New web targets for the discerning hacker

New web targets for the discerning hacker

Summer is here in the northern hemisphere, but this hasn’t interrupted the steady stream of new bug bounty programs from hitting the market.

During the teaser for its new Lockdown Mode this month, **Apple** said vulnerabilities in the new anti-spyware tech can be disclosed via its Security Bounty program. Rewards of up to $2 million are on offer.

Lockdown Mode, which will ship with iOS 16, iPadOS 16, and macOS Ventura, is described as “an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.

Australia’s **Monash University** has also established a new bug bounty program, which is aimed at shoring up its defenses amid a spate of cyber-attacks impacting the education sector.

Added to the mix this month are two new rewards programs for the burgeoning digital identity market, as **Onfido** partners with YesWeHack and India’s **Aadhaar** dips its toe in the water with a program of its own.

Aadhaar is world’s largest digital identity program that provides services to over 1.3 billion Indian residents. To take part in this new, private bug bounty, hackers must apply via the UIDAI website.

There’s a high bar for entry, too, as Aadhaar stipulates that “candidates should be listed in the top 100 of the bug bounty leaderboards such as HackerOne, Bugcrowd, or listed in the bounty programs conducted by reputable companies such as Microsoft, Google, Facebook, \[or\] Apple”.

**The latest bug bounty programs for August 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aadhaar**

**Program provider:  
**Independent

**Program type:  
**Private

**Max reward:  
**TBD

**Outline:  
**In an effort to secure Aadhaar data hosted in UIDAI’s Central Identities Data Repository (CIDR), UIDAI is planning the launch of a new bug bounty program.

**Notes:  
**Full application details can be found on the UIDAI website. The number of participants is being limited to 20, all of whom must be Indian residents.

Check out the UIDAI bug bounty bulletin (PDF) for more details

**Apple – Lockdown Mode**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$2 million

**Outline:  
**Apple has established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections.

**Notes:  
**Bounties have been doubled for qualifying findings in Lockdown Mode, up to a maximum of $2 million – one of the highest maximum payouts in the industry.

Check out our earlier coverage for more details

**BKEX**

**Program provider:  
**HackenProof

**Program type:  
**Public

**Max reward:  
**$10,000

**Outline:  
**BKEX is a global digital asset trading platform, featuring more than 1,200 cryptocurrencies.

**Notes:  
**The financial service company’s new bug bounty program is replete with a range of in-scope web attack vectors, including remote code execution (RCE), SQL injection vulnerabilities, file inclusion and access control issues, server-side request forgery (SSRF), cross-site request forgery (CSRF), cross-site scripting (XSS), and directory traversal.

Check out the BKEX bug bounty page for more details

**ClickHouse**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time. The main focus of the public program is the open source version of the ClickHouse platform.

**Notes:  
**“No technology is perfect, and ClickHouse believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology,” the company said. “We are excited for you to participate as a security researcher to help us identify vulnerabilities in our open source assets.”

Check out the ClickHouse bug bounty page for more details

**Monash University**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Monash University in Melbourne, Australia, has launched a public bug bounty program to help maintain the security of its digital platforms.

**Notes:  
**In-scope targets include the main Monash University web domain and mobile apps, along with various technologies that are used by the institution, including its VPN and FileShare instances.

Check out our earlier coverage for more details

**Onfido**

**Program provider:  
**YesWeHack

**Program type:  
**Private

**Max reward:  
**TBD

**Outline:  
**Digital identity verification company Onfido has launched a new bug bounty program, in partnership with European vulnerability disclosure platform YesWeHack.

**Notes:  
**Commenting on the partnership, Alex Valle, chief product officer at Onfido, said: “Security and compliance are essential to our mission of creating a more open world, where identity is the key to online access, and we are always looking for ways to strengthen this.”

