Ubuntu Security Notice 6738-1 - Fabian Bäumer, Marcus Brinkmann, and Joerg Schwenk discovered that LXD incorrectly handled the handshake phase and the use of sequence numbers in SSH Binary Packet Protocol. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass integrity checks.

    ==========================================================================Ubuntu Security Notice USN-6738-1April 22, 2024lxd vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:LXD could be made to bypass integrity checks if it received specially craftedinput.Software Description:- lxd: Container hypervisor based on LXCDetails:Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that LXDincorrectly handled the handshake phase and the use of sequence numbers in SSHBinary Packet Protocol (BPP). If a user or an automated system were trickedinto opening a specially crafted input file, a remote attacker could possiblyuse this issue to bypass integrity checks.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):   lxd                             3.0.3-0ubuntu1~18.04.2+esm1   lxd-client                      3.0.3-0ubuntu1~18.04.2+esm1   lxd-tools                       3.0.3-0ubuntu1~18.04.2+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   golang-github-lxc-lxd-dev       2.0.11-0ubuntu1~16.04.4+esm1   lxc2                            2.0.11-0ubuntu1~16.04.4+esm1   lxd                             2.0.11-0ubuntu1~16.04.4+esm1   lxd-client                      2.0.11-0ubuntu1~16.04.4+esm1   lxd-tools                       2.0.11-0ubuntu1~16.04.4+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6738-1   CVE-2023-48795

Ubuntu Security Notice USN-6738-1

Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

_By Joey Chen, Chetan Raghuprasad and Alex Karkins._ 

*   Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.
*   Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.
*   This campaign uses the Content Delivery Network (CDN) cache domain as a download server, hosting the malicious HTA file and payload. 
*   Talos assesses with moderate confidence that the threat actor CoralRaider operates the campaign. We observed several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine.  

**Victimology and actor infrastructure**

The campaign affects victims across multiple countries, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey, based on our telemetry data and OSINT information. Our telemetry also disclosed that some affected users were from Japan’s computer service call center organizations and civil defense service organizations in Syria. The affected users were downloading files masquerading as movie files through the browser, indicating the possibility of a widespread attack on users across various business verticals and geographies.

We observe that this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay. The actor is using the CDN cache as a download server to deceive network defenders. 

CDN edge URLs 

Information Stealer

hxxps\[://\]techsheck\[.\]b-cdn\[.\]net/Zen90

Cryptbot

hxxps\[://\]zexodown-2\[.\]b-cdn\[.\]net/Peta12

Cryptbot

hxxps\[://\]denv-2\[.\]b-cdn\[.\]net/FebL5

Cryptbot, Rhadamanthys

hxxps\[://\]download-main5\[.\]b-cdn\[.\]net/BSR\_v7IDcc

Rhadamanthys

hxxps\[://\]dashdisk-2\[.\]b-cdn\[.\]net/XFeb18

Cryptbot

hxxps\[://\]metrodown-3\[.\]b-cdn\[.\]net/MebL1

Cryptbot

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/MebL1

Cryptbot, LummaC2

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/SAq2

LummaC2

Talos discovered that the actor is using multiple C2 domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing. 

**Tactics, techniques and procedures overlap with other campaigns **

Talos assesses with moderate confidence that threat actor CoralRaider is likely operating this campaign based on several overlaps in the TTPs used and the targeted victims’ geography of this campaign with that of the CoralRaider’s Rotbot campaign. We spotted that the PowerShell scripts used in the attack chain of this campaign to decrypt the PowerShell scripts of further stages and the downloader PowerShell script are similar to those employed in the Rotbot’s campaign.

PowerShell decryptor script of Rotbot campaign (left) and new unknown campaign (right).

String decrypt and download routine of Rotbot campaign (Left) and new unknown campaign (right).

The Powershell script did not appear in any public repository or article, indicating the threat actor likely developed these PowerShell scripts. Pivoting on the PowerShell argument embedded in the LNK file showed us that such arguments are not popular and likely specific to the actor and the campaign.  

.(gp -pa 'HKLM:\\SOF\*\\Clas\*\\Applications\\msh\*e').('PSChildName')

**Multi-stage infection chain to deliver the payload **

The infection chain starts when a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by download technique, according to our telemetry. The threat actor is likely delivering malicious links to victims through phishing emails.

