An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.

**New features**

**Custom record views**

You can now create custom views for your documents in the Overview tab of the Record View by writing template scripts. Learn more.

**Reporting**

Template scripts can also be used to generate reports from Elasticsearch documents in many different formats (PDF, HTML, Word and more) through integration with jsreport. Learn more.

**Filter to dashboard**

You now have the option to apply the filters from one dashboard to another dashboard associated to the same entity table. Learn more.

**Security fixes**

*   Upgraded Node.js to version 14.19.1. For the full list of fixes, see the 14.19.1 changelog.
    
*   Upgraded url-parse to version 1.5.9 to address CVE-2022-0691.
    
*   Upgraded prismjs to version 1.27.0 to address CVE-2022-23647.
    
*   Upgraded moment to version 2.29.2 to address GHSA-8hfj-j24r-96c4.
    

**Breaking Changes**

**Saved objects**

*   The index-pattern saved object type has been removed; the methods that were previously exposed by IndexPattern instances are now part of the SavedSearch interface.
    

**Migration to Babel 7**

*   Siren Investigate is now built with Babel 7; if you made any custom plugin it is recommended to test it on a pristine Siren Investigate 12.1 instance before upgrading.
    

**Deprecations**

**Discover**

*   The Discover application has been deprecated and will be removed in a future release. The buttons to create and save child searches from the Discover application have been removed.
    

**Improvements**

**Auditing**

*   Added a configuration option that allows customization of the Elasticsearch fields to be put in data export audit log entries. Learn more.
    

**Data model**

*   Enabled granular editing of relations in the Relations tab. When saving or deleting a relation the changes will now be applied immediately.
    
*   Improved the performance of the relations tab with a high number of relations.
    
*   Added a button to aggregate multiple relations between two entities into a single link showing the number of relations. In this mode, the individual relation names are displayed in a tooltip.
    
*   When transforming data it is now possible to test the transformation against any of the sample source documents.
    

**Dashboard**

*   It is now possible to use a visual date/time picker when creating filters on date fields.
    
*   When editing a visualization on a dashboard, you can now save it and return immediately to the dashboard by clicking on a **Save and return** button.
    
*   The tooltips showing data model explanations on 360 Dashboards are now enabled by default.
    
*   Modified 360 Dashboards to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Replaced the graph based widget to pick relations in the 360 Dashboard data model configuration with a simpler dropdown based widget.
    

**Record Table**

*   Added options to rearrange the columns of the table to the column context menu.
    

**Record view**

*   It is now possible to use a visual date/time picker when editing date fields.
    
*   It is now possible to add multiple values to a field when editing a document in the record view.
    

**Graph Browser**

*   Links that represent self relations on the same field are now automatically hidden when the source and the target are the same node.
    
*   Added explicit drag and drop handles to the lens listing.
    
*   Added an option to the Node to edge by fields lens configuration that allows you to automatically expand intermediate nodes when creating edge links.
    

**Relational Navigator**

*   Added a configuration option that allows you to group relations having the same label into a single button.
    
*   Modified the relation links to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Removed the automatic capitalization of relation links.
    

**Development**

*   The EUI library dependency has been upgraded to version 34.6.0 .
    

**Bug fixes**

**Auditing**

*   Fixed an issue that caused data requests initiated by the Graph Browser to be classified as count requests.
    
*   Fixed an issue that caused dataExport requests to be assigned to the HOME dataspace instead of the current one.
    

**Data Model**

*   Fixed an issue that prevented child searches from inheriting the search query and filters from their parent.
    
*   Suppressed an unnecessary warning which was appearing after saving changes to a child search.
    
*   Fixed an issue in the data import flow that caused leading zeroes in fields to be automatically stripped.
    

**Graph Browser**

*   Fixed an issue that caused nodes created by a time/location lens to not disappear when disabling the lens.
    
*   You can now use custom icons in node glyphs.
    
*   Fixed an issue that could cause a node to edge lens to not be applied automatically when adding nodes to the graph.
    
*   Fixed an issue that could cause a fatal error when switching between two dashboards with a Graph Browser visualization in map mode.
    
*   Fixed an issue that would cause all the nodes to be expanded when no checkbox was selected in the expansion dialog.
    
*   Adjusted the formula to determine the size of nodes at high zoom levels to minimize overlapping.
    
*   Fixed an issue that prevented the deletion of edges created by Node to edge by fields lens instances.
    
*   Fixed an issue that prevented opening the record view of nodes containing spaces in the _id field.
    

**Enhanced Coordinate Map**

*   Fixed an issue that would cause unnecessary rendering operations while changing the configuration of a visualization.
    

**Scripting**

*   Fixed an issue that could cause a fatal error when editing a script containing JSX fragments.
    

