A vulnerability has been identified in Solid Edge (All versions < V2023 MP1). The DOCMGMT.DLL contains a memory corruption vulnerability that could be triggered while parsing files in different file formats such as PAR, ASM, DFT. This could allow an attacker to execute code in the context of the current process.

%PDF-1.5 %���� 51 0 obj << /Length 2841 /Filter /FlateDecode >> stream xڵZ\[s�H~���mQUL� tj\_<���l�x-�SS�y ��HB������,Ƥ4�\`K�����9�;�xK�x�N~����(���Л=x �0�"�I#o����,\]��rrʢ؟��\]19��Ϫ�����)+sr⻡��|om�)��n^�\_�N�z6�s������?'��0 ��So�>��'����#W��lV�=!y ���7=�� qB՟-�Z�H����X\* I��Q(E� �\*�a�4=;U\*�"��P \*e@٨ÃX���= !�H0��!�5�(bm>f����8 d�ǜ���c\]�h I= �b"�ڬ�h?J� ��6�C)���c�\`Bb�"bpI��E�������߭6i�|�V�f��98?J��01�eA� ȡ��P���6=�Kv�A�%�܈�ăn��q�q�i��=�+0r���b�G��������\\,���s�'X/��\_p�O�1$���!�����>�t�}D1�<w2��;t�A�1��{S�I;K��X15�3�s�� 5�v\_'���@�l�ܙ���I����/�\*���kaN �Gi�z;����n�����s�\]�\]2��\]绢H7n��$��%N�nAc��#��N��'P�헤L\]e1�πDJ? �W- 5h��=�K�K��,�( ��������v"���>��x���vY�б7\[71�0}��L��J;�<�R(?�W�\[�}B�����N׺�bn��Є��v�ڪ�2e��Pg���P�1�ꍻU}�c�Ҕ��-�ia���c�V�nY��6NdL(\\������F�"M4����V���6vp�Ab��: ��:;m���\_'UiG����~K�� e�?�}gϦ��삋�33؉���~�ʴp�8ҕ�r������R�~�ە�6ݴ��($�w�!��Y��h��$�G�k�d�� I}����Wy�+�wn��MWU��naGkc!����@��/��,�q�\\��3z>��۴x�4�%BmG�c�(��#�j���W38��\[#x����w����y��,;����b?�l�|��F5AN"h�� ���})�U����O��;�����Q���qsm��EMl��q��7�됫�!V��ê������M")G$�hq��$ 9q����/�g�=hI %؈��VX�P�R:�����C�kb��nqs������l�#�����@�5���Ѡ F�c�/=�ge�Q�3� ;c'B�-��Ą�ڌO�~��\]}���H�����H�T؂��a࿉� B���!Xl�ú����\_�K�3r�j60�}��gLwhM�H����E��>Ld8��^n\]�����M1���t�н.JR�u�8�)!����\` N��c¡ JE\[#�独)A�Jxi�B��

CVE-2022-47967

A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.

%PDF-1.5 %���� 56 0 obj << /Length 2384 /Filter /FlateDecode >> stream xڽZ\[s�6~���#5SѸ�ȴ;�:N&�8�Zr�;I��9�D-I����s�&%Y�WN� ppn��$�m@��'��NN���(���M�I+hc"Iu0���i�-�U53��,ݔ�1�a^��&��yU� '��:b�so�eY�7i}v~5�ٳ���N�g'�=�� �2Ҝ����$�û�q�v�2�GRpx^ӓ�/T�ۣ��i�"�C4c-Z�V?��GFh�U�4U�W�t2F)"^� D��(�9���ݼCB��:��4��qN���h����Ӽ�v�\`<���T;�=B0�#�� !Hd�9$cJo�!-�u��nw��DGB�c��TAxĥ:�>�\*�q��O#E��b����|��kW G1=J �\`� odQ�iI֗"\_��-���:�mG��<��� 1�>��j����y �2�(�U�d6���$�m�\\�����(��LČ{�E�3�2���m�݊\*$3 .��ˍ��

CVE-2022-46823

Affected devices do not contain an Immutable Root of Trust in Hardware. With this the integrity of the code executed on the device can not be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code.

