IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1could allow a local user with elevated privileges to exploit a vulnerability in the lpd daemon to cause a denial of service. IBM X-Force ID: 238641.

  

**Summary**

A vulnerability in the AIX lpd printer daemon could allow a local user with elevated privileges to cause a denial of service (CVE-2022-43382). The lpd daemon is the remote print server on AIX.

**Vulnerability Details**

**CVEID:**   CVE-2022-43382  
**DESCRIPTION:**   IBM AIX could allow a local user with elevated privileges to exploit a vulnerability in the lpd daemon to cause a denial of service.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238641 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.1

AIX

7.2

AIX

7.3

VIOS

3.1

The following fileset levels are vulnerable:

Fileset

Lower Level

Upper Level

bos.rte.printers

7.1.5.0

7.1.5.33

printers.rte

7.1.5.0

7.1.5.31

bos.rte.printers

7.2.5.0

7.2.5.1

bos.rte.printers

7.2.5.100

7.2.5.100

printers.rte

7.2.4.0

7.2.4.0

printers.rte

7.2.5.200

7.2.5.200

bos.rte.printers

7.3.0.0

7.3.0.0

printers.rte

7.3.0.0

7.3.0.0

printers.rte

7.3.1.0

7.3.1.0

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example: lslpp -L | grep -i bos.rte.printers

  

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

AIX Level

APAR

SP

7.1.5

IJ44552

SP11

7.2.5

IJ44559

SP06

7.3.0

IJ42800

SP03

7.3.1

IJ44564

SP02

VIOS Level

APAR

SP

3.1.2

IJ44615

3.1.2.50

3.1.3

IJ42162

3.1.3.30

3.1.4

IJ44559

3.1.4.20

Subscribe to the APARs here:

https://www.ibm.com/support/pages/apar/IJ42162

https://www.ibm.com/support/pages/apar/IJ42800

https://www.ibm.com/support/pages/apar/IJ44552

https://www.ibm.com/support/pages/apar/IJ44559

https://www.ibm.com/support/pages/apar/IJ44564

https://www.ibm.com/support/pages/apar/IJ44615

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

IBM strongly recommends addressing the vulnerability now.

The fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/lpd\_fix3.tar

http://aix.software.ibm.com/aix/efixes/security/lpd\_fix3.tar

https://aix.software.ibm.com/aix/efixes/security/lpd\_fix3.tar

The links above are to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

AIX Level

Interim Fix

7.1.5.8

IJ44552mAa.221208.epkg.Z

7.1.5.9

IJ44552mAa.221208.epkg.Z

7.1.5.10

IJ44552mAa.221208.epkg.Z

7.2.5.3

IJ44559m4a.221214.epkg.Z

7.2.5.4

IJ44559m4a.221214.epkg.Z

7.2.5.5

IJ44559m5a.221208.epkg.Z

7.3.0.1

IJ42800m2a.221208.epkg.Z

7.3.0.2

IJ42800m2a.221208.epkg.Z

7.3.1.1

IJ44564m1a.221208.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

Please reference the Affected Products and Version section above for help with checking installed fileset levels.

VIOS Level

Interim Fix

3.1.2.21

IJ44615m2a.221213.epkg.Z

3.1.2.30

IJ44615m2a.221213.epkg.Z

3.1.2.40

IJ44615m2a.221213.epkg.Z

3.1.3.10

IJ42162m4a.221208.epkg.Z

3.1.3.14

IJ42162m4a.221208.epkg.Z

3.1.3.21

IJ42162m4a.221208.epkg.Z

3.1.4.10

IJ44559m5a.221208.epkg.Z

The fixes are cumulative and address the previously issued AIX/VIOS lpd security bulletin with respect to SP and TL:

https://aix.software.ibm.com/aix/efixes/security/lpd\_advisory2.asc

https://www.ibm.com/support/pages/node/6594859

To extract the fixes from the tar file:

tar xvf lpd\_fix3.tar

cd lpd\_fix3

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[file\]" command as the following:

openssl dgst -sha256

filename

9dbee1f9ad2158e491a36186236a776086ae4a3e6ec65052c84688c2412bec3c

IJ42162m4a.221208.epkg.Z

6c3b3f0c7521e46d6071fa62517173de68768487b34260b8b3641391ee194886

IJ42800m2a.221208.epkg.Z

29594f99310e866eaca906730d347b1a9e976212d708a3d95f6c70b517d96b23

IJ44552mAa.221208.epkg.Z

328df5737201ed540a0b011da0cca28a51b182286a12280a21537cff4b5638ce

IJ44559m4a.221214.epkg.Z

b7ab294f33bddb6679157b9e55d0fd3e822c8d7259e119ccc00b027a7f934642

IJ44559m5a.221208.epkg.Z

371bec45e77ec860b79ee3759feedf5b00ea22098c6a79ea9f51d3e0852b6888

IJ44564m1a.221208.epkg.Z

bb941b81852b4a46944ac793173998a714d6facd8af36e0ca63f300bd3c091ef

IJ44615m2a.221213.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Support at https://ibm.com/support/ and describe the discrepancy.

