A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2022-21385

By Deeba Ahmed
HelloTalk, GoogleClassroom, ClassDojo, and Duolingo turned out to be the top 3 educational apps that collect the most user data from Android devices.
This is a post from HackRead.com Read the original post: What Are the Top 10 Android Educational Apps That Collect Most User Data?

It’s an open secret that app vendors regularly collect user data, including sensitive information. However, when this happens with educational apps, this becomes an issue of grave concern. That’s because the users of educational apps are primarily children and minors.

**Which Apps were Analyzed?**

In its newly published study, Atlas VPN examined privacy-based educational apps to evaluate how much user data they collected. Researchers found that 92% of Android educational apps collected user data.

Researchers assessed the profiles of fifty common **Android apps on Google Play** that fell into the education category. They analyzed all educational apps, including virtual classroom apps, language, and musical instrument learning apps, study help, online course apps, book reading apps, and educational games.

**How were Apps Ranked?**

The researchers based their ranking on the number of user information segments each of the apps collected and picked the apps that were ranked higher in the Android app charts for 2022. Such as Similar Web and Sensor Tower.

For your information, a segment could be any data point like payment method, phone number, name, or **location**, which is categorized under broader data types such as financial, geo-location, or personal information.

**Topmost Privacy-Invasive Apps**

Language learning application HelloTalk and Google’s e-learning platform Google Classroom topped the chart for being highly privacy-invasive apps. These apps collected user data across 24 segments and eleven data types.

Learning language app Duolingo and a communication app ClassDojo ranked second on the list for collecting user data from 18 segments.

Third on the list was the online subscription platform MasterClass, which collected data from 17 segments. The interactive learning forum Seesaw was the fourth most invasive app, with data collected from 15 segments.

Learning management app Canvas Student was at number five, Remind education communication app was sixth, children’s digital app ABCmouse was seven, and Brainly app was eight. All these apps collected user information from 14 segments.

**What Info is Collected?**

Most apps collected personal information (almost 90% of the collected data), including name, address, email, phone, user ID, etc. The individual device, app, or browser identifiers information was next in the line (88%), and app info and performance such as diagnostics and crash logs were also collected (86%).

These apps also collected in-app search history as well as information on other apps installed on the device (78%), images and videos (42%), user payment data, and other financial information (40%).

Around 36% of the apps collected location data. 30% collected audio, and 30% collected message information. About 16% collected files data, 6% obtained calendar and contacts info, 2% collected health and fitness data, and 2% extracted web browsing activities information.

According to AtlasVPN’s **report**, 70% of these apps shared user data with third parties, and just two out of all apps examined didn’t collect any user data.

**How to Protect the Privacy of Android Users?**

As we use our phones for more and more activities, it can be easy to forget that apps are collecting data about us. Android apps are particularly good at collecting data, which can be used for everything from **targeted advertising to selling your information** to the highest bidder. But there are some things you can do to stop android apps from collecting data.

First, you can adjust your privacy settings on your phone. By going into the settings menu and selecting “privacy,” you can disable certain permissions that allow apps to access your location, contacts, and other personal information.

You can also choose to only download apps from trusted sources, like the Google Play Store. While there are some great independent app stores out there, they don’t have the same level of security and vetting as Google does. So if you’re worried about privacy, stick to the Play Store.

1.  **Revealed: The 200 Most used and Worst Passwords of 2021**
2.  **Google, Microsoft and Oracle generated most vulnerabilities in 2021**
3.  **Microsoft Office Most Exploited Software in Malware Attacks – Report**
4.  **VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware**
5.  **US and China Exposed Most Databases Among 308k Discovered in 2021**

What Are the Top 10 Android Educational Apps That Collect Most User Data?

DevSecOps can help overcome inheritance mentality, especially in low- and no-code environments.

By 2025, total global data creation will reach 181 zettabytes. For enterprises, that data is an asset, allowing them to leverage a variety of technology platforms to create highly personalized customer experiences that engender loyalty and attract new business. However, these experiences are dependent on cloud infrastructures using shared security modes. That's where the risk lies, and it's increasing as technology grows to incorporate a new army of citizen developers using low-code and no-code platforms.

**Understanding and Overcoming the Inheritance Mindset **

Gartner estimates that by 2025, 70% of enterprise applications will be built from low-code and no-code platforms such as Salesforce and ServiceNow. Responding with an inheritance-based mindset is a sure way to set more than two-thirds of enterprise apps up for failure.   