%PDF-1.5 %���� 289 0 obj << /Length 2716 /Filter /FlateDecode >> stream x��\[Ks�8��W�(U��x?����n�qⵔLm%s�E�fE=�O��v MI�VjևD$4����i��%4��ɛ���/�Nq��dr�J�։q�(f�I�|��|�/��7v0Χ�j8bjP�~����G�,�Q�Al���zc�UUf������zO��Mޟ����~�@!��'1�%�����h���� %������'R ����Y2>�� ���7d��҄Z�O���و�q �Ic�R�0m��Ƨ#i�Q��1��L�$1R7��DhG�=h�I;��\`�� .��X��j�9#��C�v�:֡=�/��Y&�i��զ���s��z����u���}�!�׻CDN�p��!�%���u\\��jWu!�a�T��+t�r/�P�4\[����k\`Խ�Qv�څ�%�� ��l\*>Z:����K\*�1����q\`�a��Ě��Aa��M��E��"�a�>���� �C��U�i!����M����&��^�;0�a����Aan;�\]}�ܻ|d�2����!�g$�&��!�?�i���o�x\[{9MF\\)d}���򬘦��\\���<\]���m%�ň��N���T�!��1��0J��Ǩ�uU�8�r-��0;��̲�F��}�à��p�&\]�1���\*\`�H������(����� �X��DEBu��������P��p�-�Ú��"J�D�#���d�Ooo�� ��\*���� �e�� C��b$����<<���\[w��!$R���K���gx���}Q��r�J!T���"4���m����\]hC�ɐ1;YFJ�-�&s#uӀbkMX�?�\*{DԦ�W�z�k��Wj �,05�&,���\*�C��y&t@u<4L�l�)�l�\`\`յ7���ݡ( Hco(l��9�<+�Yh���$�wV��hU�=+Ic ��z ��L6��ا�U:E6~rй ���\*p�p���\\Wgq�X�׫2��u��ƺ�~Z�gY�\\{�XZ�5��fi=��uS�C� 7�<������&M���V&,��Z���~��O��iuS�\*tx�QDx�6��%�2�P�����8'a����XGA\[\\��ع�-�0�M1ȂU������ �O��-�t��Nb2zڢ���<��޹V���|Z��6�j�"^��4�<"��t�^s�iLM��,��&���R�\[�%��{��yD�}�ؘ z��?�n3@L�g�7A�ޒB���~�-O��\`�Щ#�R2H����wdFT ��J�q�r1�Y5A)�Z����b���ߧ(˳9� -����~#��y.\[h��RAe�$PDt� �9�b�4V��\_bsf�(\]�#u��9����0����PO��1�<>7 �J�Mz�\`�l��A=��\_�-����2 ��;,|߸<�~>x0XQ\[���\[���I��=R�����R�(���8&>�F)1(��� �8�����>�xj�T�9мt�yUc^�r�a���b$��>���g��՞��fY��&�=�9?@�Ud��}X��8ϷP7�OV0��R,ˍσ��N�ƹ8Ͳ3ɚ\*�OPP@c|�d<�!t�%�m5򟪉H��@\*T3�3���xL�K�lwZ���I�RǬ��������y�)� �2� �w�e�A�C�lۧ< jK��kDާ��g�q� Tt����rB"\*P���%�0mĖ>�w�AQ�z)\`��C��Ga hS���'�>}��,&.<�~�N)��8�䢫�=�"8����H�Ǫ����$�\]��r�q� )s�i��s<e��\*On\[���\[���k$9�\\2�Bc��h\]5��d�{�I�S�/X�aT�f�>4D��ۃ;�lt\_�\*!x�M�\\�^����Y����\_��\]�q��r��� @��z�:�d�� �>W�G��.�%���婯t'�\`׵��c��6V��J骜Ͱ����Xș s���rr���ִIl���J������h�F����=}C���w\[������-l���t�����}Fԉ�c��fm�ֱO��/b�2�P%�JP�ֳ���Z�p�XS���(�TMy�/C�mU����DM� -�/�v\_���Z�\]��U��ڬ��F+��#M�����.N���k���;BR�^,�+i+RB������X44�i(���,4���#شkm��Pj��d��D:ދ�/��.�@�{�rF����,�P49��B'\[Ź�,� \[�bt|�/F,\\\\}�"�X��d��{�\*�;����;\*�PS\*�k2�\[E�e}��r;ﰆ���ż�2�y�j��#3�+G����\[i�M<�\*�;�|F��w�x��&�"���$�^l�\]���ُv=e혁��Z��f�u�%rm�qh�ﳞ�-����h�|�;���m�j�����pb�/��F�Pu���d���|G%s�"^�x�j��X���;�a� ��������;6�\`&�arS�$F�Wc�l�@�6�q��#\`^�{B+{�z/��.s8�~��)�g��6�ȹ&(C=ߕlJ��\_��=Ir�!����O�c�̃@.�w���\_}�<݋xG0c��xG�ś���"�7��t/��\_\`�t/:����߿��c�����!i8����\*���o\\���q�/"��\\��!Te�\*x�6��a|۰�MUX� endstream endobj 304 0 obj << /Length 1444 /Filter /FlateDecode >> stream x�͚Ms�6���<����9;�d�q#ez�sp-٣�%������~I2�3 A�|�� ���m&�ףW��Ogd2/�A��n2+�3&������E>\].V��}1F�����q\[����ÿU�����~ÕJ�u�����Ϸ�������C�WϊO������p�d��� ����������L �\]�wy�\*Ӥi��l:�u$�?��B"fր �O��7Z���:� �F��$d���@�B��ИFԖ�Zm�e��V��7�O ���L���&�Z�Y��dr�1(CUy�Ku��$��Ԇ����~�r7Z�I�~N�I˓W�o���.�Bg�g{��~x=��RH���UAqrwW���)\_l���R�nEo�Q.��Jjl\[k\_h��q�\]���\[o�㥔�OU\\�!����z���>�/������2Z�NY,�&�|��ެ8��W�-+o��UU�\_\\������bY�\]�E\*��P�o\*x���n�����j��JY���z^����ay\[��}&��r���� K�vߌM FϘ�N���NW~w�#!�ߡ�C����&B\[���g��h�C�g,=Ơ���6� �~& �X��(�PŢ��Ƿ��C�w셓��P�M|hU \_��\*|<��j�&��V�1���>e�x>��:�����\]pXB!�������JL �=�\`�x0Gcv� �̙��&D���G�r��!�#KB�^�;�O�Tz�=�ď��=/k�c���s���U؝�ع;�?��a�\`J����b\]lC��.-sʖa2$sHl��b���\]V �\`o�̛6��v>5s�c��0�y��Z��Ls)�ló�/)wڹ2\\�N\[#H������&HHQ��j�����&fO�iz ��RᎽ��WR8نh�\_Z���p=�E����.6�|z���2��6�� Z��Ѥ�ءNJ�B!�7+@�<�j��5������l�e^ ;�8mLLʟr���T��P����

