Relive Talos' top stories from the past year as we recap the top malware and other threats that came our way.

Tuesday, December 19, 2023 08:00

If there is anything the cybersecurity world learned in 2023, it’s that you can never count any bad guy out. 

Botnets kept coming back from the dead, ransomware actors found new ways to make money through data theft extortion and threat actors and malware who have been around for more than a decade find ways to stay relevant. 

Since it seems like there's a new security threat every day making headlines, we like to take a step back at the end of every year to look back at the top stories in cybersecurity that Talos covered this year, including new research from Talos and the stories that were most interesting to readers. 

*   After Microsoft blocked macros by default in Office documents, attackers needed to find a new file format for their lure documents that could execute malware or malicious code without users noticing. To start off 2023, adversaries shifted toward Shell Link (LNK) files, which provide security researchers the opportunity to capitalize on information that can be provided by LNK metadata. We used this data to uncover new information about the Qakbot botnet and Gamaredon threat actor, and previously unknown connections between multiple threat actors. 
    

*   Attackers deployed the “MortalKombat” ransomware and Laplas Clipper malware together in a campaign primarily looking to generate revenue by forcing users into paying the requested ransom. The encryption screen and ransom note associated with this campaign used images from the “Mortal Kombat” video game series — hence the name. Our research found these adversaries targeting everyone from individual users to massive organizations. 
    

*   The operators behind the Prometei botnet continued to level up their operations, adding new functions and anti-detection methods. Talos reported on what we identified as “version 3” of the botnet in March, including an alternative C2 domain generating algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web shell that’s deployed onto victim hosts. At the time of writing, the botnet had over 10,000 compromised machines. 
    
*   In other botnet news, the infamous Emotet malware came back online after a relatively quiet period, this time deploying malicious Microsoft Word documents as lures. Emotet is famous for going through brief periods of inactivity, often spanning months, and then re-appearing. Its newest efforts involved infection chains that Talos had not observed the operators using before. 
    
*   Talos discovers a new threat actor we called “YoroTrooper” targeting government and energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS). YoroTrooper’s activities seem largely centered around trying to steal sensitive information from these groups. We’d continued to follow this group for the remainder of the year, writing about their malware and TTPs multiple times in 2023.  
    

*   Although it was released earlier in the year, Talos disclosed a newly discovered “V2” version of the Typhon Reborn information-stealing malware. The updated version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. At the time, we predicted that Typhon Reborn would appear in future cyber attacks. 
    
*   A large-scale attack on global network infrastructure known as “Jaguar Tooth” goes public, including extensive reporting from Talos and Cisco. In this campaign, state-sponsored actors targeted older networking devices like wireless routers, including Cisco devices. The UK’s National Cyber Security Centre (NCSC) also released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco had published a patch for in 2017. These ongoing discussions about defending network infrastructure and ensuring organizations use up-to-date devices eventually led to Cisco and other partners co-founding the new Network Resilience Coalition in July. 
    

*   A new phishing-as-a-service tool called “Greatness” appears in the wild, offering attackers the ability to pay a subscription fee for their infrastructure. Greatness allows users to send spam emails, pointing targets to convincing Microsoft 365 login pages. The “as-a-service" model for threat actors had long been around, but the trend received increased attention in 2022 as several large ransomware groups shifted to new affiliate models, which offered their services and code to anyone who wanted to use it for a fee. 
    
*   With the help of our partners at The Citizen Lab, Talos revealed new details about the “ALIEN” and “PREDATOR” mobile spyware suites. Many groups that we called “mercenary spyware” groups use these tools to create spyware, software that is considered illegal in many countries and is often used to target at-risk individuals like politicians and activists. 
    
*   Talos revealed a new threat actor we called “RA Group” targeting users globally, including companies in manufacturing, wealth management, insurance providers and pharmaceuticals. RA Group uses a modified version of the Babuk ransomware, which was leaked online in September 2021. 
    

*   Talos discloses the details of a botnet that’s been active for nearly three full years, “Horabot.” The actor delivers a known banking trojan and spam tool onto victim machines, specifically targeting Spanish-speaking users in North and South America. At the time, Talos believed the actor behind this botnet was located in Brazil. 
    
*   A month after the .zip top-level domain was released for the public to register, our researchers noticed attackers using it in scams designed to get users to leak sensitive information. As a result of user applications increasingly registering “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server. 
    

