An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

CVE-2022-34832: XXE in AgileReporter 21.3 by VERMEG

As Israel increases its ground operation in Gaza, the last remaining internet and mobile connections have gone dark.

For more than three weeks, Gaza has faced an almost total internet blackout. The cables, cell towers, and infrastructure needed to keep people online have been damaged or destroyed as Israel launched thousands of missiles in response to Hamas attacking Israel and taking hundreds of hostages on October 7. Then, this evening, amid reports of heavy bombing in Gaza, some of the last remaining connectivity disappeared.

In the days after October 7, people living in Gaza have been unable to communicate with family or friends, leaving them unsure whether loved ones are alive. Finding reliable news about events has become harder. Rescue workers have not been able to connect to mobile networks, hampering recovery efforts. And information flowing out of Gaza, showing the conditions on the ground, has been stymied.

As the Israel Defense Forces said it was expanding its ground operations in Gaza this evening, internet connectivity fell further. Paltel, the main Palestinian communications company, has been able to keep some of its services online during Israel’s military response to Hamas’ attack. However, at around 7:30 pm local time today, internet monitoring firm NetBlocks confirmed a “collapse” in connectivity in the Gaza Strip, mostly impacting remaining Paltel services.

“We regret to announce a complete interruption of all communications and internet services within the Gaza Strip,” Paltel posted in a post on its Facebook page. The company claimed that bombing had “caused the destruction of all remaining international routes.” An identical post was made on the Facebook page of Jawwal, the region’s biggest mobile provider, which is owned by Paltel. Separately, Palestinian Red Crescent, a humanitarian organization, said on X (formerly Twitter) that it had lost contact with its operation room in Gaza and is “deeply concerned” about its ability to keep caring for people, with landline, cell, and internet connections being inaccessible.

“This is a terrifying development,” Marwa Fatafta, a policy manager focusing on the Middle East and North Africa at the digital rights group Access Now, tells WIRED. “Taking Gaza completely off the grid while launching an unprecedented bombardment campaign only means something atrocious is about to happen.”

A WIRED review of internet analysis data, social media posts, and Palestinian internet and telecom company statements shows how connectivity in the Gaza Strip drastically plummeted after October 7 and how some buildings linked to internet firms have been damaged in attacks. Photos and videos show sites that house various internet and telecom firms have been damaged, while reports from official organizations, including the United Nations, describe the impact of people being offline.

Damaged Lines

Around the world, the internet and telecoms networks that typically give web users access to international video calls, online banking, and endless social media are a complicated, sprawling mix of hardware and software. Networks of networks, combining data centers, servers, switches, and reams of cables, communicate with each other and send data globally. Local internet access is provided by a mix of companies with no clear public documentation of their infrastructure, making it difficult to monitor the overall status of the system as a whole. In Gaza, experts say, internet connectivity is heavily reliant on Israeli infrastructure to connect to the outside world.

Amid Israel’s intense bombing of Gaza, physical systems powering the internet have been destroyed. On October 10, the United Nations’ Office for the Coordination of Humanitarian Affairs (OCHA), which oversees emergency responses, said air strikes “targeted several telecommunication installations” and had destroyed two of the three main lines of communications going into Gaza.

The Destruction of Gaza’s Internet Is Complete

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. This is a bypass of the patch put in for CVE-2023-37679.

**Summary**

Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability, CVE-2023-43208. If you’re a user of Mirth Connect, you’ll want to upgrade to the latest patch release, 4.4.1, as of this writing.

**Background**

A few months ago, we came across an unauthenticated remote code execution vulnerability, CVE-2023-37679, affecting Mirth Connect that was reported by IHTeam. Mirth Connect is an interesting application for us at Horizon3.ai because a number of our clients are in the healthcare space and use this application. Healthcare companies are commonly targeted by ransomware threat actors, and this application has decent exposure on the Internet (about 1200+ unique hosts).

 

CVE-2023-37679 was reported to be fixed in Mirth Connect 4.4.0. In the release notes for 4.4.0, it was reported as only affecting Mirth Connect installs running on Java 8 or below. This caught our attention (why only Java 8?), and we started digging. We found that in fact, all installs of Mirth Connect, regardless of the Java version, were vulnerable. We also found that the patch for CVE-2023-37679 could be bypassed. We subsequently reported a new vulnerability to NextGen, tracked as CVE-2023-43208. The fix for CVE-2023-43208 is in 4.4.1.

