**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20221213**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20221213)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-21720: Microsoft Edge (Chromium-based) Tampering Vulnerability

By Waqas
An OSINT tool is a must for every researcher - In this article, we will explore the 15 best OSINT tools that you can use for your investigations.
This is a post from HackRead.com Read the original post: What is an OSINT Tool – Best OSINT Tools 2023

Open Source Intelligence (OSINT) tools are an invaluable resource for companies, organizations cybersecurity researchers and students. In this article, we will explore the 15 best OSINT tools that you can use for your investigations and education purposes.

**OSINT**, or Open Source Intelligence, refers to the practice of gathering information from publicly available sources. In the information and digital age, there are countless tools and resources available for OSINT practitioners to use, making it easier than ever to collect and analyze information. Here are the 15 best OSINT tools that you can use for your investigations:

**Maltego**

Maltego is a powerful and sophisticated OSINT tool for gathering data from public sources. Developed by Paterva, Maltego OSINT allows users to quickly uncover relationships between large amounts of disparate data which can then be used to build intelligence profiles.

With Maltego OSINT, users are able to extract information from multiple online sources using simple graphic representations. This includes the ability to map out social networks, capture contact details and business data, track domain names and IP addresses, uncover digital evidence such as documents or images stored on websites, find related news articles and more.

Furthermore, by automating the process of gathering publicly available data in this way, Maltego OSINT enables users to quickly discover hidden connections that would otherwise remain undetected. Visit the official website of Maltego **here**.

**Shodan**

**Shodan** is a search engine for the Internet of Things **(IoT) devices** and an OSINT tool that is used to uncover vulnerable and exposed devices connected to the Internet, otherwise known as smart devices.

Shodan was created by John Matherly in 2009 and is considered to be the world’s first computer search engine. Shodan can be used to detect security vulnerabilities on public websites, as well as provide detailed information about each web server it finds.

Shodan has become increasingly popular among cybersecurity and IT security professionals who use it for vulnerability assessment, penetration testing, and network mapping. Shodan also helps them identify insecure services such as **misconfigured cloud databases**, FTP servers, telnet servers, and SSH servers that are exposed on the internet without authentication or encryption.

Additionally, Shodan provides detailed technical information about each device it finds including IP address, operating system type, open ports, running software programs and associated vulnerabilities. That is why Shoden is a perfect OSINT tool out there. Visit the official website of Shodan **here**.

**TheHarvester**

TheHarvester is a powerful OSINT tool used to find information related to domains and email addresses. It can be used by security professionals, IT administrators, and hackers alike to collect information from different sources on the internet.

TheHarvester was created as an alternative for doing research on public resources such as search engines, PGP key servers, and social networks. It allows users to quickly gather large amounts of data from sites like Google, Bing, Yahoo!, Dogpile, LinkedIn, Twitter and many more.

All of the gathered data can be exported into several formats such as HTML/XML or even saved as a text file. Additionally, it includes an API that allows users to customize their searches according to their specific needs. Visit the official TheHarvester page on Kali **here**.

**Recon-ng**

Recon-ng is an OSINT tool used for reconnaissance and data gathering. It is a full-featured web application that can be used to gather subsets of public information related to a target, such as usernames, names, email addresses, domain names and other relevant details.

Recon-ng has been designed to automate the process of gathering intelligence about a given target as quickly and efficiently as possible. The Recon-ng OSINT tool provides users with access to multiple resources such as Google, Bing, Twitter, Shodan and more.

The platform also allows users to interact with each resource using the same interface which simplifies the data-gathering process significantly compared to traditional methods. It enables users to quickly collect comprehensive information on a target without having to manually search multiple online sources or databases. Visit the official Recon-ng page on Kali **here**.

**Spiderfoot**

Spiderfoot is an excellent OSINT tool designed to automate the process of gathering information about a specific target. Spiderfoot enables users to have quick and easy access to a wide range of data sources.

It is capable of collecting information from over 200 sources, such as DNS records, WHOIS information and public resources like Shodan, **VirusTotal**, Google and others. Spiderfoot can be used for reconnaissance, investigative research and even threat hunting by allowing users to quickly identify potential threats or vulnerabilities in their environment.

The tool works by scanning the internet for publicly available data from various sources based on the user’s input query parameters. The collected data can then be mapped out into an interactive graph with various visual indicators which make it easier to interpret the gathered information.

This feature makes it much easier for security professionals to recognize trends or anomalies within their networks which can help them detect malicious activities or threats early on. Visit the official website of Spiderfoot **here**.

**OSINT Framework**

OSINT Framework is a website and information-gathering tool used by security professionals for investigative purposes. It is a collection of free and publicly available tools that can be used to conduct online investigations.

