I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.  

That’s because the White House announced a new initiative last week for the U.S. government called the “Service for America” initiative designed to train new workers in the cybersecurity field. This measure directs U.S. federal agencies to help recruit and prepare Americans for jobs in cybersecurity and AI by removing certain degree requirements and emphasizing skills-based hiring. This means, hopefully, more educational resources for people looking to break into cybersecurity. 

On its face, I’m all in favor of this. I did eventually go back to school to get my associate’s degree in cybersecurity, but much of what I’ve learned about this field has been from working at Talos and spending time around my talented and intelligent colleagues, many of whom did not go to college for cybersecurity.  

The U.S. government also has separate initiatives to support neurodivergent candidates who want to work in security, as well as those who are blind and visually impaired. 

My concern is that, even if we do train these employees and give them the proper skills, it’s on companies to eventually hire them.  

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. Yet hiring in the industry has remained flat, according to a soon-to-be-released report from cybersecurity non-profit ISC2. This year, the global security workforce is estimated to be 5.5 million, which is only a 0.1 percent increase year over year, according to the report. 

Among the more than 15,000 cybersecurity practitioners from around the globe who responded to the study, 38 percent of respondents said their organizations had experienced a cybersecurity hiring freeze over the past year, up 8 percent from 2023. Thirty-seven percent of respondents reported budget cuts to the security program, and another 25 percent said their teams had experienced layoffs.  

That same CyberSeek report also found that, in the U.S., the amount of cybersecurity-related job postings decreased by 29 percent year-over-year. 

So as these skills gap-closing programs begin, we need to be thinking about what skills, exactly, managers want their workers to be trained in. There is obviously some sort of disconnect here between the people who want to work in security compared to the companies or managers who want to hire them. Or there just simply isn’t enough money to go around right now to handle staffing up cybersecurity teams, and that’s just the reality of the current economy in the U.S. and globally.  

I’m not saying this to discourage anyone from entering the security space or spread doom and gloom. But I do think it’s important to acknowledge that there are many already skilled and trained workers who simply cannot find work or are treading water throwing dozens of applications at the wall to see what sticks. 

I’ve seen too many people posting on LinkedIn recently looking for a cybersecurity job to think that the solution to bolstering security is getting *another* worker in with the same skillset to compete for the same job opening as someone who’s been in the industry for 10 years. 

The one big thing 

Talos recently uncovered a new threat called “DragonRank” that primarily targets countries in Asia — and a few in Europe — operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion. 

Why do I care? 

This group compromises Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users. DragonRank engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website’s ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company’s online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. The actor then takes these compromised websites and promotes them, effectively turning these sites into platforms for scam operations. 

So now what? 

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malware used in these attacks. Talos has confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign, so it’s clearly still active and potentially growing. 

Top security headlines of the week 

A new type of attack called “RAMBO” could allow adversaries to steal data over air-gapped networks with RAM radio signals. An Israeli academic researcher recently announced the discovery of RAMBO (Radiation of Air-gapped Memory Bus for Offense), in which an attacker could generate electromagnetic radiation from a device’s RAM to send data from air-gapped computers. Air-gapped systems are otherwise offline networks that are extremely isolated, often used in critical environments like government agencies, weapons systems and nuclear power stations. While RAMBO does not pose a threat for any hacker with access to the internet, it could open the door for insider threats with access to the network to deploy malware through physical media like USB drives or supply chain attacks. RAMBO could allow attackers to seal encoded files, encryption keys, images, keystrokes and biometric information from these systems at a rate of 1,000 bits per second. Researchers conducted tests into these types of attacks over distances of up to 23 feet. A technical paper published on the topic includes several potential mitigations, including RAM jamming, external EM jamming and Faraday enclosures around potentially targeted systems. (Bleeping Computer, SecurityWeek) 