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/lpd\_advisory3.asc.sig

https://aix.software.ibm.com/aix/efixes/security/lpd\_advisory3.asc.sig

ftp://aix.software.ibm.com/aix/efixes/security/lpd\_advisory3.asc.sig

**C. FIX AND INTERIM FIX INSTALLATION**

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg\_name -p # where ipkg\_name is the name of the

\# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X # where ipkg\_name is the name of the

\# interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

14 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2022-43382: Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382)

When properly designed and trained, artificial intelligence and machine learning can help improve the accuracy of distributed denial-of-service detection and mitigation.

After early excitement about artificial intelligence (AI) in the late 1980s and early 1990s, followed by a couple of "AI winters" — periods of reduced funding, interest and even disillusionment — we now again see great enthusiasm about all things related to AI and machine learning (ML). It is no wonder that AI/ML is also being considered for network security, including distributed denial-of-service (DDoS) protection.

It's not that AI/ML algorithms have changed so radically — but they have matured. In network security, like in many other fields, the abundance of data and greater-than-ever processing power makes it feasible to implement new AI/ML algorithms in silicon or in the cloud, allowing us to teach machines to be more accurate and faster than humans are.

With DDoS security, the problem is distinguishing "good" from "bad" traffic and minimizing the mitigative actions to reduce the effect on "good" traffic. Apart from accuracy and speed, the percentage of false positives indicates how good your detection is — the lower, the better. Until recently, the industry-accepted rate of 5% to 10% false positives meant that neutralizing a 2Tbps-size DDoS attack could also block 100Gbps to 200Gbps of legitimate network traffic. This needs to improve by at least an order of magnitude.

**AI/ML for Better DDoS Detection**

AI/ML can help network security teams make more accurate and faster decisions about what constitutes a DDoS threat or is an ongoing attack. Knowing the larger Internet-security context is essential — a global perspective of traffic down to the IP address level, with prior history of traffic patterns and abuse — can help prevent making a snap decision about whether certain traffic flows are legitimate. It's like a credit card company tracking all transactions in order to decide which ones are fraudulent.

Big data collected from the network itself — in the form of telemetry from IP routers, enhanced with the larger security context — provides a great base for training AI/ML models to recognize DDoS patterns. Still, human intelligence is irreplaceable: People need to teach AI/ML what to look for. And there is a lot to be taught, from recognizing a botnet DDoS (coming from thousands of IoT devices as regular IP traffic) to understanding when seemingly separate network patterns are all parts of a larger, coordinated DDoS activity.

**Better Mitigation, Too**

Another important role for AI/ML is in defining DDoS mitigation strategies and driving real-time tactics based on changing network conditions and mitigation results.

DDoS detection is a big data problem with somewhat unconstrained resources, limited only by the processing platforms. DDoS mitigation, however, is a problem where resources are constrained. Mitigation capabilities, capacity, and scale can differ from product to product and from one network to another. The actual mitigative actions need to consider all of those details and more — preferences about the number of security filters applied on routers, whether NETCONF or Flowspec should be used, etc. All of these constraints can be passed to an AI/ML system to drive networkwide AI/ML-optimized mitigation.

Additionally, AI/ML algorithms could be used to calculate the efficiency (as measured by false-positive rates) of suggested mitigation scenarios and to test and evaluate different what-if scenarios offline to improve the mitigation further.

**Understanding Wider Context Is Key**

Big data platforms can efficiently sift through massive amounts of data, ingesting information about the Internet-wide security-related context and real-time network data about network flows, usage patterns, and other relevant metrics.

With the help of AI/ML algorithms, it is now possible to detect DDoS activity early and take immediate, targeted, and optimized mitigation measures to thwart such attacks.

By incorporating big data analytics and AI/ML into all stages of a comprehensive DDoS security strategy, we can guard our networks against malicious DDoS attacks, keep the services running, and protect users online.

How AI/ML Can Thwart DDoS Attacks

Marine Corps engineer-turned offensive security expert offers careers advice and his best and worst experiences

Marine Corps engineer-turned offensive security expert offers careers advice and his best and worst experiences

John Jackson has been working in cybersecurity for less than five years, but already has several significant wins under his belt.

After five years as an engineer in the Marine Corps he founded white-hat hacker collective Sakura Samurai, which last year discovered git directories and credential files within United Nations infrastructure that exposed more than 100,000 private employee records.

On a roll, the group soon after publicly disclosed vulnerabilities within the Indian government that allowed them to access personal records, police reports, and other hugely sensitive data, along with session hijacking and arbitrary code execution flaws on finance-related governmental systems.

Jackson’s other notable successes have included the discovery of a vulnerability in the Talkspace mental health app and two serious bugs in Chinese-made TCL brand televisions.

In a follow-up to the first part of our two-part feature on becoming a pen tester, we asked Jackson, now senior offensive security consultant at Trustwave, about his achievements, his love for pen testing, and the skills that would-be penetration testers need to succeed.

Daily Swig: How did you get into pen testing?

John Jackson: My story’s a little non-traditional. I didn’t grow up as a computer nerd. I was actually going to college for philosophy at CU Denver when I got a phone call from a recruiter and he asked me, hey, do you want to be a hacker?

I went through a boot camp and by the time I got to certified ethical hacker level I was actually helping class members learn, because I had done so much self-study on my own as I was just so excited.