**Impact**

This is an easily exploitable, unauthenticated remote code execution vulnerability. Attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data.

We are not releasing an exploit at this time, but the methods for exploitation (involving Java XStream) are well known and documented. We have verified that Mirth Connect versions going as far back as 2015/2016 are vulnerable.

On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user. Here’s an example of exploiting this vulnerability to run the ping command on a Windows host:

 

 

 

**Detection**

The version of the Mirth Connect server can be determined as follows:

% curl  -k -H 'X-Requested-With: OpenAPI' https://<server>:<port>/api/server/version  
4.4.0

Any server reporting a version less than 4.4.1 is highly likely to be exploitable.

**Remediation**

We urge all users of Mirth Connect, especially instances that are Internet-facing, to prioritize updating to 4.4.1 ASAP.

**Timeline**

*   **Sept. 8, 2023**: Horizon3.ai sends initial report to NextGen
*   **Sept. 8, 2023**: NextGen acknowledges receipt
*   **Oct. 6, 2023**: NextGen provides Horizon3.ai a test build for 4.4.1
*   **Oct. 13, 2023**: Horizon3.ai completes testing/review of test build
*   **Oct. 17, 2023**: NextGen releases 4.4.1
*   **Oct. 25, 2023**: This post

We’d like to thank NextGen for the prompt handling of this vulnerability, and a hat tip to IHTeam for discovering the original issue.

**References**

*   Mirth Connect on GitHub
*   Mirth Connect 4.4.1 Release Notes
*   CVE-2023-43208
*   IHTeam Advisory for CVE-2023-37679
*   CVE-2023-37679

**Sign up for a free trial and quickly verify you’re not exploitable.**

Start Your Free Trial

CVE-2023-43208: NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208)

Incorrect Permission Assignment for Critical Resource in GitHub Enterprise Server that allowed local operating system user accounts to read MySQL connection details including the MySQL password via configuration files. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.7.18, 3.8.11, 3.9.6, and 3.10.3.


CVE-2023-23767: Release notes - GitHub Enterprise Server 3.9 Docs

The popularity of Brazil's PIX instant payment system has made it a lucrative target for threat actors looking to generate illicit profits using a new malware called GoPIX.
Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off using malicious ads that are served when potential victims search for "WhatsApp web" on search engines.
"The

The popularity of Brazil's PIX instant payment system has made it a lucrative target for threat actors looking to generate illicit profits using a new malware called **GoPIX**.

Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off using malicious ads that are served when potential victims search for "WhatsApp web" on search engines.

"The cybercriminals employ malvertising: their links are placed in the ad section of the search results, so the user sees them first," the Russian cybersecurity vendor said. "If they click such a link, a redirection follows, with the user ending up on the malware landing page."

As other malvertising campaigns observed recently, users who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots, and others not deemed to be genuine victims.

This is accomplished by using a legitimate fraud prevention solution known as IPQualityScore to determine if the site visitor is a human or a bot. Users who pass the check are displayed a fake WhatsApp download page to trick them into downloading a malicious installer.

In an interesting twist, the malware can be downloaded from two different URLs depending on whether port 27275 is open on the user's machine.

"This port is used by the Avast safe banking software," Kaspersky explained. "If this software is detected, a ZIP file is downloaded that contains an LNK file embedding an obfuscated PowerShell script that downloads the next stage."

Should the port be closed, the NSIS installer package is directly downloaded. This indicates that the additional guardrail is set up explicitly to bypass the security software and deliver the malware.

The main purpose of the installer is to retrieve and launch the GoPIX malware using a technique called process hollowing by starting the svchost.exe Windows system process in a suspended state and injecting the payload into it.

GoPIX functions as a clipboard stealer malware that hijacks PIX payment requests and replaces them with an attacker-controlled PIX string, which is retrieved from a command-and-control (C2) server.

"The malware also supports substituting Bitcoin and Ethereum wallet addresses," Kaspersky said. "However, these are hardcoded in the malware and not retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the machine."

This is not the only campaign to target users searching for messaging apps like WhatsApp and Telegram on search engines.

In a new set of attacks concentrated in the Hong Kong region, bogus ads on Google search results have been found to redirect users to fraudulent lookalike pages that urge users to scan a QR code to link their devices.

"The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp," Jérôme Segura, director of threat intelligence at Malwarebytes, said in a Tuesday report.

