Google on Thursday outlined a set of initiatives aimed at improving the vulnerability management ecosystem and establishing greater transparency measures around exploitation.
"While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they're known and fixed, which is the real story," the company said in an announcement. "Those risks span everything from

Google on Thursday outlined a set of initiatives aimed at improving the vulnerability management ecosystem and establishing greater transparency measures around exploitation.

"While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they're known and fixed, which is the real story," the company said in an announcement. "Those risks span everything from lag time in OEM adoption, patch testing pain points, end user update issues and more."

Security threats also stem from incomplete patches applied by vendors, with a chunk of the zero-days exploited in the wild turning out to be variants of previously patched vulnerabilities.

Mitigating such risks requires addressing the root cause of the vulnerabilities and prioritizing modern secure software development practices to eliminate entire classes of threats and block potential attack avenues.

Taking these factors into consideration, Google said it's forming a Hacking Policy Council to "ensure new policies and regulations support best practices for vulnerability management and disclosure."

The company further emphasized that it's committing to publicly disclose incidents when it finds evidence of active exploitation of vulnerabilities across its product portfolio.

Lastly, the tech giant said it's instituting a Security Research Legal Defense Fund to provide seed funding for legal representation for individuals engaging in good-faith research to find and report vulnerabilities in a manner that advances cybersecurity.

Google's latest security push speaks to the need for looking beyond zero-days by making exploitation difficult in the first place, driving patch adoption for known vulnerabilities in a timely manner, setting up policies to address product life cycles, and making users aware when products are actively exploited.

It also serves to highlight the importance of applying secure-by-design principles during all phases of the software development lifecycle.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

The disclosure comes as Google launched a free API service called deps.dev API in a bid to secure the software supply chain by providing access to security metadata and dependency information for over 50 million versions of five million open source packages found on the Go, Maven, PyPI, npm, and Cargo repositories.

In a related development, Google's cloud division has also announced the general availability of the Assured Open Source Software (Assured OSS) service for Java and Python ecosystems.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Launches New Cybersecurity Initiatives to Strengthen Vulnerability Management

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Categories: Ransomware
Categories: Threat Intelligence
Cl0p was the most used ransomware in March 2023, dethroning the usual frontrunner LockBit, after breaching over 104 organizations with a zero-day vulnerability.



(Read more...)




The post Ransomware review: April 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In a surprising turn of events for the ransomware landscape, Cl0p has emerged as the most used ransomware in March 2023, dethroning the usual frontrunner, LockBit. Indeed, while LockBit was still used in 93 successful attacks last month, it couldn't quite match the sheer force of Cl0p's sudden resurgence.

Contributing to Cl0p's rise to the number one spot was its extensive GoAnywhere campaign. The group successfully breached over 104 organizations by taking advantage of a zero-day vulnerability in the widely-used managed file transfer software, GoAnywhere MFT.

March has also seen some intriguing activity from other ransomware gangs like DarkPower, which appeared to be turning on and off throughout the month, as well as BianLian, which has shifted its focus from encrypting files altogether to pure data-leak extortion.

Known ransomware attacks by gang, March 2023

Known ransomware attacks by country, March 2023

Known ransomware attacks by industry sector, March 2023

Fortra, the company behind GoAnywhere MFT, released an emergency patch (7.1.2) for the vulnerability in early February—but by then, Cl0p had already used it to break into a myriad of networks and deploy ransomware.

Recent research by Malwarebytes highlighted the bias that ransomware gangs have for attacking English-speaking countries, and the Cl0p campaign follows the same trend. Between them, the Anglosphere countries of the USA, Canada, UK, and Australia accounted for 69% of known Cl0p attacks, with Canada and Australia suffering more attacks than countries with bigger populations and economies, like Germany and France.

Known ransomware attacks by Cl0p, March 2023

Cl0p's ability to exploit a zero-day to such effect is akin only in recent memory to the Kaseya VSA ransomware incident in July 2022. The Kaseya attack involved a malicious auto-update that pushed the REvil ransomware onto victims' machines, primarily targeting Managed Service Providers (MSPs), causing widespread downtime for over 1,000 companies.