OSINT Framework provides users with an easy-to-use platform to quickly search, collect and analyze data from various sources such as social media platforms, websites, forums, blogs and more. By using this framework, security professionals are able to gather a wealth of information in order to identify potential threats or anomalies on the web.

The OSINT Framework enables users to access public records and other sources of information quickly and efficiently. It utilizes specialized search engines and databases such as Google Hacking Database (**GHDB**) as well as several other open-source intelligence tools such as Recon-ng, Maltego and Shodan. Visit the official website of OSINT Framework **here**.

**Foca**

Foca (Fingerprinting Organizations with Collected Archives) is an OSINT tool used by cybersecurity professionals to collect data from the internet. It can be used to find information on any subject, including people, companies, and other organizations. The tool gathers data from a variety of sources such as social media platforms, websites, and search engines.

The tool helps users to collect information quickly and efficiently by providing them with a set of tools for searching, collecting and analyzing the collected data. It provides users with advanced filtering options that allow them to narrow down their searches and find relevant information easily.

Foca also has features such as keyword analysis which enables users to analyze text-based content or images in order to identify patterns or trends in the collected data. Additionally, it offers other features like automated report generation which allows users to generate reports quickly without having to manually gather all the necessary data themselves. Visit the official GitHub repository of FOCA **here**.

**Metagoofil**

Metagoofil is a powerful OSINT tool used for gathering publicly available information about a particular target. It is especially useful for penetration testers, security professionals, and researchers who need to collect data from websites in order to perform reconnaissance on their targets.

Metagoofil was developed by Edge Security in 2006 as part of the framework for its security consulting services. This tool can be used to scan websites, search engines, and public document archives such as **PDFs and Microsoft Office documents**. It then searches for specific keywords related to the target and collects the relevant information from these sources.

With its easy-to-use interface, Metagoofil allows users to quickly find files containing sensitive information such as usernames, passwords, email addresses, IP addresses, etc., which can then be used in further attacks or research projects. Visit the official Metagoofil page on Kali **here**.

**GHunt**

GHunt is a new OSINT tool that lets users extract information from any Google Account using an email. The information that GHunt extracts include:

*   Google ID
*   Owner’s name
*   Public photos (P)
*   Phones models (P)
*   Phones firmware
*   Installed Softwares
*   Google Maps reviews
*   Possible physical location
*   Possible YouTube channel
*   Possible other usernames
*   Events from Google Calendar
*   If the account is a Hangouts Bot
*   Last time the profile was edited
*   Activated Google services (YouTube, Photos, Maps, News360, Hangouts, etc.)

Visit GHunt’s GitHub repository **here**.

**Yandex Images**

The Russian counterweight to America’s Google, Yandex has been extremely popular in Russia and offers users the option to search across the internet for thousands of images. This is in addition to its reverse-image functionality which is remarkably similar to Google.

A good option included within is that you could sort images category wise which can make your searches more specific and accurate.

**Tip:** In my personal experience; Yandex image search results are far more accurate and in-depth than Google Images. Visit Yandex **here**.

**N2YO.com**

Allowing you to track satellites from afar, N2YO is a great tool for space enthusiasts. It does so by featuring a regularly searched menu of satellites in addition to a database where you could make custom queries along the lines of parameters such as the Space Command ID, launch date, satellite name, and an international designator.

You could also set up custom alerts to know about space station events along with a live stream of the International Space Station(ISS)! Visit the official website of N2YO **here**.

**TinEye**

TinEye is the original reversed image search engine, and all you have to do is submit a proper picture to TinEye to get all the required information, like where it has come from and how it has been used.

Instead of using keyword matching, it uses a variety of approaches to complete its tasks, including picture matching, signature matching, watermark identification, and numerous other databases to match the image. 

In conclusion, these 15 OSINT tools are among the best available for conducting investigations using publicly available information. Whether you are a professional investigator or a curious individual, these tools can help you gather and analyze information more efficiently and effectively. Visit the official website of TinEye **here**.

**Have I Been Pwned**

**Have I Been Pwned** is an online service that helps people determine if their personal data has been compromised. It works by using email addresses to track data breaches, allowing users to know whether their information has been leaked or stolen due to a hack or other incident.

Have I Been Pwned was created in 2013 by Troy Hunt, a Microsoft Regional Director and security expert. The site provides users with detailed information about the source of any breach affecting their personal data, as well as the types of data that may have been leaked. This allows them to take appropriate steps to protect themselves from future attacks.

Have I Been Pwned or HIBP currently tracks more than 12 billion accounts across over 600 major data breaches, providing one of the most comprehensive databases for checking if your account details have been exposed online. Visit Have I Been Pwned **here**.