Check out our earlier coverage for more details

**SideFX**

**Program provider:  
**HackerOne

**Program type:**  
Public

**Max reward:**  
$3,000

**Outline:**  
Canada-based SideFX is the developer of Houdini, a 3D animation software application used in film, television, advertising, and video games.

**Notes:**  
Only vulnerabilities discovered in the company’s main web domain, sidefx.com, are applicable under the terms of this new bug bounty program.

Check out the SideFX bug bounty page for more details

**ZBWeb**

**Program provider:**  
HackenProof

**Program type:**  
Public

**Max reward:**  
$5,000

**Outline:**  
Founded in 2013, ZB.com is a worldwide digital trading platform, facilitating the exchange and management of digital assets from all corners of the globe.

**Notes:**  
In-scope web vulnerabilities include business logic issues, payment manipulation, RCE, SQL injection, access control issues, SSRF, CSRF, XSS, and other vulnerabilities with a “clear potential loss”.

Check out the ZBWeb bug bounty page for more details

**Other bug bounty and VDP news this month**

*   **HackerOne** has disclosed details of an incident involving a former employee who was accused of accessing internal data for personal financial gain.
*   **Go Daddy**, **Trellix**, and **Fidelity** have launched (unpaid) vulnerability disclosure programs (VDPs).
*   Advertising platform developer and social media company **Meta** has released its inaugural ‘Bug Bulletin’, which includes details of some of the notable finds identified in its own, and in third-party, code.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for July 2022

Bug Bounty Radar // The latest bug bounty programs for August 2022

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.

  Overview

Squirrel is a high level imperative, object-oriented programming language, designed to be a light-weight scripting language that fits in the size, memory bandwidth, and real-time requirements of applications like video games. Although Squirrel offers a wide range of features like:

*   Open Source MIT licence
*   dynamic typing
*   delegation
*   classes & inheritance
*   higher order functions
*   lexical scoping
*   generators
*   cooperative threads(coroutines) 
*   tail recursion
*   exception handling
*   automatic memory management (CPU bursts free; mixed approach ref counting/GC)
*   both compiler and virtual machine fit together in about 7k lines of C++ code and add only around 100kb-150kb the executable size.
*   optional 16bits characters strings
*   powerful embedding api
    
    *   eg. function/classes can be defined by scripts or in C
    *   eg. objects can fully exist in the VM or be bound to native code
    *   eg. classes created in C can be extended by scripts or vice-versa
    *   and more
    
    Squirrel is inspired by languages like Python,Javascript and especially Lua(The API is very similar and the table code is based on the Lua one)
    
      
    
    What Does it look like?  
    squirrel's syntax is similar to C/C++/Java etc... but the language has a very dynamic nature like Python/Lua etc...
    
    local table = {
    	a = "10"
    	subtable = {
    		array = \[1,2,3\]
    	},
    	\[10 + 123\] = "expression index"
    }
     
    local array=\[ 1, 2, 3, { a = 10, b = "string" } \];
     
    foreach (i,val in array)
    {
    	::print("the type of val is"+typeof val);
    }
     
    /////////////////////////////////////////////
     
    class Entity
    {	
    	constructor(etype,entityname)
    	{
    		name = entityname;
    		type = etype;
    	}
    									
    	x = 0;
    	y = 0;
    	z = 0;
    	name = null;
    	type = null;
    }
     
    function Entity::MoveTo(newx,newy,newz)
    {
    	x = newx;
    	y = newy;
    	z = newz;
    }
     
    class Player extends Entity {
    	constructor(entityname)
    	{
    		base.constructor("Player",entityname)
    	}
    	function DoDomething()
    	{
    		::print("something");
    	}
    	
    }
     
    local newplayer = Player("da playar");
     
    newplayer.MoveTo(100,200,300);			
    
      
    Development state  
    
    The current stable release is 3.2  
    The project has been compiled and run on Windows(x86 & x64), Linux(x86 & x64), Illumos(x86 & x64), Mac OS X, FreeBSD, iOS and Android.  
    Has been tested with the following compilers:
    
    > MS Visual C++ 6.0,7.0,7.1,8.0,9.0 and 10.0(x86 & x64)  
    > MinGW gcc 3.2 (mingw special 20020817-1)  
    > Cygwin gcc 3.2  
    > Linux gcc 3.x  
    > Linux gcc 4.x  
    > Illumos gcc 4.x  
    > XCode 4  
    
    The documentation has to be improved.  
    