The successful use of zero-day vulnerabilities by ransomware gangs like Cl0p and REvil is, thankfully, relatively rare. However, when it happens it can be devastating. Ransomware gangs are always looking for new tactics to help them maximize the impact of their attacks and, rare or not, we should all be concerned about the example Cl0p has set for weaponizing a newly discovered vulnerability and exploiting it before a patch is released or applied.

Known Cl0p victims include Rubrik, Hatch Bank and Community Health Systems (CHS).

Cl0p wasn’t the only gang we saw last month experiencing an unexpected surge in activity.

**BlackBasta and LockBit**

In January 2023, we noted a complete absence of activity from BlackBasta, a group which up to that point had usually ranked highly on our monthly charts. That trend continued into February, but in March it returned with a vengeance with over 40 known victims. It’s hard to tell why BlackBasta went underground for two months only to eventually burst back onto the scene, but it's possible that the group was working on developing new attack techniques or evading detection. Other possibilities are a sudden change in leadership, that the group wanted to lay low to avoid the attention of law enforcement, or it simply wanted a break. This kind of thing isn't unusual and the group's sudden re-emergence highlights the unpredictable nature of ransomware gangs and the need for constantly monitoring the latest threat intelligence. Just because a group is gone today doesn't mean it won't be back tomorrow.

Meanwhile, LockBit’s activity in March was headlined by a major ransomware attack on Essendant, a US-based distributor of office products. This attack, which is said to have begun on or around March 6, created severe ramifications for the organization, disrupting freight carrier pickups, online orders, and access to customer support.

In other LockBit news, a CISA advisory on LockBit 3.0 ransomware was released on March 16, 2023. LockBit 3.0, also called LockBit Black, was discovered in June 2022. While many of LockBit 3.0’s TTPs remain consistent with previous versions, the advisory sheds light on the updated and enhanced features in LockBit 3.0. These improvements include more advanced detection evasion methods and customization options that enable affiliates to modify the ransomware's behavior according to their requirements, making the ransomware harder to detect and counter.

**Dark Power**

March saw the rise of Dark Power, a new ransomware group that tallied 10 victims. Dark Power’s ransomware is interesting in that it is written in the relatively obscure Nim programming language.

Dark Power's approach to ransomware, despite being relatively basic, manages to create unique encryption keys for each targeted machine, making it difficult to develop a generic decryption tool. The ransomware effectively stops services and terminates processes, ensuring the encryption process is unhindered. It also clears logs, making it harder for analysts to investigate an attack.

The effectiveness of Dark Power ransomware underlines the fact that attackers do not always need advanced, novel techniques to succeed. A basic approach, executed well and combined with an adaptable programming language, can prove to be just as effective.

**BianLian**

BianLian, a ransomware gang that first appeared in July 2022 and has consistently hovered near the top of our monthly charts, has shifted its focus from encrypting files to data-leaks. The group's shift in focus can be attributed to the release of a decryption tool by Avast, which made encrypting files less effective for BianLian. Consequently, the group now focuses on threatening to leak stolen data to extort payments from victims instead.

BianLian's shift toward data-leak extortion demonstrates that RaaS gangs can be highly adaptable to changing circumstances, such as the emergence of decryption tools that undermine encryption-based ransomware. This strategic shift allows them to maintain a steady income stream, even as traditional methods lose their effectiveness.

As organizations face the daunting prospect of sensitive data leaks or security breach exposure, they are more likely to pay ransoms to avoid legal, financial, and reputational repercussions. Furthermore, the lingering threat of leaked data, even after recovering encrypted files, makes it harder for victims to resist paying ransoms. 

Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: April 2023

Adobe Digital Editions version 4.5.11.187303 (and earlier) is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Digital Editions | APSB23-04

Bulletin ID

Date Published

Priority

APSB23-04

April 11, 2023    

3

**Summary**

Adobe has released a security update for Adobe Digital Editions. This update resolves one critical vulnerability that could result in arbitrary code execution.     

