Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMWare, Cisco, Fortinet, and Progress Software’s MOVEit products.

A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Apple

Hot on the heels of iOS 16.5, June saw the release of an emergency iPhone upgrade, iOS 16.5.1. The latest iPhone update fixes security vulnerabilities in WebKit, the engine that underpins Safari, and in the kernel at the heart of the iOS system.

Tracked as CVE-2023-32439 and CVE-2023-32434, both issues are code-execution bugs and have been used in real-life attacks, Apple said on its support page.

While details about the already exploited flaws are limited, security outfit Kaspersky revealed how the kernel issue was used to perform “iOS Triangulation” attacks against its staff. Impactful because they require no interaction from the user, the “zero click” attacks use an invisible iMessage with a malicious attachment to deliver spyware.

Apple has also issued iOS 15.7.7 for older iPhones fixing the Kernel and WebKit issues, as well as a second WebKit flaw tracked as CVE-2023-32435—which was also reported by Kaspersky as part of the iOS Triangulation attacks.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8 , watchOS 9.5.2 and watchOS 8.8.1.

Microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, including 28 remote code execution (RCE) bugs. While some of the issues are serious, it is the first Patch Tuesday since March that doesn’t include any already exploited flaws.

The critical issues patched in the June update include CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges, nor does the user need to perform any action,” it added.

Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities that require an attacker to be authenticated to exploit.

Google Android

It’s time to update your Google Android device, as the tech giant has released its June Security Bulletin. The most serious issue fixed by Google is a critical security vulnerability in the System component, tracked as CVE-2023-21108, that could lead to RCE over Bluetooth with no additional execution privileges needed. Another flaw in the System tracked as CVE-2023-21130 is a RCE bug also marked as critical.

One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm components that the chipmaker fixed in 2022 after it had already been used in attacks.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.

Published:2023/06/30  Last Updated:2023/06/30

**Overview**

"NewsPicks" App uses a hard-coded API key for an external service.

**Products Affected**

*   "NewsPicks" App for Android versions 10.4.5 and earlier
*   "NewsPicks" App for iOS versions 10.4.2 and earlier

**Description**

"NewsPicks" App for Android and "NewsPicks" App for iOS provided by NewsPicks, Inc. use a hard-coded API key for an external service (CWE-798).

**Impact**

Data in the app may be analyzed and API key for an external service may be obtained.  
Note that the users of the app are not directly affected by this vulnerability.

**Solution**

**Update the Application**  
Update the application to the latest version according to the information provided by the developer.

According to the developer, the latest app does not hard-code the API key.  
Also the vulnerable API key has been deactivated, and therefore the information contained in the vulnerable app cannot be abused.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Sunagawa Masanori of BroadBand Security, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-28387: "NewsPicks" App uses a hard-coded API key for an external service

Innovative risk-based model enables better security measures.

**TEL AVIV, Israel****,** **June 28, 2023** **/PRNewswire/ --** OTORIO, the leading provider of operational technology (OT) cyber and digital risk management solutions, today announced a significant advancement in OT security with the availability of its Attack Graph Analysis technology, integrated into the company's powerful Cyber Digital Twin (CDT) model. By leveraging the capabilities of the CDT, organizations can now gain dynamic visual network topology and advanced risk assessment, enabling the proactive management of vulnerabilities in their OT infrastructure. This announcement follows the company's recent securing of a patent from the U.S. Patent and Trademark Office (USPTO) for its risk management model and attack graph analysis algorithm.

Even organizations with skilled OT security personnel face challenges when protecting operational environments due to their complexities and the shortcomings of existing OT security solutions. Limited visibility and partial data can result in an unclear asset inventory, and businesses often don't understand their actual exposure to attacks by only focusing on endpoint vulnerabilities. These factors make it difficult to accurately assess OT security posture.

OTORIO's Cyber Digital Twin and Attack Graph Analysis overcome these challenges. The CDT consists of an automated, secure, and logical representation of the operational network, its entities, and their interrelationships. It acts as a sandboxed model of the operational environment, enabling safe breach and attack simulations (BAS) as well as data-driven impact analysis.

