Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the applications. Depending on the privileges associated with the applications, an attacker could view, change, or delete data. If these applications have been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if they were configured with administrative rights.
Monthly Archives: May 2022
DSA-5148 chromium – security update
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
DSA-5147 dpkg – security update
Max Justicz reported a directory traversal vulnerability in
Dpkg::Source::Archive in dpkg, the Debian package management system.
This affects extracting untrusted source packages in the v2 and v3
source package formats that include a debian.tar.
Why You Need to Get a Family Technology Agreement Happening
There were multiple times during my digital parenting journey when I would have loved to put my head in the sand. Pretend that life was easy and that my kids weren’t going to grow up and want devices and to join social media. But I didn’t. I couldn’t. With four kids who had technology running through their veins, I had no choice but to embrace it.
It’s All About Phones
While many kids will first experience the internet from a family laptop or via their parent’s phone at a coffee shop (we’ve all done it), it’s when they get these devices into their hot little hands unsupervised a few years down the track that the real show starts. And that’s usually when they get access to a phone. Research from our eSafety Office shows that just under half of Aussie kids between 6 and 13 use a smartphone with about 1/3 owning their own device.
And while we can all wax lyrical about the good old days when we used payphones and how great it would be if our kids didn’t have smartphones, we need to keep it real. Technology is not going anywhere so the best thing we can to accept it’s here, educates our kids about how to use it safely and introduce boundaries and rules to ensure they are as safe as possible.
So, without further ado, let me introduce you to the concept of a family technology contract – a great way to manage your kids and their tech use.
What Is a Family Technology Contract?
I like to think of a tech agreement as a clear outline of your expectations of your kids’ digital behavior – any behavior that occurs while using a device should be included in the agreement and yes, include TV here too! Now, before we progress, I have to share one key tip – don’t even think of putting together an agreement like this when tensions are high, or a heated argument is still in place – it will never work. Only talk about this or start working on it when you are in a calm and serene headspace.
The most important thing is to have an agreement that is suitable for your kids’ ages and maturity and one that works for your family’s schedule. There’s no point making your 5-year-old sign an agreement that limits their time on Instagram when they’re probably quite happy visiting only the online sites that you have ‘bookmarked’ for them. And if your kids have a super busy schedule then you might want to include a rule that means there is no ‘leisure screen time’ (eg TV/movie viewing) till all homework is complete.
How Old Do My Kids Need To Be?
While it’s entirely based on your kids’ interests and tech usage, I think 3 is a good age to start with a basic agreement. That’s when they start understanding rules. And how old is too old for a tech contract, I hear you ask? Well, I acknowledge that introducing new rules and boundaries when your kids are well into their teens may be difficult however if things feel out of control and you are concerned about their mental health and less than ideal digital habits then it may also be exactly what you all need!
What Should An Agreement Include?
Keeping an agreement age-appropriate and relevant is essential. You may also want to keep it simple and focus on a few key things, such as:
Be kind online always
Never share passwords with your friends
Always tell an adult if you see anything that upsets or scares you
But it can include so much more. Here are some items you may choose to include in your own personalized version. Think of this list as a shopping list. Simply, pick & choose what works for the ages of your kids and your family’s structure.
Time Limits/Device Usage
I will ask permission before I use my device (younger children).
I can use the internet/my devices/TV for __ hours a day after school.
I can’t use my devices past __ pm in the evening.
When I am not using my device, I will place it ___________.
I will place my device in the family charging zone overnight. (This could be on the kitchen bench in a study, whatever works for your family)
Responsibility
I understand that any internet-enabled device (eg smartphone and laptop) can give me access to many things that may not be suitable for my age. I will use my devices safely and avoid clicking on any appropriate sites. (You could choose to list sites your kids can’t visit however this maybe, in fact, give them ideas! You choose what works best).
I understand that it is my responsibility to protect my personal information and not share it freely online. This includes my name, family details, school, telephone numbers, and address.
I will keep my password private and not share it with anyone outside my family.
I understand that not everything is as it seems online and that being safe (and savvy) online means thinking critically and questioning whether it is true.
I will not use a credit card online without permission from my parents.
I will close down pop-up or banner ads and not click on them.
Safety
I will not share my location while using my devices.
I will allow my parents to adjust the privacy settings on this device and monitor my activity. I understand that this is for my own safety. If older: I will ensure privacy settings are always on and set to the highest level for every social media platform I use.