**Record Table**

*   Fixed an issue that caused a wrong search request to be generated after creating a negated filter having multiple values by holding CTRL/CMD.
    

**Dashboard**

*   Fixed an issue that caused a wrong confirmation dialog to appear after deleting a dashboard whilst in edit mode.
    
*   Fixed an issue that prevented nodes from being added to a Graph Browser visualization when dragging a dashboard with a modified state.
    
*   The explanation tooltip for visualizations in 360 Dashboards is now enabled by default following recent performance improvements.
    

**Miscellaneous**

*   Added the investigate_core.search.max_buckets configuration setting. This setting prevents aggregations with a large number of buckets from being processed by visualizations and freezing the browser. The default value of the setting is 1000.
    
*   Improved the Elasticsearch periodic health check to wait for the ACL index to be ready in addition to the main Siren Investigate index.

CVE-2022-47544: Release Notes :: SIREN DOCS

The infamous, FSB-connected Turla group took over other hackers' servers, exploiting their USB drive malware for targeted espionage.

The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of _other_ hackers to piggyback on their infections and stealthily choose their spying targets.

Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.

That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. And it shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious breach of a network in Ukraine, a country that’s become a primary focus of all Kremlin intel services after Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

“By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla’s malware. But the company suspects that there were likely more. Hultquist warns there’s no reason to believe the stealthy targeted spying that piggybacked off Andromeda’s USB infections would be limited to just one target, or even to just Ukraine. “Turla has a global intelligence collection mandate,” he says.

Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, Britain’s GCHQ intelligence agency warned that Turla had silently commandeered Iranian hackers’ servers to conceal themselves and confuse detectives trying to identify them.

Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have traced its fingerprints all the way back to Moonlight Maze, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department’s cybersecurity after the group’s embarrassing USB-based breach.

Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.

Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections

DevOps platform warns customers of a "security incident" under investigation.

DevOps platform CircleCI is warning users of its continuous integration and deployment (CI/CD) to "immediately" rotate all secrets — think passwords, API keys, SSH keys, configuration files, OAuth tokens, etc. — stored on the platform in the wake of a security incident under investigation at the company.

In a blog post this week, Ron Zuber, CTO of CircleCI, urged customers to first rotate all secrets stored "in project environment variables or in contexts" and then check internal logs for signs of "unauthorized access" from Dec. 21, 2022, and up to the date of rotation.

"Additionally, if your project uses Project API tokens, we have invalidated those and you will need to replace them. You can find more information on how to do that in our documentation here," Zuber said.

The company is continuing to investigate the security breach and plans to provide more details as they emerge. "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well," Zuber wrote.

Meanwhile, CI/CD services have become a popular target of cryptominers for deploying code and setting up cloud-based mining platforms, a recent report from Sysdig found.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CircleCI: Rotate Stored Secrets ASAP

Amid internet shutdowns in Iran, the encrypted messaging app is introducing proxy connections that can help people get online.

When repressive governments want to control their populations, citizens’ access to the internet is often one of the first things to go. Since 2016, 74 countries around the world have shut down the internet for tens of millions of people more than 900 times. In recent years, Iran shut down the internet to hide brutality against protesters. Russia rapidly increased its censorship after its full-scale invasion of Ukraine. And internet curfews in Myanmar left people in information blackouts. 

Internet shutdowns, at their worst, can involve connections being completely shut, while censorship measures can block access to specific websites or apps. Disrupting the internet is widely considered a tactic to undermine people’s human rights. There are multiple ways people can try to dodge censorship and internet shutdowns—although, there’s no one simple way to restore connectivity for millions of people at once.

Tools to help people get around censorship are increasing. Today, WhatsApp—Meta’s end-to-end encrypted messenger that’s used by more than 2 billion people a month—is expanding its anti-censorship measures.

In particular, the company is making it possible for people facing censorship to use WhatsApp through proxy connections, potentially allowing them to communicate when a country has blocked the app. “Choosing a proxy enables you to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely,” the company says in a blog post announcing the feature.

Proxies can help people avoid censorship by essentially disguising their traffic. If WhatsApp is blocked in a country, for example, officials doing the blocking are likely to stop devices communicating with WhatsApp’s infrastructure. When someone connects to a proxy server, their traffic is routed through this server before being passed to WhatsApp. The extra step dodges filters and blocks that may have been put in place.

Natalia Krapiva, tech legal counsel at internet rights nonprofit Access Now, says Meta’s tool is a step in the right direction. “WhatsApp can be viewed as a critical infrastructure in many countries, so when it goes offline, either because of targeted blockings or blanket internet shutdowns, people suffer as they are left unable to communicate and access life-saving information during critical events and crises,” Krapiva says. WhatsApp says its encryption, which ensures nobody can snoop on your messages, including Meta, isn’t impacted by using a proxy.

