Confidentiality and authentication flaws uncovered by researchers

Emma Woollacott 04 October 2022 at 14:49 UTC  
Updated: 04 October 2022 at 16:00 UTC

Confidentiality and authentication flaws uncovered by researchers

Matrix has patched five serious vulnerabilities in its end-to-end encryption that break the confidentiality and authentication of messages.

The flaws would allow a malicious server to read user messages and impersonate devices.

Matrix currently has 69 million accounts in total, spread over around 100,000 servers. The technology provides a federated communication protocol, allowing clients with accounts on different Matrix servers – their homeservers – to exchange messages across the entire ecosystem.

The platform enables end-to-end encryption by default.

However, four researchers – Martin Albrecht of the Royal Holloway, University of London, Sofía Celi of Brave Software, Benjamin Dowling of the University of Sheffield, and Daniel Jones of the University of London – have demonstrated (PDF) five practically-exploitable flaws.

**Fairly straightforward**

The vulnerabilities, two of which are rated critical, undermine assurances of authentication and confidentiality normally offered by the Matrix platform.

"All our attacks require a malicious homeserver – the server where users create accounts – i.e., no external party could mount them because all Matrix communication between clients and servers and between servers for federation are protected by TLS," Albrecht told The Daily Swig.

Catch up with the latest encryption-related news and analysis

"Now, for a malicious homeserver, carrying out these attacks would have been easy. We have implemented proof-of-concept attacks for the vulnerabilities we reported, and these \[are\] usually fairly straightforward."

The first critical vulnerability, CVE-2022-39250, is key/device identifier confusion in SAS verification, a bug in matrix-js-sdk that confuses device IDs and cross-signing keys. “This could be exploited by a malicious server admin to break emoji-based verification when cross-signing is in use, authenticating themselves rather than the target user,” according to a security notice by the developers of Matrix.

The other critically-rate flaw, CVE-2022-39251, is a protocol-confusion bug that incorrectly accepts to-device messages encrypted by Megolm rather than Olm, attributing them to the Megolm sender rather than the actual sender. The vulnerability potentially allows an attacker to send fake keys in order to spoof historical messages from other users.

In addition, the flaw creates a means to add a malicious key backup to a user’s account in order to exfiltrate message keys. Matrix’s developers said this attack scenario, which would require certain unusual preconditions, has not been detected in the wild.

**Impersonation attack**

Meanwhile, a semi-trusted impersonation attack exploits a lack of verification in Element in order to send attacker-controlled Megolm sessions to a target device, falsely posing as a session of the device they wish to impersonate.

Another vulnerability allows a malicious homeserver to add users under their control to end-to-end encrypted rooms – where they can then decrypt future messages sent in the room. This happens because room management messages aren’t authenticated in the Matrix specification, meaning they can be faked by a rogue homeserver.

Lastly Matrix’s use of AES-CTR to encrypt attachments, secrets, and symmetric key backups was faulted for lacking cryptographical rigour. Not good but, as the researchers acknowledge, this IND-CCA break falls short of anything that would result in a practical attack.

The researchers conclude that some of the vulnerabilities reside in the Matrix protocol itself, saying that they highlight the need for a systematic and formal analysis of the cryptography in the Matrix standard.

**Enter the Matrix**

However, the developers of Matrix dispute this.

"We consider the protocol itself to be sound and our security processes to be robust," Matthew Hodgson, co-founder and project lead for Matrix and CEO/CTO at Element, told The Daily Swig.

"For instance, we’re currently in the middle of a series of public, independent audits of our next-gen SDKs \[software development kits\] from Least Authority, and it’s worth noting that our next-gen implementations are not vulnerable to the implementation bugs in question here."

Albrecht responded: "The Matrix developers have shared with us their plans for addressing the issues we argued about, so we are hopeful that eventually the right outcome – Matrix achieving the security guarantees that it promises – will be achieved."

Element offers the flagship client and prototype implementation of Matrix.

RELATED Let’s Encrypt builds infrastructure to support browser-based certificate revocation revival

Matrix address flaws that break message encryption assurances

Parsing a maliciously crafted X_B file can force Autodesk AutoCAD 2023 and 2022 to read beyond allocated boundaries. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

**Summary**

Multiple Autodesk AutoCAD and AutoCAD-based products have been affected by Out-of-bound Read, Out-of-bound Write, Use of Uninitialized Variable, Heap based Buffer Overflow, and Memory Corruption vulnerabilities.

