RIOT versions 2024.01 and below suffers from multiple buffer overflows, ineffective size checks, and out-of-bounds memory access vulnerabilities.

RIOT 2024.01 Buffer Overflows / Lack Of Size Checks / Out-Of-Bound Access

Gentoo Linux Security Advisory 202405-14 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.13_p20240322 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #927746  
       ID: 202405-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.13_p20240322  >= 5.15.13_p20240322

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.13_p20240322"

References  
=========  
[ 1 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 2 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 3 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 4 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 5 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 6 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 7 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 8 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 9 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 10 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 11 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 12 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 13 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 14 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077  
[ 15 ] CVE-2024-1283  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1283  
[ 16 ] CVE-2024-1284  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1284

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-14

Live2D Cubism suffers from a heap corruption vulnerability.

    Live2D Cubism is the dominant "vtuber" software suite for 2D avatars for use in livestreaming and integrating them in other software.They publish various SDKs and a frameworks for integrating their libraries with your own program. You're supposed to use those to deserialize and render/animate the models created with their main software - often untrusted files from random people on the internet.While their main java-based programs and their web toolkit seem to have at least minimal sanity checks for input, the same is not true for their "native" (C/C++) framework.This is trivially, unintentionally and repeatedly triggered by people just testing it with janky rips available broadly on the internet, such as this model of a Discord moderator: https://github.com/Eikanya/Live2d-model/tree/master/%E4%B8%BA%E7%BE%8E%E5%A5%BD%E7%9A%84%E4%B8%96%E7%95%8C%E7%8C%AE%E4%B8%8A%E7%A5%9D%E7%A6%8F%EF%BC%81Fantastic%20Days/1399100Those models have nonsense numbers of total segments and points for the animation curves because the Unity live2d asset ripper which was used to generate them calculates the totals wrong. The framework happily trusts the totals and lets you squirt as many bytes (or, more accurately, floating point numbers) as there is contiguous memory allocated. If you hit the upper bound you will segfault, otherwise your allocator will probably panic only on the next free() or allocation.e.g. https://github.com/MizunagiKB/gd_cubism/issues/52TLDR: They don't validate that the total numbers of points and segments in animations actually match the total numbers in the corresponding arrays in serialized models. I sent them a patch to recalculate those numbers and ignore the totals, as it's really annoying to have to validate every model manually with an external python script, but they refuse to apply it because the data wasn't generated by their official program and they think this is a customer support issue ?This leaves gaping wide open a heap corruption issue that I don't have the skill or time to actually exploit in any interesting way, but I'm just going to leave this here because fuck those guys. They also like to send their deranged fanboys after anyone reporting on their incompetence and negligence, because if you're not willing to spend thankless weeks/months trying to get RCE then your bug isn't really el8 enough: https://github.com/UlyssesWu/D2Evil/issues/6#issuecomment-1685596304PT

Live2D Cubism Heap Corruption

By Uzair Amir
Is your coding class engaging and effective? Learn what makes the best online coding classes for kids fun, effective, and future-proof!
This is a post from HackRead.com Read the original post: A Checklist for What Every Online Coding Class for Kids Needs

Parents everywhere are eager to sign up their kids for online coding classes to ensure they’re ready for life and the workforce of the future. Nobody can say with 100% accuracy what the future will hold, but surely, in our digital society, it will be high-tech!

How can parents know which online coding classes are better than others? Here’s a checklist that outlines what the best coding classes offer.

****1\. Fun and Video Games Above All****

Parents want their kids to learn to code online, but having fun after school is even more important. The best coding programs embed games into their classes by teaching kids how to design and program their own video games, ones they can play afterwards with friends and family.

Parents and teachers won’t have to push kids very hard to learn when the goal is something they’re so hungry to achieve. Gamification dynamics make learning as addictive and engaging as playing video games.

****2\. Small Classes****

Some coding programs claim to teach STEM skills and everything kids will need to know in the future, but they’re overly packed with students, making for a distractive environment where learning is difficult. Students shouldn’t have to deal with busy teachers who are more concerned with classroom management than teaching.

The best coding courses limit sessions to four students per class, so every child gets their teacher’s full attention.