I got recruited by TEKsystems as a contractor to go and work for Staples, initially as a cybersecurity engineer, and after the first six months there, they switched me to endpoint detection response. I went from application security engineer to senior applications security engineer for Shutterstock and after that, I went to Trustwave.

I was still hacking on my own time doing ethical hacking, and I established a group at the time called Sakura Samurai.

DON’T MISS How to become a pen tester: Part 1 – your path into offensive security testing

DS: What’s the best way to get into penetration testing?

JJ: There’s not a linear path. When I was getting into it, they \[the industry\] didn’t have as many certifications as they do now, and they also didn’t have as many materials, but nowadays they have things like Hack the Box, which can be a good way in.

I think there is no definitive skill that makes you a good hacker – it’s not so much a skill but a mindset. It’s endless curiosity.

If you’re not the type of person that likes spending a lot of your free time learning then it’s not the best field for you, because you’re always going to have to improve, and it’s very difficult to improve if you’re not continually learning, and a lot of the time that’s on your own time.

DS: What are your favourite things about your job?

JJ: One of my favourite things is the ability to hack so many different things. I’ve done ATM hacking, I’ve done phishing and social engineering, and then I moved into red teaming where the scope is a lot larger, and you have a lot more control over how you hack the organizations because you emulate advanced persistent threat actors.

Pen testing is amazing because I’m always learning – it really keeps me going and keeps my brain fresh. I don’t get bored because every day is new.

DS: And the worst?

JJ: A lot of non-technical people are sometimes involved in setting up and arranging pen tests and red teams, and sometimes they under-scope the assessments and take a very check-in-the-box approach to pen testing.

I think that that’s bad for everyone involved – it’s bad for the pen testers because you’re limited to such a narrow scope of what you can and can’t do, and it’s bad for security because in reality it’s just not realistic. A criminal hacker is not going to stop and say “you know what, this domain’s out of scope, this technology’s out of scope, I’m not going to mess with that”.

Pen testers are highly technical and sometimes you’re dealing with people that are more salesy or C-level, and you have to explain why it matters – and that can be tough.

MUST READ A rough guide to launching a career in cybersecurity

DS: What’s the most enjoyable project you’ve ever worked on?

JJ: I think my favourite project was a bank that wanted a red team with a scope of pretty much everything. That was a lot of fun, because I got to use the expertise I had to think outside of the box and use some of their own platforms to abuse their company.

They were blown away because they didn’t expect to see this or that service get abused, so I felt kind of proud doing that. \[It felt like\] finally someone appreciates that outside of the box thinking.

‘Red teaming’ gives you much ‘more control over how you hack the organizations because you emulate’ APTs

DS: And the most serious?

JJ: With the UN, with my group Sakura Samurai, we found GitHub credentials. We used the GitHub credentials to download the organization’s internal GitHub code and then, going through the code, we found over 100,000 lines of employee information. It was insane. That was definitely pretty scary.

The Indian government hack was crazy too – that was on another level. We found a lot of vulnerabilities – credentials, remote code execution, you name it. We were just going in and gave them a very extensive report, and actually coordinated it with DC3 \[Department of Defense Cyber Crime Center\] to help us disclose, because we were so worried about how much we found.

DS: What are your thoughts about bug bounties?

JJ: I’ve got a lot of complaints \[about\] bug bounty \[programs\], the biggest one being that you have to sign non-disclosure agreements when you submit these bugs, and sometimes that’s a moral conflict because you’ll discover things that are really bad. I was a blue teamer for half of my career, so when I find these certain types of bugs in bug bounty programs it’s unnerving because I know they’re not going to handle this how they need to handle this, they’re going to try and sweep this under the rug.

I moved towards vulnerability disclosure programs because you give them time to fix it and then you can disclose the bug that you found. I think that all hackers should try some vulnerability disclosure because it really just gives you a chance to get your hands on hacking a lot of things at once and then go through the process.

Read more of the latest news from the pen testing industry

DS: What are you working on now?

JJ: Right now, I’m working on another red team engagement. We’re on the internal phase, so the phase of just being inside the organization and looking for security vulnerabilities to see what we can and can’t do, how far we can go.

It’s always exciting. I love doing it, as this just really combines a lot of elements of hacking – network hacking, web hacking, and then the social aspects like what type of technologies do people use, and how can you abuse that internally?

A good example that I can say on record because it’s very obvious is Office 365, using Microsoft products to get more passwords or access to the organization, so that’s what I’m dealing with right now.

DS: What careers could pen testing lead on to?

JJ: I definitely have moved towards red teaming more, which is just a different form of pen testing. But I’d say for me red teaming and pen testing is the end of the line.

You could spend your entire life as a pen tester, absolutely, but I think a lot of people in the different client environments have shifted into a model of wanting pen testers to do more threat emulation – specific goals like ‘steal our credit card data, steal our employee accounts’.

The reality is it’s just endless, and there’s always something bigger you can aspire to. So if you’re a pen tester maybe \[the next step is\] senior pen tester, if you’re a senior pen tester maybe it’s to go to offensive security consultant, moving into red teaming. I think shifting into red teaming is the end goal for a lot of people.