**Affected product versions**

**Product**

**Version**

**Platform**

Adobe Digital Editions

4.5.11.187303 and earlier versions  

Windows

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Digital Editions

4.5.11.187658  

Windows

3

Download Page

*   Customers can download the update from the Adobe Digital Editions download page, or utilize the product’s update mechanism when prompted.

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**    

**CVSS vector**   

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-21582  

**Acknowledgments**

Adobe would like to thank the following security researchers for reporting these issues and for working with Adobe to help protect our customers.       

*   Michael DePlante (@izobashi) with Trend Micro Zero Day Initiative - CVE-2023-21582

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-21582: Adobe Security Bulletin

**MOUNTAIN VIEW, Calif., April 11, 2023** – Menlo Security, a leader in browser security, today shared results from the CyberEdge Group’s 10th Annual Cyberthreat Defense Report (CDR). This year’s report, sponsored in part by Menlo Security, highlights the growing importance of browser isolation technologies to combat ransomware and other malicious threats. This continues to be critically important as the research revealed that 78% of ransomware attacks include threats beyond data encryption.

Threat actors know today’s employees spend most of their time working in their web browser, making it both a critical business asset and an attractive attack vector if not properly protected. More than half (51%) of respondents use some form of browser or Internet isolation to protect their organizations, with another 40% planning to deploy this type of technology in the next 12 months. Furthermore, 33% of respondents noted that browser isolation is a key element of their cybersecurity strategy for protecting against sophisticated attacks such as ransomware, phishing and zero-day attacks.

This growing focus on browser security is validated by CDR findings that four in five respondents said that when victimized by ransomware attacks, which are often delivered through the browser, they faced the consequences of multiple threats if they did not pay the ransom. These multi-level attacks included threats to publicly release exfiltrated data (40%), notify customers/media of a data breach (42%) or commit a DDoS attack against the organization (42%).

“Evasive web threats, including Highly Evasive Adaptive Threats (HEAT), often come through the web browser and easily bypass multiple layers of detection in prominent security technology, resulting in malware, compromised credentials, and, many times, ransomware,” said Mark Guntrip, senior director of cybersecurity strategy at Menlo Security. “The CDR shows that the risk of ransomware delivered via a HEAT attack is becoming even more serious, with multiple threats in one payload. Preventing it is critical and browser isolation technologies are a highly effective way to do so.”

This year’s CDR notes browser isolation as an up-and-coming technology that allows employees to perform activities such as accessing websites, opening emails and downloading documents in an isolated environment in the cloud. Because the browser session is isolated, any malware, ransomware or other threats are unable to reach corporate systems, negating the effectiveness of even sophisticated attacks.

“It’s exciting to see browser isolation technologies embraced by CDR respondents, in part because they’re designed to improve security without affecting the end user’s experience at all,” said Steve Piper, founder and CEO of CyberEdge Group. “We think that we’ll all be hearing more about the importance of this type of technology in the future.”

**About the CDR**

In November 2022, 1,200 IT security decision makers and practitioners completed a 27-question online survey. Each participant was employed by a commercial or government entity with a minimum of 500 employees. Participants came from six geographic regions: North America, Europe, Asia Pacific, the Middle East, Latin America, and Africa. The CDR gauges perceptions about cyberthreats and ascertains future plans for improving security and reducing risk. It empowers IT security professionals to benchmark their company’s security posture, operating budget, product investments, and best practices against peers in their industry and geographic region.

**About CyberEdge Group**

CyberEdge Group is an award-winning research and marketing consulting firm serving the diverse needs of information security vendors and service providers. Headquartered in Annapolis, Maryland, with 60+ consultants based across North America, CyberEdge works with approximately one in every six IT security vendors. The company’s annual Cyberthreat Defense Report provides information security decision makers and practitioners with practical, unbiased insight into how enterprises and government agencies defend their networks in today’s complex cyberthreat landscape. For more information, visit www.cyber-edge.com. The CyberEdge Group name and logo are trademarks of CyberEdge Group, LLC in the United States and other countries. All other trademarks and service marks are the property of their respective owners.

