Gentoo Linux Security Advisory 202309-3 - Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could result in remote code execution. Versions greater than or equal to 10.01.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GPL Ghostscript: Multiple Vulnerabilities  
     Date: September 17, 2023  
     Bugs: #904245, #910294  
       ID: 202309-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in GPL Ghostscript, the  
worst of which could result in remote code execution.

Background  
==========

Ghostscript is an interpreter for the PostScript language and for PDF.

Affected packages  
=================

Package                   Vulnerable    Unaffected  
------------------------  ------------  ------------  
app-text/ghostscript-gpl  < 10.01.2     >= 10.01.2

Description  
===========

Multiple vulnerabilities have been discovered in GPL Ghostscript. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GPL Ghostscript users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.01.2"

References  
==========

[ 1 ] CVE-2022-2085  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2085  
[ 2 ] CVE-2023-28879  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28879  
[ 3 ] CVE-2023-36664  
      https://nvd.nist.gov/vuln/detail/CVE-2023-36664

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-03

Gentoo Linux Security Advisory 202309-2 - Multiple vulnerabilities have been found in Wireshark, the worst of which could result in denial of service. Versions greater than or equal to 4.0.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Wireshark: Multiple Vulnerabilities  
     Date: September 17, 2023  
     Bugs: #878421, #899548, #904248, #907133  
       ID: 202309-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Wireshark, the worst of  
which could result in denial of service.

Background  
==========

Wireshark is a versatile network protocol analyzer.

Affected packages  
=================

Package                 Vulnerable    Unaffected  
----------------------  ------------  ------------  
net-analyzer/wireshark  < 4.0.6       >= 4.0.6

Description  
===========

Multiple vulnerabilities have been discovered in Wireshark. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Wireshark users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-4.0.6"

References  
==========

[ 1 ] CVE-2022-3725  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3725  
[ 2 ] CVE-2023-0666  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0666  
[ 3 ] CVE-2023-0667  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0667  
[ 4 ] CVE-2023-0668  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0668  
[ 5 ] CVE-2023-1161  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1161  
[ 6 ] CVE-2023-1992  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1992  
[ 7 ] CVE-2023-1993  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1993  
[ 8 ] CVE-2023-1994  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1994  
[ 9 ] CVE-2023-2854  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2854  
[ 10 ] CVE-2023-2855  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2855  
[ 11 ] CVE-2023-2856  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2856  
[ 12 ] CVE-2023-2857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2857  
[ 13 ] CVE-2023-2858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2858  
[ 14 ] CVE-2023-2879  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2879  
[ 15 ] CVE-2023-2952  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2952  
[ 16 ] WNPA-SEC-2022-07  
[ 17 ] WNPA-SEC-2023-08  
[ 18 ] WNPA-SEC-2023-09  
[ 19 ] WNPA-SEC-2023-10  
[ 20 ] WNPA-SEC-2023-11

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-02

Apple Security Advisory 2023-09-11-3 - macOS Big Sur 11.7.10 addresses buffer overflow and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-11-3 macOS Big Sur 11.7.10

macOS Big Sur 11.7.10 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213915.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

ImageIO  
Available for: macOS Big Sur  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk  
School

macOS Big Sur 11.7.10 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3MACgkQX+5d1TXa  
IvqNSg//bbzgVN2E8yAjEnjXK08rQlR7TmCxvDCa9s2GI3hPYb881pMDz2kG4ntu  
C8MaKgYwQ8f6DKowxL2bJAXz9p48tzfHEcxVVCW3vwel0MrstLQRllrv4GrRrU2T  
/kkOWs4WZPQYMuvf+j08+KlGOWwPdhxNBlkzoZKe1Sq0DKFOBhdwnBfUsQgREMK+  
zFz7iVYHKCgAs8hQwOA7mmxa7W42PO5XuBh2d4bxsjiV+63Z4vIhy3uiXrqGDolT  
pOLsOXpRaLxDeVTi7/AKBJcR+ScC/wTinCBaFuELqQsXeYVKJeLl901MYa54VZtf  
6x+7c/QOKf8LUQR58VH9uB1cRGaC4rI0GfGBMZAR3C1xhM0TRzHuH6HOsBK2ZQva  
OprPGZ8aNb1XhuuZeYYxNnXOtmto8V8ZynBzjoPv5P3BeaBgRbpOnlIsamSTQUeb  
BSLnKQ6MbDbrGBQHcqKhdYyL65EzXGfoYgLbKG+FdzoaTdJ8EO+FXum6smPcHEvm  
uzHkCQvYPZ6ZpeGQ3OPrD0mqTrqdI5JwdM1Qj3ks5srGHH8UYK1k1TQx5kK/5MX1  
1ASkIhexyGtDS3DNVWOaDniRXA6bMNrJCNQC7PU5O1Py0kR1gITB9WAP+LOQ4PBF  
Of9Y2FxFxHMYJ40gHwa5e/mo4Sf5fvnr9WUU9/34VC5f+tTI47M=  
=bfbZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-11-3