YOU MAY ALSO LIKE How to become a CISO – Your guide to climbing to the top of the enterprise security ladder

How to become a penetration tester: Part 2 – ‘Mr hacking’  John Jackson on the virtue of ‘endless curiosity’ 

Asset inventory, behavioral baselining, and automated response are all key to keeping patients healthy and safe.

According to a 2020 memo from the Commonwealth of Massachusetts Department of Public Health, a code black event is "defined as when a hospital's Emergency Department is closed, as declared by an authorized hospital administrator, to all patients (ambulance and walk-in patients) due to an internal emergency."

The memo goes on to list a number of situations constituting internal emergencies, including:

*   Fires
*   Explosions
*   Hazardous material spills or releases
*   Other environmental contamination
*   Flooding
*   Power or other utility failures
*   Bomb threats
*   Violent or hostile actions impacting the Emergency Department

**Code Black/Code Dark**

On April 20, 2022, the Bay State added another item to that list, when code black events were declared at hospitals in Worcester and Framingham, following cyberattacks on Tenet Healthcare Corporation facilities there and in Florida. According to HealthcareITNews, "Tenet immediately suspended user access to impacted IT applications, executed extensive cybersecurity protection protocols and took steps to restrict further unauthorized activity." HealthITSecurity later reported that the attack campaign included a ransomware infection that ultimately cost Tenet $100 million in lost revenue during the second quarter. 

Now, cyberattacks have their own emergency response designation, called "code dark." A recent Wall Street Journal article described code dark procedures at Washington, DC's Children's National Hospital, during which, while IT staff respond to the event, hospital employees are trained to turn off Internet-connected medical equipment to keep an attack from spreading. Under such conditions, the hospital's CISO said, "If we call a code dark, the entire hospital knows to disconnect devices anywhere they can." 

**Patient Safety at Risk**

That's not especially comforting, given healthcare providers' reliance on medical devices. Hospitals are prime targets for threat actors, and especially for ransomware gangs. They know healthcare providers are under great pressure to maintain continuity of operations and to protect patient safety, and so are most likely to pay the cost to unlock medical systems, devices, and data, rather than risk an unfortunate outcome. A new study by the Ponemon Institute underscores this risk, finding that hospitals falling victim to a ransomware attack experience a decline in care quality and outcomes, including longer patient stays, test and procedure delays, and even more complications following care. 

Healthcare organizations invest aggressively in connected devices to improve facilities management and administration, and to provide a higher quality of patient care. Those devices include the Internet of Things (IoT), the Internet of Medical Things (IoMT), and operational technologies (OT). A recent study by Juniper Research forecasts that the average hospital will have as many as 3,850 IoMT devices connected to their networks by 2026. Every device that connects increases the complexity of a hospital's IT estate and its attack surface.

**Zero Trust for Connected Devices Starts With Asset Inventory and Baselining**

The proliferation of these devices in a hospital's IT infrastructure requires meticulous attention be paid to the risk each connected device adds to the network. Without the means to discover, monitor, and manage every connected device, the security of an organization's devices, data, and even patients themselves could be compromised. That makes it imperative to translate the elements of zero trust (never trust, always verify, and least privilege access) and apply them to a connected device security strategy.  

The first step in doing that requires knowing your attack surface. The adage "You can't protect what you can't see" holds true here, making complete device discovery and classification essential and foundational to protecting healthcare environments. This can range from traditional IT devices and medical devices that cannot be discovered via traditional means to elevator and HVAC control systems that are core to hospital operations. The approach needs to be "passive" so it doesn't impact device function.  

The next step is mapping transactions. With connected devices, this starts by using machine learning to establish and understand a baseline of how each device should behave. Since most IoT, IoMT, and OT devices operate within deterministic parameters, having an accurate understanding of normal, safe behavior makes it easier to recognize anomalous behaviors that represent early indicators of compromise. And when you can accurately detect an attack or risky behavior, you can automate policy enforcement that isolates compromised or at-risk devices. 

**Automate Response and Policies With Machine Efficiency**

That granular device profile — what a device is, how it's communicating, where it's connected, and its normal patterns of behavior — contains the elements you need to architect your zero\-trust policies and response — both reactive and proactive. The device context allows you to quickly respond to an attack and minimize and contain the blast radius. It also allows you to maintain operational continuity by keeping gear in service rather than shutting things down that might not need to be taken offline, or that could put patient care at risk if disconnected.  

For example, rather than taking a connected medical device offline if it is being used by a patient, dynamically generate zero\-trust segmentation policies that can quickly isolate the device on the network and allow its "sanctioned" behavior to continue. In contrast, a compromised surveillance camera communicating to a malicious domain can be blocked and taken off the network immediately, without risking an adverse medical outcome. 

**Enlightened, Not Dark**

A code dark protocol that asks doctors, nurses, and medical support staff to disconnect devices is one way to deal with a cyberattack, but it's not the best way. Instead, use an enlightened approach that applies a zero\-trust strategy to protecting connected devices. By starting with an asset inventory of devices in the network, baselining of device behavior, and leveraging automation to respond to threats and quickly stop lateral movement, you can maintain a higher security profile without compromising healthcare quality. When that is the model, network and patient safety can be maintained at a high level, even in the middle of a cyberattack, without pulling the plug.

