Space Force's Delta 6 cyber-defense group adds squadrons, updates legacy Satellite Control Network.

Space Force's Delta 6 mission, responsible for thy cyber defense of US military satellites, is adding four squadrons to boost cybersecurity throughout the military branch, as well as oversee the modernization of the aging Satellite Control Network.

Each operational mission within Space Force, from missile warning systems to navigations and communications, is organized into one of nine "Deltas," Breaking Defense explained in a report about the move. 

Delta 6 is the "cyber operations" group and will expand to embed a cyber-defense squadron of personnel called "Cyber Protection Teams" within other wings, Space Operations Command announced. 

Delta 6 will need also need additional help as it tackles upgrading the aging Satellite Control Network, which is a series of 19 antennas positioned around the world and relied upon by the military, NASA, the National Oceanic and Atmospheric Administration, and the National Reconnaissance Office, Breaking Defense reported. 

The system dates back to 1958, according to Delta 6 Commander Roy Rockwell. 

"Our scheduling system still operates on DOS — so, 1990s technology," Rockwell told Breaking Defense. “We are working through an upgrade that should be complete by the end of this year that’ll bring us up to a Windows-level type scheduling capability. So we're still far behind." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Space Force Expands Cyber Defense Operations

The Chaos ransomware-builder was known for creating destructor malware that overwrote files and made them unrecoverable -- but the new Yashma version finally generates binaries that can encrypt files of all sizes.

The Chaos malware-builder, which climbed up as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That's according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.  

BlackBerry researchers noted the same. Rather than using Ryuk’s AES/RSA-256 encryption process, the "initial edition of Chaos overwrites the targeted file with a randomized Base64 string," according to BlackBerry's new report. "Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than true ransomware."

After putting the builder out in underground forums and catching plenty of snark and flak by fellow Dark Web denizens for hijacking the Ryuk brand, the group consequently named itself Chaos. The malware also cycled rapidly through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.

"Based on the forums, the original ransomware is believed to be developed by a solo author," Ismael Valenzuela, vice president of threat research & intelligence at BlackBerry’s Cybersecurity Business Unit, tells Dark Reading. "This author appears new to the ransomware scene, as they were requesting feedback, bug reports, and feature requests, and the early releases were missing basic features, such as multi-threading, which are common in other ransomware."

**Inside the Chaos**

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read\_it.txt.”

"This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note," according to BlackBerry's analysis. "In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat."

Over time, the malware has added more sophisticated capabilities, such as the ability to:

*   Delete shadow copies
*   Delete backup catalogs
*   Disable Windows recovery mode
*   Change the victim’s desktop wallpaper
*   Customizable file-extension lists
*   Better encryption compatibility
*   Run on startup
*   Drop the malware as a different process
*   Sleep prior to execution
*   Disrupt recovery systems
*   Propagate the malware over network connections
*   Choose a custom encryption file-extension
*   Disable the Windows Task Manager

Actual encryption capabilities (using AES-256) have been included only since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It was still acting as a destructor for large files (such as photos or videos).

"The code is written in such a way that the wiper function is certainly not accidental. It's unclear why the authors made this choice," Valenzuela says. "It's possible the malware authors made the decision for performance reasons. If the malware was working slowly through a directory of multi-GB videos or database files, there's a small chance the user might notice and be able to power off the device."

**Chaos, Version Four: 'Onyx' Ransomware, Still With Wiper**

Though version four of the Chaos builder was released late last year, it got a boost when a threat group named Onyx created its own ransomware with it last month. This version quickly became the most common Chaos edition directly observed in the wild today, according to the firm. Notably, while the ransomware was improved to be able to encrypt slightly larger files – up to 2.1MB in size – larger files are still overwritten and destroyed.

The latest attacks have been directed toward US-based services and industries, including emergency services, medical, finance, construction, and agriculture, according to BlackBerry.

"This particular threat group \[infiltrates\] a victim organization's network, \[steals\] any valuable data it found, then would unleash 'Onyx ransomware,' their own branded creation based on Chaos Builder v4.0," researchers said – something researchers were able to verify with sample tests that showed a 98% code match to a test sample generated via Chaos v4.0. The only changes were a customized ransom note and a refined list of file extensions.

Onyx has also implemented a leak site called “Onyx News” hosted on the Tor network, with information about its victims and publicly viewable stolen data. The site is also used to give victims more information on how to recover their data.

"The best advice we could offer companies \[targeted with the Onyx wiper\] is to maintain regular backups, which are stored separately, and to not pay the ransom as most of their files are not recoverable due to design," says Valenzuela. "Again, proper incident command is paramount, something that is always better planned in advance."

**Chaos Wiper Reined in With Yashma**

In early 2022, Chaos released a fifth version of its builder, which finally generated ransomware binaries capable of encrypting large files without irretrievably corrupting them.

"Though slower to complete its malicious tasks on the victim device than when it was simply destroying files, the malware finally operates as expected, with files of all sizes being properly encrypted by the malware and retaining the potential to be restored to their former unencrypted state," researchers noted.

A nearly identical sixth iteration soon followed in mid-2022 – renamed Yashma.

"Malware-as-a-service \[MaaS\] is a popular model these days; however, a unique selling point for Chaos is that up until the rebrand to Yashma, all releases have been free," Valenzuela notes. "That said, the Yashma versions are still only $17, making the ransomware widely accessible."

Yashma incorporates two advances over the fifth version: the ability to prevent the ransomware from running depending on the language set on the victim device, and the ability to stop various services.

Regarding the latter, Yashma terminates the following:

*   Antivirus (AV) solutions
*   Vault services
*   Backup services
*   Storage services
*   Remote Desktop services

Both of these versions have seen little action in the wild to date – meaning that Chaos ransomware attacks will most often incorporate a destructive wiper dimension. But it's likely that binaries based on all of the iterations of the builder will become more common over time.