WhatsApp isn’t the first messaging platform to allow proxy connections, but the platform’s scale makes it significant. Encrypted chat app Signal also allows people to set up and run proxy servers. It launched the service for Android in February 2021 and then on iOS in September 2022, both in response to Iran’s blocking of Signal.

WhatsApp says it is also launching proxy connections now because of the ongoing internet disruption in Iran. The country has been shutting down the internet for several months, following nationwide protests over the death of 22-year-old Mahsa Amini, who died in police custody. Iran’s internet blackouts and blocking of services, including WhatsApp, have further crippled its economy and drawn international scorn. (Analysts forecast that internet shutdowns cost the world $24 billion in 2022.)

The company says it started putting the capability for proxies to be used in WhatsApp in the final few months of 2022 and is launching it now as most people are using a version of its app that can support proxies. In its blog post, the company says internet disruptions, like Iran’s, “deny people’s human rights and cut people off from receiving urgent help.”

To connect to a WhatsApp proxy, people need to have the proxy’s details. These can usually be found, when proxies are running, by searching social media. (Proxies aren’t effective during full internet shutdowns where there is no connectivity). Proxy details can be entered in WhatsApp’s iOS and Android apps through the Storage and Data menu, which is found in the app’s settings. WhatsApp says people wanting to set up proxy servers can use ports 80, 443, or 5222, and a domain or subdomain that points to the server’s IP address—it has published detailed documentation on its GitHub page. 

As the number of internet shutdowns and disruptions has increased in recent years, the available censorship circumvention tools have risen as well. Most commonly, anonymity service Tor and VPNs are used to get around government censorship, blocking, or filtering of apps and websites. However, new tools are also appearing: Samizdat Online allows Russians to access blocked news websites without any technical knowledge, and the CENO browser is built on peer-to-peer sharing technology, which the organization says reduces the reliance on international networks.

Ksenia Ermoshina, a user experience researcher for CENO and researcher with the Center for Internet and Society CNRS and Citizen Lab, says CENO has been widely used during Iran’s shutdowns, and WhatsApp’s introduction of proxies may also help people communicate where the app is blocked. Ermoshina says proxies helped to keep Telegram online in Russia in 2018 when the country unsuccessfully tried to block the messaging app.

There are some limitations to proxies though, Ermoshina says. “They can slow down your traffic considerably, in terms of calls, for example, or file sharing.” Connections via proxies can also be blocked if authorities discover their details. “VPNs and proxies are part of cat-and-mouse tools,” Ermoshina says. Their developers are always trying to evade censors. The more people that run proxy servers, the harder it is for governments to take them all down.

For people who are looking to avoid censorship, it is likely that a mix of anti-censorship tools will be useful. People should research the tools they are planning to use in the event of a future shutdown, if possible, and consider any risk that may be unique to them. “Different users will have different needs, threat models, and technical skills, so one tool will not fit all,” Access Now’s Krapiva says. “I do hope that Meta will ensure that they provide guidance to their users on what proxy servers can and cannot do, however, and how to use them securely, as the kinds of people who are likely going to be needing this feature the most will also tend to be the most at risk.”

WhatsApp Launches Proxy Tool to Fight Internet Censorship

Financial institutions are being targeted by a new version of Android malware called SpyNote at least since October 2022.
"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the

Mobile Security / Surveillance

Financial institutions are being targeted by a new version of Android malware called **SpyNote** at least since October 2022.

"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors \[in\] developing and distributing the spyware, often also targeting banking institutions."

Some of the notable institutions that are impersonated by the malware include Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank.

SpyNote (aka SpyMax) is feature-rich and comes with a plethora of capabilities that allow it to install arbitrary apps; gather SMS messages, calls, videos, and audio recordings; track GPS locations; and even hinder efforts to uninstall the app.

It also follows the modus operandi of other banking malware by requesting for permissions to accessibility services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to siphon banking credentials.

In addition, SpyNote packs in functionalities to plunder Facebook and Gmail passwords as well as capture screen content by leveraging Android's MediaProjection API.

The Dutch security firm said that the most recent iteration of SpyNote (called SpyNote.C) is the first variant to strike banking apps as well as other well-known apps like Facebook and WhatsApp.

