Monthly Archives: September 2023

Security

Simple Netcat Backdoor in Python Script, (Sat, Sep 30th)

Leave a comment
This post was originally published on this site

Why reinvent the wheel? We are all lazy and, if we have a tool that offers some interesting capabilities, why not use it? I spotted a simple maliciouis Python script targeting Windows hosts. The file (SHA256:d706d94981bc53ab1458519f224b9602152325fc2a18f3df9d9da8f562b99044) is flagged by 16 antivirus products on VirusTotal[1]. Nothing very exciting with the script, it's a bot that uses a Discord channel for C2 communications. 

Security

Are You Still Storing Passwords In Plain Text Files?, (Fri, Sep 29th)

Leave a comment
This post was originally published on this site

"Infostealer" malware have been in the wild for a long time now. Once the computer's victim is infected, the goal is to steal "juicy" information like passwords, cookies, screenshots, keystrokes, and more. Yesterday, I spotted an interesting sample. It's delivered through an FTP connection. The file (SHA256:2bf9a44bd546e0fd1448521669136220dc49146b0f3a5cd7863698ac79b5e778) is unknown on VirusTotal.

AWS

Amazon Bedrock Is Now Generally Available – Build and Scale Generative AI Applications with Foundation Models

Leave a comment
This post was originally published on this site

This April, we announced Amazon Bedrock as part of a set of new tools for building with generative AI on AWS. Amazon Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies, including AI21 Labs, Anthropic, Cohere, Stability AI, and Amazon, along with a broad set of capabilities to build generative AI applications, simplifying the development while maintaining privacy and security.

Today, I’m happy to announce that Amazon Bedrock is now generally available! I’m also excited to share that Meta’s Llama 2 13B and 70B parameter models will soon be available on Amazon Bedrock.

Amazon Bedrock

Amazon Bedrock’s comprehensive capabilities help you experiment with a variety of top FMs, customize them privately with your data using techniques such as fine-tuning and retrieval-augmented generation (RAG), and create managed agents that perform complex business tasks—all without writing any code. Check out my previous posts to learn more about agents for Amazon Bedrock and how to connect FMs to your company’s data sources.

Note that some capabilities, such as agents for Amazon Bedrock, including knowledge bases, continue to be available in preview. I’ll share more details on what capabilities continue to be available in preview towards the end of this blog post.

Since Amazon Bedrock is serverless, you don’t have to manage any infrastructure, and you can securely integrate and deploy generative AI capabilities into your applications using the AWS services you are already familiar with.

Amazon Bedrock is integrated with Amazon CloudWatch and AWS CloudTrail to support your monitoring and governance needs. You can use CloudWatch to track usage metrics and build customized dashboards for audit purposes. With CloudTrail, you can monitor API activity and troubleshoot issues as you integrate other systems into your generative AI applications. Amazon Bedrock also allows you to build applications that are in compliance with the GDPR and you can use Amazon Bedrock to run sensitive workloads regulated under the U.S. Health Insurance Portability and Accountability Act (HIPAA).

Get Started with Amazon Bedrock
You can access available FMs in Amazon Bedrock through the AWS Management Console, AWS SDKs, and open-source frameworks such as LangChain.

In the Amazon Bedrock console, you can browse FMs and explore and load example use cases and prompts for each model. First, you need to enable access to the models. In the console, select Model access in the left navigation pane and enable the models you would like to access. Once model access is enabled, you can try out different models and inference configuration settings to find a model that fits your use case.

For example, here’s a contract entity extraction use case example using Cohere’s Command model:

Amazon Bedrock

The example shows a prompt with a sample response, the inference configuration parameter settings for the example, and the API request that runs the example. If you select Open in Playground, you can explore the model and use case further in an interactive console experience.

Amazon Bedrock offers chat, text, and image model playgrounds. In the chat playground, you can experiment with various FMs using a conversational chat interface. The following example uses Anthropic’s Claude model:

Amazon Bedrock

As you evaluate different models, you should try various prompt engineering techniques and inference configuration parameters. Prompt engineering is a new and exciting skill focused on how to better understand and apply FMs to your tasks and use cases. Effective prompt engineering is about crafting the perfect query to get the most out of FMs and obtain proper and precise responses. In general, prompts should be simple, straightforward, and avoid ambiguity. You can also provide examples in the prompt or encourage the model to reason through more complex tasks.

Inference configuration parameters influence the response generated by the model. Parameters such as Temperature, Top P, and Top K give you control over the randomness and diversity, and Maximum Length or Max Tokens control the length of model responses. Note that each model exposes a different but often overlapping set of inference parameters. These parameters are either named the same between models or similar enough to reason through when you try out different models.

We discuss effective prompt engineering techniques and inference configuration parameters in more detail in week 1 of the Generative AI with Large Language Models on-demand course, developed by AWS in collaboration with DeepLearning.AI. You can also check the Amazon Bedrock documentation and the model provider’s respective documentation for additional tips.

Next, let’s see how you can interact with Amazon Bedrock via APIs.