Protecting Hospital Networks From 'Code Dark' Scenarios

Threat actors can take over victims' cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

Attackers can compromise a new feature in Amazon Web Services (AWS) to hijack cloud accounts' static public IP addresses and abuse them for various malicious purposes, researchers have found.

Threat actors can use the Amazon Virtual Private Cloud (VPC) Elastic IP (EIP) transfer feature to steal someone else's EIP and use it as their own command-and-control (C2), or to launch phishing campaigns that impersonate the victim, researchers from cloud incident response firm Mitiga revealed in a blog post on Dec. 20.

Attackers also can use the stolen EIP to attack a victim's own firewall-protected endpoints, or to serve as the original victim’s network endpoint to extend opportunities for data theft, the researchers said.

"The potential damage to the victim by hijacking an EIP and using it for malicious purposes can mean using the victim’s name, jeopardizing the victim’s other resources in other cloud providers/on-premises, and \[stealing the\] victim’s customers' information," Or Aspir, software engineer at Mitiga, wrote in the post.

Threat actors must already have permissions on an organization's AWS account to leverage the new attack vector, which the researchers call "a post-initial-compromise attack."

However, because the attack was not possible before the feature was added and is not yet listed in the MITRE ATT&CK Framework, organizations may be unaware that they are vulnerable to it, as it's not likely to be picked up by existing security protections, the researchers said.

"With the right permissions on the victim’s AWS account, a malicious actor using a single API call can transfer the victim’s used EIP to their own AWS account, thus practically gaining control over it," Aspir wrote. "In many cases it allows greatly increasing the impact of the attack and gaining access to even more assets."

**How Elastic IP Transfer Works**

AWS introduced EIP in October as a legitimate feature to allow transfer of Elastic IP addresses from one AWS account to another. An Elastic IP (EIP) address is a public and static IPv4 address that can be reached from the Internet and can be allocated to an Elastic Compute Cloud (EC2) instance for Web-facing activities, such as website hosting or communicating with network endpoints under a firewall.

AWS introduced the feature to make it easier to move Elastic IP addresses during AWS account restructuring by transferring the EIP to any AWS account — even AWS accounts that are not owned by someone or his or her organization, the researchers said.

With the feature, the transfer is a mere "two-step handshake between AWS accounts — the source account (either a standard AWS account or an AWS Organizations account) and the transfer account," Aspir explained.

**Abuse of Elastic IP Transfer**

The ease with which EIPs can now be transferred creates an unintentional issue, however — while it certainly facilitates the process of transferring IP for legitimate account owners, it also makes it easier for malicious actors as well, the researchers said.

Researchers described a basic scenario to illustrate how attackers can take advantage of EIP transfer, assuming that attackers already have permissions that allow them to "see" existing EIPs and their status, or whether or not they are associated with other computer resources.

Typically, EIPs are associated, but sometimes an organization keeps dissociated EIP for later use, or as a result of an unmanaged environment that keeps unused resources, the researchers said. "Either way, the attacker only needs to enable the EIP transfer, and the IP address is theirs," Aspir wrote.

Attackers can do this in two ways with the correct permissions: either transfer a dissociated EIP or remove the association of an associated EIP and then transfer it, the researchers said.

For the former, an adversary must have the following action in its attached Identity and Access Management (IAM) policy on AWS: "ec2:DisassociateAddress" action on the elastic IP addresses and the network interfaces that the IP addresses are attached to.

To transfer an EIP, a threat actor must have the following actions in its attached IAM policy: "ec2:DescribeAddresses" on all the IP addresses and "ec2:EnableAddressTransfer" on the EIP address that the attacker wants to transfer, the researchers said.

**Leveraging a Stolen EIP**

There are a wide range of attack scenarios that a threat actor can engage in after successfully transferring someone else's EIP to their own control.

In external firewalls used by the victim, for example, an attacker can communicate with the network endpoints behind the firewalls if there is an allow rule on the specific IP address, the researchers said.

Moreover, in cases in which a victim uses DNS providers such as a Route53 service, there could be DNS records of an "A" type in which the target is the transferred IP address. In this case, an attacker can abuse the address for hosting a malicious Web server under a legitimate victim’s domain, then launch other malicious actions, such as phishing attacks, the researchers said.

Attackers also can use the stolen IP address as C2, using it for malware campaigns that appear legitimate and thus fly under the radar of security defensives. A threat actor can even cause denial of service (DoS) to a victim's public services if they dissociate an EIP from a running endpoint and transfer it, the researchers said.

**Who's at Risk and How to Mitigate It**

Anyone using EIP resources in an AWS account is at risk, and thus must treat the EIP resources like other resources in AWS that are in danger of exfiltration, the researchers advised.

To protect themselves from an EIP transfer attack, Mitiga recommends that enterprises use the principle of least privilege on AWS accounts and even disable the ability to transfer EIP entirely if it's not a necessary feature on their environment.

To do this, an organization can use native AWS IAM features such as service control policies (SCPs), which offer central control over the maximum available permissions for all accounts in an organization, the researchers said, providing an example in their post of how this works.

