The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks.

That's according to mobile security firm Zimperium's 2023 "Global Mobile Threat Report," which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.

In total, that all contributed to the number of compromised devices nearly tripling (up 187%) in the time period, because the tactics are working: The company saw an average of four malicious phishing links clicked per device, for instance.

The trend comes as companies and their workers rely increasingly on mobile devices, with a majority of firms seeing more workers (58%) using mobile devices for business than in 2021 and most users (59%) doing more work with their mobile devices, according to the 2022 "Verizon Mobile Security Index" report. 

"Businesses and users need to mostly be concerned about mobile phishing and spyware today, and mobile ransomware will become increasingly concerning in the near future," says JT Keating, senior vice president of strategic initiatives at Zimperium. 

**Android, iOS Devices See Different Levels of Cyber Threats**

About 80% of phishing sites specifically target mobile devices with content suited to those platforms, Zimperium stated in its 2023 "Global Mobile Threat Report." But, as has been the case for many years, the Android platform tends to attract more threats. One of the reasons for that could be that the Android operating system has seen between about 500 and 900 vulnerabilities disclosed per year that threat actors can target; iOS meanwhile saw a little more than 300 vulnerabilities in five of the last eight years, according to Zimperium. 

Another reason that Android is a bigger target? App development mistakes. The firm found that there are more mistakes made in the process of developing apps when it comes to Android, particularly when it comes to how those apps interact with cloud storage instances. Only about 2% of iOS applications access unprotected cloud instances, while 10% of Android apps do so. These include database instances accessed through Google Firebase and Cloud Platform, Amazon Simple Storage Service (S3), and Microsoft Azure Cloud Storage, according to Zimperium's report. As a corollary, developers also tend to access the same poor resources, too: Only 1% of unprotected cloud instances accounted for 60% of applications at risk, the company said.

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team (GReAT), says his firm's research bears out the finding that Android attracts more overall threats, though he notes that when it comes to spyware the targeting is evenly split between the two ecosystems; the recent Triangulation cyber espionage campaign for instance shows the value in targeting the iOS platform.

"Mobile users should worry about both cybercrime threats and nation-state espionage, \[but\] it is correct to say that Android faces more general threats," he says. "Android devices are more likely to become infected with malware distributed by cybercriminals. As for top-notch espionage spyware, both iOS and Android are vulnerable to it."

The lack of jailbreaking utilities for the latest version of iOS is also lowering the number of attacks for that platform, according to Zimperium. Jailbreaking allows users to add non-Apple-sanctioned software to their mobile devices, but it also removes significant security guardrails in the process. 

**Threats Up, or Leveling Off?**

In terms of the types of mobile malware that's circulating out there, Kaspersky saw fewer mobile malware installers and less ransomware in the past year, but more banking Trojans, it stated in "The Mobile Malware Threat Landscape in 2022" report.

"Cybercriminals are still working on improving both malware functionality and spread vectors," according to the report. "Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware."

To put all of this into perspective, it should be noted that traditional computing platforms still attract the lion's share of the cybercrime pie. Kaspersky, for example, blocked more than 20 million malicious installers, spyware, and adware attacks on mobile devices over the last four quarters, but blocked more than 20 times that number against more common work platforms, such as Windows. However, the mobile threat vector is not as well protected. 

"In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises," Zimperium's Keating says. "No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical."

Mobile Cyberattacks Soar, Especially Against Android Users

Reflected cross site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows for arbitrary code to be inputted via the double quotes.

Vendor: Sophos

Product: Sophos Web Appliance

Version affected: 4.1.1-0.9

This worked also on the latest v4.3.9.1 version (as of 05 Jan 2020) I used Firefox Browser, 71.1(64-bit) on Windows 10.

**Product description:**

The Sophos Web Appliance is designed to function as a web proxy that provides HTTP security at. the gateway. Potentially risky content is scanned for various forms of malware.

