Red Hat Security Advisory 2024-5041-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5041.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-urllib3 security updateAdvisory ID:        RHSA-2024:5041-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5041Issue date:         2024-08-06Revision:           03CVE Names:          CVE-2024-37891====================================================================Summary: An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37891References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788

Red Hat Security Advisory 2024-5041-03

E-Commerce Site using PHP PDO version 1.0 suffers from a directory traversal vulnerability.

    =============================================================================================================================================| # Title     : E-Commerce Site using PHP PDO v1.0 Directory traversal Vulnerability                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/12287/e-commerce-site-using-php-pdo.html                                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /bower_components/bootstrap/dist/css/../../Gemfile[+] https://www/127.0.0.1/demo/site/loginGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

E-Commerce Site Using PHP PDO 1.0 Directory Traversal

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

Posted Aug 7, 2024

Authored by indoushka

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 8c38f4e680e6513d62d4303a51a4d7e3eaa5a7bb80e3e87ce8e510bba268a0b9

Download | Favorite | View

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Covid-19 Directory on Vaccination System v1.0 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,289)
*   Arbitrary (16,852)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,792)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,386)
*   DoS (25,050)
*   Encryption (2,389)
*   Exploit (53,137)
*   File Inclusion (4,259)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,889)
*   Intrusion Detection (915)
*   Java (3,143)
*   JavaScript (896)
*   Kernel (7,191)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,167)
*   Perl (1,435)
*   PHP (5,222)
*   Proof of Concept (2,382)
*   Protocol (3,724)
*   Python (1,635)
*   Remote (31,646)
*   Root (3,635)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,605)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,941)
*   Web (9,960)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,090)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,547)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,646)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,459)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,729)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,670)
*   Other

Covid-19 Directory On Vaccination System 1.0 Insecure Settings

Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive.
"Initially, it exploits a timing side-channel of the allocator to perform a cross-cache attack reliably," a group of academics from the Graz University of Technology said [PDF]. "

Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive.

"Initially, it exploits a timing side-channel of the allocator to perform a cross-cache attack reliably," a group of academics from the Graz University of Technology said \[PDF\]. "Concretely, exploiting the side-channel leakage pushes the success rate to above 99% for frequently used generic caches."

Memory safety vulnerabilities impacting the Linux kernel have limited capabilities and are a lot more challenging to exploit owing to security features like Supervisor Mode Access Prevention (SMAP), Kernel address space layout randomization (KASLR), and kernel control flow integrity (kCFI).

While software cross-cache attacks have been devised as a way to counter kernel hardening strategies like coarse-grained heap separation, studies have shown that existing methods only have a success rate of only 40%.

SLUBStick has been demonstrated on versions 5.19 and 6.2 of the Linux kernel using nine security flaws (e.g., double free, use-after-free, and out-of-bounds write) discovered between 2021 and 2023, leading to privilege escalation to root with no authentication and container escapes.

The core idea behind the approach is to offer the ability to modify kernel data and obtain an arbitrary memory read-and- write primitive in a manner that reliably surmounts existing defences like KASLR.

However for this to work, the threat model assumes the presence of a heap vulnerability in the Linux kernel and that an unprivileged user has code execution capabilities.

"SLUBStick exploits more recent systems, including v5.19 and v6.2, for a wide variety of heap vulnerabilities," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Linux Kernel Exploit Technique 'SLUBStick' Discovered by Researchers

You're only as strong as your weakest security link.

Source: Elena Uve via Alamy Stock Photo

COMMENTARY

Most companies are sitting ducks regarding API security. During my two decades in infosec, I've never seen a threat landscape evolve as rapidly and dangerously as the one surrounding APIs. And here's the kicker: Most organizations are blissfully unaware of the ticking time bomb in their digital infrastructure.

Remember the Optus breach that exposed 9.8 million customer records last year? That was just the tip of the iceberg. APIs are the new favorite target for hackers, and for good reason. They're everywhere, often poorly secured, and packed with juicy data.

