The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.

Rackspace has completed its forensic investigation into the Dec. 2 ransomware attack that took down its Hosted Exchange Email service and announced that it will discontinue that offering and transition it to cloud-based Microsoft 365.

The company said it has no plans to rebuild the hosted Exchange server environment, which has been down since the attack, and that it already had been on track to migrate to 365 before the ransomware incident.

Rackspace had decided not to apply Microsoft's ProxyNotShell patch to its Exchange Servers amid concerns over reports that the software update caused "authentication errors" that the company feared could take down its servers. Instead, it stuck with Microsoft's recommended mitigations for the vulnerabilities to thwart a ProxyNotShell attack.

That strategy fell apart, as the Play ransomware group was able to bypass Microsoft's mitigations with a new exploit abusing the CVE-2022-41080 vulnerability that breached Rackspace's Hosted Exchange systems. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable," Rackspace noted in a post today.

**Play Stole Data from 27 Rackspace Customers**

According to the managed cloud hosting services company, the attackers grabbed the Personal Storage Tables (PSTs) of 27 of its around 30,000 Hosted Exchange customers, but there is no evidence the Play hackers ever viewed or distributed the pilfered information. "Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor," the company said.

"As a reminder, no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident," Rackspace asserted.

Meanwhile, the email data recovery efforts remain underway for its Hosted Exchange customers. "As of today, more than half of impacted customers have some or all of their data available to them for download. However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data," Rackspace said. The company also will offer an on-demand option for customers who want to download their data.

Rackspace said it's contacting customers for which it has recovered more than half of their mailboxes; their recovered data is available via its customer portal. "To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page (https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources) and see if your mailbox is ready to download," the company said in its post, which provides additional resources as well.

Rackspace Sunsets Email Service Downed in Ransomware Attack

Encrypting data while in use, not just in transit and at rest, closes one more avenue of cyberattack.

Digital transformation initiatives, spurred by COVID-19, are helping companies scale new heights in efficiency and productivity. However, they have also highlighted to enterprise leaders the need for tighter cybersecurity measures — especially as attackers continue to ride the wave of new technologies to launch sophisticated attacks. The number of records exposed in data breaches consistently went up throughout 2022 — 3.33 million records in the first quarter of 2022, 5.54 million records in the second quarter, and 14.78 million records in the third quarter — according to data from Statista.

Organizations face various challenges as they grapple with managing and securing the explosion of data created, in part, by remote environments. This, coupled with the lack of visibility across dispersed networks and growing migration to the cloud, has increased the risk of attacks across multiple industries, including healthcare, financial services, and decentralized finance (DeFi).

Confidential computing segregates data and code from the host computer's system and makes it harder for unauthorized third parties to access the data. The way that confidential computing protects sensitive data could smooth the way for increased cloud adoption in highly regulated sectors such as finance and healthcare, according to Gartner.

As more organizations handle large volumes of data, ushering in a greater need for privacy and data security, confidential computing is poised to close that security gap by ensuring data remains confidential at all times — while at rest, in transit, and in use.

**A Different Approach to Cybersecurity**

Most encryption schemes focus on protecting while at rest, or while in transit. Confidential computing protects data while in use — by allowing data to remain encrypted even as it’s being processed and used in applications. The market for confidential computing is expected to grow up to $54 billion by 2026, according to a report by Everest Group.

"Everybody wants to continue to reduce the attack surface of data. Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level," said Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations, in a previous article on Dark Reading.

Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer, also noted in the article that confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models.

The hardware element of confidential computing makes it uniquely secure, says Jay Harel, VP of product at Opaque Systems. "A hacker must literally crack the CPU open and tap into the silicon die in order to steal any confidential data," Harel says. "Most data breaches happen remotely, over the Internet. Confidential computing requires physical access to the hardware, making a breach much less likely."