Once the relationships between the entities have been established, the CDT algorithm generates an Attack Graph: a visualization of all network assets, vulnerabilities, and connections that show segmentation gaps and potential attack vectors targeting critical assets and processes. By calculating risk across all assets, threats, and scenarios, it enables businesses to continuously assess, monitor, and proactively protect their critical OT systems. Attack Graph Analysis empowers organizations to prioritize their security efforts by providing actionable insights into the most critical vulnerabilities and potential attack vectors. By identifying and visualizing the high-risk areas within their OT infrastructure, businesses can allocate resources more efficiently and stay ahead of emerging threats.

The CDT and Attack Graph Analysis technology are built on three key pillars:

*   Automation -- OTORIO streamlines security processes, reducing human error and enabling rapid response. It provides an automated, user-friendly report with action items and priorities, eliminating the need for manual analysis.
*   Explainability - The Attack Graph Analysis ensures transparency and enables users to better understand their security posture from a risk and business impact standpoint.
*   Actionability - The visually intuitive Cyber Digital Twin and Attack Graph Analysis reports provide recommendations tailored to network needs. This comprehensive approach equips organizations with effective security strategies, enabling proactive vulnerability management.

"Our Cyber Digital Twin and patent-protected Attack Graph Analysis are game-changing solutions for OT security, and we're thrilled to provide them to our customers," said Ben Reich, Chief Platform Architect at OTORIO. "We are bringing a new level of precision and effectiveness to OT security by empowering organizations to proactively manage risk, ensure operational resilience, and protect their critical assets from evolving cyber threats."

**About OTORIO** 

OTORIO has pioneered an industrial-native OT security platform that enables its customers to achieve an integrated, holistic security strategy for industrial control systems (ICS) and cyber-physical systems (CPS). Together with its partners, OTORIO empowers operational security practitioners to proactively manage cyber risks and ensure resilient operations.

The company's platform provides automated and consolidated visibility of the entire operational network, enabling companies to take control of their security posture, eliminate critical risks, and deliver immediate business value across the  organization. OTORIO's global team combines the extensive mission-critical experience of top nation-state cyber security experts with deep operational and industrial domain expertise. To learn more, visit OTORIO.com.

Logo - https://mma.prnewswire.com/media/2004395/4139581/Otorio\_Logo.jpg

SOURCE OTORIO

OTORIO Rolls Out Advanced Attack Graph Analysis for OT Security

Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface via calling the function SFSafariViewController.

CVE-2023-34658

Organizations should consider their security practices the same way people think about their well-being. Focus on staying healthy instead of finding a new pill for every security symptom you see.

Since the early 1990s, we've watched the internet evolve from dial-up connections to high-speed, cloud-based computing. Organizations have navigated a shifting maze of technology while defending against cyberattacks. Sadly, after three decades in cybersecurity, I see organizations wrestling with the same problems in 2023 that they grappled with in 1995 when they first plugged into the internet.

Attacks on users through email, attacks on availability through denial-of-service campaigns, and exploits of systems through vulnerable applications are longstanding strategies that remain fruitful for threat actors.

Even today, with increased awareness and public reporting of data breaches, business leaders and developers aren't taught to balance new technologies with the required security. Organizations still focus on functionality and time to market, not on ensuring secure, predictable behavior. This creates a weakened infrastructure that attackers continue to prey on successfully and daily.

So, why do cybersecurity losses continue growing despite a projected $188.3 billion global annual spending on information security and risk management products and services?

**We're Treating Symptoms, Not Causes**

Vendor messaging over the decades has trained the marketplace to believe the solution to cybersecurity challenges is technology. More and more technology. The same proposition leads people to think they can lose weight with a pill — not eating better or exercising more, but a quick and easy solution so that they can pay to make the problem disappear.

The growth of security budgets shows this line of thinking is pervasive and leads to a vicious cycle of trying to outspend risk. In truth, while much of the technology is valuable, cybersecurity issues arise in the gaps.

Like prescriptions that are stopped mid-course or bandages over broken bones, technology adopted without a plan can create misplaced confidence in an incomplete system. Many organizations focus on shiny, new attacks at the expense of solid foundational protection, and this misprioritization has continued a culture of victimization and never-ending vulnerabilities.