*   We discovered multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. Our research indicates that RedDriver has been active since at least 2021. This attack primarily targets Chinese-speaking users, and we suspected the creators of RedDriver are also native Chinese speakers. 
    
*   An unnamed actor started targeting government agencies in Ukraine and Poland, looking to steal sensitive information and setting up a backdoor for potential future attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) attributed attacks, first spotted in July, to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government. 
    

*   Talos’ Vulnerability Research team disclosed dozens of vulnerabilities that affect several small and home office (SOHO) routers. That team spent years on this research in the wake of the massive VPNFilter attack. Adversaries could chain together many of these vulnerabilities to directly access or those an adversary could chain together to gain elevated access to the devices. 
    
*   A new attacker appeared to use a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The actor, apparently of Vietnamese origins, was targeting users in targets Bulgaria, China, Vietnam and other countries since at least June. The new wrinkle to this ransomware attack is that the adversary asks the target to download the ransom note via their publicly available GitHub, rather than including some strings in the binary. 
    
*   The U.S. Department of Health and Human Services (HHS) released a warning to the healthcare industry about Rhysida ransomware activity. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site since then, causing the U.S. government to release a specific warning alerting hospital systems and doctor’s offices about the activity. Talos released several new Snort rules to detect the Rhysida ransomware and details on the actor’s TTPs, including a new ransom note in which they pose as a legitimate cybersecurity company.  
    
*   Talos discloses new information about the infamous Lazarus Group APT, including several new RATs they’re using in the wild. The North Korean state-sponsored actor targeted internet infrastructure and healthcare entities in Europe and the United States with what we called “QuietRAT.” Additional research into the group found that Lazarus Group is increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.  
    
*   SapphireStealer, an open-source information stealer, is disclosed after Talos observed the malware across public malware repositories with increasing frequency since its initial public release in December 2022. We assessed with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants. 
    

*   Talos discovered a new malware family we called “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant called “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Both tools are believed to be created and owned by the ShroudedSnooper threat actor, which built the intrusion set.  
    
*   Our researchers spot threat actors abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. These attacks specifically target graphic designers or other artists who use computers with exceptionally large graphics cards — thus making them more valuable for cryptocurrency mining.  
    

*   Cloudflare and other internet hosting providers reported what was considered the largest distributed denial-of-service attack ever. Though the actual attack occurred earlier in the year, the official disclosure came in October, including details of a vulnerability in the HTTP/2 protocol that the attackers exploited. Talos released an advisory about these attacks, urging users to patch immediately and releasing new Snort rules to detect the exploitation of CVE-2023-44487. 
    
*   YoroTrooper, which Talos initially reported on earlier in the year, started using new TTPs, including new obfuscation techniques and the use of commodity malware. The actor is likely operating out of Kazakhstan, but these new tactics were made to look as if their lure documents came from the government of Azerbaijan.  
    
*   Arid Viper, a threat actor believed to be based out of Gaza, is disclosed. The APT used malicious apps designed as software for the Android operating system to collect sensitive information from targets and deploy additional malware onto infected devices. Although Arid Viper is believed to be based out of Gaza, Cisco Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war, which also began in October. 
    

*   Talos identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure. Our researchers looked at observed Phobos activity and analyzed more than 1,000 Phobos samples from VirusTotal dating back to 2019. We found that the 8Base group was increasingly deploying variants of Phobos via the SmokeLoader backdoor. We also found indications that Phobos could be available as a pay-for ransomware-as-a-service model. 
    
*   Talos discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. SugarGh0st is believed to be a variant of the infamous Gh0st RAT, a years-old malware of Chinese origin. SugarGh0st is believed to be targeting users in Uzbekistan and South Korea. 
    

*   Talos releases the details of Project PowerUp, an effort from multiple teams across Cisco to create a new, bespoke hardware device used to protect Ukraine’s power grid. The modified IoT switches allow the country’s power grid to be protected against GPS-jamming attacks, which traditionally tried to disrupt the way timing on the network worked. CNN first wrote about these efforts, and Joe Marshall, Talos’ researcher who spearheaded the project, wrote a firsthand account for the Talos blog.  
    

For further analysis of the threat landscape trends in 2023, download your copy of the Talos Year in Review.

