The flaw (tracked as CVE-2021-29256) is a use-after-free weakness that can let attackers escalate to root privileges or gain access to sensitive information on targeted Android devices by allowing improper operations on GPU memory.

"A non-privileged User can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information," Arm's advisory reads.

"This issue is fixed in Bifrost and Valhall GPU Kernel Driver r30p0 and fixed in Midgard Kernel Driver r31p0 release. Users are recommended to upgrade if they are impacted by this issue."

With this month's security updates for the Android operating system, Google patched two more security flaws tagged as being exploited in attacks.

CVE-2023-26083 is a medium-severity memory leak flaw in the Arm Mali GPU driver leveraged in December 2022 as part of an exploit chain that delivered spyware to Samsung devices.

A third vulnerability, tracked as CVE-2023-2136 and rated as critical severity, is an integer overflow bug found in Google's Skia, an open-source multi-platform 2D graphics library. Notably, Skia is used with the Google Chrome web browser, where it was addressed in April as a zero-day bug.

Federal agencies ordered to secure Android devices within 3 weeks

U.S. Federal Civilian Executive Branch Agencies (FCEB) have been given until July 28th to secure their devices against attacks targeting the CVE-2021-29256 vulnerability added to CISA's list of Known Exploited Vulnerabilities today.

According to the binding operational directive (BOD 22-01) issued in November 2021, federal agencies are bound to thoroughly assess and address any security flaws outlined in CISA's KEV catalog.

Although the catalog primarily focuses on U.S. federal agencies, it's also strongly recommended that private companies prioritize and patch all vulnerabilities listed in CISA's catalog.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned today.

Earlier this week, the cybersecurity agency warned that attackers behind the TrueBot malware operation exploit a critical remote code execution (RCE) vulnerability in the Netwrix Auditor software for initial access to targets' networks.

One week earlier, CISA also warned of distributed denial-of-service (DDoS) attacks targeting U.S. organizations across multiple industry sectors.

Source

While thirty-seven RCE bugs were fixed, Microsoft only rated nine as 'Critical.' However, one of the RCE flaws remains unpatched and is actively exploited in attacks seen by numerous cybersecurity firms.

The number of bugs in each vulnerability category is listed below:

• 33 Elevation of Privilege Vulnerabilities
• 13 Security Feature Bypass Vulnerabilities
• 37 Remote Code Execution Vulnerabilities
• 19 Information Disclosure Vulnerabilities
• 22 Denial of Service Vulnerabilities
• 7 Spoofing Vulnerabilities

Microsoft has not fixed any Microsoft Edge vulnerabilities in July at this time.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5028185 cumulative update and Windows 10 KB5028168 and KB5028166 updates released.

Six actively exploited vulnerabilities

This month's Patch Tuesday fixes six zero-day vulnerabilities, with all of them exploited in attacks and one of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The six actively exploited zero-day vulnerabilities in today's updates are:

Recent updates from other companies

Other vendors who released updates or advisories in July 2023 include:

• AMD releases Adrenalin 23.7.1 WHQL driver for Windows
• Apple released Rapid Security Response (RSR) updates to fix an actively exploited WebKit vulnerability. However, Apple soon pulled the update after it broke sites using user agent matching, which changed in the update.
• Cisco released security updates for Cisco DUO, Webex, Secure Email Gateway, Cisco Nexus 9000 Series Fabric Switches, and more.
• Google released the Android July 2023 updates to fix actively exploited vulnerabilities.
• A Linux vulnerability known as 'StackRot' allows privilege escalation.
• Microsoft released the July Windows Subsystem for Android updates.
• MOVEit released security updates that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities.
• SAP has released its July 2023 Patch Day updates.
• VMware released VMware SD-WAN updates to fix an authentication bypass vulnerability.

The July 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the July 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Source

Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in high-complexity attacks without requiring user interaction.

Successful exploitation could lead to a total loss of confidentiality, availability, and integrity, allowing the attackers to access sensitive information, turn off system protection, and deny access to the compromised system.

"Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," Redmond said today.

"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."

While the flaw is not yet addressed, Microsoft says it will provide customers with patches via the monthly release process or an out-of-band security update.

Mitigation measures available

Until CVE-2023-36884 patches are available, Microsoft says customers using Defender for Office and those who have enabled the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected against phishing attacks attempting to exploit the bug.

Those not using these protections can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1:

• Excel.exe
• Graph.exe
• MSAccess.exe
• MSPub.exe
• PowerPoint.exe
• Visio.exe
• WinProj.exe
• WinWord.exe
• Wordpad.exe

However, it's important to note that setting this registry key to block exploitation attempts, may also impact some Microsoft Office functionality linked to the applications listed above.

Exploited in attacks targeting NATO Summit attendees

In a separate blog post, the company says the CVE-2023-36884 bug was exploited in recent attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.

As documented in reports published by Ukraine's Computer Emergency Response Team (CERT-UA) and researchers with BlackBerry's intelligence team, the attackers used malicious documents impersonating the Ukrainian World Congress organization to install malware payloads, including the MagicSpell loader and the RomCom backdoor.

"If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability," BlackBerry security researchers said.

"This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution."

"The actor's latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom," Microsoft also said on Tuesday.

RomCom's links to ransomware

RomCom is a Russian-based cybercriminal group (also tracked as Storm-0978) known for engaging in ransomware and extortion attacks alongside campaigns focused on stealing credentials, likely aimed at supporting intelligence operations, according to Redmond.

The gang was previously linked to the Industrial Spy ransomware operation, which has now switched to ransomware called Underground [VirusTotal].

Underground ransom note (BleepingComputer)

 

In May 2022, while investigating the TOX ID and email address in an Industrial Spy ransom note, MalwareHunterTeam uncovered a peculiar association with the Cuba ransomware operation.

