Hackers cleverly cobbled together a suite of open source software — including a novel RAT — and hijacked servers owned by ordinary businesses.

We imagine that the world’s most successful hackers write their own dangerous code and invest heavily in the technologies they use to breach their targets. In recent months, however, a new cluster of attacks succeeded with just the opposite approach.

According to a report out Jan. 24 from SentinelOne, a threat actor compromised a number of organizations across China and Taiwan by creating a Frankenstein's monster-style composite of preexisting open source components. Among them: multiple tools for escalating user privileges in Windows machines, and for establishing persistence and allowing remote code execution.

In addition to adopting other hackers' code, the attackers freely adopted other organizations' infrastructure, too. In staging their malware, the hackers puppeteered servers located in China, Hong Kong, Singapore, and Taiwan, many of which were hosted by perfectly ordinary businesses, including an art gallery, a retailer for baby products, and companies in the gaming and gambling industries.

Researchers from SentinelOne named the campaign "DragonSpark" — a portmanteau referencing the attackers' Chinese-language links, and "SparkRAT," an open source remote access Trojan (RAT) never seen in the wild until now.

**An Open Source Party**

To gain initial access to their targets, the DragonSpark attackers sought out Internet-exposed Web servers and MySQL database servers. Then, with a foot in the door, they began deploying open source malware.

"Open source tools and existing infrastructure are very practical to threat actors," Aleksandar Milenkoski, senior threat researcher at SentinelOne, tells Dark Reading. This is especially true of "actors involved in cybercrime activities without many resources and in-depth technical readiness to develop their own tool set and setup an intricate infrastructure, but aiming for large-scale, opportunistic attacks at the same time."

The DragonSpark attackers carried out their opportunistic attacks with programs like SharpToken and BadPotato, which enable the execution of commands at the level of the Windows operating system. SharpToken also provides visibility to user and process information; it allows a user to freely add, delete, or modify passwords of system users. BadPotato, the researchers noted, had been previously used by other Chinese threat actors in an espionage campaign.

Next in the arsenal was GotoHTTP, which facilitates persistence, file transfer, and remote screen viewing. But the most notable malware of all was SparkRAT — "a very recent development on the threat landscape," Milenkoski noted. DragonSpark represents "the first concrete observation of threat actors using SparkRAT as part of larger campaigns."

Released in its current version on Nov. 1, 2022, SparkRAT is a jack of all trades. It's compatible with not only Windows but also Linux and macOS systems. Its most notable features are as follows, as the researchers outlined:

*   _**"Command execution:** including execution of arbitrary Windows system and PowerShell commands;_
*   _**System manipulation:** including system shutdown, restart, hibernation, and suspension;_
*   _**File and process manipulation:** including process termination as well as file upload, download, and deletion; and_
*   _**Information theft:** including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration."_

SparkRAT, SharpToken, Bad Potato, and GotoHTTP are all freely available to download online. As open-source tools, their use also makes attribution more difficult.

**Links to China**

All of the targets of DragonSpark were organizations based in East Asia. Many of them "have a large customer base," Milenkoski observes, "leading to the belief that the threat actors may be targeting customer data." Whether the motive was cybercrime or espionage was not determined.

Though unable to attribute anyone specific, the researchers considered it "highly likely" that the DragonSpark attackers were Chinese speakers. That is, in part, explained by the fact that most of their infrastructure and targets were located in East Asia. Additionally, the Web shell they used to deploy their malware — a well-known tool called China Chopper — and all of the open source tools described above were originally developed by Chinese-speaking developers and vendors.

This is consistent with recent activity in the world of Chinese threat actors. An alert published last summer by the Cybersecurity and Infrastructure Security Agency (CISA) highlighted how state-sponsored APTs from the People's Republic "often mix their customized toolset with publicly available tools."

All signs point to more of these kinds of attacks going forward. SparkRAT in particular, though nascent to the scene, "is regularly updated with new features," the SentinelOne researchers noted, adding that "the RAT will remain attractive to cybercriminals and other threat actors in the future."

'DragonSpark' Malware: East Asian Cyberattackers Create an OSS Frankenstein

The t2'23 Call For Papers has been announced. It will take place May 4th through the 5th, 2023 in Helsinki, Finland.