Year in Malware 2023: Recapping the major cybersecurity stories of the past year

By Deeba Ahmed
From WhatsApp to Telegram: New Twist on Old Scam Exploits Users for Money via YouTube Video Engagement.
This is a post from HackRead.com Read the original post: “Get Paid to Like Videos”? This YouTube Scam Leads to Empty Wallets

Beware! YouTube “Social Media Marketing” Scam Snatches Cash After Luring Users with Likes & Subscriptions.

Cybersecurity researchers at Bitdefender Labs have uncovered a new scam wherein users earn money by liking random YouTube videos. In this scam, threat actors send a message from an unknown number, usually beginning with an African country code, promising payment for liking videos on **YouTube**. 

Bitdefender researchers participated in one such scam for investigative purposes and found that scammers ask for personal information, including WhatsApp phone number, age, occupation, full name, and bank account number before asking the victim for likes and subscriptions.

Further, researchers were instructed to like three YouTube videos and send screenshots as proof. The researchers were then instructed to download Telegram, join a channel, and discuss payment with a receptionist. After providing the required data, researchers received a payment of 30 RON ($6.50). The scammer then promised additional daily tasks.

However, the scam’s second phase starts after the victim joins the Telegram channel. They are invited to join a VIP group for higher-earning tasks, which can only be unlocked for a fee, ranging from $21.66 to $1,083. Once the victim makes the payment, scammers block their number and stop communicating. Their Telegram channel features screenshots of payments made to victims to gain trust, highlighting the scammers’ intent.

According to Bitdefender Labs’ **blog post**, researchers found similar job listings on Facebook groups promoting remote work or lucrative pay for liking/subscribing to YouTube channels. One of the posts read, “Hello. I’m Lopez Digital Marketing at , do you want some extra income?

Scammers claim that users can make 30 RON by liking 3 videos and earn around 200-2,000 RON or more per day. One of the intros scammers posted with the offers read (translated in English from Romanian):

“We are a global multinational company and we are currently working as a social media team to increase the visibility of social media celebrities on YouTube and get paid by following and liking our celebrity YouTube accounts. We have to fill out the form to pay you a salary of 30 RON.”

Screenshots from the Telegram channel run by scammers reveal their efforts to prompt people to like a YouTube video about Romania, share payment invoices, and invite unsuspecting victims to join a VIP Telegram group. (Credit: BitDefender)

Although this isn’t the first time a scam is pitched to make money, this time, “victims actually get paid something,” which is “a highly successful tactic”, explained Bitdefender’s Cyber Threat Intelligence Lab’s Manager, Nicolae Postolachi.

That’s because it generates a sense of trust and convinces users to “invest” in becoming VIP members to earn easy money on effortless tasks such as liking YouTube videos.

Remember, there are no secret tools, apps, or platforms that enable easy money. To steer clear of scams on WhatsApp, exercise caution with recruiters who demand high payments for tasks like watching or liking YouTube videos, encourage users to download Telegram, or request upfront payments to unlock higher-paying opportunities.

If you fall victim, take screenshots, cease communication, block the user, and leave the Telegram group. Secure your accounts with strong passwords and **enable two-factor authentication**. Report the scam account to the social media platform, file a police report, and alert friends and family.

****_RELATED ARTICLES_****

1.  **Hackers used fake job website to scam jobless US veterans**
2.  **Fake Resumes, Real Malware: Hackers Target Job Recruiters**
3.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
4.  **Interpol Busts Human Traffickers Luring Victims with Fake Job Ads**
5.  **Hackers Used Fake LinkedIn Job to Hack Off $625M from Axie Infinity**

“Get Paid to Like Videos”? This YouTube Scam Leads to Empty Wallets

A list of topics we covered in the week of December 11 to December 17 of 2023

December 15, 2023 - PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.

December 15, 2023 - Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

December 14, 2023 - Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

December 14, 2023 - A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

December 14, 2023 - The ALPHV ransomware group appears to be going through some things.

 A week in security (December 11 &#8211; December 17) 

A buffer overflow in websockets in UnrealIRCd 6.1.0 through 6.1.3 before 6.1.4 allows an unauthenticated remote attacker to crash the server by sending an oversized packet (if a websocket port is open). Remote code execution might be possible on some uncommon, older platforms.

CVE-2023-50784: UnrealIRCd - The most widely deployed IRC server

A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

Attackers are exploiting a critical vulnerability in Apache Struts 2 that was patched recently. Struts is a very popular open source platform to develop applications and websites.

