The funds from Germany's Sovereign Tech Fund will be used to integrate zero-trust capabilities, tools for software bill of materials, and other security features.

Source: Les Polders via Alamy Stock Photo

The health of the global Internet and digital infrastructure relies heavily on volunteer-maintained open source projects. Various organizations and initiatives now provide funding to make security fixes or improve features for some of these projects.

Last week, the FreeBSD Foundation announced a €686,400 (approximately $762,540) investment from Germany's Sovereign Tech Fund. The foundation drives development and maintenance of the FreeBSD operating system, a Unix-based operating system similar to Linux. The funding from STF is intended to cover work for the rest of 2024 and extend into 2025 and will focus on security features and improvements.

STF is supported by the German Federal Ministry for Economic Affairs and Climate Action (BMWK) and is hosted by the German Federal Agency for Disruptive Innovation (SPRIND). The fund has actively supported open source projects that are important components of the global digital infrastructure, such as €1 million ($1.1 million) for GNOME (a widely used desktop application for Linux operating systems) development at the end of last year and €203,000 ($225,487) to GStreamer (a multimedia framework used widely in streaming apps, embedded devices, and browsers) earlier this year. Several of STF's recent investments are tied to security improvements, such as making the encrypted home directory a GNOME feature and rewriting GStreamer's various Web and networking protocols (RTP/RTCP, RTSP, and WebRTC) from C to Rust to eliminate recurring memory-based vulnerabilities.

The FreeBSD investment will also focus on several security initiatives, such as zero-trust builds, continuous integration/continuous delivery (CI/CD) automation, reducing technical debt, enhancing security controls, and improving tools related to the software bill of materials. Reducing technical debt is important since many vulnerabilities linger on in years-old components that are no longer being maintained or even looked at.

Zero-trust builds refer to the ability to prove where all the source code and tooling used in FreeBSD came from and are trusted. This is necessary to ensure that the tools used (such as compilers) are not introducing backdoors or malware into the code.

The focus on CI/CD automation is necessary to streamlining software delivery and operations. It will allow for constantly running security tests to ensure that changes have not introduced vulnerabilities and fixing them as they are found.

"This investment in critical digital infrastructure will accelerate modernization of FreeBSD, enhance security hygiene, and improve developer experiences," said Fiona Krakenbürger, co-founder of STF, in a statement.

STF has supported a slew of other open source projects, including curl, FFmpeg, Rustls (a TLS library written in Rust), and Coreutils uutils (the coreutils library with basic file, shell, and text functions rewritten in Rust).

FreeBSD Gets €686,400 to Boost Security Features

Talos' Nick Biasini discusses the biggest shifts and trends in the threat landscape so far. We also focus on one state sponsored actor that has been particularly active this year, and talk about why defenders need to be paying closer attention to infostealers.

Friday, September 6, 2024 08:59

As we head into the final furlong of 2024, we caught up with Talos’ Head of Outreach Nick Biasini to ask him what sort of year it’s been so far in the threat landscape. 

In this video, Nick outlines his two major areas of concern. He also focusses on one state-sponsored actor that has been particularly active this year (Clue: It rhymes with “Bolt Teaspoon”), and we talk about why the infostealer market has gone through a maturing phase, and why that’s an issue for defenders.

After you’ve watched the video, I’ve highlighted some of our threat spotlight blogs from the year so far below, which may be worth a revisit.

**2024 in threat research:**

**Jan. 18:** **Exploring malicious Windows drivers**

Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Part 1 of our Driver series served as a starting point for learning about malicious drivers while part 2, released in June, covered the I/O system, IRPs, stack locations, IOCTLs and more.

**Feb. 8:** **New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization**

Talos discovered a new, stealthy espionage campaign that likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” 

**Feb. 15:** **TinyTurla Next Generation — Turla APT spies on Polish NGOs**

This backdoor we called “TinyTurla-NG” (TTNG) was similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

**Feb. 20:** **Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns**

Since September 2023, we observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.

**Feb. 27:** **TimbreStealer campaign targets Mexican users with financial lures**

Talos observed a phishing spam campaign targeting victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

**March 5:** **GhostSec’s joint ransomware operation and evolution of their arsenal**

We observed a surge in GhostSec’s malicious activities this past year. GhostSec evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

**April 9:** **Starry Addax targets human rights defenders in North Africa with new malware**

We disclosed a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.

**April 16:** **Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials**

Talos actively monitored a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

**April 17:** **OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal**

During a threat-hunting exercise, Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 

**April 23:** **Suspected CoralRaider continues to expand victimology using three information stealers**

Talos discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

**April 24:** **ArcaneDoor — New espionage-focused campaign found targeting perimeter network devices**

ArcaneDoor was a campaign that was the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

**May 22:** **From trust to trickery: Brand impersonation over the email attack vector**

Cisco developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.

**May 31:** **New banking trojan “CarnavalHeist” targets Brazil with overlay attacks**

Since February 2024, Cisco Talos observed an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) were common among other banking trojans coming out of Brazil.

**June 5:** **DarkGate switches up its tactics with new payload, email templates**

DarkGate was observed distributing malware through Microsoft Teams and even via malvertising campaigns.