Don't believe me? Let's look at some numbers. A recent security audit for a midsize fintech client uncovered a staggering 5,743 distinct APIs in active use. Five years ago, that number was 486. This isn't an anomaly — it's the new normal.

But here's where it gets scary: Most companies have yet to learn how many APIs they run. It's like leaving your house with every window and door wide open and then wondering why you got robbed.

Take the recent Twilio debacle. A single unsecured API endpoint exposed 33 million phone numbers associated with Authy accounts, according to Trend Micro. The attackers didn't need sophisticated tools or insider knowledge. They fed a list of phone numbers into an API and watched the data pour out. It was that easy.

Or consider the 2021 Peloton fiasco. A faulty API allowed anyone to access users' private account data without authentication. Age, gender, and location were all up for grabs.

These aren't isolated incidents. They're symptoms of a systemic problem in our approach to API security. We're building digital skyscrapers on foundations of sand and then acting surprised when they come crashing down.

So, what can you do about it? Here are some practical steps:

1.  Get your house in order. Start cataloging every API in your ecosystem. You can't secure what you don't know exists. You can use automated discovery tools if you have to, but you can get a complete inventory.
    
2.  Adopt a zero-trust approach. Treat every API call as potentially malicious, regardless of origin. Implement strong authentication and authorization for every endpoint. No exceptions.
    
3.  Rate limit everything. Don't let attackers flood your APIs with requests. Set sensible limits and enforce them rigorously.
    
4.  Versioning is your friend. Implement a robust versioning system for your APIs. When vulnerabilities are discovered (and they will be), you need to be able to deprecate and disable old versions quickly.
    
5.  Educate your developers. Most API vulnerabilities stem from developers' lack of security awareness. Invest in regular training sessions focused explicitly on API security best practices.
    
6.  Monitor aggressively. Implement advanced monitoring and behavioral analysis tools. Be sure to look for anomalies in API traffic patterns. The sooner you can detect unusual activity, the better your chance of preventing a breach.
    
7.  Regular penetration testing. Don't wait for hackers to find your vulnerabilities. Conduct regular, API-focused penetration tests and fix the issues they uncover.
    

Here's the hard truth: If you're doing only some of these things, you're probably next on the hit list. The attackers are getting more innovative, more resourceful, and more persistent. They're probing your defenses right now, looking for that one weak API that will give them the keys to your kingdom.

The subsequent major breach isn't a matter of if, but when. And when it happens, the question won't be, "How did this happen?" We know how it will happen. The question will be, "Why didn't we do more to prevent it?"

It's time to wake up to the API security crisis and stop treating API security as an afterthought or a nice-to-have. With board-level visibility and dedicated resources, it must be at the forefront of your security strategy.

Because if you don't take API security seriously now, you'll be forced to take it seriously after a breach. And by then, it'll be too late.

The choice is yours. Act now — or explain to your customers later why you didn't.

**Additional Considerations**

As we delve deeper into the API security crisis, it's crucial to understand that this is not just a technical problem, it's a business problem. The repercussions of a major API breach can be devastating, affecting everything from your company's bottom line to its reputation in the market.

Consider the following:

1.  Regulatory compliance. With regulations like GDPR, CCPA, and others becoming increasingly stringent, API security is no longer just about protecting data — it's about avoiding hefty fines and legal troubles. A breach could cost your company millions in penalties and long-term damage to your brand.
    
2.  Third-party risk. Your API ecosystem likely extends beyond your organization. Third-party integrations and partnerships can be a significant vulnerability if not properly managed.
    
3.  Evolving attack vectors. Attackers are constantly innovating. From API poisoning to GraphQL abuse, new attack vectors are emerging faster than many organizations can keep up. 
    
4.  Continuous monitoring and improvement. The API security landscape is not static. What's secure today might be vulnerable tomorrow. Please make sure your API security posture evolves with the threat landscape.
    