Apple Security Advisory 2023-09-11-2 - macOS Monterey 12.6.9 addresses buffer overflow and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-11-2 macOS Monterey 12.6.9

macOS Monterey 12.6.9 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213914.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

ImageIO  
Available for: macOS Monterey  
Impact: Processing a maliciously crafted image may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2023-41064: The Citizen Lab at The University of Torontoʼs Munk  
School

macOS Monterey 12.6.9 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3IACgkQX+5d1TXa  
IvrzPg//a+Al1VjRmASSN1lWptcH3EN4AcviKdzPAcl3Wtlh/28UFzIuMkgyH7B/  
e0VUEgqo+4RqyYVfmWTZJBQ9J0otX3M+wG9XRVt3VlgwStqQ9+sjK1nRIMKq3YO6  
KMVM9TggVAqEQOOTvdPhsb439RoP2q8kAiQnxw0r/CqzWkPnLvDTdLGWW5WO4G2Q  
tFv7z2nV4aPsmZWDwsfc4S8UyrAP+57iBLpegwD6kLaLiRFOm4ZS/bPmWYck0HDK  
qojdx6gJ3fYVCoMexiJuBLpJWdCA582f8SfsgYj1/pIwmTC2Vu5HZz3FxF6ULAuY  
rbmcZO2zA9w30XgjPDtWQ3l00mVi8Pnod4gDD0bN2aYuDtTXWQ7U/zmkT65kDLPO  
uQCZmBAeRLaaUnBlmGRpHBe7zqLlUTU+AcjzRwcXs7WnEuZ59WVCkMlQIELmAx2m  
/2jEcMMBe9GNnxEcSa7N0HBbuPHrakC5JA4u63SYeb2NHe9i5PPlwQvRHJJ+Atps  
LpsqgdSNk0LmLgldzglIVdhoRBo6F3i1BuIeof0STBLgl3AM1jJJWeL0wPv5RV95  
eIN+Uvs7ni1OUZUq0Io7vAg1alyZAv6TZEz8venYA0J+2WxFVu/jOaOxwGJUyzQf  
7fblA7wBfxZ+TdZKzaU6OUCoJP/g/gDWzrBG+0EJGH9dcxJP8no=  
=I1tR  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-11-2

Apple Security Advisory 2023-09-11-1 - iOS 15.7.9 and iPadOS 15.7.9 addresses buffer overflow and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-11-1 iOS 15.7.9 and iPadOS 15.7.9iOS 15.7.9 and iPadOS 15.7.9 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213913.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.ImageIOAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE(1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch(7th generation)Impact: Processing a maliciously crafted image may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited.Description: A buffer overflow issue was addressed with improved memoryhandling.CVE-2023-41064: The Citizen Lab at The University of Torontoʼs MunkSchoolThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.9 and iPadOS 15.7.9".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmT/m3IACgkQX+5d1TXaIvq6Ww//WB9pTBOCCs5nm4b199CRT+zde3vODQd70Jk6hux40O+XnoObqqpB3ZxDeiklegUOLEbGhgKqHyLMWxDUXCx0FaQMx2EzzwfRkYGSRnreDnFLd1V50mC4kWukw711Y6ZEdwrV9DhK0/M/3lzbhOMt4lLrPYeb4i2LJ/zFsqVTW8lrLqITkA3RapnsMtMH/zXzL5PYmNMP8Vbjudb+9T0LQ5+WEh4JvGheVnxe/X7Ijqv+v5MUUbp6U31jxvTrhcKKsOqSgJrBTxoE+AICD7uEFNpcdxXo+yFOfFP7F//iXVWGYGpjb/xmmxiWZGFKhQkuM1wk9tCLZEhQYVRplKAtxTTEzoXfdCLWbHn6drxX2oFA+BThwnInUO2zAGcy2MOoPK9F+JZPheMGdE9ZJa/B8s/Vtim1KL6nQukVXpqtC77RQHo2c5IeDQBSnzhdxLxAL2qqENLt/rrY3tQvvPt5aithjJ4y4wwSUeeavcEqyHbum2XavwmK7YpHiGRdb76wQFd7gISPlgEuDW9mK8bsrNOUk9UDu6EgXrIGgjpvT/YSd779UgxcTUusBfWigHBgtvXF8ju5QrECxNSSRz/Byh+j7Pbf6iVMrvU9TyIJrhIhtHNWMx1fwQVp+eIp5LLjSc1OM0swUL1qtsgXlxcVLkMc0HmFd1BVQRi1g5Pdyp0==+8rR-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-11-1

A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency.
The malicious cyber activity has been codenamed AMBERSQUID by cloud and container security firm Sysdig.
"The AMBERSQUID operation was able to exploit cloud services without triggering the AWS

Cloud Security / Cryptocurrecy

A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency.

