ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 13 Apr 2023 13:33:56 -0500
From: Mark Esler <mark.esler@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: ncurses fixes upstream

On 4/12/23 15:40, Jonathan Bar Or (JBO) wrote:

> Hello oss-security,
>
> Our team has worked with the maintainer of the ncurses library (used by several software packages in Linux) to fix several memory corruption vulnerabilities.
> They are now fixed at commit 20230408 - see details here (https://invisible-island.net/ncurses/NEWS.html#index-t20230408)
> A CVE was assigned (CVE-2023-29491) - it's still under a "reserved" status.
>
> How can we ensure those fixes get deployed upstream, in major Linux distributions?

(distros maintain "downstream" versions of the ncurses "upstream")

Ideally, a security patch should only include security relevant changes. 
If a bunch of a documentation or miscellaneous changes are added, it 
makes backporting difficult (i.e., the non-security relevant changes may 
not be desired or cause the patch to not apply cleanly to old versions 
of ncurses). The upstream patch is already made, but that's what I'd 
recommend for future patches. If there's a regression as Alice suggests, 
that might be a good opportunity to redo the patch format.

http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56

When you publish the CVE json5, you can references the patch URL and 
relevant bug discussions to help downstream. Including the CVE number in 
the patch commit is also quite helpful.

Thank you!

> We've reached out to Arch, RedHat, Canonical and other popular distros independently.
Which email did you contact Canonical with? I cannot find anything 
recent for ncurses on security@...ntu.com
>
> Thanks!
>                               JBO
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-29491: security - Re: ncurses fixes upstream

** UNSUPPORTED WHEN ASSIGNED ** The Export User plugin through 2.0 for MyBB allows XSS during the process of an admin generating DSGVO data for a user, via the Custom User Title, Location, or Bio field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

    # Exploit Title: MyBB Export User Plugin 2.0 – Cross-Site Scripting# Date: January 29, 2021# Author: 0xB9# Twitter: @0xB9sec# Software Link: https://community.mybb.com/mods.php?action=view&pid=1408# Version: 2.0# Tested On: Windows 10# CVE: CVE-2023-27890Description:This plugin allows users to request their data to export. XSS occurs when admin is generating data for user.Proof of Concept:– As a regular user go to User CP -> Edit Profile– Add a payload in Custom User Title, Location, or Bio <script>alert(1)</script>– Request your data via User CP -> DSGVO data request– Login as admin you will be notified a user wants their data– When generating the users data their payload will execute

CVE-2023-27890: MyBB Export User 2.0 Cross Site Scripting ≈ Packet Storm

By Owais Sultan
If you encounter a “No signal” issue on your monitor despite your computer being powered on, and you…
This is a post from HackRead.com Read the original post: Troubleshooting No Signal Monitor Issue: Steps to Get Computer Display Back

If you encounter a “No signal” issue on your monitor despite your computer being powered on, and you receive messages such as “No signal detected,” “Check signal cable,” or “No input signal,” regardless of the type of connection (HDMI, VGA, Display Port, DVI), this article will provide you with some simple solutions to help you restore your computer display.

****The Root of the Issue****

If your computer doesn’t turn on when indicator lights are on or turn on when they are off, there could be several reasons. You may encounter three different error messages on your monitor screen that can help identify the issue.

⚠️ No input signal

⚠️ Check signal cable

⚠️ No signal detected

All these notifications indicate that the input is not receiving the supported video signal, and the underlying reason is the same. However, the specific alerts may vary depending on your monitor.

Regardless, it’s important to take your time before sending your computer for repair, as various factors such as the power supply, motherboard, cable, or battery can affect the performance of your equipment.

To troubleshoot and potentially fix the issue, you can take specific steps to identify the cause of the malfunction and attempt to resolve it on your own. Alternatively, you can seek assistance from experts at consulting service Howly for an easier solution. If you prefer to tackle the problem independently, the following information will be helpful.

****Essential Ways to Solve the Problem****

It’s important to start by considering the simple and common causes of the problem, along with their corresponding solution methods. It’s crucial not to skip any point, even if you believe everything is okay with it.