“Sophos Web Appliance (SWA) and Sophos Management Appliance (SMA) will reach End of Life (EOL) on 20 July 2023. When this happens, the products will continue to pass traffic but will no longer receive security or software updates. Cloud services with functions such as support services and LiveConnect will be turned off.”

*   CVE ID: CVE-2023-33336
*   CWE ID: CWE-79

**Proof of Concept:**

Reflected cross-site scripting (XSS) vulnerability was discovered in the product.

It was possible to inject malicious code and input was successfully reflected between doubles quotes. It’s a systemic XSS, which definitely increases risk compared to standard XSS.

Vulnerable input section was possible to set to: status reports configuration

The following Proof of Concept (PoC) demonstrates the attack as well as displaying evidence of the script payload being returned in the response.

    Sample GET request:
    https://10.0.0.17/index.php?c=trend_suspect&period=0&section=reports" onmouseover%3dprompt(1) bad%3d"&STYLE=34f6ad4ed0b9f19a094041a234feb5e3

Authenticated reflected XSS with the privileges of admin user. Sophos Virtual Web Appliance used to demonstrate the vulnerability was the latest available from Sophos trials website.

**References:**

1.  https://www.owasp.org/index.php/Cross-site\_Scripting\_(XSS)
2.  https://support.sophos.com/support/s/article/KB-000039441?language=en\_US
3.  https://docs.sophos.com/nsg/swa/help/en-us/nsg/swa/concepts/AboutYourAppliance.html

CVE-2023-33336: Cross-site scripting (XSS) in Sophos Web Appliance - 4.1.1-0.9

libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.

Skip to content

**Get started with Code Suggestions, available for free during the beta period.**

Code faster and more efficiently with AI-powered code suggestions in VS Code. 13 languages are supported, including JavaScript, Python, Go, Java, and Kotlin. Enable Code Suggestions in your user profile preferences or see the documentation to learn more.

*   libtiff
*   libtiff
*   Issues
*   #520

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -Z 12:50,12:99 -R 270 poc /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
    TIFFAdvanceDirectory: Error fetching directory count.
    loadImage: Image lacks Photometric interpretation tag.
    Fax4Decode: Uncompressed data (not supported) at line 0 of strip 0 (x 10).
    
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop  -Z 12:50,12:9…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    ==3490861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb40a368a45 at pc 0x7fb40d6e7f3d bp 0x7ffca5726e70 sp 0x7ffca5726618
    WRITE of size 296067 at 0x7fb40a368a45 thread T0
        #0 0x7fb40d6e7f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x7fb40d614fb7 in _TIFFmemset /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:341
        #2 0x560accbdb18a in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8499
        #3 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x560accbb4b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x7fb40a368a45 is located 0 bytes to the right of 148037-byte region [0x7fb40a344800,0x7fb40a368a45)
    allocated by thread T0 here:
        #0 0x7fb40d78d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fb40d614f03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x560accbb4d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x560accbe005e in rotateImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:9605
        #4 0x560accbdb9f3 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8566
        #5 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #6 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff7014650f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff701465140: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
      0x0ff701465150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3490861==ABORTING

**poc**

poc

CVE-2023-25433: heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV) (#520) · Issues · libtiff / libtiff · GitLab

Key findings from the research also show three of the four new malware threats on this quarter's top-ten list originated in China and Russia, living-off-the-land attacks on the rise, and more.

**SEATTLE – June 28, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q1 2023. Key findings from the data show phishers leveraging browser-based social engineering strategies, new malware with ties to nation states, high amounts of zero day malware, living-off-the-land attacks on the rise, and more. This edition of the report also features a new, dedicated section for the Threat Lab team’s quarterly ransomware tracking and analysis.

"Organizations need to pay more active, ongoing attention to the existing security solutions and strategies their businesses rely on to stay protected against increasingly sophisticated threats," said Corey Nachreiner, chief security officer at WatchGuard. "The top themes and corresponding best practices our Threat Lab have outlined for this report strongly emphasize layered malware defenses to combat living-off-the-land attacks, which can be done simply and effectively with a platform for unified security run by dedicated managed service providers."