**Description**

The details of the vulnerabilities are as follows:

1) CVE-2022-33884 - Parsing a maliciously crafted X\_B file can force Autodesk AutoCAD 2023 and 2022 to read beyond allocated boundaries. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

2) CVE-2022-33885 - A maliciously crafted X\_B, CATIA, and PDF file when parsed through Autodesk AutoCAD 2023 and 2022 can be used to write beyond the allocated buffer. This vulnerability can lead to arbitrary code execution.

3) CVE-2022-33886 - A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. An attacker can leverage this vulnerability to execute arbitrary code.

4) CVE-2022-33887 - A maliciously crafted PDF file when parsed through Autodesk AutoCAD 2023 causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code in the context of the current process.

5) CVE-2022-33888 - A malicious crafted Dwg2Spd file when processed through Autodesk DWG application could lead to memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.

**Affected Products**

**Item**

**Impacted Versions**

**Mitigated Versions**

**Update Source**

Autodesk® AutoCAD®

2023, 2022

2023.1.1, 2022.1.3

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Architecture

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Electrical

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Map 3D

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Mechanical

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® MEP

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® Plant 3D

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® AutoCAD® LT

2023, 2022

2023.1.1, 2022.1.3

Autodesk Desktop App, or Accounts Portal

Autodesk® Civil 3D®

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

Autodesk® Advance Steel

2023, 2022

2023.1.1, 2022.1.3\*\*

Autodesk Desktop App, or Accounts Portal

_\*Note: Product list table contents subject to change._

_\*\* Note: Users of Autodesk Advance Steel, Autodesk Civil 3D, and the specialized toolsets of AutoCAD need to install either the AutoCAD product update(s) listed above or a more recent product version. These security fixes are not included in the updates specific to individual toolsets._

**Recommendations**

Autodesk strongly recommends users of the 2022 and 2023 versions of Autodesk® Advance Steel, Autodesk® Civil 3D®, AutoCAD®, AutoCAD® LT, and AutoCAD-based specialized toolsets listed in the table above to install the latest AutoCAD® or AutoCAD LT 2023 and 2022 updates, as applicable, via the Autodesk Desktop App or the Accounts Portal.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

**Acknowledgements**

We would like to thank the following for reporting the relevant issues and for working with Autodesk to help protect our customers:

*   Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2022-33884, CVE-2022-33885, CVE-2022-33887
*   Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative for reporting CVE-2022-33886
*   Kushal Arvind Shah of Fortinet's FortiGuard Labs for reporting CVE-2022-33888

**Revision History**

**Revision**

**Date**

**Description**

1.0

9/22/2022

Initial Release of the Security Advisory

_Disclaimer_

_ANY AND ALL INFORMATION, CONTENT AND MATERIALS IN THIS DOCUMENT AND ANY PRODUCTS, SERVICES OR GRAPHICS PROVIDED BY OR OBTAINED THROUGH THIS SITE (INCLUDING WITHOUT LIMITATION ANY THIRD PARTY PRODUCTS AND SERVICES) ARE PROVIDED “AS IS” AT YOUR OWN RISK AND WITHOUT ANY WARRANTIES. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT._

_© 2022, Autodesk, Inc._

CVE-2022-33884: Security Advisories | Autodesk Trust Center

‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement

‘ProxyNotShell’ abuse less severe than 2021 attack wave due to authentication requirement

Microsoft is developing a patch for two actively exploited zero-day vulnerabilities in Microsoft Exchange Server.

The flaws, tracked as CVE-2022-41040 and CVE-2022-41082, were discovered in Microsoft’s enterprise mail server by Vietnamese cybersecurity firm GTSC. Microsoft said it is aware of “a small number of targeted attacks” exploiting the flaws, which impact on-prem Microsoft Exchange Server versions 2013, 2016, and 2019.

The bugs appear to be less dangerous variants – on account of authentication to PowerShell being required – of the critical ProxyShell vulnerabilities that were widely abused in 2021.

**RCE chain**

In GTSC's original security advisory, researchers said they discovered an attack on “critical” infrastructure made through Exchange Server in August.

The first vulnerability, CVE-2022-41040 (CVSS 8.8), is a server-side request forgery (SSRF) issue. When triggered remotely to launch CVE-2022-41082 (CVSS 6.3), the bug could result in remote code execution (RCE).

Catch up of the latest enterprise security news

As the vulnerabilities are yet to be patched, the full technical details have not been released – but proof-of-concept (PoC) code is expected to appear soon.

GTSC informed Trend Micro’s Zero Day Initiative (ZDI) of its findings. After ZDI verified the flaws and reached out to the Microsoft Security Response Center (MSRC), the Redmond giant confirmed the report and published an analysis of attacks exploiting the flaws.

“Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately,” Microsoft noted.

Unfortunately, the authentication required is nothing more than a standard user. As a result, cybercriminals could obtain these credentials via theft, credential stuffing, and brute-force attacks.

**State-sponsored attacks**

According to Microsoft, fewer than 10 organizations worldwide have been targeted by what is likely a “state-sponsored organization”.

GTSC researchers said there are indicators that a Chinese threat group is leveraging Antsword, a Chinese cross-platform website management suite with web shell functionality.

China Chopper, a web shell, has apparently been used to perform Active Directory reconnaissance and data exfiltration. If this sounds familiar, the same web shell was used in attacks exploiting Exchange Server zero-day vulnerabilities in 2021. These attacks were attributed to the state-sponsored Chinese threat group HAFNIUM.

BACKGROUND ‘A whole new attack surface’ – Researcher Orange Tsai documents ProxyLogon exploits against Microsoft Exchange Server

Security researcher Kevin Beaumont has noted similarities between the paths used by the new bugs, which he has dubbed ‘ProxyNotShell’, and the zero days from last year.

Devcore researcher Orange Tsai, who discovered the original, ProxyShell flaws, suggested in a talk at Black Hat USA (PDF) last year that fundamental path confusion issues could see further ProxyShell variants emerge – a prediction that has now come to pass.

**Mitigation advice**

Microsoft has released customer guidance for mitigating the new bugs while it works on a patch.

The company is urging customers to disable remote PowerShell access for non-administrators immediately. If the Exchange Emergency Mitigation Service (EEMS) is enabled, further mitigations will be applied automatically.

According to the tech giant, Exchange Online customers do not need to take any action. However, Beaumont has queried the wisdom of this statement, given that Microsoft Exchange Online migration involves using hybrid, internet-facing Exchange servers.

“It is expected that similar threats and overall exploitation of these vulnerabilities will increase, as security researchers and cybercriminals adopt the published research into their toolkits and proof of concept code becomes available,” Microsoft commented.

CISA has added the two zero-days to the Known Exploited Vulnerabilities Catalog.

Microsoft told The Daily Swig that the company has nothing further to share beyond the published advisories.

YOU MIGHT ALSO LIKE #AttachMe Oracle cloud bug exposed volumes to data theft, hijack

Microsoft confirms zero-day exploits against Exchange Server in ‘limited’ attacks

By Waqas
The hacker group is called ZINC, and its primary targets are organizations in the aerospace, media, IT services, and defense sectors.
This is a post from HackRead.com Read the original post: NK Hackers Lacing Legit Software with Malware

Microsoft threat hunters discovered a new phishing campaign launched by a North Korean government-backed hacking group involving the use of weaponized open-source software. The malware is laced with extensive capabilities, including data theft, spying, network disruption, and financial gains.

**Well-known Software Used in Phishing Campaign**

In the new campaign, hackers are weaponizing famous open-source software, and their primary targets are organizations in the aerospace, media, IT services, and defense sectors.

In its report published on Thursday, Microsoft stated that the hackers are a sub-division of the notorious Lazarus hacking group called ZINC. This group has injected encrypted code in several open-source apps, including KiTTY, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers, eventually leading to espionage malware being installed as ZetaNile.

For your information, ZINC is the same group that successfully conducted the highly destructive Sony Pictures Entertainment compromise in 2014.

**LinkedIn Abused to Lure Targets**

The researchers have referred to the attackers as highly dangerous, operational, and sophisticated nation-state actors abusing the LinkedIn networking portal to hunt for targets. The crooks use the network to connect and befriend employees of their selected organizations. Their targets are based in India, Russia, the UK, and the USA.

The campaign started in June 2022, whereby ZINC used conventional social engineering tactics to search and connect with individuals and gain their trust before switching the conversation to WhatsApp. Once this is achieved, they deliver the malicious payloads.

LinkedIn’s threat prevention and defense team confirmed detecting fake profiles created by North Korean actors impersonating recruiters working at prominent media, defense, and tech firms. They want to lure targets away from LinkedIn and move them to WhatsApp.

It is worth noting that LinkedIn is owned by Microsoft Corporation since 2016.

One of the fraudulent recruiter profiles on Linkedin used in the campaign (Image: Microsoft)

**Attach Methodology Explained**

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the trojanized KiTTY and PuTTY apps use an intelligent tactic to ensure that only selected targets are infected with malware and not others.

To achieve this, the app installers don’t execute malicious code. The malware is installed only when the apps connect to a particular IP address and use login credentials given to the targets by fake recruiters.