*   Make sure to check if the cable connecting the monitor or PC video card is securely connected and not disconnected. Sometimes, accidental impacts or movements can loosen the cable.
*   If you have recently upgraded your monitor or video card and connected it using an adapter or cable with different interfaces (e.g., Display Port to HDMI, HDMI to VGA/DVI), keep in mind that these cables or adapters can sometimes be the source of problems. Some of them are unidirectional, and others may only work with specific equipment (e.g., video cards that support analogue output via HDMI).

Proper solutions to consider are: Try to connect using the same type of ports or at least digital output to digital input. Avoid using adapters or opt for an active signal converter. Consider using the monitor’s original cable without adapters.

*   If you have connected your computer to a second monitor, projector, or TV, turn off your computer, unplug the TV cable from the video card, then turn the computer back on and check if the “No signal detected” or “Check the signal cable” problem is resolved.
*   If your monitor menu has an input source selection option, open the menu and manually select the input signal used.
*   Connect your monitor to another computer or laptop to rule out a problem with the monitor itself or its ports. If there is no signal on the other computer as well, the issue likely lies with the monitor itself.
*   If your computer previously had a discrete video card, but you now connect the monitor to the integrated video output on the motherboard and receive a “No signal” message, it may be due to disabled integrated video in the BIOS, PCI-E video card priority setting in the BIOS, or the processor lacking integrated video.
*   Some older graphics cards may not output a signal to the Display Port before the drivers are loaded during system boot. If you have just assembled a computer with such a video card or are reinstalling the operating system from a USB flash drive, and the monitor is connected via Display Port, there may be no signal.
*   If you have purchased a new monitor with a USB-C/Thunderbolt connection and connected it to a laptop, check the laptop specifications as not all laptops support display output via USB-C. It is recommended to use the “native” cable provided with the monitor, as not all USB-C cables may support video/audio output to the monitor.

****Heavier Artillery****

If the previously mentioned solutions did not work, here are some other possible options to consider, although they may be more complex than the previous ones, they can still be applied at home.

*   If you have integrated video, you can try disconnecting the discrete graphics card and connecting the monitor to the integrated video output to see if that resolves the issue. If it does, possible causes could be: additional power not connected to the discrete video card, hardware problems with the video card, insufficient power from the power supply unit, or issues with the slot where the video card is plugged in.
*   If your computer appears to be working with fans running and indicator lights on, but there is no signal on the monitor, it may not necessarily mean that the computer is fully functional. Issues with the video card, power supply, RAM, or motherboard power connections can prevent the computer from starting and displaying a signal on the monitor.
*   If your computer starts but the monitor shows a POST/BIOS or logo screen followed by a “No signal” or “Signal is out of range” message, there may be an issue with the output settings of your operating system.

One possible solution is to boot into safe mode and use restore points or boot from a USB flash drive with the same version of the OS you have installed, then select “System Restore” on the second screen at the bottom left corner and use the restore points.

In Windows 10, you can access the recovery environment (Windows RE) after two forced shutdowns. Alternatively, you may need to consider reinstalling the operating system.

****Conclusion****

If you haven’t been able to find a solution for the “No signal” monitor issue, you can always seek help from specialists. It’s important to prepare all the necessary information for them, such as the model of your video card and monitor, details about the connection setup, what might have caused the issue, and what troubleshooting steps you have already taken. With this information, the experts will be able to provide a tailored solution for your specific case.

1.  How to Teach Your Child Coding
2.  What to Do If Your Mac Keeps Freezing
3.  How to Create and Manage Groups on iPhone
4.  Top 5 macOS Monterey Issues You Might Need to Fix
5.  How to Hide Tables in SQL Server Management Studio

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Troubleshooting No Signal Monitor Issue: Steps to Get Computer Display Back

Diasoft File Replication Pro 7.5.0 allows attackers to escalate privileges by replacing a legitimate file with a Trojan horse that will be executed as LocalSystem. This occurs because %ProgramFiles%\FileReplicationPro allows Everyone:(F) access.