The malicious cyber activity has been codenamed **AMBERSQUID** by cloud and container security firm Sysdig.

"The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," Sysdig security researcher Alessandro Brucato said in a report shared with The Hacker News.

"Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service."

Sysdig said it discovered the campaign following an analysis of 1.7 million images on Docker Hub, attributing it with moderate confidence to Indonesian attackers based on the use of Indonesian language in scripts and usernames.

Some of these images are engineered to execute cryptocurrency miners downloaded from actor-controlled GitHub repositories, while others run shell scripts targeting AWS.

A key characteristic is the abuse of AWS CodeCommit, which is used to host private Git repositories, to "generate a private repository which they then used in different services as a source."

The repository contains the source code of an AWS Amplify app that, in turn, is leveraged by a shell script to create a Amplify web app and ultimately launch the cryptocurrency miner.

The threat actors have also been observed employing shell scripts to perform cryptojacking in AWS Fargate and SageMaker instances, incurring significant compute costs for the victims.

Sysdig estimated that AMBERSQUID could result in losses of more than $10,000 per day if it's scaled to target all AWS regions. A further analysis of the wallet addresses used reveals that the attackers have earned more than $18,300 in revenues to date.

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

This is not the first time Indonesian threat actors have been linked to cryptojacking campaigns. In May 2023, Permiso P0 Labs detailed an actor named GUI-vil which was spotted leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out crypto mining operations.

"While most financially motivated attackers target compute services, such as EC2, it is important to remember that many other services also provide access to compute resources (albeit it more indirectly)," Brucato said.

"It is easy for these services to be overlooked from a security perspective since there is less visibility compared to that available through runtime threat detection."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

When you roll out a security product, you assume it will fulfill its purpose. Unfortunately, however, this often turns out not to be the case. A new report, produced by Osterman Research and commissioned by Silverfort, reveals that MFA (Multi-Factor Authentication) and PAM (Privileged Access Management) solutions are almost never deployed comprehensively enough to provide resilience to identity

Identity Threat / Attack Surface

When you roll out a security product, you assume it will fulfill its purpose. Unfortunately, however, this often turns out not to be the case. A new report, produced by Osterman Research and commissioned by Silverfort, reveals that MFA (Multi-Factor Authentication) and PAM (Privileged Access Management) solutions are almost never deployed comprehensively enough to provide resilience to identity threats. As well, service accounts – which are typically beyond the scope of protection of these controls – are alarmingly exposed to malicious compromise. These findings and many more can be found in **"The State of the Identity Attack Surface: Insights Into Critical Protection Gaps****,"** the first report that analyzes organizational resilience to identity threats.

****What is the "Identity Attack Surface"?****

The identity attack surface is any organizational resource that can be accessed via username and password. The main way that attackers target this attack surface is through the use of compromised user credentials. In this way, the identity attack surface differs substantially from other attack surfaces. When targeting endpoints, for example, attackers have to develop innovative malware and zero-day exploits. But in the world of identity the default attack tool is legitimate usernames and passwords. And with an estimated 24B username-password combinations available on the Dark Web, this means the only work attackers need to do is gain the initial access.

****But I Have MFA and PAM in Place to Prevent Attacks****

Do you, though? According to the report, which summarizes findings from 600 identity security professionals surveyed around the world, the vast majority of organizations have MFA and PAM solutions in place yet remain exposed to attacks. Here's why:

****Less than 7% of organizations have MFA protection for the majority of their critical resources****

One of the questions the survey asked was: What proportion of the following resources and access methods are you currently able to protect with MFA?

*   Desktop logins (e.g. Windows, Mac)
*   VPN and other remote connection methods
*   RDP
*   Command-line remote access (e.g. PowerShell, PsExec)
*   SSH
*   Homegrown and legacy apps
*   IT infrastructure (e.g. management consoles)
*   VDI
*   Virtualization platforms and hypervisors (e.g. VMware, Citrix)
*   Shared network drives
*   OT systems

This graph summarizes the results:

These numbers imply a critical gap, since a resource without MFA is a resource that an adversary can seamlessly access using compromised credentials. Translating this to a real-life scenario, a threat actor using command-line tool that's not protected with MFA – such as PsExec or Remote PowerShell – will encounter no obstacles when moving across a network in order to plant a ransomware payload on multiple machines.