As a result, the threat actor's device gets linked to the victim's WhatsApp accounts, granting the malicious party complete access to their chat histories and saved contacts.

Malwarebytes said it also discovered a similar campaign that uses Telegram as a lure to entice users into downloading a counterfeit installer from a Google Docs page that contains injector malware.

The development comes as Proofpoint revealed that a new version of the Brazilian banking trojan dubbed Grandoreiro is targeting victims in Mexico and Spain, describing the activity as "unusual in frequency and volume."

The enterprise security firm has attributed the campaign to a threat actor it tracks as TA2725, which is known for using Brazilian banking malware and phishing to single out various entities in Brazil and Mexico.

The targeting of Spain points to an emerging trend wherein Latin American-focused malware are increasingly setting their sights on Europe. Earlier this May, SentinelOne uncovered a long-running campaign undertaken by a Brazilian threat actor to target over 30 Portuguese banks with stealer malware.

Meanwhile, information stealers are flourishing in the cybercrime economy, with crimeware authors flooding the underground market with malware-as-a-service (MaaS) offerings that provide cybercriminals with a convenient and cost-effective means to conduct attacks.

What's more, such tools lower the entry barrier for aspiring threat actors who may lack technical expertise themselves.

The latest to join the stealer ecosystem is Lumar, which was first advertised by a user named Collector on cybercrime forums, marketing its capabilities to capture Telegram sessions, harvest browser cookies and passwords, retrieve files, and extract data from crypto wallets.

"Despite having all these functionalities, the malware is relatively small in terms of size (only 50 KB), which is partly due to the fact that it is written in C," Kaspersky noted.

"The emerging malware is often advertised on the dark web among less skilled criminals, and distributed as MaaS, allowing its authors to grow rich quickly and endangering legitimate organizations again and again."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malvertising Campaign Targets Brazil's PIX Payment System with GoPIX Malware

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: hong kong

Tags: malware

Tags: whatsapp

Tags: telegram

Ads on Google for popular communication apps are used as a lure to compromise the devices of people from Hong Kong.



(Read more...)




The post Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram appeared first on Malwarebytes Labs.

Malvertising is a powerful malware or scam delivery mechanism that makes it easy to target specific geographies or even users. A recent article from the South China Morning Post discussed an increase in malicious webpages for the popular WhatsApp communication tool, driven via malicious Google ads. The paper described how these ads appeared to be exclusively targeted at people from Hong Kong and have caused losses of about USD$300K last month.

We started investigating this situation and were able to identify what may be a similar campaign. The decoy sites we saw used a similar page than the web version of WhatsApp to trick victims into scanning a QR code to link their new device. Instead, it wasn't the user's device that was added to the WhatsApp account, but rather the threat actor's.

We also found another campaign using an ad for messaging tool Telegram, to lure victims into downloading a malicious version of the program. Again, this attack was targeted at residents of Hong Kong.

We have reported the malicious ads to Google and worked with partners to take down the infrastructure used in these campaigns.

**Malicious WhatsApp ad leads to QR code page**

Just like the South China Morning Post stated that users were seeing malicious ads for WhatsApp, we were able to find one immediately after switching our online profile to use a Hong Kong IP address:

The text of the ad reads as follows (translated from Chinese):

_WhatsApp New Version - WhatsApp Official Authorization_

_We are constantly updating and launching various fun and interesting functions as well as safe and reliable communication applications. Welcome to download and experience it. The cross-platform application brings you a reliable experience, and you can send private messages to your friends at any time._

Clicking on the ad leads to a convincing lookalike site in Chinese that pretends to be WhatsApp Web:

What's interesting, and works well as a lure, is the fact that WhatsApp is not just a mobile phone app, but does indeed have a web version for computers as well. The real domain for it is hosted at web.whatsapp.com and also uses a QR code to add a linked device to your account. What this means is that you can use WhatsApp on your PC or Mac after you scan the QR code and authorize that new device from your phone.

The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp:

The domain used to generate those QR codes (lawrencework\[.\]com) was registered just two days ago. A search on urlscan.io reveals that it is associated with several other fake WhatsApp pages. We tested the QR code by adding it from a burner phone with a brand new WhatsApp account without any previous linked devices. A few seconds later, we saw a new device was added (Google Chrome running on Mac OS):

While we could not get more information (IP address, geolocation) about this new device, we knew it was not ours. When you link a new device to your WhatsApp account, the saved chat history is synced to it. This means that an attacker can essentially read your entire past and future conversations and has access to your saved contacts.

