An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.8. The event logging of the ASQ sofbus lacbus plugin triggers the dereferencing of a NULL pointer, leading to a crash of SNS. An attacker could exploit this vulnerability via forged sofbus lacbus traffic to cause a firmware crash.

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2022-015

CVE-2022-30279

02/09/2022

medium

v1

**Vulnerability details**

The event logging of the ASQ sofbus lacbus plugin could lead to the dereferencing of a null pointer leading to the crash of SNS.

**Impacted products**

Products

Severity

Detail

Stormshield Network Security

medium

SNS is impacted

**Revisions**

Version

Date

Description

v1

 05/12/2022

Initial release

**Stormshield Network Security**

**CVSS v3.1 Overall Score: 6.2      **

**Analysis**

**Impacted version**

An attacker could exploit this vulnerability via forged sofbus lacbus traffic to cause a firmware crash.

*   SNS 4.3.3 to 4.3.7

**Workaround solution**

**Solution**

Disable sofbus lacbus ASQ plugin.  
Or disable the “log by request” option in the plugin configuration (Token Log=0 in ConfigFiles/Protocols/Modbus/0x).

The 4.3.8 update will fix this vulnerability.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Network

High

Low

None

Unchanged

None

None

High

CVSS Base score: 5.3

CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Exploit Code Maturity

Remediation Level

Report Confidence

Unproven that exploit exists

Official fix

Confirmed

CVSS Temporal score: 4.6

CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

High

High

High

CVSS Environmental score: 6.2

CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

CVE-2022-30279: SNS: ASQ sofbus lacbus plugin null pointer dereferencing

By understanding how FaaS works and following best practices to prevent it, your business can protect its customers, revenue, and brand reputation.

The pandemic pivot to digital banking, shopping, and other services was an important health measure, but it created opportunities for organized fraudsters to grow their "business" and expand their offerings to include fraud-as-a-service (FaaS). FaaS takes several forms, all with the goal of making it easier for both experienced and novice criminals to commit fraud. Here's what merchants need to know about this trend and how to prevent FaaS attacks.  

**How Fraud-as-a-Service Works  
**There are two main components to FaaS: bots and brand impersonation. Neither tactic is entirely new. Fraudsters have been using bots for card-testing attacks for years, and brand impersonation is a classic scheme for phishing credentials and payment data.

Now, though, fraud "service providers" are going farther. Criminals can rent bot networks inexpensively to launch large-scale fraud campaigns against websites and to phish victims. However, two-factor authentication (2FA) can prevent thieves from breaking into accounts even with stolen data. SIM-swapping is one option for getting around 2FA, but it's time consuming and requires planning. So, criminals now offer OTP (one-time password) bot services. Fraudsters can plug in victims' names and financial institutions or favorite stores, and the bot handles the rest – phishing the victim for their one-time password so fraudsters can take over the related account – all for as little as 15 cents per bot call.  

**Detecting and Preventing Fraud-as-a-Service Attacks  
**The best practices that protect businesses from fraud are more important than ever . This is a good time to make sure your organization's anti-fraud program includes these elements:

**1\. Limit data entry attempts and velocity:** One of the telltale signs of a bot attack is the speed at which it moves. Bots can load up carts, check out, and place orders much faster than humans can. They can also repeatedly enter different passwords and one-time codes until they hit a match.

If your website allows customers to make unlimited attempts to enter their data correctly, setting a limit on the number of attempts before they're locked out can protect your store from bots. Likewise, flagging orders for velocity can help to separate busy shoppers who are reordering familiar items from botnets that are programmed to scoop up as many items as they can, as fast as possible.

**2\. Screen every order:** Because there are billions of compromised credentials available to fraudsters now, because FaaS scams are harvesting more credentials, and because FaaS bots can use those credentials to crack accounts at scale, businesses can no longer assume that returning customers are who they appear to be.

That means it's no longer safe to automatically approve orders from known customers. Every order needs to be screened for payment data as well as for device, geolocation, and behavioral biometrics to help validate the customer or flag the order as possible account takeover fraud.

