Meta Platforms on Friday became the latest company after Microsoft, Google, and OpenAI to expose the activities of an Iranian state-sponsored threat actor, who it said used a set of WhatsApp accounts that attempted to target individuals in Israel, Palestine, Iran, the U.K., and the U.S.
The activity cluster, which originated from Iran, "appeared to have focused on political and diplomatic

Election Security / Threat Intelligence

Meta Platforms on Friday became the latest company after Microsoft, Google, and OpenAI to expose the activities of an Iranian state-sponsored threat actor, who it said used a set of WhatsApp accounts that attempted to target individuals in Israel, Palestine, Iran, the U.K., and the U.S.

The activity cluster, which originated from Iran, "appeared to have focused on political and diplomatic officials, and other public figures, including some associated with administrations of President Biden and former President Trump," Meta said.

The social media giant attributed it to a nation-state actor tracked as APT42, which is also known as Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. It's assessed to be linked to Iran's Islamic Revolutionary Guard Corps (IRGC).

The adversarial collective is well-known for its use of sophisticated social engineering lures to spear-phish targets of interest with malware and steal their credentials. Earlier this week, Proofpoint revealed that the threat actor targeted a prominent Jewish figure to infect their machine with malware called AnvilEcho.

Meta said the "small cluster" of WhatsApp accounts masqueraded as technical support for AOL, Google, Yahoo, and Microsoft, although the efforts are believed to be unsuccessful. The accounts have since been blocked.

"We have not seen evidence that their accounts were compromised," the parent company of Facebook, Instagram, and WhatsApp said. "We have encouraged those who reported to us to take steps to ensure their online accounts are safe across the internet."

The development comes as the U.S. government formally accused Iran of attempting to undermine U.S. elections, stoke divisive opinion among the American public, and erode confidence in the electoral process by amplifying propaganda and gathering political intelligence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Exposes Iranian Hacker Group Targeting Global Political Figures on WhatsApp

DiCal-RED version 4009 is vulnerable to unauthorized log access and other files on the device's file system due to improper authentication checks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-040  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Improper Authentication (CWE-287)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36444  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to improper authentication checks, the device is vulnerable to  
unauthorized access to logs and other files on the device's file system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device allows viewing log files via the administrative web interface.  
This function does not require an authenticated session.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As other parts of the administrative web interface do require authentication,  
a simple proof of concept is to log in to the web interface and navigate to  
the function to view log files.  
Log file contents are returned by a URL similar to  
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22%22,%22FileAlias%22:%22FdmDebugPath%22,%22LinesMax%22:0}

Using a local proxy to remove the QSESSIONID cookie from this request shows  
that the content is also returned when not sending any session information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-040  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-040.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5ZgGw/9GlpK9ZCfsFYDOaonfqTm0zPxu1CURL4gT2gnmcWKnvZMnSBVtI2qolR/  
oyp8GMhBkQ5i1msTZXCBFTQfmxAjniNZ4hpg9nxY/9q7uThu8td2A89Ge9+qP7u0  
06Z52kYGhMK+C5Ecoww9pOjNtL233B6300kSxxBh4wspAUw8NdOtnBO9zTiU8zcw  
MPjPsoHNofn6Ah1BRw40vkPTDGoKE9wD17nNJn0lnpgvP03ZLgEErk4gkvK0L1ts  
N33g1R0k2M3vKzhid9FUFE+OEFN4NdkmTUqylGU9uLEhtSZiZ5CT1kAcNp6PUOlA  
EmNqudfLngHVhyfTAVXhbJV8C/I9tCiktPiPD3g4sAP5FwsmnfKXvwULCABV7Y6I  
6szsx1JPojyaYTi0hGKviJjewyEld9p7qLuCDt/Hq6BqkxaZkAN1JuyuqMLQDw8k  
ghIBzdqxCpaoa3r43Cg6mpiNzhe9cRYHDDSQ5wl+5nKI4NDy7xxaQd8psyg5CjCP  
CxgJTHne5zvFhtZP7LFa82R3Yux6x6k2XcxbsgoBaBYXS9Qj+QKLU5HxbZVbVwWS  
c0kZzHWWydiaqSfXl5OZDPZIcOZH3C95kXFY78XMOhndqg9yW7ot3OJ/RR5GfX1X  
jqcbLv9k0XCRr55bH/vcLWoJw9oGxfX25FlH2Sp7VYiaIohd8cM=  
=Iaf1  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Log Disclosure

The Telegram channel and website Deep State uses public data and insider intelligence to power its live tracker of Ukraine’s ever-shifting front line.