**About Menlo Security**

Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email. Menlo Security’s patented Isolation-powered cloud security platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end user-experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies, eight of the ten largest global financial services institutions, and large governmental institutions. The company is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JP Morgan Chase. Menlo Security is headquartered in Mountain View, California. For more information, please visit www.menlosecurity.com.

Menlo Security Illustrates Importance of Browser Security as 4 in 5 Ransomware Attacks Include Threats Beyond Data Encryption

**MIAMI****,** **April 12, 2023** **/PRNewswire/ --** Network Assured has reported that data leaks, phishing scams and malware infections attributable to ChatGPT are on the rise. The report tracks the most significant cybersecurity breaches in which ChatGPT has been involved and has found almost two new events of concern each week through March and April 2023.

**March Saw OpenAI's First Major Data Leak**

As many as 1.2% of ChatGPT users during a particular session in March may have had their payment details exposed to the public. While the bug that caused the leak was quickly fixed, the leak's impact on credit card fraud and identity theft may not be known for months.

**3 New ChatGPT-linked Security Events in First Two Weeks of April**

In April alone, the report found: ChatGPT was involved in a major data leak at Samsung, where staff members uploaded sensitive information that included source code from defective equipment and the transcripts of private meetings.

The report also revealed:

*   **A 135% increase in novel phishing attacks:** Hackers are using tools like ChatGPT to create more convincing phishing emails using sophisticated language that matches the target organization.
*   Fake browser **plugins posing as ChatGPT deployed malware to as many as 2,000 people per day** over a 6 day period in March.
*   **Scammers Impersonated OpenAI to promote a fake Defi token** with a phishing email campaign.
*   Dark web forum users are distributing **scripts that allow malicious actors to bypass ChatGPTs illegal content filters** and create new Malware.
*   11% of what company employees paste into ChatGPT during the course of work, was sensitive company information.

**Researchers Use ChatGPT to Create Undetectable Zero Day Virus**

Documenting additional cybersecurity risks, the report highlights the first case of ChatGPT creating a Zero Day virus, with undetectable exfiltration, that successfully passed a virus scan.

The virus was made by a novice developer, using only prompts from ChatGPT. In his worrying conclusion, the developer noted that _"this kind of end to end, very advanced attack has previously been reserved for nation state attackers."_

**A.I. Tools Are Fighting Cybercrime Too**

Fortunately, A.I. tools are also being used to detect and prevent cyberattacks at an increasing rate. The report cites evidence from January 2023 indicating that AI-based security tools stopped over 1.7 million malware attacks within a 90 day period.

To see the complete set of leaks, phishing attempts and malware attacks and cyber risks attributable to ChatGPT, including a full breakdown of the largest healthcare breaches by records stolen, and damage incurred, with full color charts, please see the report here.

**About Network Assured**

Network Assured is a free, independent advisory that helps businesses price cybersecurity services, perform due diligence, and find better vendors. Learn more at www.NetworkAssured.com.

Report Reveals ChatGPT Already Involved in Data Leaks, Phishing Scams & Malware Infections

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB23-24  

**Bulletin ID**

**Date Published**

**Priority**

APSB23-24  

April 11, 2023

3

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, security feature bypass and memory leak.                                   

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

23.001.20093 and earlier versions  

Windows &  macOS

Acrobat Reader DC

Continuous 

23.001.20093 and earlier versions  

Windows & macOS

Acrobat 2020  

Classic 2020             

20.005.30441 and earlier versions  

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.005.30441 and earlier versions  

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.  

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

23.001.20143  

Windows and macOS

3

Release Notes     

Acrobat Reader DC

Continuous

23.001.20143  

Windows and macOS

3

Release Notes     

Acrobat 2020  

Classic 2020             

20.005.30467  

Windows  and macOS    

3

Release Notes     

Acrobat Reader 2020  

Classic 2020   

20.005.30467  

Windows  and macOS   

3

Release Notes   

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26395  

Violation of Secure Design Principles (CWE-657)  

Privilege escalation  

Important

6.6

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L  

CVE-2023-26396  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26397  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical

8.6

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H  

CVE-2023-26405  

Improper Access Control (CWE-284)  

Security feature bypass  

Critical

8.6

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H  

CVE-2023-26406  

Improper Input Validation (CWE-20)  