**3\. Run batch analyses to detect fraud at scale:** Bot rental and compromised credentials allow fraudsters to get creative with their attacks on businesses. For example, a gang can target an online store with a spate of orders that appear to come from different customers using different payment methods. Each of these orders may pass muster with the fraud screening solution and get approved.

However, if the merchant also selects random orders for analysis as a group, the fraud solution may find patterns that indicate criminal activity. Maybe that burst of orders from different customers were all shipping to the same address. Or perhaps all of the cards they used to pay had the same bank identification number, indicating that the customers might be synthetic identities. Batch analysis can reveal these issues so that fraudulent orders can be canceled before items ship.

**4\. Avoid automatic declines:** Stopping fraud can only save a company money if it doesn't also stop good customers from completing their orders and coming back for repeat purchases. Automatic declines may seem like a way to save money and time on order decisioning, but this approach typically generates a high rate of false declines. A recent ClearSale five-country survey of online shoppers found that 40% won't ever go back to a website that declines their order. That represents a lot of lost customer lifetime value.

**5\. Use manual review:** The alternative to automatic declines is manual review by fraud specialists, who can distinguish between fraud and unusual but valid customer behavior. Manual review of flagged orders costs more than auto-declines up front, but the ROI includes more approved orders and less customer churn due to false declines.

**6\. Continuously train your ML:** Manual review results can and should feed the automated fraud solution's machine learning algorithms. This helps the AI get better at detecting sophisticated fraud and customer behavior that's not completely normal but also isn't fraudulent. This can result in fewer flagged orders and reduce the need for manual review over the long term.

**7\. Monitor brand mentions:** FaaS schemes often impersonate brands to trick consumers into sharing their credentials and even authentication codes. Every business should keep an eye out for social media accounts, websites, email campaigns, and even SMS campaigns that impersonate their brand. Depending on the channel, a company can report imposters to the platform, Web host, or Federal Communications Commission and alert their customers there's a scam operating under the company's brand.

FaaS shows how fraud continues to evolve, and how the technologies that make life more convenient for customers also make fraud easier for criminals. By understanding how FaaS works and following best practices to prevent it, your business can help protect your customers, your revenue, and your brand reputation.

How Can Your Business Defend Itself Against Fraud-as-a-Service?

Researcher shares how he unearthed newer bugs in Apple's operating system by closer scrutiny of previous research, including vulnerabilities that came out of the Pwn2Own competition.

Sometimes all it takes to root out a new software vulnerability is to study and analyze previous bug reports. That's how researcher Csaba Fitzl says he sniffed out some new Apple macOS vulnerabilities, one of which was a mirror image of a logic flaw that a group of researchers competing in the 2020 Pwn2Own contest found and executed there.

Fitzl, a content developer for Offensive Security, says he reread and studied the winning six-exploit chain that the researchers used to hack macOS. One of the exploits in that chain weaponized a privilege escalation bug, which Apple later fixed. But there still was a hole, and he found it: "Although Apple fixed it properly, but still there was an extra function ... that basically opened up another vulnerability to be utilized a bit differently than the original one," Fitzl explains.

Apple's original fix for the flaw allowed an attacker to change ownership of a directory in macOS. But Fitzl discovered that he could create a new directory on the targeted system, which could allow an attacker to escalate their privileges on macOS. "Although you had to use different techniques to get through to the system, but because you could create an arbitrary directory anywhere on the system, you could elevate your privileges to root," he says.

It was basically the same logic flaw but in a different piece of the code. Apple has since patched the vulnerability Fitzl found as well.

This week at Black Hat Singapore, Fitzl will share technical details of this and two other vulns he found while drilling down on previous vuln research on macOS during a session entitled "macOS Vulnerabilities Hiding in Plain Sight."

Apple had not responded to a request for comment as of this posting.

**'Something Is Not Right'  
**Fitzl says he didn't actually spot traces of the new flaws linked to previous research until after he reread the research papers. "At some point it hit me that there is something not right. It turned out that there is a vulnerability not like the one initially documented," he explains of his findings. "That eventually led to me to find or identify new vulnerabilities."