Over time, Deep State has added more advanced features and quirks to the map. A toolbar in the bottom-left corner offers the option to enable different layers, including weather patterns, fortifications, and gamma radiation levels in case of nuclear disaster. Users can simulate the effect of different weapons, calculating the range and potential damage of everything from self-propelled howitzers and ballistic missiles to Patriot air defense systems and nuclear explosions. A hidden Easter egg summons an animation of Baby Yoda that, when poked, uses the Force to destroy Russian units.

The map soon became too much for Mykula and Pohorilyi to manage alone; they now enlist the help of more than 100 paid employees and volunteers. Their methods have also evolved. They still use open source intelligence to verify new information, but also acquire data directly from frontline military units whom they’ve developed relationships with. In some cases, the authority of a single source whom they’ve learned to trust is enough, though Mykula admits there have been occasional errors. In other cases, when multiple sources contradict one another, they wait until definitive evidence emerges. Propaganda is rife on both sides, and Mykula insists that Deep State will take no part in it. “We want to win,” he says. “Propaganda will not win.”

Mykula and Pohorilyi do, however, oblige when Ukrainian military commanders request delays to map updates that may compromise their activities. They also receive some government funding for an alternate version of the map available only to verified members of the military. The government funding also goes toward other intelligence activities that Ruslan refuses to discuss; most of their funding comes from public donations.

Late in the first year of the war, Mykula and Pohorilyi learned that their map was helping another, unexpected group of users: Russian soldiers. The map’s designer had added a function that would display instructions to surrender if a user tried to access from a Russian IP address. Then, in October 2022, in an interview with a popular Ukrainian blogger, a Russian POW testified that he had used Deep State’s map for this exact purpose.

The success of Deep State’s map has attracted more users to their original Telegram channel, which now has more than 700,000 subscribers. It publishes its own original reports of the war, all available through a free app, which other established Ukrainian media organizations sometimes refer to. But the map remains the most popular product, used by Ukrainians at home and abroad to track the front line that, at the time of writing, creeps further toward their office in Kyiv every day.

Both Mykula and Pohorilyi approach their work with a stern dedication that belies their youth and inexperience. “We don’t want to disappoint our audience because our projects have become critical for Ukrainians,” Mykula says. “If you compare us to other maps, you will see that Ukrainians don’t go to check on them. They come to us.”

_This story first appeared in the September/October 2024 edition of WIRED UK_.

When War Came to Their Country, They Built a Map

It’s not unusual for a threat actor to exaggerate the extent of a hack or breach to drum up interest, and hopefully, the eventual purchase or ransom price.

Thursday, August 22, 2024 14:00

My current least favorite thing about the churn of social media that I’ve seen over the past week is waves of stories, posts and videos saying that every U.S. citizen’s Social Security number has been stolen or potentially viewed by a threat actor. 

The claim comes from a class action lawsuit filed on Aug. 1 against a data broker called National Public Data, claiming they failed to keep U.S. citizens’ Social Security numbers secure. A threat actor going by USDoD claimed in April that it had accessed a database that included information on every person in the U.S., Canada and the U.K.  

The lawsuit states that a breach at National Public Data resulted in the exposure of more than 3 billion personal records (a number that obviously surpasses the current population of the U.S.), including every Social Security number. That sounds scary, and many people took the statement as fact, running to create warnings that your Social Security number had definitely been breached and you needed to “TAKE ACTION NOW!” 

Except, the claim in the lawsuit is still unsubstantiated. This is not to say there was never a breach or that \*some\* public records weren’t stolen or accessed, but almost certainly not literally every single Social Security number. 

For starters, I used a tool from security firm Pentester that allows users to search for if their Social Security number, birthday, or other sensitive information may be in the NPD Breach. I searched for everyone in my immediate family, parents, and stepparents, and nothing turned up. I suppose it’s possible that for some reason just my family was exempted from the breach, but that seems unlikely. 

Reporters at TechCrunch have also viewed the allegedly stolen data, and determined much of the information was incomplete or incorrect, though some of it was legitimate. 

It’s not unusual for a threat actor to exaggerate the extent of a hack or breach to drum up interest, and hopefully, the eventual purchase or ransom price. Which is why I’m disappointed that so many people took off and ran with the claim that every American was affected by this breach. 

There are always steps we can be taking to better protect our personal information, so I don’t want to make it seem like we’re all totally safe and to just go about your business as usual. And if you do use the linked tool above and find that your information may be affected by the NPD breach, it could be a good idea to freeze your credit or keep a close eye on your bank account(s).  