****Only 10.2% of organizations have a fully onboarded PAM solution****

PAM solutions are notorious for long, complex deployments, but how bad is it really? The report reveals the answer: It's bad. Here is an aggregation of respondents' answers to the question "Where are you in your PAM implementation journey?"

As you can see, most organizations are stuck somewhere along their PAM journey, which means at least some of their privileged users are exposed to attacks. And keep in mind that admin users are an attackers' fastest path to your crown jewels. Failing to protect all of them is a risk no organization can afford to ignore.

****78% of organizations can't prevent malicious access with compromised service accounts****

Service accounts are a well-known blind spot. Because these non-human accounts are often highly privileged yet can't be protected by MFA – as well as the fact that they are typically undocumented and thus unmonitored – they are a prime target for adversaries.

Here are the answers to the question, "How confident are you in your ability to prevent attackers from using service accounts for malicious access in your environment?"

Note that the term "medium" here is a bit misleading, since the absence of real-time prevention essentially voids the security value of being able to detect an account's compromise.

****How Well Are You Protecting Your Environment's Identity Attack Surface? Use the Maturity Model****

The report goes beyond pointing out weaknesses and gaps — it offers a useful scoring model that, based on aggregated results across all the identity protection aspects, can reveal your level of resilience to identity threats.

The report found that very few organizations – as low as 6.6% – have a disciplined and implemented identity protection strategy in place. But use this model to answer the same questions and see how your organization stacks up, and also what actions you need to take.

_Ready to see how resilient you are to identity threats? Access the report_ _**here**__**.**_

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Think Your MFA and PAM Solutions Protect You? Think Again

A new analysis of the Android banking trojan known as Hook has revealed that it's based on its predecessor called ERMAC.
"The ERMAC source code was used as a base for Hook," NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week.
"All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also

A new analysis of the Android banking trojan known as Hook has revealed that it's based on its predecessor called ERMAC.

"The ERMAC source code was used as a base for Hook," NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week.

"All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical."

Hook was first documented by ThreatFabric in January 2023, describing it as a "ERMAC fork" that's offered for sale for $7,000 per month. Both the strains are the work of a malware author called DukeEugene.

That said, Hook expands on ERMAC's functionalities with more capabilities, supporting as many as 38 additional commands when compared to the latter.

ERMAC's core features are designed to send SMS messages, display a phishing window on top of a legitimate app, extract a list of installed applications, gather SMS messages, and siphon recovery seed phrases for multiple cryptocurrency wallets.

Hook, on the other hand, goes a step further by streaming the victim's screen and interacting with the user interface to gain complete control over an infected device, capturing photos of the victim using the front facing camera, harvesting cookies related to Google login sessions, and plundering recovery seeds from more crypto wallets.

It can further send an SMS message to multiple phone numbers, effectively propagating the malware to other users.

Regardless of these differences, both Hook and ERMAC can log keystrokes and abuse Android's accessibility services to conduct overlay attacks in order to display content on top of other apps and steal credentials from over 700 apps. The list of apps to target is retrieved on the fly via a request to a remote server.

The malware families are also engineered to monitor for clipboard events and replace the content with an attacker-controlled wallet should the victim copy a legitimate wallet address.

A majority of Hook and ERMAC's command-and-control (C2) servers are located in Russia, followed by the Netherlands, the U.K., the U.S., Germany, France, Korea, and Japan.

As of April 19, 2023, it appears that the Hook project has been shuttered, according to a post shared by DukeEugene, who claimed to be leaving for a "special military operation" and that support for the software would be provided by another actor named RedDragon until the customers' subscription runs out.

Subsequently, on May 11, 2023, the source code for Hook is said to have been sold by RedDragon for $70,000 on an underground forum. The short lifespan of Hook aside, the development has raised the possibility that other threat actors could pick up the work and release new variants in the future.

The disclosure comes as a China-nexus threat actor has been linked to an Android spyware campaign targeting users in South Korea since the beginning of July 2023.

"The malware is distributed through deceptive phishing websites that pose as adult sites but actually deliver the malicious APK file," Cyble said. "Once the malware has infected the victim's machine, it can steal a wide range of sensitive information, including contacts, SMS messages, call logs, images, audio files, screen recordings, and screenshots."

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

On top of that, the malware (APK package name "com.example.middlerankapp") takes advantage of accessibility services to monitor the apps used by the victims and prevent uninstallation.