**Aug. 1:** **APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike**

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

**Aug. 28:** **BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks**

In recent investigations, Talos Incident Response observed the BlackByte ransomware group using techniques that depart from their established tradecraft. 

You can always bookmark the Threat Source newsletter to keep up to date with all things Talos threat research.

The 2024 Threat Landscape State of Play

It’s been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally

It's been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally tailored for Critical infrastructure, 2018's version 1.1 was designed for any organization looking to address cybersecurity risk management.

CSF is a valuable tool for organizations looking to evaluate and enhance their security posture. The framework helps security stakeholders understand and assess their current security measures, organize and prioritize actions to manage risks, and improve communication within and outside organizations using a common language. It's a comprehensive collection of guidelines, best practices, and recommendations, divided into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function includes several categories and subcategories, notably:

1.  **Identify** - Understand which assets need to be secured.
2.  **Protect** - Implement measures to ensure assets are properly and adequately secured.
3.  **Detect** - Set up mechanisms to detect attacks or weaknesses.
4.  **Respond** - Develop detailed plans for notifying individuals affected by data breaches, recent events that might jeopardize data, and regularly test response plans, to minimize impact of attacks.
5.  **Recover** - Establish processes to get back up and running post-attack.

(Want to learn more about CSF 1.1's 5 steps? Download our NIST CSF checklist here!)

****Changes to CSF 2.0, with a Focus on Continuous Improvement****

In February 2024, NIST released CSF 2.0. The goal of this new version is to help CCSF become more adaptable and thus widely adopted across a wider range of organizations. Any organization looking to adopt CSF for the first time should use this newer version and organizations already using it can continue to do so but with an eye to adopt 2.0 in the future.

2.0 brings with it some changes; among other advancements, it adds in "Govern" as a first step, because, according to ISC.2.org, "the CSF's governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders must consider alongside others such as finance and reputation. The objectives are to integrate cybersecurity with broader enterprise risk management, roles and responsibilities, policy and oversight at organizations, as well as better support the communication of cybersecurity risk to executives."

It also has an expanded scope, it's more clear and user-friendly, and most importantly (for the purposes of this article anyway), it strongly focuses on emerging threats and zero's-in on a continuous and proactive approach to cybersecurity via the newly added Improvement Category in the Identify Function. Taking a continuous approach means organizations are encouraged to assess, reassess, and then update cybersecurity practices on a regular basis. This means organizations can respond faster and with better accuracy to events for reduced impact.

****CSF and CTEM – Better Together****

Today, there are multiple actionable frameworks and tools designed to work within the parameters of the high-level CSF guidelines. For example, the Continuous Threat Exposure Management (CTEM) is highly complementary to CSF. Released in 2022 by Gartner, the CTEM framework is a major shift in how organizations handle threat exposure management. While CSF provides a high-level framework for identifying, assessing, and managing cyber _risks_, CTEM focuses on the continuous monitoring and assessment of _threats_ to the organization's security posture – the very threats that constitute risk itself.

CSF's core functions align well with the CTEM approach, which involves identifying and prioritizing threats, assessing the organization's vulnerability to those threats, and continuously monitoring for signs of compromise. Adopting CTEM empowers cybersecurity leaders to significantly mature their organization's NIST CSF compliance.

Prior to CTEM, periodic vulnerability assessments and penetration testing to find and fix vulnerabilities was considered the gold standard for threat exposure management. The problem was, of course, that these methods only offered a snapshot of security posture – one that was often outdated before it was even analyzed.

CTEM has come to change all this. The program delineates how to achieve continuous insights into the organizational attack surface, proactively identifying and mitigating vulnerabilities and exposures _before_ attackers exploit them. To make this happen, CTEM programs integrate advanced tech like exposure assessment, security validation, automated security validation, attack surface management, and risk prioritization. This aligns perfectly with NIST CSF 1.1, and provides tangible benefits across all five core CSF functions:

1.  **Identify** - CTEM demands that organizations rigorously identify and inventory assets, systems, and data. This often turns up unknown or forgotten assets that pose security risks. This enhanced visibility is essential for establishing a strong foundation for cybersecurity management, as outlined in the Identify function of the NIST CSF.
2.  **Protect** - CTEM programs proactively identify vulnerabilities and misconfigurations before they can be exploited. CTEM prioritizes risks based on their actual potential impact and their likelihood of exploitation. This helps organizations address the most critical vulnerabilities first. What's more, CTEM-dictated attack path modeling helps organizations reduce the risk of compromise. All this dramatically impacts the Protect function of the CSF program.
3.  **Detect** – CTEM requires continuous monitoring of the external attack surface, which impacts CSF's Detect function by providing early warnings of potential threats. By identifying changes in the attack surface, such as new vulnerabilities or exposed services, CTEM helps organizations quickly detect and respond to possible attacks _before_ they cause damage.
4.  **Respond** – When a security incident occurs, CTEM's risk prioritization stipulations are what help organizations prioritize response, ensuring that the most critical incidents are addressed first. Also, CTEM-mandated attack path modeling helps organizations understand how attackers may have gained access to their systems. This impacts the CSF Respond function by enabling organizations to take targeted actions to contain and eradicate the threat.
5.  **Recover** - CTEM's continuous monitoring and risk prioritization plays a crucial role in the CSF Recover function. CTEM enables organizations to quickly identify and address vulnerabilities, which minimizes the impact of security incidents and speeds up recovery. Also, attack path modeling helps organizations identify and address weaknesses in their recovery processes.