Using the Amazon Bedrock API
Working with Amazon Bedrock is as simple as selecting an FM for your use case and then making a few API calls. In the following code examples, I’ll use the AWS SDK for Python (Boto3) to interact with Amazon Bedrock.

List Available Foundation Models
First, let’s set up the boto3 client and then use list_foundation_models() to see the most up-to-date list of available FMs:

import boto3
import json

bedrock = boto3.client(
    service_name='bedrock', 
    region_name='us-east-1'
)

bedrock.list_foundation_models()

Run Inference Using Amazon Bedrock’s InvokeModel API
Next, let’s perform an inference request using Amazon Bedrock’s InvokeModel API and boto3 runtime client. The runtime client manages the data plane APIs, including the InvokeModel API.

Amazon Bedrock

The InvokeModel API expects the following parameters:

{
    "modelId": <MODEL_ID>,
    "contentType": "application/json",
    "accept": "application/json",
    "body": <BODY>
}

The modelId parameter identifies the FM you want to use. The request body is a JSON string containing the prompt for your task, together with any inference configuration parameters. Note that the prompt format will vary based on the selected model provider and FM. The contentType and accept parameters define the MIME type of the data in the request body and response and default to application/json. For more information on the latest models, InvokeModel API parameters, and prompt formats, see the Amazon Bedrock documentation.

Example: Text Generation Using AI21 Lab’s Jurassic-2 Model
Here is a text generation example using AI21 Lab’s Jurassic-2 Ultra model. I’ll ask the model to tell me a knock-knock joke—my version of a Hello World.

bedrock_runtime = boto3.client(
    service_name='bedrock-runtime', 
    region_name='us-east-1'
)

modelId = 'ai21.j2-ultra-v1' 
accept = 'application/json'
contentType = 'application/json'

body = json.dumps(
    {"prompt": "Knock, knock!", 
     "maxTokens": 200,
     "temperature": 0.7,
     "topP": 1,
    }
)

response = bedrock_runtime.invoke_model(
    body=body, 
	modelId=modelId, 
	accept=accept, 
	contentType=contentType
)

response_body = json.loads(response.get('body').read())

Here’s the response:

outputText = response_body.get('completions')[0].get('data').get('text')
print(outputText)

Who's there? 
Boo! 
Boo who? 
Don't cry, it's just a joke!

You can also use the InvokeModel API to interact with embedding models.

Example: Create Text Embeddings Using Amazon’s Titan Embeddings Model
Text embedding models translate text inputs, such as words, phrases, or possibly large units of text, into numerical representations, known as embedding vectors. Embedding vectors capture the semantic meaning of the text in a high-dimension vector space and are useful for applications such as personalization or search. In the following example, I’m using the Amazon Titan Embeddings model to create an embedding vector.

prompt = "Knock-knock jokes are hilarious."

body = json.dumps({
    "inputText": prompt,
})

model_id = 'amazon.titan-embed-g1-text-02'
accept = 'application/json' 
content_type = 'application/json'

response = bedrock_runtime.invoke_model(
    body=body, 
    modelId=model_id, 
    accept=accept, 
    contentType=content_type
)

response_body = json.loads(response['body'].read())
embedding = response_body.get('embedding')

The embedding vector (shortened) will look similar to this:

[0.82421875, -0.6953125, -0.115722656, 0.87890625, 0.05883789, -0.020385742, 0.32421875, -0.00078201294, -0.40234375, 0.44140625, ...]

Note that Amazon Titan Embeddings is available today. The Amazon Titan Text family of models for text generation continues to be available in limited preview.

Run Inference Using Amazon Bedrock’s InvokeModelWithResponseStream API
The InvokeModel API request is synchronous and waits for the entire output to be generated by the model. For models that support streaming responses, Bedrock also offers an InvokeModelWithResponseStream API that lets you invoke the specified model to run inference using the provided input but streams the response as the model generates the output.

Amazon Bedrock

Streaming responses are particularly useful for responsive chat interfaces to keep the user engaged in an interactive application. Here is a Python code example using Amazon Bedrock’s InvokeModelWithResponseStream API:

response = bedrock_runtime.invoke_model_with_response_stream(
    modelId=modelId, 
    body=body)

stream = response.get('body')
if stream:
    for event in stream:
        chunk=event.get('chunk')
        if chunk:
            print(json.loads(chunk.get('bytes').decode))

Data Privacy and Network Security
With Amazon Bedrock, you are in control of your data, and all your inputs and customizations remain private to your AWS account. Your data, such as prompts, completions, and fine-tuned models, is not used for service improvement. Also, the data is never shared with third-party model providers.

Your data remains in the Region where the API call is processed. All data is encrypted in transit with a minimum of TLS 1.2 encryption. Data at rest is encrypted with AES-256 using AWS KMS managed data encryption keys. You can also use your own keys (customer managed keys) to encrypt the data.

You can configure your AWS account and virtual private cloud (VPC) to use Amazon VPC endpoints (built on AWS PrivateLink) to securely connect to Amazon Bedrock over the AWS network. This allows for secure and private connectivity between your applications running in a VPC and Amazon Bedrock.