Cloud vendors Microsoft Azure and Google Cloud make confidential computing available through CPUs from Intel and AMD, while Amazon AWS uses its own Nitro technology. "I wouldn't say that the hardware is fully mainstream yet, as most compute resources offered by these vendors still don't have confidential computing capabilities," Harel notes.

As Noam Dror, senior vice president of solution engineering at Hub Security, puts it, "Today, when hackers get past standard security controls, they can access data in use which is totally exposed and unencrypted. Existing cybersecurity measures have a hard time dealing with these issues. This is where confidential computing comes in, providing comprehensive cyber protection across all levels. These most sensitive data must be protected leveraging confidential computing because the computing environment will always be vulnerable."

**Helps Industries Share Data Securely**

The confidential computing approach to cybersecurity offers several advantages, particularly in sectors where client or patient data is highly sensitive and regulated — like the healthcare sector, for example. In such sectors, confidential computing can enable secure multiparty training of AI for different purposes and ensure data privacy.

Cloud security company Fortanix says that financial services in particular should invest in confidential computing, for several reasons: it involves masses of personally identifiable information (PII), it is heavily regulated, its monetary value attracts attention from cyber criminals, and "it's an industry that hasn't figured out a secure way to share valuable data among each other that can be used to detect fraud or money laundering," a Fortanix spokesperson says. Fortanix adds it is also seeing interest in confidential computing from industries with similar characteristics, such as healthcare enterprises and government entities.

"Confidential computing reduces the trusted computing base to the minimum. It takes the trust away from configuration files, and secrets and passwords managed by humans, which can be error-prone. The trust circle is reduced to the CPU, and the application, and everything in between — the operating system, the network, the administrators, can be removed from that trust circle. Confidential computing gets closest to achieving zero trust when establishing communication between app-to-app or machine-to-machine," Fortanix says.

**Complete Control Over Data**

Today's protective solutions are insufficient and leave critical data exposed. Cloud providers AMD, Intel, Google Cloud, Microsoft Azure, Amazon Web Services, Red Hat, and IBM have already deployed confidential computing offerings. A growing number of cybersecurity companies, including Fortinet, Anjuna Security, Gradient Flow, and Hub Security, are also providing such solutions.

Harel says, "Confidential computing is a natural addition to their security arsenal, allowing them to evolve their breach defense and take it to the next level. It allows them to finally protect data in use, after spending decades and billions of dollars protecting data at rest and in transit."

Nataraj Nagaratnam, IBM distinguished engineer and CTO for cloud security, believes that confidential computing is a game-changer, especially because it gives customers complete control of their data. "Confidential computing primarily aims to provide greater assurance to companies that their data in the cloud is protected and confidential. It encourages companies to move more of their sensitive data and computing workloads to public cloud services," he notes.

How Confidential Computing Can Change Cybersecurity

New platform features and integrations enable analysts to quickly detect and remediate threats.

**Broomfield, Colo. — January 05, 2023 —** LogRhythm, the company empowering security teams to navigate the ever-changing threat landscape with confidence, today announced a series of expanded capabilities and integrations for its security operations solutions. The updates propel LogRhythm’s ability to be a much-needed force multiplier for overwhelmed security teams who are expected to confidently, effectively, and efficiently defend against cyberattacks.  

Following the October launch of LogRhythm Axon, a groundbreaking, cloud-native security operations platform, the company is introducing new visualizations and powerful analytics that offer seamless visibility into potential security risks. Designed to streamline the experience of security analysts, Axon and its latest updates make it easier for teams to detect, investigate, and report on potential threats, reducing the burden of managing threats and the operating infrastructure.  

“On a daily basis, we strive to empower lean and overburdened security teams with the most intuitive experience and contextual analytics,” said Chris O’Malley, CEO of LogRhythm. “By continuously working to fulfill that mission and deliver innovation that matters to customers every quarter, we are delivering on our promise of helping customers quickly reduce noise and secure their environment so that they can concentrate on safely competing in the digital age where fast beats slow.”  