It's also known to masquerade as the official Google Play Store service and other generic applications spanning wallpapers, productivity, and gaming categories. A list of some of the SpyNote artifacts, which are mainly delivered through smishing attacks, is as follows -

*   Bank of America Confirmation (yps.eton.application)
*   BurlaNubank (com.appser.verapp)
*   Conversations\_ (com.appser.verapp )
*   Current Activity (com.willme.topactivity)
*   Deutsche Bank Mobile (com.reporting.efficiency)
*   HSBC UK Mobile Banking (com.employ.mb)
*   Kotak Bank (splash.app.main)
*   Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)

SpyNote.C is estimated to have been purchased by 87 different customers between August 2021 and October 2022 after it was advertised by its developer under the name CypherRat through a Telegram channel.

However, the open source availability of CypherRat in October 2022 led to a dramatic increase in the number of samples detected in the wild, suggesting that several criminal groups are co-opting the malware in their own campaigns.

ThreatFabric further noted that the original author has since started work on a new spyware project codenamed CraxsRat, which is set to be offered as a paid application with similar features.

"This development is not as common within the Android Spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of Accessibility services gives to criminals," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SpyNote Strikes Again: Android Spyware Targeting Financial Institutions

The Irish Data Protection Commission (DPC) has fined Meta Platforms €390 million (roughly $414 million) over its handling of user data for serving personalized ads in what could be a major blow to its ad-fueled business model.
To that end, the privacy regulator has ordered Meta Ireland to pay two fines – a €210 million ($222.5 million) fine over violations of the E.U. General Data Protection

Privacy / Data Protection

The Irish Data Protection Commission (DPC) has fined Meta Platforms €390 million (roughly $414 million) over its handling of user data for serving personalized ads in what could be a major blow to its ad-fueled business model.

To that end, the privacy regulator has ordered Meta Ireland to pay two fines – a €210 million ($222.5 million) fine over violations of the E.U. General Data Protection Regulation (GDPR) related to Facebook, and a €180 million ($191 million) for similar violations in Instagram.

The latest enforcement comes in the wake of concerns that the social media company used its Terms of Service to gain users' forced consent to allow targeted advertising based on their online activity. The complaints were filed on May 25, 2018, the date when GDPR came into effect in the region.

It also arrives a month after the European Data Protection Board (EDPB), an independent body that oversees the consistent application of GDPR in the E.U., announced that it had reached binding decisions with regards to the matter.

The DPC ruling means that Meta is no longer allowed to rely on contracts – i.e., accepting its Terms of Service – as a legal basis for processing personal data for behavioral advertising, effectively deeming the company's advertising practices illegal.

"Meta Ireland is not entitled to rely on the 'contract' legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services, and that its processing of users' data to date, in purported reliance on the 'contract' legal basis, amounts to a contravention of Article 6 of the GDPR," the DPC said.

While Meta has argued that tailoring the ads it offers based on data it has about users' online behavior is a necessary part of the personalized service it offers, the company has three months to bring its data processing operations into compliance.

"Instead of having a 'yes/no' option for personalized ads, they just moved the consent clause in the terms and conditions," NOYB's Max Schrems, whose privacy non-profit filed the original complaint against Meta, said. "This is not just unfair but clearly illegal."

Meta, which has already suffered a decline in ad revenue over the past year in part due to Apple's privacy changes in iOS last year that require apps to ask for permission before tracking users, said it was "disappointed" by the decision and that it "strongly" believes its approach respects GDPR. The firm intends to appeal the DPC's findings.

"It's important to note that these decisions do not prevent personalized advertising on our platform," the company pointed out. "The decisions relate only to which legal basis Meta uses when offering certain advertising."

The tech giant further characterized the suggestion that it can no longer offer personalized ads to European users without their opt-in approval as "incorrect," stating there has been a lack of regulatory clarity on the issue.

These new financial penalties add to a pile of privacy fines for Meta in Europe and the U.S. last year. In late December 2022, it also agreed to pay $725 million to settle a class-action lawsuit that accused the company of giving third-parties access to user data without their permission.

The class action lawsuit was prompted in 2018 after Facebook disclosed that the information of 87 million users was improperly shared with Cambridge Analytica, a British political consultancy firm that used the harvested data to inform political campaigns.

**Apple is fined €8 million by France's CNIL**

In a related development, France's privacy watchdog, the Commission nationale de l'informatique et des libertés (CNIL), has hit Apple with a €8 million fine for not obtaining iPhone users' consent in iOS 14.6 prior to using identifiers to present targeted ads.

"In addition, the user had to perform a large number of actions to disable this setting since this possibility was not integrated into the initialization path of the phone," the agency said.