"What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability," researchers noted in the report. "As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims."

**Every Business Is a Target**

Valenzuela points out that with Chaos, the level of technical expertise required to use it is relatively low, the builder is free, and the steps required to generate a binary of one's own are straightforward.

"No organization or industry is exempt from this risk," he said. "Every business needs to have a good defensive strategy – including a tested defensible architecture with a combination of technologies that provide prevention, visibility, and detection coverage, as well as continuous monitoring augmented with up-to-date threat intelligence – to respond early in the attack chain."

Valenzuela adds, "We have seen how many businesses have been compromised for days or weeks before the detonation of the ransomware payloads, so being able to respond to threats quickly is paramount to lessen the impact of these attacks."

New Chaos Malware Variant Ditches Wiper for Encryption

The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.

The browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication, according to two advisories released this week. It poses a big threat to business users.  

ChromeLoader is a sophisticated malware that uses PowerShell, an automation and configuration management framework, to inject itself into the browser and add a malicious extension. This kind of threat drastically increases the attack surface, as today’s enterprises rely more on software-as-a-service (SaaS) apps amid flexible working environments and diverse endpoints.

“The browser is the front door to the Internet, and therefore the user’s first line of defense when they access SaaS applications,” Ohad Bobrov, Talon Cyber Security's CTO and co-founder, tells Dark Reading. “Attackers have identified the browser as an opportunity to steal remote information from SaaS applications, as well as create malicious extensions they can easily manipulate.”  

In this case, the malware is using malicious optimal disc image (ISO) files — often hidden in cracked or pirated versions of software or games — to take over the browser and redirect it to display bogus search results in a malvertising scheme.  

Both a MalwarebytesLabs advisory and a Red Canary warning point out that ChromeLoader’s abuse of PowerShell, combined with the use of ISO files, make ChromeLoader particularly aggressive.

“PowerShell, like any other advanced shell, can be used as an administration tool to automate tasks,” explains Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation. “Admins use benign shell scripts for myriad tasks because they can be versatile and easily accessible on almost every platform.”

He points out that the use of an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign is relying on a ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.

**Infecting the Browser Helps Bypass Security Measures**

Parkin adds that with so many applications being now browser-based, it’s a logical place for cybercriminal to put their malicious code.

In addition, the browser is an application that is not monitored by most security programs, and extensions are usually not scanned by most endpoint protection solutions to determine whether they are malicious.

“By infecting the browser, the attacker gets around a number of security measures, such as traffic encryption, that would otherwise impede their attack,” Parkin says. “It’s like adding a malicious hard drive to your system.”

Having access to a browser provides attackers access to victim data and could, in some cases, provide the opportunity to perform actions on the compromised person's behalf. With such easy access and high-value information inside browsers, malware operators can achieve big results for minimal effort.

To boot, ChromeLoader's capabilities do not end with installing malicious extensions — it could carry out more advanced attacks as well.

“Most security tools don't detect it,” says Talon's Bobrov. “The fact that ChromeLoader abuses PowerShell makes it incredibly dangerous, since this can allow for more advanced attacks, such as ransomware, fileless malware, and malicious code memory injections.”

He adds that ISO files can hold a lot of data, so there's plenty of room for malware to hide. In addition, these files are confusing for end users and have some automatic actions that the operating system might perform.

**Cyber Hygiene, User Education Needed to Stop Malicious ISO Files**

Bobrov says that to prevent exposure to malicious ISO files, the first step is related to basic cyber hygiene: You need to understand and trust the data you download and where you download it from.

“Do not launch ISO files that are not from trusted sources, and never run files inside ISO without verifying their safety,” he advises. “When browsing the Internet, make sure you have security controls in place to help monitor the websites you browse and help protect you from malicious content.”

From Parkin’s perspective, user education is a good first step to prevent exposure to malicious ISO files, which includes teaching users to be wary of downloading suspect files. (Any cracked software falls into this bucket.)

“Beyond user education, admins can deploy tools and enforce policies that restrict mounting ISO files, though that may be a challenge in \[bring-your-own-device\] BYOD environments,” he says.

A step beyond that is using remote desktop environments such as VNC, Citrix, or Windows Remote Desktop, which can shift policy enforcement back into the IT admin’s hands.

ChromeLoader Malware Hijacks Browsers With ISO Files

Red Hat Security Advisory 2022-4711-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Issues addressed include cross site scripting and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update  
Advisory ID:       RHSA-2022:4711-01  
Product:           Red Hat Virtualization  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4711  
Issue date:        2022-05-26  
CVE Names:         CVE-2021-3807 CVE-2021-23425 CVE-2021-33502  
                   CVE-2021-41182 CVE-2021-41183 CVE-2021-41184  
====================================================================  
1. Summary:

Updated ovirt-engine packages that fix several bugs and add various  
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a  
centralized management platform that allows system administrators to view  
and manage virtual machines. The Manager provides a comprehensive range of  
features including search capabilities, resource management, live  
migrations, and virtual infrastructure provisioning.