    Call For Papers 2023Tired of your bosses suspecting conference trips to exotic locations being just a ploy to partake in Security Vacation Club? Prove them wrong by coming to Helsinki, Finland on May 4-5 2023! Guaranteed lack of sunburn, good potential for rain or slush. In case of great spring weather, though, no money back.CFP and registration both open. Read further if still unsure.Maui, Miami, Las Vegas, Tel Aviv or Wellington feel so much sunnier once you’ve experienced the lack of infinity pools in Northern Europe. Instead of pools and palms trees, we can offer you actual saunas and a high tech environment, which is a weird combination of demoscene, widespread Linux adoption, mobile Internet with uncapped flat rate data and a long history of IRC and imageboards.What defines a conference? For t2 it has always been that intimate welcoming atmosphere of a small event, which makes both audience and speakers approachable. There are enough regulars to create the feeling of a community, but not too many that a first-comer would feel being left out. On the content side, we have always been and always will be a technical security conference, emphasizing the cutting edge, world class research. This is an event for the community. Our focus[1] is on technical excellence, not politics or player hating.t2’23 offers you an audience with a taste for technical security presentations containing original content. This is your chance to showcase the latest research and lessons in EDR simulation and healthcheck spoofing, hardware insecurity, inferring information from interference, cloud-scale forensics or persistance automation, new vulnerability classes, AI exploitation, virtual machines inside parsers, elegant exploitation of old vulnerability classes, modern defense, dropping zero days during presentations, state of the art memory corruption mitigation bypasses, evasions, safe cracking, satellite and space security, remote vehicle access, or whatever research lights up the eyes of seasoned conference visitors. For the hackers by the hackers.The advisory board will be reviewing submissions until 2023-03-17. Slide deck submission final deadline 2023-04-20 for accepted talks.First come, first served. Submissions will not be returned.Quick facts for speakers+ presentation length 60-120 minutes, in English+ complimentary travel and accommodation for one person[6]+ decent speaker hospitality benefits+ no marketing or product propagandaStill not sure if this is for you? Check out the blast from the past[2].The total amount of attendees, including speakers and organizers is limited to 99. Advisory Board recognize[3] the OG Finnish sauna culture is an acquired taste and can promise the lack of sweaty, partially or fully nude sauna-goers at all conference functions.[0] hunter2[1] https://t2.fi/about/eula/[2] https://t2.fi/schedules/[3] https://youtu.be/Oj8JBBAM5jY?t=40[6] except literally @nudehaberdasher and @0xcharlieHow to submitFill out the form at https://if.t2.fi/action/cfpHow to registerBuy your ticket at https://t2.fi/registration/

t2'23 Call For Papers

Ubuntu Security Notice 5822-1 - It was discovered that Samba incorrectly handled the bad password count logic. A remote attacker could possibly use this issue to bypass bad passwords lockouts. This issue was only addressed in Ubuntu 22.10. Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5822-1  
January 24, 2023

samba vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Samba.

Software Description:  
- samba: SMB/CIFS file, print, and login server for Unix

Details:

It was discovered that Samba incorrectly handled the bad password count  
logic. A remote attacker could possibly use this issue to bypass bad  
passwords lockouts. This issue was only addressed in Ubuntu 22.10.  
(CVE-2021-20251)

Evgeny Legerov discovered that Samba incorrectly handled buffers in  
certain GSSAPI routines of Heimdal. A remote attacker could possibly use  
this issue to cause Samba to crash, resulting in a denial of service.  
(CVE-2022-3437)

Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos  
keys. A remote attacker could possibly use this issue to elevate  
privileges. (CVE-2022-37966, CVE-2022-37967)

It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure  
Channel. A remote attacker could possibly use this issue to elevate  
privileges. (CVE-2022-38023)

Greg Hudson discovered that Samba incorrectly handled PAC parsing. On  
32-bit systems, a remote attacker could use this issue to escalate  
privileges, or possibly execute arbitrary code. (CVE-2022-42898)

Joseph Sutton discovered that Samba could be forced to issue rc4-hmac  
encrypted Kerberos tickets. A remote attacker could possibly use this issue  
to escalate privileges. This issue only affected Ubuntu 20.04 LTS and  
Ubuntu 22.04 LTS. (CVE-2022-45141)

WARNING: The fixes included in these updates introduce several important  
behavior changes which may cause compatibility problems interacting with  
systems still expecting the former behavior. Please see the following  
upstream advisories for more information:

https://www.samba.org/samba/security/CVE-2022-37966.html  
https://www.samba.org/samba/security/CVE-2022-37967.html  
https://www.samba.org/samba/security/CVE-2022-38023.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   samba                           2:4.16.8+dfsg-0ubuntu1

Ubuntu 22.04 LTS:  
   samba                           2:4.15.13+dfsg-0ubuntu1

Ubuntu 20.04 LTS:  
   samba                           2:4.13.17~dfsg-0ubuntu1.20.04.4

This update uses a new upstream release, which includes additional bug  
fixes. In general, a standard system update will make all the necessary  
changes.