Apple said it plans to appeal the case, noting that it provides users "with a clear choice as to whether or not they would like personalized ads." It also stated that the service only relies on first-party data.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads

KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.

package session import ( goContext "context" "errors" "fmt" "strings" "time" v1Role "github.com/KubeOperator/kubepi/internal/model/v1/role" v1System "github.com/KubeOperator/kubepi/internal/model/v1/system" v1User "github.com/KubeOperator/kubepi/internal/model/v1/user" "github.com/KubeOperator/kubepi/internal/server" "github.com/KubeOperator/kubepi/internal/service/v1/cluster" "github.com/KubeOperator/kubepi/internal/service/v1/common" "github.com/KubeOperator/kubepi/internal/service/v1/ldap" "github.com/KubeOperator/kubepi/internal/service/v1/role" "github.com/KubeOperator/kubepi/internal/service/v1/rolebinding" v1SystemService "github.com/KubeOperator/kubepi/internal/service/v1/system" "github.com/KubeOperator/kubepi/internal/service/v1/user" "github.com/KubeOperator/kubepi/pkg/collectons" "github.com/KubeOperator/kubepi/pkg/kubernetes" "github.com/KubeOperator/kubepi/pkg/logging" "github.com/KubeOperator/kubepi/pkg/network/ip" "github.com/KubeOperator/kubepi/pkg/terminal" "github.com/asdine/storm/v3" "github.com/kataras/iris/v12" "github.com/kataras/iris/v12/context" "github.com/kataras/iris/v12/middleware/jwt" "golang.org/x/crypto/bcrypt" v1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) var JwtSigKey \= \[\]byte("signature\_hmac\_secret\_shared\_key") var jwtMaxAge \= 10 \* time.Minute type Handler struct { userService user.Service roleService role.Service clusterService cluster.Service rolebindingService rolebinding.Service ldapService ldap.Service jwtSigner \*jwt.Signer } func NewHandler() \*Handler { return &Handler{ clusterService: cluster.NewService(), userService: user.NewService(), roleService: role.NewService(), rolebindingService: rolebinding.NewService(), ldapService: ldap.NewService(), jwtSigner: jwt.NewSigner(jwt.HS256, JwtSigKey, jwtMaxAge), } } func (h \*Handler) IsLogin() iris.Handler { return func(ctx \*context.Context) { session := server.SessionMgr.Start(ctx) loginUser := session.Get("profile") if loginUser \== nil { ctx.StatusCode(iris.StatusOK) ctx.Values().Set("data", false) return } p, ok := loginUser.(UserProfile) if !ok { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", "can not parse to session user") return } if p.Mfa.Enable { if !p.Mfa.Approved { ctx.StatusCode(iris.StatusUnauthorized) ctx.Values().Set("message", "no login user") return } } else { if err := session.Man.ShiftExpiration(ctx); err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", fmt.Errorf("shift expiration falied, err: %v", err)) return } ctx.StatusCode(iris.StatusOK) ctx.Values().Set("data", loginUser != nil) } } } // Auth // @Tags sessions // @Summary User Login // @Description User Login // @Accept json // @Produce json // @Param request body LoginCredential true "request" // @Router /sessions \[post\] func (h \*Handler) Login() iris.Handler { return func(ctx \*context.Context) { var loginCredential LoginCredential if err := ctx.ReadJSON(&loginCredential); err != nil { ctx.StatusCode(iris.StatusBadRequest) ctx.Values().Set("message", err.Error()) return } u, err := h.userService.GetByNameOrEmail(loginCredential.Username, common.DBOptions{}) if err != nil { if errors.Is(err, storm.ErrNotFound) { ctx.StatusCode(iris.StatusBadRequest) ctx.Values().Set("message", "username or password error") return } ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", fmt.Sprintf("query user %s failed ,: %s", loginCredential.Username, err.Error())) return } if u.Type \== v1User.LDAP { if !h.ldapService.CheckStatus() { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", "ldap is not enable!") return } if err := h.ldapService.Login(\*u, loginCredential.Password, common.DBOptions{}); err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", "username or password error") return } } else { if err := bcrypt.CompareHashAndPassword(\[\]byte(u.Authenticate.Password), \[\]byte(loginCredential.Password)); err != nil { ctx.StatusCode(iris.StatusBadRequest) ctx.Values().Set("message", "username or password error") return } } permissions, err := h.aggregateResourcePermissions(loginCredential.Username) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", err.Error()) return } profile := UserProfile{ Name: u.Name, NickName: u.NickName, Email: u.Email, Language: u.Language, ResourcePermissions: permissions, IsAdministrator: u.IsAdmin, Mfa: Mfa{ Secret: u.Mfa.Secret, Enable: u.Mfa.Enable, Approved: false, }, } authMethod := loginCredential.AuthMethod switch authMethod { case "jwt": token, err := h.jwtSigner.Sign(profile) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", err.Error()) } ctx.StatusCode(iris.StatusOK) ctx.Values().Set("token", token) return default: session := server.SessionMgr.Start(ctx) session.Set("profile", profile) } ctx.StatusCode(iris.StatusOK) go saveLoginLog(ctx, profile.Name) ctx.Values().Set("data", profile) } } func saveLoginLog(ctx \*context.Context, userName string) { var logItem v1System.LoginLog logItem.UserName \= userName logItem.Ip \= ctx.RemoteAddr() qqWry, err := ip.NewQQwry() if err != nil { server.Logger().Errorf("load qqwry datas failed: %s", err) } res := qqWry.Find(logItem.Ip) logItem.City \= res.Area systemService := v1SystemService.NewService() systemService.CreateLoginLog(&logItem, common.DBOptions{}) } func (h \*Handler) aggregateResourcePermissions(name string) (map\[string\]\[\]string, error) { userRoleBindings, err := h.rolebindingService.GetRoleBindingBySubject(v1Role.Subject{ Kind: "User", Name: name, }, common.DBOptions{}) if err != nil && !errors.As(err, &storm.ErrNotFound) { return nil, err } var roleNames \[\]string for i := range userRoleBindings { roleNames \= append(roleNames, userRoleBindings\[i\].RoleRef) } rs, err := h.roleService.GetByNames(roleNames, common.DBOptions{}) if err != nil && !errors.As(err, &storm.ErrNotFound) { return nil, err } mapping := map\[string\]\*collectons.StringSet{} var policyRoles \[\]v1Role.PolicyRule //merge permissions for i := range rs { for j := range rs\[i\].Rules { policyRoles \= append(policyRoles, rs\[i\].Rules\[j\]) } } for i := range policyRoles { for j := range policyRoles\[i\].Resource { \_, ok := mapping\[policyRoles\[i\].Resource\[j\]\] if !ok { mapping\[policyRoles\[i\].Resource\[j\]\] \= collectons.NewStringSet() } for k := range policyRoles\[i\].Verbs { mapping\[policyRoles\[i\].Resource\[j\]\].Add(policyRoles\[i\].Verbs\[k\]) if policyRoles\[i\].Verbs\[k\] \== "\*" { break } } if policyRoles\[i\].Resource\[j\] \== "\*" { break } } } resourceMapping := map\[string\]\[\]string{} for key := range mapping { resourceMapping\[key\] \= mapping\[key\].ToSlice() } return resourceMapping, nil } func (h \*Handler) Logout() iris.Handler { return func(ctx \*context.Context) { session := server.SessionMgr.Start(ctx) loginUser := session.Get("profile") if loginUser \== nil { ctx.StatusCode(iris.StatusUnauthorized) ctx.Values().Set("message", "no login user") return } session.Delete("profile") logging.LogSessions.Clean() terminal.TerminalSessions.Clean() ctx.StatusCode(iris.StatusOK) ctx.Values().Set("data", "logout success") } } func (h \*Handler) GetProfile() iris.Handler { return func(ctx \*context.Context) { session := server.SessionMgr.Start(ctx) loginUser := session.Get("profile") if loginUser \== nil { ctx.StatusCode(iris.StatusUnauthorized) ctx.Values().Set("message", "no login user") return } p, ok := loginUser.(UserProfile) if !ok { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", "can not parse to session user") return } user, err := h.userService.GetByNameOrEmail(p.Name, common.DBOptions{}) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", err.Error()) return } p \= UserProfile{ Name: user.Name, NickName: user.NickName, Email: user.Email, Language: user.Language, IsAdministrator: user.IsAdmin, } if !user.IsAdmin { permissions, err := h.aggregateResourcePermissions(p.Name) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", err.Error()) return } p.ResourcePermissions \= permissions } session.Set("profile", p) ctx.StatusCode(iris.StatusOK) ctx.Values().Set("data", p) } } func (h \*Handler) ListUserNamespace() iris.Handler { return func(ctx \*context.Context) { name := ctx.Params().GetString("cluster\_name") c, err := h.clusterService.Get(name, common.DBOptions{}) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", fmt.Sprintf("get cluster failed: %s", err.Error())) return } session := server.SessionMgr.Start(ctx) u := session.Get("profile") profile := u.(UserProfile) k := kubernetes.NewKubernetes(c) ns, err := k.GetUserNamespaceNames(profile.Name, profile.IsAdministrator) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", err) return } ctx.Values().Set("data", ns) } } func (h \*Handler) GetClusterProfile() iris.Handler { return func(ctx \*context.Context) { session := server.SessionMgr.Start(ctx) clusterName := ctx.Params().GetString("cluster\_name") namesapce := ctx.URLParam("namespace") c, err := h.clusterService.Get(clusterName, common.DBOptions{}) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", err.Error()) return } k := kubernetes.NewKubernetes(c) client, err := k.Client() if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", fmt.Sprintf("get k8s client failed: %s", err.Error())) return } u := session.Get("profile") profile := u.(UserProfile) if profile.IsAdministrator { crp := ClusterUserProfile{ UserProfile: profile, ClusterRoles: \[\]v1.ClusterRole{}, } ctx.Values().Set("data", &crp) return } labels := \[\]string{ fmt.Sprintf("%s=%s", kubernetes.LabelManageKey, "kubepi"), fmt.Sprintf("%s=%s", kubernetes.LabelClusterId, c.UUID), fmt.Sprintf("%s=%s", kubernetes.LabelUsername, profile.Name), } clusterRoleBindings, err := client.RbacV1().ClusterRoleBindings().List(goContext.TODO(), metav1.ListOptions{ LabelSelector: strings.Join(labels, ","), }) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", fmt.Sprintf("get cluster-role-binding failed: %s", err.Error())) return } rolebindings, err := client.RbacV1().RoleBindings(namesapce).List(goContext.TODO(), metav1.ListOptions{ LabelSelector: strings.Join(labels, ","), }) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", fmt.Sprintf("get role-binding failed: %s", err.Error())) return } roleSet := map\[string\]struct{}{} for i := range clusterRoleBindings.Items { for j := range clusterRoleBindings.Items\[i\].Subjects { if clusterRoleBindings.Items\[i\].Subjects\[j\].Kind \== "User" { roleSet\[clusterRoleBindings.Items\[i\].RoleRef.Name\] \= struct{}{} } } } for i := range rolebindings.Items { for j := range rolebindings.Items\[i\].Subjects { if rolebindings.Items\[i\].Subjects\[j\].Kind \== "User" { roleSet\[rolebindings.Items\[i\].RoleRef.Name\] \= struct{}{} } } } var roles \[\]v1.ClusterRole for key := range roleSet { r, err := client.RbacV1().ClusterRoles().Get(goContext.TODO(), key, metav1.GetOptions{}) if err != nil { ctx.StatusCode(iris.StatusInternalServerError) ctx.Values().Set("message", fmt.Sprintf("get cluster-role failed: %s", err.Error())) return } roles \= append(roles, \*r) } crp := ClusterUserProfile{ UserProfile: profile, ClusterRoles: roles, } if len(roles) <= 0 { ctx.StatusCode(iris.StatusForbidden) return } ctx.Values().Set("data", &crp) } } func Install(parent iris.Party) { handler := NewHandler() sp := parent.Party("/sessions") sp.Post("", handler.Login()) sp.Delete("", handler.Logout()) sp.Get("", handler.GetProfile()) sp.Get("/:cluster\_name", handler.GetClusterProfile()) sp.Get("/status", handler.IsLogin()) sp.Get("/:cluster\_name/namespaces", handler.ListUserNamespace()) sp.Put("", handler.UpdateProfile()) sp.Put("/password", handler.UpdatePassword()) }