The Windows shortcut file has an embedded PowerShell command running a malicious HTA file on attacker-controlled CDN domains. HTA file executes an embedded Javascript, which decodes and runs a PowerShell decrypter script. PowerShell decrypter script decrypts the embedded PowerShell Loader script and runs it in the victim’s memory. The PowerShell Loader executes multiple functions to evade the detections and bypass UAC, and finally, it downloads and runs one of the payloads, Cryptbot, LummaC2 or Rhadamanthys information stealer.

**Windows Shortcut file to execute the malicious HTA file**

Windows shortcut file runs a PowerShell command to download and run an HTML application file on the victim’s machine. The threat actor has used “gp,” a PowerShell command alias for Get-ItemProperty, to read the registry contents of the application classes registry key and gets the executable name “mshta.exe.” Using mshta.exe, the PowerShell instance executes the remotely hosted malicious HTA file on the victim’s machine. 

**Obfuscated HTA runs embedded PowerShell decrypter  **

The malicious HTML application file is heavily obfuscated and has a Javascript that decodes and executes a function using the String fromCharCode method. The decoded function then executes an embedded PowerShell decryptor script. 

The decryptor PowerShell script has a block of AES-encrypted string. Using the AES decryptor function, it generates an AES key of 256 bytes from a base64 encoded string “RVRVd2h4RUJHUWNiTEZpbkN5SXhzUWRHeFN4V053THQ=” and the IV “AAAAAAAAAAAAAAAA.” With the key and IV, it decrypts and executes the next stage of the PowerShell Loader script. 

**PowerShell loader downloads and runs the payload**

The PowerShell loader script is modular and has multiple functions to perform a sequence of activities on the victim’s machine. Initially, it executes a function that drops a batch script in the victim machine’s temporary folder and writes its contents, which includes the PowerShell command to add the folder “ProgramData” of the victim machine to the Windows Defender exclusion list. 

The dropped bath script is executed through a living-off-the-land binary (LoLBin) “FoDHelper.exe” and a Programmatic Identifiers (ProgIDs) registry key to bypass the User Access Controls (UAC) in the victim’s machine. Fodhelper is a Windows feature, an on-demand helper binary that runs by default with high integrity. Usually, when the FodHelper is run, it checks for the presence of the registry keys listed below. If the registry keys have commands assigned, the FodHelper will execute them in an elevated context without prompting the user. 

HKCU:\Software\Classes\ms-settings\shell\open\command

HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

Windows Defender, by default, detects if there are attempts to write to the registry keysHKCU:\Software\Classes\ms-settings\shell\open\command and to evade this detection, the threat actor uses the programmatic identifier (ProgID). In Windows machines, a programmatic identifier (ProgID ) is a registry entry that can be associated with a Class ID (CLSID ), which is a globally unique serial number that identifies a COM (Component Object Model) class object. The Windows Shell uses a default ProgID registry key called CurVer, which is used to set the default version of a COM application. 

In this campaign, the threat actor abuses the “CurVer” registry key feature by creating a custom ProgID “ServiceHostXGRT” registry key in the software classes registry and assigns the Windows shell to execute a command to run the batch script. 

Registry Key

"HKCU\\Software\\Classes\\ServiceHostXGRT\\Shell\\Open\\command"

Value

%temp%\\r.bat 

The script configures the ProgID ServiceHostXGRT in the CurVer registry subkey of HKCU\Software\Classes\ms-settings\CurVer, which will get translated to HKCU:\Software\Classes\ms-settings\shell\open\command. After modifying the registry settings, the PowerShell script runs FoDHelper.exe, executing the command assigned to the registry key HKCU:\Software\Classes\ms-settings\shell\open\command and executing the dropped batch script. Finally, it deletes the configured registry keys to evade detection. 

The batch script adds the folder “C:\\ProgramData” to the Windows Defender exclusion list. The PowerShell loader script downloads the payload and saves it in the “C:\\ProgramData” folder as “X1xDd.exe.”

After downloading the payload to the victim’s machine, the PowerShell loader executes another function that overwrites the previously dropped batch file with the new instructions to run the downloaded payload information stealer through the Windows start command. It again uses the same FoDHelper technique to run the batch script’s second version, which we explained earlier in this section.  