"Inheritance mindset" is an apt descriptor for the problems plaguing infrastructure. It brings to mind a rich, spoiled children who are entirely dependent on the work done and people who came before them. That’s not a good way to build a legacy, and it's an equally bad way to build a system.

When you have a legacy mindset, you assume that the infrastructure is set. The platform is safe, and the security is built in. Trust is assumed simply because the technology was there before the administrator.

That inheritance mindset plagues low-code and no-code platforms. Users rely on the safety of a platform to carry them through an entire enterprise infrastructure. Instead, the security of that platform should apply only to that platform.

Let's say Salesforce developers create an automated assignment program for new leads. They use it within Salesforce for internal assignments, and it's fine. They can rely on the safety of the platform. They decide to expand it to improve automation. They connect that program to an external-facing CRM like ServiceNow, SAP, or Oracle. The inheritance mindset takes over: Salesforce is safe. ServiceNow, SAP or the third-party is safe.

So, Salesforce + third party = safe.

But, there's a great deal of unknown in that plus sign. How do you safely and compliantly connect the internal program created in Salesforce to the external program created in the third-party platform? There is a lot of room for error in that single character.  

And that’s only one connection. Many programs created in Salesforce touch hundreds of others. That’s hundreds of unknowns being treated like the plus sign described above by people who have little to no development experience.  

The only solution is to take that development back down to earth with a return to DevSecOps principles.

**Establishing the DevSecOps Framework **

DevSecOps frameworks have been written, rewritten, and written again since the concept was created. There’s no need to reinvent the wheel when establishing them, especially when SAFECode and the Cloud Security Alliance has built six pillars:

1.  **Collective responsibility:** Security is the responsibility of every person in the enterprise —but people can’t meet standards they don’t know. Leads should be assigned to drive cybersecurity policy and ensure it is disseminated across the enterprise.  
2.  **Collaboration and integration:** Knowledge must be shared and transferred. Half the reason that enterprises fall into the legacy mindset is that everyone who knew the old system is gone. Continuous knowledge sharing helps eliminate this issue.
3.  **Pragmatic implementation:** Pragmatic implementation ties into the developer experience. Processes that are difficult, mundane, and unwieldy are not followed for long. Security should be baked into development practices — that is, every line of code requires a line of test. A high-performing enterprise would take that further by using a tool to automate each line of test code.
4.  **Compliance and development:** Compliance requirements should guide the development process in a way that does not allow developers to deviate from them. A developer for a financial institution, for example, would work on a platform that is designed to be compliant with the Gramm-Leach-Bliley Act. The developer does not have to know the individual ins and outs of the act to be compliant because they are built into the platform.  
5.  **Automation:** Tasks that are predictable, repeatable, and high volume should be automated whenever possible to remove the burden from developers and reduce the risk of human error.
6.  **Monitor:** Modern cloud infrastructures change and grow. It’s vital to keep track of it — ideally, through some form of orchestration that allows an at-a-glance view of all the various interconnections.

In a low- or no-code environment, these pillars are not as straightforward as one would expect. The people using these tools are often business experts with little familiarity with DevSecOps fundamentals.

**Bringing Together People, Processes, and Technology**

The use of low-code and no-code platforms can actually help close this skills gap. Employees want to learn new skills. Enterprises can support that by establishing a DevSecOps framework focusing on people, processes, and technology. 

*   **Processes:** In a zero-trust environment, low-code and no-code developers don’t have to worry about making connections that endanger system integrity because they are incapable of doing so. They have no baseline authority outside of their isolated system.  
*   **People:** A culture of accountability is different from a culture of blame. Accountability means that individuals feel comfortable coming forward with a problem or mistake because the focus is on the issue, not the person.
*   **Technology:** Technology is the single biggest barrier to proper implementation of DevSecOps principles because it is out of the developers' hands. They must use what the organization gives them. If that technology doesn’t work, developers will come up with workarounds that are neither secure nor safe. Essentially, the technology becomes one big shadow IT generator.

We live in an exciting time for development. More and more people have the opportunity to build software, test strategies, and improve business value. But with that comes risk. Enterprises that look at ways to offload that risk onto technology will keep their development down to earth while leaving room to explore.

How DevSecOps Empowers Citizen Developers

OpenSSF welcomes Capital One as a premier member affirming its commitment to strengthening the open source software supply chain.

**SAN FRANCISCO, Aug. 24, 2022** — Capital One joins the Open Source Security Foundation (OpenSSF) as a premier member, affirming its commitment to strengthening the open source software supply chain. OpenSSF is a cross-industry organization hosted at the Linux Foundation, designed to inspire and enable the community to secure the open source software we all depend on, including development, testing, fundraising, infrastructure, and support initiatives.