It also contains a feature that allows the malware to redirect incoming calls to a designated mobile number controlled by the attacker, intercept SMS messages, and incorporate an unfinished keylogging functionality, indicating it's likely in active development.

The connections to China stem from references to Hong Kong in the WHOIS record information for the C2 server as well as the presence of several Chinese language strings, including "中国共产党万岁," in the malware source code, which translates to "Long live the Communist Party of China."

In a related development, Israeli newspaper Haaretz revealed that a domestic spyware company Insanet has developed a product called Sherlock that can infect devices via online advertisements to snoop on targets and collect sensitive data from Android, iOS, and Windows systems.

The system is said to have been sold to a country that's not a democracy, it reported, adding a number of Israeli cyber companies have attempted to develop offensive technology that exploits ads for profiling victims (a term called AdInt or ad intelligence) and distributing spyware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hook: New Android Banking Trojan That Expands on ERMAC's Legacy

A command injection vulnerability exists in RTS VLink Virtual Matrix Software Versions v5 (< 5.7.6) and v6 (< 6.5.0) that allows an attacker to perform arbitrary code execution via the admin web interface.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-893251-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2023-34999
        *   Base Score: 8.4 (High)
*   **Published:** 30 Aug 2023
*   **Last Updated:** 30 Aug 2023

**Summary**

A security vulnerability has been uncovered in the admin interface of the RTS VLink Virtual Matrix Software. The vulnerability will allow a Remote Code Execution (RCE) attack.

Versions v5 (< 5.7.6) and v6 (< 6.5.0) of the RTS VLink Virtual Matrix Software are affected by this vulnerability. Older versions are not affected.

The vulnerability has been uncovered and disclosed responsibly by an external team of researchers.

**Affected Products**

*   RTS VLink Virtual Matrix Software on: Windows
    *   CVE-2023-34999
        *   Version(s): 5.0.0 - 5.7.6 (excluding)
        *   Version(s): 6.0.0 - 6.5.0 (excluding)

**Solution and Mitigations****Solution**

Update the VLink Virtual Matrix Software to version 5.7.6 if you are currently using a v5 version.

Update the VLink Virtual Matrix Software to version 6.5.0 if you are currently using a v6 version.

To ensure the security of your system, we strongly recommend that you update your software to the latest version. Instructions for downloading and updating your system may be found at https://products.rtsintercoms.com/binary/VLink\_Upgrade\_Instructions.pdf

**Mitigations**

If updating is not possible it is strongly advised to change the admin password of the RTS VLink Virtual Matrix Software if it is still set to the default password.

Blocking the web interface ports (80 and 443) of the RTS VLink Virtual Matrix Software in a firewall will prevent the vulnerability from being misused from a remote location.

In all cases it is still strongly advised to perform the update as soon as possible since that will remove the vulnerability.

**Vulnerability Details****CVE-2023-34999**

CVE description: A command injection vulnerability exists in RTS VLink Virtual Matrix Software Versions v5 (< 5.7.6) and v6 (< 6.5.0) that allows an attacker to perform arbitrary code execution via the admin web interface.

*   Problem Type:
    *   CWE-94 Improper Control of Generation of Code (‘Code Injection’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.4 (High)

**Remarks****Security Update Information**

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

**CVSS Scoring**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] VLink Upgrade Instructions: https://products.rtsintercoms.com/binary/VLink\_Upgrade\_Instructions.pdf
*   \[2\] VLink Software version 5.7.6: https://products.rtsintercoms.com/binary/VLink\_Virtual\_Matrix\_v576\_230729.zip
*   \[3\] VLink Software version 6.5.0: https://products.rtsintercoms.com/binary/VLink\_Virtual\_Matrix\_v650\_230811.zip

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   30 Aug 2023: Initial Publication

**Appendix****Material List**

Please find the SAP Number and CTN of the affected products below.

SAP Number

CTN

F.01U.216.945

VLINK-8

F.01U.216.946

VLINK-8UPG

F.01U.264.751

VLINK-2EXP

F.01U.388.141

VLINK-8REDNT

F.01U.388.142

VLINK-1RENTAL

F.01U.388.143

VLINK-2REDNT

F.01U.388.144

VLINK-8SIP

F.01U.388.145

VLINK-2SIP

F.01U.388.146

VLINK-8SIPREDNT

F.01U.388.148

VLINK-2SIPREDNT

F.01U.393.239

VLINK-SVU

F.01U.393.240

VLINK-Lite

F.01U.393.241

VLINK-LiteUPG

F.01U.393.242

VLINK-VIDEO

F.01U.393.243

VLINK-VIDEO I/O

F.01U.393.244

VLINK-REC

F.01U.393.245

VLINK-ENCRYPT

F.01U.396.977

VLINK-8 SPACE

F.01U.396.978

VLINK-2 EXSPACE

CVE-2023-34999: Remote Code Execution in RTS VLink Virtual Matrix

By Waqas
A DDoS attack can cripple your servers. Here's a list of DDoS mitigation companies in 2023, along with a brief overview of the DDoS attacks they have effectively mitigated.
This is a post from HackRead.com Read the original post: 10 Top DDoS Attack Protection and Mitigation Companies in 2023