****3\. Leading Coding Languages****

Avoid the coding classes that rely too heavily on programs like Scratch, which is more of a drag-and-drop program designed to give kids a sense of what coding is like rather than a proper coding language employers look for in prospective employees. Nobody uses Scratch in the field to make video games, apps, or websites.

Instead, look for a program that teaches kids the popular, in-demand coding languages, such as:

*   C#
*   C++
*   Java
*   Python
*   JavaScript

The classes should be engaging for young students who are brand new to coding but never overwhelming. As students develop and hone their skills within each language, they progress to the next until they develop confidence and expertise in that language, too.

****4\. Expert Teachers****

Finally, the leading coding courses hire computer science and computer engineering students who also grew up playing video games to pass on their knowledge to the next generation. Such an approach has multiple benefits.

Kids should learn how to code games from teachers who also played computer games growing up and have the expertise and domain knowledge. Practically speaking, high school students have the perfect resources to speak to about the coding jobs available and where else programming can take them after school when their teachers are also navigating the same situation.

Every computer-related program for kids promises to give a strong foundation in STEM skills, but they’re not all the same in quality. Before signing up your child for an after-school coding course, you should know how to recognize a red flag or the signs of a great coding program when you see them.

1.  1 in 5 Youth Engage in Cybercrime, NCA Finds
2.  Kids breach and bypass Linux Mint screensaver lock
3.  9 risky apps you must monitor on your kids’ smartphone

A Checklist for What Every Online Coding Class for Kids Needs

Ubuntu Security Notice 6760-1 - George-Andrei Iosif and David Fernandez Gonzalez discovered that Gerbv did not properly initialize a data structure when parsing certain nested RS-274X format files. If a user were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

==========================================================================  
Ubuntu Security Notice USN-6760-1  
April 30, 2024

gerbv vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 23.10  
- - Ubuntu 22.04 LTS  
- - Ubuntu 20.04 LTS  
- - Ubuntu 18.04 LTS  
- - Ubuntu 16.04 LTS  
- - Ubuntu 14.04 LTS

Summary:

Gerbv could be made to crash if it opened a specially crafted input file.

Software Description:  
- - gerbv: Gerber file viewer for PCB design

Details:

George-Andrei Iosif and David Fernandez Gonzalez discovered that Gerbv did  
not properly initialize a data structure when parsing certain nested  
RS-274X format files. If a user were tricked into opening a specially  
crafted file, an attacker could possibly use this issue to cause a denial  
of service (application crash).

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10  
  gerbv                           2.9.8-1ubuntu0.1

Ubuntu 22.04 LTS  
  gerbv                           2.8.2-1ubuntu0.1~esm2  
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS  
  gerbv                           2.7.0-1ubuntu0.2

Ubuntu 18.04 LTS  
  gerbv                           2.6.1-3ubuntu0.1~esm2  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  gerbv                           2.6.0-1ubuntu0.16.04.1~esm2  
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS  
  gerbv                           2.6.0-1ubuntu0.14.04.1~esm2  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6760-1  
  CVE-2023-4508

Package Information:  
  https://launchpad.net/ubuntu/+source/gerbv/2.9.8-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/gerbv/2.7.0-1ubuntu0.2

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmYxdyoACgkQ3gXQmO/T  
r3yNiQ/+KvuxjndpQCm6GeS+17sRUl3W93JhcMAbai01bJN+5OttDZyqm0pP8d7t  
i9ZYyPBV4buYjfKcx2X4yHXRjaer1vctmyy9zxA7hcJd5yTaXU2xH8ks0Ei4rFbg  
DM1rl3470ifaGH4/NTnM2iberSrgG8fbeGGDb3IUpWIQpMZp13PlIQp5dG++4hI1  
CY9d5jdbp/FEH4sVdCozJmDBoZ/tdd7vn3HGXH1Y3i7Pw3RcOUNeNvBALIx81TnS  
JkuFl6ttT194rptxm2151ZFWPNS609kusUd0lUTDWdgQm9Macw7F4RtRLqVGdnHJ  
SZMWbrjKRq/VS0oItBPnEcUGkQ88kEH7tMPfnYB8f9L17B6jMiEI6NM4IgMt8fgM  
Al3Un5x6V/nrTo7jUum/zAS1Ru5iq1EoGK7d794iIH96d8VD9yDejQIZgL0mSsaP  
UxPNelvedu/pGjwd2AUo8Dm5G76J/Ah0zXZrkWkP8Ex6mLkOGLSR5zsj8Joj0ZRt  
5neI8EtWTzeSMTKA4qW9YyUgM4nqz0T2jPE9VsCzIThxZLp5WM3WtKPAwzi1ITNL  
oRwPcfulKUQfLdszRAJyVX5/zP821wlapS4O6ZsDBk6y3g30j8J95OmS+qpwWS3G  
jSssybjnxb7nt9qV3gK2jboEo0Mv/YEhI4tEsF1UaDjLSDtvKfA=  
=8lge  
-----END PGP SIGNATURE-----