Capital One joins the OpenSSF Governing Board in charge of leading the organization and providing strategic direction. “We are happy to welcome Capital One to the Open Source Security Foundation,” says Brian Behlendorf, General Manager of OpenSSF. “As a highly regulated company that has invested in technology, Capital One has experience building the governance structure, modern architecture and collaborative culture that is critical for well-managed open source software delivery. By joining the OpenSSF, Capital One is demonstrating a serious commitment to secure open source software that benefits our entire ecosystem.”

As one of the nation’s leading digital banks, technology is central to Capital One’s business strategy and how value is delivered to more than 100 million customers. The company began a technology transformation over a decade ago, which included an open source-first declaration in 2015. A modern architecture in the cloud is allowing Capital One to take advantage of the world’s innovations and accelerate delivery by committing to a collaborative software-building approach among the open source community.

“Today some of the most ground-breaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world’s technology leaders as we collaborate to strengthen the software security supply chain,” said Chris Nims, EVP of Cloud & Productivity Engineering at Capital One. “As a highly-regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community.”

Earlier this year, the OpenSSF unveiled a 10-point plan at the Open Source Security Summit hosted in conjunction with the White House in May. The plan feeds into 10 different workstreams, like finding ways to reduce patching response times for open source software, developing new metrics to track code and components, moving the industry away from non-memory safe programming languages that make it difficult to find and fix vulnerabilities, establishing a framework for incident response teams that can be deployed across the open source community and conducting annual third-party reviews of the top 200 most critical open source security components.

More recently, the OpenSSF hosted a Town Hall especially for open source software maintainers, contributors, software developers, and open source software users who know security is important, but haven’t made the leap to join an OpenSSF Working Group or Project yet. On Tuesday, Sept. 13, they will be hosting an OpenSSF Day EU at the Open Source Summit Europe in Dublin, Ireland, and online.

Capital One joins other OpenSSF premier members 1Password, AWS, Atlassian, Cisco, Citi, Coinbase, Dell Technologies, Ericsson, Fidelity, GitHub, Google, Huawei, Intel, IBM, JFrog, JPMorgan Chase, Meta, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, Sonatype, VMware, and Wipro.

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Capital One Joins Open Source Security Foundation

By Deeba Ahmed
Microsoft has warned that the new post-compromise backdoor MagicWeb lets hackers "authenticate as anyone."
This is a post from HackRead.com Read the original post: SolarWinds Hackers Using New Post-Exploitation Backdoor ‘MagicWeb’

Russian cyberespionage group APT29, responsible for the devastating **SolarWinds supply chain attacks** in 2020, is back in the news. In a technical report published by Microsoft, the APT29 cyberspies have acquired authentication bypass of a new post-exploitation tactic. Microsoft previously tracked the actors as Nobelium (**a**), Cozy Bear (**b**), and the Dukes (**C**).

**Findings Details**

Microsoft wrote in its report that the hackers are targeting corporate networks with a new authentication bypassing technique, which Microsoft has dubbed MagicWeb.

MagicWeb was discovered by Microsoft’s MSTIC, Microsoft 365 Defender Research, and Microsoft Detection and Response Team (DART) on a client’s systems. This highly sophisticated capability lets the hackers strengthen their control of the targeted networks even after defenders try to eject them.

It is worth noting that the hackers aren’t relying on **supply chain attacks** this time. Instead, they are abusing admin credentials to deploy MagicWeb. It is a backdoor that secretly adds enhanced access capabilities so that the attacker can perform a variety of exploits apart from stealing data.

For instance, the attackers can sign in to the device’s Active Director as any user. Many other security firms have identified sophisticated tools, including backdoors, used by **SolarWinds’ hackers**, out of which MagicWeb is the latest identified and reviewed by Microsoft.

**More Russian Hackers Topics**

1.  **Top US Federal Agencies Hacked by Russian Hackers – Report**
2.  **Russian hackers targeted 40 agencies including US Nuclear Agency**
3.  **Russian hackers sent death threats to US army wives posing as ISIS**
4.  **Russian Hackers Control Malware via Britney Spears Instagram Posts**
5.  **DDoS App Meant to Hit Russia Infected Android Phones of Ukrainians**

**What is MagicWeb – How is it Used in Attacks?**

Microsoft noted that MagicWeb is a “malicious DLL,” which enables the attacker to manipulate the tokens generated by the **AD FS** (Active Directory Federated Services) on-premises server and manipulate the user authentication certificates used primarily for authentication.