**Telegram ad links to malware**

The second ad we saw related to this campaign was using Telegram as a lure. We know it is related to the above WhatsApp attack because the ad is from the same advertiser.

The text of the ad reads as follows (translated from Chinese):

_telegram official website – telegram Chinese version – telegram download Telegram Chinese version is a Telegram client specially developed for Chinese users. Welcome to the Chinese channel, a new era of information, delivering more exciting information_

It links to a Google Docs page pretending to be a download site:

_Telegram instant messaging - simple, fast, secure and syncs across all your devices. It is one of the most downloaded apps in the world, with over 500 million active users. The latest official Telegram Chinese computer version TG-Chinese version: Click to download TG-PC: Click to download_

The two links (identical) download an MSI installer from the following URL:

kolunite.oss-ap-southeast-7.aliyuncs\[.\]com/HIP-THH-19-1.msi

This installer has been injected with malware, which we can see once we execute it:

**Targeted malvertising and motives**

These two campaigns abusing the WhatsApp and Telegram brands could be used for a variety of reasons. We did not investigate further what the ultimate ploy was, although both lead to data theft, impersonation and malware. The threat actor could use any private information from past conversations, phish the victim's contacts and much more.

This was our first foray into malvertising attacks targeted at Hong Kong. Given that this special administrative region of the People's Republic of China has a long history of tensions with Beijing, we could not help but think that malvertising campaigns such as these could be used for political reasons, although we saw no evidence of it.

Linking additional devices via QR code is a useful feature but it can also easily be abused. It's important to be cautious when scanning QR codes by verifying which site is issuing those. It's a good idea to periodically check which devices have access to your accounts, and revoke any that you don't recognize.

_Thanks to Nathan Collier for the assist with the QR code scanning on Android._

**Indicators of Compromise**

Malicious WhatsApp domains

uaa.vvg2rt\[.\]top  
wss.f8ddcc\[.\]com

QR code hostname

119srv\[.\]lawrencework\[.\]com

Telegram MSI URL

kolunite.oss-ap-southeast-7.aliyuncs\[.\]com/HIP-THH-19-1.msi

Telegram MSI

36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b

Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram

Red Hat Security Advisory 2023-6069-01 - An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6069.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python39:3.9 and python39-devel:3.9 security updateAdvisory ID:        RHSA-2023:6069-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6069Issue date:         2023-10-24Revision:           01CVE Names:          CVE-2023-40217====================================================================Summary: An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: TLS handshake bypass (CVE-2023-40217)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-40217References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6069-01

An EU government body is pushing a proposal to combat child sexual abuse material that has significant privacy implications. Its lead advocate is making things even messier.

Danny Mekić, an Amsterdam-based PhD researcher, was studying a proposed European law meant to combat child sexual abuse when he came across a rather odd discovery. All of a sudden, he started seeing ads on X, formerly Twitter, that featured young girls and sinister-looking men against a dark background, set to an eerie soundtrack. The advertisements, which displayed stats from a survey about child sexual abuse and online privacy, were paid for by the European Commission.

Mekić thought the videos were unusual for a governmental organization and decided to delve deeper. The survey findings highlighted in the videos suggested that a majority of EU citizens would support the scanning of all their digital communications. Following closer inspection, he discovered that these findings appeared biased and otherwise flawed. The survey results were gathered by misleading the participants, he claims, which in turn may have misled the recipients of the ads; the conclusion that EU citizens were fine with greater surveillance couldn’t be drawn from the survey, and the findings clashed with those of independent polls.

The micro-targeting ad campaign categorized recipients based on religious beliefs and political orientation criteria—all considered sensitive information under EU data protection laws—and also appeared to violate X’s terms of service. Mekić found that the ads were meant to be seen by select targets, such as top ministry officials, while they were concealed from people interested in Julian Assange, Brexit, EU corruption, Eurosceptic politicians (Marine Le Pen, Nigel Farage, Viktor Orban, Giorgia Meloni), the German right-wing populist party AfD, and “anti-Christians.”

Mekić then found out that the ads, which have garnered at least 4 million views, were only displayed in seven EU countries: the Netherlands, Sweden, Belgium, Finland, Slovenia, Portugal, and the Czech Republic.

At first, Mekić could not figure out the country selection, he tells WIRED, until he realized that neither the timing nor the purpose of the campaign was accidental. The Commission’s campaign was launched a day after the EU Council met without securing sufficient support for the proposed legislation Mekić had been studying, and the targeted counties were those that did not support the draft.