Remember, you're only as strong as your weakest link in API security. It's time to fortify every aspect of your API ecosystem before it's too late. Your business's future may very well depend on it.

**About the Author**

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

The API Security Crisis: Why Your Company Could Be Next

Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances.
"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's

Email Security / Vulnerability

Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances.

"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.

"Attackers can abuse the vulnerability to steal emails, contacts, and the victim's email password as well as send emails from the victim's account."

Following responsible disclosure on June 18, 2024, the three vulnerabilities have been addressed in Roundcube versions 1.6.8 and 1.5.8 released on August 4, 2024.

The list of vulnerabilities is as follows -

*   **CVE-2024-42008** - A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header
*   **CVE-2024-42009** - A cross-site scripting flaw that arises from post-processing of sanitized HTML content
*   **CVE-2024-42010** - An information disclosure flaw that stems from insufficient CSS filtering

Successful exploitation of the aforementioned flaws could allow unauthenticated attackers to steal emails and contacts, as well as send emails from a victim's account, but after viewing a specially crafted email in Roundcube.

"Attackers can gain a persistent foothold in the victim's browser across restarts, allowing them to exfiltrate emails continuously or steal the victim's password the next time it is entered," security researcher Oskar Zeino-Mahmalat said.

"For a successful attack, no user interaction beyond viewing the attacker's email is required to exploit the critical XSS vulnerability (CVE-2024-42009). For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user."

Additional technical details about the issues have been withheld to give time for users to update to the latest version, and in light of the fact that flaws in the webmail software have been repeatedly exploited by nation-state actors like APT28, Winter Vivern, and TAG-70.

The findings come as details have emerged about a maximum-severity local privilege escalation flaw in the RaspAP open-source project (CVE-2024-41637, CVSS score: 10.0) that allows an attacker to elevate to root and execute several critical commands. The vulnerability has been addressed in version 3.1.5.

"The www-data user has write access to the restapi.service file and also possesses sudo privileges to execute several critical commands without a password," a security researcher who goes by the online alias 0xZon1 said. "This combination of permissions allows an attacker to modify the service to execute arbitrary code with root privileges, escalating their access from www-data to root."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords

PRESS RELEASE

AUSTIN, Texas--(BUSINESS WIRE)-- Votiro, innovator in Zero Trust Data Detection and Response (DDR) and trusted to deliver safe and compliant content to industry leaders across the globe, announces an expansion of privacy toolsets and integrations within its DDR platform. New features include the ability to mask privacy data within documents in real-time, continuous monitoring and reporting on where unstructured data travels throughout an organization, alerts around potential compliance violations, and expanded integrations with key technology partners.

“Despite a growing data security market, data breaches are still running rampant, leading to more stringent data protection and privacy regulations,” said Darin Sanders, CRO at Novacoast. “Compliance has again become a major focus across many industries, and both Novacoast and Votiro are dedicated to helping these organizations not only quickly achieve a compliant posture but stay that way. Votiro’s Zero Trust DDR platform is the answer for teams looking for visibility, reporting, control, and masking.”

With enhanced data privacy functionality, Votiro’s Zero Trust DDR is now well positioned to address both facets of data security in a unified platform – data privacy risks and malware threats. Key new features and integrations include:

1.  Data masking and de-masking: Personally identifiable information (PII) or sensitive enterprise data is masked (obfuscated) while in-transit to satisfy various regional and international data regulations and privacy requirements. Users can also de-mask data based on established enterprise policy controls.
    
2.  Enhanced privacy and threat analytics dashboard: New analytics provided include, but are not limited to, commonly targeted channels and entry points, user behavior, the types of data being ingested and shared throughout the organization, and real-time logging of the files/data detected and masked/sanitized by Votiro.
    
3.  Expanded integration within the Microsoft ecosystem: Real-time data detection and response can be applied throughout the organization. In addition to Microsoft Office 365, Votiro now supports Microsoft Teams, SharePoint, and OneDrive to ensure seamless and safe collaboration for MS users and third-party contributors.
    