The other two flaws he found include one that built upon research from Mickey Jin, who discovered a bypass for an Apple patch for the so-called XCSSET malware that targeted Apple's built-in Transparency, Consent, and Control (TCC) privacy and security framework. XCSSET pilfers sensitive user and developer information from applications on a Mac machine.

Fitzl says he noticed an underlying weakness in the TCC framework that would allow an attacker to bypass TCC. He consulted with fellow researcher Wojciech Regula, head of mobile security and principal security consultant at SecuRing, on the issue.

"We found that we can still generically bypass TCC because there was an inherent vulnerability" that came out of the previous research, he says. It was a flaw in TCC that could allow an attacker to bypass the macOS privacy and security framework.

While macOS relies heavily on code-signing and verification of code-signing, Fitzl explains, TCC was not verifying a process that was running but rather verifying binary code on the disk. "This allowed all these abuses by malware," he says. "So we just replaced the binary on the disk and that's it: We could bypass TCC again."

Apple has since fixed the issue, he says.

The third macOS vuln Fitzl found builds off a flaw used in a 2017 Pwn2Own macOS exploit chain: another privilege escalation flaw that Apple later patched in its disk arbitration framework to elevate to root access. Then Fitzl found that the new version of Apple's disk arbitration source code included the "exact same" logic bug that could lead to privilege escalation. "You could use the same logic bug to escape the \[macOS\] sandbox" that keeps applications from getting access to other parts of the machine they don't need, he says.

For example, an attacker could abuse the vulnerability to escape Safari's sandbox and gain broader access across the victim's machine.

**Protecting macOS  
**Fitzl recommends that organizations religiously update their Macs with the latest versions of macOS to keep their endpoints protected from attacks such as these. They should also run anti-malware and endpoint detection and response on their machines.

Known macOS Vulnerabilities Led Researcher to Root Out New Flaws

Researchers discovered a simple malware builder designed to steal credentials, then pinging them to Discord webhooks.

Researchers discovered a simple malware builder designed to steal credentials, then pinging them to Discord webhooks.

On April 23rd, 2022, a Discord user with the handle “Portu” began advertising a new password-stealing malware builder.

Malware builders are programs which so-called script kiddie hackers can craft their own executables on top of. Script kiddie is cybersecurity parlance for a novice hacker who uses a preexisting code to slightly modify it for their own nefarious purposes.

Four days later, threat analysts from Uptycs discovered the first sample of a Portu-inspired malware sample in the wild researchers dubbed “KurayStealer.” According to researchers, the malware has been used to target Discord users.

**How KurayStealer Works**

The author behind KurayStealer has clearly taken inspiration – and code – from those other attacks. “We have seen several other similar versions floating around in public repositories like github,” the researchers noted, concluding that “the KurayStelaer builder has several components of different password stealers.”

When it’s first executed, KurayStealer runs a check to determine if the malicious user is running the free or “VIP” (paid) version.

Next, it attempts to replace the string “api/webhooks” with “Kisses” in BetterDiscord – an extended version of the Discord app, with greater functionality for developers. If this action is successful, the hacker can undermine the app in order to set up webhooks.

Webhooks are a mechanism by which webpages and applications can send real-time data to one another over HTTP. They’re like APIs, the key difference being that webhooks send information automatically, without the need for a request from the receiver.

With webhooks in place, the program takes a screenshot and grabs the geo-location of the target machine. Then it begins credential hunting: probing for passwords, tokens, IP addresses and more from Discord, Microsoft Edge, Chrome, and 18 other apps. Any data scoured in this process funnels back to the attacker via the webhooks.

**What We Know of the Author**

Script kiddies are rarely subtle.

Within KurayStealer’s code is a reference to who wrote it: “Suleymansha & Portu,” and an invite to a Discord channel run by the user “Portu#0022.” Portu#0022’s profile contains a link to their profile on Shoppy – an ecommerce platform – with samples of other malicious programs. It also points to their YouTube channel, which used to have a video up that demonstrated how to use KurayStealer. The channel is barren now, but for a cartoon profile picture and an indication that Portu is from Spain.

On April 26th, Portu announced they were working on a new ransomware program. “Based on the announcement and the observations,” the researchers concluded, “we believe that the authors might come up with newer versions of password stealers and other malware.”