The threat actors also use DLL search order hijacking to load and decrypt a second-stage payload when this key 0CE1241A44557AA438F27BC6D4ACA246 is presented for command and control.

Additional malware is installed when the connection is established with the C2 server. Both apps work in the same manner. Similarly, TightVNC Viewer installs the final payload after the user selects ec2-aet-tech.w-adaamazonaws from a dropdown menu of remote hosts in the app.

Microsoft is urging the cybersecurity community to pay attention to this threat, given its extensive usage and use of legit software products. Moreover, it threatens users and organizations across multiple regions and sectors.

**More NK Hackers News**

1.  North Korean Hackers Posing as IT Workers
2.  How Bad is the North Korean Cyber Threat?
3.  NK hackers stole $1.7B from crypto exchanges
4.  Lazarus using AppleJeus MacOS malware for crypto
5.  LAZARUS Using TraderTraitor Malware to Target Blockchain

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

NK Hackers Lacing Legit Software with Malware

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the 'shell.openExternal' function.

CVE-2022-40277: GitHub - laurent22/joplin: Joplin - an open source note taking and to-do application with synchronisation capabilities for Windows, macOS, Linux, Android and iOS.

Gentoo Linux Security Advisory 202209-21 - A vulnerability has been discovered in Poppler which could allow for arbitrary code execution. Versions less than 22.09.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Poppler: Arbitrary Code Execution  
     Date: September 29, 2022  
     Bugs: #867958  
       ID: 202209-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Poppler which could allow for  
arbitrary code execution.

Background  
=========  
Poppler is a PDF rendering library based on the xpdf-3.0 code base.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-text/poppler           < 22.09.0                  >= 22.09.0

Description  
==========  
Multiple vulnerabilities have been discovered in Poppler. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Processing a specially crafted PDF file or JBIG2 image could lead to a  
crash or the execution of arbitrary code.

Workaround  
=========  
Avoid opening untrusted PDFs.

Resolution  
=========  
All Poppler users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/poppler-22.09.0"

References  
=========  
[ 1 ] CVE-2021-30860  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30860  
[ 2 ] CVE-2022-38784  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38784

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-21

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-21

The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks.

Researchers have discovered the cyberattack group behind the SolarMarker malware targeting a global tax consulting organization with a presence in the US, Canada, the UK, and Europe, which is using fake Chrome browser updates as part of watering hole attacks.  

It's a new approach for the group, replacing its previous method of search engine optimization (SEO) poisoning, also known as spamdexing.

SolarMarker is multistage malware which can exfiltrate autofill data, saved passwords, and saved credit card information from victims' Web browsers.

**Preparation for a Wider Attack?**

According to an advisory published by eSentire's Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer's website, which was built with the popular open source content management system WordPress.

The victim was an employee of a tax consulting organization and searched for the manufacturer by name on Google.

"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.

"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."

It is unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has only observed a single infection of this vector type — previous SolarMarker attacks used SEO poisoning to hit people who searched online for free templates of popular business documents and business forms.

**Monitor Endpoints, Raise Employee Awareness**

The TRU advisory outlines four key steps organizations can take to reduce the impact of these kinds of attacks, including raising employee awareness regarding browser updates that occur automatically, and avoiding downloading files from unknown sites.

"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."

The advisory also recommended more vigilant endpoint monitoring, which TRU adds will require more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to bolster the organization's overall defense posture.

**SolarMarker Campaigns Back After Dormant Period**

The .NET malware was first discovered in 2020 and is typically spread via a PowerShell installer, with information-gathering capabilities and a backdoor.

In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a common pattern: using SEO techniques, the cybercriminals managed to place links to websites with Trojanized content in the search results of several search engines.

A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs rigged with backdoors.

SolarMarker Attack Leverages Weak WordPress Sites, Fake Chrome Browser Updates

A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022.
Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to Zinc, which is

A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022.

Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to **Zinc**, which is also tracked under the names Labyrinth Chollima.

Attacks targeted employees in organizations across multiple industries, including media, defense and aerospace, and IT services in the U.S., the U.K., India, and Russia.

The tech giant said it observed Zinc leveraging a "wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks."

According to CrowdStrike, Zinc "has been active since 2009 in operations aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries and conducting currency generation campaigns."

The latest findings dovetail with a recent report from Google-owned Mandiant, which uncovered the adversary's use of PuTTY via fraudulent job lures shared with potential targets on LinkedIn as part of a campaign dubbed Operation Dream Job.

This involves establishing initial connections with individuals by posing as recruitment professionals as a trust-building exercise, before moving the conversation to WhatsApp, where a tailored lure document or seemingly benign software is shared, effectively activating the infection sequence.

