A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers…

A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers to gain control of vulnerable devices. The flaw is under investigation, with full disclosure expected next week.

Simone Margaritelli, a cybersecurity researcher and Linux developer has discovered a critical Linux vulnerability that could allow attackers to gain complete control of vulnerable systems. This Linux vulnerability affects GNU/Linux systems, specifically for Linux Remote code execution. If confirmed, it could be one of the worst vulnerabilities in history.

****A Decade-Old Flaw:****

The vulnerability, which has reportedly existed for over a decade, impacts all GNU/Linux systems. While specific details remain confidential, the severity score of 9.9 out of 10, confirmed by major Linux distributors like Canonical and Red Hat, indicates the immense potential for damage if exploited.

****The Controversy:** **

Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, and developers are still debating whether certain aspects of the vulnerability pose a security risk. This disagreement has led to delays in addressing the issue and has caused frustration among security researchers.

Margaritelli has publicly expressed his disappointment with the handling of the disclosure. He claims to have provided proof-of-concept exploits, but developers have been more focused on debating the vulnerability’s impact rather than working towards a solution.

He has, therefore, decided not to go for responsible disclosure instead of full disclosure of the flaw. While his decision could accelerate the fix race but will also expose millions of Linux systems to malicious attacks if no swift countermeasures are taken.

For your information, Simone Margaritelli, aka evilsocket, is a renowned cybersecurity expert who has created numerous tools for professionals and researchers worldwide. One of his most notable contributions is Bettercap, an open-source tool designed for Man-in-the-Middle (MITM) hacking attacks and network penetration testing.

The vulnerability may affect known exposed services like OpenSSH and possibly filtering services like Net Filter, although there is no indication of which service may be affected, and these are just hypotheses.

As per the latest updates, the flaw will be initially disclosed to the Openwall security mailing list on September 30th, followed by full public disclosure on October 6th. Linux users are advised to stay informed about official updates and patch systems as soon as patches are available.

> \* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.  
> \* Full disclosure happening in less than 2 weeks (as agreed with devs).  
> \* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).  
> \* Still no working fix.  
> \* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR
> 
> — Simone Margaritelli (@evilsocket) September 23, 2024

Brian Fox, CTO of software security platform, Sonatype, and governing board member of the Open Source Security Foundation, has found similarities between this vulnerability and the **Log4j/Log4Shell** vulnerability (CVE-2021-44228). Fox is working closely with Sonatype’s research team and the open-source security community to understand the gravity of the issue and possible mitigation methods.

“While we don’t have the technical details yet, a vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system. Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your wifi router to the grid keeping the lights on runs on Linux,” Brain explained.

He further added “This combination of low complexity and high usage is reminiscent of Log4Shell, though the scale of usage here is much more significant. I understand the logic in phasing out disclosure, as this vulnerability will take time to find and fix, however, we should also expect threat actors to be scrutinizing the commit history and looking for clues to exploit.”

“As we wait for more details to come out, enterprise security teams must scour their environments and SBOMs to understand where they might be vulnerable and be prepared to patch. Cancel your vacations because, on October 6, it could be a race against attackers,” Brian emphasised.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**
5.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**

Old Vulnerability Rated 9.9 Impacts All GNU/Linux Systems, Researcher Claims

There will be four major categories in the 2025 retread of the hacking competition, with prizes ranging for each challenge, from $20,000 to half a million.

Source: Zoonar GmbH via Alamy Stock Photo

The Pwn20wn Automotive contest will be returning to Tokyo in 2025 for its second year, offering a new set of challenges and winnings of more than $1 million in cash and prizes.

A random drawing will determine the schedule of attempts the day before the contest begins, focusing on four categories: Tesla, in-vehicle infotainment (IVI), electric vehicle chargers, and operating systems.

Each of these categories have individual targets and vary in prize amounts. In the Tesla category, the highest prize is half a million dollars for the Autopilot target in the "full remote with unconfined root" subcategory. The other three categories have fewer targets and smaller prize offerings, ranging from $20,000 to $60,000. Points are accumulated for each successful attempt on each target, and the participant with the most points by the end of the competition will earn the Master of Pwn crown and instant Platinum status in 2026.