He observed that an Industrial Spy ransomware sample generated a ransom note featuring an identical TOX ID and email address as used by Cuba, as well as links to Cuba's data leak site.

However, instead of directing users to the Industrial Spy data leak site, the provided link led to Cuba Ransomware's Tor site. Additionally, the ransom note used the same file name, !! READ ME !!.txt, just as previously identified Cuba ransom notes.

Source

Security researchers at Sophos, Trend Micro and Cisco informed Microsoft about malware in signed drivers in February 2023. The researchers discovered that drivers "certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity".

The researchers identified 133 different drivers, the majority certified, by multiple developer accounts and reported their findings to Microsoft. Some of the signed drivers date back to April 2021 according to Sophos.

Microsoft is blocking the malicious drivers and has closed the responsible developer accounts. The drivers have been put on the Windows Driver.STL revocation list; this list prevents them from being loaded on Windows devices. The revocation list ships with Windows and is updated regularly via Windows Update. Microsoft notes that the list is not part of Windows and that it can't be disabled, removed or manipulated.

Windows administrators should make sure that the latest Windows updates are installed and that third-party security software is up to date as well. Administrators should run offline scans on their devices to detect malicious drivers that were installed before March 2, 2023. Sophos has published hashes of the malicious drivers on GitHub.

Other Microsoft services, including Microsoft 365, Azure or Xbox are not affected by the issue according to Microsoft's advisory.

Microsoft introduced a policy in Windows 10 version 1607 that required a valid digital signature for kernel drivers. Windows systems with Secure Boot enabled load only these drivers and refuse to load any drivers not digitally signed.

Sophos notes that several of the digital certificates appear to have their origin in China, which it bases on the company names associated with the certificates.

Sophos researchers discovered two main types of drivers. Some fell into the "Endpoint protection killer" category, which were similar to maliciously signed drivers discovered in 2022. Others had rootkit-like capabilities and were designed to run silently in the background.

These drivers could only be installed by accounts with elevated rights. The rootkit drivers had network monitoring capabilities using the Windows Filtering Platform. It allowed the malicious actor to monitor incoming and outgoing Internet traffic.

At least some of the rootkits belong to known Windows rootkit families according to Sophos' analysis and many included command-and-control server functionality, which gave the malicious actor even more control over infected devices.

All malicious drivers that Sophos reported to Microsoft have been invalidated and revoked by Microsoft as of July 11, 2023. Microsoft Defender 1.391.3822.0 and newer versions of the built-in security tool detect the malicious drivers as well.

Source

Yesterday, Apple published a new Rapid Security Response update for iOS 16, iPadOS 16, and macOS Ventura to patch yet another actively exploited WebKit code execution bug. But shortly after installation, users began having issues accessing certain websites, and Apple has apparently pulled the update to fix the problem.

 

According to MacRumors, affected sites include Facebook, Instagram, WhatsApp, and Zoom, which began showing warning messages about not being supported following the update.

 

Luckily for anyone who has installed it, Rapid Security Response updates can be removed just as quickly as they were installed; on iOS, navigate to the About page in the Settings app, tap on your iOS version, and then tap “Remove Security Response.”

 

The benefit of Rapid Security Response updates is that they’re small in size and quick to install. The updates Apple has released so far have required a restart on my devices, but total downtime was much less than it was for a typical software update. This is because Apple has stored many Safari and WebKit components outside of the main Signed System Volume (SSV), a tamper-proof read-only volume for most system files that must be mounted separately, patched, and re-sealed every time most system updates are installed.

 

The downside of Rapid Security Response updates is that they may not be tested as thoroughly as some system updates; Apple is currently on its fifth developer betas of iOS 16.6 and macOS 13.5, and both updates have been in testing since mid-May. Though you’ll typically want to install them quickly because the bugs they’re patching tend to be severe, you may occasionally run into problems.

 

WebKit vulnerabilities in iOS tend to be especially severe since any app that wants to render web content needs to use a webview powered by the built-in WebKit engine used by Safari. This includes third-party browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, which can’t use their own native rendering engines on iOS or iPadOS the way they can on macOS, Windows, or other platforms. Apple has long maintained that this restriction improves security on the platform.

 

Apple announced the Rapid Security Response feature as part of iOS 16 and macOS Ventura last June but didn't actually start using the feature publicly until a couple of months ago. When contacted for comment, an Apple spokesperson pointed us to this support document, which says that new iOS/iPadOS 16.5.1 (b) and macOS 13.4.1 (b) Rapid Security Response updates will be available to resolve the issues soon.

 

Source

I've been espousing this hot take on Linux for a very long time. It seems, however, that the phrase "there's no time like the present" is more apropos today than it has ever been.

Threats to security and privacy seem to never abate. They are constant and they grow more widespread and effective with every passing attack. Bad actors are savvy and know the best ways to hit you. One of the reasons for this threat is because, most likely, you use Windows as your primary desktop and laptop operating system.

Before you start to get upset, this isn't another one of those articles that trashes Windows as a launching point. I'm not going to tell you how awful Microsoft Windows is. I'm not even going to mention how easy it is for ne'er-do-wells to use your operating system against you for the purpose of either stealing or ransoming your data.

Instead, my goal is to explain the problems with Windows in a way that makes sense to anyone, regardless of how much knowledge they have of computers, IT, and technology as a whole.

Imagine that you play on a sports team. It doesn't matter what team or what sport. For a very long time, your team has been absolutely dominant.

Eventually, however, other teams start beating you. Next thing you know, every team has your number. How did this happen?