Commercial spyware makers are still finding ways to bypass government sanctions and, in some cases, have made their tools harder to detect. A new report from the Atlantic Council found that “Most available evidence suggests that spyware sales are a present reality and likely to continue.” The report specifically highlights increased activity from Intellexa and the NSO Group, two companies known for creating and selling spyware tools that have been targeted over the past few years by international sanctions. These companies, and specifically Intellexa, have found ways to work around sanctions by restructuring their businesses with subsidiaries, partners and other relationships spread across multiple geographic areas. Intellexa is known for creating the Predator spyware, while the NSO Group is infamous for the Pegasus spyware. Both pieces of software often target high-risk individuals, sometimes by governments, such as journalists, politicians and activists. Security researchers also recently found that Intellexa has established new infrastructure in the Democratic Republic of the Congo and Angola, making “it more difficult for researchers and cybersecurity defenders to track the spread of Predator.” (Dark Reading, The Register) 

Several Western intelligence agencies have formally charged the Russian GRU for carrying out cyber attacks against Ukraine designed to disrupt aid efforts. Government agencies in the U.S., U.K. and several other countries blamed Unit 29155, which has been linked to past espionage campaigns, with targeting government and civilian agencies and civil society organizations in Western Europe, the EU and NATO after Russia invaded Ukraine in 2022. Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration. They also formally blamed Unit 29155 for the WhisperGate campaign, a coordinated attack on Ukrainian government agencies in January 2022 that seemed to set the stage for a physical ground invasion. The announcement stated that WhisperGate has since been used to “scout and disrupt” aid deliveries to Ukraine. When Talos first reported on WhisperGate in 2022, our researchers stated that “attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.” (Reuters, BBC) 

Can’t get enough Talos? 

The 2024 Threat Landscape State of Play Vulnerability in Tencent WeChat custom browser could lead to remote code execution Watch our new documentary, “The Light We Keep: A Project PowerUp Story” Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score 

Upcoming events where you can find Talos 

LABScon (Sept. 18 – 21)  

Scottsdale, Arizona 

VB2024 (Oct. 2 – 4) 

Dublin, Ireland 

MITRE ATT&CKcon 5.0 (Oct. 22 – 23) 

McLean, Virginia and Virtual

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: RF.Talos.80 

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66 
MD5: 8b84d61bf3ffec822e2daf4a3665308c 
Typical Filename: RemComSvc.exe 
Claimed Product: N/A 
Detection Name: W32.3A2EA65FAE-95.SBX.TG 

SHA 256: 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c 
MD5: fab8aabfdabe44c9a1ffa779fda207db 
Typical Filename: ACenter.exe 
Claimed Product: Aranda AGENT 
Detection Name: Win.Trojan.Generic::tg.talos  

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 
MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 
Typical Filename: bbcf7a68f4164a9f5f5cb2d9f30d9790.vir 
Claimed Product: N/A 
Detection Name: Win.Dropper.Scar::1201 

SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf 
MD5: 2cfc15cb15acc1ff2b2da65c790d7551 
Typical Filename: rcx4d83.tmp 
Claimed Product: N/A   
Detection Name: Win.Dropper.Pykspa::tpd 

Cisco Talos Blog – ​Read More

What would prompt someone to sign in to their work email account on the spot? That’s right, a warning about a hack. The first impulse of a responsible employee who receives such a security alert is to find out what happened, change their password, and maybe even notify others who may have been affected. But that knee-jerk reaction is in fact a reason NOT to act immediately, but rather take a deep breath and triple-check everything. Here’s why.

Phishing email

The email that kicks off this phishing attack we recently encountered pretends to be a notification from Office 365, and it does a pretty good job.

Sure, perfect it ain’t: the Microsoft logo is too big and looks odd without the company name; notifications of this kind usually have the Office 365 logo; and the alert itself is a bit muddled. In the second line, for example, it mentions that someone created a “forwarding/redirect rule”, but the “Details” line specifies that this alert was triggered because someone gained “access to read your user’s email”. These details will stand out to the user who gets a lot of Office 365 notifications – but most users don’t.

What should really catch even the untrained eye is the sender’s address. Genuine Office 365 notifications signed “The Office 365 Team” come from, yes, Microsoft’s email servers, not from an administrator on an unrelated domain.

