XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::lookChar() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id148\_heap\_buffer\_overflow\_in\_lookChar.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==115813==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000038800 at pc 0x000000754566 bp 0x7ffe27e56210 sp 0x7ffe27e56208
    READ of size 4 at 0x631000038800 thread T0
        #0 0x754565 in DCTStream::lookChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12
        #1 0x68a82a in Object::streamLookChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:291:20
        #2 0x68a82a in Lexer::lookChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:108:17
        #3 0x68a82a in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:458:17
        #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
        #5 0x6aa214 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:69:21
        #6 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
        #7 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
        #8 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #9 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #10 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #11 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #12 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #13 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #14 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #15 0x7f3e6975dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #16 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    0x631000038800 is located 0 bytes to the right of 65536-byte region [0x631000028800,0x631000038800)
    allocated by thread T0 here:
        #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
        #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2331:12 in DCTStream::lookChar()
    Shadow bytes around the buggy address:
      0x0c627ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c627ffff0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c627ffff100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c627ffff150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115813==ABORTING

CVE-2022-38238: heap_buffer_overflow_in_lookChar · Issue #15 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::getChar() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id93\_heap\_buffer\_overflow\_in\_getChar.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==115941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54608ff800 at pc 0x000000750e7c bp 0x7ffdad0d6050 sp 0x7ffdad0d6048
    READ of size 4 at 0x7f54608ff800 thread T0
        #0 0x750e7b in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
        #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
        #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
        #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
        #4 0x6ab867 in Parser::getObj(Object*, int, unsigned char*, CryptAlgorithm, int, int, int, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc
        #5 0x582f60 in Gfx::go(int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:757:13
        #6 0x581775 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:642:3
        #7 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #8 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #9 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #10 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #11 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #12 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #13 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #14 0x7f5463589c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #15 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    0x7f54608ff800 is located 0 bytes to the right of 131072-byte region [0x7f54608df800,0x7f54608ff800)
    allocated by thread T0 here:
        #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
        #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
    Shadow bytes around the buggy address:
      0x0feb0c117eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0feb0c117ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0feb0c117f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0feb0c117f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115941==ABORTING

CVE-2022-38231: heap_buffer_overflow_in_getChar · Issue #11 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::transformDataUnit at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id64\_heap\_buffer\_overflow\_in\_transformDataUnit.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==115877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6200000080e0 at pc 0x000000756136 bp 0x7fff10b0da30 sp 0x7fff10b0da28
    READ of size 2 at 0x6200000080e0 thread T0
        #0 0x756135 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*) /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17
        #1 0x748741 in DCTStream::decodeImage() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2835:6
        #2 0x7402bb in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2261:5
        #3 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
        #4 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
        #5 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
        #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #13 0x7f57efb1ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    Address 0x6200000080e0 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2968:17 in DCTStream::transformDataUnit(unsigned short*, int*, unsigned char*)
    Shadow bytes around the buggy address:
      0x0c407fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c407fff9010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
      0x0c407fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c407fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115877==ABORTING

CVE-2022-38228: heap_buffer_overflow_in_transformDataUnit · Issue #7 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a segmentation violation via DCTStream::getChar() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id46\_SEGV\_in\_getChar.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==115845==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000750afe bp 0x0c40000003cc sp 0x7ffd6a600d80 T0)
    ==115845==The signal is caused by a READ memory access.
    ==115845==Hint: address points to the zero page.
        #0 0x750afe in DCTStream::getChar() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9
        #1 0x6899e3 in Object::streamGetChar() /home/bupt/Desktop/xpdf/xpdf/./Object.h:288:20
        #2 0x6899e3 in Lexer::getChar() /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:92:42
        #3 0x6899e3 in Lexer::getObj(Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:124:14
        #4 0x6a8fc5 in Parser::Parser(XRef*, Lexer*, int) /home/bupt/Desktop/xpdf/xpdf/Parser.cc:33:10
        #5 0x581742 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:16
        #6 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #7 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #8 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #9 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #10 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #11 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #12 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #13 0x7f558fd59c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #14 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2302:9 in DCTStream::getChar()
    ==115845==ABORTING

CVE-2022-38235: SEGV_in_getChar · Issue #5 · jhcloos/xpdf

XPDF commit ffaf11c was discovered to contain a stack overflow via __asan_memcpy at asan_interceptors_memintrinsics.cpp.

CVE-2022-38227: stack overflow · Issue #4 · jhcloos/xpdf

SWFTools commit 772e55a2 was discovered to contain a stack overflow via __sanitizer::StackDepotNode::hash(__sanitizer::StackTrace const&) at /sanitizer_common/sanitizer_stackdepot.cpp.