The legislation in question is a controversial proposal by the EU Commission known as Chat Control or CSA Regulation (CSAR) that would obligate digital platforms to detect and report any trace of child sexual abuse material on their systems and in their users’ private chats, covering platforms such as Signal, WhatsApp, and other messaging apps. Digital rights activists, privacy regulators, and national governments have strongly criticized the proposal, which the European data protection supervisor (EDSR) Wojciech Wiewiorowski said would amount to “crossing the Rubicon” in terms of mass surveillance of EU citizens.

“I think it is fair to say that this was an attempt to influence public opinion in countries critical of the indiscriminate scanning of all digital communications of all EU citizens and to put pressure on the negotiators of these countries to agree to the legislation,” says Mekić. “If the European Commission, a significant institution in the EU, can engage in targeted disinformation campaigns, it sets a dangerous precedent.”

The Dutch researcher’s find adds to the controversy surrounding the Commission, which has recently come under fire due to allegations that certain AI firms and advocacy groups with significant financial backing have had a notable level of influence over the shaping of CSAR—allegations that lead Commissioner Ylva Johansson countered, asserting that she had committed no wrongdoing. Johansson’s office did not respond to WIRED’s request for comment.

“There’s an inexplicable obsession with this file \[CSAR\] in the Commission. I don’t know where that comes from,” EU lawmaker Sophie in ’t Veld told WIRED after she submitted a priority parliamentary question on the case. “Why are they doing \[the campaign\] while the legislative process is still ongoing?”

As the pressure on the Commission has been mounting, Johansson lashed out against the influential civil rights nonprofit European Digital Rights, one of the strongest critics of the legislation and a defender of end-to-end encryption. She referred to its funding from Apple, suggesting EDRi was laundering the company’s talking points. “Apple was accused of moving encryption keys to China, which critics say could endanger customer data. Yet no one asks if these are strange bedfellows, no one assumes Apple is drafting EDRI’s speaking points,” she noted in a Commission blog on October 13.

Referring to EDRi’s independence and transparent funding processes, senior policy adviser Ella Jakubowska tells WIRED: “Attempts to delegitimize civil society suggest a worrying effort to silence critical voices, in line with broader trends of shrinking civic space. When both the content and the process regarding this law are so troubling, we need to ask how the European Commission allowed it to reach this point.”

Adding to the Commission’s conspicuous ad campaign, Mekić’s discovery came on the same day the European Commission formally sent X a request for information under the Digital Services Act, the sweeping EU digital disinformation law, following indications of “spreading of illegal content and disinformation” on the platform.

“The Commission’s ability to enforce the DSA could be undermined if their own services are willing to flagrantly disregard these rules. Whilst the DSA is supposed to rein in the power of big tech, the CSA Regulation would force digital service providers to become a privatized police force in all our online chats, emails, and messages,” says Jakubowska. “It’s hard to see how these regimes can coexist or more broadly, how the EU can uphold fundamental human rights if it passes a law which could violate the essence of certain rights.”

The votes in the European Parliament and EU Council are still pending. “The Commission seems to forget its own role here: It is not a legislator. It only has the prerogative of proposing legislation,” says in ’t Veld. “It has no business interfering in the internal debate, neither in the Council nor in the European Parliament. The Commission is completely out of bounds here.”

Commenting on the negotiations, the outcome of which remains uncertain, EDRi’s Jakubowska observed that “it is reassuring to see that many lawmakers are alert to just how terrifying it would be for the EU to endorse a proposal that in essence amounts to distributed spyware on everyone’s devices.”

As far as the contested ad campaign is concerned, Wiewiorowski, the European data protection supervisor, initiated a pre-investigation requesting from the Commission “information related to the described use of microtargeted ads,” with a response due by the end of last week. Wiewiorowski’s office declined WIRED’s request to comment on the potential for a formal investigation.

Ironically, Danny Mekić now believes he’s been shadowbanned by X, alongside other journalists, scientists, and researchers who have been critical of CSAR. X did not respond to WIRED’s request for comment.

“I haven’t received any response from X,” Mekić says. “Steps are currently being taken to find out what caused this and whether it was an algorithmic or human decision or whether it was done at the request of so-called trusted flaggers—such as, for example, the European Commission itself, or one of the organizations involved in the CSAR lobby.”