References:  
   https://ubuntu.com/security/notices/USN-5822-1  
   CVE-2021-20251, CVE-2022-3437, CVE-2022-37966, CVE-2022-37967,  
   CVE-2022-38023, CVE-2022-42898, CVE-2022-45141

Package Information:  
   https://launchpad.net/ubuntu/+source/samba/2:4.16.8+dfsg-0ubuntu1  
   https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1  
   https://launchpad.net/ubuntu/+source/samba/2:4.13.17~dfsg-0ubuntu1.20.04.4

Ubuntu Security Notice USN-5822-1

Apple Security Advisory 2023-01-23-8 - Safari 16.3 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-01-23-8 Safari 16.3Safari 16.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213600.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved checks.WebKit Bugzilla: 245464CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, JimingWang, JiKai Ren and Hang Shu of Institute of Computing Technology,Chinese Academy of SciencesWebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 248268CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEWebKit Bugzilla: 248268CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEAdditional recognitionWebKitWe would like to acknowledge Eliya Stein of Confiant for theirassistance.Safari 16.3 may be obtained from the Mac App Store.All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPImAACgkQ4RjMIDkeNxmOtA/8C2w5NPXlcGH2m1GpCgxiEDQ/SreXYbyKbflivbXDwE1L+XAzTMhRIHF5KjcqvjaoBh4oHN7IfQNq12/YE3+RMDF03J0sTefTT7SeLjN0wKM92jcqFWSGsLNIUrsO3+jP89/2Di4IY3E07mu7iiZzgi8zGUPoMOxqJK8zpfYFXVe5LVyOfI3ETe2RnjH7et/tvW4KgVGyS4+tVHvC6Dts7efEKC10vgc4xdlWH69OHqUYT2eP7bX909MKt8qnl5YW/W155rKWeZrngRP5gbwAWv6+Q5Jh6X/TZYi1S/5HEgBSUdn/8Cto9A2v5FLZJLtYdoO137FqFMxH8ePWGGaL2JOVkeVYRZgkBnqZWMw4CUFgA6zW8i20e/aYk1IaJsQzgrXzYEDjoXIq1MXgO5egY6pQNIyKtutRSpskWhoOFRXjKHLna0W1R+l6YvfIpprHPlOae7koSwJJqQbq/XvD3XECtrf0xGqFiD5ntCNysFcy5hAEoswVpzkz8368C6OU/bwOuryTlrImLDEsgJBozJk6CGhNgFMg81xzCMt7SzOqTR7u50P3VOki9wt38tejRZyWTJiy3Tke/WlxrN0xl6vnBPsfDX7EW8+xC17mFAJlpnxy3f5Z1mdQq6mG51oZtFSgQR1cKUek/fnKpBNiauEk7A+Amm0nfzlpBT+4rKw=YCs8-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-8

Apple Security Advisory 2023-01-23-6 - macOS Big Sur 11.7.3 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3

macOS Big Sur 11.7.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213603.

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Big Sur  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.85.0.  
CVE-2022-35252

dcerpc  
Available for: macOS Big Sur  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Screen Time  
Available for: macOS Big Sur  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

WebKit  
Available for: macOS Big Sur  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Windows Installer  
Available for: macOS Big Sur  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