Ubuntu Security Notice USN-6760-1

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

Thursday, April 25, 2024 08:00

Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter.  

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 29 percent of engagements. The high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter. Weaknesses involving multi-factor authentication (MFA) were observed within nearly half of engagements this quarter, with the top observed weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements.  

There was a slight decrease in ransomware this quarter, accounting for 17 percent of engagements. Talos IR responded to new variants of Phobos and Akira ransomware for the first time this quarter. 

Manufacturing was the most targeted vertical this quarter, closely followed by education, a continuation from Q4 2024 where manufacturing and education were also two of the most targeted verticals. There was a 20 percent increase in manufacturing engagements from the previous quarter. 

The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. This quarter, Talos IR observed a wide range of threat activity targeting manufacturing organizations including financially motivated attacks, such as BEC and ransomware, and some brute force activity targeting virtual private network (VPN) infrastructure. The use of compromised credentials on valid accounts was the top observed attack vector within attacks targeting the manufacturing sector this quarter, which represents a change from the previous quarter when the top attack vector observed in these types of engagements was exploiting vulnerabilities in public-facing applications.   

**Watch discussion on the report's biggest trends**

**Surge in BEC **

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. BEC attacks can have many motivations, often financially driven, aimed at tricking organizations into transferring funds or sensitive information to malicious actors.  

BEC offers adversaries the advantage of impersonating trusted contacts to facilitate internal spearphishing attacks that can bypass traditional external defenses and increase the likelihood of deception, widespread malware infections and data theft. 

In one engagement, adversaries performed a password-spraying attack and MFA exhaustion attacks against several employee accounts. There was a lack of proper MFA implementation across all the impacted accounts, leading to the adversaries gaining access to at least two accounts using single-factor authentication. The organization detected and disrupted the attack before adversaries could further their access or perform additional post-compromise activities.    

In another cluster of activity, several employees received spear-phishing emails that contained links that, when clicked, led to a redirection chain of web pages ultimately landing on a legitimate single sign-on (SSO) prompt that was pre-populated with each victim’s email address. The attack was unsuccessful because none of the employees interacted with the email, which was likely due to multiple red flags. For example, the email was unexpected and sent from an external email address, and there was small text within the email that referred to the email as a fax, which was all indicators of a phishing attempt. 

**Ransomware trends **

Ransomware accounted for 17 percent of engagements this quarter, an 11 percent decrease from the previous quarter. Talos IR observed new variants of Akira and Phobos ransomware for the first time this quarter. 

**Akira **

Talos IR responded to an Akira ransomware attack for the first time this quarter in an engagement where affiliates deployed the latest ESXi version, “Akira\_v2,” as well as a Windows-based variant of Akira named “Megazord.” These new Akira variants are written in the Rust programming language, which is a notable change from the previously used C++ and Crypto++ programming languages.  

Talos IR could not determine how initial access was gained, which is common because ransomware attacks often involve multi-stage attack strategies that add additional complexity during the investigation process. Once inside the network, the adversaries began collecting credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and the New Technology Directory Services Directory Information Tree (NTDS.dit) database, where Active Directory data is stored, and leveraged Remote Desktop Protocol (RDP) for lateral movement. Prior to encryption, Megazord ransomware began executing several commands to disable tools and impair defenses, including “net stop” and “taskkill.” Akira\_v2 appended the file extension “.akiranew” during encryption, while Megazord ransomware appended the file extension “.powerranges”.   