Security Fix(es):

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching  
ANSI escape codes (CVE-2021-3807)

* nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)

* normalize-url: ReDoS for data URLs (CVE-2021-33502)

* jquery-ui: XSS in the altField option of the datepicker widget  
(CVE-2021-41182)

* jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)

* jquery-ui: XSS in the 'of' option of the .position() util  
(CVE-2021-41184)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

A list of bugs fixed in this update is available in the Technical Notes  
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

655153 - [RFE] confirmation prompt when suspending a virtual machine - webadmin  
977778 - [RFE] - Mechanism for converting disks for non-running VMS  
1624015 - [RFE] Expose Console Options and Console invocation via API  
1648985 - VM from VM-pool which is already in use by a SuperUser is presented to another User with UserRole permission who can shutdown the VM.  
1667517 - [RFE] add VM Portal setting for set screen mode  
1687845 - Multiple notification for one time host activation  
1781241 - missing ?connect automatically? option in vm portal  
1782056 - [RFE] Integration of built-in ipsec feature in RHV/RHHI-V with OVN  
1849169 - [RFE] add virtualCPUs/physicalCPUs ratio property to evenly_distributed policy  
1878930 - [RFE] Provide warning event if MAC Address Pool free and available addresses are below threshold  
1922977 - [RFE] VM shared disks are not part of the OVF_STORE  
1926625 - [RFE] How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD for Red Hat Virtualization Manager  
1927985 - [RFE] Speed up export-to-OVA on NFS by aligning loopback device offset  
1944290 - URL to change the password is not shown properly  
1944834 - [RFE] Timer for Console Disconnect Action - Shutdown VM after N minutes of being disconnected (Webadmin-only)  
1956295 - Template import from storage domain fails when quota is enabled.  
1959186 - Enable assignment of user quota when provisioning from a non-blank template via rest-api  
1964208 - [RFE] add new feature for VM's screenshot on RestAPI  
1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs  
1971622 - Incorrect warning displayed: "The VM CPU does not match the Cluster CPU Type"  
1974741 - Disk images remain in locked state if the HE VM is rebooted during a image transfer  
1979441 - High Performance VMs always have "VM CPU does not match the cluster CPU Type" warning  
1979797 - Ask user for confirmation when the deleted storage domain has leases of VMs that has disk in other SDs  
1980192 - Network statistics copy a U64 into DECIMAL(18,4)  
1986726 - VM imported from OVA gets thin provisioned disk despite of allocation policy set as 'preallocated'  
1986834 - [DOCS] add nodejs and maven to list of subscription streams to be enabled  in RHVM installation  
1987121 - [RFE] Support enabling nVidia Unified Memory on mdev vGPU  
1988496 - vmconsole-proxy-helper.cer is not renewed when running engine-setup  
1990462 - [RFE] Add user name and password to ELK integration  
1991240 - Assign user quota when provisioning from a non-blank template via web-ui  
1995793 - CVE-2021-23425 nodejs-trim-off-newlines: ReDoS via string processing  
1996123 - ovf stores capacity/truesize on the storage does not match values in engine database  
1998255 - [RFE] [UI] Add search box for vNIC Profiles in RHVM WebUI on the main vNIC profiles tab  
1999698 - ssl.conf modifications of engine-setup do not conform to best practices (according to red hat insights)  
2000031 - SPM host is rebooted multiple times when engine recovers the host  
2002283 - Make NumOfPciExpressPorts configurable via engine-config  
2003883 - Failed to update the VFs configuration of network interface card type 82599ES and X520  
2003996 - ovirt_snapshot module fails to delete snapshot when there is a "Next Run configuration snapshot"  
2006602 - vm_statistics table has wrong type for guest_mem_* columns.  
2006745 - [MBS] Template disk Copy from data storage domain to Managed Block Storage domain is failing  
2007384 - Failed to parse 'writeRate' value xxxx to integer: For input string: xxxx  
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes  
2008798 - Older name rhv-openvswitch is not checked in ansible playbook  
2010203 - Log analyzer creates faulty VM unmanaged devices  report  
2010903 - I/O operations/sec reporting wrong values  
2013928 - Log analyzer creates faulty non default vdc_option report  
2014888 - oVirt executive dashboard/Virtual Machine dashboard does not actually show disk I/O operations per second, but it shows sum of I/o operations since the boot time of VM  
2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied  
2019144 - CVE-2021-41182 jquery-ui: XSS in the altField option of the datepicker widget  
2019148 - CVE-2021-41183 jquery-ui: XSS in *Text options of the datepicker widget  
2019153 - CVE-2021-41184 jquery-ui: XSS in the 'of' option of the .position() util  
2021217 - [RFE] Windows 2022 support  
2023250 - [RFE] Use virt:rhel module instead of virt:av in RHEL 8.6+ to get advanced virtualization packages  
2023786 - RHV VM with SAP monitoring configuration does not fail to start if the Host is missing vdsm-hook-vhostmd  
2024202 - RHV Dashboard does not show memory and storage details properly when using Spanish language.  
2025936 - metrics configuration playbooks failing due to rhel-system-role last refactor  
2030596 - [RFE] RHV Manager should support running on a host with the PCI-DSS security profile applied  
2030663 - Update Network statistics types in DWH  
2031027 - The /usr/share/ovirt-engine/ansible-runner-service-project/inventory/hosts fails rpm verification  
2035051 - removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree  
2037115 - rhv-image-discrepancies (rhv-log-collector-analyzer-1.0.11-1.el8ev) tool continues flags OVF_STORE volumes.  
2037121 - RFE:  Add Data Center and Storage Domain name in the rhv-image-discrepancies tool output.  
2040361 - Hotplug VirtIO-SCSI disk fails with error "Domain already contains a disk with that address" when IO threads > 1  
2040402 - unable to use --log-size=0 option  
2040474 - [RFE] Add progress tracking for Cluster Upgrade  
2041544 - Admin GUI: Making selection of host while uploading disk it will immediately replace it with the first active host in the list.  
2043146 - Expired /etc/pki/vdsm/libvirt-vnc/server-cert.pem certificate is skipped during Enroll Certificate  
2044273 - Remove the RHV Guest Tools ISO image upload option from engine-setup  
2048546 - sosreport command should be replaced by sos report  
2050566 - Upgrade ovirt-log-collector to 4.4.5  
2050614 - Upgrade rhvm-setup-plugins to 4.5.0  
2051857 - Upgrade rhv-log-collector-analizer to 1.0.13  
2052557 - RHV fails to release mdev vGPU device after VM shutdown  
2052690 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine  
2054756 - [welcome page] Add link to MTV guide  
2055136 - virt module is not changed to the correct stream during host upgrade  
2056021 - [BUG]: "Enroll Certificate" operation not updating libvirt-vnc cert and key  
2056052 - RHV-H w/ PCI-DSS profile causes OVA export to fail  
2056126 - [RFE] Extend time to warn of upcoming certificate expiration  
2058264 - Export as OVA playbook gets stuck with 'found an incomplete artifacts directory...Possible ansible_runner error?'  
2059521 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine-metrics  
2059877 - [DOCS][Upgrade] Update RHVM update procedure in Upgrade guide  
2061904 - Unable to attach a RHV Host back into cluster after removing due to networking  
2065052 - [TRACKER] Upgrade to ansible-core-2.12 in RHV 4.4 SP1  
2066084 - vmconsole-proxy-user certificate expired - cannot access serial console  
2066283 - Upgrade from RHV 4.4.10 to RHV 4.5.0 is broken  
2069972 - [Doc][RN]Add cluster-level 4.7 to compatibility table  
2070156 - [TESTONLY] Test upgrade from ovirt-engine-4.4.1  
2071468 - Engine fenced host that was already reconnected and set to Up status.  
2072637 - Build and distribute python38-daemon in RHV channels  
2072639 - Build and distribute ansible-runner in RHV channels  
2072641 - Build and distribute python38-docutils in RHV channels  
2072642 - Build and distribute python38-lockfile in RHV channels  
2072645 - Build and distribute python38-pexpect in RHV channels  
2072646 - Build and distribute python38-ptyprocess in RHV channels  
2075352 - upgrading RHV-H does not renew certificate