macOS Big Sur 11.7.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
NxmcTxAA5RgSSuSbRaEzLzDYMXICkEWJLRFDxirCePXlty57qxD+Edl/f7rZhvxx  
nt5f0TTSVV2D4j+bb1MC/qFgINJ2SV31UY3nQXg+k85QeCyjEMXQDgIk5QBJd40E  
gcPXFOQULvHJAhyKAvNexGqyRTUk4GqifPZNwXFxKC/tsPahr/Bh6OP+l7CkhG7Y  
XiDuKLpL7ssAMl6sf7Lg5H114P/6pPwKM949mYzUz+0CH6uXQ7oWSx/KirbR3HD8  
W3FQY/iS3hzG6EALUbFWKjxXPHRv/59TQElizLVqfxLQCjSokxyDiW5OehMeefQs  
8dFDCMbpbQFC0RBVFVCS3fzhCNu24LfihyUmz9//Azguv3HJhbuZ/kz70JhsLW9F  
6mGlbXA/w2rAWXpJ2fRsHSqpZw9jiX1FlfUH+h3T8cmtnfZDduV0AEvCIK8Zp/nq  
S6+sZ3i5VtQyUGZc3FKTQVTeMPrXhyLCXlfiCXMfo04P11AJNxOqSHgBH43N8pNp  
drRKydDb+u8QpxUzuaxbyn2dgoEaxwRke6jspkPFPZ/ipj8eNLIn2FqQx8CGXCDL  
2k/+/a4M/zsGcr39kuGjcXNba6YbXnA8HwWqmKeMwQ+3VTMwf6C2x0h6OBQGIGcv  
MyrKHkVVE9KyPk9AULiw4BJYX7MMBmSbpf2OEDP3d06d6e1ljv8=  
=hYz5  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-6

Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3

macOS Monterey 12.6.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213604.

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Monterey  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.86.0.  
CVE-2022-42915  
CVE-2022-42916  
CVE-2022-32221  
CVE-2022-35260

curl  
Available for: macOS Monterey  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.85.0.  
CVE-2022-35252

dcerpc  
Available for: macOS Monterey  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

DiskArbitration  
Available for: macOS Monterey  
Impact: An encrypted volume may be unmounted and remounted by a  
different user without prompting for the password  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)

DriverKit  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32915: Tommy Muir (@Muirey03)

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-23507: an anonymous researcher

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Screen Time  
Available for: macOS Monterey  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Regula of SecuRing (wojciechregula.blog)

Weather  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Windows Installer  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

Additional recognition

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

macOS Monterey 12.6.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
NxlXeg/+JwvCu4zHuDTptxkKw1gxht0hTTVJvNjgNWj2XFtnOz9kCIupGj/xPTMl  
P9vABQWRbpEJfCJE31FbUcxRCMcr/jm8dDb1ocx4qsGLlY5iGLQ/M1G6OLxQVajg  
gGaCSMjW9Zk7l7sXztKj4XcirsB3ft9tiRJwgPUE0znaT70970usFdg+q95CzODm  
DHVoa5VNLi0zA4178CIiq4WayAZe90cRYYQQ1+Okjhab/U/blfGgEPhA/rrdjQ85  
J4NKTXyGBIWl+Ix4HpLikYpnwm/TKyYiY+MogZ6xUmFwnUgXkPCc4gYdPANQk064  
KNjy90yq3Os9IBjfDpw+Pqs6I3GMZ0oNYUKWO+45/0NVp5/qjDFt5K7ZS+Xz5Py7  
YrodbwaYiESzsdfLja9ILf8X7taDLHxxfHEvWcXnhcMD1XNKU6mpsb8SOLicWYzp  
8maZarjhzQl3dQi4Kz3vQk0hKHTIE6/04fRdDpqhM9WXljayLLO7bsryW8u98Y/b  
fR3BXgfsll+QjdLDeW3nfuY+q2JsW0a2lhJZnxuRQPC+wUGDoCY7vcCbv8zkx0oo  
y1w8VDBdUjj7vyVSAqoZNlpgl1ebKgciVhTvrgTsyVxuOA94VzDCeI5/6RkjDAJ+  
WL2Em8qc4aqXvGEwimKdNkETbyqIRcNVXWhXLVGLsmHvDViVjGQ=  
=BbMS  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-5

Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-4 macOS Ventura 13.2

macOS Ventura 13.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213605.