“Our research on KurayStealer backed with OSINT highlights the rise in prevalence of password stealers using Discord tokens as a C2 for harvesting the victims’ credentials. Enterprises must have tight security controls and multi-layered visibility and security solutions to identify and detect such attacks.”

Malware Builder Leverages Discord Webhooks

WannaCry continues to be a reminder of the challenges that organizations face dealing with the ransomware threat.

The ransomware landscape has evolved considerably since WannaCry dramatically drove home the potential severity of the threat five years ago on May 12. What has changed somewhat less over the same period is enterprise preparedness in the face of ransomware attacks. 

Ransomware emerged and has remained entrenched as one of the most difficult security issues for organizations across sectors in the past few years. WannaCry itself, while nowhere near as widespread as it was initially, remains a potent threat and even figured in some vendor lists of top malware threats as recently as last November.

By most accounts, enterprise organizations have gotten better at remediating vulnerabilities and updating obsolete and outdated software. Even so, the vulnerable version of the Server Message Block (SMB) protocol that WannaCry used to spread like wildfire remains in widespread use across organizations and regions. Most attacks against the SMB protocol still attempt to exploit EternalBlue, the exploit that was used in the WannaCry attacks. Patching and vulnerability management programs continue to pose challenges, as do practices such as threat detection, remediation, and response.

Meanwhile, ransomware and the manner in which it is used has changed. Many ransomware attacks these days are highly targeted and involve hands-on tactics for maximum effectiveness. Tools are increasingly becoming multiplatform, meaning they can be used to attack different operating systems. Examples of these tools include Conti, BlackCat, and Deadbolt. 

And the proliferation of ransomware-as-a-service offerings has lowered the barrier to entry for common cybercriminals, even as it has fostered increasingly businesslike hierarchies and processes within the criminal industry. A high percentage of ransomware attacks these days also involve data theft and denial-of-service attacks as additional forms of extortion.

**Alive and Kicking  
**"WannaCry, though not nearly as prevalent of a threat as it once was, is still alive and kicking," says Tessa Mishoe, senior threat analyst at LogicHub. Over the time between its first attacks and now, the ransomware industry has learned from WannaCry's efforts and the responses to it — whether it be new tactics such as auctioning data and blackmailing customers or new techniques like more complex virtual machine escapes and persistence. "Ransomware's increase in market share should be a good indicator of how WannaCry launched more intrigue into ransomware," Mishoe says.

WannaCry surfaced on May 12, 2017, and in a matter of days spread to some 300,000 computers worldwide. Though many have described it as ransomware, one of its main functions was to wipe data clean from infected systems. 

Numerous organizations were affected in the outbreak, including FedEx, Nissan, and, perhaps most notably, the United Kingdom's National Health Service. The US Department of Justice and numerous others have attributed the malware and the attacks to North Korea's Lazarus Group. Over the years, researchers have estimated damages associated with the malware to be more than $1 billion dollars.

The malware spread via a publicly leaked, US National Security Agency (NSA)-developed exploit called EternalBlue that targeted a critical remote code execution vulnerability (MS17-010) in Microsoft's Server Message Block 1.0 (SMBv1) file-sharing protocol. Once installed on a system, WannaCry quickly spread to other devices running a vulnerable SMB version. Most of these were older Windows systems, such as those running on Windows Vista, Windows 7, and Windows 8.1. 

Though Microsoft had issued a patch for the SMB flaw more than a month before WannaCry, millions of computers were unpatched against the problem when the malware hit.

**A Continuing Threat  
**Five years later, attackers are continuing to use the EternalBlue exploit to deploy WannaCry and other malware on enterprise systems.

A recent analysis conducted by Barracuda Networks of attacks over a three-month period shows a staggering 92% of all attacks on SMB port 445 involve attempts to use the EternalBlue exploit. 

"There are still machines out there that have never been patched against these sorts of exploits and likely won't ever be," says Jonathan Tanner, senior security researcher at Barracuda. "So, it's not a lot of work on the attackers' part to try to find and exploit these systems."