On December 7, 2023, Apache announced versions 6.3.0.2 and 2.5.33 of Struts were now available to address a potential security vulnerability listed as CVE-2023-50164.

The vulnerability affects Apache Struts versions:

*   2.0.0 through 2.5.32
*   6.0.0 through 6.3.0.1
*   2.0.0 through 2.3.37 (EOL, no longer supported)

The vulnerability that has a CVSS score of 9.8 out of 10, lies in the frameworks’ file upload functionality and can be exploited to achieve remote code execution (RCE). There is an easy to follow proof-of-concept (PoC) available, which makes it easier for cybercriminals to exploit the vulnerability.

Basically it’s a path traversal flaw that allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. The flaw is caused by parameter confusion, where an attacker can first capitalize a parameter in the request and then submit an additional parameter (in lowercase) that overrides an internal file name variable. That allows an attacker to bypass the built-in check and leave the path traversal payload in the final filename.

This allows a successful attacker to plant a web shell, a malicious script used by an attacker that allows them to escalate and maintain persistent access. In this case, the attacker gets the ability to write a server-side rendered file, such as a JSP (Jakarta Server Pages) file, into a target directory. The JSP payload is executed as soon as the attacker requests the file from the server and the server is compromised. Several international organizations like the Australian Cyber Security Centre (ACSC), the French Computer Emergency Response Team (CERT-FR), and content delivery giant Akamai are warning that they are seeing active exploitation.

_Tweet by Akamai_

Because of the relative ease-of-use, we can expect to see a lot more of these attacks.

**Update now**

Users and administrators are encouraged to review the Apache Security Bulletin and upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater. There are no workarounds.

According to Apache this is a drop-in replacement and upgrade should be straightforward. The new versions can be found on the Struts download page.

Besides updating, additional measures may include:

*   Sanitization checks on uploaded file data.
*   Limit server application permissions to allowed directories.
*   Track which applications in use within your environments are using Struts frameworks.
*   On internet facing Java systems monitor for newly created files outside directories where they are expected.
*   Continue to monitor the situation and respond to new information as it comes to light.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Recently-patched Apache Struts vulnerability used in worldwide attacks 

Ten years in, Microsoft’s DCU has honed its strategy of using both unique legal tactics and the company’s technical reach to disrupt global cybercrime and state-backed actors.

Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft's Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.

The DCU is fueled, of course, by Microsoft's massive scale and the visibility across the internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.

In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.

The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.

The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.

“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”

The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.

Still, the DCU's particular progression was the result of Microsoft's unique dominance during the rise of the consumer internet. As the group's mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU's unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.

“There's simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”

Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.

“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.

“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”

As the group has matured and expanded into all of these areas, Boscovich says, a “preoccupation with exposure to liability and risk” is another element of the work that keeps him up at night.

“You want to help, and you want to do all these things, but no good deed goes unpunished sometimes,” he says. “Sometimes, we would try to help someone—and to help them you kind of shut their computer down—and even though you’re trying to help them, their small business goes down. So how do you manage that? That’s always been the hardest part of my job. The legal creativity is cool, but how do I make sure that it’s acceptable risk and that we research everything so there’s no collateral damage?”

The legal strategies the group has focused on developing evolve as digital threats evolve. In 2016, the DCU began taking the approach of establishing a court “special master” when working on disruptions related to state-sponsored hacking. This judge-appointed official is a direct point of contact for ongoing cases and even remains active for years after a case has been officially closed, enabling the DCU to get court approval for infrastructure takedowns and other actions without having to file for new court orders.

“It allows us to stay on top of these threats and get an order within minutes,” Boscovich says. “We can accelerate the process of litigation almost to the speed of cyber.”

He also points out the challenge of taking action against threat actors given the professionalization of the cybercriminal ecosystem in recent years. Crime groups now operate as syndicates with different departments working on different aspects of carrying out crimes while also contracting with third parties for services they don't develop in-house.

“There’s a legal problem: How do you get a bunch of people doing separate activities into one complaint or one charge? They don’t always even know each other,” Boscovich says. To address this situation, the group worked on legal strategies under the US Racketeer Influenced and Corrupt Organizations Act (RICO), which is designed to focus on criminal organizations rather than individual criminal acts.

“These are the guys who developed the malware, brokered the malware, operate the malware, so we can put them all into one legal filing to bring them together,” he says. “Now that has become part of our legal game plan as well.”