**Actor’s choice of three payloads in the same campaign **

Talos discovered that the threat actor delivered three famous information stealer malware as payloads in this campaign, including CryptBot, LummaC2 and Rhadamanthys. These information stealers target victims’ information, such as system and browser data, credentials, cryptocurrency wallets and financial information. 

**CryptBot**

CryptBot is a typical infostealer targeting Windows systems discovered in the wild in 2019 by GDATA. It is designed to steal sensitive information from infected computers, such as credentials from browsers, cryptocurrency wallets, browser cookies and credit cards, and creates screenshots of the infected system. 

Talos has discovered a new CryptBot variant distributed in the wild since January 2024. The goal of the new CryptBot is the same, with some new innovative functionalities. The new CryptBot is packed with different techniques to obstruct malware analysis. A few new CryptBot variants are packed with VMProtect V2.0.3-2.13; others also have VMProtect, but with unknown versions. The new CryptBot attempts to steal sensitive information from infected machines and modifies the configuration changes of the stolen applications. The list of targeted browsers, applications and cryptocurrency wallets by the new variant of CryptBot is shown below.

We observed the new CryptBot variant also includes password manager application databases and authenticator application information in its stealing list to steal the cryptocurrency wallets that have two-factor authentication enabled. 

CryptBot is aware that the target applications in the victim’s environment will have different versions, and their database files will have different file extensions. It scans the victim’s machine for database files’ extensions of the targeted applications for harvesting credentials. 

**LummaC2 **

Talos discovered that the actor is delivering a new variant of LummaC2 malware as an alternative payload in this campaign. LummaC2 is a notorious information stealer that attempts to harvest information from victims’ machines. Based on the report posted by outpost24 and other external security reports, LummaC2 has already been confirmed to be sold on the underground market for years. 

The threat actor has modified LummaC2’s information stealer capability and obfuscated the malware with a custom algorithm. The obfuscation algorithm is saved in another section inside the malware shown below.

The new version of LummaC2 also presents the same signature of the alert message displayed to the user during its execution. 

The C2 domains are encrypted with a symmetric algorithm, and we found that the actor has nine C2 servers that the malware will attempt to connect to one by one. Analyzing various samples of the new LummaC2 variant, we spotted that each will use a different key to encrypt the C2.   

Talos has compiled the list of nine C2 domains the new LummaC2 variant attempts to connect in this campaign. 

Encrypted strings

Decrypted Strings

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB+VXagKwrRr7BjLA71GNEZ8E8/0K2otQ==

peasanthovecapspll\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBpVXqwOAHAo75nPQT3Hc4I6EZ+x+u0rVjB

gemcreedarticulateod\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9VXShLxDMqLFmPATgC8Ma+U14zKy0oBnC/kf0

secretionsuitcasenioise\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtXHa6JwfKqbxwOh79B8wb+UF0jbavqkc=

claimconcessionrebe\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBiWXaxIwjMs6Z0Ox/1BsUM8UZ/2qyz60TZ+Vg=

liabilityarrangemenyit\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBjX3O2ORDAtKx0MAjiDcwE9U9mxq7ptl/e5g==

modestessayevenmilwek\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB6Qn6yJAPJoqxwKB77BsAM8kB51K/ptl/e5g==

triangleseasonbenchwj\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtRXunPxbAtLRwPQ78DssH/U1yyqSrqRnC/kf0

culturesketchfinanciall\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9X3GyIhHLs7Z7Lh74AcYM+Ep/xuu0rVjB

sofahuntingslidedine\[.\]shop

LummaC2’s first step in its exfiltration phase is its connection to the C2 server. The malware will exit the process if it does not receive the “OK” message as a response from any of the nine C2 servers. The second step will be exfiltrating information from infected machines. The basic stealing functionality is the same as the previous version, with the addition of victims’ discord credentials to exfiltrate. 

**Rhadamanthys**

The last payload we found in this campaign is Rhadamanthys malware, a famous infostealer appearing in the underground forum advertisement in September 2022. The Rhadamanthys malware has been evolving till now, and its authors have released a new version, V0.6.0, on Feb. 15, 2024. However, the Rhadamanthys variant we found in this campaign is still v0.5.0.