Because your team was so dominant for so long, other teams got wise and started intensely studying the film of your wins to finally understand every play in your playbook. And because there was no need for you to fix something that wasn't broken, you continued playing those plays until, one fateful night, some bad actor (from another team) got their hands on your playbook to confirm what everyone else was starting to learn…your team had weaknesses that could be exploited.

Essentially, your team was hacked. Now, you're always on the defensive, having to scramble to come up with other plays to get back in the game.

And that's kind of what's happened to Windows over the years -- hackers know it so well because everyone has used it for so long. The proprietary operating system became so dominant that it developed a massive target on its back that is still "in play."

Linux, on the other hand, has not had a target on its back for decades and that different position has helped to lend it a level of security Microsoft cannot compete with.

What's more, I can think of at least four other primary reasons why Linux has been more secure than Windows, which are:

• User permissions: Linux has a much more structured and sane permissions system

• Software installation: With Windows, you can find .exe and .msi files all over the net, many of them carrying a malicious payload. With Linux, you generally are installing from your distributions package manager, which is more secure

• Open source: By design, the Linux code has been -- and can be -- vetted by thousands of software engineers

• Frequency of updates: Linux updates not only happen regularly, but when a vulnerability is discovered, it's fixed immediately

I've been using Linux for alost three decades and I've had only one instance where a machine was hacked -- and that was a small business server that was also being used as a desktop (it was the only option for that business at the time).

That incident was also almost 20 years ago and I was doing some things with Linux that weren't exactly in the best interest of security, such as using the same machine as a mail server and an HTTP server while not using the firewall properly. That issue was totally on me, and I did finally fix the problem before any data was stolen.

Had I been using Windows for that same purpose, the chances are pretty good that the second I discover the problem, it would have been too late.

As far as the desktop is concerned, I've not once had a security issue: no viruses, malware, ransomware, trojans…nothing. For the most part, my life with Linux on the desktop has been trouble- and worry-free since 1997.

The big question for me is why are so many people continuing to use the Windows operating system when a much more secure, user-friendly, and future-proof operating system exists? Even better, that alternative OS can be had for free, can be installed on older hardware, performs like a champ, and has thousands upon thousands of free applications available to install.

If the thought of using a much more secure, reliable desktop sounds like the smart move to you, I would suggest you start by reading through this post about the various Ubuntu flavors to see if one appeals. Otherwise, your search for user-friendly Linux distributions should start with one of the following:

•     Ubuntu

•     Linux Mint

•     Zorin OS

•     elementary OS

Any one of the above distributions will not only keep you more secure, but will keep you productive and entertained for years to come (without having to upgrade your hardware). Enjoy!

Source

The vulnerability, identified as CVE-2023-37450, was reported by an anonymous security researcher. According to Apple's advisories for iOS and macOS, the company knows the issue is being actively exploited.

The recently discovered vulnerability resides in WebKit, which is used by Apple, Mozilla and Google in iOS, and can be exploited by tricking users into visiting web pages containing specially crafted content. This exploit could allow attackers to execute arbitrary code on targeted devices, potentially compromising users' privacy and security.

They deliver important security improvements between software updates... They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist "in the wild."

Apple highlighted that New Rapid Security Responses are delivered only for the latest iOS, iPadOS, and macOS versions, starting with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1. To secure data and protect against attacks, it strongly recommends that users apply the RSR patches.

RSR patches have been introduced as compact updates that address security issues between major software updates on its OSes. They provide critical security fixes to help users address emerging threats on time.

In some instances, Apple may give out-of-band security updates to address vulnerabilities actively exploited by hackers.

iPhone or iPad: Go to Settings > General > Software Update > Automatic Updates, then make sure that "Security Responses & System Files" is turned on.

Mac: Choose the Apple menu > System Settings. Click General in the sidebar, then click Software Update on the right. Click the Show Details button next to Automatic Updates, then make sure that "Install Security Responses and System Files" is turned on.

You can check more details about a specific Rapid Security Response in the Apple security patch notes.

Source

Razer is a popular American-Singaporean tech firm focusing on gaming hardware, selling high-quality peripherals, powerful laptops, and apparel.

The company also sells services that give registered account holders access to extensive game collections, special in-game item offers, exclusive rewards, and more through its Razer Gold payment system.

Information about a potential data breach at the company emerged on Saturday, when someone posted on a hacker forum that they had stolen the source code, database, encryption keys, and backend access logins for Razer.com, the company's main website.

The user offered to sell that data for $100,000 worth of Monero (XMR) cryptocurrency and urged interested individuals to contact him directly to close the deal.

The publisher of the post has not set any limitations or exclusivity, meaning anyone willing to pay the requested amount would get the entire data set.

The screenshots posted as proof of the breach show file lists and trees, email addresses, source code allegedly for anti-cheat and reward systems, API details, Razer Gold balances, and more.

Cybersecurity analysts at FalconFeedsio spotted the announcement on the hacker forum and shared with the public. Replying to the tweet, Razer said that it was looking into the potential incident by starting an investigation.

BleepingComputer has contacted Razer to ask about the validity of the data samples the posted on the hacker forum but we have not received a response at publishing time.

However, we have been able to confirm that the leaked accounts are valid and belong to legitimate users on the website.

Also, BleepingComputer has found that Razer has reset all member accounts, invalidating their active sessions and requesting them to reset their passwords.

Researcher Bob Diachenko discovered in 2020 an unprotected Razer database containing full names, email addresses, phone numbers, customer IDs, order details, and billing and shipping addresses of 100,000 customers.

The database was exposed between August 18, 2020 and September 9, 2020, but it is unclear if anyone apart from the researcher ever accessed or copied Razer’s data.

From the data samples leaked this time it appears that the information is more recent, dating to at least December 2022, so the two incidents are most likely unrelated..