The rising cost and destructive power of cyberattacks aren't new; they're collateral damage from years of neglecting basic security policies and best practices. Increased security investment is spent on niche protection technologies promoted by analysts, vendors, press coverage, and practitioner curiosity.

The constant change in tooling and focus also leads to burnout and job dissatisfaction among experienced leaders, exacerbating the cybersecurity skills shortage. To address ongoing vulnerability and increasing stress, we need to think about cybersecurity differently, recognizing that successful businesses rely on a healthy security posture.

**Cybersecurity's Preventive Medicine**

Organizations should consider their security practices the same way people think about their well-being. Focus on staying healthy instead of finding a new pill for every security symptom you see. The same principles you hear from the doctor apply to cybersecurity resilience: Diet, exercise, and regular checkups.

Security's basic food groups are prevention, detection, response, and remediation. Address each appropriately based on the specifics of your organizational need. Too little prevention and your detection, response, and remediation will be swamped. Too little response and security events will drag on. Your security program should consume only what it needs and what your team can digest and use. Any more than this, and you'll be carrying extra weight in your budget.

Cybersecurity conditioning means regularly conducting awareness training, tabletop exercises, practitioner certifications, asset inventory verifications, and penetration tests. Keep the team up to date on roles and responsibilities. Your response will be faster and more targeted, and your organization less disturbed, if you take the time to work out that security muscle regularly.

No one likes going for a yearly physical, but it's a great way to learn if you're as healthy as you think. Find time to run through your security program to make sure it's still balanced. Have your team double-check critical controls and compliance with relevant standards or best practices. Get a second opinion once in a while. Find a third party that doesn't have the context of your business and ask what they see. Good cybersecurity health means looking for even small indications something may have been missed. It doesn't take long for that blind spot to put your whole effort at risk.

**If You Do Get Sick…**

Maintaining a resilient, trustworthy security system is complicated by new capabilities and a diverse threat landscape. By some estimates, more than 250,000 new pieces of malware are detected daily. We need to diagnose and treat new problems like the healthcare industry addresses constantly changing epidemiological challenges.

The healthcare system keeps up with new and mutating diseases because specialists focus on a single condition, determining the best means to identify and diagnose it. Another group focuses on treatment to quell the problem early. Others develop the specialized equipment that powers diagnosis and treatment, while hospitals and the entire healthcare ecosystem support patients.

If we understand our organizations and the threats we're likely to face, we can begin to live the healthy, budgetable, and predictable corporate cybersecurity life we've sought for decades. By taking cyber health more seriously, we can cure the fundamental problems that have plagued the industry for the past 30 years and stop merely treating the symptoms and attacks.

Cybersecurity Is the Healthcare Your Organization Needs

Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).

CVE-2023-33466: Security advisory for Orthanc deployments running versions before 1.12.0

A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams.

Thursday, June 29, 2023 08:06

Purple Team exercises are included within the Cisco Talos Incident Response Retainer service and our experts can help your organization find security holes before the bad guys can.

As your trusted advisor, our purple team, which is a combination of both red and blue teams, emulates one joint attack scenario, executes the scenario, and records how your current incident response capabilities perform to evaluate your current gaps and inform future enhancements.

Can your organization’s current security incident response program withstand an emulated adversarial attack? Need to put your current TTPs detections to the test? Not sure where to start, what to test, or what gaps exist in your program? No fear, Talos IR can partner with you to provide Purple Team expertise and exercises, tailored for your organization to proactively test and enhance your prevention, detection and response capabilities.

During the Purple Team exercise, an external Red Team acts as an Advanced Persistence Threat (APT) actor while the Talos IR Blue Team, together with the organization’s defender team, is responsible for detecting those activities and responding to the attack in accordance with the existing security procedures.

If you want to learn more about Talos IR's Purple Team, tune into the next Talos IR On Air stream on July 27 at 12 p.m. ET. The stream will be available live on Talos' Twitter and LinkedIn, with a replay going up shortly after on our YouTube page.

Organizations of all sizes can benefit from the Purple Team exercises Cisco offers to proactively test your current cybersecurity risks and solidify your team’s TTPs and increase your overall security knowledge in advance of a cybersecurity incident.