The rules of the contest can be found on the Zero Day Initiative (ZDI) website, and can change without notice, so participants should regularly update themselves on the guidelines. Registration closes on Jan. 16, 2025, at 5 p.m. Japanese Standard Time.

**About the Author**

Pwn2Own Auto Offers $500K for Tesla Hacks

The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).

Source: Kristoffer Tripplaar via Alamy Stock Photo

Less than two weeks after patching one flaw, Ivanti announced on Sept. 19 that a second, critical Cloud Services Appliance (CSA) vulnerability is being exploited in the wild.

The vulnerability (CVE-2024-8963, CVSS 9.4) is a path traversal in Ivanti CSA that allows a remote, unauthenticated attacker to access restricted functionalities. Attackers have chained it to the previously disclosed flaw, CVE-2024-8190, which is a high-severity OS command injection flaw that can allow unauthorized access to devices. The chain can be exploited for remote code execution (RCE), if the attacker has admin-level privileges.

"If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance," the enterprise said.

The news comes during an ongoing series of security issues Ivanti has faced since 2023.

**Not First & Likely Not the Last**

Just this year alone, Ivanti has faced flaw after flaw; in February, the Cybersecurity and Infrastructure Security Agency (CISA) ordered Ivanti VPN appliances be disconnected, rebuilt, and reconfigured in 48 hours, after there were concerns that multiple threat actors were exploiting security flaws found in the systems.

In April, foreign nation-state hackers took advantage of vulnerable Ivanti gateway devices and attacked MITRE, breaking its 15-year streak of being incident free. And MITRE wasn’t alone in this, as thousands of Ivanti VPN instances were compromised due to two unpatched zero-day vulnerabilities.

And in August, Ivanti's Virtual Traffic Manager (vTM) harbored a critical vulnerability that could have led to authentication bypass and creation of an administrator user without the patch that the enterprise provided.

"These known but unpatched vulnerabilities have emerged a favorite target for attackers because they are easy to exploit and oftentimes organizations have no idea that devices with EOL systems are still running in their network," Greg Fitzgerald, co-founder of Sevco Security, said in an emailed statement to Dark Reading.

**Protection in an Ongoing Storm**

To mitigate this threat, Ivanti recommends that its customers upgrade the Ivanti CSA 4.6 to CSA 5.0. They can also update CSA 4.6 Patch 518 to Patch 519; however, this product has entered end of life, so it's recommended to upgrade to CSA 5.0 instead. 

In addition to this, Ivanti recommends that all customers ensure dual-homed CSA configurations with eth0 as an internal network.

Customers should review the CSA for modified or newly added administrators if they are concerned that they may have been compromised. If users have endpoint detection and response (EDR) installed, it's recommended to review those alerts as well. 

Users can request help or ask questions by logging a case or requesting a call through Ivanti's Success Portal.

Ivanti's Cloud Service Appliance Attacked via Second Vuln

Apple Security Advisory 09-16-2024-10 - macOS Ventura 13.7 addresses buffer overflow, bypass, out of bounds access, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-16-2024-10 macOS Ventura 13.7

macOS Ventura 13.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121234.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive user information  
Description: The issue was addressed with improved checks.  
CVE-2024-44129

App Intents  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive data logged when a  
shortcut fails to launch another app  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44182: Kirin (@Pwnrin)

AppKit  
Available for: macOS Ventura  
Impact: An unprivileged app may be able to log keystrokes in other apps  
including those using secure input mode  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-27886: Stephan Casas, an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with additional code-signing  
restrictions.  
CVE-2024-40847: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40814: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2024-44164: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A library injection issue was addressed with additional  
restrictions.  
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An attacker may be able to read sensitive information  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40848: Mickey Jin (@patch1t)

Automator  
Available for: macOS Ventura  
Impact: An Automator Quick Action workflow may be able to bypass  
Gatekeeper  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-44128: Anton Boegler

bless  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44151: Mickey Jin (@patch1t)