**Current Version  7.5.0**  

Requires new license keys - Contact Support Before Upgrading

**Click here to** **See a video of the features and installation process**

 **Notice:** This upgrade will require new license keys.  You must have a current support and upgrade assurance contract on every licensed machine to upgrade.  Should you attempt to upgrade without a current support contract, it will result in a non working installation!  Be warned that you will not be able to rollback to your old version after attempting an upgrade if you are off contract.   **Contact Support** to check your status or to update your contracts.

File Replication Pro (FRP) has been delivering advanced file replication & synchronization technology to customers worldwide for over 20 years. File Replication Pro provides a reliable, super fast, and cost effective solution to the file sharing and availability needs of companies and organizations of all sizes?including international networks. **See all Features**

Robust features include advanced job scheduling, file delta identification, real time O/S hooks, bit level comparison, web GUI administration, bandwidth throttling and native cross platform support (Windows, Linux, Mac OSX).

**Out of hundreds of FRP customers, here is a collection of business use cases:**

*   Architectural designs **company** syncs its work between offices across the USA
*   FRP makes Cross Platform disaster recovery possible for Australian provider
*   Global translation service uses FRP to replicate files between offices

**More Business Use Cases**

CVE-2023-26918: File Replication Pro- RealTime, Secure, Offsite Backup & File Sync

Adobe Substance 3D Designer version 12.4.0 (and earlier) is affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Substance 3D Designer | APSB23-28

Bulletin ID

Date Published

Priority

APSB23-28

April 11, 2023

3

**Summary**

Adobe has released an update for Adobe Substance 3D Designer.  This update addresses critical vulnerabilities in Adobe Substance 3D Designer. Successful exploitation could lead to arbitrary code execution in the context of the current user.    

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Substance 3D Designer  

12.4.0 and earlier versions   

Windows and macOS   

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.     

Product

Version

Platform

Priority

Availability

Adobe Substance 3D Designer  

12.4.1

Windows and macOS   

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Read (CWE-125)  

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26398  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26409  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26410  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26411  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26412  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26413  

Use After Free (CWE-416)  

Arbitrary code execution  

Critiical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26414  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26415  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26416  

**Acknowledgments:**

Adobe would like to thank the following researchers  for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell working with Trend Micro Zero Day Initiative : CVE-2023-26398, CVE-2023-26409, CVE-2023-26410, CVE-2023-26411, CVE-2023-26412, CVE-2023-26413, CVE-2023-26414, CVE-2023-26415, CVE-2023-26416  
    

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-26416: Adobe Security Bulletin

BlackVue DR750-2CH LTE v.1.012_2022.10.26 does not employ authenticity check for uploaded firmware. This can allow attackers to upload crafted firmware which contains backdoors and enables arbitrary code execution.

Specifications

**Model Name**

**DR750-2CH IR LTE (JP)**

**Channel**

2CH

**Highlights**

Built-in 4G LTE, Sony STARVIS image sensors, Infrared (IR) Interior Camera

**Product Dimensions**

**Front:** Black / Width 137.6 mm x Height 43 mm / 166 g  
**Rear:** Black/Width 67.4 mm x Height 25 mm/26 g

**Rear Camera Connection**

Coaxial cable

**Memory Support**

microSD card up to 256GB

**Recording Modes**

– Normal,  
– Event (Impact Detection / Speed Limit / Manual),  
– Parking Mode (Impact+Region-based Motion Detection, Timelapse+Events)

**Parking Mode**

YES (with accessory)

**Parking Mode Event Voice Notifications**

YES

**Imaging Sensor**

**Front:** Sony STARVIS™ CMOS Sensor (Approx. 2.1MP)  
**Rear:** CMOS Sensor (Approx. 2.1 MP)

**Viewing Angle**

**Front:** Diagonal 139°, Horizontal 116°, Vertical 61°  
**Rear:** : Diagonal 145°, Horizontal 118°, Vertical 59°

**Resolution Frame Rate**

**Front / Rear**  
Full HD (1920×1080) @60fps – Full HD (1920×1080) @30fps  
\* Frame rate may vary during Wi-Fi streaming.