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

The threat actors behind the Windows banking malware known as Casbaneiro has been attributed as behind a novel Android trojan called BrasDex that has been observed targeting Brazilian users as part of an ongoing multi-platform campaign.
BrasDex features a "complex keylogging system designed to abuse Accessibility Services to extract credentials specifically from a set of Brazilian targeted apps,

Banking Malware / Mobile Security

The threat actors behind the Windows banking malware known as **Casbaneiro** has been attributed as behind a novel Android trojan called **BrasDex** that has been observed targeting Brazilian users as part of an ongoing multi-platform campaign.

BrasDex features a "complex keylogging system designed to abuse Accessibility Services to extract credentials specifically from a set of Brazilian targeted apps, as well as a highly capable Automated Transfer System (ATS) engine," ThreatFabric said in a report published last week.

The Dutch security firm said that the command-and-control (C2) infrastructure used in conjunction with BrasDex is also being used to control Casbaneiro, which is known to strike banks and cryptocurrency services in Brazil and Mexico.

The hybrid Android and Windows malware campaign is estimated to have resulted in thousands of infections to date.

BrasDex, which masquerades as a banking app for Banco Santander, is also emblematic of a new trend that involves abusing Android's Accessibility APIs to log keystrokes entered by the victims, moving away from the traditional method of overlay attacks to steal credentials and other personal data.

It's also engineered to capture account balance information, subsequently using it to take over infected devices and initiate fraudulent transactions in a programmatic manner.

Another notable aspect of BrasDex is its singular focus on the PIX payments platform, which allows banking customers in Brazil to make money transfers simply using their email addresses or phone numbers.

The ATS system in BrasDex is explicitly designed to abuse PIX technology to make fraudulent transfers.

This is not the first time the instant payment ecosystem has been targeted by bad actors. In September 2021, Check Point detailed two Android malware families named PixStealer and MalRhino that tricked users into transferring their entire account balances to an actor-controlled one.

ThreatFabric's investigation into BrasDex also allowed it to gain access to the C2 panel used by the criminal operators to keep track of the infected devices and retrieve data logs exfiltrated from the Android phones.

The C2 panel, as it happens, is also being utilized to keep tabs on a different malware campaign which compromises Windows machines to deploy Casbaneiro, a Delphi-based financial trojan.

This attack chain employs package delivery-themed phishing lures purporting to be from Correios, a state-owned postal service, to dupe recipients into executing the malware following a multi-staged process.

Casbaneiro's features run the typical backdoor gamut that allows it to seize control of banking accounts, take screenshots, perform keylogging, hijack clipboard data, and even function as a clipper malware to hijack crypto transactions.

"Being independent and full-fledged malware families, BrasDex and Casbaneiro form a very dangerous pair, allowing the actor behind them to target both Android and Windows users on a large scale," ThreatFabric said.

"The BrasDex case shows the necessity of fraud detection and prevention mechanisms in place on customers devices: Fraudulent payments made automatically with the help of ATS engines appear legitimate to bank backends and fraud scoring engines, as they are made through the same device that is usually used by customers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware: Cybercriminals Launch New BrasDex Android Trojan Targeting Brazilian Banking Users

Recession fears notwithstanding, cybersecurity skills — both credentialed and noncredentialed — continue to attract higher pay and more job security.

Company executives continue to voice concerns that a recession is likely in 2023, but cybersecurity professionals — along with IT workers and developers with cybersecurity knowledge — appear well-positioned to weather an economic downturn, according to technology-job experts.

Overall, professional certifications have provided declining salary premiums since 2018, but information security certifications continue to command significantly above-average pay premiums, according to an analysis of more than 4,000 employers in the US and Canada by Foote Partners LLC. Cybersecurity-related skills — such as AWS Certified Security, GIAC Certified Incident Handler, and Okta Certified Developer — make up more than half of the "winner" skills, those that have attracted the most pay and have gained the most in market value.

Noncertified security skills — such as cryptography, DevSecOps, and risk analytics — also attract high premiums, says Bill Reynolds, research director at Foote Partners.

"Obviously, security skills and certs are still commanding cash premiums beyond salary at the 4,057 employers \[we surveyed\] in the US and Canada," he says. "That’s a pretty large sample for a survey, so it’s quite meaningful."

**Positioned to Withstand Recession?**

The robustness of the cybersecurity job market comes as company executives continue to worry about a recession in 2023. The vast majority of company executives (83%) expect a recession in 2023 — as do 82% of investors, according to another online survey — and about half of organizations are pre-emptively cutting expenses. In many cases, that means layoffs. In the cybersecurity industry, nearly a score of companies have cut workers in the last three months, according to tracking site Layoffs.fyi.

The fears of a downturn have even affected the valuations of startup companies in the cybersecurity industry.

Because of the difficulty in hiring and retaining knowledgeable cybersecurity workers, however, layoffs will likely come from less-technical groups, leaving knowledgeable cybersecurity workers. In fact, the majority of companies (60%) still planned to increase the head count of their IT departments as of July 2022, according to the _IT Spending and Staffing Benchmarks 2022/2023_ report published by Computer Economics.

"Expected growth is modest, but this is an indication that IT organizations cannot simply rely on increased efficiency from the cloud and virtualization for growth," the report stated. "Some hiring will still need to be done."