First discovered in early 2023, Akira operates as a ransomware-as-a-service (RaaS) model and employs a double extortion scheme that involves exfiltrating data before encryption. Akira affiliates are known to heavily target small- to medium-sized businesses within several verticals primarily located within the U.S. but have targeted organizations within the U.K., Canada, Iceland, Australia and South Korea. Akira affiliates are notorious for leveraging compromised credentials and exploiting vulnerabilities as a means of gaining initial access, such as the SQL injection vulnerability, tracked as CVE-2021-27876, affecting certain versions of Zoho ManageEngine ADSelfService Plus, and the vulnerability, tracked as CVE-2023-27532, affecting certain versions of Veeam’s Backup & Replication (VBS) software.    

**Phobos **

Talos IR has previously observed variants of Phobos ransomware, such as “Faust,” but this quarter, Talos IR responded to an engagement with the “BackMyData” variant of Phobos ransomware. The adversaries leveraged Mimikatz to dump credentials from Active Directory. The adversary also installed several tools in the NirSoft product suite designed to recover passwords, such as PasswordFox and ChromePass, for additional credential enumeration. 

The adversaries used PsExec to access the domain controller before setting a registry key to permit remote desktop connections. Shortly after, the adversaries also modified the firewall to allow remote desktop connections using the Windows scripting utility, netsh. The remote access tool AnyDesk was downloaded to enable remote access as a means of persistence in the environment. Talos IR assessed with high confidence that Windows Secure Copy (WinSCP) and Secure Shell (SSH) were likely used to exfiltrate staged data. Adversaries also relied on PsExec to execute commands, such as deleting volume shadow copies, as a precursor to deploying the ransomware executable. After encryption, the ransomware appended the file extension “.fastbackdata”.   

A notable finding was the persistent use of the “Users/\[username\]/Music” directory as a staging area for data exfiltration to host malicious scripts, tools and malware, a common technique used by numerous ransomware affiliates to evade detection and remain persistent in the environment. Talos IR also identified a digitally signed executable, “HRSword,” developed by Beijing Huorong Network Technology. It is a tool the affiliate used during the attack for potential secure file deletion and as a defensive measure to disable endpoint protection tools, which Phobos affiliates were previously using, according to public reporting.   

Phobos ransomware first emerged in late 2018 and shared many similarities with the Crysis and Dharma ransomware families. Unlike other ransomware families, there are many variants of Phobos ransomware, such as Eking, Eight, Elbie, Devos and Faust. There is little information known about the business model leveraged by the Phobos ransomware operation. In November 2023, Cisco Talos analyzed over a thousand samples of Phobos ransomware to learn more about the affiliate structure and activity, which revealed that Phobos may operate a RaaS model due to the hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base. Talos assessed with moderate confidence that the Phobos ransomware operation is actively managed by a central authority, as there is only one private key capable of decryption in all observed campaigns. 

**Other observed threats  **

Talos IR responded to an attack where adversaries were attempting to brute force several Cisco Adaptive Security Appliances (ASAs). Although the adversaries were unsuccessful in their attack, this activity is in line with the recently observed trend affecting VPN services. 

Cisco Talos has recently seen an increase in malicious activity targeting VPN services, web application authentication interfaces, and Secure Shell (SSH) globally. Since at least March 18, Cisco has observed scanning and brute force activity sourcing from The Onion Router (TOR) exit nodes and other anonymous tunnels and proxies. 

Depending on the target environment, a successful attack could result in unauthorized access to a target network, possibly leading to account lockouts and denial-of-service (DoS) conditions. The brute force attempts include a combination of generic usernames and valid usernames unique to specific organizations. The activity seems indiscriminate and has been observed across multiple industry verticals and geographic regions. 

**Initial vectors **

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, accounting for 29 percent of engagements, a continuation of a trend from the previous quarter when valid accounts were also a top attack vector. 

**Security weaknesses **

For the first time, users accepting unauthorized MFA push notifications was the top observed security weakness, accounting for 25 percent of engagements this quarter. The lack of proper MFA implementation closely followed, accounting for 21 percent of engagements, a 44 percent decrease from the previous quarter. 