**Conclusion**

In conclusion, OSINT tools are an invaluable resource for anyone looking to stay ahead of the curve in the world of digital intelligence. The 15 Best OSINT tools outlined in this article provide an excellent overview for any user, from the novice to the professional, to get started. By using these tools and understanding their functions, users can empower themselves to become better researchers and find valuable data more quickly.

1.  **Top 10 Reliable VPN Services**
2.  **5 Free Best Internet Speed Test Websites**
3.  **8 Online Best Dark Web Search Engines for Tor Browser**
4.  **What Are Dark Web Search Engines and How to Find Them?**
5.  **Best legal & free online streaming sites for movies & TV shows**

What is an OSINT Tool – Best OSINT Tools 2023

**LONDON, UK – 1 February 2023 –** Leading cybersecurity provider Hornetsecurity has today launched two new tools – the QR Code Analyzer and Secure Links - to combat growing cyber threats. These launches come in response to a rise in fake QR codes and the ongoing threat of phishing, which represents 40% of all cyber threats.   

Hornetsecurity has also released a new automated mailbox migration solution, which helps partners efficiently and securely deploy and operate Microsoft 365 in the cloud for their customers – and remain safe from cyberattacks. In addition, the cybersecurity specialist has simplified its partner program to enable partners to work on projects and MSP business equally and centrally.   

**QR code phishing**

Research from Hornetsecurity’s Security Lab has discovered that cybercriminals are using QR codes in emails to obtain confidential data. To counter this latest threat, Hornetsecurity is expanding its Advanced Threat Protection and 365 Total Protection Suite for Microsoft 365 with the launch of its QR Code Analyzer. This unique technology determines whether QR codes link to malicious sites when scanned.   

The launch of Hornetsecurity’s ‘Secure Links’ functionality will also help limit cyber-attacks, especially ransomware attempts. This new service runs all email links through a secure analyzer before enabling the recipient to safely open the link. Both new technologies provide businesses and their employees with extra reassurance that their email communications are safe.   

Hornetsecurity CEO, Daniel Hofmann, said: “Hornetsecurity is committed to pre-empting and responding to new cybersecurity threats and customer concerns. Phishing attacks and fake QR codes are on the increase, so we are pleased to launch unique technologies that will combat these ever-growing threats. The QR Code Analyzer and Secure Links tools will benefit businesses by fighting cybersecurity attacks in a safe, reliable and cost-effective way.”  

**Migrate mailboxes in a safe and efficient way**

In response to challenges that Hornetsecurity partners have faced in transferring mailboxes from on-prem to Microsoft 365 cloud, the cybersecurity specialist has developed the Mailbox Migration Tool. This new offering enables Hornetsecurity partners to automatically migrate customers securely, efficiently and with major time-savings – in turn, enabling them to provide peace of mind by offering full security for Microsoft 365 via 365 Total Protection.  

**New simplified partner program** 

Hornetsecurity has also created a new simplified partner program. The newly adjusted program aims to unify partner levels and includes both managed service (MSP) and project business. These updates make entry barriers negligible, so partners can provide Hornetsecurity's services with minimal effort and investment.  

Hornetsecurity COO, Daniel Blank added: “Hornetsecurity has listened to our partners’ needs, which has led to the launch of our efficient and safe Mailbox Migration Tool, at the same time as our new partner program is rolled out.  

“This launch package is just the start of what will be a busy 2023 for Hornetsecurity as we monitor, learn and respond to new sophisticated cyberattacks, and continue to keep our customers’ data safe from ever-present threats.”   

**Further information**

For more information on Hornetsecurity’s new cybersecurity tools, please visit Advanced Threat Protection and

Hornetsecurity Combats QR Code Phishing With Launch of New Technology

Current and former cybersecurity leaders from Microsoft, Google, GitLab, Check Point, OWASP, Fortinet and others have already joined the open framework initiative, which is being led by OX Security.

**TEL AVIV, Israel****,** **Feb. 1, 2023** **/PRNewswire/ --** OX Security, the first end-to-end software supply chain security solution, today announced the launch of OSC&R (Open Software Supply Chain Attack Reference)_,_ the first and only open framework for understanding and evaluating existing threats to entire software supply chain security.

The founding consortium of cybersecurity leaders behind OSC&R include: David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies.

Discussions with hundreds of industry leaders revealed that there was a very concrete need for a MITRE-like framework that would allow experts to better understand and measure supply chain risk, a process that until now could only be  based on intuition and experience. OSC&R is designed to provide a common language  and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Neatsun Ziv, who served as Check Point's VP of Cyber Security before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."

OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized, how existing coverage addresses those threats, as well as to help track behaviors of attacker groups.