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:  
ansible-runner-2.1.3-1.el8ev.src.rpm  
apache-sshd-2.8.0-0.1.el8ev.src.rpm  
engine-db-query-1.6.4-1.el8ev.src.rpm  
ovirt-dependencies-4.5.1-1.el8ev.src.rpm  
ovirt-engine-4.5.0.7-0.9.el8ev.src.rpm  
ovirt-engine-dwh-4.5.2-1.el8ev.src.rpm  
ovirt-engine-metrics-1.6.0-1.el8ev.src.rpm  
ovirt-engine-ui-extensions-1.3.3-1.el8ev.src.rpm  
ovirt-log-collector-4.4.5-1.el8ev.src.rpm  
ovirt-web-ui-1.8.1-2.el8ev.src.rpm  
rhv-log-collector-analyzer-1.0.13-1.el8ev.src.rpm  
rhvm-branding-rhv-4.4.11-1.el8ev.src.rpm  
rhvm-setup-plugins-4.5.0-2.el8ev.src.rpm  
vdsm-jsonrpc-java-1.7.1-2.el8ev.src.rpm

noarch:  
ansible-runner-2.1.3-1.el8ev.noarch.rpm  
apache-sshd-2.8.0-0.1.el8ev.noarch.rpm  
apache-sshd-javadoc-2.8.0-0.1.el8ev.noarch.rpm  
engine-db-query-1.6.4-1.el8ev.noarch.rpm  
ovirt-dependencies-4.5.1-1.el8ev.noarch.rpm  
ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-backend-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-dbscripts-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-dwh-4.5.2-1.el8ev.noarch.rpm  
ovirt-engine-dwh-grafana-integration-setup-4.5.2-1.el8ev.noarch.rpm  
ovirt-engine-dwh-setup-4.5.2-1.el8ev.noarch.rpm  
ovirt-engine-health-check-bundler-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-metrics-1.6.0-1.el8ev.noarch.rpm  
ovirt-engine-restapi-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-base-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-cinderlib-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-imageio-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-tools-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-tools-backup-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-ui-extensions-1.3.3-1.el8ev.noarch.rpm  
ovirt-engine-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-webadmin-portal-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-engine-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm  
ovirt-log-collector-4.4.5-1.el8ev.noarch.rpm  
ovirt-web-ui-1.8.1-2.el8ev.noarch.rpm  
python3-ovirt-engine-lib-4.5.0.7-0.9.el8ev.noarch.rpm  
python38-ansible-runner-2.1.3-1.el8ev.noarch.rpm  
python38-docutils-0.14-12.4.el8ev.noarch.rpm  
rhv-log-collector-analyzer-1.0.13-1.el8ev.noarch.rpm  
rhvm-4.5.0.7-0.9.el8ev.noarch.rpm  
rhvm-branding-rhv-4.4.11-1.el8ev.noarch.rpm  
rhvm-setup-plugins-4.5.0-2.el8ev.noarch.rpm  
vdsm-jsonrpc-java-1.7.1-2.el8ev.noarch.rpm  
vdsm-jsonrpc-java-javadoc-1.7.1-2.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3807  
https://access.redhat.com/security/cve/CVE-2021-23425  
https://access.redhat.com/security/cve/CVE-2021-33502  
https://access.redhat.com/security/cve/CVE-2021-41182  
https://access.redhat.com/security/cve/CVE-2021-41183  
https://access.redhat.com/security/cve/CVE-2021-41184  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYo/qI9zjgjWX9erEAQhpng//aJBlyx9sUzPTC08WE6OwY4Ihk8b0wSh5  
C9RWX/PmlDE2CAivQHpSs8D7/IizHl4Arn6f0HJx+NavN8YfbApqs2mcq+KUKYuC  
/VxCb3YlukeDsXeYIM+ScifS9M+N+WNGy9BRrlcYxZ4Ya5zLYv/ibrrHCX44yKz8  
Jg5abyQyCzI6DEPjSDRIZkULLIdkbQ8xGd7j5P4ThAR2MRf8deeHez4/NmfrQm6n  
Q3f4qeQlljiNgoGdxa2z65Shxpb3pkWGt81MZuMwKpRa6EDBDs8vGMA0LZamsikv  
XZUU2P7d+JrXvLd2bmfGty6EaQ2FY0XoB0vvK1AyUhSZkX2thUvFsEgIdWjLSu4a  
eT28D2etZLTIyl1DB42L+5gcomaQTn0sT0i99ExWkFyf9xWne+ygOFYydjV0/fy+  
530Pwzlk9c2QtHgJ/XzGU12QLzKa/tvLbqXTfmAmlqDkU/+3aIr2l5SgnudzY4NN  
BAUae8noIVWEs6L+6DY5HYt+x+WYYLipQh9gPjpBOaH+sEFvZ2+GzlVR0zF4IM5E  
qLH5bopwO6GfHeNjv+4U+l+3kjhJIpwrsy/uzc+/mExrraYFpZc8skbcGRyhQ7ML  
CtHSV7Y4x/OguhgYeqx1ocCfpIpkbu4MGa4esGDW4ocvL03AHnbxOG7gGvBH35oF  
cada2etYwu0=nreb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4711-01