Users must have a clear understanding of the appropriate business response protocols when their devices are overwhelmed with an excessive volume of push notifications. Talos IR recommends organizations educate their employees about the specific channels and points of contact for reporting these incidents. Prompt and accurate reporting enables security teams to quickly identify the nature of the issue and implement the necessary measures to address the situation effectively. Organizations should also consider implementing number-matching in MFA applications to provide an additional layer of security to prevent users from accepting malicious MFA push notifications. 

Talos IR recommends implementing MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. It also prevents lateral movement by requiring all administrative users to provide a second form of authentication. Organizations can set up alerting for single-factor authentication to quickly identify potential gaps. 

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples and the number of times seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include:  

*   Remote access software, such as SplashTop and AnyDesk, were used in 17 percent of engagements this quarter, a 20 percent decrease from the previous quarter.  
*   The use of email hiding rules was the top observed defense evasion technique, accounting for 21 percent of engagements this quarter.   
*   Scheduled tasks were leveraged by adversaries the most this quarter for persistence, accounting for 17 percent of engagements this quarter, a 33 percent increase from the previous quarter.  
*   The abuse of remote services, such as RDP, SSH, SMB and WinRM, more than doubled this quarter compared to the previous quarter, accounting for nearly 60 percent of engagements. 

Reconnaissance 

Example 

T1589.001 Gather Victim Identity Information: Credentials 

Adversaries may gather credentials that can be used during their attack.  

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack. 

Resource Development 

Example 

T1586.002 Compromise Accounts: Email Accounts 

Adversaries may compromise email accounts that can be used during their attack for malicious activities, such as internal spearphishing. 

T1583.001 Acquire Infrastructure: Domains 

Adversaries may acquire domains that can be used for malicious activities, such as hosting malware. 

T1608.001 Stage Capabilities: Upload Malware 

Adversaries may upload malware to compromised domains to make it accessible during their attack.  

T1583.008 Acquire Infrastructure: Malvertising 

Adversaries may purchase online advertisements, such as Google ads, that can be used distribute malware to victims. 

T1608.004 Stage Capabilities: Drive-by Target 

Adversaries may prepare a website for drive-by compromise by inserting malicious JavaScript.  

Initial Access 

Example 

T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

T1566 Phishing 

Adversaries may send phishing messages to gain access to target systems. 

T1189 Drive-by Compromise 

Victims may infect their systems with malware over browsing, providing an adversary with access.  

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1566.002 Phishing: Spearphishing Link 

Adversaries may send phishing emails with malicious links to lure victims into installing malware.  

Execution 

Example 

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1059.003 Command and Scripting Interpreter: Windows Command Shell 

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack. 

T1569.002 System Services: Service Execution 

Adversaries may abuse Windows service control manager to execute commands or payloads during their attack. 

Persistence 

Example 

T1053.005 Scheduled Task / Job: Scheduled Task 

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for recurring execution of malware or malicious commands. 

T1574.002 Hijack Execution: DLL Side-Loading 

Adversaries may execute their own malicious code by side-loading DLL files into legitimate programs.  

Privilege Escalation 

Example 

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 

Adversaries may bypass UAC mechanisms to elevate their permissions on a system. 

Defense Evasion 

Example 

T1564.008 Hide Artifacts: Email Hiding Rules 

Adversaries may create inbox rules to forward certain incoming emails to a folder to hide them from the inbox owner. 

T1070.004 Indicator Removal: File Deletion 

Adversaries may delete files to cover their tracks during the attack.  

T1218.011 System Signed Binary Proxy Execution: Rundll32 

Adversaries may abuse the Windows utility rundll32.exe to execute malware.  

T1112 Modify Registry 

Adversaries may modify the registry to maintain persistence on a target system.  

T1562.010 Impair Defenses: Downgrade Attack 

Adversaries may downgrade a program, such as PowerShell, to a version that is vulnerable to exploits. 

Credential Access 

Example 

T1621 Multi-Factor Authentication Request Generation 

Adversaries may generate MFA push notifications causing an MFA exhaustion attack. 

T1003.005 OS Credential Dumping: NTDS 

Adversaries may dump the contents of the NTDS.dit file to access credentials that can be used for lateral movement. 

T1003.001 OS Credential Dumping: LSASS 

Adversaries may dump the contents of LSASS to access credentials that can be used for lateral movement 

T1003.002 OS Credential Dumping: Service Account Manager 

Adversaries may dump the contents of the service account manager to access credentials that can be used for lateral movement. 