Much of this also is due to continued delays in organizations updating their infrastructures. A survey of 500 IT decision-makers by vendor ExtraHop found 68% of respondents admitting to still running SMBv1, even though newer, more secure versions of the file-sharing protocol have been around for years. The company will be discussing the obstacles that companies face in hardening themselves for ransomware attacks at the upcoming RSA Conference (RSAC), in a session aptly entitled, "What Will It Take to Stop Ransomware?"

SMBv1 has been deprecated since 2014, notes Jeff Costlow, ExtraHop's CISO. "I wish it was surprising that 68% of organizations are still running SMBv1, but I see example after example of organizations running outdated, insecure, or unencrypted protocols — either knowingly or unknowingly," he says. The risk is huge, he adds. "SMBv1 doesn’t need to be installed on every device in the environment to be used to launch a catastrophic attack. It only needs to be on one."

Brian Donahue, principal information security specialist at Red Canary, says that, for the most part, organizations are less vulnerable to WannaCry now than they were before. Even so, many organizations still have not updated to MS17-010 and their SMB installations remain susceptible to the EternalBlue exploit, he says. 

"More generally, enterprise patch-adoption lags behind vendor updates, and organizations will always struggle to keep up to date with new software releases," he notes.

Organizations also need to keep on top of cybercriminal innovation. To that end, Red Canary's Katie Nickels, also a SANS Institute director, will be part of a panel during June's RSAC entitled "The 5 Most Most Dangerous New Attack Techniques," which is aimed at highlighting emerging threat vectors for ransomware (and other cyberattacks). 

**A Dominant and Evolving Threat  
**Donahue says ransomware was one of the most dominant threats in 2017 and remains a major threat in 2022. Worm-like ransomware threats have transitioned from being an emergent threat to the de facto standard for ransomware campaigns. Even more than that, the adoption of exfiltration techniques to perform double extortion was uncommon in 2017, but it's extremely common now.

The ransomware industry has evolved in other ways as well since the WannaCry outbreak. Researchers at Bishop Fox who analyzed the threat space recently spotted a trend toward the use of ransomware as a decoy in state-sponsored attacks, cyber warfare, and criminal activity. They noted how WannaCry, NotPetya, and WhisperGate were disk wipers disguised as ransomware that tricked victims into believing they could get their data back if they paid a ransom. 

In the same manner, attackers are using ransomware to distract victims from an attacker's true motives, according to Bishop Fox.

Today's ransomware attacks are also a lot more tailored and customized compared to WannaCry, which spread indiscriminately in automated fashion, says Trevin Edgeworth, red-team practice director at Bishop Fox. He points to DarkSide, the ransomware that hit Colonial Pipeline, as an example of ransomware that is being largely human-deployed and aimed at specific organizations. 

"Whether it is patient information that a healthcare provider maintains, or the continued operation of systems critical to a manufacturing company, today's attacks are tailored and customized to each targeted organization and what is critical to them," he says.

In a report this week, Kaspersky said it had identified recent instances of ransomware groups taking sides in geopolitical conflicts — such as that involving Russia's war in Ukraine. Groups behind the Conti ransomware family, for instance, have allied themselves with Russian interests, while others such as the IT Army of Ukraine are on the opposite side. That alignment could have an impact on targeted organizations.

WannaCry was a wake-up call for many organizations around their patching practices, and it did foster stronger vulnerability management programs. However, many organizations continue to prioritize operating system patching over patching key applications such as Java, Office, and Adobe products that are installed ubiquitously throughout their environment, Edgeworth says.

"Ransomware preparedness starts first with excelling at basic security hygiene, such as secure network architecture, reducing unnecessary attack surfaces, and enforcing least privilege around Active Directory and 'crown jewels' systems," Edgeworth says. "Organizations must have a plan in advance on how to respond to a ransomware attack."

5 Years That Altered the Ransomware Landscape

A biotech threat intelligence group is gaining supporters as urgency mounts around an overlooked vulnerable sector.

A new partnership between the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) and the Johns Hopkins University Applied Physics Laboratory (APL), which works on emerging research with US government agencies, is highlighting the need for more resources to better secure biomedical, bioindustrial, and biomanufacturing entities.