A Controversial Plan to Scan Private Messages for Child Abuse Meets Fresh Scandal

A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.

In the latest in the saga of compromise involving a max-critical Cisco bug that has been exploited as a zero-day as users waited for patches, several security researchers reported observing a sharp decline in the number of infected Cisco IOS XE systems visible to them over the weekend. 

The drop sparked a range of theories as to why, but researchers from Fox-IT on Oct. 23 identified the real reason as having to do with the attacker simply altering the implant, so it is no longer visible via previous fingerprinting methods.

By way of background: The main bug being used in the exploit chain exists in the Web UI of IOS XE (CVE-2023-20198). It ranks 10 out of 10 on the CVSS vulnerability-severity scale, and gives unauthenticated, remote attackers a way to gain initial access to affected devices and create persistent local user accounts on them. 

The exploit method also involves a second zero-day (CVE-2023-20273), which Cisco only discovered while investigating the first one, which allows the attacker to elevate privileges to root and write an implant on the file system. Cisco released updated versions of IOS XE addressing the flaws on Oct. 22, days after disclosure, giving cyberattackers ample opportunity to go after legions of unpatched systems.

**Sudden Decline in Compromised Systems**

And go after them they did. Security researchers using Shodan, Censys, and other tools last week reported observing what appeared to be a single threat actor infecting tens of thousands of affected Cisco IOS XE devices with an implant for arbitrary code execution. The implants are not persistent, meaning they won't survive a device reboot.

A sudden and dramatic drop over the weekend in the number of compromised systems visible to researchers caused some to speculate if an unknown grey-hat hacker was quietly removing the attacker's implant from infected systems. Others wondered if the attacker had moved to another exploit phase, or was doing some sort of clean-up operation to conceal the implant. Another theory was that the attacker was using the implant to reboot systems to get rid of the implant.

But it turns out that nearly 38,000 remain compromised via the two recently disclosed zero-day bugs in the operating system, if one knows where to look.

**Altered Cisco Implant**

"We have observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding," the Fox-IT researchers said on X, the platform formerly known as Twitter. "This explains the much-discussed plummet of identified compromised systems in recent days." 

By using another fingerprinting method to look for compromised systems, Fox-IT said it identified 37,890 devices with the attackers implant still on them. 

"We strongly advise everyone that has (had) a Cisco IOS XE WebUI exposed to the Internet to perform a forensic triage," the company added, pointing to its advisory on GitHub for identifying compromised systems.

Researchers from VulnCheck who last week reported seeing thousands of infected systems, were among those who found the compromised devices suddenly disappearing from view over the weekend. CTO Jacob Baines, who initially was among those unsure about what might have happened, says Fox-IT's take on what happened is correct.

"Over the weekend the attackers changed the way the implant is accessed so the old scanning method was no longer usable," Baines says. "We've just recently altered our scanner to use the new method demonstrated by Fox-IT, and we are seeing essentially what we saw last week: thousands of implanted devices."

Cisco updated its guidance for detecting the implant on October 23. In a statement to Dark Reading, the company said it released the new indicators of compromise after uncovering a variant of the implant that hinders the identification of compromised systems. "We strongly urge customers to implement the guidance and install the security fix outlined in Cisco’s updated security advisory and Talos blog," the company said.

**Puzzling Cyberattacker Motivations**

Baines says the attacker's motivation for altering the implant is puzzling and completely unexpected. "I think normally, when an attacker is caught, they go quiet and revisit the affected systems when the dust has settled."

In this case, the attacker is attempting to maintain access to implants that dozens of security companies now know exist. 

"To me, it seems like a game they can't win," Baines says. "It seems this username/password update must be a short-term fix so that they can either hold on to the systems for a few more days — and accomplish whatever goal — or just a stopgap until they can insert a more stealthy implant."

Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices

What cloud service providers need to know to prepare for FedRAMP Baselines Rev. 5, as documented in the new Transition Guide.

On May 30, 2023, the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board approved new Revision 5 (Rev. 5) baselines. The new baselines align with the National Institute of Standards and Technology's (NIST) "Special Publication (SP) 800-53 Rev. 5" and "SP 800-53B Control Baselines for Information Systems and Organizations."

This article covers high-level information that cloud service providers (CSPs) need to know to prepare for their transition to FedRAMP Rev. 5, as documented in the "FedRAMP Baselines Rev. 5 Transition Guide."