CVE-2022-35111: bug report swftools-pdf2swf · Issue #184 · matthiaskramm/swftools

"Seaborgium" is a highly persistent threat actor that has been targeting organizations and individuals of likely interest to the Russian government since at least 2017, company says.

Microsoft's Threat Intelligence Center (MSTIC) has taken steps to disrupt the operations of "Seaborgium," a Russia-based threat actor that has been involved in persistent spear-phishing and credential-theft campaigns aimed at organizations and individuals in NATO countries since at least 2017.

The threat actor's primary motivation appears to be cyber espionage. Its victims include numerous organizations in the defense and intelligence communities, nongovernmental organizations, think tanks, higher-education institutions, and intergovernmental organizations, mainly in the US and UK. Microsoft said it has identified some 30 organizations that have been targeted in Seaborgium campaigns so far this year alone.

"Seaborgium has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications related to Seaborgium activity being delivered to Microsoft consumer email accounts," Microsoft said in a blog post this week. Targeted individuals have included former intelligence officials, Russian experts, and Russian citizens outside the country that are of interest to Moscow. Available telemetry and tactics suggest overlaps between Seaborgium and threat groups that others are variously tracking as the Callisto Group, ColdRiver, and TA446, Microsoft said.

Seaborgium is just one of multiple Russia-based groups that are targeting US firms in cyber-espionage campaigns currently. Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about Russian actors systematically stealing sensitive, but not classified, data on US weapons development and technologies used by the US military and government. The warning followed one from January about the potential for more Russian attacks on US targets in retaliation for US-led sanctions over the war in Ukraine.

**Sophisticated Impersonation**

In its blog post, Microsoft described Seaborgium actors as using mostly the same social-engineering tactics over the years to try and gain an initial foothold in a target organization. Before launching a campaign, the threat actor has typically tended to conduct extensive research on targeted individuals to identify their social and business contacts. The research has often involved the threat actor using social media platforms — including fraudulent profiles on LinkedIn — and publicly available information gather intel on individuals of interest.

They then have used the information to impersonate individuals known to the target and contacted them using new email accounts with email addresses or aliases configured to match the names or aliases of the impersonated individuals, Microsoft said. The tone of the initial contact is usually different depending on whether an individual is a personal/consumer target or someone working in a targeted organization. In the case of the former, Seaborgium actors have typically started with a benign email that exchanges pleasantries on topics of interest to the target and references a nonexistent attachment. Microsoft surmised that the goal of taking this approach is likely to establish a rapport with a target. If the phishing email recipient replies, the threat actor responds with an email containing a link to their credential-stealing infrastructure.

Seaborgium's phishing emails have a more businesslike and organizational tone to them for individuals within a target organization. In these situations, the threat actors have shown a tendency to take a more authoritative approach in directing email recipients to the credential-stealing site — for example, by taking cybersecurity-themed lures. In most campaigns, Seaborgium actors have embedded the URL to their credential-stealing site directly in the email body itself, Microsoft said. But of late, the threat actor has also been using PDF files and attachments spoofing a document or file-hosting service — often OneDrive — to distribute the link.

**Using Stolen Credentials to Steal Emails and Attachments**

Microsoft said its researchers have observed Seaborgium using stolen credentials to directly log in to victims' email accounts and steal their emails and attachments. In a few instances, the threat actor has also been observed configuring victim email accounts to forward emails to attacker-controlled addresses. 

"There have been several cases where Seaborgium has been observed using their impersonation accounts to facilitate dialogue with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties," Microsoft said, adding that often these conversations have involved potentially sensitive information.

**Under Scrutiny**

As far as the disruption goes, the computing giant has now disabled accounts that Seaborgium actors have been using for victim reconnaissance, phishing, and other malicious activities. This includes multiple LinkedIn accounts. It has also developed detections for phishing domains associated with Seaborgium.

F-Secure, which refers to the threat actor as the Callisto Group, has been tracking its activities since 2015. In a 2017 report, the security vendor had described Callisto Group as a sophisticated actor targeting governments, journalists, and think tanks in the EU and parts of eastern Europe. F-Secure had described the group's campaigns as involving highly convincing spear-phishing emails often sent from legitimate email accounts to which the threat actor had previously gained access, using stolen credentials.