The threat actor uses a Python executable file as a loader to execute the Rhadamanthys malware into memory. After decompiling the Python executable file, Python scripts load the Rhadamanthys malware in two stages. The first stage is a simple Python script that replaces the binary code from 0 to 9 and decodes the second stage. 

In the second stage, the Python script uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process. We spotted that the threat actor is developing the Python script with the intention of including the functionality of executing a shellcode. 

Analyzing the final executable file showed us that the malware unpacks the loader module with the custom format having the magic header “XS” and performs the process injection. The custom loader module in XS format is similar to that of a Rhadamanthys sample analyzed by the researcher at Check Point. The malware selects one of the listed processes as the target process for process injection from a hardcoded list in the binary:

*   "%Systemroot%\\\\system32\\\\dialer.exe"
*   "%Systemroot%\\\\system32\\\\openwith.exe"

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63218 - 63225 and 300867 - 300870.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10027128-0

Txt.Tool.CoralRaider-10027140-0

Html.Downloader.CoralRaider-10027220-0

Win.Infostealer.Lumma-10027222-0

Win.Infostealer.Rhadamanthys-10027293-0

Win.Infostealer.Rhadamanthys-10027294-0

Win.Infostealer.Cryptbot-10027295-0

Win.Infostealer.Cryptbot-10027296-0

Win.Infostealer.Cryptbot-10027297-0

Win.Infostealer.Cryptbot-10027298-0

Win.Infostealer.Cryptbot-10027299-0

Win.Infostealer.Cryptbot-10027300-0

Win.Infostealer.Cryptbot-10027301-0

Win.Infostealer.Cryptbot-10027302-0

Win.Infostealer.Cryptbot-10027303-0

Win.Infostealer.Cryptbot-10027305-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Suspected CoralRaider continues to expand victimology using three information stealers

The threat actor is deploying multiple connections into victim environments to maintain persistence and steal data.

Source: RooM the Agency via Alamy Stock Photo

An advanced persistent threat (APT) group known as ToddyCat is collecting data on an industrial scale from government and defense targets in the Asia-Pacific region.

Researchers from Kaspersky tracking the campaign described the threat actor this week as using multiple simultaneous connections into victim environments to maintain persistence and to steal data from them. They also discovered a set of new tools that ToddyCat (which is a common name for the Asian palm civet) is using to enable data collection from victim systems and browsers.

**Multiple Traffic Tunnels in ToddyCat Cyberattacks**

"Having several tunnels to the infected infrastructure implemented with different tools allow \[the\] attackers to maintain access to systems even if one of the tunnels is discovered and eliminated," Kaspersky security researchers said in a blog post this week. "By securing constant access to the infrastructure, \[the\] attackers are able to perform reconnaissance and connect to remote hosts."

ToddyCat is a likely Chinese-language speaking threat actor that Kaspersky has been able to link to attacks going back to at least December 2020. In its initial stages, the group appeared focused on just a small number of organizations in Taiwan and Vietnam. But the threat actor quickly ramped up attacks following the public disclosure of the so-called ProxyLogon vulnerabilities in Microsoft Exchange Server in February 2021. Kaspersky believes ToddyCat might have been among a group of threat actors that targeted the ProxyLogon vulnerabilities even prior to February 2021, but says it has not found evidence yet to back up that conjecture.  

In 2022, Kaspersky reported finding ToddyCat actors using two sophisticated new malware tools dubbed Samurai and Ninja to distribute China Chopper — a well-known commodity Web shell used in the Microsoft Exchange Server attacks — on systems belonging to victims in Asia and Europe.

**Maintaining Persistent Access, Fresh Malware**

Kaspersky's latest investigation into ToddyCat's activities showed the threat actor's tactic to maintain persistent remote access to a compromised network is to establish multiple tunnels to it using different tools. These include using a reverse SSH tunnel to gain access to remote network services; using SoftEther VPN, an open source tool that enables VPN connections via OpenVPN, L2TP/IPSec, and other protocols; and using a lightweight agent (Ngrok) to redirect command-and-control from an attacker-controlled cloud infrastructure to target hosts in the victim environment.

In addition, Kaspersky researchers found ToddyCat actors to be using a fast reverse proxy client to enable access from the Internet to servers behind a firewall or network address translation (NAT) mechanism.