Among its most notable findings, the Q1 2023 Internet Security Report reveals:

*   **New browser-based social engineering trends –** Now that web browsers have more protections preventing pop-up abuse, attackers have pivoted to using the browser notifications features to force similar types of interactions. Also of note from this quarter’s top malicious domains list is a new destination involving SEO-poisoning activity.
*   **Threat actors from China and Russia behind 75% of new threats in the Q1 Top 10 list –** Three of the four new threats that debuted on our top ten malware list this quarter have strong ties to nation states, although this doesn’t necessarily mean those malicious actors are in fact state-_sponsored_. One example from WatchGuard’s latest report is the Zusy malware family, which shows up for the first time in the top 10 malware list this quarter. One Zusy sample the Threat Lab found targets China’s population with adware that installs a compromised browser; the browser is then used to hijack the system’s Windows settings and as the default browser.
*   **Persistence of attacks against Office products, End-of-Life (EOL) Microsoft ISA Firewall –** Threat Lab analysts continue to see document-based threats targeting Office products in the most widespread malware list this quarter. On the network side, the team also noticed exploits against Microsoft’s now-discontinued firewall, the Internet Security and Acceleration (ISA) Server, getting a relatively high number of hits. Considering this product has long been discontinued and without updates, it is surprising to see attackers targeting it.
*   **Living-off-the-land attacks on the rise –** The ViperSoftX malware reviewed in the Q1 DNS analysis is the latest example of malware leveraging the built-in tools that come with operating systems to complete their objectives. The continued appearance of Microsoft Office- and PowerShell-based malware in these reports quarter after quarter underscores the importance of endpoint protection that can differentiate legitimate and malicious use of popular tools like PowerShell.
*   **Malware droppers targeting Linux-based systems –** One of the new top malware detections by volume in Q1 was a malware dropper aimed at Linux-based systems. A stark reminder that just because Windows is king in the enterprise space, this doesn’t mean organizations can afford to turn a blind eye to Linux and macOS. Be sure to include non-Windows machines when rolling out Endpoint Detection and Response (EDR) to maintain full coverage of your environment.
*   **Zero day malware accounting for the majority of detections –** This quarter saw 70% of detections coming from zero day malware over unencrypted web traffic, and a whopping 93% of detections from zero day malware from encrypted web traffic. Zero day malware can infect IoT devices, misconfigured servers, and other devices that don’t use robust host-based defenses like WatchGuard EPDR (Endpoint Protection Detection and Response).  
*   **New insights based on ransomware tracking data –** In Q1 2023, the Threat Lab tallied 852 victims published to extortion sites and discovered 51 new ransomware variants. These ransomware groups continue to publish victims at an alarmingly high rate; some are well-known organizations and companies in the Fortune 500. (Stay tuned for more ransomware tracking trends and analysis as part of WatchGuard’s quarterly Threat Lab research in future reports!)

Consistent with WatchGuard’s Unified Security Platform® approach and the WatchGuard Threat Lab’s previous quarterly research updates, the data analyzed in this quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products whose owners have opted to share in direct support of WatchGuard’s research efforts.   
New for this Q1 2023 analysis, the Threat Lab team has updated the methods used to normalize, analyze, and present the report findings. While previous quarterly research results have primarily been presented in the aggregate (as global total volumes), this quarter and going forward the network security results will be presented as “per device” averages for all reporting network appliances. The full report includes additional detail around this evolution and the rationale behind the updated methodology, as well as details on additional malware, network, and ransomware trends from Q1 2023, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.

For a more in-depth view of WatchGuard’s research, read the complete Q1 2023 Internet Security Report here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

_WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other marks are property of their respective owners._

WatchGuard Threat Lab Report Reveals New Browser-Based Social Engineering Trends

Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.