**Cybersecurity Skills Fetch a Premium**

Overall, cybersecurity workers remain in demand, with 770,000 positions currently unfilled, compared with a cybersecurity workforce of 1.1 million — a 69% shortfall in workers, according to data from the CyberSeek project. The gap between supply and demand is much greater than the 7.4% for the Businesses and Professional Services industry and the 6.9% gap in the Information sector, according to the US Bureau of Labor Statistics.

Workers with specific cybersecurity skills will continue to see opportunities, according to Foote Partners 2022 Tech Compensation Survey Reports. Ten of the 17 skills listed on the firm's IT Winners list, which includes skills that command an above-average premium and which have seen those premiums accelerate in the past few months, are security-related. The same criteria for noncertified IT skills show that 10 of 39 are security-related.

GIAC Certified Forensics Analyst (GCFA), InfoSys Security Engineering Professional, and Okta Certified Developers each have an average pay premium of 12% over base pay, according to Foote's data. For noncertification-based skills, security auditing, cryptography, and identity and access management each had an 18% premium over base pay.

What else is important? Soft skills, says Foote's Reynolds. A worker's ability to collaborate, deal with stress, manage time, have passion for the work, ability to listen, and include others all matter a great deal, he says.

These are "things that have nothing to do with certifications and this appears to be gaining in importance," he says.

**Avoid "Alphabet Soup" of Certifications**

Workers should take care to not collect certifications, as hiring managers and recruiters are wary of an alphabet soup of certifications on applicants' resumes, according to a recent Axios brief.

Foote's Reynolds agrees. Just because workers with a particular certificate get a pay premium isn't the right reason to get the certificate.

"It's like the argument of whether a college degree is mandatory for job consideration," he says. "Just because you have a college degree doesn't mean you're qualified for a particular job. It's more about what you've done with that college degree on the job. Tangible, measurable experience matters a lot."

Security Skills Command Premiums in Tight Market

A vulnerability, which was classified as problematic, was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This affects an unknown part. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216273 was assigned to this vulnerability.

CVE-2022-4611

Risk is no longer a single entity, but rather an interconnected web of resources, assets, and users.

Within the first few hours of the FTX implosion, investors and crypto bulls were working through the Kübler-Ross model's five stages of grief: denial, anger, bargaining, depression, and acceptance. As more details came out about the inner workings of FTX, I realized that truth really is stranger than fiction.

The 30-year-old founder of FTX, Sam Bankman-Fried, was known simply as SBF — a single moniker that put him in the company of Madonna or LeBron. His firm seemingly came out of nowhere to establish itself as the de facto standard for crypto exchanges. The firm and the founder were surrounded by all the trappings of success and legitimacy — a fawning press, famous and powerful friends, and sycophantic politicians.

Who would ever suspect fraud with such a veneer of respectability? The obvious comparison was Theranos and its CEO, Elizabeth Holmes. When stories emerged that FTX's potential losses totaled $50 billion, comparisons to another fraudster — Bernie Madoff — emerged.

However, there is one huge difference between SBF and Madoff: Madoff was a singular figure orchestrating a massive Ponzi scheme. The funds that came to Madoff didn't go into other investments. In fact, they didn’t go into any investments. They were used to keep existing clients happy while new clients were brought in. All of the risk for Madoff clients was represented in Madoff himself.

In the case of FTX, SBF lent Alameda Capital — the firm's in-house investing arm — more than $8 billion in client funds. It is patently illegal to mix client funds in an exchange with outside investments. Most shocking of all is what SBF and Alameda were doing with that money. They thew the money into more than 400 different investments in the emerging crypto market, from failing exchanges to worthless coins. Investors who parked their money, and their crypto, at the FTX exchange had no idea the risks they were facing.

**Know Your Attack Surface**

The threat surface for FTX clients wasn't just about protecting their FTX passwords or hoping the exchange wouldn't get hacked like the Mt. Gox bitcoin exchange and so many others did. Instead, their portfolios were at risk of implosions over assets and investments they had never heard of.

That is the definition of risk: having your hard-earned money and investments merged with a toxic mix of super-risky sludge. That’s a helpless place to be.

After more than 20 years in cybersecurity, it is difficult not to think about risk exposure and threat management in a case like this. Security teams are dealing with something much more akin to SBF than Madoff. There is no singular threat facing an enterprise today. Instead, it is a constellation of assets, devices, data, clouds, applications, vulnerabilities, attacks, and defenses.

Security teams' biggest weakness is that they are being asked to secure what they can neither see nor control. Where is our critical data? Who is accessing it, and who needs access? Every day in cybersecurity, the landscape of what needs to be protected changes. Applications are updated. Data is stored or in transit among multiple clouds. Users change. Every day represents new challenges.

Security starts with visibility. That’s why discovery is all the rage these days. From the cloud to data to external assets, security teams are digging into discovery tools that help them understand exactly what they have to secure, where it is, and who is accessing it. There is an urgent need to understand the connections among users, partners, devices, and applications. The FTX crypto investment scenario I've described could just as easily be interconnected enterprise resources, and internal and external users.