Compression  
Available for: macOS Ventura  
Impact: Unpacking a maliciously crafted archive may allow an attacker to  
write arbitrary files  
Description: A race condition was addressed with improved locking.  
CVE-2024-27876: Snoolie Keffaber (@0xilis)

Dock  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed by removing sensitive data.  
CVE-2024-44177: an anonymous researcher

Game Center  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A file access issue was addressed with improved input  
validation.  
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero  
Day Initiative, an anonymous researcher

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44169: Antonio Zekić

Kernel  
Available for: macOS Ventura  
Impact: Network traffic may leak outside a VPN tunnel  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44165: Andrew Lytvynov

Mail Accounts  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University

mDNSResponder  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: A logic error was addressed with improved error handling.  
CVE-2024-44183: Olivier Levon

Notes  
Available for: macOS Ventura  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44167: ajajfxhj

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44178: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: This issue was addressed through improved state management.  
CVE-2024-40797: Rifa'i Rejal Maynando

Sandbox  
Available for: macOS Ventura  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44163: Zhongquan Li (@Guluisacat)

Shortcuts  
Available for: macOS Ventura  
Impact: A shortcut may output sensitive user data without consent  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44158: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to observe data displayed to the user by  
Shortcuts  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)

Transparency  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge David Dudok de Wit for their assistance.

macOS Ventura 13.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboy2sACgkQX+5d1TXa  
IvoOmhAA1kPpqqhEBRbskSU4pFIfX+JY/MyIrnI+6pNgMk3CLhQ5SSx0aFS2tg/c  
We70hoiTA8eWMvRkYr8KYNriNstqCivg7iq84Gv4/ycJ9Hx4Zwj6pZh5If1H8y+Q  
3NVsvLgnmvnAb6W7MvpXtgma47vA5xRe2oefCNe6QbcC2qnQ2xaspBZtH805IkAi  
WznXdr7UXmjJyfjlgp2FifyiLYQoPXPGFOLKkBURDCxaH4SJidgvzxerU+B+1ju9  
dqW29eQwTjG+qhXncTuxfUSuQ5s7g5XfVqfvcTQihUk+ZjWaMYOaUT2UYlAgDfg5  
Mq35kP/Hvh8zmf+Ryufl3D+qfKpyVUUJUKu+kEMbOIoIMkCzM4F0G30czaKiGCA+  
tJCEtsY/oxcbEcy8DLQbesPCv5Hf1Gv2fMkP3p/6CAYqXQ1mXQF0Vm2erKRqS+yD  
N2+M+r/GFzvK4i9bf6j10kDgv9PRxPs+pH9zuU85cwhT+jZzr2dkvTC9p+mI+5CJ  
AZ7ZMgTLbXDw2M4d4e6mEV3XbJ5ebNqQv9t0Hfbg3pf8YVEeAO0casIPopLK6fqi  
uS7gn/3PL9C1HS2gqlekYuwiP0DSleKk9qCDUVVfmAAxTA1vHKvtvlRBO0ykN7HI  
NmX+8AuFy8jnZRmZWXIbav1/EdWYg7e5SLCD+pemYLcMYSoSNXg=  
=YxVI  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-16-2024-10

Apple Security Advisory 09-16-2024-9 - macOS Sonoma 14.7 addresses buffer overflow, bypass, out of bounds access, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-16-2024-9 macOS Sonoma 14.7

macOS Sonoma 14.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121247.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved permissions logic.  
CVE-2024-44153: Mickey Jin (@patch1t)

App Intents  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive data logged when a  
shortcut fails to launch another app  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44182: Kirin (@Pwnrin)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted video file may lead to  
unexpected app termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-40846: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative  
CVE-2024-40845: Pwn2car working with Trend Micro Zero Day Initiative