Arbitrary code execution  

Critical 

8.6

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H  

CVE-2023-26407  

Improper Access Control (CWE-284)  

Security feature bypass  

Critical

8.6

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H  

CVE-2023-26408  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26417  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26418  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26419  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26420  

Integer Underflow (Wrap or Wraparound) (CWE-191)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26421  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26422  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26423  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26424  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26425  

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day Initiative - CVE-2023-26417, CVE-2023-26418, CVE-2023-26419, CVE-2023-26420, CVE-2023-26422, CVE-2023-26423,  
    
*   AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa) - CVE-2023-26405, CVE-2023-26406, CVE-2023-26407, CVE-2023-26408  
    
*   Anonymous working with Trend Micro Zero Day Initiative - CVE-2023-26424, CVE-2023-26425, CVE-2023-26421  
    
*   Qingyang Chen of Topsec Alpha Team  CVE-2023-26395  
    
*   Koh M. Nakagawa (tsunekoh) - CVE-2023-26396  
    
*   Kai Lu of Zscaler's ThreatLabz - CVE-2023-26397

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-26425: Adobe Security Bulletin

Adobe Dimension version 3.4.8 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Dimension | APSB23-27

Bulletin ID

Date Published

Priority

APSB23-27

April 11, 2023

3

**Summary**

Adobe has released an update for Adobe Dimension. This update addresses critical and important vulnerabilities in Adobe Dimension including third party dependencies.  Successful exploitation could lead to memory leak and arbitrary code execution in the context of the current user.      

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Dimension  

3.4.8 and earlier versions   

Windows and macOS   

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.     

Product

Version

Platform

Priority

Availability

Adobe Dimension  

 3.4.9  

Windows and macOS   

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26372  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26373  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26374  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26375  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26376  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26377  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26378  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26379  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26380  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26381  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26382  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26400  

Out-of-bounds Read (CWE-125)  

Memory leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2023-26401  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26404  

Out-of-bounds Read (CWE-125)  

Memory leak

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2023-26371  

**Updates to Dependencies**

Dependency    

Vulnerability

Impact

Affected Versions

SketchUp  

Access of Uninitialized Pointer (CWE-824)  

Memory Leak  

3.4.8 and earlier versions  

**Acknowledgments:**

Adobe would like to thank the following researchers  for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell working with Trend Micro Zero Day Initiative  - CVE-2023-26372, CVE-2023-26374  
    
*   Michael DePlante (@izobashi) working with Trend Micro Zero Day Initiative -  CVE-2023-26375, CVE-2023-26376, CVE-2023-26377, CVE-2023-26378, CVE-2023-26379, CVE-2023-26380, CVE-2023-26381, CVE-2023-26382, CVE-2023-26400, CVE-2023-26401, CVE-2023-26404  
    
*   Qingyang Chen of Topsec Alpha Team - CVE-2023-26373  
    
*   Mat Powell & Michael DePlante (@izobashi) working with Trend Micro Zero Day Initiative - CVE-2023-26371  
    

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2023-26404: Adobe Security Bulletin

Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.

Microsoft has identified another Israel-based threat organization, similar to NSO Group, that is selling mobile spyware and other cyber espionage tools and services to international governments to monitor and spy on private individuals.

Microsoft Threat Intelligence researchers have discovered links between a threat group they've been tracking as DEV-0196, which offers iOS malware, and a private-sector company called QuaDream that sells a platform for exfiltrating data from mobile devices, researchers said in a blog post published April 11. Without explicitly stating so, the researchers suggested that DEV-0196 and QuaDream are actually one and the same.

"Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream," the researchers wrote. "We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the \[company's 'Reign' offering\]."

The parallels between the activity of the separately linked entities is eerily similar to that of Israel-based NSO Group, which has been widely condemned, blacklisted, and even sued for its role in selling the iOS-based spyware known as Pegasus to hostile governments to target journalists, activists, politicians, businesspeople, and other private citizens with unethical cyber espionage activity. The spyware notably targets zero-day flaws with exploits, making it difficult to mitigate or detect its nefarious activity.