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.86.0.  
CVE-2022-42915  
CVE-2022-42916  
CVE-2022-32221  
CVE-2022-35260

dcerpc  
Available for: macOS Ventura  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

DiskArbitration  
Available for: macOS Ventura  
Impact: An encrypted volume may be unmounted and remounted by a  
different user without prompting for the password  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-23507: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23506: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Mail Drafts  
Available for: macOS Ventura  
Impact: The quoted original message may be selected from the wrong  
email when forwarding an email from an Exchange account  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23498: an anonymous researcher

Maps  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: An app may be able to access a user’s Safari history  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23510: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Safari  
Available for: macOS Ventura  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Screen Time  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

Vim  
Available for: macOS Ventura  
Impact: Multiple issues in Vim  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-3705

Weather  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Wi-Fi  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23501: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Windows Installer  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

Additional recognition

Bluetooth  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

Shortcuts  
We would like to acknowledge Baibhav Anand Jha from ReconWithMe and  
Cristian Dinca of Tudor Vianu National High School of Computer  
Science, Romania for their assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

macOS Ventura 13.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
Nxnt7RAA2a0c/Ij93MfR8eiNMkIHVnr+wL+4rckVmHvs85dSHNBqQ8+kYpAs2tEk  
7CVZoxAGg8LqVa6ZmBbAp5ZJGi2nV8LjOYzaWw/66d648QC2upTWJ93sWmZ7LlLb  
m9pcLfBsdAFPmVa8VJO0fxJGkxsCP0cQiBl+f9R4ObZBBiScbHUckSmHa6Qn/Q2U  
VsnHnJznAlDHMXiaV3O1zKBeahkqSx/IfO04qmk8oMWh89hI53S551Z3NEx63zgd  
Cx8JENj2NpFlgmZ0w0Tz5ZZ3LT4Ok28ns8N762JLE2nbTfEl7rM+bjUfWg4yJ1Rp  
TCEelbLKfUjlrh2N1fe0XWBs9br/069QlhTBBVd/qAbUBxkS/UOlWk3Vp+TI0bkK  
rrXouRijzRmBBK93jfWxhyd27avqQHmc04ofjY/lNYOCcGMrr813cGKNs90aRfcg  
joKeC51mYJnlTyMB0nDcJx3b5+MN+Ij7Sa04B9dbH162YFxp4LsaavmR0MooN1T9  
3XrXEQ71a3pvdoF1ffW9Mz7vaqhBkffnzQwWU5zY2RwDTjFyHdNyI/1JkVzYmAxq  
QR4uA5gCDYYk/3rzlrVot+ezHX525clTHsvEYhIfu+i1HCxqdpvfaHbn2m+i1QtU  
/Lzz2mySt3y0akZ2rHwPfBZ8UFfvaauyhZ3EhSP3ikGs9DOsv1w=  
=pcJ4  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-4

The company will block the configuration files, which interact with Web applications — since threat actors increasingly use the capability to install malicious code.

Microsoft plans to add a feature to Office Excel that will make it harder for cyberattackers to exploit the spreadsheet application's "add-ins" function to run malicious code on a victim's computer.

And while it's a welcome development, Microsoft's countermeasure is just the latest go-around in the cat-and-mouse game going on between major software makers and cyberattackers, researchers say.

**Microsoft Takes Aim at XLLs **

In an update to its Microsoft 365 road map last week, the company stated that it is currently "implementing measures to block XLL \[add-in files\] coming from the internet," with a goal to have the feature in general availability sometime in March. 

Excel add-in files are designated with the XLL file extension. They provide a way to use third-party tools and functions in Microsoft Excel that aren't natively part of the software; they're similar to dynamic link libraries (DLLs) but with specific features for Excel spreadsheets. For cyberattackers, they offer a way to read and write data within spreadsheets, add custom functions, and interact with Excel objects across platforms, Vanja Svajcer, a researcher with Cisco's Talos group, said in a December analysis.

And indeed, attackers started experimenting with XLLs in 2017, with more widespread usage coming after the technique became part of common malware frameworks, such as Dridex. The add-in functionality has become increasingly popular with attackers since then; in fact, according to an Arctic Wolf report from early 2022, the use of XLL files increased nearly 600% in 2021.

One of the reasons for that is because Microsoft Office does not block the feature but raises a dialogue box instead, a common approach that Microsoft has taken in the past, Svajcer wrote: "Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning."

That could be an issue even after blocking is in place, Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading.

"Unfortunately, it's unclear at this point whether it's just going to be a warning that users can easily click through, a more proactive 'off by default' setting, or whether they are going to disable it entirely for XLL files downloaded from the Internet," he notes.

**Staying Ahead of the Cyberattackers?**

For more than two decades, cybersecurity firms have sought to strip out potential avenues for malicious scripts in common files types — such as Office formats or PDF files — but attackers have always adapted. 