Source

Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.

Today, Trend Micro published a technical report on Big Head that claiming that both variants and a third they sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.

Faking a Windows update

‘Big Head’ ransomware is a .NET binary that installs three AES-encrypted files on the target system: one is used to propagate the malware, another is for Telegram bot communication, and the third encrypts files and can also show the user a fake Windows update.

On execution, the ransomware also performs actions such as creating a registry autorun key, overwriting existing files if needed, setting system file attributes, and disabling the Task Manager.

Each victim is assigned a unique ID that’s either retrieved from the %appdata%\ID directory or it is generated using a random 40-character string.

The ransomware deletes shadow copies to prevent easy system restoration before encrypting the targeted files and appending a “.poop” extension to their filenames.

Also, Big Head will terminate the following processes to prevent tampering with the encryption process and to free up data that the malware should lock.

The Windows, Recycle Bin, Program Files, Temp, Program Data, Microsoft, and App Data directories are skipped from encryption to avoid rendering the system unusable.

Trend Micro has found that the ransomware checks if it runs on a virtual box, looks for the system language, and only proceeds to the encryption if it’s not set on that of a country member of the Commonwealth of Independent States (former Soviet states).

During the encryption, the ransomware displays a screen that purports to be a legitimate Windows update.

After the encryption process completes, the following ransom is dropped on multiple directories, and the victim’s wallpaper is also changed to alert of the infection.

Other variants

Trend Micro also analyzed two more Big Head variants, highlighting some key differences compared to the standard version of the ransomware.

The second variant maintains ransomware capabilities but also incorporates stealer behavior with functions to collect and exfiltrate sensitive data from the victim system.

The data that this version of Big Head can steal include browsing history, list of directories, installed drivers, running processes, product key, and active networks, and it can also capture screenshots.

The third variant, discovered by Trend Micro, features a file infector identified as “Neshta,” which inserts malicious code into executables on the breached system.

Although the exact purpose of this is unclear, Trend Micro’s analysts speculate that it could be to evade detection that relies on signature-based mechanisms.

Notably, this variant uses a different ransom note and wallpaper from the other two, yet it is still tied to the same threat actor.

Conclusion

Trend Micro comments that Big Head is not a sophisticated ransomware strain, its encryption methods are pretty standard, and its evasion techniques are easy to detect.

Nevertheless, it appears to focus on consumers who can be fooled with easy tricks (e.g. fake Windows update) or they have difficulty understanding the safeguards necessary to steer away from cybersecurity risks.

The multiple variants in circulation suggest that the creators of Big Head are continuously developing and refining the malware, experimenting with various approaches to see what works best.

Source

Source

Source

Source

In a decision published yesterday, the agency explains that by using Google Analytics to generate web statistics the firms were breaching European Union's General Data Protection Regulation (GDPR).

Specifically, the companies were in violation of the GDPR Article 46(1), which forbids the transfer of personal data to countries or international organizations that lack safeguards that warrant safety and legal remediation mechanisms.

The United States has been deemed as a risky location for the storage of data of European users, as per the July 2020 "Schrems II" judgment, where the Court of Justice of the European Union (CJEU) ruled that any data transfers to the U.S. in the context of the then-existing mechanism, "Privacy Shield," were illegal.

This violation is the same for which the Irish Data Protection Commission (DPC) fined Meta $1.3 billion for transferring EU-based user data to servers in the U.S.

IMY, following the submission of a relevant complaint by the Austrian digital rights organization None of Your Business (NOYB), carried out audits to determine the type of data the Google Analytics tool sends in the U.S. and concluded that it constitutes personal information.

The audits concerned a version of the Google Analytics tool from August 14, 2020.

"IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred," states.

The four companies that have been reprimanded are:

• Tele2 SA (tele2.se) – Administrative fine of 12,000,000 SEK
• CDON AB (cdon.fi) – Call for GDPR compliance and an administrative fine of 300,000 SEK
• Coop SA (coop.se) – Call for GDPR compliance
• Dagens Industri (di.se) – Call for GDPR compliance

Tele2 SA - a telecommunications and internet service provider in Sweden, has recently decided to stop using Google Analytics on its own initiative.

The other three organizations are ordered to stop using Google Analytics and to implement adequate data protection measures no later than one month after IMY's decision, which was announced on June 30, 2023.

The use of Google Analytics has been deemed non-GDPR-compliant again in the past by the data protection authorities in Austria, France, and Italy.

However, IMY's decision to impose financial penalties on the violators makes this the first of its kind.

These decisions also serve as guidance for the whole industry, and other companies using Google Analytics may decide to adjust their strategy to comply with the rules and regulations in the EU.

Source

A patch is available for the affected stable kernels since July 1st and full details about the issue along with a complete exploit code are expected by the end of the month.

Security researcher Ruihan Li discovered and reported the vulnerability. He explains in a post today that it affects the kernel's memory management subsystem, a component in charge with implementing the virtual memory and demand paging, memory allocation for the kernel's needs and the user space programs, as well as mapping files into the processes' address space.

StackRot impacts all kernel configurations on Linux versions 6.1 through 6.4.

Although Li sent the vulnerability report on June 15th, creating a fix took almost two weeks due to its complexity, and Linus Torvalds led the effort.

"On June 28th, during the merge window for Linux kernel 5.5, the fix was merged into Linus' tree. Linus provided a comprehensive merge message to elucidate the patch series from a technical perspective. These patches were subsequently backported to stable kernels (6.1.37, 6.3.11, and 6.4.1), effectively resolving the "Stack Rot" bug on July 1st," the researcher clarified.

StackRot details

StackRot arises from the Linux kernel's handling of stack expansion within its memory management subsystem, tied to managing virtual memory areas (VMAs).