"OSC&R helps security teams build their security strategy with confidence," said Hiroki Suezawa, Senior Security Engineer at Gitlab. "We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions," he continued.

The OSC&R framework will update as new tactics and techniques emerge and evolve. It will also assist red-teaming activities by helping set the scope required for a pentest or a red team exercise, serving as a scorecard both during and after the test. The framework will also now be open for other cybersecurity leaders and practitioners to contribute to OSC&R.

"I believe the OSC&R framework will help organizations reduce their attack surface," said Naor Penso, Head of Product Security at FICO. "I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise."

The OSC&R framework is now online: https://pbom.dev/

**About OX Security**

OX Security believes that security should be an integral part of the software development process, not an afterthought. Founded by Neatsun Ziv and Lior Arzi, who previously led Check Point's Security Group, OX  is the first end-to-end software supply chain security solution. OX provides DevSecOps teams with the automation, visibility, and risk insights they need to bring security and integrity to every step of the supply chain, from the earliest planning stages until deployment to production.

SOURCE Ox Security

Cybersecurity Leaders Launch First Attack Matrix for Software Supply Chain Security

The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country.
The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of

Cyber Risk / Threat Detection

The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as **Gamaredon** for its targeted cyber attacks on public authorities and critical information infrastructure in the country.

The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013.

"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns."

GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands.

The goal of the attacks is geared more towards espionage and information theft rather than sabotage, the agency noted. The SCPC also emphasized the "insistent" evolution of the group's tactics by redeveloping its malware toolset to stay under the radar, calling Gamaredon a "key cyber threat."

Attack chains commence with spear-phishing emails carrying a RAR archive that, when opened, activates a lengthy sequence comprising five intermediate stages – an LNK file, an HTA file, and three VBScript files – that eventually culminate in the delivery of a PowerShell payload.

Information pertaining to the IP address of the command-and-control (C2) servers is posted in periodically rotated Telegram channels, corroborating a report from BlackBerry late last month.

All the analyzed VBScript droppers and PowerShell scripts, per SCPC, are variants of GammaLoad and GammaSteel malware, respectively, effectively permitting the adversary to exfiltrate sensitive information.

The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed details of a new malicious campaign targeting state authorities of Ukraine and Poland.

The attacks take the form of lookalike web pages that impersonate the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine, and the Polish Police (Policja) in an attempt to trick visitors into downloading software that claims to detect infected computers.

However, upon launching the file – a Windows batch script named "Protector.bat" – it leads to the execution of a PowerShell script that's capable of capturing screenshots and harvesting files with 19 different extensions from the workstation.

CERT-UA has attributed the operation to a threat actor it calls UAC-0114, which is also known as Winter Vivern – an activity cluster that has in the past leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

Russia's invasion of Ukraine in February 2022 has been complemented by targeted phishing campaigns, destructive malware strikes, and distributed denial-of-service (DDoS) attacks.

Cybersecurity firm Trellix said it observed a 20-fold surge in email-based cyber attacks on Ukraine's public and private sectors in the third week of November 2022, attributing a majority of the messages to Gamaredon.

Other malware families prominently disseminated via these campaigns consist of Houdini RAT, FormBook, Remcos, and Andromeda, the latter of which has been repurposed by the Turla hacking crew to deploy their own malware.

"As the Ukraine-Russia war continues, the cyber attacks on Ukraine energy, government and transportation, infrastructure, financial sector etc. are going on consistently," Trellix said. "In times of such panic and unrest, the attackers aim to capitalize on the distraction and stress of the victims to successfully exploit them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Russian-Backed Gamaredon's Spyware Variants Targeting Ukrainian Authorities

Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

ESTsoft Alyac 2.5.8.645

**PRODUCT URLS**

Alyac - https://www.estsecurity.com/public/product/alyac

**CVSSv3 SCORE**

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-823 - Use of Out-of-range Pointer Offset

**DETAILS**

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

When coen.aym receives a path to the file to scan, it figures out what type of file it is and selects appropriate scanning strategy.

In the case of the crashing file, it scans using DefaultScanStrategy.

While scanning, it calls utility function esc::engine::FileTool::GetTextSectionRange(...) which like the name, tries to locate the .text section inside the scanning PE file.

It internally calls sub_1800809b0 which checks magic value MZ and locates NT header by referencing e_lfanew field in the DOS header.