The “Severity” line also looks odd: “Informational” notifications usually don’t require any user action.

DIY redirect

Concerned recipients scared into clicking the “View alert details” link are taken to a page that mimics a broken redirect.

In fact, a cursory check of the browser address bar, or even the name of the tab, clearly shows that this page is hosted in the Google Docs cloud. To be precise, it’s a single-slide presentation with a link. The purpose behind it is that the initial phishing email contains only a link to docs.google.com, which has a positive reputation in the eyes of most anti-phishing engines. Recipients are invited to follow the link because automating a redirect from a presentation slide is simply impossible, and the attackers need some way to lure them to the phishing site; the victim is asked to walk into the trap themselves.

These are all clear signs of phishing that you need to watch out for every time you follow a link in a corporate email. The finale isn’t hard to guess: a simple page for harvesting Office 365 credentials. The address gives it away, of course.

How to protect employees from phishing

We recommend regular training for employees in the art of spotting the latest cybercriminal tricks (for example, by showing them our posts dedicated to signs of phishing). It’s even better to use a dedicated platform to raise cybersecurity awareness throughout the company.

And to make extra sure, provide corporate users with multi-layered anti-phishing protection capable of both filtering out bulk emails at the mail gateway level and blocking redirects to dangerous web pages using security solutions on a workstation.

Kaspersky official blog – ​Read More

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. 

Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

Microsoft AllJoyn API information disclosure vulnerability 

 
The AllJoyn API in some versions of the Microsoft Windows operating system contains an information disclosure vulnerability. 

TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. 

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. 

Microsoft fixed this issue as part of its monthly security update on Tuesday. For more on Patch Tuesday, read Talos’ blog here. 

CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.   

Adobe Acrobat Reader annotation object page race condition  

Discovered by KPC. 

Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

TALOS-2024-2011 (CVE-2024-39420) can be executed if an adversary tricks a targeted user into opening a specially crafted PDF file with malicious JavaScript embedded. This JavaScript could then trigger memory corruption due to a race condition.  

Depending on the memory layout of the process this vulnerability affects, it may be possible to abuse this vulnerability for arbitrary read and write access, which could ultimately be abused to achieve arbitrary code execution. 

Cisco Talos Blog – ​Read More

Microsoft disclosed four vulnerabilities that are actively being exploited in the wild as part of its regular Patch Tuesday security update this week in what’s become a regular occurrence for the company’s patches in 2024. 

Two of the zero-day vulnerabilities, CVE-2024-38226 and CVE-2024-38014, exist in the Microsoft Publisher software and Windows Installer, respectively. Last month, Microsoft disclosed six vulnerabilities in its Patch Tuesday that were already being exploited in the wild.  

In all, September’s monthly round of patches from Microsoft included 79 vulnerabilities, seven of which are considered critical. In addition to the zero-days disclosed Tuesday, Microsoft also fixed a security issue that had already been publicly disclosed: CVE-2024-38217, a vulnerability in Windows Mark of the Web that could allow an adversary to bypass usual MOTW detection techniques.  

Cisco Talos’ Vulnerability Research team also discovered an information disclosure vulnerability in the AllJoyn API that could allow an adversary to access uninitialized memory. CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.  

The most serious of the issues included in September’s Patch Tuesday is CVE-2024-43491, which has a severity score of 9.8 out of 10. CVE-2024-43491, a remote code execution issue in Windows Update, is considered “more likely” to be exploited, though Microsoft disclosed few details about the nature of this vulnerability. 

There are also four remote code execution vulnerabilities in SharePoint Server that are also considered “more likely” to be exploited: CVE-2024-38018, CVE-2024-38227, CVE-2024-38228 and CVE-2024-43464. 

In the case of the latter three vulnerabilities, an authenticated attacker with Site Owner permissions can inject arbitrary code and execute code in the context of SharePoint Server. However, an attacker only needs to have Site Member permissions to exploit CVE-2024-38018. 