    I'd like to have some feed back and maybe help to design/port/test it.
    
      
    Work in Progress
    
    In the next release(3.2.x stable):
    
    *   more compact bytecode
    *   performance tuning
    *   additional documentation
    
      
    Documentation  
    **Squirrel 3.2**
    
    Online Squirrel 3.2 reference manual and Standard Libraries manual)
    
    Offline Squirrel 3.2 Reference Manual (PDF)  
    Offline Squirrel 3.2 Standard Libraries Manual (PDF)
    
    both manuals are included in the language distribution
    
      
    **Squirrel 3.0.x**
    
    Squirrel 3.0 reference manual(PDF/HtmlHelp/Html Online)
    
    Squirrel 3.0 Standard Libraries manual(PDF/HtmlHelp/Html Online)
    
    both manuals are included in the language distribution
    
      
    **Squirrel 2.x**
    
    Squirrel 2.0 reference manual(PDF/HtmlHelp/Html Online)
    
    Squirrel 2.0 Standard Libraries manual(PDF/HtmlHelp/Html Online)
    
    both manuals are included in the language distribution
    
      
    Download  
    **stable release**
    
    You can download Squirrel 3.2 stable here  
    _Released February 10, 2022._
    
    **GitHub Repository**
    
    Squirrel's GitHub repository is here
    
    **older 3.x release**
    
    You can download Squirrel 3.0.7 stable here  
    _Released January 10, 2015._
    
    **older 2.x stable release**
    
    You can download Squirrel 2.2.5 stable here  
    _Released November 28, 2011._
    
    My name is Alberto Demichelis if you want to know more about me, this is my personal homepage

CVE-2021-41556: Squirrel - The Programming Language

Input passed to the Pdf() function is shell escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution. This problem affects nodepdf 1.3.0.

Software: nodepdf  
Website: https://github.com/TJkrusinski/NodePDF

Input passed to the Pdf() function is shell escaped and passed to child\_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution.

This vulnerability was later fixed in the shell-escape library and assigned the identifier CVE-2016-10541.

    var nodepdf = require('nodepdf');
    var url = ";{echo,hello,world};w";
    var filename = "output.pdf";
    var pdf = new nodepdf(url, filename, {});
    pdf.on('stdout', console.log);
    pdf.on('stderr', console.error);
    

    $ npm install [email protected]
    $ node render.js
    11 incorrect args
    hello world
     03:31:25 up 19 days, 16 min,  1 user,  load average: 0.15, 0.15, 0.10
    USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
    user     pts/0    192.168.1.64     02:38    0.00s  0.31s  0.00s w

CVE-2016-4991: CVE-2016-4991: Command injection in NodePDF

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

**Abstract**

Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).

**Affected Products**

Product

Severity

Fixed Release Availability

DSM 6.2

Important

Upgrade to 6.2.4-25553 or above.

DSMUC 3.0

Moderate

Pending

VS Firmware 2.3

Not affected

N/A

**Mitigation**

None

**Detail**

*   CVE-2021-26563
    
    *   Severity: Important
    *   CVSS3 Base Score: 8.2
    *   CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    *   Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
*   CVE-2021-29088
    
    *   Severity: Important
    *   CVSS3 Base Score: 7.8
    *   CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    *   Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
*   CVE-2022-22684
    
    *   Severity: Important
    *   CVSS3 Base Score: 7.2
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/MAV:L
    *   Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote attackers to execute arbitrary commands via unspecified vectors.
*   CVE-2021-33182
    
    *   Severity: Moderate
    *   CVSS3 Base Score: 5.0
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
    *   Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.