DDoS attack (Distributed Denial of Service attack) is a major threat to businesses of all sizes. They can overwhelm a company’s servers and infrastructure, causing downtime, and making it unavailable to legitimate users. A DDoS attack can also cost a company millions of dollars in lost revenue and productivity.

DDoS mitigation companies offer a variety of solutions to help businesses protect themselves from DDoS attacks. These solutions can include network layer protection, transport layer protection, and application layer protection.

Here is a list of the top 10 DDoS mitigation companies in 2023, along with a brief overview of their services and examples of DDoS attacks they have mitigated:

**1\. Cloudflare**

Cloudflare‘s DDoS mitigation and protection services are designed to protect websites and applications from a wide range of DDoS attacks, including network layer attacks, transport layer attacks, and application layer attacks.

Its services are powered by Cloudflare’s global network, which consists of over 275 data centers in over 100 countries. This allows Cloudflare to filter out malicious traffic before it reaches your website or application.

Cloudflare’s DDoS protection services are also highly scalable. Cloudflare can mitigate even the largest DDoS attacks, without impacting the performance of your website or application.

The company’s services are available in a variety of plans, to meet the needs of businesses of all sizes. Cloudflare also offers a free plan, which includes basic DDoS protection.

Cloudflare has mitigated some of the largest DDoS attacks in history, including a 15.3 million rps (request-per-second) DDoS attack earlier in April 2022 and a 1.3 Tbps attack on GitHub in 2018.

****2\.** Radware**

Radware‘s DDoS protection services are designed to protect networks, data centers, and applications from a wide range of DDoS attacks, including network layer attacks, transport layer attacks, and application layer attacks.

Radware’s DDoS mitigation services are based on a combination of hardware and software solutions. Radware’s hardware appliances are deployed on-premises, while its software solutions can be deployed in the cloud or on-premises.

The company offers a number of key features, including:

*   **Comprehensive protection:** Radware’s DDoS protection services protect against a wide range of DDoS attacks, including new and emerging threats.
*   **High performance:** Radware’s DDoS protection services offer high performance, with minimal impact on legitimate traffic.
*   **Scalability:** Radware’s DDoS protection services can be scaled to meet the needs of businesses of all sizes.
*   **Flexibility:** Radware’s DDoS protection services can be deployed in a variety of environments, including on-premises, cloud, and hybrid environments.

Radware has mitigated DDoS attacks on a variety of high-profile customers, including an 809 Mpps (million packets-per-second) attack on a mainstream bank in Europe in 2020, Bank of America in 2013 and the New York Stock Exchange in 2016.

**3\. Akamai**

  
Akamai offers a range of DDoS protection services that can help businesses defend against sophisticated and well-orchestrated DDoS attacks. Their services are built on dedicated infrastructure and designed to protect internet-facing applications and systems while maintaining fast, highly secure, and always-available DNS.

Akamai’s DDoS protection solutions can be customized to the specifications of web apps and Internet-based services. They offer a holistic DDoS defence with products such as Prolexic, Web Application Protector, Kona Site Defender, and Edge DNS. These solutions provide end-to-end DDoS defence for organizations, ensuring the highest quality of DDoS mitigation to keep applications, data centers, and internet-facing infrastructure protected.

Akamai’s Prolexic is a cloud-based DDoS protection solution that defends data centers and hybrid infrastructures to ensure availability and uptime. It provides comprehensive port and protocol protection against a broad range of DDoS attacks, including high-bandwidth sustained attacks and complex multi-vector attacks.

Akamai has mitigated DDoS attacks on various high-profile customers, including a 2022 attack which peaked at 704.8 million packets per second, Netflix and Amazon. Most recently in March 2023, Akamai managed to mitigate a DDoS attack in Asia that reached 900Gbps.

**4\. AWS Shield**

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. The service was launched in December 2016. It provides dynamic detection and automatic inline mitigations that minimize application downtime and latency. With AWS Shield, you can automatically detect and mitigate sophisticated network-level distributed denial of service (DDoS) events.

You can also customize application protection against DDoS risks through integrations with Shield Response Team (SRT) protocol or AWS WAF. AWS Shield offers two different tiers: AWS Shield Standard and AWS Shield Advanced.