More recently, Google warned about the threat actor in a broader update on malicious cyber activity in eastern Europe since the start of the Ukraine war in February. The company said it had observed ColdRiver — its name for Seaborgium — continuing to use Gmail accounts to send credential-phishing emails to Google and non-Google email accounts belonging to politicians, defense and government officials, journalists, and think tanks. "The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive," Google said. The files have contained a link to a credential-phishing domain, according to Google.

Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign

Contentious edge case activities are no excuse for further delaying of ‘much overdue’ reform, say campaigners

Contentious edge case activities are no excuse for further delaying of ‘much overdue’ reform, say campaigners

Campaigners for reform of the UK’s Computer Misuse Act (CMA) have identified cybersecurity activities that should be legally defensible amid an ongoing government review of the 1990 law.

Based on the “consensus” view of experts, these legitimate hacking activities included responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

This consensus “would form the core basis of a new legal environment for cybersecurity professionals based on a statutory defence,” says a report (PDF) published yesterday (August 15) by the CyberUp campaign.

RELATED Statutory defense for ethical hacking under UK Computer Misuse Act tabled

Far from unleashing “a wild west of cyber vigilantism”, such a defense “will enable the UK’s cybersecurity sector to more effectively protect the UK as part of the whole-of-society effort, whilst ensuring cybercriminals can still be prosecuted”.

**Edge cases**

The CyberUp campaign also set out actions that should broadly be considered illegitimate, such as so-called ‘hack backs’ and malware deployment, as well as ‘active defence’ techniques that “still represent a grey area”.

These “contentious edge cases”, which require “further consultation and discussion as the policy formation process develops”, include exploitation of vulnerabilities, verification of passive-detected vulnerabilities, infiltrating a bad actor’s network, credential stuffing, active intel gathering, forensic analysis, botnets, and neutralizing suspicious or nefarious assets.

CyberUp insisted that the existence of edge cases is no excuse for further delaying of “much overdue” reform.

Campaigners deliver a letter signed by MPs that called for CMA reform to the Prime Minister’s residence

The results were based on input from 15 cybersecurity researchers, consultants, and other experts who assessed activities according to the potential harms and benefits accrued.

The degree of ‘consensus’, whereby more than 50% of experts agreed, varied considerably.

For instance, 100% agreed that use of sandboxes caused no or limited harm but delivered clear benefits, whereas 64% agreed that patching third-party networks or using remote desktop protocol (RDP) connections to obtain information from an attacker’s computers potentially ran the risk of causing harm but also provided worthwhile benefits.

**Importance of intent**

“Unsurprisingly, the exercise also revealed the limitations of any effort to isolate techniques, activities, and actions from the intent of an actor”, where the CMA currently “falls short”, said the report.

Rather than relying on binary lists of legitimate and illegitimate activities, which would quickly become out of date as techniques and technology evolved, CyberUp recommends that courts use broad principles to judge instances of unauthorised access.

A defense framework (PDF) published in 2021 by CyberUp establishes a set of such principles.

Read more of the latest cybersecurity news from the UK

The CyberUp campaign said it disagreed with suggestions from certain experts it consulted that some activities should only be conducted under license or, more stringently still, where actors “have been certified and have a court warrant to proceed”.

“Our view is that, over time with case law, and ideally with clear guidance from prosecutors, the boundaries of legal conduct will be sufficiently unambiguous to counter the need for the high degree of oversight that is sought by those who prefer a system more tightly regulated by the courts,” said the report.

A review of the aging CMA, which criminalizes “unauthorized access”, was announced in May 2021.

RECOMMENDED Browser-powered desync: New class of HTTP request smuggling attacks showcased at Black Hat USA

Legitimate hacking activities under UK law proposed by ‘expert consensus’

Threat hunting not only serves the greater good by helping keep users safe, it rewards practitioners with the thrill of the hunt and solving of complex problems. Tap into your background and learn to follow your instincts.

Growing up in the Pacific Northwest, I was fascinated by treasure hunting. I love the idea of finding something valuable or important. I had an arsenal of tools even the most seasoned treasure hunters would envy: a metal detector, a bucket, and a plastic shovel. Yet the most valuable tool I possessed was my firm belief that I would find treasure as long as I looked hard enough.

Threat hunting is like treasure hunting in many ways. Threat hunters also have their tools of the trade.

Several years ago, I traded that plastic shovel for a data visualization tool (i.e., Kibana) and too much coffee. I still feel the excitement of the hunt for something valuable. You see, treasure hunting and threat hunting both stimulate the mind. They are both filled with hidden clues, there is no set path, and sometimes you must solve complex problems. There is unmistakable value in discovering threats, so that we can improve the security of our organizations.