**Acknowledgement**

*   Claudio Bozzato of Cisco Talos
    
*   Bing-Jhong Jheng
    
*   Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group
    

**Revision**

Revision

Date

Description

1

2021-02-23

Initial public release.

2

2021-06-10

Disclosed vulnerability details.

3

2022-07-28

Disclosed vulnerability details.

CVE-2022-22684: Synology_SA_21_03 | Synology Inc.

A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 that utilize self-registration for the GoAnywhere Web Client. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended.

CVE-2021-46830: GoAnywhere MFT Release Notes

Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2022-1875

Microsoft flagged the company's Subzero tool set as on offer to unscrupulous governments and shady business interests.

A cyber-weapons broker dubbed Knotweed has been outed, with Microsoft flagging it as being behind numerous spyware attacks on law firms, banks, and strategic consultancies in countries around the world.

To boot, Knotweed has made a habit of incorporating rafts of Windows and Adobe zero-day exploits into its spyware since at least 2021, according to Microsoft.

Knotweed falls into a murky category of so-called "private sector offensive actors" (PSOAs, aka commercial spyware vendors) that hawk their wares to unscrupulous governments and business interests. These ultrasophisticated (and expensive) tools are often used against dissidents, journalists, and other members of civil society, but they've been known to enable straightforward corporate espionage too.  

**In the Shadows**

The breed is best exemplified by the infamous NSO Group and Pegasus mobile spyware, but many others lurk in the shadows, Microsoft warned.

One such is Knotweed, which is an alias for an Austrian outfit called DSIRF. It's a company that, as Microsoft explained in a post on Wednesday, "ostensibly sells general security and information analysis services to commercial customers." But that's only part of the story, according to the computing giant.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure and internet-connected devices," according to the analysis.

The aforementioned Microsoft and Adobe bugs in the tool set (detailed in a technical breakdown) have been seen in recent cyberattacks against targets in Austria, Panama, and the United Kingdom. In addition to publishing software updates to plug the holes on a regular basis, Microsoft has also published a Subzero malware signature for defense.

More action is needed on a broader level, given that DSIRF will not be the last PSOA to come to light, as Microsoft researchers explained in a brief sent to Congress on Wednesday.

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," according to the brief (PDF). "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware

InMailX Outlook Plugin < 3.22.0101 is vulnerable to Cross Site Scripting (XSS). InMailX Connection names are not sanitzed in the Outlook tab, which allows a local user or network administrator to execute HTML / Javascript in the Outlook of users.

**Enterprise Email Management, Compliance and Productivity Solution**

**inMailX** is an enterprise email management, compliance and productivity solution for Microsoft Outlook and Office 365, which provides the functionality and tools users need to effectively manage their emails and attachments.  inMailX integrates seamlessly with records and document management systems, cloud and network folder structures, helping users improve their email filing compliance.

With inMailX staff can improve their emails and attachments management compliance, productivity and the quality of work, while maintaining focus and reducing operational errors.  inMailX substantially enhances existing Outlook functionality and provides users with the ability to:

 - Manage emails and attachments using a simple and efficient interface  
 - Preview attachments when composing emails to ensure they are correct  
 - Clean metadata from Word, Excel PowerPoint, PDF and Image attachments  
 - Convert attachments to PDF 'on the fly' and prompt users to convert on send  
 - Combine, bookmark and secure multiple attachments into a single PDF  
 - Password protect Word, Excel PowerPoint and PDF attachments  
 - Rename and Reorder email attachments 'on the fly'  
 - Compress and secure attachments into ZIP while composing emails  
 - Save paper by printing only the most recent email conversation threads  
 - Print email body and attachments selectively and simultaneously  
 - Schedule follow-up tasks/appointments when filing or sending emails  
 - Reduce repetitive typing and quickly compose standard emails with content manager  
 - File emails into records and document management systems, network or cloud repositories