The Covid-19 pandemic sparked regular people around the world to think about the logistics of vaccine development and production in a tangible and immediate way. But the so-called bioeconomy is silently embedded everywhere, from breeding programs used in agriculture to the development of biofuels. And as industry after industry faces a reckoning about the state of their cybersecurity defenses, researchers are increasingly realizing that the bioeconomy is vulnerable. During the pandemic, for example, Russia, China, and other state actors raced to hack vaccine makers and distributors for intelligence gathering, in a scramble that US officials warned could have been disruptive.

“A lot of the bioeconomy is small companies; that’s the real lifeblood of American biotech,” says BIO-ISAC cofounder Charles Fracchia. “Imagine if Moderna got hacked four years ago, even with some totally non-sophisticated malware, or they faced a ransomware attack. Small companies can go bankrupt really easily, and then we lose the work they're doing for the future. I'm very grateful that APL understood the mission of the BIO-ISAC and joined as a founding member. They want to help.”

Information sharing and analysis centers exist for many industries, from financial services to health care. And Charles Frick, a principal staff member at APL, says that the lab has been supporting ISACs and collaborating with them for many years. During the George W. Bush and Barack Obama administrations, Frick says, APL collaborated with the Department of Homeland Security and the National Security Agency to study the most efficient methods for large-scale threat intelligence sharing and security automation. APL participated in a 2018 financial services pilot for automatically screening and processing machine-readable threat intelligence data in which a process that had one taken 14 hours got whittled down to eight minutes.

All of this matters, because digital attacks on critical services and trends in attacks creep up quickly. The more information an organization can not only gather but also share, the better chance others have of defending themselves against similar hacks. APL's funding for the BIO-ISAC will go toward regular operations, including research, information sharing, and public disclosures. And crucially, it will also support incident response services the BIO-ISAC is launching so biotech and biomanufacturing organizations have someone to call if they're dealing with a digital attack or otherwise suspect that something is wrong. The services will be pay what you can to make them accessible to as many organizations as possible. Depending on demand, though, the BIO-ISAC may not have the capacity immediately to respond to every request. But the group hopes to begin filling a crucial gap in the services that are currently available.

“As we start identifying threats, it's a natural fit for us to say, well, we have an existing set of capabilities and skills that can be applied to this area, and we've demonstrated our ability to work with ISACs in collaboration," says Brian Haberman, an APL program area manager. "So this accomplishes our mission of supporting national priorities in a much faster way when you’re not going it alone. It's the biggest bang for your buck."

A few years ago, the idea of designating US election systems as government “critical infrastructure” was controversial to some. The designation simply unlocks funding and expanded resources from US government agencies, including the Cybersecurity and Infrastructure Security Agency, for critical sectors that work in the public interest. But while health care, food, and agriculture industries obviously have critical infrastructure designations that cover parts of the bioeconomy, the sector as a whole doesn't specifically have its own designation. Instead the US government has classified the bioeconomy with a “critical emerging tech” label.  As a result, groups like the BIO-ISAC are working ad hoc in a largely open field.

“The bioeconomy is an emerging sector of our economy if we really want to make meaningful change and impact, now is the time to get involved—not after it’s already this big thing and we try to go in reverse," says Andrew Kilianski, senior director for emerging infectious diseases at the International AIDS Vaccine Initiative. "We’ve done some of these sectors where we try to build out IT infrastructure and cybersecurity defenses later and it doesn’t work well." Kiliansk worked closely with the US government's Covid Operation Warp Speed initiative and a new member of the BIO-ISAC's national security advisory board.

“There's that squishy, beautiful life sciences spirit that, hey, we share everything, we’re open," Kilianski adds. "But now these discoveries have huge commercial value, not just societal value, and that makes all of this even more sensitive.”

The Hidden Race to Protect the US Bioeconomy From Hacker Threats

A vulnerability affecting F-Secure SAFE browser was discovered. An attacker can potentially exploit Javascript window.open functionality in SAFE Browser which could lead address bar spoofing attacks.