CVE-2024-38226, one of the zero-days disclosed this week, is a security feature bypass vulnerability in Microsoft Publisher that could allow an attacker to bypass the default Microsoft Office macro policies used to block untrusted or malicious files. An adversary could exploit this vulnerability by tricking a user into opening a specially crafted, malicious file in Microsoft Publisher, which could lead to a local attack on the victim’s machine. Macros have been blocked by default on Office software to prevent attackers from hiding malicious code in them.  

Another vulnerability being actively exploited in the wild, CVE-2024-38014, is an issue in Windows Installer that could allow an adversary to gain SYTEM-level privileges. This issue affects Windows 11, version 24H2, which is currently only available on certain Microsoft Copilot+ devices, among other older versions of Windows 10 and 11. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63979 – 63984 and 63987 – 63994. There are also Snort 3 rules 301008 – 301013.

Cisco Talos Blog – ​Read More

Overview

On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to execute arbitrary commands by sending specially crafted requests, enabling them to gain unauthorized access and execute arbitrary commands.

On September 4, 2024, the identification of CVE-2024-45195 reignited concerns surrounding Apache OFBiz by revealing a bypass for several previously addressed vulnerabilities, notably CVE-2024-32113. This development has intensified the exploitation of CVE-2024-32113, as attackers exploit the flaw’s resurgence to compromise vulnerable systems and deploy malicious payloads. Researchers also observed active exploitation of this vulnerability to deploy the Mirai botnet on the compromised systems.

Cyble Global Sensor Intelligence (CGSI) findings

Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of CVE-2024-32113 on September 4, 2024. In the instances recorded by CGSI, as illustrated in the figure below, an attacker attempted to access the endpoint /webtools/control/forgotPassword;/ProgramExport through a POST request.

Vulnerability Details

Remote Code Execution

CVE-2024-32113

CVSSv3.1

9.1

Severity

Critical

Vulnerable Software Versions

Apache OFBi versions before 18.12.13

Description

The affected versions of the Apache OFBiz system contain a Path Traversal vulnerability due to improper limitation of pathnames to restricted directory.

Overview of the Exploit

The vulnerability arises from a fragmented state between the application’s current controller and view map due to the use of different parsing methods for incoming URI patterns. When attackers send unexpected URI requests, the logic for retrieving the authenticated view map can become confused, granting the attacker unauthorized access.

Exploitation occurs when an attacker submits a crafted request to the endpoint /webtools/control/forgotPassword;/ProgramExport, embedding a payload that executes Groovy scripts. This enables arbitrary commands to be run on the server. For instance, a payload could be used to execute the id command, which returns user and group IDs, thereby revealing sensitive information about the server environment.

Mitigation

CVE-2024-32113 affects Apache OFBiz versions prior to 18.12.13. However, version 18.12.13 remains vulnerable to CVE-2024-45195. Therefore, users are advised to upgrade to the latest version, 18.12.16, which addresses both vulnerabilities.

Recommendations

Following are recommendations to defend against the exploitation of CVE-2024-32113 and related vulnerabilities:

Upgrade Apache OFBiz to version 18.12.16 or the latest version available. This version addresses both CVE-2024-32113 and CVE-2024-45195.

Configure and deploy a WAF to filter and monitor HTTP requests, blocking attempts that exploit path traversal and other known attack vectors.

Apply the principle of least privilege to limit the potential impact of any successful exploitation.

Regularly review logs for unusual activities, such as unauthorized access attempts or suspicious requests to vulnerable endpoints.

Indicators of Compromise

Indicators 
Indicator
Type
Description

185[.]190[.]24[.]111
IPv4
Malicious IP

References

https://nvd.nist.gov/vuln/detail/CVE-2024-32113

https://nvd.nist.gov/vuln/detail/CVE-2024-45195

https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severity.html

https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/

https://isc.sans.edu/diary/Increased+Activity+Against+Apache+OFBiz+CVE202432113/31132/

https://issues.apache.org/jira/browse/OFBIZ-13006

https://github.com//Mr-xn//CVE-2024-32113

The post The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks appeared first on Cyble.

Blog – Cyble – ​Read More