Today's modern companies are built on data, which now resides across countless cloud apps. Therefore preventing data loss is essential to your success. This is especially critical for mitigating against rising ransomware attacks — a threat that 57% of security leaders expect to be compromised by within the next year. 
As organizations continue to evolve, in turn so does ransomware. To help you

Today's modern companies are built on data, which now resides across countless cloud apps. Therefore preventing data loss is essential to your success. This is especially critical for mitigating against rising ransomware attacks — a threat that 57% of security leaders expect to be compromised by within the next year.

As organizations continue to evolve, in turn so does ransomware. To help you stay ahead, Lookout Chief Strategy Officer, Aaron Cockerill met with Microsoft Chief Security Advisor, Sarah Armstrong-Smith to discuss how remote work and the cloud have made it more difficult to spot a ransomware attack, as well as how deploying behavioral-anomaly-based detection can help mitigate ransomware risk. Access the full interview.

**Aaron Cockerill:** I feel like the way modern enterprises operate, which includes a combination of technologies, has allowed the ransomware to thrive. Having experienced this type of attack in my past roles, I know how many CISOs are feeling out there. The human instinct is to pay the ransom. What trends are you seeing?

**Sarah Armstrong-Smith:** It's quite interesting to think about how ransomware has evolved. We think about these attacks as being really sophisticated. The reality is that attackers favor the tried and tested: they favor credential theft, password spray, they're scanning the network, buying credentials off the dark web, using ransomware kits.

So in many ways, things haven't changed. They are looking for any way into your network. So although we talk about cyber attacks becoming sophisticated, that initial point of entry really isn't what sets the ransomware operators apart, it's what happens next.

It's down to that persistence and patience. The growing trend is that attackers understand IT infrastructure really well. For example, lots of companies are running Windows or Linux machines or have entities on-premises. They might also be utilizing cloud services or cloud platforms or different endpoints. Attackers understand all that. So they can develop malware that follows those IT infrastructure patterns. And in essence, that's where they're evolving, they're getting wise to our defenses.

**Aaron:** One evolution we've witnessed is the theft of data and then threatening to make it public. Are you seeing the same thing?

**Sarah**: Yeah, absolutely. We call that double extortion. So part of the initial extortion could be about the encryption of your network and trying to get a decryption key back. The second part of the extortion is really about you having to pay another amount of money to try and get your data back or for it not to be released. You should assume that your data is gone. It's very likely that it's already been sold and is already on the dark web.

**Aaron:** What do you think are some of the common myths associated with ransomware?

**Sarah:** There's a misconception that if you pay the ransom, you're going to get your services back quicker. The reality is quite different.

We have to assume that ransomware operators see this as an enterprise. And, of course, the expectation is that if you pay the ransom, you're going to receive a decryption key. The reality is that only 65% of organizations actually get their data back. And it's not a magic wand.

Even if you were to receive a decryption key, they're quite buggy. And it's certainly not going to open everything up. Often, you still have to go through file by file and it's incredibly laborious. A lot of those files are potentially going to get corrupted. It's also more likely that those large, critical files that you rely on are the ones you won't be able to decrypt.

**Aaron:** Why is ransomware still affecting companies so badly? It seems like we've been talking about methods attackers use to deliver these attacks, such as phishing and business email compromise, as well as preventing data exfiltration and patching servers forever? Why is ransomware still such a big problem? And what can we do to prevent it?

**Sarah**: Ransomware is run as an enterprise. The more people pay, the more threat actors are going to do ransoms. I think that's the challenge. As long as someone somewhere is going to pay, there is a return on investment for the attacker.

Now the difference is, how much time and patience does the attacker have. Particularly some of the larger ones, they will have persistence, and they have the willingness and desire to carry on moving through the network. They're more likely to use scripting, different malware, and they're looking for that elevation of privilege so they can exfiltrate data. They're going to stay in your network longer.

But the common flaw, if you like, is that the attacker is counting on no one watching. We know that sometimes attackers stay in the network for months. So at the point where the network's been encrypted, or data exfiltrated, it's too late for you. The actual incident started weeks, months or however long ago.

That's because they're learning our defenses: "will anyone notice if I elevate privilege, if I start to exfiltrate some data? And assuming I do get noticed, can anyone even respond in time?" These attackers have done their homework, and at the point where they are asking for some kind of extortion or demand, they've done a huge amount of activity. For bigger ransomware operators, there is a return on investment. So they're willing to put the time and effort in because they think they're going to get that back.

**Aaron:** There's an interesting article written by Gartner on how to detect and prevent ransomware. It says the best point to detect attacks is in the lateral movement stage, where an attacker is looking for exploits to pivot from or more valuable assets to steal.

I think that that's one of the most fundamental challenges that we have. We know what to do to mitigate the risk of phishing — although that's always going to be an issue because there's a human element to it. But once they get that initial access, get an RDP (Remote Desktop Protocol), or credentials for the server or whatever it is, and then they can start that lateral movement. What do we do to detect that? Sounds like that's the biggest opportunity for detection.