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: A memory initialization issue was addressed with improved  
memory handling.  
CVE-2024-44154: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with additional code-signing  
restrictions.  
CVE-2024-40847: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2024-44164: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A library injection issue was addressed with additional  
restrictions.  
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An attacker may be able to read sensitive information  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40848: Mickey Jin (@patch1t)

AppleVA  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted video file may lead to  
unexpected app termination  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2024-40841: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

AppSandbox  
Available for: macOS Sonoma  
Impact: An app may be able to access protected files within an App  
Sandbox container  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44135: Mickey Jin (@patch1t)

Automator  
Available for: macOS Sonoma  
Impact: An Automator Quick Action workflow may be able to bypass  
Gatekeeper  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-44128: Anton Boegler

bless  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44151: Mickey Jin (@patch1t)

Compression  
Available for: macOS Sonoma  
Impact: Unpacking a maliciously crafted archive may allow an attacker to  
write arbitrary files  
Description: A race condition was addressed with improved locking.  
CVE-2024-27876: Snoolie Keffaber (@0xilis)

Dock  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed by removing sensitive data.  
CVE-2024-44177: an anonymous researcher

Game Center  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A file access issue was addressed with improved input  
validation.  
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-27880: Junsung Lee

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero  
Day Initiative, an anonymous researcher

Intel Graphics Driver  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Intel Graphics Driver  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

IOSurfaceAccelerator  
Available for: macOS Sonoma  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44169: Antonio Zekić

Kernel  
Available for: macOS Sonoma  
Impact: Network traffic may leak outside a VPN tunnel  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44165: Andrew Lytvynov

Mail Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University

mDNSResponder  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service  
Description: A logic error was addressed with improved error handling.  
CVE-2024-44183: Olivier Levon

Notes  
Available for: macOS Sonoma  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44167: ajajfxhj

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44178: Mickey Jin (@patch1t)

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: This issue was addressed through improved state management.  
CVE-2024-40797: Rifa'i Rejal Maynando

Sandbox  
Available for: macOS Sonoma  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44163: Zhongquan Li (@Guluisacat)

Sandbox  
Available for: macOS Sonoma  
Impact: A malicious application may be able to leak sensitive user  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44125: Zhongquan Li (@Guluisacat)

Security Initialization  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-40801: Zhongquan Li (@Guluisacat), Pedro José Pereira Vieito  
(@pvieito), an anonymous researcher

Shortcuts  
Available for: macOS Sonoma  
Impact: A shortcut may output sensitive user data without consent  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44158: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Sonoma  
Impact: An app may be able to observe data displayed to the user by  
Shortcuts  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea

sudo  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A logic issue was addressed with improved checks.  
CVE-2024-40860: Arsenii Kostromin (0x3c3e)

System Settings  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University

System Settings  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)

Transparency  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge David Dudok de Wit for their assistance.

macOS Sonoma 14.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboywEACgkQX+5d1TXa  
IvrDjxAA2tgRLOOTvFpZrVW/HEBxwCFUn7UkzXyfgUTuqntjSvmsc/pyVmPDpnOM  
UnLhZ4d3B6v44MSelhxSbomtGkggQfYAvcNmlPDk+yMMS0K5yRBJ3dobEt4e53Wj  
9DQl2cQfHxop3uaLRFRTRy5Wk46xIZcsPS3Obb0kLAZpnzD1K2UQ5tIgEVF2ETqi  
SaRlrjqsgiauG/qZ8pzJjQSB1/iNBJCf4TBMBmHHJ91zAVOiYxvVcIAcBl1cBK4m  
UU6Z0vF1NmNCTAu/8KPP0Y6AD5tM7ZrkotU1yTP8uey4r3Ec8XrZqzhTH05sMI5V  
Xt98UeRNl2EJQAJR2Wjfsa2u255SvJ9VJpOGpTff9npsP5c6a7fup2mcKSVmCJHG  
FxFoU9WC2Lx2fsb7kBZXx5y4+/lwKBh8gQBkqOB4vttUZIYwp/rwXJtBvwkSb3E+  
2MTYly0SAAAbwrGoImKsskbiOxB+Ebry2cZ4Rg8rKKwQIfpjpgCb2U97Ue1zCU/S  
lHCObpyD0HtDD13zYw3NXfbrcWS195WhLdgtVl9XJz90pQQwdcINzubGhILmabpl  
Q+QXoSuKNi0ooy9qO8yEmQdzF0swD/FZMqTmF6FFtFby4NpY6ooapHHyhJOGeqSn  
/Poj2T/Ay/xaX7VL2fUPU9n0KTNtp+HgvgpzMX31HpBNXo/96Eo=  
=YUrh  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-16-2024-9

SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution.
The vulnerability, tracked as CVE-2024-28991, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data. 
"SolarWinds Access Rights

Software Security / Data Protection

SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution.

The vulnerability, tracked as **CVE-2024-28991**, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data.

"SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability," the company said in an advisory. "If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution."

Security researcher Piotr Bazydlo of the Trend Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw on May 24, 2024.

The ZDI, which has assigned the shortcoming a CVSS score of 9.9, said it exists within a class called JsonSerializationBinder and stems from a lack of proper validation of user-supplied data, thus exposing ARM devices to a deserialization vulnerability that could then be abused to execute arbitrary code.

"Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed," the ZDI said.

Also addressed by SolarWinds is a medium-severity flaw in ARM (CVE-2024-28990, CVSS score: 6.3) that exposed a hard-coded credential which, if successfully exploited, could allow unauthorized access to the RabbitMQ management console.

Both the issues have been patched in ARM version 2024.3.1. Although there is currently no evidence of active exploitation of the vulnerabilities, users are recommended to update to the latest version as soon as possible to safeguard against potential threats.

The development comes as D-Link has resolved three critical vulnerabilities affecting DIR-X4860, DIR-X5460, and COVR-X1870 routers (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697, CVSS scores: 9.8) that could enable remote execution of arbitrary code and system commands.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks

Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.

Source: Anucha Cheechang via Shutterstock

Microsoft has recategorized a bug that the company fixed in this month's Patch Tuesday update as a zero-day vulnerability, which the "Void Banshee" advanced persistent threat group has been exploiting since before July.

The bug, identified as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine that Microsoft continues to include in Windows for backward compatibility purposes, and it's one of two very similar issues that Void Banshee is using in its attacks.

**Affects All Supported Windows Versions**

The vulnerability affects all supported versions of Windows and gives remote attackers a way to execute arbitrary code on affected systems. An attacker, however, would need to convince a potential victim to visit a malicious Web page or to click on an unsafe link for any exploit to work.

Microsoft assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale when it initially disclosed the bug on Sept. 10. At that time, the company's advisory made no mention of the vulnerability being a zero-day bug. Microsoft revised that assessment on Sept. 13 to indicate attackers had, in fact, actively been exploiting the flaw "as part of an attack chain \[related\] to CVE-2024-38112," a MSHTML platform spoofing vulnerability that the company patched in July 2024.

"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft said in its updated advisory.

The company wants customers to apply its patches from both the July 2024 update and the September 2024 update to fully protect themselves against exploits targeting CVE-2024-43461. Following Microsoft's Sept. 13 update, the US Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 added the flaw to its known exploited vulnerabilities database with a deadline of Oct. 7 for federal agencies to implement the vendor's mitigations for it.

CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to cause a user-interface — in this case, the browser — to display erroneous data. Check Point Research, which Microsoft has credited with discovering CVE-2024-38112, has described the flaw as allowing an adversary to send a crafted URL or Internet shortcut file that when clicked would trigger Internet Explorer — even when disabled — to open a malicious URL. Check Point said it had observed threat actors also use a separate novel trick for dressing up malicious HTML application (HTA) files as innocuous-looking PDF documents when exploiting the flaw.

Trend Micro's Zero Day Initiative (ZDI), which has also claimed credit for discovering CVE-2024-38112 — and has a beef with Microsoft for not acknowledging them — later reported Void Banshee as exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks that Trend Micro observed, the threat actor lured victims using malicious files spoofed as book PDFs that they distributed via Discord servers, file-sharing websites and other vectors. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.