But all the LinkedIn posts and viral videos claiming that every American’s had their Social Security number stolen only leads to more FUD. And it plays right into attackers’ hands: By spreading that FUD, it makes users more likely to fall for other scams that are trying to capitalize on the breach by sending phony scams around identity protection or offering new information on the allegedly stolen data.  

**The one big thing **

Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” Our analysis of infrastructure used in the campaign reveals additional links to the UAT-5394 infrastructure and new tactics, techniques and procedures (TTPs) of the threat actor. This cluster of activity has some overlaps in TTPs and infrastructure patterns with the North Korean state-sponsored group “Kimsuky,” however, we do not have substantial technical evidence to link this campaign with the APT. 

**Why do I care? **

Either UAT-5394 is actually Kimsuky (or a sub-group within Kimsuky) and they are replacing QuasarRAT with MoonPeak. (We have observed UAT-5394 actively setting up and operating QuasarRAT C2 servers before they eventually adopted the use of XenoRAT and MoonPeak.) Or UAT-5394 is another group within the North Korean APT machinery that borrows their TTPs and infrastructure patterns from Kimsuky. Any actor potentially associated with North Korea is worth watching, as these groups are constantly trying to steal money, intellectual property or data on behalf of the state. So, any new developments in how state-sponsored actors work together is relevant to defenders and users alike. 

**So now what? **

Talos released a new Snort rule set that detects the new malware disclosed this week. The timelines of the consistent adoption of new malware and its evolution such as in the case of MoonPeak highlights that UAT-5394 continues to add and enhance more tooling into their arsenal. And the rapid pace of establishing new supporting infrastructure by UAT-5394 indicates that the group is aiming to rapidly proliferate this campaign and set up more drop points and C2 servers, so this is activity we’ll be continuing to monitor and update readers on. 

**Top security headlines of the week **

**A North Korean state-sponsored actor recently exploited a zero-day vulnerability that Microsoft patched earlier this month.** Security researchers say that actors connected to the Lazarus Group, the most prolific and well-known North Korean APT, actively exploited CVE-2024-38193. This is a use-after-free issue in AFD.sys, a binary file in what's essentially the kernel entry point for the Winsock API. The actors then installed the FudModule malware, which was first discovered in 2022. FudModule is more stealthy than other malware, finding additional and new ways to hide from detection. Microsoft disclosed and patched CVE-2024-38193 earlier this month as part of its regular Patch Tuesday update cycle. At the time, it was listed as a zero-day, meaning adversaries had exploited the issue in the wild before a patch was available. This was one of the six zero-days included in Microsoft Patch Tuesday this month. An attacker who exploits the vulnerability could obtain nearly full access to Windows and usually run untrusted code. (Ars Technica, PC World) 

**The FBI and other U.S. federal agencies publicly stated that Iran is behind recent cyber attacks targeting both major U.S. presidential campaigns.** A public statement warned that state-sponsored actors from Iran were trying to “stoke discord and undermine confidence in our democratic institutions.” Threat actors successfully breached an email account belonging to a staffer on former U.S. President Donald Trump’s campaign and leaked that information, though many major news outlets declined to publish any reports on the information because of the way in which it was obtained. “The \[intelligence community\] is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties,” U.S. intelligence officials said in the statement. The presidential campaigns from the Democratic and Republican parties both said they received spear-phishing emails seemingly connected to the efforts. (Associated Press, BBC) 

**Nearly all Google Pixel devices since 2017 have been vulnerable to an exploit that exists in an otherwise dormant app.** Security researchers disclosed the vulnerability last week in Showcase.apk, a software package that exists on all Pixel phones and can be used to turn the devices into store demos for Verizon. Though details on the exact type of vulnerability are still unclear, a report from iVerify stated that the way the software operates fundamentally changes the way the Android operating system works, leaving Pixel devices susceptible to man-in-the-middle attacks or the installation of spyware. Google has since removed the software package from all devices, as it is no longer in use. A Google representative told Recorded Future that it had not seen any information indicating the software had been exploited, and that the hypothetical exploit requires the attacker to have physical access to the device and knowing the user’s device passcode. The app is not present on the Pixel 9, the newest line of phones Google unveiled this week. (Wired, The Record) 

**Can’t get enough Talos? **

*   How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions 
*   Talos Takes Ep. #194: A 1-on-1 with Talos VP Matt Watchinski 
*   MoonPeak malware from North Korean actors unveils new details on attacker infrastructure 
*   Bug Leaves Microsoft Apps for MacOS Open to Silent Takeovers 
*   Multiple flaws in Microsoft macOS apps unpatched despite potential risks 
*   Multiple Microsoft Apps for macOS Vulnerable to Library Injection Attacks 