Listen to the full interview to hear Sarah's thoughts on the best way to detect a ransomware attack.

The first step to securing data is knowing what's going on. It's hard to see the risks you're up against when your users are everywhere and using networks and devices you don't control to access sensitive data in the cloud.

Eliminates the guesswork by gaining visibility into what's happening, on both unmanaged and managed endpoints, in the cloud and everywhere in between. Contact Lookout today.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

The Myths of Ransomware Attacks and How To Mitigate Risk

The Colonial Pipeline attack highlighted the risks of convergence. Unified security provides a safer way to proceed.

This month marks the first anniversary of the Colonial Pipeline shutdown — a hugely impactful ransomware attack against critical US infrastructure that has had significant diplomatic and legislative consequences. Among the numerous talking points the attack raised was the issue of IT/OT convergence.

The attack, orchestrated by ransomware group DarkSide, targeted the pipeline's IT billing systems rather than its operation technology (OT), but Colonial was still forced to shut down physical operations for several days. Despite its oil-pumping systems retaining functionality, Colonial believed the risk of continuing operations with an IT compromise was too great. This was largely due to the proximity of its IT and OT systems: Had the attackers moved laterally to the company's operational networks, they could have imposed a longer and more costly shutdown, potentially tampering with safety mechanisms and damaging equipment — even endangering the pipeline's employees.

The risk of IT attacks spilling over into OT has grown as the organizations operating these systems look to gain an edge over their competitors. IT/OT convergence makes industrial control systems (ICS) cheaper, easier to manage, and more rapidly available to different administrators. At the same time, as the Colonial Pipeline instance showed us, it presents new risks and avenues for cyber disruption.

This is partly because most OT security tools today look at industrial systems in isolation — as a disconnected silo, separate to the rest of the business. The same is true of network security, email systems, and the cloud. And when many of these tools were being developed, there was nothing wrong with this approach. But as these digital environments converge, relying on disjointed point solutions to stop cyberattacks isn't effective, especially because a single attack can now target and traverse multiple fields of operation.

By unifying their security stack, defenders can use IT/OT convergence to their advantage and turn vulnerability into strength.

This requires a move away from tools trained on historical attacks and toward self-learning technology that can learn its digital surroundings from scratch, without any prior assumptions. By understanding the unique behavior of every IT and OT device — no matter how bespoke or complex the technology — this approach enables the detection of novel threats. By definition, a cyberattack causes a machine or user account to behave in a way it normally does not, and these deviations can be picked up, no matter where they appear.

**How Ransomware Groups Exploit IT/OT Convergence**

The risk of connecting cloud platforms to ICS was demonstrated in an attack against a European OT R&D investment firm last year.

Two of the firm's Industrial Internet of Things (IIoT) devices, which ran Windows OS and made regular connections to an industrial cloud platform, were compromised when they used the server message block (SMB) protocol to connect to an infected domain controller and read a malicious executable file. Security teams are often stymied by IIoT devices, which can lack CPUs, traditional operating systems, or sufficient disk space for putting security measures in place.

A malicious payload lay dormant for almost a month within the two IIoT devices, one of which was a human-machine interface (HMI) and the other an ICS historian. Darktrace's investigation showed that, while network segregation was sufficient to stop the attack's command-and-control (C2) communications on the HMI device, connections from the ICS historian reached around 40 unique external endpoints.

Both devices then wrote suspicious shell scripts to network servers and, finally, used SMB to encrypt files stored in network shares. A ransomware note was written by the ICS to targeted devices, and the attack was complete. This kind of attack life cycle, which demonstrates the limitations of network segregation and air-gapping, has been the basis for widespread concerns around IT/OT convergence.

No signatures or threat intelligence were associated with this attack, and so it flew under the radar of the company's traditional security tools. Only through self-learning technology from Darktrace was the security team able to gain full visibility into the attack.

**Riding the Changing Tides**

Reference architectures that rely on air-gapping ICS from IT are increasingly incompatible with the technological advancements many organizations are making in order to remain competitive. If attackers no longer view IT and OT as distinct, partitioned regions, neither should security teams.

It is possible for businesses to safely embrace interconnectivity, with all of its advantages, by adopting security that learns the business from the ground up to address sophisticated threats across both their IT and OT environments.

Unified security efforts reflect the reality of converging systems and ensure that no gaps are left for attackers to exploit. When the entire digital environment can be viewed through a single pane of glass and no single, exploitable system is left without protection, organizations will be able to interconnect systems without taking on undue risk.

Taking the Danger Out of IT/OT Convergence

By Owais Sultan
Screen recorder for Windows is a useful feature that comes in handy for a variety of tasks, especially…
This is a post from HackRead.com Read the original post: How To Screencast on Windows 10

Screen recorder for Windows is a useful feature that comes in handy for a variety of tasks, especially when writing lessons. Screen recorder for Windows 10 is a terrific technique to demonstrate to someone how to conduct a task in a critical application or to show off your gaming skills.

**Why do YouTubers, educators, and gamers need to record Windows 10**

Screen recordings for Windows 10 are quite helpful for generating videos. If you’re a YouTuber, an instructor, or a gamer, you’re probably already familiar with screen recording. The ability to record screens in Windows 10 is essential. Whether you want to share hands-on instruction with your followers or relay the latest trends, this is the ideal partner for your videos.

Even if you wish to record your activity in a non-gaming program, Windows 10 includes a screen recording feature built right in as part of the Xbox Game Bar utility. The built-in function Game Bar in Windows 10 allows you to record your screen.

It was made primarily to record PC and Xbox gaming sessions, but it can also record other programs and activities. If you want to edit your video and add some effect, you can try Wondershare DemoCreator. The all-in-one screen recorder and video editor. 