If anyone pressures me or makes me feel uncomfortable, I will stop talking to them and tell a family member or trusted adult.
I understand that people are not always who they say they are online.
I will not talk to anyone online who I don’t know in real life.
I will not meet up with anyone I first met online without permission from my parents.
Online Behaviour
Being kind and respectful online is essential.
I will only talk to people I know in real life when I am online (ideally, we’d want all our kids to agree to this but in reality, older teens won’t cop this. So, this is more suitable for younger kids)
I will not be hurtful or mean to others on social media. This includes messaging, commenting, posting, liking, and sharing mean or hateful content.
If I feel like I am being harassed or bullied online, I will tell a trusted adult.
I will ask permission before I share pictures or videos of my friends.
I will not share any content that is too revealing. This includes posting or sending inappropriate photos or messages.
Smartphone Usage
I will ensure my mobile phone stays in its protective case at all times. If it or the screen protector cracks or breaks, I will tell my parents.
I will not use my phone when at school unless ___________________________.
These places are no-phone zones:
Our family does not use our phones during dinner.
I will shut off my phone at __ pm and it will not be turned back on until ___ am. (You could also add here – after breakfast and/or until I am ready for school.
I will get permission from my parents before I download any apps on my smartphone – this includes games.
Gaming
I can play games that are rated: _____. (Ratings on games range from G, PG, M, MA15+ to R here in Australia). Please do your research here and work out what’s suitable for your kids. Check out the Australian Classification Board’s latest ratings for games to help make your decision.
Video games that I am not allowed to play at my home, or anyone else’s home include: (list what games are off-limits)
I will ensure my privacy settings are set to the highest level.
I will not talk to people I don’t know in real life while gaming.
Consequences
I understand that access to my devices is a privilege and breaking this agreement will lead to the following consequences: (list what you feel is appropriate)
Formalizing The Agreement
I would have all parties sign and date the agreement: both parents and kids. You may choose to keep a copy on the fridge? Again, whatever works for your situation.
So, if you are feeling like this digital parenting thing is getting the better of you, please consider introducing an agreement. For decades, parenting experts have written about the virtues of establishing clear boundaries for our kids and in my opinion, a tailored family tech agreement absolutely does that!
Good luck!!
Alex x
The post Why You Need to Get a Family Technology Agreement Happening appeared first on McAfee Blog.
Cobalt Strike Delivered Through Fake Proof-of-Concept Code
FortiGuard Labs is aware of a report that a Cobalt Strike beacon was attempted to be delivered through a couple of fake Proof-of-Concept (POC) codes hosted on GitHub. The files pretend to be POCs for CVE-2022-26809 and CVE-2022-24500. They have already been removed from GitHub.Why is this Significant?This is significant because the attack targeted researchers, pen testers and infosec teams in organizations to deliver Cobalt Strike beacons, which will most likely be used to deliver malware such as ransomware.What is CVE-2022-26809?CVE-2022-26809 is a remote procedure call runtime remote code execution vulnerability that affects wide variety of Windows OS that includes Windows 7, 8, 10, 11, Windows Server 2008, 2012, 2016, 2019 and 2022. Assigned a CVSS score of 9.8, successfully exploiting the vulnerability allows an attacker to execute remote code with high privileges on a vulnerable system, leading to a full compromise. The vulnerability was patched as part of Patch Tuesday April 2022.FortiGuard Labs previously released Threat Signal on CVE-2022-26809. See the Appendix for a link to “Microsoft Released Advisory on a Critical Remote Code Execution Vulnerability in RPC (CVE-2022-26809)”.What is CVE-2022-24500?CVE-2022-24500 is a Windows SMB remote code execution vulnerability that affects Windows 7, 8, 10, 11 and Windows Server 2008, 2012, 2019 and 2022. The vulnerability has a CVSS score of 8.8, and was patched as part of Patch Tuesday April 2022.The Microsoft advisory states that “For vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message”.What is Status of Coverage?FortiGuard Labs detect the fake POCs with the following AV coverage:PossibleThreatAll network IOC’s are blocked by the WebFiltering client.