Governance and Monitoring
Amazon Bedrock integrates with IAM to help you manage permissions for Amazon Bedrock. Such permissions include access to specific models, playground, or features within Amazon Bedrock. All AWS-managed service API activity, including Amazon Bedrock activity, is logged to CloudTrail within your account.

Amazon Bedrock emits data points to CloudWatch using the AWS/Bedrock namespace to track common metrics such as InputTokenCount, OutputTokenCount, InvocationLatency, and (number of) Invocations. You can filter results and get statistics for a specific model by specifying the model ID dimension when you search for metrics. This near real-time insight helps you track usage and cost (input and output token count) and troubleshoot performance issues (invocation latency and number of invocations) as you start building generative AI applications with Amazon Bedrock.

Billing and Pricing Models
Here are a couple of things around billing and pricing models to keep in mind when using Amazon Bedrock:

Billing – Text generation models are billed per processed input tokens and per generated output tokens. Text embedding models are billed per processed input tokens. Image generation models are billed per generated image.

Pricing Models – Amazon Bedrock offers two pricing models, on-demand and provisioned throughput. On-demand pricing allows you to use FMs on a pay-as-you-go basis without having to make any time-based term commitments. Provisioned throughput is primarily designed for large, consistent inference workloads that need guaranteed throughput in exchange for a term commitment. Here, you specify the number of model units of a particular FM to meet your application’s performance requirements as defined by the maximum number of input and output tokens processed per minute. For detailed pricing information, see Amazon Bedrock Pricing.

Now Available
Amazon Bedrock is available today in AWS Regions US East (N. Virginia) and US West (Oregon). To learn more, visit Amazon Bedrock, check the Amazon Bedrock documentation, explore the generative AI space at community.aws, and get hands-on with the Amazon Bedrock workshop. You can send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS contacts.

(Available in Preview) The Amazon Titan Text family of text generation models, Stability AI’s Stable Diffusion XL image generation model, and agents for Amazon Bedrock, including knowledge bases, continue to be available in preview. Reach out through your usual AWS contacts if you’d like access.

(Coming Soon) The Llama 2 13B and 70B parameter models by Meta will soon be available via Amazon Bedrock’s fully managed API for inference and fine-tuning.

Start building generative AI applications with Amazon Bedrock, today!

— Antje

Security

IPv4 Addresses in Little Endian Decimal Format, (Thu, Sep 28th)

Leave a comment
This post was originally published on this site

If you look at the XML EventData of Windows events like 1002 (DHCP error), you will see something like this:

Address1 and Address2 are IPv4 addresses represented as a decimal integer. This can be decoded with many tools, let's try CyberChef:

With this recipe.

The decoded IPv4 address is 4.1.168.192, which is 192.168.1.4 reversed.

That's because CyberChef assumes that the 4 bytes are encoded in big endian format (most significant byte comes first), because that is the "standard for data on the wire".

But in XML eventdata, it is encoded in little endian format (the least significant byte comes first, the opposite of big endian).

With CyberChef, one can find different solutions (recipes) to this problem. Here is one I'm using:

Here is the recipe.

I use one Change IP Format operation to convert the decimal number to hexadecimal, then a Swapp Endianness operation to swap the 4 bytes, and then another Change IP Format operation to display the IPv4 address in dotted decimal format.

If you have better solutions, please post your recipes.

I also have a very short recipe, but some might say I'm cheating … :-p

I extended the Change IP Format operation with a Decimal (Little Endian) format:

I actually have a PR for this that I should follow up on.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AWS

Amazon MSK Introduces Managed Data Delivery from Apache Kafka to Your Data Lake

Leave a comment
This post was originally published on this site

I’m excited to announce today a new capability of Amazon Managed Streaming for Apache Kafka (Amazon MSK) that allows you to continuously load data from an Apache Kafka cluster to Amazon Simple Storage Service (Amazon S3). We use Amazon Kinesis Data Firehose—an extract, transform, and load (ETL) service—to read data from a Kafka topic, transform the records, and write them to an Amazon S3 destination. Kinesis Data Firehose is entirely managed and you can configure it with just a few clicks in the console. No code or infrastructure is needed.

Kafka is commonly used for building real-time data pipelines that reliably move massive amounts of data between systems or applications. It provides a highly scalable and fault-tolerant publish-subscribe messaging system. Many AWS customers have adopted Kafka to capture streaming data such as click-stream events, transactions, IoT events, and application and machine logs, and have applications that perform real-time analytics, run continuous transformations, and distribute this data to data lakes and databases in real time.

However, deploying Kafka clusters is not without challenges.

The first challenge is to deploy, configure, and maintain the Kafka cluster itself. This is why we released Amazon MSK in May 2019. MSK reduces the work needed to set up, scale, and manage Apache Kafka in production. We take care of the infrastructure, freeing you to focus on your data and applications. The second challenge is to write, deploy, and manage application code that consumes data from Kafka. It typically requires coding connectors using the Kafka Connect framework and then deploying, managing, and maintaining a scalable infrastructure to run the connectors. In addition to the infrastructure, you also must code the data transformation and compression logic, manage the eventual errors, and code the retry logic to ensure no data is lost during the transfer out of Kafka.