**Purple Team value for joint teams**

Cisco can partner with you to provide Purple Team expertise and exercises, tailored for your organization, to proactively test and enhance your detection and response capabilities. A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams. The Red Team emulates adversary TTPs, while the Blue Team, which consists of seasoned Talos IR responders, works side-by-side with your organization’s defenders to detect and respond to those attacks. During the exercise, the Blue Team is challenged to use the organization’s existing internal security TTPs policies and procedures and test available security tooling. This type of dynamic emulation helps proactively identify any gaps in training and resources and increases the organization’s security awareness and preparedness for the future.

These Purple Team exercises also help organizations optimize their security investments by identifying weaknesses in their current security toolsets. Once these gaps are identified and shared your organization has more insightful data to support future cybersecurity solutions investments. Making informed decisions about where to allocate resources will mitigate the risk of wasting resources on ineffective cybersecurity solutions and can ensure your financial investments are optimized to meet your needs today and tomorrow.

Purple Team exercises also offer a valuable opportunity for knowledge exchange between members of the Blue and Red Teams.

*   The Red Team learns more from the Blue Team about the different security controls that are in place and tries to identify new ways to circumvent these controls.
*   The Blue Team, on the other hand, gains insights into the specific techniques used by the adversaries to compromise the environment, including specific tools and attack scripts.

Internal defenders, employed by the organization, use the firsthand experience from the Purple Team to update and optimize their monitoring and detection capabilities and build new processes.

**Testing approach and steps**

Purple Team exercises have been designed around the MITRE ATT&CK Framework to provide common terminology for identifying and blocking commonly used adversarial TTPs.

During the engagement, Talos Red Team and Talos Incident Response teams work together with the customer’s team to exchange knowledge about common attacks and corresponding detection. The responders from Talos IR collaborated closely with the customer security teams to properly identify all techniques executed by Talos Red Team and verify the defense’s actions. The workshop-style Purple Team engagement increases team trust among members of the internal security team and creates a base to improve the overall organization’s resilience against active threats. With clearly defined steps Talos IR collaborates with your organization’s security teams to properly identify all techniques executed by Talos Red Team and verifies the recorded activity.

The Purple Team exercise starts with the customer and Cisco Talos jointly defining and testing attack scenarios based on the organization’s existing security capabilities. An important part of this process is an evaluation of the strengths and weaknesses across different deployed security capabilities and the identification of areas of concern.

The final scenario is uniquely crafted to meet the risk concerns of the organization in terms of protecting its environment and “crown jewel” assets. A document with scenario details is agreed upon with the organization’s representatives before launching the agreed attack. Throughout the active execution of the attack, the Cisco Talos team will document the response of the security team by collecting detailed notes on topics such as the coverage of the security capabilities, availability of telemetry to detect and analyze the TTPs and, finally, the overall organization.

Integrating threat intelligence into our exercises helps organizations better understand the threats that they face and identify potential vulnerabilities in their security defenses. The intelligence data from Cisco Talos is a key differentiator of our Purple Team capabilities. The Cisco Talos team incorporates threat intelligence data from historical threats related to your organization's unique industry vertical and geography, as well as information on current adversary activity to create your tailored attack scenario. To protect your organization, Cisco Talos offers publicly available Threat Assessment Reports, which are published quarterly and yearly, and are an integral component used to build scenarios based on the latest threat intelligence. The final scenario aims to emulate as closely as possible a specific real-life threat that was analyzed by Talos in the wild, often leveraging existing research on observed threats and direct emergency response experience.

The outcome of the Purple Team exercise heavily relies on visibility into the organization's environment. The Security Operations Team within your organization relies on the existence of sufficient logs and properly configured security tools to quickly identify threats targeting the environment and stop them at an early stage. Verification of detection capabilities and visibility gives the team insights about potential gaps and better preparation for incidents.