New ArguePatch Variant Attacks Ukraine
FortiGuard Labs is aware of a report that a new variant of ArguePatch malware was used in an attack against Ukraine. This ArguePatch variant includes a feature to set up a schedules task in order to perform a specific action at a specified time.Why is this Significant?This is significant because the new variant of ArguePatch malware now has a feature to perform a specific action at a specified time without setting up a scheduled task. This provides more stealthiness to the malware which allows it to stay under the radar until it actually starts to carry out a next stage action.What is ArguePatch?ArguePatch is a loader malware that was previously used in campaigns against Ukraine which involve CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of Hex-Rays IDA Pro software.FortiGuard Labs previously released Threat Signals on CaddyWiper and Industroyer2. See the Appendix for links to “Additional Wiper Malware Deployed in Ukraine #CaddyWiper” and “Industroyer2 Discovered Attacking Critical Ukrainian Verticals”.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known variants of ArguePatch:W32/Agent.AECG!trW32/PossibleThreat
USN-5444-1: Linux kernel vulnerability
Kyle Zeng discovered that the Network Queuing and Scheduling subsystem of
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code.
CISA Warns VMware Vulnerabilities Exploited in the Wild Leading to Full System Compromise
FortiGuard Labs is aware that the Cybersecurity and Infrastructure Security Agency (CISA) CISA released an advisory on recently patched VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960) being exploited separately and in combination, allowing threat actors to gain full control of the compromised system. Both vulnerabilities affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation and were patched on April 6th, 2022. The advisory also states that CISA expects threat actors to develop exploits for newly patched VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) quickly.Why is this Significant?This is significant because the advisory that CISA released on CVE-2022-22954 and CVE-2022-22960 was prompted by an actual incident which one large organization was compromised by an unidentified threat actor on or around April 12, 2022. According to the advisory, the threat actor “leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems”. The advisory also warns that exploits for another VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) will be developed soon. As such, the patches for the four vulnerabilities or workarounds should be applied as soon as possible.What is CVE-2022-22954, CVE-2022-22960, CVE-2022-22972 and CVE-2022-22973?CVE-2022-22954 is a vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation, which an attacker with network access can trigger a server-side template injection that may result in remote code execution. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.FortiGuard Labs previously released Threat Signal on CVE-2022-22954. See Appendix for a link to “Newly Patched VMware Vulnerability (CVE-2022-22954) Being Exploited in the Wild”.CVE-2022-22960 is a Local Privilege Escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to ‘root’. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.CVE-2022-22972 is an authentication bypass vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, exploitation happens locally as such an attacker is required to have access to the victim’s machine to elevate privileges. The vulnerability has the CVSSv3 base score of 9.8 and is rated critical.CVE-2022-22973 is a Local Privilege Escalation (LPE) vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. As LPE, attacker is required to have local access can escalate privileges to ‘root’. The vulnerability has the CVSSv3 base score of 7.8 and is rated important.Has the Vendor Released Advisories?Yes, VMware released advisories for all four vulnerabilities. See the Appendix for links to “VMSA-2022-0011.1” and “VMSA-2022-0014”.Has the Vendor Released Patches for the Vulnerabilities?VMware released patches for CVE-2022-22954 and CVE-2022-22960 on April 6th, 2022. Patches for CVE-2022-22972 and CVE-2022-22973 were released on May 18th, 2022. What is the Status of Coverage?FortiGuard Labs has released the following IPS signature for CVE-2022-22954:VMware.Workspace.ONE.Access.Catalog.Remote.Code.ExecutionA network IOC for CVE-2022-22954 called out in the CISA advisory is blocked by the WebFiltering client.CVE-2022-22960, CVE-2022-22972, CVE-2022-22973 were privately disclosed as such there currently is no available Proof-of-Concept code. FortiGuard Labs is monitoring the situation closely and will update this Threat Signal when protection becomes available.Any Suggested Mitigation?VMware has provided mitigations for CVE-2022-22954, CVE-2022-22960, CVE-2022-22972. See the Appendix for links to “KB88098” for CVE-2022-22954 and CVE-2022-22960, and “KB88433” for CVE-2022-22972.