**What's Changing in FedRAMP?**

The FedRAMP baseline security controls, documentation, and templates were updated to reflect changes in NIST SP 800-53, Rev. 5. This means the two programs will better align with each other.

FedRAMP has also added guidance for many of its controls. There is a new control family, Supply Chain Risk Management. The baselines also require a higher configuration management level of diligence and increased focus on privacy and customization for agency requirements.

Along with these changes, FedRAMP includes "integration of new privacy considerations, notable control families, and guidance not featured in Rev. 4," as well as "changes to the control totals," according to IT attestation and compliance firm Schellman.

However, program management (PM) controls remain an agency responsibility and are not reflected in the updated baselines.

**How CSPs Can Transition to FedRAMP Rev. 5**

Your transition timeline will vary depending on your organization. To begin, identify your current FedRAMP authorization phase. There are three phases outlined in the Rev. 5 transition guide: planning, initiation, and continuous monitoring. Each phase has detailed instructions on the next steps, including an overall timeline; refer to the "Transition Guide" for further information.

**Develop a Schedule**

To transition to Rev. 5, you need to develop a schedule demonstrating your transition plan, called a Plan of Action and Milestones (POA&M). Major milestone activities listed in the "Transition Guide" are:

1.  **CSP:** Complete a new Rev. 5 System Security Plan (SSP) and appendices (which, along with the other documents listed below, can be found on the FedRAMP Documents and Templates page).
2.  **Assessor:** Complete the Security Assessment Plan (SAP) template.
3.  **CSP and Assessor:** Submit the SSP and SAP to your FedRAMP Joint Authorization Board (JAB) Point of Contact (POC) or agency authorizing official (AO) for approval.
4.  **Assessor:** Conduct testing.
5.  **Assessor:** Complete the Security Assessment Report (SAR) template.
6.  **CSP and Assessor:** Submit the SAR, POA&M, attachments, and updated SSP to the FedRAMP JAB POC or agency AO.

**Update Your Documentation**

Included in Rev. 5 are new, updated templates for the SSP and attachments, provided by the FedRAMP project management office (PMO). You must complete a new authorization package based on the updated templates.

**Determine the Scope of Your Assessment**

The scope of your assessment will depend on your determination of specific FedRAMP NIST SP 800-53 Rev. 5 controls that require an assessor to test. According to the "Transition Guide," all new or modified requirements must be tested and, depending on CSP-specific implementations and continuous monitoring activities, other control testing may be required.

**Control selection process:** FedRAMP provides in-depth worksheets and information for the control selection process. The main template, the "FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template," is categorized into High, Moderate, and Low — just like FedRAMP impact levels.

The template, which comes in the form of a spreadsheet, contains four worksheets: Rev. 5 List of Controls, Conditional Controls, CSP-Specific Controls, and Inherited Controls. You can find more information on these worksheets and how to use them in the "Transition Guide."

**Complete the Security Assessment**

While there are quite a few differences between FedRAMP Rev. 4 and Rev. 5, assessors will perform the same processes and procedures for a FedRAMP Rev. 5 assessment. The scope of the assessment will differ based on the organization. Testing will require using the FedRAMP Rev. 5 Test Case templates, which can be found in Section 6, FedRAMP Rev. 5 Test Cases (available on the FedRAMP templates page), as well as the requirements outlined in the "Continuous Monitoring Strategy Guide."

To complete your security assessment, you must: define your processes, procedures, and methodologies for testing in your SAP; define the processes, procedures, and methodologies used in testing as required and document the results of the tests in your SAR; and have your assessor prepare and submit the relevant FedRAMP Security Assessment Test Cases as part of the SAR.

**Complete the POA&M**

To complete your POA&M, you will need to use the "FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide." All residual risks listed in your SAR will need a defined plan for remediation. In the POA&M, you also need to include known risks identified by the third-party assessment organization (3PAO) associated with your platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) systems.

**Learn More**

Tackling FedRAMP Rev. 5 can be overwhelming, but there are governance, risk, and compliance (GRC) tools available to help you get a full repository of your controls, track your progress against the framework, and streamline assessments using automated evidence collection. FedRAMP also provides training and educational forums specific to the Rev. 5 updates and transition process for those looking for additional support. You can also join the FedRAMP subscriber list to receive program updates, important reminders, blog announcements, and the monthly PMO Newsletter to stay up to date on the latest FedRAMP changes.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member. He focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

Tag

#sap