Its user interface is simple and intuitive, and it has been designed to combine most common tasks, such as 'Send, File & Print', 'Close, File & Print' or 'Attachments Preview, Clean, PDF, Protect, Rename, Reorder', into simple one-click actions.  Digitus has developed several inMailX modules that can be purchased separately or bundled in two cost effective suites_, inMailX Standard_ and _inMailX Professional__._

> **inMailX Standard** includes the following modules**:**
> 
> *   _Attachment Manager  
>     _
> *   _Content Manager  
>     _
> *   __Print Manager  
>     __
> 
> **inMailX Professional** includes the following modules**:**
> 
> *   _Email Manager  
>     _
> *   _Attachment Manager  
>     _
> *   _Content Manager  
>     _
> *   _Print Manager  
>     _
> *   _Time Manager  
>     _
> *   _Brand Manager  
>     _

**inMailX scales easily to meet the needs of any organisation, and it brings teams productivity to new levels.** 

**As new users are created, they automatically receive enhanced email management functionality, efficient attachments Preview, Clean, PDF, Protect, ZIP, Rename and Reorder tools, global quick text content, personalised email signatures and standardised corporate forms, so that they can immediately become productive.** 

**Integration with third party electronic documents and records management systems**

When used with its optional connectors for document/records management and file system integration, inMailX enhances Microsoft Outlook capabilities to file emails into third party document/records management systems, such as: iManage Work/Worksite, Micro Focus/HPE Content Manager, NetDocuments, SharePoint, Worldox, WebDAV (Oracle UCM, WebDAV Repositories, etc.), Cloud Stores or Network Folders (Box, Dropbox, GoogleDrive, OneDrive, MYOB Accountants Enterprise, MYOB Insolvency, APS Folders, etc.).

By integrating directly into Microsoft Outlook, inMailX allows staff to take control over managing their emails without losing any of the existing Outlook functionality. To find out more, click here.

**Save time, Reduce costs, Increase productivity**

With inMailX, organisations will ensure that their staff are able to maintain their sent and received emails organised, that email attachments can easily be previewed, cleaned, converted to PDF, reanmed and reordered, and that paper wastage is reduced by being able to truncate email printing and selectively print attachments.

In addition, organisations will improve their email branding by being able to centrally deploy and maintain standardised corporate email forms and signatures which are integrated Exchange Global Address List and Active Directory.

Since inMailX is extremely intuitive, it allows users to take advantage of its benefits with minimal training, and without delay. This translates into saving valuable time, reduced running costs, and increased productivity.

**Any organisation, regardless of its size, using Microsoft Outlook, will benefit from inMailX' High Return on Investment.**

**Contact us for a free inMailX demonstration, and discover the power of inMailX today!**

  
inMailX, inDocX, LawConnect, DigitusNet, iDigitus, Digitus are registered trademarks of Digitus Information Systems Pty Ltd in Australia and in some other countries. All third-party trademarks are the property of their respective owners.

CVE-2022-27105: inMailX | Digitus Information Systems

The fax is dead. Long live the online fax? A new study suggests many healthcare professionals believe that flaws in today’s web security landscape are prompting a return to what’s been deemed an “extr

The fax is dead. Long live the online fax?

A new study suggests many healthcare professionals believe that flaws in today’s web security landscape are prompting a return to what’s been deemed an “extremely” secure medium: fax.

Published earlier this month, eFax research surveyed 1,000 IT and business decision-makers in the UK and Europe.

According to the report (PDF), 62% of respondents in the healthcare sector said that security was the major reason for a “migration” to cloud-based fax systems, and 21% of those surveyed believe that digital fax systems are “extremely” secure.