CVE-2022-38773

The AI-based chatbot is allowing bad actors with absolutely no coding experience to develop malware.

Since OpenAI released ChatGPT in late November, many security experts have predicted it would only be a matter of time before cybercriminals began using the AI chatbot for writing malware and enabling other nefarious activities. Just weeks later, it looks like that time is already here.

In fact, researchers at Check Point Research (CPR) have reported spotting at least three instances where black hat hackers demonstrated, in underground forums, how they had leveraged ChatGPT's AI-smarts for malicious purposes.

By way of background, ChatGPT is an AI-powered prototype chatbot designed to help in a wide range of use cases, including code development and debugging. One of its main attractions is the ability for users to interact with the chatbot in a conversational manner and get assistance on everything from writing software to understanding complex topics, writing essays and emails, improving customer service, and testing different business or market scenarios.

But it can also be used for darker purposes.

**From Writing Malware to Creating a Dark Web Marketplace**

In one instance, a malware author disclosed in a forum used by other cybercriminals how he was experimenting with ChatGPT to see if he could recreate known malware strains and techniques.

As one example of his effort, the individual shared the code for a Python-based information stealer he developed using ChatGPT that can search for, copy, and exfiltrate 12 common file types, such as Office documents, PDFs, and images from an infected system. The same malware author also showed how he had used ChatGPT to write Java code for downloading the PuTTY SSH and telnet client, and running it covertly on a system via PowerShell.