Meet BlackByte Ransomware
FortiGuard Labs is aware of a relatively new ransomware family “BlackByte” is in the wild, infecting organizations around the globe. BlackByte was first observed as early as July 2021. In February 2022, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint advisory that “multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture) were targeted by BlackByte ransomware affiliates. In common with other ransomware, BlackByte encrypts and steals files on the compromised machines, and demands ransom from the victim to recover the files and not to leak the stolen information to the public.Why is this Significant?This is significant as the BlackByte ransomware family reportedly compromised organizations around the globe including multiple US and foreign businesses and US critical infrastructure sectors. Also, ProxyShell, an exploit attack chain involving three vulnerabilities in Microsoft Exchange Server, widely used in enterprise email application, were reported to have been used as an infection vector. Microsoft issued patches for ProxyShell in May and July 2021. BlackByte ransomware infection may indicate that some organizations have not yet applied those fixes or workaround.FortiGuard Labs previously published multiple Threat Signals on ProxyShell. See the Appendix section for links to New Threat Actor Leverages ProxyShell Exploit to Serve RansomwareVulnerable Microsoft Exchange Servers Actively Scanned for ProxyShellBrand New LockFile Ransomware Distributed Through ProxyShell and PetitPotamWhat is BlackByte?BlackByte is a ransomware-as-a-service (RaaS), which runs a business of leasing necessary ransomware services to its affiliates. Such ransomware services including developing ransomware, creating and maintaining necessary infrastructures (i.e., ransom payment portal), ransom negotiation with victims as well as provides support service to the affiliates. Attacks are typically carried out by BlackByte affiliates, who rent and use those services. Once a victim is compromised and ransom is paid, BlackByte developers take a portion of the ransom as a service fee.How does the Attack Work?Typically attacks that deliver ransomware arrive in emails, however the join advisory reported that BlackByte threat actors, in some case, exploited known Microsoft Exchange Server vulnerabilities including ProxyShell to gain access to the victim’s network. Once the attacker gains a foothold in the victim’s network, the attacker deploys tools such as oft-abused Cobalt Strike to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Some BlackByte ransomware variants may have worm functionality, which allows itself to self-propagate through the victim’s network.Files that are encrypted by BlackByte ransomware typically have a “.blackbyte” file extension.BlackByte ransomware reportedly avoids encrypting files if the ransomware detects compromised systems that use Russian and ex-USSR languages.What is ProxyShell?ProxyShell is a name for a Microsoft Exchange Server exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows an attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against currently available Indicator-of-Compromises (IOCs) associated with BlackByte ransomware:RTF/BlackByte.DC56!tr.ransomW64/BlackByte.DC56!tr.ransomW32/Agent.CH!trW32/CobaltStrike.NV!trJS/Agent.49CC!trW32/PossibleThreatFortiGuard Labs provides the following IPS coverage against three vulnerabilities that are leveraged in ProxyShell:MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge or special configuration beforehand.Any Other Suggested Mitigation?Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and updated to protect against attackers establishing a foothold within a network.Also – organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations’ internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.Disconnect vulnerable Exchange servers from the internet until a patch can be applied.
Nerbian RAT Leverages COVID-19 and WHO Themed Emails to Spread
FortiGuard Labs is aware that a new Remote Access Trojan (RAT) called Nerbian RAT was delivered to the targets via COVID-19 and World Health Organization (WHO) themed emails. Nerbian RAT is written in the Go programming language and performs keylogging and screen capture on the compromised machine.Why is this Significant?This is significant because Nerbrian RAT was delivered through emails that leverages COVID-19 and World Health Organization (WHO) themed lures that are still effective today to COVID themed to compel unsuspecting victims to open malicious attachments. The RAT is also capable of stealing sensitive information from the compromised machine through keylogging and screen capture.What is Nerbian RAT?Nerbian RAT is a Remote Access Trojan and is written in the Go programming language. The malware was delivered to the target through COVID-19 and WHO themed emails such as the following:The attached document file contains malicious macros, which downloads a dropper file after macros are enabled. The dropper performs anti-reversing and anti-VM checks before launching Nerbian RAT. The malware has an encrypted configuration file containing information such which Command and Control (C2) servers to connect to and connection intervals, how many times the RAT tries to transfer files and C2 backup domains.The malware performs typical RAT activities such as keylogging and screen capture.How Widespread is the Malware?The malware was reportedly to have been observed in Italy, Spain, and the United Kingdom. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of Nerbian RAT and associated files:VBA/Agent.XSQ!tr.dldrBAT/NerbianRAT.D!trMalicious_Behavior.SBRiskware/ApplicationW32/PossibleThreatPossibleThreat.PALLAS.HAll network IOC’s are blocked by the WebFiltering client.