For instance, Visual Basic for Applications (VBA) and Excel 4.0 macros both became so popular over the past five years for malware delivery that Microsoft blocked Office macros by default in the summer of 2022, disallowing macros from running when they have been assigned a Mark of the Web (MotW) tag, which indicates that the document came from the Internet.

Following that decision, threat actors began incorporating Shell Link (LNK) files as payloads for a number of malware families, with their use peaking in October with a spike in usage by the operators behind Qakbot, according to an analysis this week by researchers in Cisco's Talos intelligence group.

And LNK files aren't the only file type that's becoming a more popular way to hide malicious code in the wake of blocking macros. In the third quarter of 2022, for example, zip archives and HTML files became the most common file types for malware delivery, with 44% of malware files hidden in archives, according to the third quarter "HP Wolf Security Threat Insights Report." 

Even if these alternative approaches are not as efficient or powerful, attackers will have to adopt them to continue to successfully compromise victim's systems, because companies are hardening their products against more common attack techniques, Dave Storie, an adversarial collaboration engineer at cybersecurity-services firm Lares Consulting, said in a statement sent to Dark Reading.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," he said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Microsoft to Block Excel Add-ins to Stop Office Exploits

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-4144: QEMU: QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read


RHSA-2023:0432: Red Hat Security Advisory: virt:rhel and virt-devel:rhel security and bug fix update

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

IoT vendors are making slow progress in making it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy.

The figure, based on the latest annual report from the IoT Security Foundation (IoTSF), compares to the 9.7% of IoT (Internet of Things) vendors that were reported to have a disclosure policy in the 2018 edition of the same study.

BACKGROUND IoT Security Foundation launches vulnerability disclosure platform for smart device vendors

Vulnerability management ought to be a cornerstone of connected product security, widely recommended in 30 cybersecurity guidance initiatives including the IoTSF’s IoT Security Assurance Framework.

Straightforward reporting of security issues is essential for security lifecycle maintenance, and vendors risk falling foul of newly enacted UK regulations if they ignore best practice mandates.

The UK’s Product Security and Telecoms Infrastructure – which became law in early December 2022 – requires that IoT manufacturers, importers, and distributors offer a vulnerability disclosure policy, with suppliers who breach this risking potential sanctions including penalties of up to £20,000 per day in the most severe cases.

Catch up on the latest vulnerability disclosure policy news

The IoTSF’s latest study was based on a review of practice of 332 companies who sell consumer-focused IoT products. The review, carried out by mobile and IoT security consultancy Copper Horse, covered security practices tied to a range of products ranging from tablets and routers to smart home lighting controls and smart speakers.

Vendors from Asia tended to be better at establishing vulnerability disclosure programs, with European suppliers trailing significantly behind (34.7% versus 14.5%, respectively).

Laurie Mercer, senior manager of security engineering at HackerOne, said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle.

“It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice.”

**Increased regulation**

Lawmakers across the world are looking to introduce regulations in order to push IoT vendors into making their products more secure. For example in the US lawmakers have established the IoT Cybersecurity Improvement Act (2020).

The draft European Cyber Resilience Act covers similar ground.

David Rogers, CEO of Copper Horse, told The Daily Swig: “The trend is towards mandating it – which makes you wonder again, why aren’t companies realising this? The writing is on the wall!”

Rogers added: “Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

During the study, researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘secuity.txt’ files and a small decline in PGP key usage for secure submissions.

Other trends uncovered were an increase in the number of vendors that updated their policies and a rise in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

**Best practice**

It’s not all doom and gloom, however, as the report did highlight examples of good practice by some vendors.

Rogers explained: “Some companies and industries are starting to act in a much better way – there are some examples in the car industry such as Volkswagen Group where they have completely transformed their approach, in a positive way.

“I think these companies can set a good example to their peers in showing that you can work with the security research community without all the brinksmanship.”

Vendors would do well to have a safe harbor policy, a legal framework that allows ethical hackers to look for flaws in systems with risking legal threats or potential prosecution. LG, for example, operates a safe harbor policy for its IoT products.

Looking more broadly, the IoTSF report commends 34 vendors that “meet or exceed what will be required by legislation” based on a review of their policies by security researchers from Copper Horse. Firms listed include Bosch, BT, Canon, Huawei, LG, Logitech, Microsoft, Peloton, Samsung, and Wink.

YOU MAY ALSO LIKE WAGO fixes config export flaw threatening data leak from industrial devices

Tag

#mac