Today, we announce the availability of a fully managed solution to deliver data from Amazon MSK to Amazon S3 using Amazon Kinesis Data Firehose. The solution is serverless–there is no server infrastructure to manage–and requires no code. The data transformation and error-handling logic can be configured with a few clicks in the console.

The architecture of the solution is illustrated by the following diagram.

Amazon MSK to Amazon S3 architecture diagram

Amazon MSK is the data source, and Amazon S3 is the data destination while Amazon Kinesis Data Firehose manages the data transfer logic.

When using this new capability, you no longer need to develop code to read your data from Amazon MSK, transform it, and write the resulting records to Amazon S3. Kinesis Data Firehose manages the reading, the transformation and compression, and the write operations to Amazon S3. It also handles the error and retry logic in case something goes wrong. The system delivers the records that can not be processed to the S3 bucket of your choice for manual inspection. The system also manages the infrastructure required to handle the data stream. It will scale out and scale in automatically to adjust to the volume of data to transfer. There are no provisioning or maintenance operations required on your side.

Kinesis Data Firehose delivery streams support both public and private Amazon MSK provisioned or serverless clusters. It also supports cross-account connections to read from an MSK cluster and to write to S3 buckets in different AWS accounts. The Data Firehose delivery stream reads data from your MSK cluster, buffers the data for a configurable threshold size and time, and then writes the buffered data to Amazon S3 as a single file. MSK and Data Firehose must be in the same AWS Region, but Data Firehose can deliver data to Amazon S3 buckets in other Regions.

Kinesis Data Firehose delivery streams can also convert data types. It has built-in transformations to support JSON to Apache Parquet and Apache ORC formats. These are columnar data formats that save space and enable faster queries on Amazon S3. For non-JSON data, you can use AWS Lambda to transform input formats such as CSV, XML, or structured text into JSON before converting the data to Apache Parquet/ORC. Additionally, you can specify data compression formats from Data Firehose, such as GZIP, ZIP, and SNAPPY, before delivering the data to Amazon S3, or you can deliver the data to Amazon S3 in its raw form.

Let’s See How It Works
To get started, I use an AWS account where there’s an Amazon MSK cluster already configured and some applications streaming data to it. To get started and to create your first Amazon MSK cluster, I encourage you to read the tutorial.

Amazon MSK - List of existing clusters

For this demo, I use the console to create and configure the data delivery stream. Alternatively, I can use the AWS Command Line Interface (AWS CLI), AWS SDKs, AWS CloudFormation, or Terraform.

I navigate to the Amazon Kinesis Data Firehose page of the AWS Management Console and then choose Create delivery stream.

Kinesis Data Firehose - Main console page

I select Amazon MSK as a data Source and Amazon S3 as a delivery Destination. For this demo, I want to connect to a private cluster, so I select Private bootstrap brokers under Amazon MSK cluster connectivity.

I need to enter the full ARN of my cluster. Like most people, I cannot remember the ARN, so I choose Browse and select my cluster from the list.

Finally, I enter the cluster Topic name I want this delivery stream to read from.

Configure the delivery stream

After the source is configured, I scroll down the page to configure the data transformation section.

On the Transform and convert records section, I can choose whether I want to provide my own Lambda function to transform records that aren’t in JSON or to transform my source JSON records to one of the two available pre-built destination data formats: Apache Parquet or Apache ORC.

Apache Parquet and ORC formats are more efficient than JSON format to query data from Amazon S3. You can select these destination data formats when your source records are in JSON format. You must also provide a data schema from a table in AWS Glue.

These built-in transformations optimize your Amazon S3 cost and reduce time-to-insights when downstream analytics queries are performed with Amazon Athena, Amazon Redshift Spectrum, or other systems.

Configure the data transformation in the delivery stream

Finally, I enter the name of the destination Amazon S3 bucket. Again, when I cannot remember it, I use the Browse button to let the console guide me through my list of buckets. Optionally, I enter an S3 bucket prefix for the file names. For this demo, I enter aws-news-blog. When I don’t enter a prefix name, Kinesis Data Firehose uses the date and time (in UTC) as the default value.

Under the Buffer hints, compression and encryption section, I can modify the default values for buffering, enable data compression, or select the KMS key to encrypt the data at rest on Amazon S3.

When ready, I choose Create delivery stream. After a few moments, the stream status changes to ✅  available.

Select the destination S3 bucket

Assuming there’s an application streaming data to the cluster I chose as a source, I can now navigate to my S3 bucket and see data appearing in the chosen destination format as Kinesis Data Firehose streams it.

S3 bucket browsers shows the files streamed from MSK

As you see, no code is required to read, transform, and write the records from my Kafka cluster. I also don’t have to manage the underlying infrastructure to run the streaming and transformation logic.

Pricing and Availability.
This new capability is available today in all AWS Regions where Amazon MSK and Kinesis Data Firehose are available.