CVE-2023-22463: KubePi/session.go at da784f5532ea2495b92708cacb32703bff3a45a3 · KubeOperator/KubePi

Researchers who discovered the backdoor Linux malware say it may have been around for more than three years — and it targets 30+ plug-in bugs.

A newly identified Trojan backdoor program exploits some 30 vulnerabilities in WordPress plug-ins and themes in order to breach websites based on the WordPress content management system. It only needs to abuse one of those flaws to execute an attack.

Researchers from Doctor Web who discovered two iterations of the malware — dubbed Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2 — said sites running outdated or unpatched versions of these WordPress tools are at risk of harboring malicious JavaScripts that redirect site visitors to nefarious websites, and should update those programs ASAP.

And here's a scary twist: "An analysis of an uncovered trojan application, performed by Doctor Web's specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage," the researchers wrote about the malware, which targets 32-bit versions of Linux and also can run on 64-bit versions of the platform.

Among the plug-ins and themes the Trojan's version 1 variant abuses are WP Live Chat Support Plugin; Yellow Pencil Visual Theme Customizer Plugin; Easysmtp; WP GDPR Compliance Plugin; Google Code Inserter; Blog Designer WordPress Plugin; and WP Live Chat. Version 2 exploits other WordPress plugins, including Brizy WordPress Plugin; FV Flowplayer Video Player; WordPress Coming Soon Page; Poll, Survey, Form & Quiz Maker by OpinionStage; and Social Metrics Tracker.

WordPress plug-ins and themes are a popular avenue for cybercriminals looking to take over websites; they can be used for everything from phishing to ad fraud to malware distribution. Vulnerabilities are not uncommon. For instance, in December an SSRF vulnerability in the Google Web Stories plug-in was found that would allow a cyberattacker to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WordPress Sites Under Attack from Newly Found Linux Trojan

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Raspberry Robin Worm Hatches a Highly Complex Upgrade

This type of devastating scheme ensnares victims and takes them for all they’re worth—and the threat is only growing.