T1110.002 Brute Force: Password Cracking 

Adversaries may use brute force account passwords to compromise accounts. 

Discovery 

Example 

T1069.001 Permission Groups Discovery: Local Groups 

Adversaries may attempt to discover local permissions groups with commands, such as “net localgroup.”  

T1069.002 Permission Groups Discovery: Domain Groups 

Adversaries may attempt to discover domain groups with commands, such as “net group /domain.” 

T1201 Password Policy Discovery 

Adversaries may attempt to discover information about the password policy within a compromised network with commands, such as “net accounts.” 

Lateral Movement 

Example 

T1021.001 Remote Services: Remote Desktop Protocol 

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.  

T1534 Internal Spearphishing 

Adversaries may abuse a compromised email account to send internal spearphishing emails to move laterally. 

T1021.002 Remote Services: SMB / Windows Admin Shares 

Adversaries may abuse valid accounts using SMB to move laterally in a target environment. 

T1021.004 Remote Services: SSH 

Adversaries may abuse valid accounts using SSH to move laterally in a target environment. 

T1021.001 Remote Services: Windows Remote Management 

Adversaries may abuse valid accounts using WinRM to move laterally in a target environment. 

Collection 

Example 

T1114.002 Email Collection: Remote Email Collection 

Adversaries may target a Microsoft Exchange server to collect information.  

T1074.001 Data Staged: Local Data Staging 

Adversaries may stage collected data in preparation for exfiltration. 

T1074 Data Staged 

Adversaries may stage collected data in preparation for exfiltration. 

Command and Control 

Example 

T1105 Ingress Tool Transfer 

Adversaries may transfer tools from an external system to a compromised system. 

T1219 Remote Access Software  

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.  

Exfiltration 

Example 

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 

Adversaries may exfiltrate data to a cloud storage provider, such as Dropbox.  

Impact 

Example 

T1486 Data Encrypted for Impact 

Adversaries may use ransomware to encrypt data on a target system.  

T1490 Inhibit System Recovery 

Adversaries may disable system recovery features, such as volume shadow copies.  

T1657 Financial Theft 

Adversaries may commit financial fraud during the attack.

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

Debian Linux Security Advisory 5664-1 - Jetty 9 is a Java based web server and servlet engine. It was discovered that remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not closed), TCP congested and idle. Eventually the server will stop accepting new connections from valid clients which can cause a denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5664-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyApril 17, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : jetty9CVE ID         : CVE-2024-22201Jetty 9 is a Java based web server and servlet engine. It was discovered thatremote attackers may leave many HTTP/2 connections in ESTABLISHED state (notclosed), TCP congested and idle. Eventually the server will stop accepting newconnections from valid clients which can cause a denial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 9.4.50-4+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 9.4.50-4+deb12u3.We recommend that you upgrade your jetty9 packages.For the detailed security status of jetty9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/jetty9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYgPqhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeS8Wg/+JvDyNdRq1Tu6rEqfHprMuxVifvPSH4RefpWMVY1MUIwRSxCyL9GEKCtuq0a+Vf/JycNVbTcRB0n/UpgFdCCWE6dUngLIoYX/SmA+dXKLN9a+FIKj/aivOvOrCUEkaJiVBjARYoBxDzoLG8STAJkxJvCAIduOSZ4Pr3iaZ+3+mHLpz38aAHz7QCXSNoqaD66hMTCVPnVTTr3CvrhCIjcdxQRteJwkJ0XxT5WxYSBmVuB+zEAxHUt6ocv25bMel+B4OMcNrRrdQiUtqAF2i7ktAPO2HUo5+9kxYCwkB1DbgIEhdtkA6aBtTYZ0ZJbx4kV206DrQO7PjLzbY6RA2o2EiNb1zEZlaaFuGq6ctIpR52PplC0sEPUTVbDHLlDAQUIXzmmJGhD2etF5dpknbBTcAhUjGebCiasqwZ8HWiVUeIEwi89je7+CThjB3phSjyzqZivdkpYiZTApy3UU3lzXHViCtTIverkaQNoYExWVCKihvMRtSAlhw4b0ukEt+PNzrgl2N0M3bYh1oEh+TGqiP961Je38l5756wKLSxgzfTwTlrPmH6BFwhkFEnMxzjX4jvRWkVC2Yz4/DiJnRnAEjS3iOsvvDnP/lZkWZOXMT3TY0bRJSwUuEgCcNPF/PE/q6KRtzyxJLuTOFRwk/xob/q4GucD+RuqwHEC2w3fN7WE==HK3G-----END PGP SIGNATURE-----

Debian Security Advisory 5664-1

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current 3.x.x release.