Kaspersky's investigation also showed the threat actor using at least three new tools in its data-collection campaign. One of them is malware that Kaspersky had dubbed "Cuthead" that allows ToddyCat to search for files with specific extensions or words on the victim network, and to store them in an archive.

Another new tool that Kaspersky found ToddyCat using is "WAExp." The malware's task is to search for and collect browser data from the Web version of WhatsApp. 

"For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data," Kaspersky researchers said. WAExp allows the attacks to gain access to this data by copying the browser's local storage files, the security vendor noted.  

The third tool meanwhile is dubbed "TomBerBil," and allows ToddyCat actors to steal passwords from Chrome and Edge browsers.

"We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest," Kaspersky said. "The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system."

The security vendor recommends that organizations block IP addresses of cloud services that provide traffic tunneling and limit the tools that administrators can use to access hosts remotely. Organizations also need to either remove or closely monitor any unused remote access tools in the environment and encourage users not to store passwords in their browsers, Kaspersky said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

ToddyCat APT Is Stealing Data on 'Industrial Scale'

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

**MITRE's ATT&CK**

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

**MITRE's Defense**

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MITRE ATT&amp;CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.

Source: Wright Studio via Shutterstock

Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces.

In its advisory, the company described the attacks as involving the use of generic and valid usernames to try and gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said.

The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.

**Attack Volumes Might Increase**

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," a Cisco Talos statement explained. The vendor noted the surge in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.

Cisco did not immediately respond to a Dark Reading inquiry regarding the sudden explosion in attack volumes and whether they're the work of a single threat actor or multiple threat actors. Its advisory identified the source IP addresses for the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.

Cisco's advisory linked to indicators of compromise — including IP addresses and credentials associated with the attacks — while also noting the potential for these IP addresses to change over time.

The new wave of attacks is consistent with the surging interest among threat actors in the VPNs and other technologies that organizations have deployed in recent years to support remote access requirements for employees. Attackers — including nation-state actors — have ferociously targeted vulnerabilities in these products to try and break into enterprise networks, prompting multiple advisories from the likes of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and others.

**VPN Vulnerabilities Explode in Number**

A study by Securin showed the number of vulnerabilities that researchers, threat actors, and vendors themselves have discovered in VPN products increased 875% between 2020 and 2024. They noted how 147 flaws across eight different vendors' products grew to nearly 1,800 flaws across 78 products. Securin also found that attackers weaponized 204 of the total disclosed vulnerabilities so far. Of this, advanced persistent threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups like REvil and Sodinokibi had exploits for another 16.

Cisco's latest advisory appears to have stemmed from multiple reports the company received about password-spraying attacks targeting remote access VPN services involving Cisco's products and those from multiple other vendors. In a password-spraying attack, an adversary basically attempts to gain brute-force access to multiple accounts by trying default and common passwords across all of them.

**Reconnaissance Effort?**

"This activity appears to be related to reconnaissance efforts," Cisco said in a separate April 15 advisory that offered recommendations for organizations against password-spraying attacks. The advisory highlighted three symptoms of an attack that users of Cisco VPNs might observe: VPN connection failures, HostScan token failures, and an unusual number of authentication requests.

The company recommended that organizations enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources via access control lists and other mechanisms.

"What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patches," Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. The attackers in this instance are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or implementing passwordless mechanisms to protect access.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted.

Thursday, April 18, 2024 14:00

If you’re a regular reader of this newsletter, you already know about how strongly I feel about the dangers of spreading fake news, disinformation and misinformation. 

And honestly, if you’re reading this newsletter, I probably shouldn’t have to tell you about that either. But one of the things that always frustrates me about this seemingly never-ending battle against disinformation on the internet, is that there aren’t any real consequences for the worst offenders. 

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted, or just that one individual post might be removed.  

Twitter, which has become one of the worst offenders for spreading disinformation, has gotten even worse about this over the past few years and at this point doesn’t do anything to these accounts, and in fact, even promotes them in many ways and gives them a larger platform. 

Meta, for its part, is now hiding more political posts on its platforms in some countries, but at most, an account that shares fake news is only going to be restricted if enough people report it to Meta’s team and they choose to take action.  

Now, I’m hoping that Brazil’s Supreme Court may start imposing some real-world consequences on individuals and companies that support, endorse or sit idly by while disinformation spreads. Specifically, I’m talking about a newly launched investigation by the court into Twitter/X and its owner, Elon Musk.  