**Paceart Optima System Application Security Update**

**Summary**

Medtronic has identified a vulnerability in an optional messaging feature in the Paceart Optima cardiac device data workflow system. This feature is not configured by default, and it cannot be exploited unless enabled. As a precautionary measure, Medtronic is notifying customers that if exploited, this vulnerability could result in a healthcare delivery organization’s Paceart Optima system’s cardiac device data being deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration.

Healthcare delivery organizations should work with Medtronic Paceart technical support to install an update to the Paceart Optima application to eliminate this vulnerability from the Paceart Application Server. This security bulletin also includes immediate, temporary steps for a healthcare delivery organization to take to prevent the exploitation of this vulnerability.

**Products impacted**

Paceart Optima™ is a software application that runs on a healthcare delivery organization’s Windows server. The application collects, stores, and retrieves cardiac device data from programmers and remote monitoring systems from all major cardiac device manufacturers to aid in standard workflows. The Paceart Optima product consists of multiple components that work together to deliver product functionality. This vulnerability impacts the Application Server component.

Versions affected:

*   Paceart Optima application versions 1.11 and earlier 

**Vulnerability Overview**

**At this time, Medtronic has not observed any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to this issue.**

During routine monitoring, Medtronic identified a vulnerability in the optional Paceart Messaging Service within the Paceart Optima system, specifically in the Paceart Messaging Service’s implementation of the Microsoft Message Queuing Protocol. The Paceart Messaging Service enables healthcare delivery organizations to send fax, email, and pager messages within the Paceart Optima system.

If a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform Remote Code Execution (RCE) and/or Denial of Service (DoS) attacks by sending specially crafted messages to the Paceart Optima system. RCE could result in the Paceart Optima system’s cardiac device data being deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration. A DoS attack could cause the Paceart Optima system to become slow or unresponsive.

The vulnerability is present in Paceart Optima system versions 1.11 and earlier.

**Recommended Actions****Immediate Mitigation Actions:**

_If you have a combined Application and Integration Server, contact Medtronic Paceart Optima system technical support for immediate mitigation actions. All other configurations, follow the steps below._

The vulnerable code will still be present in the application, but will no longer be exploitable.

Step 1: Manually disable the Paceart Messaging Service on the Application Server. 

1.  Open the ‘Windows Services’ application
2.  Find the ‘Paceart Messaging Service’
3.  Right-click the ‘Paceart Messaging Service’ and select ‘Properties’
4.  Select ‘Stop’ to stop running the service and change the startup type to ‘Disabled’
5.  Select ‘Apply’

Step 2: Manually disable message queuing on the Application Server. 

1.  Open server manager
2.  Select ‘Add roles and features’
3.  Select ‘Start the Remove Roles and Features Wizard’
4.  Before you begin – next
5.  Server selection – next
6.  Server roles – next
7.  Features section – take action. Select the black box next to Message Queuing
8.  When the window pops up select ‘Remove Features’ button
9.  Select ‘next’
10.  Confirmation – select ‘Remove’

As long as the Paceart Messaging Service remains disabled, the vulnerability will remain mitigated.

**Long-term Remediation Action:**

For a complete mitigation on the Application Server, update the Paceart Optima system to version 1.12. This update removes the Paceart Messaging Service function and fully remediates the vulnerability on the Application Server. To schedule an update, please reach out to dl.paceartupdate@medtronic.com.

If you are a patient and are concerned about care delivery associated with the Paceart Optima system, please consult your care provider.

**For more information:**

Contact for more support: Medtronic Paceart Optima system technical support  
1-800-PACEART (722-3278)

**Additional Details:**

Cybersecurity professionals may find the following technical information useful for tracking and risk rating purposes:

\-       The vulnerability has been assigned a CVE number, CVE-2023-31222 

\-       The CVSS score for this vulnerability is 9.8.

**Definitions:**

_**Remote Code Execution**_ – Remote code execution (RCE) is a type of security vulnerability that allows attackers to run arbitrary code on a remote machine if connected to it.

