FEDORA-2022-d98633f466
Packages in this update:
thunderbird-102.3.1-1.fc37
Update description:
Update to 102.3.1
https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/
https://www.thunderbird.net/en-US/thunderbird/102.3.1/releasenotes/
thunderbird-102.3.1-1.fc37
Update to 102.3.1
https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/
https://www.thunderbird.net/en-US/thunderbird/102.3.1/releasenotes/
thunderbird-102.3.1-1.fc35
Update to 102.3.1
https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/
https://www.thunderbird.net/en-US/thunderbird/102.3.1/releasenotes/
Update to 102.3.0 ;
https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/ ;
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
FortiGuard Labs is aware of a new variant of modular malware “Kaiji” targeting Windows and Linux machines and devices belonging to both consumers and enterprises in Europe. Dubbed “Chaos”, the malware connects to command and control (C2) servers and performs various activities including launching Distributed Denial of Service (DDoS) attacks and mining crypto currencies.Why is this Significant?This is significant because the Chaos malware targets both consumers and enterprises in Europe by exploiting various vulnerabilities. Infected machines will join a botnet which are then used for malicious activities such as DDoS attacks and cryptocurrency mining.What is Chaos Malware?Chaos is a Go-based modular malware for Windows and Linux and is allegedly an updated version of Kaiji malware. Chaos malware connects to C2 servers and receives remote commands as well as modules for additional functionality. According to security vendor Black Lotus Labs, Chaos is primarily used for DDoS attacks and cryptocurrency mining. It is also designed to spread to other systems through SSH and exploitation of various vulnerabilities.It is important to note that ransomware with a similar name exists (Chaos ransomware), but they are completely unrelated.What Vulnerabilities Does Chaos Exploit for Propagation?The following vulnerabilities were exploited by Chaos malware according to Black Lotus Labs:Command Execution vulnerability in Huawei HG532 Router (CVE-2017-17215)Command Injection Vulnerability in Zyxel firewalls (CVE-2022-30525)Note – that since Chaos is a modular malware and receives remote commands, it may exploit other vulnerabilities including Authentication Bypass Vulnerability in F5 BIG-IP (CVE-2022-1388).Have Vendors Released Patches for CVE-2017-17215, CVE-2022-30525 and CVE-2022-1388?Patches are available for CVE-2022-30525 and CVE-2022-1388. We are currently unaware of any vendor supplied patches for CVE-2017-17215.What is the Status of Protection?FortiGuard Labs will detect Chaos DDoS malware with the following AV signatures:Linux/Kaiji.C!trW32/Ransom_Foreign.R002C0WG222W32/PossibleThreatFortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Chaos malware:Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388)
Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.
If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University.
Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).
Helpfully, LinkedIn seems to be able to detect something in common about all these fake CISO profiles, because it suggested I view a number of them in the “People Also Viewed” column seen in the image above. There are two fake CISO profiles suggested there, including one for a Maryann Robles, who claims to be the CISO of another energy giant — ExxonMobil.
Maryann’s profile says she’s from Tupelo, Miss., and includes a quaint description of how she became a self-described “old-school geek.”
“Since playing Tradewars on my Tandy 1000 with a 300 baud modem in the early ’90s, I’ve had a lifelong passion for technology, which I’ve carried with me as Deputy CISO of the world’s largest health plan,” her profile reads.
However, this description appears to have been lifted from the profile for the real CISO at the Centers for Medicare & Medicaid Services in Baltimore, Md.
Interestingly, Maryann’s LinkedIn profile was accepted as truth by Cybercrime Magazine’s CISO 500 listing, which claims to maintain a list of the current CISOs at America’s largest companies:
Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week.
“It’s interesting the downstream sources that repeat LinkedIn bogus content as truth,” Mason said. “This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures.”
Google wasn’t fooled by the phony LinkedIn profile for Jennie Biller, who claims to be CISO at biotechnology giant Biogen (the real Biogen CISO is Russell Koste). But Biller’s profile is worth mentioning because it shows how some of these phony profiles appear to be quite hastily assembled. Case in point: Biller’s name and profile photo suggest she is female, however the “About” description of her accomplishments uses male pronouns. Also, it might help that Jennie only has 18 connections on LinkedIn.
Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
None of the profiles listed here responded to requests for comment (or to become a connection).
In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.
“We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”
LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.
The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.
“If I saw that a LinkedIn profile had been domain-validated, then my confidence in that profile would go way up,” Mason said, noting that many of the fake profiles had hundreds of followers, including dozens of real CISOs. Maryann’s profile grew by a hundred connections in just the past few days, he said.
“If we have CISOs that are falling for this, what hopes do the masses have?” Mason said.
Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.
“I shot a note to LinkedIn and said please remove this, and they said, well, we have to contact that person and arbitrate this,” he said. “They gave the guy two weeks and he didn’t respond, so they took it down. But that doesn’t scale, and there needs to be a mechanism where an employer can contact LinkedIn and have these fake profiles taken down in less than two weeks.”
A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign featuring fresh tactics to deliver the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cybersecurity company Zscaler.
Around 40% of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organizations, with different levels of experience and specializations in different areas of information security. The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.
python-oauthlib-3.2.1-1.fc37
Update spec file and sources for 3.2.1
Fixes CVE-2022-36087
A 40-year-old man could face up to 10 years in prison, after admitting in a US District Court to sabotaging his former employer’s computer systems.
Read more in my article on the Tripwire State of Security blog.
The tool was written in Chinese and seemed China-based due to its C2 infrastructure