Brazil’s Supreme Court says users on the platform are part of a massive misinformation campaign against the court’s justices, sharing intentionally false or harmful information about them. Musk is also facing a related investigation into alleged obstruction.  

The court had previously asked Twitter to block certain far-right accounts that were spreading fake news on Twitter, seemingly one of the only true permanent bans on a social media platform targeting the worst misinformation offenders. Recently, Twitter has declined to block those accounts. 

This isn’t some new initiative, though. Brazil’s government has long looked for concrete ways to implement real-world punishments for spreading disinformation. In 2022, the Supreme Court signed an agreement with the equivalent of Brazil’s national election commission “to combat fake news involving the judiciary and to disseminate information about the 2022 general elections.” 

Brazil’s president (much like the U.S.) has been battling fake news and disinformation for years now, making any political conversation there incredibly divisive, and in many ways, physically dangerous. I’m certainly not an authority enough on the subject to comment on that and the ways in which the term “fake news” has been weaponized to literally challenge what is “fact” in our modern society.  

And I could certainly see a world in which a high court uses the term “fake news” to charge and prosecute people who are, in fact, spreading \*correct\* and verifiable information.  

But, even just forcing Musk or anyone at Twitter to answer questions about their blocking policies could bring an additional layer of transparency to this process. Suppose we want to really get people to stop sharing misleading information on social media. In that case, it needs to eventually come with real consequences, not just a simple block when they can launch a new account two seconds later using a different email address. 

**The one big thing **

Talos recently discovered a new threat actor we're calling “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause. Starry Addax primarily uses a new mobile malware that it infects users with via phishing attack, tricking their targets into installing malicious Android applications we’re calling “FlexStarling.” The malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. 

**Why do I care? **

The targets in this campaign's case are considered high-risk individuals, advocating for human rights in the Western Sahara. While that is a highly focused particular demographic, FlexStarling is still a highly capable implant that could be dangerous if used in other campaigns. Once infected, Starry Addax can use their malware to steal important login credentials, execute remote code or infect the device with other malware.  

**So now what? **

This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. If you are a user who feels you could be targeted by these emails, please pay close attention to any URLs or attachments used in emails with these themes and ensure you’re only visiting trusted sites. The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages with more infrastructure and Starry Addax working on additional malware variants. 

**Top security headlines of the week **

**A threat actor with ties to Russia is suspected of infecting the network belonging to a rural water facility in Texas earlier this year.** The hack in the small town of Muleshoe, Texas in January caused a water tower to overflow. The suspect attack coincided with network intrusions against networks belonging to two other nearby towns. While the attack did not disrupt drinking water in the town, it would mark an escalation in Russian APTs’ efforts to spy on and disrupt American critical infrastructure. Security researchers this week linked a Telegram channel that took credit for the activity with a group connected to Russia’s GRU military intelligence agency. The adversaries broke into a remote login system used in ICS, which allowed the actors to interact with the water tank. It overflowed for about 30 to 45 minutes before officials took the machine offline and switched to manual operations. According to reporting from CNN, a nearby town called Lockney detected “suspicious activity” on the town’s SCADA system. And in Hale Center, adversaries also tried to breach the town network’s firewall, which prompted them to disable remote access to its SCADA system. (CNN, Wired) 

**Meanwhile, Russia’s Sandworm APT is also accused of being the primary threat actor carrying out Russia’s goals in Ukraine.** New research indicates that the group is responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022. One attack involved Sandworm, aka APT44, disrupting a Ukrainian power facility during Russia’s winter offensive and a series of drone strikes targeting Ukraine’s energy grid. Recently, the group’s attacks have increasingly focused on espionage activity to gather information for Russia’s military to use to its advantage on the battlefield. The U.S. indicated several individuals for their roles with Sandworm in 2020, but the group has been active for more than 10 years. Researchers also unmasked a Telegram channel the group appears to be using, called “CyberArmyofRussia\_Reborn.” They typically use the channel to post evidence from their sabotage activities. (Dark Reading, Recorded Future) 