**What is ‘cloud fax’?**

Cloud faxing removes the need for on-premise equipment on both sides of a transmission. The gist is that users can send a fax quickly, via an online service, to be viewed and/or printed by the recipient.

Among fax users in healthcare, 37% of respondents said they use “cloud-based fax” systems, while 21% use both cloud and traditional faxing.

The research is the work of eFax, a company that uses the slogan: “The fast & easy way to send and receive faxes by email”.

It’s interesting, then, that the company’s own research says: “One of the main problems with email is its increasing vulnerability to interception, hacking, and fraud.”

“eFax is an internet fax service that eliminates the need for a fax machine, extra fax line, and all the associated expenses,” the company says. “Get a real local or toll-free fax number to send and receive faxes as email attachments. Online faxing is more reliable, secure, and convenient than analog fax machines.”

**Blurred lines**

When you send a test eFax ‘fax’, you receive an ‘incoming’ fax email with a PDF attached. Faxes can be sent to a phone number or online assignment number and can be accessed via email, the eFax portal, mobile app, or a standard fax machine.

Overall, a third of respondents (37%) said fax usage was likely to increase in the future – but 35% also said there might be a decrease.

However, while eFax appears to be trying to separate email and fax security, the line between what can be considered a fax message, or just an email, has been blurred.

Read more of the latest email security news

Traditional fax machines were considered secure in the past as they were ‘dumb’, internet connections were dial-up or nothing, and contained limited, analog functionality.

But the moment you connect a fax ‘number’ to a digital channel – whether this is an online portal accessed through a browser, email account, or app – there is always a risk of compromise.

When the study was published, Scott Wilson, vice president of sales and service at eFax, commented:

It’s clear that email is the established and widely accepted format for most communications, but it’s flawed and vulnerable to interception and hacking. Cloud faxing is more secure than email not least because fax infrastructure has limited exposure to the internet and internet-connected devices.

**‘Encryption is king’**

Using a fax number to send a message rather than an email address might not be traceable to a specific company department or user, and so could mitigate the risk of targeted attacks.

Sending a document directly to a physical fax machine, too, might have some perceived advantages – but it does not take away the risks of its underlying, digital infrastructure.

When asked by _The Daily Swig_ how eFax differs from standard email, and what security or encryption measures are in place, the eFax did not respond. (The firm’s help center, however, does mention TLS and some form of encryption.)

Simon Mullis, CTO of Venari Security, commented: “Cloud-based fax systems are a resourceful way to ensure the secure communication of confidential information, but for most encryption will be king.

“With 25% of healthcare organizations saying they rely on email encrypted software, it’s important to recognize the role of end-to-end encryption in ensuring higher levels of security and privacy, while also remaining compliant of regulations like GDPR.”

Cloud fax services can be quicker, cheaper, and more convenient for businesses that don’t want to rely on analog lines. However, the jury’s out on whether digital ‘faxes’ are any more, or less, secure than email – especially when both would depend on the implementation of basic security measures such as end-to-end encryption.

**YOU MIGHT ALSO LIKE** Zero-day flaws in GPS tracker pose surveillance, fuel cut-off risks to vehicles

Cloud fax company claims healthcare pros are ditching email for ‘more secure’ fax

The firmware threat offers ultimate stealth and persistence — and may be distributed via tainted firmware components in a supply chain play, researchers theorize.

A Windows firmware rootkit known as "CosmicStrand" has appeared in the cyberthreat firmament, targeting the Unified Extensible Firmware Interface (UEFI) to achieve stealth and persistence.

UEFI firmware is tasked with booting up Windows computers, including the loading of the operating system. As such, if the firmware is tainted with malicious code, that code will launch before the OS does — making it invisible to most security measures and OS-level defenses.

"This, along the fact that the firmware resides on a chip separate from the hard drive, makes attacks against UEFI firmware exceptionally evasive and persistent," researchers from Kaspersky explained in a posting on Monday. "Regardless of how many times the operating system is reinstalled, the malware will stay on the device."