At one point in my military career, I worked as a networking specialist on a cyber-protection team, where I became a network traffic analysis expert. The mission was simple — just hunt. Remember, no good treasure hunt starts without a treasure map. That's where this threat-hunting story begins.

I received a PDF version of the network map that contained hundreds of endpoints, ports, protocols, and services (PPS) to quickly identify acceptable and normal network traffic as a baseline. The posters we printed from the PDF were the size of twin-sized blankets. Yet, we hung them up on the ops floor. We had our "treasure map," and set out to analyze the hex and packet captures (PCAPs).

We found nothing that deviated from the baseline and PPS listing. But I still had the unshakeable belief from my youth that I would find something if I looked hard enough. We were parsing through millions of network events and terabytes of data. I decided to investigate the top-talking ports – even the acceptable ports outlined on the PPS.

"Manual" threat hunting, for lack of better words, relies on highly skilled people and the knowledge they have collected over years in the field. Down the list I went looking at HTTPS, HTTP, DNS, SMTP, and so on. Finally, I arrived at port 1433, or SQL, which is the primary language used for managing data. This was significant as it's often a large attack surface for hackers and adversaries. I built a query and modified data fields to quickly identify the IPs communicating with one another.

One pair of IPs looked a little unusual and didn't fit into the schema of the other IPs. It stood out to me because I understood the network (thanks to our trusty map). That's when I discovered unencrypted SQL data. I could see everything and the data in these tables made my jaw drop. This data was leaving the network unencrypted. I immediately notified my mission commander, who carried it up the chain – we discovered it was a configuration error that was quickly fixed. The goal of discovering threats was so that we could take action to remediate them.

**Learning From Experience**

Eight-year-old me would have been very proud of my ability to find such a significant threat – being able to improve our security was certainly of value. There were many lessons to be learned from this hunt that I have held with me over the years:

*   Understand the network you're working on to easily recognize patterns and behaviors that deviate from normal.
*   Question and review all traffic, even acceptable or normal traffic. Network traffic is guilty until proven innocent in the world of threat hunting.
*   Not every hunt will result in threats being found, but always listen to your instincts. If you know it's out there, it probably is.

Threat hunting is an opportunity to help a greater good. Cyberattacks are relentless. We must work together as professionals to change the playing field. Equally, be willing to accept help. I have been fortunate to find work that brings me so much joy. I love what I do because it connects me with a lifelong drive. There are many specialties within cybersecurity; finding your particular niche will make you successful in this field.

Lessons From the Cybersecurity Trenches

Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a "highly persistent threat actor" whose objectives align closely with Russian state interests.
The company is tracking the espionage-oriented activity cluster under its chemical element-themed moniker SEABORGIUM, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446.
"

Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a "highly persistent threat actor" whose objectives align closely with Russian state interests.

The company is tracking the espionage-oriented activity cluster under its chemical element-themed moniker **SEABORGIUM**, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446.

"SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries," Microsoft's threat hunting teams said. "Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft."

Attacks launched by the adversarial collective are known to target the same organizations using consistent methodologies applied over long periods of time, enabling it to infiltrate the victims' social networks through a combination of impersonation, rapport building, and phishing.

Microsoft said it observed "only slight deviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets."

Primary targets include defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education entities located in the U.S. and the U.K., and to a lesser extent in the Baltics, the Nordics, and the Eastern Europe.

Additional targets of interest consist of former intelligence officials, experts in Russian affairs, and Russian citizens abroad. More than 30 organizations and personal accounts are estimated to have been at the receiving end of its campaigns since the start of 2022.

It all starts with a reconnaissance of potential individuals by leveraging fake personas created on social media platforms like LinkedIn, before establishing contact with them via benign email missives originating from newly-registered accounts configured to match the names of the impersonated individuals.

In the event the target falls victim to the social engineering attempt, the threat actor activates the attack sequence by sending a weaponized message embedding a booby-trapped PDF document or a link to a file hosted on OneDrive.

"SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL," Microsoft said. "The actors include a OneDrive link in the body of the email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account."

Furthermore, the adversary has been found to disguise its operational infrastructure by resorting to seemingly harmless open redirects to send users to the malicious server, which, in turn, prompts users to enter their credentials to view the content.

The last phase of attacks entails abusing the stolen credentials to access the victim's email accounts, taking advantage of the unauthorized logins to exfiltrate emails and attachments, set up email forwarding rules to ensure sustained data collection and other follow-on activities.

"There have been several cases where SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties," Redmond pointed out.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#pdf