Below is a list of standard tools that the Purple Team could use depending on the specific needs of the engagement:

*   Antivirus and Endpoint Detection and Response (EDR)
*   Traditional, Next-Generation and Web Application Firewall(s)
*   NetFlow and Network Telemetry
*   Email Server and Security Appliance Logs
*   DNS Security and Visibility Logs
*   Operating System and Application Logs
*   Auxiliary Operating System Logs
*   Proxy Network Logs
*   Application Logs
*   Data Loss Prevention Logs

**Attack scenario execution**

During the delivery of a Purple Team exercise, Talos IR team supports actively but non-intrusively the security team with detection and identification activities. As the Talos Red team executes step-by-step the pre-defined attack, compromising selected hosts or parts of the environment, Talos IR, in collaboration with the customer’s security team, works on detection across applicable security capabilities and cross-referencing logs to gain full identification of the attack.

For each TTP used by the attacker, the Talos IR team documents the following attributes of the security team’s response:

*   Logged, Alerted, and Mitigated
*   Logged and Alerted
*   Logged and Mitigated
*   Alerted and Mitigated
*   Not Detected

This type of detailed documentation builds up the foundation for the post-exercise report.

**Attack scenario results and reporting**

The Purple Team engagement concludes with a report and a debrief session. The report summarizes the overall activities during the exercise, the preparatory actions in the scenario-building phase, and the results of the detection and response verification. This engagement report serves as a foundation for future improvement of environment detection capabilities and paves the way for enhanced security resilience of the company.

Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding our new Purple Team service.

How Talos IR’s Purple Team can help you prepare for the worst-case scenario

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.
Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK

A previously undocumented Windows-based information stealer called **ThirdEye** has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe."

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features.

The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, register usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.

A notable trait of the malware is that it uses the string "3rd\_eye" to beacon its presence to the C2 server.

There are no signs to suggest that ThirdEye has been utilized in the wild. That having said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it's likely that the malicious activity is aimed at Russian-speaking organizations.

"While this malware is not considered sophisticated, it's designed to steal various information from compromised machines that can be used as stepping-stones for future attacks," Fortinet researchers said, adding the collected data is "valuable for understanding and narrowing down potential targets."

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.

"The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim's system performance, and the depletion of valuable system resources," Cyble said.

SeroXen infection chain

Video game users have also been targeted with Python-based ransomware and a remote access trojan dubbed SeroXen, which has been found to take advantage of a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence shows that actors associated with SeroXen's development have also contributed to the creation of ScrubCrypt.

The malware, which was advertised for sale on a clearnet website that was registered on March 27, 2023 prior to its shutdown in late May, has further been promoted on Discord, TikTok, Twitter, and YouTube. A cracked version of SeroXen has since found its way to criminal forums.

"Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as 'cheats,' 'hacks,' 'cracks,' and other pieces of software related to gaining a competitive edge," Trend Micro noted in a new analysis of SeroXen.

"The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors' standards."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

An unauthenticated attacker within BLE proximity can remotely connect to a 7-Eleven LED Message Cup, Hello Cup 1.3.1 for Android, and bypass the application's client-side chat censor filter.

\*\* 7-Eleven Bluetooth Smart Cup Jailbreak \*\*

****

In 2019 7-Eleven distributed a limited promotional item they generically named the 'Custom Message Cup’\*.

*   https://fccid.io/2AQNV-60961HC

Customers could personalize their cups with their own messages & slogans.

The cup consists of a plastic shell lined with an LED strip that communicates via BlueTooth Low Energy & allows users to send messages from their mobile device & is available for Android & iOs.

There is a word filter restriction on this promotional cup that displays filtered words using asterixis '\*'.

Searching the source via JADX-GUI revealed the de-facto list of vulgar words & the regex word filter accomplished via client-side filtering\* so I proceeded to edit that wordlist.

APK Easy Tool was effective in providing a turn-key solution to decompile, sign & recompile the 'Hello Cup'(v1.3.1) Application.

The first step was to retrieve the Smali resource files that is essentially specialized assembly language code that is used to represent the Dalvik bytecode of Android applications & specific to the Android runtime environment.

Because I quit ‘Pokemon GO’ only the string 'pogo' will be restricted & everything else previously banned such as 'ugly' (really?) will no longer be filtered.

As a result the message 'UGLY POGO STICK' previously rendered as '\*\*\*\* POGO STICK' will now display 'UGLY \*\*\*\* STICK'.

Although modifying the application was trivial, it served as an interesting illustration bypassing client-side filtering.

\*\* CWE-602: Client-Side Enforcement of Server-Side Security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34761

Tag

#ios