While AWS Shield Standard protects your application at the edge of the AWS network using Amazon CloudFront, AWS Global Accelerator, and Amazon Route, AWS Shield Advanced provides more powerful protection against DDoS attacks. It inspects traffic in real-time and automatically implements mitigation techniques to avoid negative impacts on performance.

AWS Shield has mitigated DDoS attacks on a variety of high-profile customers, including GitHub and Twitch. In June 2020, AWS Shield managed to mitigate a 2.3 TBPS attack, which was the largest ever DDoS attack at that time.

**5\. Azure DDoS Protection**

Azure DDoS Protection is a managed DDoS protection service offered by Microsoft Azure. It is designed to safeguard applications deployed in a virtual network against distributed denial-of-service (DDoS) attacks.

Azure DDoS Protection provides enhanced DDoS mitigation features that are automatically tuned to help protect your specific Azure resources. The service defends against DDoS attacks at layer 3 and layer 4 network layers. For web applications, protection at layer 7 can be added using a Web Application Firewall (WAF) offering.

Azure DDoS Protection offers two tiers: DDoS Network Protection and DDoS IP Protection. DDoS Network Protection provides enhanced DDoS mitigation features for protecting specific Azure resources in a virtual network. It can be enabled on any new or existing virtual network without requiring any application or resource changes.

On the other hand, DDoS IP Protection follows a pay-per-protected IP model and includes additional value-added services such as DDoS rapid response support, cost protection, and discounts on WAF.

Key features of Azure DDoS Protection include always-on traffic monitoring, adaptive real-time tuning, and DDoS protection analytics, metrics, and alerting. The service monitors your application traffic patterns 24/7 and mitigates detected DDoS attacks automatically. Intelligent traffic profiling learns your application’s traffic over time and adjusts the profile accordingly. Azure DDoS Protection also provides analytics, metrics, and alerting capabilities to help you stay informed about potential threats.

Azure DDoS Protection has mitigated DDoS attacks on various high-profile customers, including Microsoft and Sony. According to the company’s “Azure DDoS Protection—2021 Q3 and Q4 DDoS attack trends” report, it also managed to mitigate a 3.47 Tbps attack, and two more attacks above 2.5 Tbps. In October 2021, Microsoft reported on a 2.4 terabit per second (Tbps) DDoS attack in Azure that we successfully mitigated

**6\. Google Cloud Armor**

Google Cloud Armor is a network security service offered by Google Cloud that provides defences against DDoS and application attacks. It offers a rich set of Web Application Firewall (WAF) rules and helps protect workloads behind HTTP/S and TCP/SSL Proxy Load Balancers, Network Load Balancer, using protocol forwarding, or virtual machines (VM) with public IPs. Google Cloud Armor provides enterprise-grade DDoS protection against both Layer 3 and Layer 4 attacks.

It uses a variety of techniques such as rate limiting, scrubbing, and sinkholing to mitigate attacks. In conjunction with the Google Cloud global load balancing infrastructure, Cloud Armor provides always-on DDoS protection from Layer 3 and Layer 4 volumetric and protocol-based attacks.

Google Cloud Armor has mitigated DDoS attacks on a variety of high-profile customers, including Google and Airbnb. In August 2022, the company revealed how it managed to block the largest Layer 7 DDoS attack at 46 million rps aimed at one of its customers.

**7\. Imperva**

Imperva offers a range of DDoS protection services that can help businesses defend against various types of DDoS attacks. Their services are designed to ensure uninterrupted operation and business continuity by securing all your assets at the edge. Imperva’s DDoS protection services provide maximum visibility and optimized performance, allowing you to focus on your core business activities. They offer different protection options for websites, networks, and individual IPs.

Imperva’s DDoS Protection for Websites is an always-on service that immediately mitigates any type or size of DDoS attack targeting web applications. It complements the Imperva cloud web application firewall (WAF), which blocks hacking attempts and attacks by malicious bots.

Imperva’s unique cloud-based DDoS protection services are rapidly deployed with no hardware or software installation or costly, ongoing maintenance. They protect against all types of DDoS attacks, absorbing even multi-gigabyte attacks. Imperva provides a 3-second mitigation SLA against any DDoS attack, ensuring fast response and minimal disruption to service.

Imperva has mitigated DDoS attacks on various high-profile customers, including Visa and MasterCard. According to Imperva’s blog post, the 3 biggest DDoS attacks Imperva mitigated include a Layer 7 Application DDoS Attack measuring over 2.5 million rps in February 2022, a Network DDoS attack with a throughput of 1.02 Tbps in July 2021 and one of the Largest Network DDoS attack of almost 1 Tbps in October 2020.