**Suspicious QuaDream Activity**

Similarly, QuaDream's REIGN is a suite of exploits, malware, and infrastructure designed to extract data from mobile devices for allegedly legal purposes, however, the company suspiciously doesn't have a website, and a 2022 Reuters report suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit.

According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. A report by news outlet Haaretz, citing a QuaDream brochure, claimed that the government of Saudi Arabia — known for targeting journalists and others who speak out against its policies — was among QuaDream's clients, as was the government of Ghana.

A separate December 2022 report from Meta, which reportedly took down 250 accounts associated with QuaDream, also shed light on the activity of the company. That report claimed that QuaDream was testing its ability to exploit iOS and Android mobile devices with the intent "to exfiltrate various types of data including messages, images, video and audio files, and geolocation," the researchers said.

Meanwhile, Microsoft Threat Intelligence believes that DEV-0196 is selling both exploitation services and its KingsPawn iOS malware to governments to spy on and track members of civil society — including journalists, political opposition figures, and a non-government organization (NGO) worker — in locations across Europe, North America, the Middle East, and Southeast Asia.

Microsoft worked with several partners on the investigation of the links between QuaDream and DEV-0196, including Citizen Lab of the University of Toronto's Munk School, which identified at least five targets of DEV-0196 across the aforementioned geographies. It also identified operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Citizen Lab has released its own separate report about the findings.

The behavior of DEV-0196 is consistent with that of "private sector offensive actors (PSOAs)" or "cyber mercenaries," according to Microsoft Threat Intelligence, which sell hacking tools or services through a variety of business models — including access as a service — to the highest bidder. They don't directly target individuals or run cyber espionage operations themselves.

**KingsPawn: A Custom Spyware**

Microsoft and its partners analyzed samples of the multi-component KingsPawn, which specifically targets iOS 14. However, it's possible that some of the code also could be used on Android devices, the researchers said. It's also likely that the threat group has already updated the malware to target versions of iOS newer than 14, as the latest version of Apple's operating system software is already up to iOS 16, the researchers said.

KingsPawn is comprised of two agents — a monitor agent in the form of a native Mach-O file written in Objective-C, and the main malware agent, a native Mach-O file written in GoLang, a language favored by threat actors for its portability, among other features, the researchers said.

The monitor agent is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations, as well as manage the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes.

Within the main agent of KingsPawn is the real gravy of the spyware where all of the capabilities to track victims and steal data lies, the researchers said.

Capabilities of the main agent include: obtaining device, Wi-Fi, cellular info, searching for and retrieving files, using the camera in the background, locating where the device is, monitoring phone calls, accessing the iOS keychain for passwords, and generating an iCloud one-time password that's time sensitive to retrieve stored data.

"The agent also creates a secure channel for XPC messaging by creating a nested app extension called _fud.appex_," the researchers wrote. "XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details."

**Detection & Protection From Mobile Spyware**

Microsoft has developed unique network detections that could be used to fingerprint DEV-019's infrastructure on the Internet based on the group's heavy use of domain registrars and inexpensive cloud hosting providers that accept cryptocurrency as payment, the researchers said.

"They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses," they wrote in the post. "Many of the observed domains were deployed using free Let's Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments."

The blog post includes network-based indicators that the researchers gleaned from their investigation to help potential victims identify if they've been compromised, including domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both.

While acknowledging that preventing exploitation of mobile devices by threat actors who are exploiting zero-click vulnerabilities is difficult, there are ways to minimize the risk of mobile devices being compromised, the researchers said.

Following basic cyber hygiene and best practices to keep device software updated through automatic updates, the use of anti-malware software, and maintaining vigilance not to click on malicious links or suspicious messages can also help potential victims avoid compromise.

Researchers also suggested that if someone using an iOS device believes they may be a target of spyware, they can enable Lockdown Mode to enact advanced iOS security, thus reducing the attack surface for threat actors.

Microsoft: NSO Group-Like 'QuaDream' Actor Selling Mobile Spyware to Governments

A wide-ranging campaign to inject malicious code into WordPress-run websites has been ongoing for at least five years.