On Dec. 21, a threat actor using the handle USDoD posted a Python script he generated with the chatbot for encrypting and decrypting data using the Blowfish and Twofish cryptographic algorithms. CPR researchers found that though the code could be used for entirely benign purposes, a threat actor could easily tweak it so it would run on a system without any user interaction — making it ransomware in the process. Unlike the author of the information stealer, USDoD appeared to have very limited technical skills and in fact claimed that the Python script he generated with ChatGPT was the very first script he had ever created, CPR said.

In the third instance, CPR researchers found a cybercriminal discussing how he had used ChatGPT to create an entirely automated Dark Web marketplace for trading stolen bank account and payment card data, malware tools, drugs, ammunition, and a variety of other illicit goods.

"To illustrate how to use ChatGPT for these purposes, the cybercriminal published a piece of code that uses third-party API to get up-to-date cryptocurrency (Monero, Bitcoin, and \[Ethereum\]) prices as part of the Dark Web market payment system," the security vendor noted.

**No Experience Needed**

Concerns over threat actors abusing ChatGPT have been rife ever since OpenAI released the AI tool in November, with many security researchers perceive the chatbot as significantly lowering the bar for writing malware.

Sergey Shykevich, threat intelligence group manager at Check Point, reiterates that with ChatGPT, a malicious actor needs to have no coding experience to write malware: "You should just know what functionality the malware — or any program — should have. ChatGTP will write the code for you that will execute the required functionality."

Thus, "the short-term concern is definitely about ChatGPT allowing low-skilled cybercriminals to develop malware," Shykevich says. "In the longer term, I assume that also more sophisticated cybercriminals will adopt ChatGPT to improve the efficiency of their activity, or to address different gaps they may have."

From an attacker’s perspective, code-generating AI systems allow malicious actors to easily bridge any skills gap they might have by serving as a sort of translator between languages, added Brad Hong, customer success manager at Horizon3ai. Such tools provide an on-demand means of creating templates of code relevant to an attacker's objectives and cuts down on the need for them to search through developer sites such as Stack Overflow and Git, Hong said in an emailed statement to Dark Reading.

Even prior to its discovery of threat actors abusing ChatGPT, Check Point — like some other security vendors — showed how adversaries could leverage the chatbot in malicious activities. In a Dec. 19 blog, the security vendor described how its researchers created a very plausible-sounding phishing email merely by asking ChatGPT to write one that appears to come from a fictional webhosting service. The researchers also demonstrated how they got ChatGPT to write VBS code they could paste into an Excel workbook for downloading an executable from a remote URL.

The goal of the exercise was to demonstrate how attackers could abuse artificial intelligence models such as ChatGPT to create a full infection chain right from the initial spear-phishing email to running a reverse shell on affected systems.

**Making It Harder for Cybercriminals**

OpenAI and other developers of similar tools have put in filters and controls — and are constantly improving them — to try to limit misuse of their technologies. And at least for the moment, the AI tools remain glitchy and prone to what many researchers have described as flat-out mistakes on occasion, which could thwart some malicious efforts. Even so, the potential for misuse of these technologies remains large over the long term, many have predicted.

To make it harder for criminals to misuse the technologies, developers will need to train and improve their AI engines to identify requests that can be used in a malicious way, Shykevich says. The other option is to implement authentication and authorization requirements in order to use the OpenAI engine, he says. Even something similar to what online financial institutions and payment systems currently use would be sufficient, he notes.

Attackers Are Already Exploiting ChatGPT to Write Malicious Code

By Deeba Ahmed
The attacks, according to Reuters' report, happened between August and September 2022. 
This is a post from HackRead.com Read the original post: Russian Hackers Targeted Three US Nuclear Research Labs

The Russian hackers from the Callisto group used fake login pages for each lab and sent emails to nuclear scientists to trick them into divulging their passwords.

In its latest report released this Friday, Reuters revealed surprising details of how a group of Russian hackers targeted three high-profile nuclear research laboratories.

As per Reuters research, the hacking group is known as Callisto (aka Cold River), and they managed to target the Argonne, Brookhaven, and Lawrence Livermore National Laboratories. On the other hand, at least five prominent cybersecurity experts second these findings.

It is worth noting that in December 2020, a group of Russian hackers were also blamed for targeting 40 agencies including US Nuclear Agency.

**When and How the Attacks Occurred?**

The attacks, according to Reuters’ report, happened between August and September 2022. That’s when Russian president Vladimir Putin claimed Russia intended to use nuclear weapons for its defence. So, it seems likely that the three labs were targeted to steal crucial information.