You pay for the volume of data going out of Amazon MSK, measured in GB per month. The billing system takes into account the exact record size; there is no rounding. As usual, the pricing page has all the details.

I can’t wait to hear about the amount of infrastructure and code you’re going to retire after adopting this new capability. Now go and configure your first data stream between Amazon MSK and Amazon S3 today.

— seb

Security

Apple Releases MacOS Sonoma Including Numerous Security Patches, (Tue, Sep 26th)

Leave a comment
This post was originally published on this site

As expected, Apple today released macOS Sonoma (14.0). This update, in addition to new features, provides patches for about 60 different vulnerabilities. Older MacOS versions received updates addressing these vulnerabilities last week with the MacOS 13.6. When these updates were released, the security content was not made public, but with today's release of macOS 14, Apple revealed the security content of these prior updates.

The table below includes the updates released on September 21st and today (26th). It does not include CVSS scores. My ChatGPT-driven script to calculate them had too many issues with this set of updates to be helpful.

Also note that some of the "Exploited" vulnerabilities receives specific updates not included in this table.

 

macOS Sonoma 14 Safari 16.6.1 iOS 17.0.1 and iPadOS 17.0.1 iOS 16.7 and iPadOS 16.7 watchOS 10.0.1 watchOS 9.6.3 macOS Ventura 13.6 macOS Monterey 12.7
CVE-2023-40384 [important] Airport
A permissions issue was addressed with improved redaction of sensitive information.
An app may be able to read sensitive location information
x              
CVE-2023-32377 [important] AMD
A buffer overflow issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x              
CVE-2023-38615 [important] AMD
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x              
CVE-2023-40448 [moderate] App Store
The issue was addressed with improved handling of protocols.
A remote attacker may be able to break out of Web Content sandbox
x     x        
CVE-2023-40432 [important] Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x              
CVE-2023-40399 [important] Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to disclose kernel memory
x              
CVE-2023-40410 [important] Apple Neural Engine
An out-of-bounds read was addressed with improved input validation.
An app may be able to disclose kernel memory
x           x x
CVE-2023-32361 [important] AuthKit
The issue was addressed with improved handling of caches.
An app may be able to access user-sensitive data
x              
CVE-2023-35984 [moderate] Bluetooth
The issue was addressed with improved checks.
An attacker in physical proximity can cause a limited out of bounds write
x              
CVE-2023-40402 [moderate] Bluetooth
A permissions issue was addressed with additional restrictions.
An app may be able to access sensitive user data
x              
CVE-2023-40426 [moderate] Bluetooth
A permissions issue was addressed with additional restrictions.
An app may be able to bypass certain Privacy preferences
x              
CVE-2023-41065 [important] bootp
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to read sensitive location information
x              
CVE-2023-29497 [moderate] Calendar
A privacy issue was addressed with improved handling of temporary files.
An app may be able to access calendar data saved to a temporary directory
x              
CVE-2023-38596 [moderate] CFNetwork
The issue was addressed with improved handling of protocols.
An app may fail to enforce App Transport Security
x              
CVE-2023-40406 [moderate] ColorSync
The issue was addressed with improved checks.
An app may be able to read arbitrary files
x           x x
CVE-2023-40420 [moderate] CoreAnimation
The issue was addressed with improved memory handling.
Processing web content may lead to a denial-of-service
x     x     x x
CVE-2023-40407 [moderate] CUPS
The issue was addressed with improved bounds checks.
A remote attacker may be able to cause a denial-of-service
x              
CVE-2023-32396 [important] Dev Tools
This issue was addressed with improved checks.
An app may be able to gain elevated privileges
x              
CVE-2023-41980 [important] FileProvider
A permissions issue was addressed with additional restrictions.
An app may be able to bypass Privacy preferences
x              
CVE-2023-40395 [moderate] Game Center
The issue was addressed with improved handling of caches.
An app may be able to access contacts
x     x       x
CVE-2023-40391 [important] GPU Drivers
The issue was addressed with improved memory handling.
An app may be able to disclose kernel memory
x              
CVE-2023-40441 [moderate] GPU Drivers
A resource exhaustion issue was addressed with improved input validation.
Processing web content may lead to a denial-of-service
x              
CVE-2023-23495 [moderate] iCloud
A permissions issue was addressed with improved redaction of sensitive information.
An app may be able to access sensitive user data
x              
CVE-2023-40434 [moderate] iCloud Photo Library
A configuration issue was addressed with additional restrictions.
An app may be able to access a user's Photos Library
x              
CVE-2023-38586 [moderate] Image Capture
An access issue was addressed with additional sandbox restrictions.
A sandboxed process may be able to circumvent sandbox restrictions
x              
CVE-2023-40436 [moderate] IOAcceleratorFamily
The issue was addressed with improved bounds checks.
An attacker may be able to cause unexpected system termination or read kernel memory
x              
CVE-2023-41995 [important] Kernel
A use-after-free issue was addressed with improved memory management.
An app may be able to execute arbitrary code with kernel privileges
x              
CVE-2023-41981 [moderate] Kernel
The issue was addressed with improved memory handling.
An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
x     x     x  
CVE-2023-41984 [important] Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x     x     x x
CVE-2023-40429 [moderate] Kernel
A permissions issue was addressed with improved validation.
An app may be able to access sensitive user data
x              
CVE-2023-41067 [important] LaunchServices
A logic issue was addressed with improved checks.
An app may bypass Gatekeeper checks
x              
CVE-2023-40400 [critical] libpcap