**Video Codec**

H.264 (AVC)

**Image Quality and Bitrate Front/Rear**

Highest (Extreme): 25+10 Mbps  
Highest: 12+10 Mbps  
High: 10+8 Mbps  
Normal: 8+6 Mbps

**Format Free**

YES (Adaptive)

**Event File Overwrite Protection**

YES (up to 50)

**SD Card Failure Alert**

YES

**Scheduled Reboot**

YES

**Video File Extension**

MP4

**Wi-Fi**

Built-in (802.11n (2.4~2.4835 GHz))

**Cloud Compatible**

YES

**GPS**

Built-in

**Microphone**

Built-in

**Speaker**

Built-in

**Impact Sensor**

3-Axis Acceleration Sensor

**LED Indicators**

**Front:** Recording LED, GPS LED, LTE/Wi-Fi LED, Front Security LED  
**Rear:** Rear Security LED

**Button**

**Wi-Fi button:** turn Wi-Fi ON/OFF.  
**Format button:** format the microSD card (hold until voice prompt, and then hold again).  
**Proximity sensor:** audio recording ON/OFF _or_ Start Manual Event video. Can be deactivated.  
All actions are confirmed by a voice prompt.

**Operation Temperature**

\-20℃ – 70℃ (-4°F – 158°F)

**Storage Temperature**

\-20℃ – 70℃ (-4°F – 158°F)

**High Temp Cut Off**

Approx. 80℃ (176°F)

**Backup Battery**

Built-in supercapacitor

**Input Power**

DC 12V-24V (DC Plug (Ø3.5 x Ø1.35), MAX 1A/12V)

**Power Consumption Hour**

Avg. 410 mA (4.92 W at 12 V, when GPS and Wi-Fi is On)  
Avg. 320 mA (3.84 W at 12 V, when GPS and Wi-Fi is Off)  
Avg. 450 mA (5.4W at 12 V, when GPS and LTE is On)  
\* Approx. 60mA increase in current when IR LEDs are ON.  
\* Actual power consumption may vary depending on use  
conditions and environment.

**Certifications**

**Front:** : RCM, Telec, CE, FCC, PTCRB, ISED, RoHS, WEEE  
**Rear:**CE, FCC, RoHS, WEEE

**Software**

BlackVue Viewer  
\* Windows XP or higher and Mac Yosemite OS X (10.10) or higher

**Application**

BlackVue Application (Android 5.0 or higher, iOS 9.0 or higher)

**Others**

Built-in 4G LTE module compatible with Nano-SIM.  
Frequency Bands: Japan (**JP** version): B1, B3, B18, B19

**LTE**

Built-in (SIM card not included)

CVE-2023-27748: DR750-2CH IR LTE (JP)

By Waqas
Is it a highly dubious claim by the infamous LockBit 3.0 ransomware gang? It looks like it!
This is a post from HackRead.com Read the original post: LockBit 3.0 Posts Dubious Claims of Breaching Darktrace Cybersecurity Firm

**Darktrace, a leading cybersecurity firm renowned for its AI-powered threat detection and response solutions, has swiftly dismissed LockBit 3.0’s statements.**

LockBit 3.0, a notorious ransomware gang known for its high-profile and some time making up attacks, has claimed to have successfully hacked, prominent Cambridge, United Kingdom-based Darktrace cybersecurity company.

The gang announced the breach on its dark web portal, where they posted images of Darktrace’s CEO Poppy Gustafsson that are already publicly available. Although LockBit 3.0 claims to have published the alleged stolen data, clicking the download links on the gang’s website only redirects users to Darktrace’s official website.

Screenshot from LockBit 3.0’s website (Credit: Hackread.com)

Darktrace, on the other hand, has issued a statement acknowledging the claims made by LockBit 3.0, but denying any breaches or malicious activity.