**Security experts and government officials are bracing for an uptick in offensive cyber attacks between Israel and Iran** after Iran launched a barrage of drones and missiles at Israel. Both countries have dealt with increased tensions recently, eventually leading to the attack Saturday night. Israel’s leaders have already been considering various responses to the attack, among which could be cyber attacks targeting Iran in addition to any new kinetic warfare. Israel and Iran have long had a tense relationship that included covert operations and destructive cyberattacks. Experts say both countries have the ability to launch wiper malware, ransomware and cyber attacks against each other, some of which could interrupt critical infrastructure or military operations. The increased tensions have also opened the door to many threat actors taking claims for various cyber attacks or intrusions that didn’t happen. (Axios, Foreign Policy) 

**Can’t get enough Talos? **

*   Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services 
*   Decade-old malware haunts Ukrainian police 
*   Attackers are pummeling networks around the world with millions of login attempts 
*   OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal 
*   Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials 
*   Talos Takes Ep. #179: Why we need to stop calling as-a-service group takedowns "takedowns" 

**Upcoming events where you can find Talos **

 **Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

Debian Linux Security Advisory 5655-2 - The update of cockpit released in DSA 5655-1 did not correctly build binary packages due to unit test failures when building against libssh 0.10.6. This update corrects that problem.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5655-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
April 16, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : cockpit  
Debian Bug     : 1069059

The update of cockpit released in DSA 5655-1 did not correctly built  
binary packages due to unit test failures when building against libssh  
0.10.6. This update corrects that problem.

For the stable distribution (bookworm), this problem has been fixed in  
version 287.1-0+deb12u2.

We recommend that you upgrade your cockpit packages.

For the detailed security status of cockpit please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/cockpit

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYe2O9fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QK0RAAkGuh1qsgWCu60JxMYZjfeSyA/w+MlKlwANHCA74QbsvqOyadjrtdxRjK  
EgKRs8Gz7H8o3bpuVE/4mWkIyDjsn9yZeFlro/6wf3yGsxEL7I2MlKWa56A6hNJD  
4dCgdo9gKqcDR7YOpknemN7F8VElUINFjBHzQ6vzm+HMneg4JC3Nhh1TZfNj/trT  
em/LLoMb9VDHutpv8T0OQwt1tgUxfOfxKDFTsLzjxzYwBfAHqJPu/MZrS1kj15iU  
HK9nouDw7hYOx0FzTBhlobNnLod8kYN+McUMkiux84lv8PyYE3sxiDlTYcGeG+0n  
XQ4FHxB6wdolaGKRCwt8t3Bt1uTPvbDYwii6eDmjNLrSFnjbJlfihaVkng9fXb6R  
kfRHRWhcT15/Yv8GmJUAN7/vNlzPEAXkbXmP3O/MmrLymjsyC4p2Oo8PfKn1biK0  
K0s0BrGMd60DvrD6L07ntF0IfF7qoNvYwZLF3ELsXe/h9dlaNtqDHMG2O1OZNB/M  
VYW6S3reytzexMuqUtKPB2kAZeuiIK6iTJNLU7v1ZWPfHp2ApK3yGxTCXrNj3Ufa  
kO7Tw0g6w3xIvlxLjHPZ/V9TxBB75i2PmxQMLIk4VjAMY93I6XmESFhI4Me94oQw  
xYRGVjCCHd8J5Ky4VTgnS66Um2KUkF+nGCZLudTDVeyPzNBh9hk=  
=b5VL  
-----END PGP SIGNATURE-----

Debian Security Advisory 5655-2

Red Hat Security Advisory 2024-1859-03 - OpenShift API for Data Protection 1.3.1 is now available. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1859.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift API for Data Protection (OADP) 1.3.1 security and bug fix update  
Advisory ID:        RHSA-2024:1859-03  
Product:            OpenShift API for Data Protection  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1859  
Issue date:         2024-04-16  
Revision:           03  
CVE Names:          CVE-2023-39326  
====================================================================

Summary: 

OpenShift API for Data Protection (OADP) 1.3.1 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39326