During their attack, the hackers used phishing techniques by creating fake login pages for each lab and sent emails to nuclear scientists to trick them into giving away their passwords. Researchers couldn’t determine why Callisto targeted these three labs and whether they succeeded in their attempts.

However, they did reveal that the attack occurred after United Nations (UN) experts entered Ukraine’s Russian-held territories to inspect the Russian-occupied Zaporizhzhia nuclear plant to assess the extent of fallout that could be caused by excessive shelling in its vicinity.

Malicious PDF files sent by Calisto (Image credit: Sekoia)

**About Callisto**

This hacking group first surfaced on the internet in 2016 when Britain’s Foreign Office was targeted. The group is known for targeting Western allies of Ukraine and has stepped up its hacks after the Russian invasion of Ukraine in February 2022.

The same group was also pointed out for targeting and leaking the emails of the former head of the British intelligence agency MI6. You can also read the group’s activities, analyzed by cyber security researchers at Sekoia, in their blog post.

Recently, Callisto has been involved in many prominent hacking incidents. Reuters connected the emails used by this group between 2015 and 2020 to Andrey Korinets, a Syktyvkar-based bodybuilder and IT expert.

However, when Reuters interviewed him, Korinets admitted using those emails but denied any connection with Callisto. Nonetheless, Billy Leonard from Google Threat Analysis Group claims they have verified Korinets as an active member of Callisto.

1.  Top US Federal Agencies Hacked by Russian Hackers
2.  Russian hackers hit Republican and Conservative leaders
3.  Russia Hackers Abusing BRc4 Red Team Penetration Tool
4.  Russian hackers hacked Department of Homeland Security
5.  SolarWinds Hack – US Blames Russian Intel Agency Hackers

Russian Hackers Targeted Three US Nuclear Research Labs

An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.

**New features**

**Custom record views**

You can now create custom views for your documents in the Overview tab of the Record View by writing template scripts. Learn more.

**Reporting**

Template scripts can also be used to generate reports from Elasticsearch documents in many different formats (PDF, HTML, Word and more) through integration with jsreport. Learn more.

**Filter to dashboard**

You now have the option to apply the filters from one dashboard to another dashboard associated to the same entity table. Learn more.

**Security fixes**

*   Upgraded Node.js to version 14.19.1. For the full list of fixes, see the 14.19.1 changelog.
    
*   Upgraded url-parse to version 1.5.9 to address CVE-2022-0691.
    
*   Upgraded prismjs to version 1.27.0 to address CVE-2022-23647.
    
*   Upgraded moment to version 2.29.2 to address GHSA-8hfj-j24r-96c4.
    

**Breaking Changes**

**Saved objects**

*   The index-pattern saved object type has been removed; the methods that were previously exposed by IndexPattern instances are now part of the SavedSearch interface.
    

**Migration to Babel 7**

*   Siren Investigate is now built with Babel 7; if you made any custom plugin it is recommended to test it on a pristine Siren Investigate 12.1 instance before upgrading.
    

**Deprecations**

**Discover**

*   The Discover application has been deprecated and will be removed in a future release. The buttons to create and save child searches from the Discover application have been removed.
    

**Improvements**

**Auditing**

*   Added a configuration option that allows customization of the Elasticsearch fields to be put in data export audit log entries. Learn more.
    

**Data model**

*   Enabled granular editing of relations in the Relations tab. When saving or deleting a relation the changes will now be applied immediately.
    
*   Improved the performance of the relations tab with a high number of relations.
    
*   Added a button to aggregate multiple relations between two entities into a single link showing the number of relations. In this mode, the individual relation names are displayed in a tooltip.
    
*   When transforming data it is now possible to test the transformation against any of the sample source documents.
    

**Dashboard**

*   It is now possible to use a visual date/time picker when creating filters on date fields.
    
*   When editing a visualization on a dashboard, you can now save it and return immediately to the dashboard by clicking on a **Save and return** button.
    
*   The tooltips showing data model explanations on 360 Dashboards are now enabled by default.
    
*   Modified 360 Dashboards to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Replaced the graph based widget to pick relations in the 360 Dashboard data model configuration with a simpler dropdown based widget.
    

**Record Table**

*   Added options to rearrange the columns of the table to the column context menu.
    