> “This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing the malware to be loaded by AD FS instead of the legitimate binary.”
> 
> Microsoft

Regarding how it bypasses authentication, Microsoft wrote its **report** that it passes a non-standard Enhanced Key Usage OID, which is hardcoded in MagicWeb during an authentication request sent for a specific User Principal Name.

When this OID is encountered, the MagicWeb malware enables authentication requests for bypassing standard AD FS processes, including MFA checks, and validates the user’s claims.

Image: Microsoft

In their recent attacks, nobelium used highly privileged credentials to gain initial access and later obtained administrative privileges to the AD FS system. The final step is the deployment of MagicWeb.

**About Nobelium**

Research conducted by cybersecurity experts in the UK and USA **reveals that** Nobelium threat actors are linked with the Russian Foreign Intelligence Service’s hacking unit and have been involved in numerous high-profile supply chain attacks.

They made headlines after compromising SolarWinds’ software development system in late 2020, in which they **compromised 250 companies** and around 18,000 targets. This included US agencies and technology sector firms.

The same group is believed to be involved in the **cyber attack against the DNC** (Democratic National Committee) in 2016. Microsoft claims that the group is highly active. The company found an info-stealing malware deployed by Nobelium in July on one of the company’s support agents’ PCs. It was then used for targeting other devices.

**More Microsoft Security News**

1.  **Hackers are using Microsoft Teams chat to spread malware**
2.  **Microsoft Office Most Exploited Software in Malware Attacks**
3.  **Microsoft bars Tutanota users from registering MS Teams accounts**
4.  **Google, Microsoft and Oracle generated most vulnerabilities in 2021**
5.  **Microsoft Azure customer hit by largest ever 3.47 Tbps DDoS attack**

SolarWinds Hackers Using New Post-Exploitation Backdoor ‘MagicWeb’

The Forte Group, which gained momentum as an informal organization during the pandemic, will offer career development and advocacy for women execs in cybersecurity as well as newcomers.

At the start of the pandemic two years ago, a group of high-level female cybersecurity executives informally began meeting remotely to share ideas, expertise, and professional support. That group of women execs — now with 90 members — today launched as a nonprofit called The Forte Group to officially offer career assistance, advocacy, mentoring, and educational programs for women in the infosec and technology fields.

The Forte Group includes CISOs from large enterprises such as Johnson & Johnson and Wayfair, and leaders from technology giants like Microsoft, as well as cybersecurity business leaders. 

What started as an "offset" in the pandemic grew into a community, says Didi Dayton, chair and president of the newly formed Forte board.

"The opportunity for cybersecurity practitioners to connect regularly with peers has bolstered that community, and we have seen an evolving network effect by members amplifying: sharing speaking opportunities, surfacing hot topics \[such as\] emerging tech, ransomware, hiring strategies, celebrating personal and professional wins, and finding peer mentors and a social network to have meaningful connections with," Dayton explains.

**"When Things Get Tough"**

The virtual forum that the Forte Group initially created provided a way for them to efficiently meet and collaborate on specific topics as well, she says. "Forte members share ideas and resources, and ground one another when things get tough — which for our CISOs is often, unfortunately," she says. For example, the group earlier this year held a town hall to share ideas and expertise on managing software bills of management (SBOMs).

"We have hosted world-renowned speakers to talk about everything from high-stakes negotiation tactics, global policy, personal branding, insurance, board prep ... to other curated topics for this audience," Dayton says.

The group's nonprofit status gives it room to raise funding for more formalized programs in career development and education for women in the industry, as well as scholarships for newcomers. "We're already in talks with corporate sponsors who align with our mission of developing and further careers for a diverse workforce in cybersecurity," says Zenobia Godschalk, vice president of The Forte Group. "In addition, some of our members are eager to contribute or redirect their speaker fees and other professional fees they receive towards Forte’s efforts."

**Other Groups**

Of course, The Forte Group is not the only organization for women in cybersecurity. Groups such as the Executive Women's Forum, Women in CyberSecurity (WiCys), the Diana Initiative, Women's Society of Cyberjutsu (WSC), and others have been active for several years. But Godschalk says the new nonprofit will provide yet another resource for women in cybersecurity. 

"We know there is a lot of overlap in our membership with other groups in this space, and that's a wonderful thing," she says. "While some focus on just career development, and others focus on just privacy, for example, we believe there's room and need for a welcoming umbrella where women in this industry can find a resource for just about anything they're up against in their careers — whether that's how to negotiate an equity offer for comp or investment, how to navigate ransomware best practices, or how to join your first board."