**Botan C++ Crypto Algorithms Library 3.4.0**

Posted Apr 9, 2024

Site botan.randombit.net

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current 3.x.x release.

Changes: Added Ed448 signatures and X448 key exchange. X.509 certificate verification now can optionally ignore the expiration date of root certificates. Support for hybrid EC point encoding is now deprecated. Support for creating EC\_Group objects with parameters larger than 521 bits is now deprecated. A dozen additional changes and fixes have been applied.

tags | library

SHA-256 | 71843afcc0a2c585f8f33fa304f0b58ae4b9c5d8306f894667b3746044277557

Download | Favorite | View

Botan C++ Crypto Algorithms Library 3.4.0

Improving security in the applications that drive the digital economy is a necessary undertaking, requiring ongoing collaboration between the public and private sectors.

Neatsun Ziv, CEO & Co-Founder, Ox Security

April 5, 2024

4 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

The recent publication "Back to the Building Blocks: A Path Toward Secure and Measurable Software" by the White House Office of the National Cyber Director (ONCD) provides additional detail and strategic direction supporting the National Cybersecurity Strategy released in March 2023. The strategy intends to shift a much greater share of responsibility for cybersecurity to software vendors, service providers, and other entities that develop software applications. This latest report provides a more specific direction by emphasizing an aggressive shift to memory-safe programming languages with software development practices.

**The Memory Safety Imperative**

Traditional programming languages are frequently the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite comprehensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as advised by the Cybersecurity and Infrastructure Security Agency's (CISA) road map, is a critical step toward developing software that is secure by design.

**Navigating Legacy System Complexities**

One of the most daunting challenges in this strategic shift is addressing the legacy systems developed in C and C++. These legacy systems are not only numerous but often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in the downtime of critical business processes.

Moreover, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms like Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, underscores the broader challenge in cybersecurity: the pursuit of advanced security measures must be balanced against the practicalities and costs of implementing these changes, especially for established systems.

**Economic and Technical Considerations**

Many organizations face formidable costs associated with overhauling older systems. Changing coding protocols is not only a technical decision but also a strategic one to ensure the security of the digital infrastructure of the future. As a result, decision-makers considering when to undertake the transition must evaluate the immediate financial and operational impacts versus the long-term benefits.

Fortunately, technological innovations have already been developed that can reduce the cost and disruption of transitioning to safer code. For instance, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code runs without proper isolation. And because of recent advances in compiler technology, even worst-case unsafe coding practices can be protected if written in an older language. These developments should significantly lessen the barriers to adopting safe coding practices for organizations of any size.

**A Collaborative Effort Toward a Secure Future**

Policymakers and vendors must collaborate closely to balance enhancing security with maintaining essential software services. Embracing memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to advancing our collective cybersecurity. 

Several industry leaders have already made significant investments in memory-safe languages. Examples include: 

*   Mozilla's Rust programming language: With its emphasis on memory safety, Rust offers a solid alternative to traditional programming languages that marries security and performance.
    
*   Microsoft's investment in Rust: Recognizing that older languages have limitations, Microsoft has embraced Rust and used it in several new projects where memory safety was a concern.
    
*   Google's memory safety efforts: Google has invested considerable resources into finding and mitigating memory safety vulnerabilities and has called for using memory-safe languages in new developments. Last week, Google released a new research report, "Secure by Design: Google's Perspective on Memory Safety," advocating for a secure-by-design strategy. The report focuses on adopting languages with robust memory safety features and acknowledges the limitations of evolving C++ to meet these standards.
    