It’s beneficial to learn how to screen record on Windows 10 for several reasons, including:

*   Keeping track of social media content
*   Sharing your gameplay video and tricks
*   When you want to deliver workshops or courses to teach
*   This is helpful when you Explain technical concerns to a computer repair expert

Screen capture is useful whenever you want to save an action on your screen to view or share later. This easy method can help you save time and hassle.

**How to record screen on Windows 10 PC**

There are a variety of ways in which you can cast a screen on Windows 10. You can capture a video of your actions in practically any Windows software on your laptop if you want to film games or create a tutorial. Below are effective ways to explore Screen Recording. Let’s dig in!

**1\. How to Use PowerPoint to Record Screen on Windows 10**

Many consumers are unaware that the PowerPoint software on Windows computers allows for screen recording. Of course, this isn’t a full-fledged feature, but it’s worth a go if you want to capture video for your presentation.

*   Open any slide in PowerPoint and choose the “Insert” tab to launch the Windows 10 screen recorder. After that, choose “Screen Recording.”  
    
*   A control dock will now display, prompting you to choose the region you want to record. To choose an area, first, click “Select Area” and then drag it. Use the Windows key + Shift + F keyboard shortcut to record the entire screen. The audio and mouse pointer is recorded by default, however, you can disable them using the control dock.  
    
*   After you’ve made all of your adjustments, press the “Record” button. You can also start/pause the recording by pressing Windows key+Shift+R.  
    
*   Finally, press the stop button to complete the process. Your slide will now have a video embedded in it. You do, however, have the option of saving it wherever you wish. Simply right-click the video and select “Save Media As” from the menu. After that, rename it and choose your favorite location.

**2\. Record Screen Using OBS on Windows 10**

Follow the steps below to record the screen through OBS Studio on Windows 10:

*   To begin, download and run the OBS Studio software (which is free).  
    
*   Now select “Settings.”  
    
*   You may adjust crucial parameters like resolution, encoder, and streaming here to suit your needs. After that, click OK. The selected source should then be added. Under the Sources section, click the “+” button.  
    
*   Next, select the desired source, such as “Game Capture” for game recording, “Window Capture” for app recording, and “Video Capture Device” for a webcam or capture card recording.  
    
*   Now, before you get started, I urge that you review all of the settings one more. Make sure the output format is correct. When you’re ready, click “Start Recording.”  
    
*   Now you’re ready to go! From the File menu, select Show Recordings to access your recordings.

**3\. How to record screen with DemoCreator**

Simply follow these steps to enable Screen+Webcam Recording.

DemoCreator is a video capture software that allows recording tutorials, meetings, games, and more. Screen+Webcam recording is a multitrack recording mode with a conventional recording mode. If you choose this recording option, your screen, microphone, and camera recordings will be split into three tracks, each of which can be edited separately.

*   1\. Select Screen+Webcam in DemoCreator.   
    
*   2\. Create the capture zone. Select whether to record the entire screen, the capture region, and other options.  
    
*   3\. Select other inputs to record alongside the screen. Webcam, microphone audio, and system audio are all options. Check the sound, microphone, and camera connections on your system. Configure the camera and audio for optimal performance. You can also configure the webcam mirror direction and AI facial recognition under the camera recording tab.

*   4\. Stop/resume recording

*   _Click the DemoCreator Recorder on the taskbar, then the end recording button after you’re done recording._
*   _To start/stop a recording, use F10, and to pause/resume a recording, press F9._

*   5\. Remember to convert your screencasts into professional videos.

You’ve got your screen capture and your recording. Now, if you want to make an impression, you should turn your screen recordings into fully edited videos with music and text. This is where an online video comes in helpful. Even if you’ve never edited a video before, you can quickly make professional-quality videos in minutes.

**Windows 10 Makes Screen Recording Easier**

There are times when you’ll need to capture a video, and Windows 10 Screen recording is the perfect tool to help you do it. With so many options to choose from, including some free picks, you can start making great video screen grabs without having to invest in expensive studio equipment. Furthermore, most creators can quickly grasp these possibilities.

Also, screen recording is integrated directly into Windows 10 and the Xbox Game Bar function, and it’s really simple to use. Even if you don’t want to use a gaming app to track your activity. However, Game Bar has certain limits. So if you’re doing something more sophisticated than just capturing one application at a time, you might want to utilize a third-party app. 

It’s exciting to see that kids are employing screen recording as part of their school projects to showcase educational topics to their teachers and classmates using Windows 10. This demonstrates how simple it is to utilize this screen recorder.

To summarize, you can utilize Windows 10 Screen Recording to create video projects or instructional materials for work, school, or just for fun.

**More Windows 10 Topics**

1.  Windows 10 disk management
2.  How to remove adware from Windows 10
3.  Windows 10 is about to get a Big Sun Valley update
4.  Will Microsoft add Android support to Windows 10 next year
5.  Windows 10X – Microsoft’s newest OS on track for Spring 2020 release

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

How To Screencast on Windows 10

EOL Product CVE - Installer of Trend Micro Password Manager (Consumer) versions 3.7.0.1223 and below provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Please note that this was reported on an EOL version of the product, and users are advised to upgrade to the latest supported version (5.x).