4.  Monitoring and masking static environments: If threat actors gain access to secure environments, sensitive data housed within these channels is already anonymized based on permissions and made useless to unauthorized parties looking to exfiltrate PII.
    

“We launched the industry’s first unified content security platform earlier this year to safeguard organizational data against privacy risks and malware threats and simplify compliance efforts. Since the initial launch, our team has been building new innovations within the Zero Trust DDR platform to further support this mission,” said Ravi Srinivasan, CEO at Votiro. “The newly available functionalities are plugging the gaps in many endpoint and reactive-only solutions, providing our customers with a one-stop-shop for preventative, data-centric security.”

Votiro is poised to grow internationally with notable new partnerships including Novacoast, an international cybersecurity company providing IT services and software development, and CyberKis, a full-service cybersecurity company in Israel. Votiro also serves governments worldwide, including government agencies and organizations in Japan with Asgent, where Votiro holds the dominant market position in terms of sales revenue for the last seven consecutive years.

Headed to BlackHat? Votiro will be there! Book time with Ravi Srinivasan if you want to chat more about the evolution of the data security market, Votiro’s Zero Trust DDR, or partnership opportunities.

To book a demo, start a free 30-day trial, or learn more about Votiro’s commitment to preventing privacy risks and malware threats, visit www.votiro.com.

About Votiro

Votiro's Zero Trust Data Detection & Response platform allows data to flow freely and safely. Our unified data security solution provides organizations around the globe with real-time privacy masking, data compliance, proactive file-borne threat prevention, and actionable data insights. The seamless, open-API proactively prevents risks to private data in-motion by detecting and masking information while disarming known and unknown cyber threats before they reach user endpoints.

Votiro is headquartered in Austin, TX, with offices in Australia, Israel, and Singapore. Votiro is SOC 2 Type II compliant. Learn more at www.votiro.com.

Votiro Unveils New Data Privacy Features and Integrations

Apple on Tuesday announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections.
Gatekeeper is a crucial line of defense built into macOS designed to ensure that only trusted apps run on the operating system. When an app is downloaded from outside of the App Store and opened for the first time, it verifies that the

Malware / Software Security

Apple on Tuesday announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections.

Gatekeeper is a crucial line of defense built into macOS designed to ensure that only trusted apps run on the operating system. When an app is downloaded from outside of the App Store and opened for the first time, it verifies that the software is from an identified developer.

It also runs checks to ensure that the app is notarized and has not been tampered with to install malware on macOS systems. Furthermore, it requires user approval before allowing any such third-party app to be run.

It's this user approval mechanism that Apple has now tightened further with macOS Sequoia, the next iteration of the Mac operating system that's expected to be released next month.

"In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or notarized," Apple said.

"They'll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run."

The move is seen as a way to counter stealer malware and backdoors targeting macOS that are often unsigned and trick users into bypassing Gatekeeper protections.

In July 2023, North Korean threat actors were observed propagating an unsigned disk image (DMG) file that impersonated a legitimate video call service named MiroTalk and unleashed its malicious behavior after a victim control-clicks and selects "Open" and ignores the security warning from Apple.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple’s New macOS Sequoia Tightens Gatekeeper Controls to Block Unauthorized Software

While still under development, the malware contains Turkish-language filenames, can record the screen and keystrokes, and inject custom overlays to steal passwords and sensitive data.

Source: Muhammad Toqeer via Shutterstock

A threat intelligence firm discovered samples of a malicious Android program that appears to target Turkish-language speakers. The program can take screen grabs, capture keystrokes, and create custom overlays — also known as Web injections — that can fool users into entering sensitive information.

The Trojan, dubbed BlankBot, appears to be under active development — judging from a significant number of code variants and log files — and remains largely undetected by the anti-malware scanners hosted on VirusTotal, cyberthreat-intelligence firm Intel 471 stated in its report published on Aug. 1. The developers of the Trojan use openly available libraries for mimicking account pages and producing other overlays and showed other signs of cybercriminal sophistication, Intel 471's analysts, who asked not to be named, said in an email interview.