**Record view**

*   It is now possible to use a visual date/time picker when editing date fields.
    
*   It is now possible to add multiple values to a field when editing a document in the record view.
    

**Graph Browser**

*   Links that represent self relations on the same field are now automatically hidden when the source and the target are the same node.
    
*   Added explicit drag and drop handles to the lens listing.
    
*   Added an option to the Node to edge by fields lens configuration that allows you to automatically expand intermediate nodes when creating edge links.
    

**Relational Navigator**

*   Added a configuration option that allows you to group relations having the same label into a single button.
    
*   Modified the relation links to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Removed the automatic capitalization of relation links.
    

**Development**

*   The EUI library dependency has been upgraded to version 34.6.0 .
    

**Bug fixes**

**Auditing**

*   Fixed an issue that caused data requests initiated by the Graph Browser to be classified as count requests.
    
*   Fixed an issue that caused dataExport requests to be assigned to the HOME dataspace instead of the current one.
    

**Data Model**

*   Fixed an issue that prevented child searches from inheriting the search query and filters from their parent.
    
*   Suppressed an unnecessary warning which was appearing after saving changes to a child search.
    
*   Fixed an issue in the data import flow that caused leading zeroes in fields to be automatically stripped.
    

**Graph Browser**

*   Fixed an issue that caused nodes created by a time/location lens to not disappear when disabling the lens.
    
*   You can now use custom icons in node glyphs.
    
*   Fixed an issue that could cause a node to edge lens to not be applied automatically when adding nodes to the graph.
    
*   Fixed an issue that could cause a fatal error when switching between two dashboards with a Graph Browser visualization in map mode.
    
*   Fixed an issue that would cause all the nodes to be expanded when no checkbox was selected in the expansion dialog.
    
*   Adjusted the formula to determine the size of nodes at high zoom levels to minimize overlapping.
    
*   Fixed an issue that prevented the deletion of edges created by Node to edge by fields lens instances.
    
*   Fixed an issue that prevented opening the record view of nodes containing spaces in the _id field.
    

**Enhanced Coordinate Map**

*   Fixed an issue that would cause unnecessary rendering operations while changing the configuration of a visualization.
    

**Scripting**

*   Fixed an issue that could cause a fatal error when editing a script containing JSX fragments.
    

**Record Table**

*   Fixed an issue that caused a wrong search request to be generated after creating a negated filter having multiple values by holding CTRL/CMD.
    

**Dashboard**

*   Fixed an issue that caused a wrong confirmation dialog to appear after deleting a dashboard whilst in edit mode.
    
*   Fixed an issue that prevented nodes from being added to a Graph Browser visualization when dragging a dashboard with a modified state.
    
*   The explanation tooltip for visualizations in 360 Dashboards is now enabled by default following recent performance improvements.
    

**Miscellaneous**

*   Added the investigate_core.search.max_buckets configuration setting. This setting prevents aggregations with a large number of buckets from being processed by visualizations and freezing the browser. The default value of the setting is 1000.
    
*   Improved the Elasticsearch periodic health check to wait for the ACL index to be ready in addition to the main Siren Investigate index.

CVE-2022-47544: Release Notes :: SIREN DOCS

The financially motivated threat group, also known as OPERA1ER, demonstrated an evolution in tactics in its compromise of three Francophone financial institutions in Africa, likely adding to its $11 million to-date haul.

A criminal group, which has already stolen nearly $11 million by specializing in targeted attacks against the financial sector, has French-speaking African banks in its crosshairs in a recent campaign that demonstrates an evolution in tactics, researchers have found.

Bluebottle, aka OPERA1ER, compromised three different financial institutions in three separate African nations between mid-July and September, affecting multiple machines in all three organizations, researchers from Symantec revealed in a blog post published on Jan. 5.

Though it's unclear if the group was able to capitalize financially on the activity, it's significant because the different payloads and other tactics that Bluebottle used in the campaign vary from previous offensives by the group, Sylvester Segura, Symantec threat intelligence analyst, tells Dark Reading. 

In particular, Bluebottle used commodity malware GuLoader and malicious ISO files in the initial stages of the attack — which it hasn't done before — as well as abused kernel drivers with a signed driver that has been linked to other attacks such as ransomware, Segura says.