_**Denial of Service Attack**_ - A DoS is a type of cyberattack that is meant to shut down a machine, function or network, making it inaccessible to its intended users by consuming available resources with invalid activity. The most common DoS technique is to send invalid network requests that consume available network resources of an online service.

**_Exploit_ \-**An exploit is a program or methodology created to take advantage of a vulnerability in a system or product to gain unauthorized access or negatively affect proper operation.

**_Vulnerability_ –** A vulnerability is a weakness in systems, software or products that compromises security. A vulnerability allows people to perform bad actions on those same systems, software and products.

CVE-2023-31222: Paceart Optima System

A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.

The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.

The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.

However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.

This move both reflects Akira's evolution as well as a growing trend among ransomware groups, who now see the opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.

"The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats," the researchers wrote in the post.

Indeed, the shift by Akira follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.

Victims span various industries, but the bulk of the victims have come from the education sector, followed close behind by manufacturing, professional services, BFSI, and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.

Akira primarily is focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak data on the Dark Web if they don't pay the requested ransom.

**How Akira's Linus-Targeting Works**

The new Linux ransomware file infects systems in the form of a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function _GetLogicalDriveStrings()_ to obtain a list of the logical drives currently available in the system.

The malware then drops a ransom note in multiple folders with the file name "akira\_readme.txt," and proceeds to search for files and directories to encrypt by iterating through them using the API functions _FindFirstFileW()_ and _FindNextFileW()_.

The ransomware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" libraries to encrypt the victim's machine using a fixed hardcoded base64 encoded public key, renaming encrypted files with the ".akira" extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.

Akira ransomware also includes an additional features that prevents system restoration using a PowerShell command to execute a WMI query that deletes the shadow copy, they added.

The dropped ransom note provides instructions to the victims for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and associated leaks of their data, the researchers said.

**How to Prevent & Mitigate Ransomware**

Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backup practices and keeping those backups offline or in a separate network so that systems can be restored in case of attack, they said.

Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.

As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.

The steps taken after a ransomware attack also have an impact on how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices on the same network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.

Newbie Akira Ransomware Builds Momentum With Linux Shift

Categories: Business
#1 in Endpoint Protection, #1 ROI for Endpoint Management, #1 for EDR implementation.



(Read more...)




The post Top contenders in Endpoint Security revealed: G2 Summer 2023 results appeared first on Malwarebytes Labs.

Navigating the world of endpoint security is challenging, with numerous vendors stoking "Fear, Uncertainty, and Doubt" (FUD) and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Summer 2023 Grid Reports, **Malwarebytes earned 19 "Leader" badges across five endpoint security categories (Antivirus, EDR, Endpoint Management, Endpoint protection platforms, Endpoint protection suites). We also received awards for the #1 spot in Endpoint Protection and the Easiest Setup for EDR, among many others**.

Let's take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

****#1 Endpoint Protection: Highest Rated for Results, Relationship, and More****

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including "Best Results," "Best Support," "Most Implementable," and more.

Dashboard for Nebula, the cloud-hosted security platform for EP and EDR

For example, Malwarebytes EP won the “**Best Results**” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

> “Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”

Chris S.

> “Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”

Robert S.

> “I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”

Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “**Best Relationship**” badge by having the highest combination of "Likely to Recommend," “Ease of business,” and “Quality of Support” ratings.

Here's what some of our customers had to say:

> “The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”

Gary P.

> “Highly recommended, and their support team is the best you can ask for!”

Rifaat K.

****Easiest To Use EDR****

Our EDR solution, paired with our Vulnerability and Patch Management (VPM) modules, delivers an impressive return on investment by quickly enhancing your organization's security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the **best estimated ROI (payback period in months) in the enterprise Endpoint Management category, which evaluate products that help users keep track of devices in a system and ensure their software is secure and up to date**.

> “The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”

Ron M.

> “It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”

Tyson B.