"The developers appear to be experienced Android application developers, and they also demonstrate an understanding of the ATO \[account takeover\] business," they said. "These libraries allow the malware operators to imitate real financial applications more closely and create a seamless, authentic-looking phishing page, making it more likely that a user will follow all the steps and give up their sensitive information."

At this point, the motive for the group's targeting of Turkey is unclear, the company said. In recent years, Turkey has become a target for cyberattackers, especially nation-state espionage groups. India's SideWinder group has targeted individuals in Turkey — in addition to the group's typical targets of regional rivals, such as Pakistan — while China's APT41 has targeted global shipping, technology, and automotive industries, including those in Turkey.

Meanwhile, the country has been developing its own cyber capabilities. A Turkey-linked group has targeted Kurdish opposition groups throughout Europe, the Middle East, and North Africa, while another cybercriminal group in Turkey is targeting corporate databases in the United States, Europe, and Latin America with ransomware.

**Malware Under Development**

The malicious application appears to be under development but already has a host of features. Like other Android malware, BlankBot requests permission and then uses Android's accessibility features to take control of the device. Once in control, the malware can record the screen via the MediaProjection API, with the recording saved as JPEG images, which are then sent to a remote server.

In a relatively rare technique, the malware also creates its own keyboard for input, so the application can more easily capture user keystroke input. BlankBot also uses two open source libraries, CompactCreditInput and Pattern Locker View, to create screens that mimic the data entry pages for various sensitive credentials, such as usernames, passwords, PIN combinations, and credit card information, Intel 471 stated in its advisory.

Finally, using the accessibility services, the company said that the malware can control certain features by spoofing finger swipes.

"Threat actors are able to perform on-device fraud (ODF) by waking up and controlling the device remotely with different types of supported gestures, such as clicks or swipes," the advisory stated. "Additionally, BlankBot is capable of creating overlays, as described in the previous section, as well as collecting contacts, SMS text and a list of installed applications."

**Focused on Cybercrime**

The malware's lineage is still a question mark. While Turkey-linked groups have not shied away from sophisticated attacks against the country's rivals, Intel 471's analysts say the malware seems more likely targeted at financial gain through cybercrime.

"We're fairly certain that this malware was not written for espionage because it has all of the features required for account takeover for financial gain, such as overlays for popular financial applications," the analysts said in an email interview. "Some of those features have limited use for espionage purposes but would make the malware more likely to be detected by anti-malware products."

However, the malware has anti-analysis capabilities, such as obfuscated code and a feature for detecting if it runs in an emulator.

Finally, while Turkish language strings do appear in the code, the malware could easily be localized to target other users and mimic other institutions, Intel 471 stated in its advisory.

"\[N\]o specific financial institutions were identified as targets during our analysis, therefore, this malware could be distributed in campaigns against users in different countries," the advisory stated.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

BlankBot Trojan Targets Turkish Android Users

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

Source: ozrimoz via Shutterstock

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.

A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.

**Multiple Available Techniques**

The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. "Reputation-based protection systems are a powerful layer for blocking commodity malware," Elastic Security researcher Joe Desimone wrote in a report this week. "However, like any protection technique, they have weaknesses that can be bypassed with some care."

For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.

SmartScreen is a feature that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the Mark of the Web (MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted. Smart App Control became available with Windows 11. It uses Microsoft's threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an app's trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.

The researchers at Elastic Security discovered that attackers have multiple ways around these protections.

**LNK Stomping Around MoTW**

One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic "LNK Stomping."

Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. "Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability," Desimone wrote. "With FFI, attackers can easily load and execute arbitrary code and malware in memory."

Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. "Smart App Control appears vulnerable to seeding," Desimone said in his report. "After executing a sample on one machine, it received a good label after approximately 2 hours."

The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#auth