“Axon has already given our team the tools to effectively analyze our environment and improve our security posture,” said Eric L., Network Engineer at global manufacturing company. “Data collection and correlation to detect threats and respond can be time consuming. Axon gives us an intuitive interface to perform complex searches on data to filter in what really matters. We cannot wait to use the powerful analytics tools that will quickly surface threats.” 

This quarter’s enhancements span LogRhythm’s product portfolio to collectively enable SOC teams to detect and resolve threats more easily, improving analyst productivity and effectiveness. Additional enhancements and integrations with LogRhythm’s Axon, SIEM, NDR, and UEBA solutions released in this quarterly rollout include: 

LogRhythm Axon 

·New custom and out-of-the box analytics rules, including rules for MITRE ATT&CK detections 

·New markdown widget and histogram widget cuts down on time spent searching for data 

·Easily investigate log observations raised by analytics through the Observation Workflow 

LogRhythm SIEM 

·Improved administrative workflow for collection shortens time to configure, deploy, and manage log sources that require Open Collector 

·Enhanced audit logging makes it easier to monitor suspicious activity and track when users make important changes 

·Updated and expanded LogRhythm’s library of supported log sources 

LogRhythm UEBA 

·New detection models for Windows systems to quickly uncover hard to detect threats 

LogRhythm NDR 

·Improved blind spot detection and endpoint visibility through integration with Microsoft EDR  

·Easily ingest data from VirusTotal with new configuration page 

·Improved analyst experience with expanded UI improvements 

“This quarter, we are especially excited about the number of groundbreaking and enhanced capabilities coming to our market-leading solutions,” said Kish Dill, Chief Product and Customer Officer of LogRhythm. “These enhancements and integrations have been curated with the goal of simplifying the lives of security analysts and enabling them to detect threats faster through seamless visibility, enhanced collection, and an intuitive analyst experience.” 

To learn more about LogRhythm’s offerings, please visit: https://logrhythm.com. 

**About LogRhythm** 

LogRhythm helps busy and lean security operations teams save the day — day after day. There’s a lot riding on the shoulders of security professionals — the reputation and success of their company, the safety of citizens and organizations across the globe, the security of critical resources — the weight of protecting the world.   

LogRhythm helps lighten this load. The company is on the frontlines defending against many of the world’s most significant cyberattacks and empowers security teams to navigate an ever-changing threat landscape with confidence. As allies in the fight, LogRhythm combines a comprehensive and flexible security operations platform, technology partnerships, and advisory services to help SOC teams close the gaps. Together, LogRhythm and our customers are ready to defend. Learn more at logrhythm.com.

LogRhythm Enhances Security Analytics With Expanded Security Operations Capabilities

**DALLAS****,** **Jan. 5, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has established CTOne, a new Trend Micro subsidiary focused on advancing 5G network security and beyond. The group's intellectual capital and leadership come from Trend Micro's culture of innovation and is the latest incubation project to launch as a standalone business.

_To learn more about CTOne's private 5G network solutions, please visit:_ https://www.ctone.com

Eva Chen**, CEO of Trend Micro:** "Trend Micro has been at the forefront of network transformations for over three decades. The 5G network technology has enabled new capabilities and applications requiring new cybersecurity infrastructure. With our foresight and over six years of dedicated research into network technology, we are confident that CTOne will safeguard organizations in all 5G network environments."

Organizations need to integrate resources to combat emerging threats in the private 5G networks more effectively. By pre-deploying a security net, CTOne strengthens the digital resilience of vertical application fields and provides security for landing applications in private 5G network environments and achieving comprehensive protection from network to endpoint.

Low latency, large bandwidth, and high-density capabilities have accelerated many organizations to adopt private 5G networks. According to a Grand View Research report\*, the global private 5G network market size was valued at USD 1.38 billion in 2021 and is expected to expand at a compound annual growth rate of 49% in the next year. Private 5G networks are usually considered the most secure wireless communications standard. However, with the widely used Open Radio Access (O-RAN) structure, the proliferation of cloud networks, open-source software, and the variety of IoT devices, the 5G environment faces more cyber threats than ever.