**Most Implementable EDR: Seamless Setup and User-Friendly Experience**

On the Enterprise Implementation Index for Endpoint Detection & Response (EDR) Malwarebytes EDR clutched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

*   Malwarebytes EDR has an Implementation Score several points higher than the industry average.
*   Ease of Setup: Malwarebytes EDR scores several points higher than the industry average in ease of setup.
*   Average User Adoption: Malwarebytes EDR scores several points higher than the industry average in user adoption rate. 

> “The Nebula console is one of the most user-friendly interfaces we've come across. We can't recommend it enough.”

Justin N.

> “Malwarebytes makes it simple to deploy. Additionally, the user interface has minimal impact on the end-user, so its win-win. Support are happy to help when you do hit the occasional bump and the portal is easy to use and very responsive.”

John K.

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”

Mauro B.

> “Very easy to install and deploy, setup, and configure - for instance - a 5 machine setup would take roughly ~10 mins from start to finish.”

Verified User

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings."

Doug C.

Two options to easily begin deployment with your endpoint users in Nebula

****Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense****

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.

UPGRADE TO ENTERPRISE-GRADE PROTECTION

Top contenders in Endpoint Security revealed: G2 Summer 2023 results

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.
Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK

A previously undocumented Windows-based information stealer called **ThirdEye** has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe."

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features.

The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, register usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.

A notable trait of the malware is that it uses the string "3rd\_eye" to beacon its presence to the C2 server.

There are no signs to suggest that ThirdEye has been utilized in the wild. That having said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it's likely that the malicious activity is aimed at Russian-speaking organizations.

"While this malware is not considered sophisticated, it's designed to steal various information from compromised machines that can be used as stepping-stones for future attacks," Fortinet researchers said, adding the collected data is "valuable for understanding and narrowing down potential targets."

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.

"The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim's system performance, and the depletion of valuable system resources," Cyble said.

SeroXen infection chain

Video game users have also been targeted with Python-based ransomware and a remote access trojan dubbed SeroXen, which has been found to take advantage of a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence shows that actors associated with SeroXen's development have also contributed to the creation of ScrubCrypt.

The malware, which was advertised for sale on a clearnet website that was registered on March 27, 2023 prior to its shutdown in late May, has further been promoted on Discord, TikTok, Twitter, and YouTube. A cracked version of SeroXen has since found its way to criminal forums.

"Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as 'cheats,' 'hacks,' 'cracks,' and other pieces of software related to gaining a competitive edge," Trend Micro noted in a new analysis of SeroXen.

"The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors' standards."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

A Directory Browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.

**

Future proof your App development

****

Since it's inception in 1992 MCL-Collection with MCL-Designer is brought to market and has been adapted to the constant changing market requirements, MCL principles haven't.  
With the completely new developed MCL-Designer V4 we wanted to offer our customers with a more powerful and easier to use development environment while maintaining the key elements essential to MCL-Collection, including Cross-OS App development capabilities, intuitive what-you-see-is-what-you-get (WYSIWYG) visual app development and testing tools, and easier integration with Back-End systems.

Build your apps once and deploy to multiple mobile platforms including WinCE, WinMOB and Android.



**

*   **MCL-COLLECTION V4****A suite of products to BUILD-DEPLOY-RUN mobile applications**
    
    MCL-Designer, MCL-Loader, MCL-Client
    
    Find our more
    
*   **BE FUTURE PROOF****Build your App ONCE to deploy on multiple os platforms with ease**
    
    MCL-Designer will help you creating cross-os apps from a single project
    
    Find our more
    
*   **INTUITIVE DESIGN ENVIRONMENT****Build Apps efficiently and effectively**
    
    MCL-Designer offers one integrated Development Environment
    
    Find our more
    
*   **DEPLOY MULTI LINGUAL APPS****Maintain only ONE**
    
    See how MCL Designer let's you build Multilingual Apps with it's embedded localization options
    