    1800809ce  b84d5a0000         mov     eax, 'MZ'
    1800809d3  4c894150           mov     qword [rcx+0x50], r8
    1800809d7  48895108           mov     qword [rcx+0x8], rdx
    1800809db  663902             cmp     word [rdx], ax
    1800809de  0f8503010000       jne     0x180080ae7
    
    1800809e4  4863423c           movsxd  rax, dword [rdx+0x3c] ; e_lfanew
    1800809e8  493bc0             cmp     rax, r8    ; check with file size
    1800809eb  0f87f6000000       ja      0x180080ae7
    
    1800809f1  488d0c10           lea     rcx, [rax+rdx]        ; oob
    1800809f5  48894b10           mov     qword [rbx+0x10], rcx
    1800809f9  813950450000       cmp     dword [rcx], 'PE'
    

However, it incorrectly only checks whether e_lfanew is larger than the file size. Providing value which is same as the file size to e_lfanew will pass the check but the file will not be large enough to store NT header.

Therefore it will try to read memory out of bounds when trying to validate NT headers, crashing the malware scanning process.

**Crash Information**

    1:016> ub
    coen!Coen_Clean+0x6ca47:
    00007ff8`f9f709d7 48895108        mov     qword ptr [rcx+8],rdx
    00007ff8`f9f709db 663902          cmp     word ptr [rdx],ax
    00007ff8`f9f709de 0f8503010000    jne     coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709e4 4863423c        movsxd  rax,dword ptr [rdx+3Ch]
    00007ff8`f9f709e8 493bc0          cmp     rax,r8
    00007ff8`f9f709eb 0f87f6000000    ja      coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709f1 488d0c10        lea     rcx,[rax+rdx]
    00007ff8`f9f709f5 48894b10        mov     qword ptr [rbx+10h],rcx
    1:016> r
    rax=0000000000001000 rbx=0000004babdfdf60 rcx=000001f8c9c51000
    rdx=000001f8c9c50000 rsi=00007ff8fa266bb8 rdi=0000004babdfe1b0
    rip=00007ff8f9f709f9 rsp=0000004babdfdef0 rbp=0000004babdfe020
    r8=0000000000001000  r9=0000000000001000 r10=00007ff8fa2606c0
    r11=000001f894f3ab20 r12=0000000000000000 r13=00007ff8fa306e68
    r14=0000000000001000 r15=000001f8c9c50000
    iopl=0         nv up ei pl zr na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    coen!Coen_Clean+0x6ca69:
    00007ff8`f9f709f9 813950450000    cmp     dword ptr [rcx],4550h ds:000001f8`c9c51000=????????
    1:016> k
    Child-SP          RetAddr               Call Site
    0000004b`abdfdef0 00007ff8`f9f2fa5c     coen!Coen_Clean+0x6ca69
    0000004b`abdfdf20 00007ff8`f9f6a577     coen!Coen_Clean+0x2bacc
    0000004b`abdfe0f0 00007ff8`f9f69e96     coen!Coen_Clean+0x665e7
    0000004b`abdfe3b0 00007ff8`f9f538c4     coen!Coen_Clean+0x65f06
    0000004b`abdfe550 00007ff8`f9f09192     coen!Coen_Clean+0x4f934
    0000004b`abdfe7f0 00007ff8`f9ef5f45     coen!Coen_Clean+0x5202
    0000004b`abdfe970 00007ff8`f9f03c24     coen+0x5f45
    0000004b`abdfead0 00000001`8006f6c1     coen!Coen_ScanSharedMemory+0xc4
    0000004b`abdfeb40 00000001`800563a3     ecm!GetModuleConfigValue+0x8771
    0000004b`abdfebf0 00000001`8008bf2e     ecm+0x563a3
    0000004b`abdfedc0 00000001`800666b0     ecm!GetModuleConfigValue+0x24fde
    0000004b`abdfeea0 00007ff7`d046de9e     ecm!ScanFile+0x40
    0000004b`abdfeee0 00007ff7`d04707d0     AYCon+0x2de9e
    0000004b`abdfefc0 00007ff9`3f1c6c0c     AYCon+0x307d0
    0000004b`abdffab0 00007ff9`40c854e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
    0000004b`abdffae0 00007ff9`41cc485b     KERNEL32!BaseThreadInitThunk+0x10
    0000004b`abdffb10 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
    

**TIMELINE**

2022-12-13 - Vendor Disclosure  
2023-02-01 - Vendor Patch Release  
2023-02-02 - Public Release

Discovered by Jaewon Min of Cisco Talos.

CVE-2022-43665: TALOS-2022-1682 || Cisco Talos Intelligence Group

Categories: Threat Intelligence
Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in December 2022, and looks at why LockBit had to make a public apology



(Read more...)




The post Ransomware in December 2022 appeared first on Malwarebytes Labs.

_Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their dark web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom._

Lockbit has rebounded from its unusual fall from grace in November, snatching the title of the month's worst ransomware, back from Royal. Royal has meanwhile still shown itself as a force to be reckoned with, ranking third in number of attacks for December. 