Once triggered, the code deploys a malicious component inside the Windows OS, after a long execution chain. This component connects to a command-and-control server (C2) and waits for instructions to download additional malicious code snippets, which the malware maps into kernel space and assembles into a shellcode.

One shellcode sample obtained by Kaspersky was used to create a new user on the victim's machine and add it to the local administrators group.

"We can infer from this that shellcodes received from the C2 server might be stagers for attacker-supplied PE executables, and it is very likely that many more exist," according to the writeup.

As the US Department of Homeland Security (DHS) and Department of Commerce said in a March report on firmware threats, rootkits present a tremendous amount of risk.

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the government agencies noted in a joint draft report (PDF).

This particular campaign appears highly targeted to specific individuals in China, with some cases seen in Iran and Vietnam, researchers noted. It's unclear what the ultimate endgame for Cosmic Strand is, but it's likely an espionage play; Kaspersky attributed the campaign to an as-yet-unknown Chinese-speaking advanced persistent threat (APT) with overlaps with the MyKings botnet gang.

**Supply Chain, 'Evil Maid' Concerns**

The researchers know very little about how the rootkit is making it onto peoples' machines. That said, supply chain weakness is a possibility, according to Kaspersky, with "unconfirmed accounts discovered online indicating that some users have received compromised devices while ordering hardware components online."

The modifications were specifically introduced to a specific driver by patching it to redirect to malicious code executed during system startup.

"We assess that the modifications \[to the driver\] may have been performed with an automated patcher," the Kaspersky researchers noted. "If so, it would follow that the attackers had prior access to the victim's computer in order to extract, modify and overwrite the motherboard's firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario)."

They added that in the attacks, the implant burrowed into Gigabyte and ASUS motherboards specifically, which share the H81 chipset. This offers up another possibility for initial compromise.

"This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware's image," according to the report.

**Circa 2016**

Very notably, CosmicStrand appears to have been used in the wild since the end of 2016, long before UEFI attacks were known to be a thing.

"Despite being recently discovered, the CosmicStrand UEFI firmware rootkit seems to have been being deployed for quite a long time," says Ivan Kwiatkowski, senior security researcher at Global Research and Analysis Team (GReAT) at Kaspersky. "This indicates that some threat actors have had very advanced capabilities that they've managed to keep under the radar since 2017. We are left to wonder what new tools they have created in the meantime that we have yet to discover."

UEFI rootkits are still rarely seen in the wild, thanks to how complex and difficult they are to develop — but they're not mythical, either. The first one ever officially spotted was observed by Qihoo 360 to be used by a China-backed APT in 2017; Kaspersky believes CosmicStrand to be related to that threat, which was called the Spy Shadow Trojan.

Then, ESET discovered one in 2018 being used by Russian state-sponsored actor APT28 (aka Fancy Bear, Sednit, or Sofacy). It was dubbed LoJax because of its underlying code, which was a modified version of Absolute Software’s LoJack recovery software for laptops.

Since then, others have infrequently come to light, such as MosaicRegressor and MoonBounce, which Kaspersky found in 2020 and 2022, respectively.

Kaspersky researchers warned that these types of rootkits continue to provide mysteries and raise questions, and deserve more attention from the analyst community.

"CosmicStrand is a sophisticated UEFI firmware rootkit \[that\] appears to have been used in operation for several years, and yet many mysteries remain," they noted. "How many more implants and C2 servers could still be eluding us? What last-stage payloads are being delivered to the victims? But also, is it really possible that CosmicStrand has reached some of its victims through package 'interdiction'? In any case, the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."

The feds agree. The aforementioned DHS-led joint draft report noted that firmware presented "a large and ever-expanding attack surface." They added that firmware security is often overlooked, even though it's one of the stealthiest methods by which an attacker can compromise devices at scale.

Tag

#pdf