    Read more
    
*   **EASY STAGING FOR YOUR MOBILE DEVICES USING MCL-LOADER****Utilize MCL-Loader and deploy your mobile apps effectively**
    
    See how MCL Loader can help you in setting up your mobile devices quickly
    
    Read more
    

**  
MCL-Designer V4 is a comprehensive enterprise mobility development solution which allows the rapid prototyping, design, development, testing of cross platform enterprise mobile datacapture applications.  
MCL-Designer, a zero code design environment, allows you to mobilize any datacapture (Barcode/RFID/Voice) business process on almost any mobile platform quickly and easily.**

**  
MCL-Loader offers Out-Of-the Box deployment capabilities for both Windows and Android devices. It let's you synchronize apps, data and other resources with your mobile devices and reduces the complexity of learning how each and every operating system (WinCE/WM/Android) is working.  
Deploying to only one or many devices has never been easier by utilizing MCL-Loader.**

  

**Mix and Match device types best fitting the needs of your mobile workers, seamlessly switch between communication options (WiFi, Ethernet, 3G/4G), and simply decide on how to exchange business data with your back-end systems.  
MCL-Applications will run optimized on industry equipment and will make your devices run at peak performance. You can choose from having your devices connected directly to your back-end systems or benefit from simplified and cost saving data-storage and exchange capabilities offered by MCL-Mobility Platform**

**

Technologies Embedded

**

*   **Barcode Datacapture****MCL supports natively the barcode scanner or imager coming with the mobile computer, bringing the best datacapture solutions to your mobile workers**
    
*   **Mobile Printing****MCL offers natively the possibility to connect mobile printers directly or through the wifi network and print new barcode labels, price tags, and more at the point of activity, bringing the best mobility solutions to your mobile workers**
    
*   **DataFile Sync****MCL offers quick and easy data synchronization with back-end systems. Our secured data transportation mechanisms maintains data integrity regardless of the transportation methods used, including WiFi or 3/4G internet connections**
    
*   **On-Line AND Off-Line****MCL offers native support for out-of-signal (WiFi/3G) situations and batch type of solutions. Your operators can continue their mobile tasks in off-line situations and sync their date once they are back in coverage. Typical batch applications, like inventory control, can be implemented easily with MCL's ready to go local data (on terminal side) and file sync options**
    
*   **RFID****MCL includes all common RFID functionality natively. You can develop apps including RDID which help you bringing the best RDID datacapture solutions to your mobile workers in no time**
    
*   **Signature Capture****MCL can help you bringing the best datacapture solutions to your mobile workers**
    
*   **Voice Recognition****MCL offers embedded voice recognition technologies to help you bringing the most optimized datacapture solutions to your mobile workers**
    
*   **Adaptive Screen Size****MCL allows the same app to run on different screen sizes, helping you bringing the best datacapture solutions to your mobile workers efficiently**
    
*   **GPS****MCL integrates natively the GPS capabilities offered by the device and helps you bringing the best technology solutions to your mobile workers**
    
*   **Database Integration****MCL integrates natively with the most common databases and helps you bringing the best technology solutions to your mobile workers**
    
*   **Wireless Connectivity****MCL offers extensive support for roaming between WiFi and 3G/4G networks seamlessly, bringing the best technology solutions to your mobile workers**
    
*   **Photo Camera****MCL offers native support for the camera capabilities offered by the device and helps you bringing the best technology solutions to your mobile workers**

CVE-2023-34834: MCL-Collection V4

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?**

/churchcrm/GroupReports.php

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Linux

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.33

**What version of SQL Server are you running?**

5.7.26

**What version of ChurchCRM are you running?**

4.5.3

Description:  
XSS was detected in GroupReports.php, three hidden parameters were found in the code of this page, in which this vulnerability is possible: GroupRole, ReportModel, OnlyCart. A browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact:  
The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions

Proof of Concept:  
**<script>alert('XSS')</script>**

Tag

#windows