In addition to Dayton and Godschalk, The Forte Group's board of directors includes Flora Garcia (secretary), global privacy and data protection office leader at Wayfair; Caroline Wong (treasurer), chief strategy officer at Cobalt; Swathi Joshi (member), vice president of SaaS cloud security at Oracle; Yael Nagler, Office of the CISO at Yass Partners; and Chenxi Wang (member), managing general partner at Rain Capital.

The Forte Group's roots date back to the so-called "Equal Respect" movement at the RSA Conference in 2014. Other members of The Forte Group include Aanchal Gupta, corporate vice president of Azure and M365 Security at Microsoft; Marene Allison, CISO of J&J; and Marnie Wilking, CISO at Wayfair.

Senior-Level Women Leaders in Cybersecurity Form New Nonprofit

A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat from this vulnerability is to system availability.

Permalink

Browse files

crypto: ccp - fix resource leaks in ccp\_run\_aes\_gcm\_cmd()

There are three bugs in this code:

1) If we ccp\_init\_data() fails for &src then we need to free aad.
   Use goto e\_aad instead of goto e\_ctx.
2) The label to free the &final\_wa was named incorrectly as "e\_tag" but
   it should have been "e\_final\_wa".  One error path leaked &final\_wa.
3) The &tag was leaked on one error path.  In that case, I added a free
   before the goto because the resource was local to that block.

Fixes: 36cf515 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
Reported-by: "minihanshen(沈明航)" <minihanshen@tencent.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: John Allen <john.allen@amd.com>
Tested-by: John Allen <john.allen@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

*   Loading branch information

CVE-2021-3764: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() · torvalds/linux@505d9dc

By Waqas
Barmak Meftah is joining the innovator of Open XDR, Stellar Cyber in a new advisory role. What does…
This is a post from HackRead.com Read the original post: Barmak Meftah Joins Stellar Cyber, Innovator of Open XDR, as Board Advisor

****Barmak Meftah is joining the innovator of Open XDR, Stellar Cyber in a new advisory role. What does that mean for the company and the industry?****

What does the future of cybersecurity hold? Stellar Cyber might have the answer to that question, and they’re bringing reinforcements. 

On August 22nd, **Stellar Cyber** announced a new member in the form of a leadership role. Seasoned cybersecurity leader Barmak Meftah is joining the team as an advisor to the Board of Directors to encourage growth and innovation within the company further.

What can we expect from his new role based on his previous work in prominent **cybersecurity companies**? 

How has Stellar Cyber already paved the way toward more efficient security for enterprises?

Let’s find out.

**Bringing 25 Years of Experience to His New Role**

Meftah brings a stellar track record to his new leadership role. He brings 25 years of the innovative **cybersecurity market** and management experience.

His contribution has been significant within companies currently known as leaders in the cybersecurity field — including AlienVault.

In addition to his leadership positions at **AT&T Cybersecurity and AlienVault**, he previously held management positions at Hewlett-Packard, Fortify Software, Synchron, and Oracle.

Barmak Meftah

**Changming Liu**, CEO, and Co-Founder and CEO of Stellar Cyber says “His leadership experience at AT&T and AlienVault and his current role as an investor focusing on cybersecurity are invaluable to us. We are excited to inject his insights into our strategy sessions and carry out his vision of building an open and intelligent platform to democratize cybersecurity.”

**Stellar Cyber’s Open XDR Platform**

Stellar Cyber is the innovator of Open XDR. Their platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill to successfully secure their environments.

This allows organizations to reduce risks with early and precise identiﬁcation and remediation of threats while cutting costs, retaining investments in existing tools, and improving analyst productivity, delivering a 20X improvement in MTTD and an 8X improvement in MTTR.

**Continuing Where He Left Off With AlienVault**

Stellar Cyber’s specialty is also an area of cybersecurity where Meftah fits right in. In his new position, he’s going to continue the work that he had always envisioned accomplishing for AlienVault.

“At AlienVault, we delivered an excellent product to unify appropriate security components and make detection and response super-easy and accessible. In addition, we always had the vision to be an open platform and integrate with customers’ existing security stack,” said Meftah.

“Today this vision has emerged as Open XDR, and Stellar Cyber is at the forefront of this accelerating trend. I’m thrilled to help advise the company as it continues to innovate and rapidly grow market share.”