****The Bottom Line****

The NIST Cybersecurity Framework (CSF) and Continuous Threat Exposure Management (CTEM) program are truly brothers in arms - working together to defend organizations against cyberthreats. CSF provides a comprehensive roadmap for managing cybersecurity risks, while CTEM offers a dynamic and data-driven approach to threat detection and mitigation.

The CSF-CTEM alignment is especially evident in how CTEM's focus on continuous monitoring and threat assessment comes together seamlessly with CSF's core functions. By adopting CTEM, organizations significantly enhance their compliance with CSF – while also gaining valuable insights into their attack surface and proactively mitigating vulnerabilities.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NIST Cybersecurity Framework (CSF) and CTEM – Better Together

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.

Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so).

Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.

Earth Lusca is known to be active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It's assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).

KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file that includes various parameters necessary to meet its functions, including the C&C servers to connect to.

Once initialized, the malware initiates contact with the C&C server on a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

That having said, not much is known about how the malware is distributed and if it has been used to target other entities across the world.

"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.

OpenSSL Toolkit 3.3.2

OpenSSL Toolkit 3.2.3

OpenSSL Toolkit 3.1.7

OpenSSL Toolkit 3.0.15

Debian Linux Security Advisory 5764-1 - David Benjamin reported a flaw in the X.509 name checks in OpenSSL, a Secure Sockets Layer toolkit, which may cause an application performing certificate name checks to crash, resulting in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5764-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 03, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : opensslCVE ID         : CVE-2024-6119David Benjamin reported a flaw in the X.509 name checks in OpenSSL, aSecure Sockets Layer toolkit, which may cause an application performingcertificate name checks to crash, resulting in denial of service.Additional details can be found in the upstream advisory:https://openssl-library.org/news/secadv/20240903.txtFor the stable distribution (bookworm), this problem has been fixed inversion 3.0.14-1~deb12u2.We recommend that you upgrade your openssl packages.For the detailed security status of openssl please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/opensslFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbXW1pfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RXThAAjRoSSUyNd4LR8nETi9XB31OkPVx0KrvU2hfIRnPUHHb3hOoi8vEKxdqhgd1pHtEKUBB3TBkXnyMuQ1p79+wuIjvV6Jr7uEPK0w2GdvC0KaF4+cohRDB7Xpjk+AjVFprvljePzgR9BcX1LWX/Bj6k7j8Jit4hkSDxeWn2W4NvCk9+1FMaHPa1PCmXAxo83qzlJg/SMcI5s19No3TzY9z9RdXH622J6hZk/DUZi6YMSryxCoAuU7ur/Ol8zGH8RG9THiC4hcnAnNjOrqAJqlLzoLgFxykwrvYGwWk//fsQsCeR2HXNQJiPBKq0QyoXP0WFgIbjnQlRfJI2gxwr5KWn77sNnc2vGZ8HXScj+pKOxrdHyp6a3kaZ99ANDCU5UAo36wSUhZyX9I8nNxjZmb2w5fbeFnHkI2xx2onoLeUjv4hzipS4VS0OP5ThqXhXGjLng4L0bIc5Ad/LuC4T/PnXuwfDgMnAQHHM0zjQcDih/TaTfXn1v+j67FIVBxiqD5EI07ms/jysbmpydB4z2Fwl0D09goEtbO2m2ZE+BU4o8dQIk6UB7KiKTBcyVS3uTR7ZG9AbomfHceh9/3ycI0FMTXUXlifU9v3Btuwpb3DnjCwJKaoAEQNrfuV1OjqV29oZd2ye2bwAC2uveAnS0wxe+26Gsr+PhmdUFSGSAPeULt4==KHr5-----END PGP SIGNATURE-----

Debian Security Advisory 5764-1

Ubuntu Security Notice 6986-1 - David Benjamin discovered that OpenSSL incorrectly handled certain X.509 certificates. An attacker could possible use this issue to cause a denial of service or expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6986-1  
September 03, 2024

openssl vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS

Summary:

OpenSSL could be made to crash or expose sensitive information  
if it received a specially crafted certificate.

Software Description:  
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

David Benjamin discovered that OpenSSL incorrectly handled certain  
X.509 certificates. An attacker could possible use this issue to  
cause a denial of service or expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  libssl3t64                      3.0.13-0ubuntu3.4  
  openssl                         3.0.13-0ubuntu3.4

Ubuntu 22.04 LTS  
  libssl3                         3.0.2-0ubuntu1.18  
  openssl                         3.0.2-0ubuntu1.18

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6986-1  
  CVE-2024-6119

Package Information:  
  https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.4  
  https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.18

Tag

#ssl