Known ransomware attacks by gang in December 2022

Attacks by Royal may be down 35 percent from their high of 49 in November, but at the same time, there’s good reason to suspect that their attacks are becoming more targeted. 

On December 07, 2022, the Health Sector Cybersecurity Coordination Center (HC3)—an arm of the US Department of Health and Human Services (HHS)—released a threat brief about Royal after observing the group disproportionately targeting the healthcare industry. Their crowning attack for December came late in the month when they breached telecommunications company Intrado.

Known ransomware attacks by industry sector in December 2022

Known ransomware attacks by country in December 2022

In terms of progress, the two newcomers that we introduced last month, Play and Project Relic, have vastly different stories to tell. 

Project Relic has fallen off the map while Play has turned up the jets—we recorded a whopping 136 percent increase in attacks from the gang compared to November. Since our last update Play has been seen leveraging a never-before-seen exploit chain, which might be responsible for their sharp uptick in attacks. The new Microsoft Exchange attack, dubbed 'OWASSRF', chains exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks. This was the technique behind a ransomware attack on cloud computing service provider Rackspace in early December, which Play later claimed responsibility for. 

Play’s surge in activity, however, was hardly an anomaly for December. Month-on-month we saw hefty percentage-point increases in attacks across the board.

ALPHV (aka BlackCat), for example, is a ransomware gang that has consistently topped the charts in our ransomware reviews; the number of their attacks in December (33), however, is not only a 70 percent increase from November but also the highest it's been all 2022. We also saw 25 percent and 116 percent increases from BianLian and BlackBasta, respectively. These upticks are perhaps to be expected, given that attackers famously love the holiday seasons due to the reduction in security staff on deck. Only time will tell if ransomware gangs will sustain their heightened levels of activity into the New Year—or if the increase is indeed simply a gift-wrapped aberration.

**Lockbit… apologizes?**

Lockbit in December regained the throne as the biggest ransomware gang by attack volume, reversing a three-month downward trend in number of victims.

The prolific ransomware group claimed on December 12 to have stolen up to 75GB of confidential data from California’s Department of Finance, or over 246,000 files in more than 114,000 folders. Not even SickKids (a hospital for sick children) was spared from LockBit’s avarice in December. A ransomware attack using LockBit impacted the hospital's internal and corporate systems, hospital phone lines, and website.

While we’re not surprised to see a gang stoop to such lows, we don’t find many issuing apologies after the fact. Two days later LockBit apologized for the attack, which it blamed on a rogue affiliate, and released a decryptor for free. 

LockBit's operation's policy states "It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed."

Of course the apology doesn't turn LockBit in to some kind of Robin Hood. Its business model is to inflict so much harm that people are willing to pay a fortune to make it stop.

**New ransomware gangs****Unsafe**

In December, we saw a group emerge that makes its cash by riding on the coattails of real ransomware gangs. 

The new player, Unsafe, seems to recycle leaks from other ransomware groups. Unsafe provides security blogs for cybercriminals to post victims and leaked data as well as consultation services for a fee. It currently lists eight victims. 

**Endurance**

We call them ransomware _gangs_ for a reason: These are groups of cybercriminals working together in a hierarchical organization. Rarely do we ever see lone wolf attacks, and if we do it’s even more unusual for them to make as big of a splash in so short of a time as Endurance has.

This cybercriminal, known on dark web forums as IntelBroker, tends to make individual posts about data on sale.

In less than 30 days since its inception, Endurance appears to have successfully infiltrated some big corporations and breached several US government entities. After posting some high-value victims, Endurance has removed them from its dark web site, which is "undergoing development".

Ransomware in December 2022

The Security Innovation Alliance (SIA) empowers customers to create holistic security programs by leveraging robust end-to-end integration partnerships.

**Los Altos, CA — February 1, 2023** — Contrast Security (Contrast), the code security platform built for developers and trusted by security,today announced the launch of its new partner program, theSecurity Innovation Alliance (SIA), which is a global ecosystem of system integrators (SIs), cloud, channel and technology alliances.

The goal of SIA is to provide customers with unmatched, fully integrated application security solutions from Contrast and its strategic alliance partners, which include leading multinationals like GitLab Inc., Amazon/Amazon Web Services (AWS), Microsoft, VMware, PagerDuty, Armor Code, Zimperium, Anchore, Neosec, Wallarm, Ermetic, Cloudwize, Noname Security, BLST Security, ProtectOnce, Scribe Security, Wiz, Wib and Legit Security. Additionally, the team will focus on building expanded partnerships with SIs, technology providers and independent software vendors (ISVs).