**Joe Morin**, CEO of CyFlare, adds, “We adopted AlienVault a couple of years ago because it was the NG-SIEM pioneer and market leader, and it performed well for us. We adopted Stellar Cyber because it unifies SIEM, SOAR, and NDR, and it makes our analysts more productive.”

**Pioneering Innovation and Progress**

Models such as Open XDR are steadily uniting the most popular solutions that have been existing in silos and heading toward accessible and less convoluted security.

For cyber analysts, this means that they can do more regardless of their limited manpower and resources. For businesses, this means they can secure their companies with technology that is more effective for less costly.

Stellar Cyber is already changing the face of the cybersecurity industry one improvement at a time. With Meftah’s contribution, it’s bound to head in a new, innovative, and exciting direction.

1.  **A State in the US arrested cyber security specialists it hired**
2.  **If a Cyber Security Report Falls in a Forest, Is Anyone Listening?**
3.  **Cyber Security companies dismantle Trickbot ransomware botnet**
4.  **Cybersecurity firm Mandiant Denies LockBit Ransomware’s Hacking Claim**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Barmak Meftah Joins Stellar Cyber, Innovator of Open XDR, as Board Advisor

APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.

Fake job offers have become a top phishing tactic for state-sponsored threat actors to lure in unsuspecting targets in the wake of the COVID-19 pandemic, as many reconsider their careers amid growing demand for skilled workers and managers.

The cyber-threat analyst team at PwC, which has followed a prime example of this (the Lazarus Group's Operation In(ter)ception) closely, presented a detailed account of the Lazarus campaign and how the group implemented the strategy during last week's Black Hat USA 2022 conference in Las Vegas.

PwC principal threat analyst Sveva Vittoria Scenarelli, who studies advanced persistent threats (APTs) in the Asia-Pacific region with an emphasis on North Korea, noted that the stakes are high.

"This is an espionage-motivated campaign that is incredibly persistent in targeting the aerospace sector, the defense industrial base, manufacturing chemical sector, for everything from military secrets to intellectual property to confidential information of strategic interest," Scenarelli explained during her presentation at Black Hat, called "Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering."

The Cybersecurity & Infrastructure Security Agency (CISA) agrees, and has warned that the threat actors (aka APT38, Black Artemis, BlueNoroff, Hidden Cobra, and Stardust Chollima) "employ malicious cyberactivity to collect intelligence, conduct attacks, and generate revenue."

Scenarelli explained that Lazarus follows up with its targets via messaging apps such as WhatsApp.

This is "to make sure that the victims do open the malicious viewer documents or the malicious executables that the threat actor has sent," she said. "Black Artemis will also set up domains. This can be for command and control of its malicious implants to send emails that appear to come from on a legit site, or indeed to perform Web exploitation as an initial access method."

Scenarelli explained that Black Artemis creates domains that spoof prominent job search websites like Indeed, with attractive positions at high-profile companies such as Google and Oracle. She underscored that many sites look legitimate, though there are obvious signs they are fake. For instance, the Indeed decoy site URL is Indeed.US.org, she said. Scenarelli noted that the job descriptions disguised as .docx, .pdf, or .rtx files launch when the victims click on the documents, which may enable macros.

Similarly, Scenarelli recalled another attack by the group, which made off with $625 million in cryptocurrency. She warned that this variant, which PwC researchers call "Black Alicanto," is financially motivated and dangerous. In the wake of Microsoft recently disabling macros in Office documents, Scenarelli said this malware might use .lnk files, perhaps embedded in password-protected Microsoft Word documents.

"Threat actors are having to pivot a bit in their initial access techniques and using more and more .lnk files, ISO files, MSI installers, and stuff like that," she said. But in the background, she noted, the .lnk file is calling MSHDA.exe, which connects to a remote server to pull down a malicious JavaScript script that PwC calls "Cabbage Loader."

This script places a .lnk file in the victim's startup folder "to ensure persistence and then pulls down a whole series of other JavaScript payloads," she explained. "These are essentially profilers that want to make sure that the actual person that's interacting with them is not a sandbox, is not a researcher, but it's actually a target of interest."

Scenarelli concluded that Lazarus and other North Korea-based threat actors continue to exploit the growing demand for skilled people, who, despite their training and awareness of threats, can be caught off guard.

"The job market right now is a really key area for North Korea-based threat actors," she said. "So, keep your eyes peeled, make sure you're aware of whom you're interviewing. And for the love of all that is holy, don't open those links that you get sent on LinkedIn, do not open them."

State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

Tag

#oracle