**8\. F5**

F5 provides a range of DDoS protection services that can help defend your business against application-layer and volumetric attacks. Their services are designed to be flexible and can be deployed in a variety of architectural and operational models, including cloud-based protection, hybrid on-premises defence with on-demand cloud scrubbing, and native application infrastructure form factors. 

F5’s DDoS mitigation solutions are multi-tiered and can defend against multi-vector denial-of-service attacks that target critical infrastructure protocols like DNS and TLS. F5’s DDoS protection services can detect and mitigate large-scale volumetric and targeted application attacks in real time, even defending against attacks that exceed hundreds of gigabits per second. 

F5’s DDoS protection services are backed by the F5 Global Network infrastructure, security tools, and the F5 Security Operations Center (SOC), which is staffed with experts that monitor and protect your business from attack 24/7, 365.

F5 has mitigated DDoS attacks on various high-profile customers, including PayPal and eBay. Although there are hardly any online resources listing the clients F5 has protected from DDoS attacks, in June 2023, MazeBolt named F5 as the preferred remediation vendor for RADAR non-disruptive DDoS testing.

**9\. Nexusguard**

Nexusguard offers a comprehensive DDoS protection platform that defends public-facing websites, applications, APIs, infrastructure, backends, and DNS servers against DDoS attacks of all types and complexities. Their platform is built on the right mix of people, processes, and technology to ensure maximum protection. Nexusguard’s one-stop DDoS protection platform consists of the following components:

1.  **InfraProtect**: Safeguards infrastructure against DDoS attacks.
2.  **Origin Protection (OP)**: Shields networks and systems from threats.
3.  **Application Protection (AP)**: Protects web applications from DDoS attacks.
4.  **Web Application Firewall (WAF)**: Blocks hacking attempts and attacks by malicious bots.
5.  **DNS Protection (DP)**: Ensures 100% availability and efficient resolution of DNS requests for protected domains.

Nexusguard’s DDoS protection services are designed to provide maximum visibility, optimized performance, and uninterrupted operation for businesses. They offer a range of services that can be tailored to meet the specific needs of websites, networks, and individual IPs Nexusguard’s cloud-based DDoS protection services are rapidly deployed without requiring any hardware or software installation or ongoing maintenance. They can absorb even multi-gigabyte attacks and provide a 3-second mitigation SLA to minimize disruption to service.

Nexusguard has mitigated DDoS attacks on a variety of high-profile customers, including the New York Stock Exchange and the Nasdaq. Nexusguard’s whitepaper (PDF) maintained that its services are available around the world, collectively loaded with 1.44Tbps of mitigation capacity.

**10\. Arbor Networks**

Arbor Networks provides a range of DDoS protection services that can help businesses defend against various types of DDoS attacks. Their services are designed to ensure uninterrupted operation and business continuity by securing all your assets at the edge. 

Arbor Networks’ DDoS protection services provide maximum visibility and optimized performance, allowing you to focus on your core business activities. They offer different protection options for websites, networks, and individual IPs.

Arbor Networks’ APS (Arbor Protection System) is an always-on, in-line, intelligently automated DDoS protection solution that provides comprehensive protection from the largest DDoS attacks. It uses hybrid, multi-layer defences to protect against all types of DDoS threats, including cloud-based protection to defend against large, high-volume attacks. 

Arbor Networks’ SP (Security Platform) provides pervasive network visibility and DDoS attack detection. Arbor Networks’ TMS (Threat Management System) provides out-of-path, stateless, surgical mitigation of DDoS attacks as large as 400Gbps.

Arbor Networks has mitigated DDoS attacks on various high-profile customers, including the US Department of Defense and the UK National Security Agency. Arbor is now part of NetScout Systems.

**Bottom Line**

Both big and small businesses should consider implementing a DDoS mitigation service as an integral part of their cybersecurity strategy. While larger enterprises often have dedicated IT resources, smaller businesses are not immune to these threats.

By investing in DDoS mitigation services, businesses of all sizes can proactively defend their digital infrastructure, ensuring uninterrupted online services, safeguarding customer trust, and minimizing potential financial losses in the face of cyberattacks.

Did we miss a company that deserves to be on this list? You can share it in the comment section!

**RELATED ARTICLES**

1.  6 of the Best Crypto Bug Bounty Programs
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  The 10 Best Cybersecurity Companies in the UK
4.  Cybersecurity for Startups: Best Tips and Strategies
5.  Antivirus Software: The Best Deals, Coupons and Discounts
6.  Best-performing cybersecurity firms and their recent developments

Tag

#web