**Upcoming events where you can find Talos **

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**_LABScon_** **_(Sept. 18 - 21)_** 

_Scottsdale, Arizona_

**_VB2024_** **_(Oct. 2 - 4)_**

_Dublin, Ireland_

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668  
**MD5:** 49d35332a1c6fefae1d31a581a66ab46  
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:70ff63.in03.Talos

**SHA 256:** db697b450d015ee948bb50d895acca3e27058b6d546d93212791b9f5ff31c0a3  
**MD5:** 391b3770ab60f9e535fbf3db70c89b04  
**Typical Filename:** vt-upload-o0OJb  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto.db697b.181952.in01

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0  
**MD5:** b4440eea7367c3fb04a89225df4022a6  
**Typical Filename:** Pdfixers.exe  
**Claimed Product:** Pdfixers  
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

No, not every Social Security number in the U.S. was stolen

Red Hat Security Advisory 2024-5692-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5692.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:5692-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5692  
Issue date:         2024-08-21  
Revision:           03  
CVE Names:          CVE-2021-47069  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: smb: client: fix potential OOBs in smb2_parse_contexts() (CVE-2023-52434)

* kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)

* kernel: net/sched: act_ct: fix skb leak and crash on ooo frags (CVE-2023-52610)

* kernel: wifi: iwlwifi: dbg-tlv: ensure NUL termination (CVE-2024-35845)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: platform/x86: wmi: Fix opening of char device (CVE-2023-52864)

* kernel: isdn: mISDN: Fix sleeping function called from invalid context (CVE-2021-47468)

* kernel: tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (CVE-2024-36016)

* kernel: wifi: nl80211: don't free NULL coalescing rule (CVE-2024-36941)

* kernel: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). (CVE-2024-36904)

* kernel: gfs2: Fix potential glock use-after-free on unmount (CVE-2024-38570)

* kernel: KVM: x86: nSVM: fix potential NULL derefernce on nested migration (CVE-2022-48793)

* kernel: perf: Fix list corruption in perf_cgroup_switch() (CVE-2022-48799)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47069

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2265285  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2270080  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282719  
https://bugzilla.redhat.com/show_bug.cgi?id=2282887  
https://bugzilla.redhat.com/show_bug.cgi?id=2283894  
https://bugzilla.redhat.com/show_bug.cgi?id=2284474  
https://bugzilla.redhat.com/show_bug.cgi?id=2284541  
https://bugzilla.redhat.com/show_bug.cgi?id=2293423  
https://bugzilla.redhat.com/show_bug.cgi?id=2298129  
https://bugzilla.redhat.com/show_bug.cgi?id=2298135

Red Hat Security Advisory 2024-5692-03

Red Hat Security Advisory 2024-5689-03 - An update for python3.9 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a traversal vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5689.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3.9 security updateAdvisory ID:        RHSA-2024:5689-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5689Issue date:         2024-08-21Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for python3.9 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276518

Red Hat Security Advisory 2024-5689-03

Red Hat Security Advisory 2024-5599-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5599.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreoffice security updateAdvisory ID:        RHSA-2024:5599-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5599Issue date:         2024-08-20Revision:           03CVE Names:          CVE-2024-6472====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: bility to trust not validated macro signatures removed in high security mode (CVE-2024-6472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6472References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-5599-03

Red Hat Security Advisory 2024-5584-03 - An update for libreoffice is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5584.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libreoffice security updateAdvisory ID:        RHSA-2024:5584-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5584Issue date:         2024-08-20Revision:           03CVE Names:          CVE-2024-6472====================================================================Summary: An update for libreoffice is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite.Security Fix(es):* libreoffice: bility to trust not validated macro signatures removed in high security mode (CVE-2024-6472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6472References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-5584-03

Red Hat Security Advisory 2024-5582-03 - An update for kpatch-patch-4_18_0-372_87_1 and kpatch-patch-4_18_0-372_91_1 is now available for Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5582.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kpatch-patch-4_18_0-372_87_1 and kpatch-patch-4_18_0-372_91_1 security update  
Advisory ID:        RHSA-2024:5582-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5582  
Issue date:         2024-08-20  
Revision:           03  
CVE Names:          CVE-2024-36971  
====================================================================

Summary: 

An update for kpatch-patch-4_18_0-372_87_1 and kpatch-patch-4_18_0-372_91_1 is now available for Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-4.18.0-372.87.1.el8_6.