> **Our security teams have run a full review of our internal systems and can see no evidence of compromise. None of the LockBit social media posts link to any compromised Darktrace data. We will continue to monitor the situation extremely closely, but based on our current investigations we are confident that our systems remain secure and all customer data is fully protected.**
> 
> Darktrace

LockBit 3.0 has a track record of targeting high-profile organizations, such as a SpaceX contractor, and demanding hefty ransoms for the release of encrypted data. Yet, the group has faced allegations of fabricating claims about compromising new victims. For example, in a similar instance last year, LockBit 3.0 claimed to have breached cybersecurity firm Mandiant, which is owned by Google. However, Mandiant swiftly denied and dismissed the gang’s statements.

There has also been confusion regarding whether LockBit 3.0 initially meant Darktrace or DarkTracer, a Singapore-based threat intelligence and OSINT firm, as their victim. However, it is safe to say that neither Darktrace nor DarkTracer has been targeted or impacted by any breach. Read more about this on Twitter.

> The reliability of the RaaS service operated by LockBit ransomware gang seems to have declined. They appear to have become negligent in managing the service, as fake victims and meaningless data have begun to fill the list, which is being left unattended. pic.twitter.com/mfGhH93oYh
> 
> — Fusion Intelligence Center @ DarkTracer (@darktracer\_int) April 12, 2023

****Ransomware, a growing threat****

In recent years, ransomware attacks have become a major cybersecurity challenge, causing significant financial losses and reputational damage to businesses and organizations worldwide.

These attacks often result in data breaches, operational disruptions, and financial extortion, as victims are left with few options other than paying the ransom or facing severe consequences.

As the cybersecurity landscape continues to evolve, organizations must remain vigilant in their efforts to safeguard their systems and data from cyber threats. This includes implementing robust cybersecurity measures, regularly updating and patching systems, and providing comprehensive employee training on cybersecurity best practices.

1.  Hackers infiltrate Western Digital Internal Systems
2.  New Strain of Rorschach Ransomware Hits US Firms
3.  LockBit blames victim for DDoS attack on its website
4.  UK Criminal Records Office Hit by Ransomware Attack
5.  New Cylance Ransomware Targets Linux and Windows

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

LockBit 3.0 Posts Dubious Claims of Breaching Darktrace Cybersecurity Firm

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

File Replication Pro version 7.5.0 suffers from having insecure directory permissions that can allow a local attacker the ability to escalate privileges.

    # Exploit Title: File Replication Pro 7.5.0 - Password disclosure/reset & PrivEsc due Incorrect Access Control# Date: 2023-04-13# Exploit Author: Andrea Intilangelo# Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com# Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe# Version: 7.5.0# Tested on: Windows 10 Pro 22H2 x64# CVE: CVE-2023-26918Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation byreplacing a file with another one that will be executed with "LocalSystem" rights from Windows Services application.C:\Program Files>icacls "c:\Program Files\FileReplicationPro"c:\Program Files\FileReplicationPro Everyone:(F)                                    Everyone:(OI)(CI)(IO)(F)C:\Users\Administrator>sc qc frp[SC] QueryServiceConfig OPERAZIONI RIUSCITENOME_SERVIZIO: frp        TIPO                      : 10  WIN32_OWN_PROCESS        TIPO_AVVIO                : 2   AUTO_START        CONTROLLO_ERRORE          : 1   NORMAL        NOME_PERCORSO_BINARIO     : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp        GRUPPO_ORDINE_CARICAMENTO :        TAG                       : 0        NOME_VISUALIZZATO         : FRPReplicationServer        DIPENDENZE                : Tcpip                                  : Afd        SERVICE_START_NAME : LocalSystemTo exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runswith LocalSystem privileges as "frp" (FRPReplicationServer) service, since the application's path has "Everyone" fullaccess permissions.Moreover, the "properties.xml" file in the "etc" folder inside program's path contains the hashed password for remoteaccess stored in sha1(base64) value, that is possible to modify. Replacing it with a new hash, generated by encryptinga string in SHA-1 and encoding its digest via base64, will grant the login access on the application's web interface.

File Replication Pro 7.5.0 Insecure Permissions / Privilege Escalation

The Microsoft Windows Kernel has insufficient validation of new registry key names in transacted NtRenameKey.

Tag

#windows