“We recognize that organizations cannot rely on a single security solution to fully protect customers from rising cyber threats. That is why it is critical to have strong, technical integrations between the tools that developers, operations and security teams use,” said Ben Goodman, Senior Vice President of Corporate Development and Strategic Alliances at Contrast Security. “Contrast has made significant investments in building an ecosystem, an engineering team, interfaces and tooling in order to launch SIA. I believe that technical partnerships start with technical integrations, and this new partner program will revolutionize the way customers scale their security solutions.”

SIA and the strong strategic partner integrations driven by Contrast will not only allow partners to easily integrate with the Contrast Secure Code Platform, but enable customers to achieve the following benefits:

*   Confidently use Contrast offerings as part of a larger application security (AppSec) program.
*   Enhanced security predictability and reduced risk of implementing new code and AppSec technologies.
*   Strengthened trust and confidence in the technologies that have already been deployed.

“When security solutions easily complement your DevSecOps toolchain, software engineers can deliver production grade software faster and more reliably,” said Nima Badiey, Global VP of Alliances at GitLab Inc. “As a launching member of Contrast’s new SIA ecosystem, we are helping customers discover and adopt more robust security practices. This enables companies to continually invest and innovate in modern and secure software supply chains.”

SIA is designed to improve its partners’ business capabilities to meet the needs of customers in AppSec. Contrast works with each partner to provide a custom experience that best fits their interests and business needs including a simple onboarding process, integration support, joint marketing campaigns and access to the company’s impressive install base.

“IDC has long recognized the importance of a robust ecosystem in AppSec. Customers can benefit when strategic partners work together for more holistic and integrated solutions for security. The Security Innovation Alliance enhances Contrast's portfolio by expanding its capabilities for customers and partners," said Jim Mercer, Research Vice President DevOps and DevSecOps at IDC.

SIA is led by Goodman, a successful Alliance professional, and other industry leaders, including Tracey Mead, Vice President, Strategic Alliances, System Integrators; Rachael Mott, Senior Director, Strategic Alliances, Technology Partners; Frank Gasparovic, Director, Ecosystem Engineering; Callie McCormick, Global Director of Channel Sales; and Ram Yonish, VP of EMEA Alliances.

To join the growing ecosystem of partners or to find out more about SIA, please visit our website, read our blog and listen to Goodman’s interview on Contrast’s Code Patrol podcast.

**About Contrast Security (Contrast):**

A world leading code security platform company purposely built for developers to get secure code moving swiftly and trusted by security teams to protect business applications. Developers, security and operations teams quickly secure code across the complete software development life cycle (SDLC) with Contrast to protect against today’s targeted application security (AppSec) attacks. Contrast also makes security testing available to all developers for free with CodeSec.

Founded in 2014 by cybersecurity industry veterans, Contrast was established to replace legacy AppSec solutions that cannot protect modern enterprises. With today’s pressures to develop business applications at increasingly rapid paces, the Contrast Secure Code Platform defends and protects against full classes of common vulnerabilities and exposures (CVEs). This allows security teams to avoid spending time on focusing false positives and remediate true vulnerabilities faster. Contrast’s platform solutions for code assessment, testing, protection, serverless, supply chain, APIs and languages help enterprises achieve true DevSecOps transformation and compliance.

Contrast protects against major cybersecurity attacks for its customer base which represents some of the largest brand-name companies in the world, including BMW, AXA, Zurich, NTT, SOMPO Japan and American Red Cross, as well as numerous other leading global Fortune 500 enterprises. Contrast partners with global organizations such as AWS, Microsoft, IBM Cloud, Guidepoint, Trace3, Deloitte and Carahsoft, to seamlessly integrate and achieve the highest level of security for customers.

The growing demand for the world’s only platform for code security has landed the company on some of the most prestigious lists including the Inc. 5000 List of America’s Fastest Growing Companies and has designated Contrast as one of the fastest growing companies on the Deloitte Technology Fast 500 List.

Contrast Security Launches Alliance Program to Change the Way Customers Scale Their Security Solutions

Findings underscore security awareness training that leverages practical, hands-on exercises is essential to creating a security-aware culture.

**LAVAL, QC****,** **Feb. 1, 2023** **/PRNewswire/ —** The new Phishing Benchmark Global Report, based on the 2022 Gone Phishing TournamentTM hosted by Fortra's Terranova Security, reveals that large organizations of 10,000 employees or more are most susceptible to phishing attacks promising a gift, despite potentially having access to more cyber security resources than smaller businesses.

Co-sponsored by Microsoft, the annual tournament measures and evaluates how employees respond to one of the most common types of cyber threats – phishing attacks. The 2022 Phishing Benchmark Global Report results emphasize the growing need for all organizations to implement engaging and informative security awareness training programs. Ideally, those programs would leverage real-world phishing simulations to ensure employees are aware of the latest phishing tactics, can detect and report cyber threats and, in time, change unsafe online behaviors.