This issue was addressed with improved checks.
A remote user may cause an unexpected app termination or arbitrary code execution
x              
CVE-2023-40454 [moderate] libxpc
A permissions issue was addressed with additional restrictions.
An app may be able to delete files for which it does not have permission
x     x     x x
CVE-2023-41073 [moderate] libxpc
An authorization issue was addressed with improved state management.
An app may be able to access protected user data
x     x     x x
CVE-2023-40403 [moderate] libxslt
The issue was addressed with improved memory handling.
Processing web content may disclose sensitive information
x     x     x x
CVE-2023-40427 [important] Maps
The issue was addressed with improved handling of caches.
An app may be able to read sensitive location information
x           x x
CVE-2023-32421 [moderate] Messages
A privacy issue was addressed with improved handling of temporary files.
An app may be able to observe unprotected user data
x              
CVE-2023-41986 [important] Music
The issue was addressed with improved checks.
An app may be able to modify protected parts of the file system
x              
CVE-2023-40455 [moderate] NetFSFramework
A permissions issue was addressed with additional restrictions.
A sandboxed process may be able to circumvent sandbox restrictions
x              
CVE-2023-40386 [moderate] Notes
A privacy issue was addressed with improved handling of temporary files.
An app may be able to access Notes attachments
x              
CVE-2023-37448 [important] Power Management
A lock screen issue was addressed with improved state management.
A user may be able to view restricted content from the lock screen
x              
CVE-2023-41063 [important] Pro Res
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x     x     x  
CVE-2023-40422 [important] QuartzCore
The issue was addressed with improved memory handling.
An app may be able to cause a denial-of-service
x              
CVE-2023-39233 [moderate] Safari
The issue was addressed with improved checks.
Processing web content may disclose sensitive information
x              
CVE-2023-40388 [moderate] Safari
A privacy issue was addressed with improved handling of temporary files.
Safari may save photos to an unprotected location
x              
CVE-2023-35990 [moderate] Safari
The issue was addressed with improved checks.
An app may be able to identify what other apps a user has installed
x     x        
CVE-2023-40417 [moderate] Safari
A window management issue was addressed with improved state management.
Visiting a website that frames malicious content may lead to UI spoofing
x              
CVE-2023-40452 [moderate] Sandbox
The issue was addressed with improved bounds checks.
An app may be able to overwrite arbitrary files
x           x x
CVE-2023-41078 [moderate] Screen Sharing
An authorization issue was addressed with improved state management.
An app may be able to bypass certain Privacy preferences
x              
CVE-2023-41070 [moderate] Share Sheet
A logic issue was addressed with improved checks.
An app may be able to access sensitive data logged when a user shares a link
x     x     x  
CVE-2023-40541 [moderate] Shortcuts
This issue was addressed by adding an additional prompt for user consent.
A shortcut may output sensitive user data without consent
x              
CVE-2023-41079 [important] Shortcuts
The issue was addressed with improved permissions logic.
An app may be able to bypass Privacy preferences
x              
CVE-2023-41968 [moderate] Disk Management
This issue was addressed with improved validation of symlinks.
An app may be able to read arbitrary files
x           x x
CVE-2023-40450 [important] System Preferences
The issue was addressed with improved checks.
An app may bypass Gatekeeper checks
x              
CVE-2023-40424 [important] TCC
The issue was addressed with improved checks.
An app may be able to access user-sensitive data
x              
CVE-2023-39434 [critical] WebKit
A use-after-free issue was addressed with improved memory management.
Processing web content may lead to arbitrary code execution
x              
CVE-2023-41074 [critical] WebKit
The issue was addressed with improved checks.
Processing web content may lead to arbitrary code execution
x              
CVE-2023-35074 [critical] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to arbitrary code execution
x              
CVE-2023-41993 [critical] *** EXPLOITED *** WebKit
The issue was addressed with improved checks.
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
x x x x        
CVE-2023-41066 [moderate] Windows Server
An authentication issue was addressed with improved state management.
An app may be able to unexpectedly leak a user's credentials from secure text fields
x              
CVE-2023-41979 [important] XProtectFramework
A race condition was addressed with improved locking.
An app may be able to modify protected parts of the file system
x              
CVE-2023-41992 [moderate] *** EXPLOITED *** Kernel
The issue was addressed with improved checks.
A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
    x x x x x x
CVE-2023-41991 [important] *** EXPLOITED *** Security
A certificate validation issue was addressed.
A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.
    x x x x x  
CVE-2023-41232 [important] Biometric Authentication
An out-of-bounds read was addressed with improved bounds checking.
An app may be able to disclose kernel memory
      x     x x
CVE-2023-41068 [important] MobileStorageMounter
An access issue was addressed with improved access restrictions.
A user may be able to elevate privileges
      x        
CVE-2023-40412 [important] Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
            x x
CVE-2023-40409 [important] Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
            x x
CVE-2023-41071 [important] Apple Neural Engine
A use-after-free issue was addressed with improved memory management.
An app may be able to execute arbitrary code with kernel privileges
            x  
CVE-2023-41996 [moderate] Sandbox
The issue was addressed with improved checks.
Apps that fail verification checks may still launch
            x  


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

People's Republic of China-Linked Cyber Actors Hide in Router Firmware

Leave a comment
This post was originally published on this site

Executive Summary

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.

BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.

For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]

Download the PDF version of this report: [PDF, 808 KB]

Technical Details

This advisory uses the MITRE® ATT&CK® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.

Background

Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.

Observable TTPs

BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows®, Linux®, and FreeBSD® operating systems. Custom malware families employed by BlackTech include:

  • BendyBear [S0574]
  • Bifrose
  • BTSDoor
  • FakeDead (a.k.a. TSCookie) [S0436]
  • Flagpro [S0696]
  • FrontShell (FakeDead’s downloader module)
  • IconDown
  • PLEAD [S0435]
  • SpiderPig
  • SpiderSpring
  • SpiderStack
  • WaterBear [S0579]

BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002].

BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]

Pivoting from international subsidiaries

The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.

Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].

Maintaining access via stealthy router backdoors

BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.

In some cases, BlackTech actors replace the firmware for certain Cisco IOS®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router’s built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006], however, it is not always necessary.

BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].

Firmware replacement process

BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.

Table 1: File types to compromise the router

File Type

Description

Old Legitimate Firmware

The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader.

Modified Firmware

The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router.

Modified Bootloader

The bootloader allows Modified Firmware to continue evading the router’s security features for persistence across reboots. In some cases, only modified firmware is used.

BlackTech actors use the Cisco router’s CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows:

  1. Download old legitimate firmware.
  2. Set the router to load the old legitimate firmware and reboot with the following command(s):

    config t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]
    end
    write
    reload
  3. Download the modified bootloader and modified firmware.
  4. Set the router to load the modified firmware with the following command(s):
    conf t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]
    end
    write
  5. Load the modified bootloader (the router reboots automatically) with the following command:
    upgrade rom file bootloader
  6. Enable access by sending a trigger packet that has specific values within the UDP data or TCP Sequence Number field and the Maximum Segment Size (MSS) parameter within the TCP Options field.
Modified bootloader

To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.

Modified firmware

BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.

BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.

To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.

Detection and Mitigation Techniques

In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.

The following are the best mitigation practices to defend against this type of malicious activity:

  • Disable outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems.
    Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3]
  • Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.[4]
  • Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.[3]
  • Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.[3],[5]
  • When there is a concern that a single password has been compromised, change all passwords and keys.[3]
  • Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.[3]
  • Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.[3]
  • Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.[3]

Works Cited

[1]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF
[2]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
[3]    NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[4]    NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF 
[5]    Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.

Contact

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov 
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov 
NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office.

Appendix: MITRE ATT&CK Techniques

See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.

Table 2: BlackTech ATT&CK Techniques for Enterprise – Resource Development

Technique Title

ID

Use

Obtain Capabilities: Code Signing Certificates

T1588.003

BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.
Table 3: BlackTech ATT&CK Techniques for Enterprise – Initial Access

Technique Title

ID

Use

Initial Access

TA0001

BlackTech actors gain access to victim networks by exploiting routers.

Trusted Relationship

T1199

BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.
Table 4: BlackTech ATT&CK Techniques for Enterprise – Persistence

Technique Title

ID

Use

Persistence

TA0003

BlackTech actors gain persistent access to victims’ networks.

Traffic Signaling

T1205

BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.

Pre-OS Boot: ROMMONkit

T1542.004

BlackTech actors modify router firmware to maintain persistence.
Table 5: BlackTech ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title

ID

Use

Privilege Escalation

TA0004

BlackTech actors gain elevated privileges on a victim’s network.
Table 6: BlackTech ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title

ID

Use

Defense Evasion

TA0005

BlackTech actors configure their tools to evade detection by security software and EDR.

Modify Registry

T1112

BlackTech actors modify the victim’s registry.

Impair Defenses

T1562

BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.

Impair Defenses: Impair Command History Logging

T1562.003

BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.

Modify System Image: Patch System Image

T1601.001

BlackTech actors modify router firmware to evade detection.
Table 7: BlackTech ATT&CK Techniques for Enterprise – Discovery

Technique Title

ID

Use

Discovery

TA0007

BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information.
Table 8: BlackTech ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

BlackTech actors use RDP to move laterally across a victim’s network.

Remote Services: SSH

T1021.004

BlackTech actors use SSH to move laterally across a victim’s network.
Table 9: BlackTech ATT&CK Techniques for Enterprise – Command and Control

Technique Title

ID

Use

Command and Control

TA0011

BlackTech actors compromise and control a victim’s network infrastructure.