Specifically, the weak spot is in "maple tree," a new data structure system for VMAs introduced in Linux kernel 6.1 that replaced the "red-black trees" and relied on the read-copy-update (RCU) mechanism.

The vulnerability is a use-after-free (UAF) problem stemming from the way stack expansion was handled, because the maple tree could replace a node without obtaining the memory management (MM) write lock.

As the Linux kernel expands the stack and removes the gap between VMAs, a new node is created in the "maple tree," and the old one is marked for deletion after current reads finish due to the maple tree's RCU safety.

However, during the RCU grace period, a use-after-free issue may occur when a process accesses the old node, thus creating an exploitable context for elevating privileges.

Exploit coming

Ruihan Li notes that exploiting StackRot is a challenging task and that CVE-2023-3269 may be the first example of a theoretically exploitable use-after-free-by-RCU (UAFBR) vulnerability.

However, the researcher announced plans to disclose the complete technical details about StackRot and a proof-of-concept (PoC) exploit by the end of July.

Linux kernel 6.1 has been approved as the long-term support (LTS) version since February. However, not all major Linux distributions have adopted it.

For instance, Ubuntu 22.04.2 LTS (Jammy Jellyfish), whose standard support ends in April 2027, ships with Linux kernel version 5.19. On the other hand, Debian 12 (Bookworm) comes with Linux kernel 6.1.

A complete list of Linux distributions using kernel version 6.1 or higher is available from DistroWatch.

Users should check the kernel version their Linux distro runs on and choose one that is not affected by StackRot or an updated release that contains the fix.

Source

The bug (tracked as CVE-2022-31199) impacts the Netwrix Auditor server and the agents installed on monitored network systems and enables unauthorized attackers to execute malicious code with the SYSTEM user's privileges.

TrueBot is a malware downloader linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022.

After installing TrueBot on breached networks, the attackers install the FlawedGrace Remote Access Trojan (RAT), also linked to the TA505 group, which allows them to escalate privileges and establish persistence on the hacked systems.

Hours after the initial breach, they will also deploy Cobalt Strike beacons that could later be used for various post-exploitation tasks, including data theft and dropping further malware payloads such as ransomware.

"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies said in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.

"As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada."

Based on the nature of Truebot operations observed so far, the primary goal of threat actors behind Truebot is to steal sensitive information from compromised systems for financial gain.

Security teams are advised to hunt for signs of malicious activity pointing to a Truebot infection using the guidelines shared in today's joint advisory.

If they detect any indicators of compromise (IOCs) within their organization's network, they should immediately implement mitigation and incident response measures outlined in the advisory and report the incident to CISA or the FBI.

If your organization uses Netwrix's IT system auditing software, you should apply patches to address the CVE-2022-31199 vulnerability and update Netwrix Auditor to version 10.5.

Using phishing-resistant multifactor authentication (MFA) for all staff and services to block access to access critical systems is also a good way to stop such attacks in their tracks.

Netwrix says its products are being used by over 13,000 organizations worldwide, including high-profile ones like Airbus, Allianz, UK's NHS, and Virgin.

Source

The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.

Despite being reported to Google, the two apps continue to be available in Google Play at the time of publishing.

Malicious apps still in Google Play (BleepingComputer)

 

File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as  "com.file.box.master.gkd."

The two apps were discovered by the behavioral analysis engine from mobile security solutions company Pradeo and their description states that they do not collect any user data from the device on the Data Safety section of their Google Play entry.

Data collection declaration on Google Play (BleepingComputer)

 

However, Pradeo found that the mobile apps exfiltrate the following data from the device:

• Users' contact list from on-device memory, connected email accounts, and social networks.
• Pictures, audio, and video that are managed or recovered from within the applications.
• Real-time user location
• Mobile country code
• Network provider name
• Network code of the SIM provider
• Operating system version number
• Device brand and model

While the apps might have a legitimate reason to collect some of the above to ensure good performance and compatibility, much of the collected data is not necessary for file management or data recovery functions. To make matters worse, this data is collected secretly and without gaining the user's consent.

Pradeo adds that the two apps hide their home screen icons to make it more difficult to find and remove them. They can also abuse the permissions the user approves during installation to restart the device and launch in the background.

It is likely that the publisher used emulators or install farms to bloat popularity and make their products appear more trustworthy, Pradeo speculates.

This theory is supported by the fact that the number of user reviews on the Play store is way too small compared to the reported userbase.

It is always recommended to check user reviews before installing an app, pay attention to the requested permissions during app installation, and only trust software published by reputable developers.

Update 7/6/23 5:51 PM ET: Google shared the following statement with BleepingComputer and said that they removed the apps from Google Play.

"These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play."

Source

The company's investigation was sparked by the discovery of the PDF Toolbox plugin, which allowed users to view any page and have any code placed on it. Additional investigations turned up a total of 34 harmful extensions, each of which was advertised as performing a particular function.

Although the browser add-ons have already been taken down from the Chrome Web Store, Kaspersky is quick to stress that users should check the list of suspicious add-ons and take any harmful ones off their devices because they will still be present. Here is the full list of extensions:

• Autoskip for Youtube
• Soundboost
• Crystal Adblock
• Brisk VPN
• Clipboard Helper
• Maxi Refresher
• Quick Translation
• Easyview Reader view
• PDF Toolbox
• Epsilon Ad blocker
• Craft Cursors
• Alfablocker ad blocker
• Zoom Plus
• Base Image Downloader
• Clickish fun cursors
• Cursor-A custom cursor
• Amazing Dark Mode
• Maximum Color Changer for Youtube
• Awesome Auto Refresh
• Venus Adblock
• Adblock Dragon
• Readl Reader mode
• Volume Frenzy
• Image download center
• Font Customizer
• Easy Undo Closed Tabs
• Screence screen recorder
• OneCleaner
• Repeat button
• Leap Video Downloader
• Tap Image Downloader
• Qspeed Video Speed Controller
• HyperVolume
• Light picture-in-picture

Kaspersky

Palant found an "additional functionality"

"It all began when cybersecurity researcher Vladimir Palant found an extension called PDF Toolbox containing suspicious code in the Chrome Web Store. At first glance, it was a perfectly respectable plugin for converting Office documents and performing other simple operations with PDF files," said Kaspersky in the blog post.