Digital swindles like business email compromises and romance scams generate billions of dollars for criminals. And they all start with a little bit of “social engineering” to trick a victim into doing something disadvantageous, whether that's trusting someone they shouldn't or sending money into the void. Now, a new variation of these schemes, known as “pig butchering,” is on the rise, ensnaring unsuspecting targets to steal all of their money and operating at a massive scale thanks in large part to forced labor.

Pig butchering scams originated in China, where they came to be known by the Chinese version of the phrase _shāzhūpán_ because of an approach in which attackers essentially fatten victims up and then take everything they’ve got. These scams are typically cryptocurrency schemes, though they can involve other types of financial trading as well. 

Scammers cold-contact people on SMS texting or other social media, dating, and communication platforms. Often they’ll simply say “Hi” or something like “Hey Josh, it was fun catching up last week!” If the recipient responds to say that the attacker has the wrong number, the scammer seizes the opportunity to strike up a conversation and guide the victim toward feeling like they’ve hit it off with a new friend. After establishing a rapport, the attacker will introduce the idea that they have been making a lot of money in cryptocurrency investing and suggest the target consider getting involved while they can.

Next, the scammer gets the target set up with a malicious app or web platform that appears trustworthy and may even impersonate the platforms of legitimate financial institutions. Once inside the portal, victims can often see curated real-time market data meant to show the potential of the investment. And once the target funds their “investment account,” they can start watching their balance “grow.” Crafting the malicious financial platforms to look legitimate and refined is a hallmark of pig butchering scams, as are other touches that add verisimilitude, like letting victims do a video call with their new “friend” or allowing them to withdraw a little bit of money from the platform to reassure them. The latter is a tactic that scammers also use in traditional Ponzi schemes.

Though the swindle has some new twists, you can still see where it's going. Once the victim has deposited all the money they have and everything the scammers can get them to borrow, the attackers shut down the account and disappear.

“That’s the whole pig butchering thing—they are going for the whole hog,” says Sean Gallagher, a senior threat researcher at the security firm Sophos who has been tracking pig butchering as it has emerged over the past three years. “They go after people who are vulnerable. Some of the victims are people who have had long-term health problems, who are older, people who feel isolated. They want to get every last bit of oink, and they are persistent.” 

Though carrying off pig butchering scams takes a lot of communication and relationship building with victims over time, researchers say that crime syndicates in China developed scripts and playbooks that allowed them to offload the work at scale onto inexperienced scammers or even forced laborers who are victims of human trafficking. 

“We can already see the damage and the human cost both to scam victims and to forced laborers,” says Michael Roberts, a longtime digital forensic analyst who has been working with victims of pig butchering attacks. “That’s why we need to start educating people about this threat so we can disrupt the cycle and reduce the demand for these kidnappings and forced labor.”

The concept is similar to that of ransomware attacks and digital extortion in which law enforcement encourages victims not to pay hackers’ ransom demands so they will be disincentivized to keep trying.

The Chinese government cracked down on cryptocurrency scams beginning in 2021, but criminals have been able to move their pig butchering operations to Southeast Asian countries including Cambodia, Laos, Malaysia, and Indonesia. Governments around the world have increasingly been warning about the threat. In 2021, the FBI’s Internet Crime Complaint Center received more than 4,300 submissions related to pig butchering scams, totaling more than $429 million in losses. And at the end of November, the US Department of Justice announced that it had seized seven domain names used in pig butchering scams in 2022.

“In this scheme, fraudsters, posing as highly successful traders in cryptocurrency, entice victims to make purported investments in cryptocurrency providing fictitious returns to encourage additional investments,” the FBI said in an October alert.

Government officials and researchers emphasize that public education is a key component of helping people avoid becoming the victim of a pig butchering scheme. If people know the telltale signs and understand the concepts underlying the scams, they are less likely to be ensnared. The challenge, they say, is reaching the wider public and getting people who learn about pig butchering to pass on the information to others in their families and social circles. 

As with romance scams and other highly personal and exploitative attacks, researchers say that pig butchering scams take an enormous psychological toll on victims in addition to their financial toll. And the use of forced labor to carry out pig butchering schemes adds yet another layer of trauma and creates even more urgency to addressing the threat.

“Some of the stories you hear from victims—it eats you up,” says Ronnie Tokazowski, a longtime business email compromise and pig butchering researcher and principal threat advisor at the cybersecurity firm Cofense. “It eats you up really freaking bad.”

Tag

#sap