**CVE ID** **DATE ISSUED** **ADVISORY TITLE** **AFFECTED PRODUCTS** CVE-2022-28873  
12-May-2022 Multiple Address Bar Spoofing Vulnerabilities in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28872  
12-May-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28871 25-Apr-2022 Denial-of-Service (DoS) Vulnerability All F-Secure endpoint protection products on Windows and Mac CVE-2022-28870 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28869 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28868 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2021-44751 25-Mar-2022 F-Secure SAFE Browser vulnerable to USSD attacks F-Secure SAFE Browser for Android Version 18.5 and below CVE-2021-44750 09-Mar-2022 Arbitrary Code Execution F-Secure FREEDOME VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security/Anti-Virus CVE-2021-44749 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5 CVE-2021-44748 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5

CVE-2022-28873: Security advisories | F-Secure

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the address bar was not correct if navigation fails in a loop.

**CVE ID** **DATE ISSUED** **ADVISORY TITLE** **AFFECTED PRODUCTS** CVE-2022-28874 23-May-2022 Multiple Denial-of-Service (DoS) Vulnerabilities All F-Secure endpoint protection products for Windows and Mac CVE-2022-28873  
12-May-2022 Multiple Address Bar Spoofing Vulnerabilities in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28872  
12-May-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28871 25-Apr-2022 Denial-of-Service (DoS) Vulnerability All F-Secure endpoint protection products for Windows and Mac CVE-2022-28870 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28869 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28868 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2021-44751 25-Mar-2022 F-Secure SAFE Browser vulnerable to USSD attacks F-Secure SAFE Browser for Android Version 18.5 and below CVE-2021-44750 09-Mar-2022 Arbitrary Code Execution F-Secure FREEDOME VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security/Anti-Virus CVE-2021-44749 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5 CVE-2021-44748 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5

CVE-2022-28872: Security advisories | F-Secure

This year's Black Hat Asia is hybrid, with some sessions broadcast on the virtual platform and others live on stage in Singapore. News Desk is available on-demand with prerecorded interviews.

May 11, 2022 — Like many things since 2020, Dark Reading News Desk has had to adapt. Instead of broadcasting live interviews with security researchers presenting at Black Hat, News Desk shifted to prerecorded interviews with the speakers. 

For Black Hat Asia 2022, Dark Reading News Desk is staying virtual, even as the conference goes hybrid. Black Hat attendees have the option to tune in virtually or attend in person at the Marina Bay Sands in Singapore. Dark Reading News Desk is keeping its virtual format.

News Desk interviewed some speakers presenting at Black Hat Asia 2022 about their sessions. These interviews will be available on-demand at Black Hat Virtual (under the show's "Dark Reading News Desk" tab) and right here on Dark Reading:

**DAY 1: Thursday, May 12**

Speakers from Binarly, Immune GmbH, and Red Hat discuss the complexity of the firmware ecosystem and the challenges of identifying and fixing flaws in hardware devices in "The Firmware Supply-Chain Security Is Broken: Can We Fix It?"

Watch the speakers try to distill the challenges in less than 15 minutes in this News Desk segment:  

No Black Hat is complete without at least one dissection of a cyber espionage operation. SideWinder (also known as RattleSnake and T-APT-04) is an aggressive threat actor that has been active since at least 2012. Details on the techniques and methods used by this advanced cyber espionage team will be part of "SideWinder Uncoils to Strike." Dark Reading editor-in-chief Kelly Jackson Higgins offers a sneak peak in this preview. 

Check out the News Desk segment:  

****DAY 2: Friday, May 13****

Trend Micro researchers discuss their discovery of a botnet infrastructure masquerading as an SMS phone-verified account service in "SMS PVA Services Fueled by Compromised Supply-Chain Mobile Botnets."

Watch the News Desk segment on this mobile threat:  

With the Russian invasion of Ukraine in February, the world has had a front-row seat to information warfare. A security expert with experience in security intelligence, policy, and Ukraine dissects what is happening in "The Virtual Battlefield in 2022: Russia-Ukraine War & Its Policy Implications."