"PDF Toolbox boasted an impressive user base and good reviews, with close to two million downloads and an average score of 4.2. However, inside this extension interesting “additional functionality” was discovered: the plugin accessed a serasearchtop[.]com site, from where it loaded arbitrary code on all pages viewed by the user," it continued.

According to the blog post, Palant found "a couple dozen" extensions on the Chrome Web Store accessing the same server. All these extensions had over 87 million downloads.

Source

The company said that since May with the release of Edge 113, it has also been showing the first notification request from unfamiliar sites quietly with a subtle message in the address bar. Since making the change, the company has seen a significant decrease in the number of customers reporting notification issues.

On websites that Microsoft has not explicitly banned notifications on, users will still be allowed to see notifications if they’ve already accepted them. If you visit a website regularly, you’ll also be able to accept notifications from the website too.

If it’s your first time on the website and Microsoft Edge silenced the notification prompt, just look in the URL bar for a bell icon with a red cross. If you tap this, you will see an option to allow notifications on the website and another to manage notifications.

For Enterprise admins, Microsoft has added an option to configure a whitelist to ensure that internal applications can request notification access without a problem.

Justifying these steps, Microsoft said that spammy notifications can be “unsettling” and some users do not know how to remove notification access afterwards. In previous research, the company has found that three in five users have found them unsettling and that 12% have felt some kind of negative impact.

Microsoft said that it’s keen to learn more about your experience with spammy notifications in Edge. If you want to give your feedback, Microsoft requests you do that by going to Menu > Help and feedback > Send feedback.

Let us know in the comments if you’ve noticed a reduction in unwanted notifications since May.

Source

“There are indications that the following [vulnerabilities] may be under limited, targeted exploitation,” reads Google’s bulletin, highlighting CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136.

CVE-2023-26083 is a medium-severity memory leak flaw in the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips, which was leveraged in an exploit chain that delivered spyware to Samsung devices in December 2022.

The vulnerability was deemed sufficiently severe to trigger a CISA order for federal agencies to patch it in April 2023.

CVE-2021-29256 is a high-severity (CVSS v3.1: 8.8) unprivileged information disclosure and root privilege escalation flaw also impacting specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.

The third vulnerability is a critical-severity one with a score of 9.6 out of 10, identified as CVE-2023-2136. It is an integer overflow bug in Skia, Google’s open-source multi-platform 2D graphics library that is also used in Chrome, where it was fixed in April.

The most severe of the security problems that Google fixed this month is CVE-2023-21250, a critical vulnerability in Android’s System component that impacts Android versions 11, 12, and 13.

Exploiting CVE-2023-21250 could lead to remote code execution with no user interaction or additional execution privileges, Google says without providing extra details.

The update follows the standard system of releasing two patch levels, one (2023-07-01) for core Android components (framework) and a second (2023-07-05) for kernel and closed source components, allowing device manufacturers to selectively apply what concerns their models’ hardware.

Those getting the first patch level receive the current month’s framework updates and both levels of the previous month, in this case, June 2023.

Users who see the second patch level on their update screen get all the above, plus the July 2023 vendor and kernel patches.

This month’s Android security update covers Android versions 11, 12, and 13, but depending on the scope of the addressed vulnerabilities, they may impact older OS versions that are no longer supported.

In those cases, replacing your device with a newer model or installing a third-party Android distribution that implements security updates for older devices, albeit at a delay, would be advisable.

Source

These systems are used for remote performance monitoring, troubleshooting, system optimization, and other functions to allow remote management of renewable energy production units.

Sensitive info exposed

Cyble’s threat analysts scanned the web for internet-exposed PV utilities and found 134,634 products from various vendors, which include Solar-Log, Danfoss Solar Web Server, SolarView Contec, SMA Sunny Webbox, SMA Cluster Controller, SMA Power Reducer Box, Kaco New Energy & Web, Fronis Datamanager, Saj Solar Inverter, and ABB Solar Inverter Web GUI.

It is important to note that the exposed assets are not necessarily vulnerable or misconfigured in a way that allows attackers to interact with them.

However, Cyble’s research shows that unauthenticated visitors can glean information, including settings, that could be used to mount an attack.

The report also highlights that vulnerabilities have been found and reported for the products above and there is proof of concept (PoC) exploit code available for several of them, which increases the likelihood of attacks against the systems running an older firmware version.

Even when PV control systems are adequately secured, Cyble points out the risk of information-stealing malware that can collect logins for these tools.

Active exploitation

Exploiting vulnerabilities in the PV systems that Cyble found exposed online has happened recently, with hackers scanning the web for vulnerable devices to add them to botnets.

For example, CVE-2022-29303, an unauthenticated remote command injection vulnerability impacting Contec’s SolarView system was used by a relatively new Mirai variant looking for fresh systems to grow its distributed denial-of-service (DDoS) power.

Cyble’s scans found 7,309 internet-exposed SolarView devices globally, while another report from VulnCheck today discovered 425 instances of Contec’s SolarView that use a vulnerable firmware version.

VulnCheck’s report also highlights another recently-discovered unauthenticated remote code execution bug impacting the same product, tracked as CVE-2023-23333, for which multiple exploits exist in the public space.