These "all indicate the Bluebottle group is keeping up to date with the tools and techniques that other threat actors are currently using," he says. "They may not be the most advanced, but this latest activity proves they are following attacker trends in tooling and techniques."

Indeed, the use of signed drivers in particular shows that Bluebottle — a financially motivated group first observed in 2019 — is aiming to up its game in this latest spate of activity, forcing enterprises to do the same in terms of defensive maneuvers, Segura says.

"More and more 'less advanced' attackers are aware of the impact they can have by disabling detection solutions through various means such as using signed drivers," he notes. "To prevent the trust we put in software like signed drivers from becoming a single point of failure, enterprises need to employ as many layers of detection and protection as they reasonably can."

**Keeping Up With Bluebottle****

Group-IB first began tracking Bluebottle, which it calls OPERA1ER, in activity that spanned from mid-2019 to 2021. During this period, the group stole at least $11 million in the course of 30 targeted attacks, researchers said in a report published in November. The group typically infiltrates a financial organization and moves laterally, scooping up credentials that it can use for fraudulent transfers and other funds-stealing activity.

The activity that Symantec observed started in mid-July, when researchers spotted job-themed malware on one of the infected systems, which they believe could have been the result of a spear-phishing campaign — though they said they are not certain of the group's initial point of entry.

"These likely acted as lures," researchers wrote in the post. "In some cases, the malware was named to trick the user into thinking it was a PDF file."

Symantec researchers linked the group to the previous OPERA1ER activity reported by Group-1B because it shared the same domain, used similar tools, included no custom malware, and also targeted Francophone nations in Africa, they said.

****Living Off the Land****

After noticing the job-themed malware, researchers then observed the deployment of a downloader before detecting the commercial Sharphound hacktool as well as a tool called fakelogonscreen, researchers said. Then, about three weeks after this initial compromise, researchers saw attackers using a command prompt and PsExec for lateral movement.

"It appears the attackers were 'hands on keyboard' at this point of the attack," researchers wrote in the post, using various dual-use and living-off-the-land (LotL) tools for a number of purposes during their occupation of the network.

These tools included Quser for user discovery, Ping for checking Internet connectivity, Ngrok for network tunneling, Net localgroup/add for adding users, the Fortinet VPN client most likely for a secondary access channel, Xcopy to copy RDP wrapper files, and Netsh to open port 3389 in the firewall, among several others.

As previously mentioned, Bluebottle also used commodity tools GuLoader as well as Mimikatz, Revealer Keylogger, Backdoor.Cobalt, Netwire RAT, and the malicious DLL and driver for killing processes during their activity, along with "multiple other unknown files," the researchers wrote.

Some of the tools — such as GuLoader — were deployed across all three victims; other activity linking the three victims included the use of the same .NET downloader, malicious driver, and at least one overlapping transfer\[.\]sh URL, they said.

Researchers observed the last activity on the compromised network in September; however, the Ngrok tunneling tool remained on the network until November, they said.

****How Enterprises Can Respond****

Since Bluebottle uses mainly commodity RATs and other malware in its activity, enterprises can mitigate attacks from this threat group by ensuring they have good endpoint protection against such threats, Segura says.

"Furthermore, an extended detection and response solution should also help detect their abuse of living off the land tools like PsExec during attempted lateral movement," he says.

Since Bluebottle typically goes after credentials immediately in its attacks for financial gain, multifactor authentication can also go a long way in helping enterprises protect accounts and monitor for suspicious account activity, Segura says.

Other steps enterprises can take to counter activity from Bluebottle specifically include allowing applications that "will help prevent the malicious use of dual-use tools like Ngrok, which they use for hiding their presence," he says.

"Finally, training employees to look out for phishing and other malicious emails is going to be crucial to prevent a group like this from intruding in the first place," Segura adds.

**

Bluebottle Continues Bank Heist Assault With Signed Malware

** DISPUTED ** The tf_remapper_node component 1.1.1 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior. This occurs because a topic name depends on the attacker-controlled old_tf_topic_name and/or new_tf_topic_name parameter. NOTE: the vendor's position is "it is the responsibility of the programmer to make sure that only known and required parameters are set and unexpected parameters are not."