A successful compromise is followed by the threat actor moving laterally across the network and exfiltrating collected information of interest by deploying a backdoor called ZetaNile (aka BLINDINGCAN OR AIRDRY).

But in a bid to evade security defenses and avoid raising red flags, the implant is downloaded only when the victim uses the SSH clients to connect to a particular IP address through the credentials specified in a separate text file.

Likewise, attacks employing the trojanized version of TightVNC Viewer are configured to install the backdoor only when the user selects a particular remote host from the options provided.

"Zinc attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction," the company said.

"Zinc attacks bear many hallmarks of state-sponsored activities, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

An issue was discovered in Xpdf 4.04. There is a crash in gfseek(_IO_FILE*, long, int) in goo/gfile.cc.

Current version: 4.04  
Released: 2022 Apr 18

The GPG/PGP key used to sign the packages is available here, or from the PGP keyservers (search for xpdf@xpdfreader.com).

**Download XpdfReader:**

*   Linux 32-bit: download (GPG signature)
*   Linux 64-bit: download (GPG signature)
*   Windows 32-bit (Win 7 and newer): download (GPG signature)
*   Windows 64-bit (Win 7 and newer): download (GPG signature)

**Download the Xpdf command line tools:**

*   Linux 32/64-bit: download (GPG signature)
*   Windows 32/64-bit (Win 7 and newer): download (GPG signature)
*   Mac 64-bit: download (GPG signature)

**Download the Xpdf source code:**

*   source code (GPG signature)
    *   fixed URL for latest version (for automated mirroring, etc.)
*   Apache-licensed modules (GPG signature)
*   old versions

**Download fonts:**

*   Type 1 fonts - Symbol and Zapf Dingbats

**Download language support packages for Xpdf:**

*   Arabic \[updated 2011-Aug-15\]
*   Chinese/simplified \[updated 2020-Dec-22\]
*   Chinese/traditional \[updated 2020-Dec-22\]
*   Cyrillic \[updated 2011-Aug-15\]
*   Greek \[updated 2011-Aug-15\]
*   Hebrew \[updated 2011-Aug-15\]
*   Japanese \[updated 2020-Dec-22\]
*   Korean \[updated 2020-Dec-22\]
*   Latin2 \[updated 2011-Aug-15\]
*   Thai \[updated 2011-Aug-15\]
*   Turkish \[updated 2011-Aug-15\]

**Xpdf and XpdfReader use the following open source libraries:**

*   Qt - download Qt 5.9.7
*   FreeType - download FreeType 2.12.0
*   libpng - download libpng 1.6.35
*   zlib - download zlib 1.2.12
*   Little CMS - download lcms 2.12

CVE-2022-41842: Download Xpdf and XpdfReader

An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.

ycdxsb

**Posts:** 2

**Joined:** Wed Jul 13, 2022 2:09 am

**segmemtation fault at xpdf-4.04/xpdf/AcroForm.cc:538**

version:4.04  
reproduce: pdftotext poc.pdf

Code: Select all

    pwndbg> bt
    #0  0x000055555561d7c9 in gAtomicIncrement (counter=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at /root/xpdf-4.04/goo/GMutex.h:67
    #1  0x000055555561d832 in Dict::incRef (this=0x5555557d1960) at /root/xpdf-4.04/xpdf/Dict.h:40
    #2  0x000055555568a4d5 in Object::copy (this=0x5555557b7bc8, obj=0x7fffff7ff1b0) at /root/xpdf-4.04/xpdf/Object.cc:93
    #3  0x00005555556b2f47 in XRef::fetch (this=0x5555557b74e0, num=233, gen=0, obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/XRef.cc:1212
    #4  0x000055555568a575 in Object::fetch (this=0x5555557cfaf8, xref=0x5555557b74e0, obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/Object.cc:116
    #5  0x000055555561d6b1 in Dict::lookup (this=0x5555557cebb0, key=0x5555556dd841 "Parent", obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/Dict.cc:125
    #6  0x000055555568b126 in Object::dictLookup (this=0x7fffff7ff1c0, key=0x5555556dd841 "Parent", obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/Object.h:267
    #7  0x00005555555fad06 in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff250) at /root/xpdf-4.04/xpdf/AcroForm.cc:538
    #8  0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff2d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #9  0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff350) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #10 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff3d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #11 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff450) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #12 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff4d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #13 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff550) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #14 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff5d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548

Attachments

poc.pdf.zip

(30.31 KiB) Downloaded 121 times

Tag

#pdf