As cybercriminal and state-backed hacking has continued to escalate, the DCU has expanded its collaborations with law enforcement and used its techniques during an ever-changing array of global crises. In 2016, for example, the group carried out its first disruption of a state actor, conducting takedowns related to Russia’s APT 28, known as Fancy Bear. The attackers had been using Microsoft-like domains in their notorious phishing rampages and disinformation campaigns related to that year’s US elections. In 2018, the group shared findings with the Delhi police about the actors behind 10 criminal call centers in India who were scamming victims in the US, Canada, the Netherlands, and Australia. The information-sharing resulted in 63 arrests. In 2020, the DCU seized domains used in pandemic-related cybercrime and also conducted takedowns against the notorious Trickbot ransomware group ahead of the 2020 US elections.

“We tend to think about it from the victim protection perspective,” says Amy Hogan-Burney, who oversees the DCU as Microsoft's general manager and associate general counsel of cybersecurity policy and protection. “I leave deterrence generally to governments, but what I always focus on is victim protection. That can be narrow, meaning a Microsoft customer or type of Microsoft customer, or it can be really broad—anyone who is using the internet who may be impacted by cybercrime.”

Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime


Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 



**Impact**

High

**Details**

Proprietary Code CVEs 

Description 

CVSS Base Score 

CVSS Vector String 

CVE-2023-44286 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. .  Exploitation may lead to information disclosure, session theft, or client-side request forgery. 

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-48668 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. 

8.2 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2023-44285  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44277  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-48667 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. 

7.2 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44279  

Dell PowerProtect DD , versions prior to 7.13.0.10,  LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44278 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110  contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44284 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. 

 4.3 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Proprietary Code CVEs 

Description 

CVSS Base Score 

CVSS Vector String 

CVE-2023-44286 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. .  Exploitation may lead to information disclosure, session theft, or client-side request forgery. 

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-48668 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. 

8.2 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2023-44285  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44277  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-48667 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. 

7.2 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44279  

Dell PowerProtect DD , versions prior to 7.13.0.10,  LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44278 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110  contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44284 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. 

 4.3 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed                    

Product 

Affected Versions 

Remediated Versions 

Link 

CVE-2023-44286,  CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances 

Dell PowerProtect DD Virtual Edition 

Dell APEX Protection Storage 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7 

For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):   
 

*   https://www.dell.com/support/kbdoc/ 000081247
    
*   https://www.dell.com/support/kbdoc/ 000014125525902 
    

6.2.1.100 and below 

6.2.1.110 and above 

CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 

Dell PowerProtect DD management Center 

7.0 to 7.12.0.0 

7.13.0.10 and above    
or    
7.10.1.15 and above to stay on LTS2023 7.10    
or     
7.7.5.25 and above to stay on LTS2022 7.7 

6.2.1.100 and below   

6.2.1.110 and above   

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284   
 

PowerProtect DP Series Appliance (IDPA): All Models 

2.7.4 and below 

2.7.6 and above 

Expected Availability: December 21, 2023   

 CVE-2023-44284 

PowerProtect Data Manager Appliance model: DM5500  

5.14 and below 

5.15.0.0 and above 

To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV\_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg 

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7    
 

Contact customer support to schedule the code update. 

For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): 

*   https://www.dell.com/support/kbdoc/000081247 
    
*   https://www.dell.com/support/kbdoc/000014125
    

6.2.1.100 and below 

6.2.1.110 and above  

CVEs Addressed                    

Product 

Affected Versions 

Remediated Versions 

Link 

CVE-2023-44286,  CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances 

Dell PowerProtect DD Virtual Edition 

Dell APEX Protection Storage 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7 

For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):   
 

*   https://www.dell.com/support/kbdoc/ 000081247
    
*   https://www.dell.com/support/kbdoc/ 000014125525902 
    

6.2.1.100 and below 

6.2.1.110 and above 

CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 

Dell PowerProtect DD management Center 

7.0 to 7.12.0.0 

7.13.0.10 and above    
or    
7.10.1.15 and above to stay on LTS2023 7.10    
or     
7.7.5.25 and above to stay on LTS2022 7.7 

6.2.1.100 and below   

6.2.1.110 and above   

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284   
 

PowerProtect DP Series Appliance (IDPA): All Models 

2.7.4 and below 

2.7.6 and above 

Expected Availability: December 21, 2023   

 CVE-2023-44284 

PowerProtect Data Manager Appliance model: DM5500  

5.14 and below 

5.15.0.0 and above 

To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV\_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg 

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7    
 

Contact customer support to schedule the code update. 