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2253193  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://issues.redhat.com/browse/OADP-1912  
https://issues.redhat.com/browse/OADP-2866  
https://issues.redhat.com/browse/OADP-3005  
https://issues.redhat.com/browse/OADP-3038  
https://issues.redhat.com/browse/OADP-3041  
https://issues.redhat.com/browse/OADP-3044  
https://issues.redhat.com/browse/OADP-3051  
https://issues.redhat.com/browse/OADP-3055  
https://issues.redhat.com/browse/OADP-3189  
https://issues.redhat.com/browse/OADP-3326  
https://issues.redhat.com/browse/OADP-3379  
https://issues.redhat.com/browse/OADP-3390  
https://issues.redhat.com/browse/OADP-3395  
https://issues.redhat.com/browse/OADP-3486  
https://issues.redhat.com/browse/OADP-3495  
https://issues.redhat.com/browse/OADP-3598  
https://issues.redhat.com/browse/OADP-3710  
https://issues.redhat.com/browse/OADP-3821

Red Hat Security Advisory 2024-1859-03

Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said.
Successful attacks could

Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services

By Waqas
A critical vulnerability named LeakyCLI exposes sensitive cloud credentials from popular tools used with AWS and Google Cloud. This poses a major risk for developers, showing the need for strong security practices. Learn how to mitigate LeakyCLI and fortify your cloud infrastructure. 
This is a post from HackRead.com Read the original post: New Vulnerability “LeakyCLI” Leaks AWS and Google Cloud Credentials

Cloud infrastructure is the backbone of modern technology, and its security hinges on the tools developers use to manage it. However, a recently discovered vulnerability dubbed “LeakyCLI” exposes a critical weakness in these tools, potentially granting unauthorized access to sensitive cloud credentials.

This vulnerability affects the command-line interfaces (CLIs) used by major cloud providers like **Amazon Web Services (AWS)** and Google Cloud Platform (GCP). Security researchers at Orca Security identified LeakyCLI, which can inadvertently expose environment variables containing sensitive information like passwords and access keys within logs.

****The Flaw and the Risk****

CLIs are typically designed for use in secure environments. However, the integration with Continuous Integration and Continuous Deployment (**CI/CD**) pipelines, which automate development processes, introduces a security risk. LeakyCLI bypasses secret labelling mechanisms within CI/CD pipelines, potentially printing sensitive credentials to logs that shouldn’t contain them.

“CLI commands are by default assumed to be running in a secure environment,” explains an Orca advisory. “But coupled with CI/CD pipelines, they may pose a security threat.” This vulnerability creates a prime target for attackers employing social engineering tactics.

****Deja Vu: Echoes of the XZ Utils Attack****

In some way, the LeakyCLI vulnerability resembles a **recent incident involving the open-source project XZ Utils,** a popular data compression tool. In that case, a malicious actor gained the maintainer’s trust through flattery, claims of expertise, and ultimately, malicious code insertion. LeakyCLI exposes credentials, making them even more valuable to attackers who might also leverage social engineering to compromise projects.

****Securing the Cloud: Recommendations for Developers****

Security researchers recommend several measures to mitigate the risks associated with LeakyCLI:

*   **Eliminate Secrets in Environment Variables:** Instead of storing sensitive information like passwords and keys in environment variables, leverage dedicated secrets management services offered by cloud providers like AWS Secrets Manager or Google Cloud Key Management Service.
*   **Multi-Factor Authentication (MFA):** Enforce strong authentication protocols like MFA for all users accessing cloud resources and project repositories.
*   **Granular Access Control:** Grant users only the level of access required for their specific tasks within projects.
*   **Code Reviews:** Implement rigorous code review processes to identify and remove any vulnerabilities that might be introduced accidentally or maliciously.
*   **Community Vigilance:** Foster a strong and vigilant development community to identify suspicious activity and report potential threats promptly.

While both AWS and **Google Cloud Platform** were notified of LeakyCLI, they maintain that the current behaviour falls within the expected design parameters. However, the security community is urging cloud providers to consider implementing additional protection within their CLIs to prevent sensitive information from leaking into logs, especially within automated CI/CD workflows.

The LeakyCLI vulnerability goes on to show how cloud security can be at risk. Therefore, developers and cloud providers alike must work together to implement robust security measures and remain vigilant against these ever-sophisticated threats.

1.  SSH Remains Most Targeted Service, Says Cado’s Cloud
2.  Chinese APT Posing as Cloud Services to Spy on Cambodia
3.  Massive Cloud Database Leak Exposes 380 Million Records
4.  Supply Chain Attack HitTelegram, AWS Alibaba Cloud Users
5.  Cloudflare Hacked After State Actor Leverages Okta Breach

Tag

#ssh