**A Two-Bug Microsoft Attack Chain**

According to Microsoft's updated advisory, it turns out that attackers have been using CVE-2024-43461 as part of an attack chain also involving CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well for CVE-2024-43416, because both are near-identical flaws.

Peter Girnus, senior threat researcher at ZDI who Microsoft has credited for CVE-2024-43461, says the attackers used CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler inside of a .URL file. "This landing page contains an <iframe> which downloads an HTA file where the HTA extension is spoofed using CVE-2024-43461" to make the file appear to be a PDF to the victim, he says.

Girnus says ZDI was aware that the attackers were exploiting CVE-2024-43461 but assumed the patch for CVE-2024-38112 fixed the issue. "We however reversed this patch to realize that the spoofing vulnerability was not fixed. We promptly alerted Microsoft," he says.

In its July report on Void Banshee exploiting CVE-2024-38112, Trend Micro said the flaw is a prime example of how organizations can get tripped up by "unsupported Windows relics" such as MSHTML, and end up having attackers drop ransomware, backdoors, and other malware on their systems. The attack surface is significant, too: A study that Sevco conducted of 500,000 Windows 10 and Windows 11 systems in the immediate aftermath of Microsoft's disclosure of CVE-2024-38112 showed that more than 10% are missing any kind of endpoint protection control and nearly 9% are missing controls for patch management, leaving them completely blind to threats.

“Environmental vulnerabilities such as missing endpoint security or patch management controls on devices combined with CVE vulnerabilities compound the risk that companies will leave paths to data exposed and allow malicious actors to exploit vulnerabilities like \[CVE-2024-43461\]," says Greg Fitzgerald, co-founder of Sevco. "It's critical for enterprises to take the first step of patching this vulnerability, but it can't stop there."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Void Banshee' Exploits Second Microsoft Zero-Day

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.
"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows

Enterprise Security / Threat Intelligence

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild.

The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances.

"An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution," Ivanti noted in an advisory released earlier this week. "The attacker must have admin level privileges to exploit this vulnerability."

The flaw impacts Ivanti CSA 4.6, which has currently reached end-of-life status, requiring that customers upgrade to a supported version going forward. That said, it has been addressed in CSA 4.6 Patch 519.

"With the end-of-life status this is the last fix that Ivanti will backport for this version," the Utah-based IT software company added. "Customers must upgrade to Ivanti CSA 5.0 for continued support."

"CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action."

On Friday, Ivanti updated its advisory to note that it observed confirmed exploitation of the flaw in the wild targeting a "limited number of customers."

It did not reveal additional specifics related to the attacks or the identity of the threat actors weaponizing it, however, a number of other vulnerabilities in Ivanti products have been exploited as a zero-day by China-nexus cyberespionage groups.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 4, 2024.

The disclosure also comes as cybersecurity company Horizon3.ai posted a detailed technical analysis of a critical deserialization vulnerability (CVE-2024-29847, CVSS score: 10.0) impacting Endpoint Manager (EPM) that results in remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint…

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online.

A hacker using the alias “Fortibitch” has claimed responsibility for leaking 440 GB of data belonging to Fortinet, a prominent cybersecurity firm based in Sunnyvale, California. The hacker stated that the stolen data is now accessible for download via an Amazon S3 bucket, with details of the breach and access credentials shared on the popular underground forum, Breach Forum.

**The Breach: Fortileak**

Dubbed _Fortileak_ by the hacker, the breach allegedly originates from an exposure in Fortinet’s Azure SharePoint instance. In the forum post, the hacker pointed out recent acquisitions by Fortinet, including the Data Loss Prevention (DLP) firm Next DLP and the cloud security company Lacework. They then claimed that Fortinet’s Azure SharePoint had been compromised, allowing for the extraction of the substantial data cache.