For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): 

*   https://www.dell.com/support/kbdoc/000081247 
    
*   https://www.dell.com/support/kbdoc/000014125
    

6.2.1.100 and below 

6.2.1.110 and above  

Additional, related information is available at this Knowledgebase article KB000220263: Additional Information Regarding DSA-2023-412: Dell PowerProtect DD Vulnerabilities.  

Expected availability dates are subject to change.

**Acknowledgements**

CVE-2023-44279: Dell Technologies would like to thank Rushank Shetty and Ryan Kane (Security Researchers at Northwestern Mutual) for reporting this issue. 

CVE-2023-44277, CVE-2023-44284, CVE-2023-44286: Dell Technologies would like to thank Jakub Brzozowski (redfr0g), Franciszek Kalinowski, and Stanisław Koza from STM Cyber for reporting these issues. 

CVE-2023-44285: Dell Technologies would like to thank Jens Krüger from SAP for reporting this issue. 

**Revision History**

Revision 

Date 

Description 

1.0 

2023-12-13

Initial Release 

2.0

2023-12-13 

Updated for enhancement no change to content

3.0

2023-12-13 

• Updated "Affected Product" section under "Article Properties"  
• Added Additional details stating "The downloads will be made available shortly"

4.0

2023-12-13

Added Additional Acknowledgement in "Acknowledgements" section

5.0

2023-12-13

• Corrected link in the "Affected Products and Remediation" Table   
• Removed Additional Details statement "The downloads will be made available shortly"   
• Updated "Affected Product section under "Article Properties"

6.0

2023-12-13

Updated "Affected Product section under "Article Properties"

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Data Backup & Protection Storage, Data Domain, PowerProtect Data Protection Appliance, PowerProtect Data Manager Appliance, DD3300 Appliance, Data Domain Deduplication Storage Systems, DD OS 6.2, DD OS, DD OS 6.0, DD OS 6.1, DD OS 7.0, DD OS 7.1 , DD OS 7.10, DD OS 7.11, DD OS 7.12, DD OS 7.2, DD OS 7.3, DD OS 7.4, DD OS 7.5, DD OS 7.6, DD OS 7.7, DD OS 7.8, DD OS 7.9, Data Domain Virtual Edition, DD2200 Appliance, DD6300 Appliance, DD6400 Appliance, DD6800 Appliance, DD6900 Appliance, DD9300 Appliance, DD9400 Appliance, DD9800 Appliance, DD9900 Appliance, Disk Library for mainframe, PowerProtect Data Domain Management Center, Integrated Data Protection Appliance Software, PowerProtect DM5500 ...

CVE-2023-44277: DSA-2023-412: Dell Technologies PowerProtect Security Update for Multiple Security Vulnerabilities

Red Hat Security Advisory 2023-7788-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7788.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:10 security updateAdvisory ID:        RHSA-2023:7788-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7788Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-5869====================================================================Summary: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5869References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247169

Red Hat Security Advisory 2023-7788-03

Red Hat Security Advisory 2023-7778-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7778.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:10 security updateAdvisory ID:        RHSA-2023:7778-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7778Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-5869====================================================================Summary: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5869References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247169

Red Hat Security Advisory 2023-7778-03

Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.

The AMD vulnerability sounds like something from back in the eighties:

> “A division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.”

And AMD’s mitigation advice basically boils down to “so don’t divide by zero,” which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.

The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and in severity listed as “Critical.”

MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target’s machine.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address multiple vulnerabilities in Adobe software.

*   Adobe Prelude
*   Adobe Illustrator
*   Adobe InDesign
*   Adobe Dimension
*   Adobe Experience Manager
*   Adobe Substance3D Stager
*   Adobe Substance3D Sampler
*   Adobe Substance3D After Effects
*   Adobe Substance3D Designer

**Android**: Google released the Android December 2023 security updates with a fix for a critical zero-day.

**Apache** released security updates to address a vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.

**Apple** issued emergency updates including patches for older iOS devices concerning two actively used zero-day vulnerabilities.

**SAP** released its December 2023 Patch Day updates.

**WordPress** released version 6.4.2 that addresses a remote code execution (RCE) vulnerability.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Tag

#sap