Security Fix(es):

* kernel: net: CVE-2024-36971 kernel: UAF in network route management (CVE-2024-36971)

* kernel: virtio-net: tap: mlx5_core short frame denial of service (CVE-2024-41090)

* kernel: virtio-net: tun: mlx5_core short frame denial of service (CVE-2024-41091)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-36971

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2292331  
https://bugzilla.redhat.com/show_bug.cgi?id=2299240  
https://bugzilla.redhat.com/show_bug.cgi?id=2299336

Red Hat Security Advisory 2024-5582-03

Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho.
Enterprise security company Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity

Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho.

Enterprise security company Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity community under the monikers APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC).

"The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link," security researchers Joshua Miller, Georgi Mladenov, Andrew Northern, and Greg Lesnewich said in a report shared with The Hacker News.

"The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho."

TA453 is assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), carrying out targeted phishing campaigns that are designed to support the country's political and military priorities.

Data shared by Google-owned Mandiant last week shows that the U.S. and Israel accounted for roughly 60% of APT42's known geographic targeting, followed by Iran and the U.K.

The social engineering efforts are both persistent and persuasive, masquerading as legitimate entities and journalists to initiate conversations with prospective victims and build rapport over time, before ensnaring them in their phishing traps via malware-laced documents or bogus credential harvesting pages.

"APT42 would engage their target with a social engineering lure to set-up a video meeting and then link to a landing page where the target was prompted to login and sent to a phishing page," Google said.

"Another APT42 campaign template is sending legitimate PDF attachments as part of a social engineering lure to build trust and encourage the target to engage on other platforms like Signal, Telegram, or WhatsApp."

The latest set of attacks, observed by Proofpoint starting July 22, 2024, involved the threat actor contacting multiple email addresses for an unnamed Jewish figure, inviting them to be a guest for a podcast while impersonating the Research Director for the Institute for the Study of War (ISW).

In response to a message from the target, TA453 is said to have sent a password-protected DocSend URL that, in turn, led to a text file containing a URL to the legitimate ISW-hosted podcast. The phony messages were sent from the domain understandingthewar\[.\]org, a clear attempt to mimic ISW's website ("understandingwar\[.\]org").

"It is likely that TA453 was attempting to normalize the target clicking a link and entering a password so the target would do the same when they delivered malware," Proofpoint said.

In follow-up messages, the threat actor was found replying with a Google Drive URL hosting a ZIP archive ("Podcast Plan-2024.zip") that, in turn, contained a Windows shortcut (LNK) file responsible for delivering the BlackSmith toolset.

AnvilEcho, which is delivered by means of BlackSmith, has been described as a likely successor to the PowerShell implants known as CharmPower, GorjolEcho, POWERSTAR, and PowerLess. BlackSmith is also designed to display a lure document as a distraction mechanism.

It's worth noting that the name "BlackSmith" also overlaps with a browser stealer component detailed by Volexity earlier this year in connection with a campaign that distributed BASICSTAR in attacks aimed at high-profile individuals working on Middle Eastern affairs.

"AnvilEcho is a PowerShell trojan that contains extensive functionality," Proofpoint said. "AnvilEcho capabilities indicate a clear focus on intelligence collection and exfiltration."

Some of its important functions include conducting system reconnaissance, taking screenshots, downloading remote files, and uploading sensitive data over FTP and Dropbox.

"TA453 phishing campaigns \[...\] have consistently reflected IRGC intelligence priorities," Proofpoint researcher Joshua Miller said in a statement shared with The Hacker News.

"This malware deployment attempting to target a prominent Jewish figure likely supports ongoing Iranian cyber efforts against Israeli interests. TA453 is doggedly consistent as a persistent threat against politicians, human rights defenders, dissidents, and academics."

The findings come days after HarfangLab disclosed a new Go-based malware strain referred to as Cyclops that has been possibly developed as a follow-up to another Charming Kitten backdoor codenamed BellaCiao, indicating that the adversary is actively retooling its arsenal in response to public disclosures. Early samples of the malware date back to December 2023.

"It aims at reverse-tunneling a REST API to its command-and-control (C2) server for the purposes of controlling targeted machines," the French cybersecurity company said. "It allows operators to run arbitrary commands, manipulate the target's filesystem, and use the infected machine to pivot into the network."

It's believed that the threat actors used Cyclops to single out a non-profit organization that supports innovation and entrepreneurship in Lebanon, as well as a telecommunication company in Afghanistan. The exact ingress route used for the attacks is presently unknown.

"The choice of Go for the Cyclops malware has a few implications," HarfangLab said. "Firstly, it confirms the popularity of this language among malware developers. Secondly, the initially low number of detections for this sample indicates that Go programs may still represent a challenge for security solutions."

"And finally, it is possible that macOS and Linux variants of Cyclops were also created from the same codebase and that we have yet to find them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sap