2024-11-25 13:07:39 - North Korea Deploying Fake IT Workers in China, Russia, Other Countries
The United States has reaffirmed its commitment to nurturing a prosperous, secure, and sovereign Southeast Asia, anchored by the principles of self-determination, free trade, and mutual respect. Guided by ASEAN centrality, the U.S. Department of Defense revealed a comprehensive vision aimed at enhancing regional cooperation and supporting defense capacities in the face of evolving global challenges.
This strategic initiative emphasizes the United States’ long-standing partnership with Southeast Asia, promoting stability, sovereignty, and prosperity across the Indo-Pacific.
The vision statement comes at a critical time, reflecting the U.S.’s strategic alignment with ASEAN’s principles outlined in its Outlook on the Indo-Pacific. With the 15th anniversary of the ASEAN Defense Ministers’ Meeting-Plus (ADMM-Plus) approaching in 2025, the United States seeks to further deepen its ties with ASEAN member states by building capabilities in domain awareness, cyber defense, maritime security, and defense industrial capacity.
Here’s a detailed look at the U.S. Department of Defense’s key lines of effort and its broader implications for the Southeast Asian region:
Strengthening Regional Security and Sovereignty
At the heart of the U.S. vision is the goal of empowering ASEAN nations to safeguard their sovereignty against external coercion and illegal intrusions. By supporting enhanced domain awareness and defense capabilities, the U.S. aims to enable Southeast Asian countries to detect, respond to, and deter threats across air, maritime, cyber, and information domains.
Key efforts include:
Air Domain Awareness: Improving capabilities to monitor airspace, Exclusive Economic Zones (EEZs), and Air Defense Identification Zones, ensuring sovereignty and compliance with international agreements.
Cyber Defense: Enhancing collaboration with ASEAN’s Cybersecurity and Information Centre of Excellence (ACICE) through tabletop exercises, capacity-building programs, and professional training to address regional cyber threats.
Maritime Security: Strengthening maritime operational capabilities by leveraging AI-driven technologies and unmanned systems to enhance continuous presence and regional cooperation under international law.
These initiatives align closely with ASEAN’s Outlook on the Indo-Pacific, reinforcing a rules-based order and advancing collective resilience against emerging security threats.
Strengthening Historical Ties with ASEAN
The U.S. has had a longstanding relationship with ASEAN, dating back to the inaugural ASEAN Defense Ministers’ Meeting-Plus (ADMM-Plus) in 2010. Former U.S. Defense Secretary Robert Gates’ attendance at the meeting symbolized Washington’s commitment to engaging with ASEAN nations on defense and security. Since then, every U.S. Secretary of Defense has supported the forum, emphasizing its importance in addressing shared security challenges.
As the ADMM-Plus approaches its 15th anniversary in 2025, the U.S. aims to solidify these ties further. The alignment between the U.S. Indo-Pacific Strategy and ASEAN’s own Outlook on the Indo-Pacific reinforces mutual objectives, such as promoting transparency, good governance, and adherence to international law. These shared principles serve as the foundation for the U.S.’s renewed defense cooperation strategy.
Key Investments in Regional Security
The U.S. has made significant investments in strengthening the defense capabilities of Southeast Asian nations. Key milestones include:
$17 Billion in Military Sales: Since 2005, the U.S. has delivered advanced military equipment to ASEAN member states, addressing their security needs with cutting-edge capabilities.
40 Annual Military Exercises: The U.S. conducts a range of bilateral and multilateral exercises with regional partners, involving over 30,000 personnel to enhance readiness and interoperability.
Training for Over 76,000 Defense Personnel: U.S.-sponsored professional military education programs have cultivated deep people-to-people ties and elevated the expertise of ASEAN defense officials.
$475 Million for Maritime Security: Through the Maritime Security Initiative, the U.S. has bolstered maritime operational capabilities for seven ASEAN nations, ensuring a common operating picture in regional waters.
These efforts demonstrate a strong commitment to empowering Southeast Asia to address emerging challenges independently while fostering collaboration with the U.S. and other allies.
Strategic Lines of Effort
To advance regional security, the U.S. has outlined six primary focus areas:
1. Domain Awareness and Defense
The U.S. is working to enhance regional capacity in the air, maritime, and cyberspace domains. Specific initiatives include:
Airspace Surveillance: Upgrading capabilities to monitor sovereign airspace and Exclusive Economic Zones (EEZs).
Cybersecurity: Partnering with Singapore’s ADMM Cybersecurity and Information Centre of Excellence to address capacity gaps and train cybersecurity professionals.
Maritime Operations: Leveraging AI and unmanned systems to enhance maritime domain awareness and protect regional waters.
2. Joint Exercises
The U.S. will expand its annual exercises, including Balikatan, Cobra Gold, and Super Garuda Shield, to improve partner readiness and interoperability. Plans are underway for a second ASEAN-U.S. maritime exercise in 2025, further cementing multilateral cooperation.
3. Education and Training
Programs like the Emerging Defense Leaders’ Program and longstanding International Military Education and Training (IMET) courses will continue to nurture the next generation of Southeast Asian defense professionals. The State Partnership Program also fosters enduring relationships between U.S. states and ASEAN nations.
4. Defense Industrial Capacity Building
The U.S. aims to support the region’s defense industrial growth through academic collaborations, science and technology demonstrations, and investment opportunities. These efforts seek to create a more integrated defense ecosystem, fostering resilience and innovation.
5. Institutional Capacity Building
Through initiatives like the ADMM-Plus Expert Working Groups (EWGs), the U.S. supports ASEAN’s institutional growth. Recent efforts include co-chairing the Military Medicine EWG alongside Indonesia, with a focus on Women, Peace, and Security principles.
6. Climate Resilience
The U.S. will collaborate with ASEAN nations to address the impacts of climate change on defense readiness. Workshops and technical demonstrations will provide member states with tools to enhance resilience and mitigate climate-related risks.
The Timor-Leste Factor
The U.S. supports ASEAN’s decision to admit Timor-Leste as its eleventh member and is committed to including the nation in its defense capacity-building initiatives. Assistance programs will focus on helping Timor-Leste meet accession milestones and integrate seamlessly into ASEAN’s security framework.
Challenges and Strategic Implications
The U.S.’s enhanced engagement in Southeast Asia comes against the backdrop of intensifying competition with China. By investing in defense capabilities, the U.S. seeks to counter coercive actions and illegal intrusions, particularly in contested maritime zones like the South China Sea. Additionally, the emphasis on cybersecurity reflects growing concerns over state-sponsored cyberattacks in the region.
However, the success of these initiatives hinges on ASEAN’s ability to maintain unity and speak with a collective voice on key issues. The U.S. vision aligns closely with ASEAN’s Outlook on the Indo-Pacific, but implementing these programs will require careful navigation of regional sensitivities and power dynamics.
Conclusion
The U.S. Department of Defense’s vision for Southeast Asia represents a strategic blend of historical ties, vigorous investments, and a forward-looking approach to regional security. By prioritizing sovereignty, transparency, and mutual respect, the U.S. aims to empower ASEAN nations to address shared challenges while fostering a stable and prosperous Indo-Pacific.
As the U.S. deepens its partnerships with ASEAN, its success will be measured not only in terms of defense capacity but also in its ability to uphold a rules-based international order that benefits the broader region.
2024-11-25 13:07:28 - ASEAN at the Forefront: U.S. Outlines New Defense Vision for Regional Stability
Cyble Research and Intelligence Labs (CRIL) analyzed 25 vulnerabilities between November 13 and November 19, 2024, identifying several high-priority threats that security teams must address. This blog also highlights 10 exploit discussions on underground forums, increasing the urgency to patch.
Key vulnerabilities include issues in Apple’s macOS, VMware vCenter, and Zyxel devices, with observed exploitation activity. Apple’s zero-day vulnerabilities (CVE-2024-44308 and CVE-2024-44309) and VMware’s critical vulnerabilities (CVE-2024-38812 and CVE-2024-38813) have particularly raised concerns among cybersecurity experts.
Additionally, researchers observed active discussions of proof-of-concept (PoC) exploits for D-Link, Fortinet, and Palo Alto Networks products on dark web forums, raising the likelihood of broader exploitation.
Below are the critical vulnerabilities and exploit highlights.
Top IT Vulnerabilities
Cyble researchers emphasized these vulnerabilities as high-priority fixes:
CVE-2024-44308, CVE-2024-44309: Two zero-day vulnerabilities in Apple’s macOS systems affecting WebKit and JavaScriptCore components. These flaws allow remote code execution and cross-site scripting (XSS). Apple has released emergency patches for macOS, Safari, and iOS to address these vulnerabilities.
CVE-2024-38812, CVE-2024-38813: Critical vulnerabilities in VMware’s vCenter Server. CVE-2024-38812 enables remote code execution, while CVE-2024-38813 allows privilege escalation. Attackers have actively exploited these vulnerabilities in the wild, targeting corporate environments.
CVE-2024-42057: A command injection vulnerability in Zyxel’s IPSec VPN feature. Unauthenticated attackers can execute OS commands on vulnerable devices. Researchers linked this flaw to the Helldown ransomware group, which uses it to infiltrate networks.
CVE-2024-10914: A critical command injection vulnerability in legacy D-Link NAS devices. Exploiting the cgi_user_add function in the account_mgr.cgi script allows attackers to execute OS commands remotely. Over 61,000 vulnerable devices were identified online.
CVE-2024-48990, CVE-2024-48991, CVE-2024-48992: Privilege escalation vulnerabilities in the “needrestart” package for Ubuntu systems. Local attackers can gain root privileges on vulnerable installations. While these vulnerabilities are less likely to be exploited remotely, they pose significant risks in shared environments.
CVE-2024-11120: A command injection vulnerability affecting EOL GeoVision devices. Exploited by botnets, attackers use this flaw to conduct DDoS attacks and cryptomining.
Dark Web and Underground Exploit Activity
Cyble’s research uncovered multiple exploit discussions and PoCs shared on underground forums and Telegram channels:
Fortinet FortiManager (CVE-2024-47575): Known as “FortiJump,” this vulnerability allows unauthenticated remote attackers to execute arbitrary commands. Threat actors have weaponized this exploit for lateral movement in corporate environments.
D-Link NAS Devices (CVE-2024-10914): Threat actors shared exploit details enabling command injection via the account_mgr.cgi script. Researchers detected over 61,000 exposed devices, emphasizing the urgency of mitigation.
Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9464): Exploits for these vulnerabilities allow attackers to gain administrator privileges or execute OS commands with root access. Discussions on underground forums highlight chaining techniques for broader attacks.
Microsoft Exchange Server (CVE-2021-34470): Despite being disclosed in 2023, this privilege escalation vulnerability remains a target in cybercrime forums, with fresh PoCs surfacing.
Zero-Day Windows Exploit: A threat actor named “IOWA” offered a Local Privilege Escalation (LPE) vulnerability for Microsoft Windows and Windows Server. The asking price ranged from $200,000 to $400,000, reflecting its critical nature.
Cyble’s Recommendations
To address these vulnerabilities and mitigate potential risks, CRIL recommends the following steps:
Apply Patches: Regularly update all software and hardware systems with vendor-provided patches. Prioritize critical vulnerabilities like Apple’s zero-days, VMware vCenter flaws, and Zyxel command injection vulnerabilities.
Implement Patch Management: Develop a comprehensive strategy that includes testing and deploying patches promptly. Automate where possible to ensure consistency.
Network Segmentation: Isolate critical assets using VLANs, firewalls, and access controls to minimize exposure.
Monitor for Suspicious Activity: Use SIEM solutions to detect abnormal behavior. Analyze logs for signs of exploitation, particularly for internet-facing services.
Conduct Regular Assessments: Perform vulnerability assessments and penetration testing to identify weaknesses. Complement these efforts with security audits to ensure compliance.
Enhance Visibility: Maintain an inventory of internal and external assets. Use asset management tools to ensure comprehensive monitoring.
The vulnerabilities discussed in this report call for improved and robust cybersecurity practices. With active exploitation of critical flaws like Apple’s zero-days and VMware’s vCenter vulnerabilities, organizations must act swiftly to patch, monitor, and secure their environments. Proactive measures are essential to mitigate risks and protect sensitive systems from escalating cyber threats.
2024-11-25 13:07:27 - Weekly IT Vulnerability Report: Critical Exploits Highlighted in This Week’s Analysis
ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems.
Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:
This research project was also presented at both HITCON and Hexacon. A recording of the latter’s presentation is embedded at the end of this article.
What is ClipSp?
ClipSp is a first-party driver on Microsoft Windows 10 and 11 that is responsible for implementing licensing features and system policies, and as such it is one of the main components of the Client Licensing Platform (CLiP). Little is known about this driver; while most Microsoft drivers and DLLs have publicly available debug symbols, in the case of ClipSp, those were removed from Microsoft’s symbol server. Debug symbols provide function names and other related debug information that security researchers can leverage to infer the intent behind the many functions of a binary; their absence hinders that. Surprisingly, the driver is also obfuscated, a very rare occurrence in Microsoft binaries, likely to deter reverse engineering even further. Limited public research exists, much of which either predates our findings or was released in response to our reports. The latter research also shares symbols from an older version of ClipSp, which could be a useful springboard for anyone wanting to research this driver. The most interesting aspect of this software involves implementing features related to licensing Windows applications from the Windows App store and activation services for Windows itself.
Deobfuscation
The driver is obfuscated with Warbird, which is Microsoft’s proprietary obfuscator. Luckily, past research comes in handy, and we can adapt it to suit our needs. The plan to deobfuscate the driver is to leverage the binary emulation framework Qiling to emulate the part of the driver responsible for deobfuscating the obfuscated sections, and then dump the executable memory range to import it into our favorite reversing tool.
During normal operation, the obfuscation appears as follows:
We can see that a decrypt function is called twice with different parameters, followed by a call to the actual function being deobfuscated and, finally, two calls to re-obfuscate the relevant section.
Using IDAPython, we can track all the references to the decrypt functions (there are actually two distinct functions), and recover their arguments by looking at the instructions that precede the function call where the RCX and RDX registers are being assigned. Per the calling convention, these two registers hold the first and second arguments of the function. Then, we can feed this information to our modified Qiling script to emulate the decryption functions and dump the whole deobfuscated binary. Once the driver is deobfuscated, we can start reversing it to understand how Windows communicates with the driver, understand various business logic elements, and look for vulnerabilities.
Driver communication
Usually, drivers either register a device that can be reached from userland or export the functions that are meant to be used by other drivers. In the ClipSp case, things behave slightly differently. The driver exports a “ClipSpInitialize” function that takes a pointer to an array of callback functions that get populated by ClipSp, to then be used by the calling driver to invoke ClipSp functionalities. Grepping for “ClipSpInitialize” throughout the System32 folder shows that the best candidate for using ClipSp is “ntoskrnl.exe”, followed by a handful of filesystem drivers that use a limited amount of ClipSp functions. For the rest of this report, we will focus on how “ntoskrnl” interacts with ClipSp.
Analyzing the cross-references within the Windows kernel to ClipSp functions, it becomes clear that, to interact with them, a call to “NtQuerySystemInformation” with the SystemPolicy class is required. Other binaries in the CLiP ecosystem will issue these system calls, while also providing a remote procedure call (RPC) interface to decouple other software from the undocumented API. However, nothing stops us from interacting with the “NtQuerySystemInformation” endpoint directly, which becomes a handy trick to bypass some of the additional checks that are enforced by the intended RPC client library.
Obfuscated structures
Unfortunately for us, looking at how a legitimate binary interacts with the SystemPolicy class, we can see the following (from wlidsvc!DeviceLicenseFunctions::SignHashWithDeviceKey):
This is another layer of obfuscation that encapsulates the data passed over to the API. The idea here is that a network of binary transformations (also known as a Feistel cipher) is used to encrypt the data with the various operations inline in the code (as seen above). Part of the API call will provide the list of operations that were used, and the kernel will call them directly with the appropriate parameters to decrypt the data. As such, the easier approach to dealing with this is to simply rip out both the encryption code and the associated parameters and re-use them in our own invocation of the API. Copying and pasting the decompiler’s output into Visual Studio is a little tedious but usually works fine. Before returning from the syscall, the resulting data is obfuscated in a similar fashion, and, once again, ripping out the data from a working implementation is the most straightforward way to deal with it. Overall, the data format looks as such:
The inner payload (left) is an array of size-value entries that contain the command number that needs to be executed, followed by the Warbird material used to encrypt the reply from the kernel, and finally command-specific data that depends on which ClipSp function is being invoked.
This data is then encapsulated into a structure that mostly specifies the number of entries in the provided array, and the whole thing then gets encrypted. The remaining Warbird data in the right-most part of the diagram instructs the kernel how to decrypt the provided data.
Here’s our best guess at the various available commands:
Most of them call into ClipSp, but a few (especially in the <100 range) may be solely handled by the Windows kernel.
Sandbox considerations
Microsoft provides a tool to test if a piece of code can be run within a low-privilege context called a Less Privileged Application Container (LPAC) sandbox. Using this with our proof of concept, we can confirm that ClipSp’s APIs are actually reachable from an LPAC context. This is particularly interesting as these application containers are usually used to sandbox high-risk targets, such as parsers and browser rendering processes. As such, any elevation of privilege vulnerabilities we could find would likely double as sandbox escapes as well.
Processing licenses
Throughout the reversing process, we observed that the license files handled by ClipSp were quite interesting. They are usually obtained silently from Microsoft when interacting with UWP applications (both coming from the App Store and those installed by default, such as Notepad). They can also be used for other purposes, such as Windows activation, hardware binding, and generally providing cryptographic material for various applications.
At first, license files appear to be opaque blobs of data that are installed via the “SpUpdateLicense” command. This can be invoked following the process described above with the command “_id = 100”. Existing licenses are stored in the Windows registry at the following location:
Only the SYSTEM user can access this registry key. From an elevated prompt, the following command can open regedit as SYSTEM:
PsExec64.exe -s -i regedit
The format for these licenses is mostly undocumented, but looking at how they are being parsed is pretty informative. These licenses are in a tag-length-value (TLV) format, where the list of authorized tags is contained in an array of tuples of the form (tag, internal_index) hardcoded inside ClipSp. Upon parsing, a pointer to each valid TLV entry is stored in an array at the location indicated by the internal_index:
Licenses are signed by various signing authorities whose public keys are hardcoded in ClipSp. Verification code looks as such:
The “entry_of_type_24” value is a pointer saved during the parsing of the license and points to its signature. The difference between “entry_of_type_24” and “License_data” is pointer arithmetic used to count the number of bytes from the beginning of the license blob up to its signature.
During the parsing, this looks as such:
If the internal index associated with the entry’s tag is 24, then the processing loop is temporarily exited. A pointer to the signature is saved, and if more data remains, the license processing is resumed.
We can see that this approach is flawed: if there is data after the license’s signature, it will still be parsed but not checked against the signature, effectively enabling an attacker to bypass the signature check of any license as long as they can get one that is already signed with the proper signing authority.
We can cross reference where the license structure and its array of pointers to the TLV data is being used, and what we find is many wrapper functions that return either the length/size of a given entry or the data associated with it. In most cases, this is done in a secure fashion, but there are a few entries that make assumptions on the size of the data provided in the license blob, which leads to a handful of out-of-bound read vulnerabilities. An example of such vulnerabilities can be seen in the following screenshots:
These two functions retrieve either the size of the DeviceID field or its content. However, if the data is formatted in such a way that line 11 is reached (i.e., no entry of type 5 in the license provided), then the data field of entry 18 is used to provide both size and value by dereferencing its pointer, without checking whether enough data was provided for that. For instance, if we append a DeviceID entry (type 18) at the end of a valid license blob, but make it so its data field is only one byte long, then the “get_DeviceIDSize” function will read one byte out of bounds, as it is expecting two bytes of data. Furthermore, any function that calls “get_DeviceID” will receive a pointer that points one byte past the end of the license file and will likely act on wrong information from the “get_DeviceIDSize” function, leading to further out-of-bounds (OOB) read problems.
If we look specifically at the case described above where the DeviceIdSize field can be read out of bound, this creates a particularly interesting situation where the expected size of the DeviceID object can change throughout its lifetime if the data immediately adjacent in memory changes in a meaningful way. The first byte of data after the license blob will also be read as the leading byte of the (unsigned short) value defining the size of the DeviceID. Looking at how these two functions are used in ClipSp, we can see that during the installation of a hardware license, the following happens:
We can see multiple calls to the “get_DeviceIDSize” function, with one providing the size field to a memory allocation routine, while another call is used as a parameter to a “memcpy”. If the size field changes in between the two calls, this may lead to an out-of-bounds write vulnerability.
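The two parsing defects described above (entries after the signature being parsed but not signed, and a DeviceID size field read without checking the entry length, then fetched twice) can be modelled in a small TLV parser. The code below is an added example, not Talos’ code or ClipSp’s; the 1-byte tag / 2-byte length encoding, the use of the tag as the table index, the tag numbers 24 and 18, and the sample blobs are all constructed assumptions. The `strict` flag switches between the flawed loop the page describes and a parser that refuses anything the signature does not cover; the DeviceID accessor bounds-checks the entry and is fetched once so the allocation size and the copy size cannot diverge.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed for this example: ClipSp's real (tag, internal_index) table is
 * hardcoded in the driver and not reproduced on the page. */
#define TAG_SIGNATURE 24
#define TAG_DEVICE_ID 18
#define MAX_INDEX     32

typedef struct { const uint8_t *data; size_t len; } tlv_entry;

typedef struct {
    tlv_entry entries[MAX_INDEX]; /* one pointer per entry, as the page describes */
    size_t signed_len;            /* bytes from blob start up to the signature entry */
    int    has_signature;
} license;

#define PARSE_OK          0
#define PARSE_MALFORMED  -1
#define PARSE_TRAILING   -2   /* bytes after the signature: parsed but never signed */
#define PARSE_UNSIGNED   -3

/* strict == 0 mimics the flawed loop: on the signature entry the pointer is
 * saved and parsing simply resumes if bytes remain. strict == 1 rejects any
 * bytes that the signature does not cover. */
int parse_license(const uint8_t *blob, size_t n, license *lic, int strict)
{
    size_t off = 0;
    memset(lic, 0, sizeof *lic);
    while (off < n) {
        if (n - off < 3) return PARSE_MALFORMED;               /* truncated header */
        uint8_t tag = blob[off];
        size_t len = (size_t)blob[off + 1] | ((size_t)blob[off + 2] << 8);
        if (tag >= MAX_INDEX) return PARSE_MALFORMED;
        if (len > n - off - 3) return PARSE_MALFORMED;          /* value overruns blob */
        lic->entries[tag].data = blob + off + 3;
        lic->entries[tag].len  = len;
        off += 3 + len;
        if (tag == TAG_SIGNATURE) {
            lic->has_signature = 1;
            lic->signed_len = off - 3 - len;   /* everything before the signature */
            if (strict && off != n) return PARSE_TRAILING;
        }
    }
    return lic->has_signature ? PARSE_OK : PARSE_UNSIGNED;
}

/* DeviceID value layout assumed from the page: a 2-byte size, then that many
 * bytes. The flawed accessor read the size without checking the entry length. */
int get_device_id_size(const license *lic, uint16_t *size_out)
{
    const tlv_entry *e = &lic->entries[TAG_DEVICE_ID];
    if (e->data == NULL || e->len < 2) return -1;               /* size field would be OOB */
    uint16_t size = (uint16_t)(e->data[0] | (e->data[1] << 8));
    if ((size_t)size > e->len - 2) return -1;                   /* declared size exceeds entry */
    *size_out = size;
    return 0;
}

/* Single fetch: the same size value bounds both the buffer and the memcpy, so a
 * change in adjacent memory between two reads cannot turn into an OOB write. */
int copy_device_id(const license *lic, uint8_t *out, size_t out_cap)
{
    uint16_t size;
    if (get_device_id_size(lic, &size) != 0 || size > out_cap) return -1;
    memcpy(out, lic->entries[TAG_DEVICE_ID].data + 2, size);
    return (int)size;
}

/* Constructed sample blobs (not real ClipSp licenses). */
static const uint8_t kGoodBlob[] = {
    TAG_DEVICE_ID, 5, 0,  3, 0, 'A', 'B', 'C',      /* DeviceID: size 3, "ABC" */
    TAG_SIGNATURE, 4, 0,  0xDE, 0xAD, 0xBE, 0xEF,   /* placeholder signature bytes */
};
static const uint8_t kTamperedBlob[] = {
    7, 2, 0,  0x01, 0x02,                           /* some signed entry */
    TAG_SIGNATURE, 4, 0,  0xDE, 0xAD, 0xBE, 0xEF,
    TAG_DEVICE_ID, 1, 0,  0xFF,                     /* appended after the signature, one
                                                       byte where two are expected */
};

/* Returns 1 when the flawed loop accepts the tampered blob yet the checked
 * accessor refuses the short DeviceID entry. */
int demo_lenient_accepts_tampered(void)
{
    license lic; uint16_t sz;
    if (parse_license(kTamperedBlob, sizeof kTamperedBlob, &lic, 0) != PARSE_OK) return 0;
    if (lic.entries[TAG_DEVICE_ID].len != 1) return 0;          /* trailing entry was stored */
    return get_device_id_size(&lic, &sz) == -1;
}

int demo_strict_rejects_tampered(void)
{
    license lic;
    return parse_license(kTamperedBlob, sizeof kTamperedBlob, &lic, 1) == PARSE_TRAILING;
}

/* Returns the number of DeviceID bytes copied from the well-formed blob (3). */
int demo_good_copy(void)
{
    license lic; uint8_t buf[64];
    if (parse_license(kGoodBlob, sizeof kGoodBlob, &lic, 1) != PARSE_OK) return -1;
    if (lic.signed_len != 8) return -1;
    return copy_device_id(&lic, buf, sizeof buf);
}

int main(void)
{
    printf("lenient parser accepts tampered blob: %d\n", demo_lenient_accepts_tampered());
    printf("strict parser rejects tampered blob:  %d\n", demo_strict_rejects_tampered());
    printf("DeviceID bytes copied from good blob: %d\n", demo_good_copy());
    return 0;
}
```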
Exploiting a vulnerability like this is far from trivial, as one would have to win a race condition between the two fetches while being able to shape the PagedPool heap in such a way that there’s meaningful data located right after the malicious license blob.
Conclusion
As we have just seen, obfuscated code can hide low-hanging fruit, trivial memory corruptions, and simple logic bugs. In the case of ClipSp, the issue is even more serious, as this attack vector may lead to sandbox escapes and potentially significant impact on the compromised user.
As such, this is a reminder for security researchers on the value of taking the less traveled path, even if it begins with a bramble of Feistel functions. And for the software engineers and project managers who decide to leverage obfuscation for their projects, this is also a stark reminder that this approach may hinder normal bug finding processes that would detect trivial bugs early on.
2024-11-25 13:07:27 - Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform
We hear terms like “state-sponsored attacks” and “critical vulnerabilities” all the time, but what’s really going on behind those words? This week’s cybersecurity news isn’t just about hackers and headlines—it’s about how digital risks shape our lives in ways we might not even realize.
For instance, telecom networks being breached isn’t just about stolen data—it’s about power. Hackers are
2024-11-25 12:08:05 - THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 18 – Nov 24)
2024-11-25 11:07:22 - Microlise Confirms Data Breach as Ransomware Group Steps Forward
Black Friday 2024 at ANY.RUN is here! As always, we’ve prepared time-limited deals to not only help you save on our tools but also improve collaboration with your colleagues.
Here’s what we have in store for you this time.
Hunter Plan: Two Subscriptions for the Price of One
Hunter plan is designed for individual users, but it doesn’t mean you have to go it alone. Buy an annual Hunter subscription this Black Friday and receive a complimentary one-year Hunter license for your colleague.
It is perfect for two researchers who want to minimize their expenses on quality malware analysis and get access to our sandbox’s PRO features for the price of just one license.
For security teams, the special Enterprise license bundles offer unbeatable value.
You can buy 5 Enterprise licenses and receive 2 additional ones for free. Go for 10 licenses, and we’ll give you 3 extra ones plus a complimentary Threat Intelligence Lookup basic plan as a gift.
Special offer for current Enterprise users: If you decide to renew your Enterprise subscription for 24 months, we will also provide you with 6 additional months of free service.
We understand that every team has unique needs, so individual packages are also available. Please reach out to us via the Contact Us page to discuss your custom offer and ensure you get the perfect solution for your team.
If you’re a user of ANY.RUN’s TI Lookup or just want to purchase its subscription for the first time, we have great news.
By buying a TI Lookup plan for 100/500/5,000 or more requests, we’ll double your available search requests. So, if you get a subscription with 100/500/5,000 requests/mo, you will receive a total of 200/1,000/10,000 monthly requests.
Receive x2 search requests for your TI Lookup subscription
Our Black Friday special offers kick off on November 25th at 01:00 AM PST (UTC-8) and will run until December 8th, 2024, at 11:59 PM PST (UTC-8). Don’t wait – secure your deal today.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system.
“This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda,” Trellix
Russian cyberspy group APT28 conducted a Nearest Neighbor Attack, where it hacked into the building across the street from the victim for a Wi-Fi attack.
2024-11-25 10:10:07 - Russian Cyberspies Hacked Building Across Street From Target for Wi-Fi Attack
In the run-up to any holiday season, scammers get busy. A lot of the time, their actions are rather primitive. Getting ready for Christmas? Expect to be bombarded with fake discounts. Valentine’s Day round the corner? Watch out for fake gifts. Big soccer tournament coming up? There’ll be no shortage of fake tickets.
But the greatest amount of fake stuff appears the week before Black Friday, the day after US Thanksgiving that marks the start of the Christmas period, which is a global sales bonanza for retailers peddling anything from soap to smart TVs — and for scammers too. Today, in the countdown to Black Friday, we look at the latest cybercriminal tricks and ways to counter them.
Discounts! Discounts? Discounts…
Every year in late November, this word experiences a popularity spike. And the craze for low prices plays right into the hands of scammers, whose emails, coupons and phishing links merge with the mass of genuine offers.
Let’s look at an example: Walmart — the world’s largest wholesale and retail chain — appears to be offering customers a $750 gift card:
Follow just four simple steps to (not) get a gift card
It’s pretty easy to spot the scam here:
For a start, $750 is a tidy sum. Ever seen a store offering that much before?
To claim your card, you first have to enter your email address and “Basic Info”. It’s effectively the legal purchase of personal data — but at an astronomical price. Would Walmart really be doing that? Hardly.
And what’s this third point about completing the recommended deal? To get a gift card, you also have to pay? That’s an obvious red flag. You’re definitely dealing with scammers.
At the very least, the cybercriminals will get the victim’s name and postal address (the goods need to be delivered somewhere, right?), bank card details, plus the money forked out to complete the recommended deal. It’s doubly distressing for the victim: they leak their own data and lament the $750 that never was; they may even blame Walmart itself.
Scammers are human too and understand how much we all love a freebie. And that makes Black Friday the perfect time for another popular scam: fake giveaways. The prizes are goods that everyone wants. For example, a snazzy iPhone 14. Seems like the scammers here aren’t aware that iPhones 15 and 16 are already with us, as is reliable protection for their owners.
A telltale sign of fraud is a countdown clock next to a pressing call to action
Let’s take a closer look at the screenshot. The cybercriminals, lurking behind a big brand — Amazon — tempt the victim with a whiff of exclusivity (“We are offering great prizes to 10 users”), prompting them to answer four simple questions before the clock ticks down. It might look plausible at first glance, but the catch is always the same: the recipient of the “exclusive” offer must act quickly or risk missing out.
As you’ve already guessed, there’s no iPhone 14 to speak of: the scammers simply scrape what personal data they can and may even ask for some kind of payment via a phishing link. As a result, the victim hands over their personal data and bank details, putting their finances at great risk. Read more about Black Friday scams in our Securelist blogpost.
Black Friday for scammers
If you think that no one needs your data or it’s been leaked before (and not just once), this story is for you. Our experts have found lots of ads selling personal data at a discount on the dark web. It’s an effective scheme (for the scammers): they email out bulk phishing in advance, harvest victims’ data, then sell it at a discount to other scammers at the end of November. Black Friday for everyone!
Scammers are happy to give other scammers a 10% discount
All the data is sorted by country and product type: above we see a set of Canadians’ stored-value cards and Italians’ debit cards up for grabs. Admit it, you don’t really want your bank details to be part of a special offer for carders on the dark web.
How to save your finances on Black Friday
First of all, we advise taking extra special care during the sales season: carefully read giveaway terms and conditions, check the details with the organizers (not by using the link or phone number in the email, but by visiting the official website) and stay informed of all the latest scams and tricks by following our Kaspersky Daily blog.
We understand that navigating the saturated information flow is tough when you’re being assailed on all sides by promotions, “exclusive” offers and discounts. That’s why we offer a straightforward solution: put your trust in automation.
The Kaspersky app has a Safe Money feature that shows the current level of protection of your finances — now for Android users, too.
Safe Money in Kaspersky for Android
For unbeatable security, we recommend enabling all protection components on the app’s home screen:
Safe Browsing. Blocks dangerous websites and checks all links before opening them for you, giving scammers no opportunity to lure you to a phishing site. Remember that Safe Browsing only works in three supported browsers: Google Chrome, Mozilla Firefox, and Yandex Browser.
Safe Messaging. Checks for phishing links in all texts and instant messages you receive.
Weak Settings Scan. Detects vulnerabilities in your phone settings and tells you how to improve your smartphone security.
VPN. Protects online payments and prevents your data from being intercepted when using public Wi-Fi.
Wi-Fi Security Check. Checks every Wi-Fi network you connect to and notifies you of any potential danger.
This combination of security features protects you and your finances from the vast majority of scams on Black Friday and beyond. For example, Safe Browsing will stop you from following a phishing link to a scam site to “claim your $750 gift card”; while Safe Messaging will keep cybercriminals at bay in Telegram and other messengers.
Black Friday 2024: how to safeguard your finances against scammers | Kaspersky official blog (2024-11-25)