 

Project Relic has fallen off the map while Play has turned up the jets—we recorded a whopping 136 percent increase in attacks from the gang compared to November. Since our last update Play has been seen leveraging a never-before-seen exploit chain, which might be responsible for their sharp uptick in attacks. The new Microsoft Exchange attack, dubbed 'OWASSRF', chains exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks. This was the technique behind a ransomware attack on cloud computing service provider Rackspace in early December, which Play later claimed responsibility for. 

Play’s surge in activity, however, was hardly an anomaly for December. Month-on-month we saw hefty percentage-point increases in attacks across the board.

ALPHV (aka BlackCat), for example, is a ransomware gang that has consistently topped the charts in our ransomware reviews; the number of their attacks in December (33), however, is not only a 70 percent increase from November but also the highest it's been all 2022. We also saw 25 percent and 116 percent increases from BianLian and BlackBasta, respectively. These upticks are perhaps to be expected, given that attackers famously love the holiday seasons due to the reduction in security staff on deck. Only time will tell if ransomware gangs will sustain their heightened levels of activity into the New Year—or if the increase is indeed simply a gift-wrapped aberration.

**Lockbit… apologizes?**

Lockbit in December regained the throne as the biggest ransomware gang by attack volume, reversing a three-month downward trend in number of victims.

The prolific ransomware group claimed on December 12 to have stolen up to 75GB of confidential data from California’s Department of Finance, or over 246,000 files in more than 114,000 folders. Not even SickKids (a hospital for sick children) was spared from LockBit’s avarice in December. A ransomware attack using LockBit impacted the hospital's internal and corporate systems, hospital phone lines, and website.

While we’re not surprised to see a gang stoop to such lows, we don’t find many issuing apologies after the fact. Two days later LockBit apologized for the attack, which it blamed on a rogue affiliate, and released a decryptor for free. 

LockBit's operation's policy states "It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed."

Of course the apology doesn't turn LockBit in to some kind of Robin Hood. Its business model is to inflict so much harm that people are willing to pay a fortune to make it stop.

**New ransomware gangs****Unsafe**

In December, we saw a group emerge that makes its cash by riding on the coattails of real ransomware gangs. 

The new player, Unsafe, seems to recycle leaks from other ransomware groups. Unsafe provides security blogs for cybercriminals to post victims and leaked data as well as consultation services for a fee. It currently lists eight victims. 

**Endurance**

We call them ransomware _gangs_ for a reason: These are groups of cybercriminals working together in a hierarchical organization. Rarely do we ever see lone wolf attacks, and if we do it’s even more unusual for them to make as big of a splash in so short of a time as Endurance has.

This cybercriminal, known on dark web forums as IntelBroker, tends to make individual posts about data on sale.

In less than 30 days since its inception, Endurance appears to have successfully infiltrated some big corporations and breached several US government entities. After posting some high-value victims, Endurance has removed them from its dark web site, which is "undergoing development".

Tag

#microsoft