Systems of this type often face a degree of neglect in terms of maintenance and upgrades, which gives attackers good chances of success when they leverage fairly recent vulnerabilities.

If PV system admins need to expose the interfaces for remote management, they should at least use strong, unique credentials, activate use multi-factor authentication where available, and keep their systems updated. Segregating the equipment to its own network also counts as a good defense.

Source

Almost all malicious traffic that happens on the wider internet is coming from botnets, a new research report published by cybersecurity researchers from Trustwave has claimed.

In their report, Trustwave’s experts wrote that after analyzing “vast amounts” of data from more than 38,000 unique IP addresses, and after obtaining 1,100 unique payloads served in attacks, they found that almost 19% of all recorded web traffic was malicious.

Botnets were responsible for more than 95% of all the malicious traffic that was recorded in the time period. The analysis was done over a six-month period that ended in May this year.

While there are probably dozens, if not hundreds, of different botnets, only a handful stood out as the most active ones. Mirai, Mozi, and Kinsing botnets made up almost all (95%) of the recorded exploit attempts that were run over either HTTP, or HTTPS protocols. These malware families, the researchers further explained, are the most widespread and their main objective is to exploit vulnerabilities in Internet of Things (IoT) devices in order to compromise them and assimilate them into the botnet.

The botnets utilize web shells as they try to exploit vulnerabilities in specific enterprise applications, the researchers concluded. These flaws would give them access to target endpoints, which grants them the ability to conduct further malicious actions. To stay safe, businesses must prioritize “robust security measures”, the researchers argue, which includes regularly applying patches, implementing strong access controls, assessing network security frequently, and keeping an eye on network traffic for anything suspicious.

Analysis: Why does it matter?

Businesses, regardless of their size, location, or industry, have always been an attractive target for cybercriminals. Botnets are one of the most potent weapons in their arsenal, and understanding the threat, how the attackers operate and what their goals are, can help businesses prepare their defenses better and repel future, potentially harmful, attacks.

Botnets, on the other hand, are the staple of every serious threat actor’s operation. They can be used for a wide variety of malicious activity, from Distributed Denial of Service (DDoS) attacks, to cryptocurrency mining, to credentials theft and sensitive data exfiltration. By having access to thousands of internet-connected devices, from computers, laptops, and servers, to smart home appliances, smart meters, and various office equipment, threat actors can send enormous amounts of traffic towards a single entity, clogging the traffic and essentially rendering the service inaccessible.

They can also install cryptominers, also known as cryptojackers, to compromised devices. These malware, of which XMRig is by far the most popular one, “mine” cryptocurrencies by using the device’s computing power, electrical power, and internet bandwidth, and send them to the attackers’ addresses, effectively making profit. The victims are left with unusable computers and an inflated energy bill.

One of the most popular botnets out there is Mirai. First discovered by cybersecurity researchers from FortiGuard back in 2016. Mirai has since grown into a true botnet powerhouse. In its 2022 analysis, HowToGeek said Mirai counted more than 500,000 devices in its botnet. This malware usually targets Linux-powered devices, which mostly means IoT endpoints.

A year after its discovery, in 2017, law enforcement agencies arrested two individuals, who later pleaded guilty for developing and using Mirai. These two were Paras Jha from Fanwood, N.J., who was 21 at the time, and Josiah White, from Washington, Pennsylvania, who was 20 at the time. Despite the arrests, and due to the fact that Mirai’s code survived, other threat actors soon adopted it, which is why Mirai is a formidable threat, even today.

What have others said about bot traffic?

In SC Media’s recent report, it was said that the proportion of human traffic has increased to its lowest level in eight years - a “worrying trend with no signs of stopping.” However, the same report also states that not all bot traffic is bad, as many bots are actually malicious and allow for the internet to function in the way most people are used to, these days.

Still, over the course of the last 12 months, malicious bots became significantly more sophisticated, especially with the introduction of novel tools such as generative AI. “The more sophisticated these bots become, the more difficult they are to stop,” the report states, adding that businesses must act quickly and defend their premises properly. “As bot activity closes in on 50% of all internet traffic, security teams must make mitigating the potential impact of those bots a high priority. Those who fail to act are putting themselves, their customers, and their reputations at risk.”

German outlet B2B Cyber Security says this country has it particularly bad, as last year almost two-thirds of all internet traffic in the country - 68.6% - came from bots, up significantly from the year before (39.6%). Citing analysis from cybersecurity researchers Imperva, the publication says the bot traffic percentage was offset by the proportion of traffic generated by human users at 25.2%, down by a lot compared to 2021 (57.4%).

Source

French police should be allowed to spy on citizens remotely through their phones and other devices if suspected of breaking the law. This is the outcome coming from the July 5 Parliament session that occurred on July 5, which saw the great majority of lawmakers voting in favor of giving authorities new sweeping powers to spy on citizens. Not even the use of security tools like VPN services or encrypted messaging apps would be able to prevent this type of state surveillance once the act becomes law.

As privacy advocates and politicians from both sides of the political spectrum raise concerns over the decision, Justice Minister Éric Dupond-Moretti keeps rejecting allegations that the provision will turn the country into the next Orwellian dystopian nightmare.

France's justice reform bill

"The provisions raise serious concerns over infringements of fundamental liberties," digital rights group La Quadrature du Net already warned in an official statement in May—Le Monde reported.

Now, it looks as if this worrying scenario would soon be a reality with 80 votes in favor and 24 against granting new sweeping powers to law enforcement officers across the country.

Once the measure is enforced, authorities would be able to collect geolocation details of anyone suspected of a crime punishable by at least five years' jail. Laptops, cars, phones, computers, and every connected object device: officers will be allowed to spy on potential criminals by activating their camera, mic, and GPS.