Jason Huang**, CEO of CTOne:** "Safety today doesn't guarantee Safety tomorrow. While the communications technology market is booming, business operations are facing exposure to more complex risks. CTOne enables enterprises to secure private 5G networks against potential cyberattacks and build a high-quality industrial application ecosystem. In the future, we will collaborate with partners to maximize the advantages of private 5G with comprehensive security solutions."

In addition to private 5G network end-to-end security solutions, CTOne is also developing O-RAN and edge computing security solutions to assist enterprises in mitigating cyber risk when deploying related technologies.

\* Private 5G Network Market Size, Share & Trends Analysis Report By Component (Hardware, Software, Services), By Frequency (Sub-6 GHz, mmWave), By Spectrum, By Vertical, By Region, And Segment Forecasts, 2022 – 2030, Grand View Research

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.trendmicro.com.

**About CTOne**

CTOne, a global cybersecurity leader in communication technology, offers enterprise cybersecurity solutions for next-generation wireless networks. A subsidiary of Trend Micro, CTOne enables digital transformation and strengthens the resilience of communication technology. https://www.ctone.com

SOURCE Trend Micro Incorporated

Trend Micro Announces New Subsidiary for 5G Cybersecurity

The notorious information-stealer known as Vidar is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server.
"When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a

The notorious information-stealer known as **Vidar** is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server.

"When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a technical analysis published late last month. "Threat actors write identifying characters and the C2 address in parts of this page."

In other words, the technique relies on actor-controlled throwaway accounts created on social media to retrieve the C2 address.

An advantage to this approach is that should the C2 server be taken down or blocked, the adversary can trivially get around the restrictions by setting up a new server and editing the account pages to allow the previously distributed malware to communicate with the server.

Vidar, first identified in 2018, is a commercial off-the-shelf malware that's capable of harvesting a wide range of information from compromised hosts. It typically relies on delivery mechanisms like phishing emails and cracked software for propagation.

"After information collection is complete, the extorted information is compressed into a ZIP file, encoded in Base64, and transmitted to the C2 server," ASEC researchers said.

What's new in the latest version of the malware (version 56.1) is that the gathered data is encoded prior to exfiltration, a change from the previous variants that have been known to send the compressed file data in plaintext format.

"As Vidar uses famous platforms as the intermediary C2, it has a long lifespan," the researchers said. "A threat actor's account created six months ago is still being maintained and continuously updated."

The development comes amid recent findings that the malware is being distributed using a variety of methods, including malicious Google Ads and a malware loader dubbed Bumblebee, the latter of which is attributed to a threat actor tracked as Exotic Lily and Projector Libra.

Risk consulting firm Kroll, in an analysis published last month, said it discovered an ad for the GIMP open source image editor that, when clicked from the Google search result, redirected the victim to a typosquatted domain hosting the Vidar malware.

If anything, the evolution of malware delivery methods in the threat landscape is in part a response to Microsoft's decision to block macros by default in Office files downloaded from the internet since July 2022.

This has led to an increase in the abuse of alternative file formats like ISO, VHD, SVG, and XLL in email attachments to bypass Mark of the Web (MotW) protections and evade anti-malware scanning measures.

"Disk image files can bypass the MotW feature because when the files inside them are extracted or mounted, MotW is not inherited to the files," ASEC researchers said, detailing a Qakbot campaign that leverages a combination of HTML smuggling and VHD file to launch the malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media

The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.

Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.

"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," Karen O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

CVE-2022-41080 is a bug that Microsoft patched in November. 

An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused "authentication errors" that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft's recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.

Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was employing a new technique to trigger the next-stage ProxyNotShell RCE flaw known as CVE-2022-41082 using CVE-2022-41080. CrowdStrike's post did not name Rackspace at the time, but the company's external advisor tells Dark Reading that the research about Play's mitigation bypass method was the result of CrowdStrike's investigation into the attack on the hosting services provider.

Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.   

Patching is the answer if you can do it," the external advisor says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with risk of taking down its servers. "They evaluated, considered and weighed \[the risk\] they knew about" at that time, the external advisor says. The company still hasn't applied the patch since the servers remain down. 

A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Raspberry Robin Worm Hatches a Highly Complex Upgrade

Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.
"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.
The intrusions, observed against

Post-Exploitation / Malware

Financial and insurance sectors in Europe have been targeted by the **Raspberry Robin** worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.

The intrusions, observed against Spanish and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.

Raspberry Robin, also called QNAP worm, is being used by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors.

Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856.

Security Joes' forensic investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim's browser via social engineering and contains an MSI installer file designed to drop multiple modules.

In another instance, a ZIP file is said to have been downloaded by the victim through a fraudulent ad hosted on a domain that's known to distribute adware.

The archive file, stored in a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader that's protected with numerous layers of obfuscation and encryption to evade detection.

The shellcode downloader is primarily engineered to fetch additional executables, but it has also seen significant upgrades that enables it to profile its victims to deliver appropriate payloads, in some cases even resorting to a form of trickery by serving fake malware.

This involves collecting the host's Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes that have elapsed since system startup, along with the hostname and username information that was gathered by older versions of the malware.

The reconnaissance data is then encrypted using a hard-coded key and transmitted to a command-and-control (C2) server, which responds back with a Windows binary that's then executed on the machine.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plaintext username and hostname, now has a robust RC4 encrypted payload," threat researcher Felipe Duarte said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe

In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

Summary

Certain browsers can bypass authentication and redirect to the redirect url provided without any validation (CVE-2022-3614)

Advisory Number

2022-26

Discovery Date

05 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

22 Dec 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Low

CVE ID

CVE-2022-3614

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10863 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a low rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

The versions of Octopus Server affected by this vulnerability are:

*   All 3.x versions after 3.5.1
*   All 4.x versions
*   All 2018.x, 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x and 2022.2.x versions
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8063

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.3.10750
*   2022.4.8063

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10863). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10863):**

If you have feature version...

...then upgrade to this version

3.5 and greater

2022.3.10750 or greater

4.x, 2018.x, 2019.x, 2020.x, 2021.x

2022.3.10750 or greater

2022.1.x, 2022.2.x

2022.3.10750 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8063 or greater

**Mitigation**

There is no known mitigation for CVE-2022-3614, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was reported by an Octopus Deploy customer.

CVE-2022-3614: Security Advisory 2022-26

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

Summary

Certain types of sensitive variables may be displayed as plain text in variable preview (CVE-2022-3460)

Advisory Number

2022-25

Discovery Date

10 Oct 2022

Patch Release Date

14 Nov 2022

Advisory Release Date

21 Dec 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-3460

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10863 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

The versions of Octopus Server affected by this vulnerability are:

*   All 2018.x versions after 2018.3
*   All 2019.x, 2020.x and 2021.x versions
*   All 2022.1.x versions
*   All 2022.2.x versions before 2022.2.8552
*   All 2022.3.x versions before 2022.3.10750
*   All 2022.4.x versions before 2022.4.8221

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.2.8552
*   2022.3.10750
*   2022.4.8221

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10863). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10863):**

If you have feature version...

...then upgrade to this version

2018.3 and greater

2022.2.8552 or greater

2019.x, 2020.x, 2021.x and 2022.1.x

2022.2.8552 or greater

2022.2.x

2022.2.8552 or greater

2022.3.x

2022.3.10750 or greater

2022.4.x

2022.4.8221 or greater

**Mitigation**

There is no known mitigation for CVE-2022-3460, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was reported by an Octopus Deploy customer.

Tag

#microsoft