At least 1 million websites that run on WordPress have been infected by a campaign that uses rafts of WordPress plug-in and theme vulnerabilities to inject malicious code into sites, including a hefty number of zero-days.

According to research from Sucuri, the campaign, which the firm dubbed "Balada Injector," is not only prolific but also Methuselah-like in its longevity, slamming victim sites with malware since at least 2017. Once injected into the site, the bad code redirects website visitors to a panoply of scam sites, including fake tech support, fraudulent lottery wins, and push notifications asking for Captcha solutions.

Behind the scenes, though, injected scripts search for various files that could contain any sensitive or potentially useful information, such as access log files, error logs, files with debug information, database administration tools, administrator credentials, and more. They also load backdoors into the sites for persistent access and in some cases, site takeover.

While the 1 million stat is the number of sites collectively infected in the last five years, researchers only recently tied all of the activity into one operation. Going forward, the campaign shows no signs of slowing down.

"In 2022 alone, our external website scanner SiteCheck detected this malware over 141,000 times, with more than 67% of websites with blocklisted resources loading scripts from known Balada Injector domains," Sucuri researchers noted in a blog post.

**A Focus on WordPress Plug-in & Theme Vulnerabilities**

The Balada Injector campaign has a few instantly recognizable hallmarks that allowed Sucuri researchers to bring all of the observed activity under one attribution umbrella. These include uploading and leaving multiple backdoors throughout the compromised environment; using a rotating roster of domain names where malicious scripts are hosted on random subdomains; and the spammy redirects.

But perhaps most notably, the operators of Balada Injector make very good use of security vulnerabilities in WordPress plug-ins and themes. These types of modular add-ons to the main WordPress content management system (CMS) allow site admins to add various kinds of functionality, such as polling capability, message board support, or click-to-call integration for e-commerce outfits.

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible," according to the Sucuri analysis. "This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes undisclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures."

In fact, this bug-centric strategy dictates the cadence of the attacks — Sucuri has been tracking fresh waves of activity occurring every couple of weeks, with lulls in between that are "probably utilized for gathering and testing newly reported and zero-day vulnerabilities."

Further, older vulnerabilities are part of the mix as well, with some remaining in use by the campaign for months and years after being patched.

**Targeting the WordPress Ecosystem**

The WordPress landscape is a popular target for cybercriminals of all stripes, helped along by the fact that the plug-in ecosystem is notoriously buggy.

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today," says Casey Ellis, founder and CTO at the Bugcrowd bug bounty platform. "The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs."

iThemes, a firm that tracks plug-in ecosystem flaws on a weekly basis, tallied 37 newly disclosed and patched plug-in vulnerabilities (and one theme vulnerability) for the week of March 15, affecting more than 6 million WordPress sites. It also counted 27 plug-in vulnerabilities (and three theme vulnerabilities) with no patch available yet. And those significant numbers are not unusual.

In all, iThemes identified a total of 1,425 disclosed WordPress plug-in and theme vulnerabilities in 2022 — and in any given week, 20 to 50 individual plug-ins and themes experienced at least one vulnerability, with a monthly average of 121 individual plug-ins and themes that had at least one vulnerability emerge.

iThemes' report also noted that vulnerable WordPress plug-ins and themes are the No. 1 reason WordPress sites get hacked.

"WordPress definitely needs updating on a regular basis, more so if you have a website that has a lot of plug-ins and third-party code, and this is one of many examples where security ends up being just that little bit too difficult for the average user who's also trying to run a business," Ellis notes.

**Protecting Against WordPress Plug-in Insecurity**

In order to protect against Balada Injector and other WordPress threats, organizations should first and foremost ensure that all of their website software is up-to-date, remove unused plug-ins and themes, and utilize a Web application firewall.

Mike Parkin, senior technical engineer at Vulcan Cyber, explains that the ability to add plug-ins easily to WordPress from official download stores (much like the mobile app ecosystem) adds to the security issue, so education for the Web team around the dangers of installing unvetted modules is also a must.

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says.

Even large organizations aren't immune to WordPress security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team," he says. "Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work."

Tag

#zero_day