Hi,

We notice that you are using topic names from ROS parameter at the following locations:  

this\->oldTfTopic, 100, &TfRemapperNode::oldTfCallback, this);

  

this\->remappedTfTopic, 100, this\->staticTf);

  

this\->remappedTfTopic, 100, &TfRemapperNode::remappedTfCallback, this);

  

this\->oldTfTopic, 100, this\->staticTf);

  
For security reasons detailed below, we strongly suggest avoiding the usage of strings from parameters as topic names.

Although parameters are usually set in parameter files, they can also be changed by nodes. Specifically, other nodes in the same ROS application can also change the parameters listed above before it’s used, either by accident or _intentionally_ (i.e., by potential attackers).  
Such changes can lead to disruption of the remapper functionality, as the input or the output tf topic is changed. Moreover, if an attacker exists, she can even change the tf message content by first fool the remapper to publish to a wrong topic like /tf_fake, and then forwarding messages from /tf_fake to /tf after modifying the message contents. Downstream functionalities like navigation will be affected, and severe consequences such as crashes may happen. Because ROS is an OSS (open-source software) community, third-party nodes are widely used in ROS applications, usually without complete vetting of their behavior, which gives the opportunity to potentially malicious actors to inject malicious code (e.g, by submitting hypocrite commits like in other OSS systems \[1\]) to infiltrate the ROS applications that use it (or software supply chain attacks, one of the primary means for real-world attackers today \[2\]).

We understand that using parameters to set topic names brings flexibility. Still, for the purpose of security, we strongly suggest that you avoid such vulnerable programming patterns if possible. For example, to avoid the exposure of this specific vulnerability, you may consider alternatives like remapping, which is designed for configuring names when launching the nodes.

\[1\] Q. Wu and K. Lu, “On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits,” 2021, https://linuxreviews.org/images/d/d9/OpenSourceInsecurity.pdf.  
\[2\] Supply chain attacks are the hacker’s new favourite weapon. and the threat is getting bigger. https://www.zdnet.com/article/supply-chain-attacks-are-the-hackers-new-favourite-weapon-and-the-threat-is-getting-bigger/.

CVE-2022-48217: Potential vulnerability: topic names from ROS parameters · Issue #1 · tradr-project/tf_remapper_cpp

Red Hat Security Advisory 2023-0016-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:0016-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0016  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-42856  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to an  
arbitrary code execution (CVE-2022-42856)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.36.7-1.el8_7.1.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42856  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7VWL9zjgjWX9erEAQg3Gw//e0sGMYczRnNrkhBxX5J4lP7xUO+/+Pnk  
+ncXuaQpC5qToXl3w/YspsBZ8YCmNTso0WqIZjovsAbAQGgtAHh9tyrtheWkLiEf  
4dS4wocfSQOFjcmrNLVc+hECWUz9RfVuyt758uRzz/pLgKXgrIlVVnMhLk5qCYWD  
gkwYhOHBnWE1iRHVMgdFjwcsk7/V1Pcv3jGjGwy4anK+YbcWpEvHTOyT4E5gO5oj  
Fl6RU3M+cKDOcg5Uxmn5d1/MvWBvQOCu8RvJy5GPdfhZjoiWJKn43pS94Yz8RaMR  
MMa2txkibrcDalMzcFzGdWMcjnCrp30imqzrEdUbs0qeSXUgSjSUN2EEcSSOjnge  
MhkEbZTFHdGakJxWSLXLHP3YC7eJMrawDTzfUotVoQpw6uBNFZQeCrhP25gsTff3  
OSj/m3bCHSOlGZ7gVAFdLuHIomZHU6di66EFeSVIh56ukriNUkDfG3/3v8VYpSY6  
7F0PdLbbw5kW0VfOwuMrznRpzC1Vl2+r7hKBw+WqnYDr8xcI8CgObz+D64JXO3WX  
kFP9NqFYB9M4+5fB9SGcZ+0DUIPpf5w6qB4Wb+3k3IdYLXutUH61/2dCFnTxevKv  
EkVv+aTEcGDnyTgWV8FOTWXGhUBoCYgUbAHYxIbTX3TtIaMesZennJPRvQa63QAc  
nJngrnwCTog=+XpK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0016-01

A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The name of the patch is ac5590925874ef810018a6b60fec216eee54fb32. It is recommended to apply a patch to fix this issue. VDB-217054 is the identifier assigned to this vulnerability.

Tag

#pdf