Application Layer Protocol: File Transfer Protocols

T1071.002

BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.

Proxy

T1090

BlackTech actors use compromised routers to proxy traffic.
Security

A new spin on the ZeroFont phishing technique, (Tue, Sep 26th)

Leave a comment
This post was originally published on this site

Last week, I came across an interesting phishing e-mail, in which a text written in a font with zero-pixel size was used in quite a novel way.

The technique of embedding text with zero font size in phishing e-mails to break up text written in normal, visible way, in order to make detection of suspicious messages by automated means more difficult has been with us for quite some time now. In fact, all the way back in 2018, the team at Avanan coined the term “ZeroFont Phishing”[1] for it.

Nevertheless, the “invisible” text in the e-mail which was delivered to our handler e-mail address last Friday did not serve the usual purpose – it wasn’t intended to hinder automated scanners from identifying the message as potentially fraudulent/malicious, but instead to make the message appear more trustworthy to the recipient.

Before we get to how it did this, let us quickly set the stage.

Modern e-mail clients commonly display received e-mail messages in a layout containing two side-by-side windows – one showing the list of received (or sent, drafted, etc.) messages and the other showing the body of a selected message. As you may see in the following image, Microsoft Outlook displays the name of a sender, its subject and the beginning of a text of each message in the left window, as do many other MUAs.

The fact that e-mail clients display the beginning of the text of a message in the listing of folder content is quite important for us.

This is because although the e-mail, to which I alluded, looked like a run-of-the-mill phishing when one looked only at the body of the message…

…the text, which was displayed in the “listing pane” in Outlook for the message, was somewhat unexpected.

This was because instead of the visible beginning of the message (i.e., “Job Offer | Employment Opportunity”), the text “Scanned and secured by Isc®Advanced Threat protection (APT):  9/22/2023T6:42 AM” was displayed in the listing.

As you have undoubtedly already surmised, this was because this text was contained at the beginning of the message and was set to be 0 pixels in size (as well as to be transparent and hidden). You may see this in the following excerpt from the HTML code of the body of the message.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <title> Employment Opportunity 9/22/2023T6:42 AM: Virtual Personal Assistant/Administrative Assistance</title>
 </head>
 <body>
 <span style="mso-hide:all;display:none !important;font-size:0;max-height:0;line-height:0;visibility:hidden;overflow:hidden;opacity:0;color:transparent;height:0;width:0;">
  Scanned and secured by IscAdvanced Threat protection (APT):  9/22/2023T6:42 AM
 </span>
 <FONT size=4>
 <FONT color=#ffffff>
 <FONT color=#000000 size=3 face="Segoe UI"> <P align=left>
 <FONT size=4>
 <FONT color=#ffffff>
 <FONT color=#000000 size=3 face="Segoe UI">
 <FONT color=#ffffff>
  *
 </FONT>
  Job
 <FONT color=#ffffff>
  *
 </FONT>
 Offer |
 <FONT color=#ffffff>
  *
 </FONT>
 Employment
 <FONT color=#ffffff>
  *
 </FONT>
 Opportunity
 <BR>

It seems that Outlook (and likely other MUAs) displays any text which is present at the beginning of a message in the listing view, even if it has zero font size, which can unfortunately be (mis)used in the way we've shown.

While I wouldn’t be surprised if this technique has been used before, this was the first time I came across it. And since I couldn’t find any previous write-ups of it, I decided to share it here.

Although it is a technique with only minor impact, it might still confuse some recipients into believing that a phishing message is trustworthy – especially if the text displayed in the “listing window” was well chosen. It is, in any case, one more small addition to the threat actor toolbox which may be used to create more effective phishing campaigns, and it is therefore certainly good for us – as defenders – to be aware of it…

Furthermore, since it is currently being used “in the wild”, it might not be a bad idea to mention it in any phishing-oriented security awareness courses.

[1] https://www.avanan.com/blog/zerofont-phishing-attack

———–
Jan Kopriva
@jk0pr
Nettles Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Scanning for Laravel – a PHP Framework for Web Artisants, (Sat, Sep 23rd)

Leave a comment
This post was originally published on this site

Today while reviewing my honeypot logs, I noticed an HTTP request for a directory this week I had not noticed before that included Laravel:

  • /laravel
  • /laravel/.env
  • /laravel/.env.example
  • /vendor/laravel/.env
  • /vendor/.env
  • /project/env.example
  • /staging2.env.example
  • /public/.env

This is only a short list of directories these IPs were probing for. After a search across all the logs I have for the past year, the honeypot captured a few times this activity looking for this application. Checking ISC Web Application logs, scanning for Laravel peaked between February and mid April 2023. The last know exploit for this application was for CVE-2021-3129 for a Remote Code Execution (RCE).

Active scanning likely looking for any misconfigured applications.This is a list of the IPs captured in the past 3 months:

[1] https://laravel.com
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129
[3] https://isc.sans.edu/ipinfo.html?ip=4.17.224.133
[4] https://isc.sans.edu/ipinfo.html?ip=51.222.44.56

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.