MPs from President Macron's ranks pushed for an amendment limiting the reach of these remote spying activities only when "justified by the nature and seriousness of the crime" and "for a strictly proportional duration" that won't be able to exceed six months. Also, those carrying on sensitive professions like doctors, journalists, lawyers, judges, and MPs would be exempt.  

Despite the backlash, Dupond-Moretti appears firm in his view that "people's lives will be saved by the law."

The provision is part of a wider 60-point reform to overhaul France's justice system currently making its way through Parliament.

The plan is to bring up to speed the out-to-date French justice system with those of its EU neighbors. Dupond-Moretti seeks to invest more money, too, for modernization, bigger prisons, and further workforce, hoping to get the budget up to €11 billion by 2027.

Looking at the images coming from last week's clashes between officers and protesters following the killing of Nahel Merzouk, the need for police reform in France is evident.

Yet, new invasive powers to spy on citizens might ultimately have just the ability to divide the nation even further. 

Source

Also:  France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens' Phones.

The company stated:

After installing "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)", you might receive a security notification or warning stating that "Local Security protection is off. Your device may be vulnerable." and once protections are enabled, your Windows device might persistently prompt that a restart is required. Important: This issue affects only "Update for Microsoft Defender Antivirus antimalware platform - KB5007651 (Version 1.0.2302.21002)". All other Windows updates released on March 14, 2023 for affected platforms (KB5023706 and KB5023698), do not cause this issue.

Microsoft provided a workaround for the issue at that time as it was still investigating the bug. After a month passed since then, the company announced that it was able to resolve the issue and the solution was to update to Defender version 1.0.2303.27001.

However, this victory of Microsoft was short-lived as the issue returned, as it never left for some, including one of Neowin forum members kiddingguy. Today, the Windows health dashboard issues section was updated by the tech giant as it claims that the LSA off issue has been finally resolved.

Microsoft says that the Defender version 1.0.2306.10002. Essentially, all you need to do is update to the latest version of Windows Security app via the Windows Update, and the issue should go away. Microsoft writes:

Resolution: This issue was resolved in an update for Windows Security platform antimalware platform KB5007651 (Version 1.0.2306.10002). If you would like to install the update before it is installed automatically, you will need to check for updates.

You can discuss the issue on this thread on our forum. Also, let us know in the comments below if you are still affected by the LSA bug even after applying the update.

Source

AdDuplex allowed Windows and Windows Phone app developers to promote their projects for free using cross-promotion ads. In other words, display ten AdDuplex-powered ads inside your app and get eight impressions of yours for free. The platform was one of the largest independent ad networks on Windows available in more than 200 countries, with more than 5 million ads served daily.

In addition to helping developers promote their apps and games, AdDuplex was a source of monthly stats about Windows and Windows Phone. The platform offered insights into the most popular Windows Phone devices, OS version breakdowns, country-specific data, and more (you can check out the last report from June 2022 here).

According to the blog post, AdDuplex will stop serving cross-promotion and commercial ads on July 17, 2023. After that date, apps using the AdDuplex SDK will continue receiving the "no ad" response so that they can react accordingly and switch to other ad providers (if implemented). AdDuplex also plans to turn off its client area on August 1, 2023, and the company urges developers to download their stats before the end of this month.

At the end of the post, Alan Mendelevich thanked everyone for their support and participation:

I want to express my gratitude to everyone who joined AdDuplex as a cross-promotion or advertising partner, everyone who supported us with media coverage or just good vibes, everyone who collaborated with us at Microsoft, Nokia and other companies in the Windows ecosystem. I hope we made a positive impact on your businesses, careers, and hobbies.

Thank you and I hope we cross paths in the future!

Developers can learn more about the incoming AdDuplex shutdown on the official blog.

Source

The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams' file-sending restraints to deliver malware from an external account.

The feat is possible because the application has client-side protections that can be tricked into treating an external user as an internal one just by changing the ID in the POST request of a message.

Streamlining attacks on Teams

'TeamsPhisher' is a Python-based tool that provides a fully automated attack. It integrates the attack idea of Jumpsec's researchers, techniques developed by Andrea Santese, and authentication and helper functions from Bastian Kanbach's 'TeamsEnum' tool.

"Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets," reads the description from Alex Reid, the developer of the red team utility.

TeamsPhisher first verifies the existence of the target user and their ability to receive external messages, which is a prerequisite for the attack to work.

It then creates a new thread with the target, sends them a message with a Sharepoint attachment link. The thread appears in the sender's Teams interface for (potential) manual interaction.

TeamsPhisher requires users to have a Microsoft Business account (MFA is supported) with a valid Teams and Sharepoint license, which is common for many major companies.

The tool also offers a "preview mode" to help users verify the set target lists and to check the appearance of messages from the recipient's perspective.

Other features and optional arguments in TeamsPhisher could refine the attack. These include sending secure file links that can only be viewed by the intended recipient, specifying a delay between message transmissions to bypass rate limiting, and writing outputs to a log file.

Unsolved problem

The issue that TeamsPhisher exploits is still present and Microsoft told Jumpsec researchers that it did not meet the bar for immediate servicing.

BleepingComputer also reached out to the company last month for a comment about plans to fix the problem but did not receive a response. We reiterated our request for comment from Microsoft but did not receive a reply at publishing time.

Although TeamPhisher was created for authorized red team operations, threat actors can also leverage it to deliver malware to target organizations without setting off alarms.

Until Microsoft decides to take action about this, organizations are strongly advised to disable communications with external tenants if not needed. They can also create an allow-list with trusted domains, which would limit the risk of exploitation.

Source