The full scope of the compromised data remains unclear, though the hacker emphasized that the breach involves Fortinet’s cloud infrastructure. The hacker provided the following credentials for accessing the alleged stolen data:

Screenshot: Hackread.com

**Ransom Demands and Negotiation Breakdown**

In a further twist, the hacker claimed that Fortinet’s CEO, Ken Xie, walked away from ransom negotiations. In the forum post, the hacker ridiculed Xie, alleging that the CEO refused to engage, stating that he “would rather eat some p\*\*p than pay ransom.” The hacker also questioned why Fortinet had not filed an SEC 8-K form (PDF)—a document required by public companies to disclose major incidents.

The post also contained a mix of taunts and shout-outs to other individuals or groups, which seemed to further underline the hacker’s brash attitude toward the attack and its aftermath.

**Fortinet’s Response**

Hackread.com reached out to Fortinet for an official comment on the breach. A spokesperson for the company confirmed that an unauthorized individual had gained access to a limited number of files stored on a third-party cloud-based shared file drive. These files included data related to a “small” subset of Fortinet customers.

In their statement to Hackread.com, Fortinet reassured stakeholders that there has been no indication of any malicious activity affecting its customers. They emphasized that the company’s operations, products, and services have not been impacted by the breach. Fortinet stated that they have already communicated directly with the affected customers and are continuing to monitor the situation closely.

> _“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers, and we have communicated directly with customers as appropriate. To-date there is no indication that this incident has resulted in malicious activity affecting any customers. Fortinet’s operations, products, and services have not been impacted.”_
> 
> Fortinet Spokesperson

This is not the first time Fortinet has faced a cybersecurity incident. Last year, Chinese hackers were reported to be exploiting a zero-day vulnerability in the company’s products. In another instance, hackers were found exploiting a vulnerability in FortiOS, the operating system for Fortinet’s security appliances, to compromise organizations and customers.

Nevertheless, for now, the full extent of the breach remains under investigation, and it is unclear whether the alleged stolen data will be used maliciously or if the ransom negotiations will have any further developments. As more information emerges, both customers and cybersecurity professionals will be watching closely to assess the impact of this incident.

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
3.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
4.  **Cybersecurity Firm Hacks Itself, Finds AWS Credentials Leak**
5.  **Hackers dump plain-text login credentials of Fortinet VPN users**

Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America.

Thursday, September 12, 2024 14:00

I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.  

That’s because the White House announced a new initiative last week for the U.S. government called the “Service for America” initiative designed to train new workers in the cybersecurity field. This measure directs U.S. federal agencies to help recruit and prepare Americans for jobs in cybersecurity and AI by removing certain degree requirements and emphasizing skills-based hiring. This means, hopefully, more educational resources for people looking to break into cybersecurity. 

On its face, I’m all in favor of this. I did eventually go back to school to get my associate's degree in cybersecurity, but much of what I’ve learned about this field has been from working at Talos and spending time around my talented and intelligent colleagues, many of whom did not go to college for cybersecurity.  

The U.S. government also has separate initiatives to support neurodivergent candidates who want to work in security, as well as those who are blind and visually impaired. 

My concern is that, even if we do train these employees and give them the proper skills, it’s on companies to eventually hire them.  

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. Yet hiring in the industry has remained flat, according to a soon-to-be-released report from cybersecurity non-profit ISC2. This year, the global security workforce is estimated to be 5.5 million, which is only a 0.1 percent increase year over year, according to the report. 

Among the more than 15,000 cybersecurity practitioners from around the globe who responded to the study, 38 percent of respondents said their organizations had experienced a cybersecurity hiring freeze over the past year, up 8 percent from 2023. Thirty-seven percent of respondents reported budget cuts to the security program, and another 25 percent said their teams had experienced layoffs.  

That same CyberSeek report also found that, in the U.S., the amount of cybersecurity-related job postings decreased by 29 percent year-over-year. 

So as these skills gap-closing programs begin, we need to be thinking about what skills, exactly, managers want their workers to be trained in. There is obviously some sort of disconnect here between the people who want to work in security compared to the companies or managers who want to hire them. Or there just simply isn’t enough money to go around right now to handle staffing up cybersecurity teams, and that’s just the reality of the current economy in the U.S. and globally.  