According to the report, many employees are still prone to answering requests for sensitive information – even when they come from unknown or suspicious email senders. This level of trust leaves an organization's confidential data vulnerable to hackers.

"Cyber threats continue to grab headlines worldwide, so it's encouraging to see improvement from last year's phishing simulation. However, let's not forget how, based on their context, each phishing scenario may convince a different set of users to click. There's definitely still work to do with regards to helping organizations build and grow security-aware cultures," **says Theo Zafirakos, CISO at Terranova Security.** "As the Phishing Benchmark Global Report also shows, it's difficult for some organizations, especially with a significant employee base, to educate employees and reinforce cyber security best practices. This is most true in a remote-first environment."

**2022 Phishing Benchmark Global Report: Key Results**

7 percent of all end users who participated in the 2022 phishing simulation clicked on the link in the phishing email. In addition, 3 percent of all end users failed to recognize the warning signs of the simulation's webpage and proceeded to enter their credentials on the malicious webpage.

Despite the seemingly low totals, this year's form completion rate poses a cause for concern. Globally, 44 percent of those who clicked on the phishing simulation link eventually completed the web form on the subsequent webpage and submitted their login credentials.

"To put these numbers into perspective, if an enterprise-level organization of 10,000 employees had been targeted with a phishing scam like the one depicted in the simulation," **says Zafirakos.** "700 employees would have clicked on the phishing link, and over 300 of those clickers would have entered their password, which can be used to compromise systems and sensitive information. Given our reliance on online systems and data to conduct many business transactions and services, this reality is concerning."

The simulation found that employees from large organizations are most susceptible to phishing attacks. According to participant data, organizations with 10,000 employees or more rarely missed security awareness training, indicating a potential lack of effectiveness.

Other key data highlights from the fourth edition of this event include:

*   For click rates by industry, nonprofit, education, manufacturing, and food and agriculture exhibited the highest totals, all scoring over 6 percent. Meanwhile, participants from the public sector, energy, and finance industries kept their click rates under 3.5 percent.
*   The consumer products space had the highest form completion rate across all industries, with 40 percent of those who clicked on the initial phishing link eventually entering their credentials on the malicious webpage.
*   Europe was the top performer of the five regions represented, claiming the lowest email link click and form completion rates. North America, the top-performing region in 2021, slotted into second place.

"The results from this year's Gone Phishing Tournament underscore the importance of taking a human-centric approach to security awareness training and content," says Brand Koeller, Principal Product Manager, Microsoft Defender. "Technical safeguards alone can't guarantee information security. Addressing the human risk factor should be a top priority for all organizations."

**2022 Phishing Benchmark Global Report:**

 **Methodology**

The 2022 Gone Phishing Tournament took place in October to coincide with Cybersecurity Awareness Month. With over 250 participating organizations and over 1.2 million phishing emails sent out during this year's event, it was one of the largest phishing simulations of its kind. The increase in the participation rate shows phishing is a major concern for many organizations considering the ever-evolving complex nature of real-world cyber threats.

Microsoft supplied this year's email and webpage templates designed to imitate a real-world scenario that many employees experience: a gift card scam. The scenario, selected by the Terranova Security leadership team, measured several end-user behaviors, such as clicking on a link in the body of a phishing email and entering credentials into a form on a phishing webpage.

If users clicked on the link in the phishing simulation's email, they were redirected to a landing page, which prompted them to enter credentials that, had the simulation been an actual attack, would have been compromised. If users completed this second step, they were brought to a phishing simulation feedback page highlighting the warning signs they missed and the best practices they should follow.

Though the 2022 Gone Phishing Tournament simulation was deemed easier than in previous years, the click rate and web form submission rate should still be considered high as a result.

Download the 2022 Phishing Benchmark Global Report to get all the results and facts from the latest edition of the Gone Phishing Tournament.

**About Fortra's Terranova Security**   
Fortra's Terranova Security is the global security awareness training partner of choice that has been transforming the world's end users into cyber heroes for more than 20 years. Using a proven pedagogical framework, Fortra's Terranova Security training solutions empower organizations worldwide to implement programs that change user behaviors, reduce human risk, and effectively counter cyber threats. As a result, any employee can better understand phishing, social engineering, data privacy, compliance, and other critical best practices. With the addition of new features like its Content Center and Cyber Hero Score, Fortra's Terranova Security consistently innovates to support all organizations' cyber security objectives. These industry-leading solution additions also strengthen long-term information security for all professionals, regardless of region or sector, in an era where remote work and borderless productivity are standard. Learn more at terranovasecurity.com.

Tag

#microsoft