**Moving Forward: Practical Steps to Meet the ONCD Recommendations**

The path in the latest ONCD report is challenging, but rich with opportunity. It demands practical steps from all actors within the software development and cybersecurity ecosystems, including:

*   Education and training: Organizations must commit to teaching their teams about memory-safe languages and secure development practices, ensuring that developers can make the necessary changes.
    
*   Gradual transition plans: Organizations should create plans for transitioning legacy systems to memory-safe and manageable languages. They should address the most critical areas first and phase the project slowly to minimize operational disruption.
    
*   Leveraging automation tools: Organizations should use modern code analysis tools and compilers that automatically find and remediate unsafe code practices while reducing the burden of manual processes.
    
*   Policy and governance: Organizations must develop explicit governance constructs that bake in memory safety and secure development practices throughout the software development lifecycle.
    
*   Community and collaboration: Importantly, organizations should reach outside their walls and the broader tech community in forums, partnerships, and open source projects to share the knowledge, challenges, and solutions around memory safety that come with this journey.
    

Improving security in the applications that drive the digital economy is a lofty and complex but necessary undertaking requiring ongoing collaboration between the public and private sectors. The ONCD's latest report is a solid next step in articulating the strategy; however, more will is needed to realize the vision. Transitioning to memory-safe coding languages for new applications and updating legacy code are enormous challenges. However, progress is being made with recent advancements in software analysis and compiler technologies and commitments demonstrated by many global technology leaders.

**About the Author(s)**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

White House's Call for Memory Safety Brings Challenges, Changes &amp; Costs

UNAPIMON works by meticulously disabling hooks in Windows APIs for detecting malicious processes.

Source: Panchenko Vladimir via Shutterstock

Researchers have spotted Earth Freybug, a China-linked threat actor, using a new malware tool to bypass mechanisms organizations might have put in place to monitor Windows application programming interfaces (APIs) for malicious activity.

The malware, which researchers at Trend Micro discovered and named UNAPIMON, works by disabling hooks in Windows APIs for inspecting and analyzing API-related processes for security issues.

**Unhooking APIs**

The goal is to prevent any processes that the malware spawns from being detected or inspected by antivirus tools, sandboxing products, and other threat detection mechanisms.

"Looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process," Trend Micro said in a report this week.

"For environments that implement API monitoring through hooking, such as sandboxing systems, UNAPIMON will prevent child processes from being monitored," the security vendor said. This allows malicious programs to run without being detected.

Trend Micro assessed Earth Freybug as being a subset of APT41, a collective of Chinese threat groups variously referred to as Winnti, Wicked Panda, Barium, and Suckfly. The group is known for using a collection of custom tools and so-called living-off-the-land binaries (LOLbins) that manipulate legitimate system binaries such as PowerShell and Windows Management Instrumentation (WMI).

APT41 itself has been active since at least 2012 and is linked to numerous cyber espionage campaigns, supply chain attacks, and financially motivated cybercrime. In 2022, researchers at Cybereason identified the threat actor as stealing large volumes of trade secrets and intellectual property from companies in the US and Asia for years. Its victims have included manufacturing and IT organizations, governments, and critical infrastructure targets in the US, East Asia, and Europe. In 2020, the US government charged five members believed to be associated with the group for their role in attacks against more than 100 organizations globally.

**Attack Chain**

In the recent incident that Trend Micro observed, Earth Freybug actors used a multistaged approach to delivering UNAPIMON on target systems. In the first stage, the attackers injected malicious code of unknown origin into vmstools.exe, a process associated with a set of utilities for facilitating communications between a guest virtual machine and the underlying host machine. The malicious code created a scheduled task on the host machine to run a batch script file (cc.bat) on the host system.

The batch file's task is to collect a range of system information and initiate a second scheduled task to run a cc.bat file on the infected host. The second batch script file leverages SessionEnv, a Windows service for managing remote desktop services, to side-load a malicious dynamic link library (DLL) on the infected host. "The second cc.bat is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is SessionEnv," Trend Micro said.

The malicious DLL then drops UNAPIMON on the Windows service for defense evasion purposes and also on a cmd.exe process that quietly executes commands. "UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string," Trend Micro said. What makes it "peculiar" is its defense evasion technique of unhooking APIs so that the malware's malicious processes remain invisible to threat detection tools. "In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case," Trend Micro said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#c++