**最終更新日: 2022年5月11日**

CVE-2022-28394 における概要および対処方法についてご案内します。

この問題に対する修正はすでに配信されています。  
問題の詳細および修正の確認方法については下記内容をご確認ください。

**概要**

この脆弱性により、攻撃者により事前に同一ディレクトリに用意された DLL を製品インストール時に読みこませることで、任意のコードが実行される可能性があります。

**脆弱性の影響範囲**

下記の製品にて影響を受ける可能性があります。

*   パスワードマネージャー （Windows版） 3.7.0.1223 より前のバージョン

また、CVSS (3.0) によるスコアは次の通りです。

*   CVSS (3.0)：7.8

**脆弱性が発生するプラットフォーム**

Windows

**攻撃を確認しているか**

2022 年 5 月 11 日現在、弊社では本脆弱性を利用した攻撃を確認しておりません。

**対応方法・修正の確認方法**

本脆弱性の修正を行ったパスワードマネージャー (Windows版) 3.7.0.1223 は、2017 年 7 月 31 日に公開済となっておりますが、パスワードマネージャー (Windows版) 3.x は 2019 年 07 月 30 日でサポートを終了し公開も終了しております。

そのため、パスワードマネージャー (Windows版) 3.x をご利用されている場合は、パスワードマネージャー (Windows版) 5.x へバージョンアップを行ってください。

パスワードマネージャー (Windows版) 5.x では、本脆弱性の影響はございません。

**古いバージョンをご利用中のお客さま**

最新の脅威へ対応するため、弊社では常に最新バージョンをご利用いただくことを推奨しています。  
パスワードマネージャー (Windows版) の古いバージョンをお使いの場合は、最新バージョンへのバージョンアップをご検討ください。 (現在の最新バージョンは 5.x )

パスワードマネージャー (Windows版) のバージョンの確認方法およびアップデートの方法に関しましては、下記リンクをご参照ください。

**関連リンク**

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   ※ご入力いただいた内容については、今後の改善の参考とさせていただきます。
*   ※こちらにご質問などをいただきましてもご返答する事ができません。また、個人情報のご記入はご遠慮下さい。

CVE-2022-28394: アラート/アドバイザリ：パスワードマネージャーの脆弱性について (CVE-2022-28394)

By Waqas
A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal…
This is a post from HackRead.com Read the original post: ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

**A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal data.**

A sudden, unexpected spike in browser hijacking campaigns utilizing ChromeLoader malware has been detected lately, stated Aedan Russell from Red Canary. Russell noted that the attackers aim to hijack browsers through the “pervasive and persistent” ChromeLoader malware that can modify browser settings and redirect the victim to advertisement sites.

The malvertising campaign is financially motivated as the attackers are part of a wider network of marketing affiliates and redirect the user to advertising sites.

**What is ChromeLoader?**

For your information, ChromeLoader is a Chrome browser extension distributed as ISO files through pay-per-install websites and fraudulent social media posts usually offering QR codes, pirated movies, or cracked video games.

A screenshot of a Tweet shared by researchers shows a redacted scannable malicious QR code that leads to ChromeLoader’s download site

ChromeLoader changes web browser settings to display search results that lure users to download unwanted software, visit dating sites or adult games platforms, and participate in fake surveys. It stands apart among other browser hijackers for its incredible persistence, infection route, and volume involving abuse of PowerShell.

**Attack Scenario**

According to Red Canary’s blog post, the malware operators use a malicious ISO archive file to invade the system. This file is promoted as a cracked executable for commercial software or a video game so that the victims can download it from malicious sites or torrents. Malware operators also use Twitter posts to promote the malicious executable.

When the file is double-clicked by a user in Windows 10 or later systems, it is mounted as a virtual CD-ROM drive. Although it appears to be a keygen or game crack titled CS\_Installer.exe, the executable in this ISO file actually unleashes the malware.

ChromeLoader then executes/decodes a PowerShell command to fetch an archive from the remote resource and gets loaded on the system as a Chrome extension. Afterward, the PowerShell removes the scheduled task and infects Chrome with a discreetly injected extension to hijack and manipulate the browser results.

Red Canary researchers identified that ChromeLoader operators also target macOS systems to manipulate Safari web browser and Chrome. The infection chain is similar on macOS, but attackers use DMG (Apple Disk Image) file instead of ISO.

Furthermore, instead of the executable containing the installer, in macOS, an installer bash script is used to download and decompress the malware extension onto the private/var/tmp directory.

**More Chrome Browser and Malware News**

1.  New Jupyter backdoor malware steals Chrome, Firefox data
2.  New variant of MassLogger Trojan stealing Chrome, Outlook data
3.  Chrome extensions with 80 million+ users found engaging in ad fraud
4.  Malicious Chrome, Edge extensions manipulating Google search results
5.  Malware infected browser extensions stealing Chrome, and Edge user data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

Microsoft Dev Box will make it easier for developers and hybrid teams to get up and running with workstations already preconfigured with required applications and tools.

Microsoft's cloud-based developer workstation comes preconfigured with all of the required applications so that developers and hybrid teams have access to everything they need directly through the Web browser.

Microsoft Dev Box is a virtual machine that provides developers with a "ready-to-code" workstation, Microsoft said this week during Build 2022, its annual developer conference. Teams can configure images, assign or remove team members, and start coding on a new project without first dealing with a complex and time-consuming set-up process.

Application testing becomes easier, since each Dev Box can be set up to re-create a specific customer environment. Developers who have to support multiple versions of the same software can have multiple Dev Boxes and switch back and forth between different environments. There is no need to worry about software conflicts and dependency issues, the company says.

Dev Box is based on the same cloud foundations as Windows 365, which offers users Windows machines in the cloud. As a result, Dev Box has similar security benefits as Windows 365 Cloud PC, such as the fact that workstations will automatically be fixed up with the latest security updates and administrators can apply Azure’s access control and authentication policies to control how developers access Dev Box. IT administrators can manage Dev Boxes and Cloud PCs together in Microsoft Intune and Microsoft Endpoint Manager, wrote Kathleen Mitford, corporate vice president of Azure Marketing, on the Azure blog.

Dev Box can wind up making it easier to securely manage remote development teams. Since the developer is going through the Web browser to access the workstation, security teams don’t have to worry about the security of the physical device the developer is using or whether source code and other corporate intellectual property are being downloaded onto a personal device.

While Microsoft did not announce an exact release data for Dev Box, there is a waiting list for private preview.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#windows