I’m not saying this to discourage anyone from entering the security space or spread doom and gloom. But I do think it’s important to acknowledge that there are many already skilled and trained workers who simply cannot find work or are treading water throwing dozens of applications at the wall to see what sticks. 

I’ve seen too many people posting on LinkedIn recently looking for a cybersecurity job to think that the solution to bolstering security is getting \*another\* worker in with the same skillset to compete for the same job opening as someone who’s been in the industry for 10 years. 

**The one big thing **

Talos recently uncovered a new threat called “DragonRank” that primarily targets countries in Asia — and a few in Europe — operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion. 

**Why do I care? **

This group compromises Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users. DragonRank engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company's online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. The actor then takes these compromised websites and promotes them, effectively turning these sites into platforms for scam operations. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malware used in these attacks. Talos has confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign, so it’s clearly still active and potentially growing. 

**Top security headlines of the week **

**A new type of attack called “RAMBO” could allow adversaries to steal data over air-gapped networks with RAM radio signals.** An Israeli academic researcher recently announced the discovery of RAMBO (Radiation of Air-gapped Memory Bus for Offense), in which an attacker could generate electromagnetic radiation from a device’s RAM to send data from air-gapped computers. Air-gapped systems are otherwise offline networks that are extremely isolated, often used in critical environments like government agencies, weapons systems and nuclear power stations. While RAMBO does not pose a threat for any hacker with access to the internet, it could open the door for insider threats with access to the network to deploy malware through physical media like USB drives or supply chain attacks. RAMBO could allow attackers to seal encoded files, encryption keys, images, keystrokes and biometric information from these systems at a rate of 1,000 bits per second. Researchers conducted tests into these types of attacks over distances of up to 23 feet. A technical paper published on the topic includes several potential mitigations, including RAM jamming, external EM jamming and Faraday enclosures around potentially targeted systems. (Bleeping Computer, SecurityWeek) 

**Commercial spyware makers are still finding ways to bypass government sanctions and, in some cases, have made their tools harder to detect.** A new report from the Atlantic Council found that “Most available evidence suggests that spyware sales are a present reality and likely to continue.” The report specifically highlights increased activity from Intellexa and the NSO Group, two companies known for creating and selling spyware tools that have been targeted over the past few years by international sanctions. These companies, and specifically Intellexa, have found ways to work around sanctions by restructuring their businesses with subsidiaries, partners and other relationships spread across multiple geographic areas. Intellexa is known for creating the Predator spyware, while the NSO Group is infamous for the Pegasus spyware. Both pieces of software often target high-risk individuals, sometimes by governments, such as journalists, politicians and activists. Security researchers also recently found that Intellexa has established new infrastructure in the Democratic Republic of the Congo and Angola, making “it more difficult for researchers and cybersecurity defenders to track the spread of Predator.” (Dark Reading, The Register) 

**Several Western intelligence agencies have formally charged the Russian GRU for carrying out cyber attacks against Ukraine designed to disrupt aid efforts.** Government agencies in the U.S., U.K. and several other countries blamed Unit 29155, which has been linked to past espionage campaigns, with targeting government and civilian agencies and civil society organizations in Western Europe, the EU and NATO after Russia invaded Ukraine in 2022. Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration. They also formally blamed Unit 29155 for the WhisperGate campaign, a coordinated attack on Ukrainian government agencies in January 2022 that seemed to set the stage for a physical ground invasion. The announcement stated that WhisperGate has since been used to “scout and disrupt” aid deliveries to Ukraine. When Talos first reported on WhisperGate in 2022, our researchers stated that “attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.” (Reuters, BBC) 

**Can’t get enough Talos? **

*   The 2024 Threat Landscape State of Play 
*   Vulnerability in Tencent WeChat custom browser could lead to remote code execution 
*   Watch our new documentary, "The Light We Keep: A Project PowerUp Story" 
*   Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API 
*   Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos  

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd

Tag

#zero_day