I feel terrible for anyone caught up in this FTX mess. For cybersecurity professionals, it is yet another reminder that it is not just the resources and employees of your organization that impact security; it is a web of connections that grows every day. We live in the age of discovery for a reason.

Rethinking Risk After the FTX Debacle

A vulnerability, which was classified as problematic, was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. Affected is an unknown function of the component URL Field Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-216246 is the identifier assigned to this vulnerability.

%PDF-1.7 %���� 1 0 obj <>/Metadata 2302 0 R/ViewerPreferences 2303 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 594.96 842.04\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��Y�n#7��?�(0�ŝ�р6��XA0�Aq4��G9��S�EK�7����b7��z|�z$�d��{��~ڑ��d�ۭ����A�&��n�}�����k�<��\_�ֻ��\[����;\_u���6�iJf�9�{<2�Z.��U�pM��}3��y����V�Qrđ���� e3E-Y��ŇG\`����?�G(?�G\_o�gx-�Z�%����od��x�DG�B0� &\`�j~��!��O�U�ɧ�|��{�;�Z���rL���hW� 9ȉFN�>㠯CYu(9U��HZR�;'���%�ۨ>X�v�$0H̋�(���Ż�֠��5R�!Q#��x�~ �'�ۨ>j�v��#�7X���$���y5���#(�+��~N���X��8�T\]�@mV����� ㄩ&q�vW ' �z�K���U���jL ��e�/�4��&�/C�ٗ�^8���bzZ�O�A���;�8\\௚�q�����$�� ϠB�s�u�fP���QI�� ĚV�~��"����o��'�xP�\*!}�Z�~�״��"ے�5iv�/�:F{lδ�tԱ)L����v{��jf+�\\ne��Z��k���4����ٺ(��ۚM� $���d7 ��yE�&I���~~� �p� ���Od^#$�E��� �p\_��0$Fсhk}^���>djT| J���\\0ǆ��k�a֟�B���@��~�g��Dbe"I|iU�U�#���J�A�\_\\w�f'����3�H�˫�4�#�����|@��WX��;Pb5kap���|sɨ����R��u��+,�LAb�t����|�S�T������8���v�~���i圁��n����t� �E ha ��<Q��&C�xu LM����9�&�^\];7�����:����|�+I����� e\_E'�d�|�u�|uұ� ������Ǣu�n5���̑�C�6\]u�Z��QhNe?� :������RSy&K>/��^c.�a\\j��3��9�3�Y�N��<+}�Ϭ�K����Wc�OQ?���0p��Mk��>��)X+ 8d���@�O�:�Aw���&��qK����R��ѓ����u���,����?�,� endstream endobj 5 0 obj <> endobj 6 0 obj \[ 7 0 R\] endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <> endobj 10 0 obj <> endobj 11 0 obj <> endobj 12 0 obj <> endobj 13 0 obj <> endobj 14 0 obj <> endobj 15 0 obj \[ 16 0 R\] endobj 16 0 obj <> endobj 17 0 obj <> endobj 18 0 obj <> endobj 19 0 obj <> endobj 20 0 obj <> endobj 21 0 obj <> endobj 22 0 obj <> endobj 23 0 obj <> endobj 24 0 obj \[ 25 0 R\] endobj 25 0 obj <> endobj 26 0 obj <> endobj 27 0 obj <> endobj 28 0 obj <> endobj 29 0 obj <> endobj 30 0 obj <> endobj 31 0 obj <> endobj 32 0 obj <> endobj 33 0 obj \[ 34 0 R\] endobj 34 0 obj <> endobj 35 0 obj <> endobj 36 0 obj <> endobj 37 0 obj <> endobj 38 0 obj <> endobj 39 0 obj <> stream x�흽RI�%�h! �Ȇ�J���ȡ,2�,8��En�MH�8XR�9\\����;0w\`�k��O���鞞�ާ��0+�i�\_�s�g:��S�|~�P�\[,:Ή�Ү�ν�o~\]����C��\_��/W}��c��\[��ݝ��v�SI\_ !$�(��\\@7�!���� �����>(�k%�$��"�7 ����!8�t7B"g}���)~� hpQ�:� B�� l.W��E&��=$b���i�I�4\*qI���?��ofNmF�ʿ��KBH\*�IO��J��뇎��������}��1�j�J��CH�F>�%>\\y'$)"�o����+����;�ōB���xC�~�TBË����󢋾p�B�$ ���@+�b���K%�Ex�Y^��P��v5k���Rs� ����)|>jQ�X�!$",�R!�A���M��Pddp&�}��Ρ�b�Dx�I�ڌbK��:����B1d�r�?v���(J�>\[CK|�b�❻2��.��r�~\_��̹fBi I�Œ�>ұY o�A��1��=3����L� '3�3H���\[�X�b� '��3���0�!d,�A�<� �X�Q���<{��%�V�Ev��D��gp͕��Q5��G�������4~��u��Z ��=9�޼�\`&>7��G�3�8e�d��ꚕ�� >S�̔�I�e�;\_歌#�b7��챿��X1� �s���8�I7SPvH�x��}5C�$��4e�V�(;$3 ?ҽ��A�.�.�N�P���PvH60(�0�1F��������);$lKZ���\_�(��z�Y�

Tag

#ios