Watch this News Desk segment with Very Good Security’s Kenneth Geers:  

It's a fact that every operating system has vulnerabilities, but it still takes many by surprise when there are "macOS Vulnerabilities Hiding in Plain Sight."

Watch Offensive Security's Csaba Fitzl describe what he found:  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

On the Air With Dark Reading News Desk at Black Hat Asia 2022

The stealthy, feature-rich malware has multistage evasion tactics to fly under the radar of security analysis, researchers at Proofpoint have found.

The stealthy, feature-rich malware has multistage evasion tactics to fly under the radar of security analysis, researchers at Proofpoint have found.

A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.

Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.

The name appointed by Proofpoint researchers is based on a named function in the malware code and appears to be derived from “Nerbia,” a fictional place from the novel _Don Quixote_, researchers said.

Proofpoint researchers first observed the RAT being distributed in a low-volume email campaign beginning on April 26 in messages sent to multiple industries, mainly impacting organizations in Italy, Spain and the United Kingdom, they said.

“The emails claimed to be representing the World Health Organization (WHO) with important information regarding COVID-19,” researchers wrote, noting that the messages are a throwback to similar phishing campaigns that circulated in 2020 in the early days of the pandemic.

Sample emails shared in the post are sent from email addresses attempting to appear as if they coming from the WHO, such as who.inter.svc@gmail\[.\]com and announce@who-international\[.\]com, and use as their subject line WHO or World Health Organization.

The messages include safety measures related to COVID-19 as well as attachments that also include “covid19” in their names but are actually Word documents containing malicious macros.

When macros are enabled, the document reveals information relating to COVID-19 safety, specifically about self-isolation and caring for individuals with COVID-19. Macros-enablement also spurs the document to execute an embedded macro that drops a file that performs a PowerShell process to drop the Nerbian RAT dropper in a 64-bit executable file called UpdateUAV.exe written in Go, researchers wrote.

Go is becoming “an increasingly popular language used by threat actors, likely due to its lower barrier to entry and ease of use,” they noted.

****Complexity and Evasion****

The Nerbian RAT “leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries,” researchers wrote.

Indeed, the malware shows sophistication, working in three distinct phases. It starts with the aforementioned malicious document spread via phishing and then moves on, as described, to the UpdateUAV.exe dropper. The dropper performs various environment scans, such as anti-reversing and anti-VM checks, before executing the Nerbian RAT.

Eventually, the RAT itself is executed via an encrypted configuration file, with “extreme care” taken to ensure data to command-and-control (C&C) is encrypted by sending it over Secure Sockets Layer (SSL), which evades inspection by network-scanning tools, researchers observed.

In addition to communication with C&C, other typical RAT things that the malware can do include keylogging and screen capture, but with its own particular flair, they said. The RAT’s keylogger stores keystrokes in encrypted form, while its screen-capturing tool works across all OS platforms.

****Extreme Vetting****

Perhaps the most complex evasion functionality in the three-stage process is what happens before the dropper executes the Nerbian RAT. The dropper performs an extensive vetting of the compromised host and will stop execution if it encounters any of a number of conditions, researchers aid.

These conditions include: the size of the hard disk on the system is less than a certain size, i.e., 100GB; the name of the hard disk, according to WMI , contains “virtual,” “vbox” or “vmware;” the MAC address queried returns certain OUI values; or if any of a number of reverse engineering/debugging programs are encountered in the process list, researchers said.

The dropper also halts execution if the DumpIt.exe, RAMMap.exe, RAMMap64.exe or vmmap.exe memory analysis/memory tampering programs are present in the process list; and if  the amount of time elapsed execution specific functions is deemed “excessive”—which would suggest debugging–by a time measurement function present in the dropper.

However, despite all this complexity to ensure the RAT isn’t detected on its way to a victim’s machine, “the dropper and the RAT itself do not employ heavy obfuscation outside of the sample being packed with UPX–which it can be argued isn’t necessarily for obfuscation, but to simply reduce the size of the executable,” researchers noted.

Researchers also found it easy to infer most of the functionality of both the RAT and the dropper due to the strings in the code referring to GitHub repositories that expose partial functionality of both the dropper and the RAT, they said.

Tag

#mac