Users of Chrome should ensure they’re running the latest version to patch an integer overflow in the Skia graphics library.
Google has announced an important update for Chrome to help fend off a zero-day. The update fixes several issues, and readers are advised to ensure they’re using the latest version of the browser.
Mitigation
If you’re using Chrome on Mac, Windows, or Linux, you need to update as soon as you possibly can. If you’re using a standard Chrome setup then updates should be applied automatically. However, this won’t happen if you never close your browser, or if the update is blocked by something like a fault in an installed extension.
It’s always good to check, especially when something bad is floating around potentially helping to compromise devices. One easy way to do this is navigate to chrome://settings/help or clicking Settings > About Chrome.
Chrome will notify you of the version you’re on and if there’s an update available. Once you’ve downloaded the update, reload the browser and everything should be good to go. If everything has worked as it should, your version should in theory be running the latest version. At the time of writing the most recent update being offered is now 112.0.5615.138.
This will fix eight vulnerabilities, although the update is only currently available for both Mac and Windows. The Linux version is still being worked on.
Vulnerability
The exploit page for CVE-2023-2136 has few details available, as is the usual pattern followed by Google when something like this happens. Details are generally held back to give people time to patch, without offering any clues to cybercriminals about how they might exploit the vulnerability. So far, the only information we have is:
Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overloaded a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program.
Skia is a graphics library (a set of reusable code) used by Google Chrome. In this case the error allows an attacker to escape the shackles of Chrome’s “sandbox”, a security feature that should prevent malicious code from affecting the system that Chrome is running on.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
The Pixel Tablet is due to make an appearance at Google I/O in May, but prior to that, a new leak is showing off what the device looks like in a previously unknown color – Coral. Earlier this month it was rumored that the Pixel Tablet would have four color options.
At the time of that report though, only two of the colors were known. This included a green color and a beige color. These were at the time, the two colors of the tablet that had been seen in official marketing materials. Now though, it looks like Google has shown off the Coral model at Milan Design Week. Spotted by 9To5Google, user saori_vj on Instagram has shared video footage of the event. Where tables of Google hardware products lay strewn about next to each other, matched up by color.
The coral color for the Pixel Tablet is fairly subtle
As you can see in the images, the Coral (it’s unclear if this is the official color name) color of the Pixel Tablet has a much more subtle, muted hue than some of the other products in that colorway. Google’s Coral Pixel Buds for example, are very bright with a darker, more vibrant hue.
Whereas the tablet is lighter and less pronounced. With the coral/pink tablet now shown off, that leaves just one color that hasn’t made an appearance. Which should show up at Google’s developer conference next month. Though judging by the other products on the table which are grouped up by similar colors, the fourth Pixel Tablet could come in a sort of yellow hue.
It seems pretty clear that Google is looking to keep a certain color theme here. With the design of its current products matching up with what has already been displayed. So although it hasn’t been confirmed yet, the fourth Pixel Tablet color seems likely to match the colors of something Google already sells.
It’s no secret that the US government’s ban on conducting business with Huawei prompted many companies to cancel their deals and withdraw their operations. However, Seagate has recently found itself in trouble with the US Department of Commerce for allegedly selling over 7 million hard drives to Huawei, thus violating the US sanctions. As a result, the department has ordered Seagate to pay a fine of $300 million.
According to the Commerce Department, Seagate continued selling hard drives to Huawei between August 2020 and September 2021, despite Western Digital and Toshiba, its primary competitors, stopping their dealings with Huawei in response to the foreign direct product rule. Moreover, the company further violated regulations by signing a three-year strategic agreement with Huawei, becoming its sole source of hard drives.
“Today’s action is the consequence: the largest standalone administrative resolution in our agency’s history,” said Assistant Secretary for Export Enforcement Matthew S. Axelrod.
In addition to the $300 million fine, which Seagate will pay in $15 million increments over five years, the company will also undergo three audits of its compliance program and have its export privileges suspended for five years.
Seagate’s response
In a statement, Seagate CEO Dave Mosley acknowledged the settlement and stated that they settled because they felt it was the best course of action, despite believing they had complied with all relevant export control laws at the time of the sales.
“We believe entering this agreement with BIS and resolving this matter is in the best interest of Seagate, our customers and our shareholders,” said CEO Dave Mosley.
This penalty serves as a reminder of complying with export control laws and regulations, especially when dealing with the US and China and their respective trade blacklist companies. Organizations must ensure they are aware of and adhere to all relevant export control laws to avoid hefty fines or potential export bans.
Google’s Android Developers Blog announced yesterday (via AndroidPolice) an interesting new feature for Android users with a device running Android 7.0 or later. If an app they are using crashes in the foreground (as opposed to when it is running in the background) and a more stable version of the app is available, the Play Store will prompt them to update the app. Google notes that from a developer’s point of view, this will reduce the app’s “user-perceived crash rate.”
Developers and users don’t have to do anything to enable the prompt as it is enabled automatically when Google Play determines that a newer version of an app that has crashed has a lower crash rate based on valid stats. You might ask, how will the app send a prompt if it has crashed? The answer is simple. Since the notice is coming from the Play Store and not the app, the prompt will appear even if the app crashes on startup.
The notification shows the name of the app and the size of the update. The message states, “The app stopped working, but the latest update for the app may fix the issue. Install the update and then open the app again. If you want to update later, go to Manage apps & device in Google Play.” There are two buttons that can be pressed. The white one on the left says “No thanks,” while the green one on the right says “Update.”
Android users with an app that crashes in the foreground will receive a prompt to update the app to the latest stable version
Google says that it takes three things into account which it adjusts over time in order to help developers make sure that their apps are delivering the best possible experience to its users. Those three thresholds include:
User activity level of an app version according to Vitals to ensure we have statistical relevance.
Foreground crash rate of an app version and of its newer version.
Number of times a prompt can be shown for each version of your app on a device, if the user doesn’t choose to update.
That last threshold would seem to indicate that it will be up a developer to determine how often a user of one of his/her apps will be prompted to update to the latest version of said app. Most Android users, we would surmise, might need to be told just once to update and it will be done right away. Apparently, not all users are determined to be running the most recent, stable, and usually the best version of the apps they employ and enjoy.
A new hacking tool, AuKill, disables Endpoint Detection & Response (EDR) software for threat actors to launch BYOD attacks by deploying backdoors and ransomware on targeted systems.
Sophos researchers witnessed the usage of AuKill in two incidents where an adversary first deployed Medusa Locker ransomware and another instance where the attacker installed LockBit ransomware after using the EDR killer on an already compromised system.
While the threat actors use validly signed drivers with kernel privileges to disable security solutions and seize control of victims’ devices in these attacks.
Technical Analysis
AuKill malware deploys a malicious variant of Windows driver (procexp[.]sys) next to Microsoft’s Process Explorer v16.32, a widely-used tool for gathering data on active Windows processes.
To gain privileges, it verifies if it is already operating with SYSTEM privileges. If not, it emulates the TrustedInstaller Windows Modules Installer service to elevate to the SYSTEM level.
AuKill starts multiple threads to repeatedly scan and terminate security processes and services to deactivate security software.
AuKill relies on a Process Explorer driver on compromised devices and systems to disable security solutions like Backstab.
So, they both have many similarities; the only difference is that AuKill is not an open-source tool, unlike Backstab.
Sophos X-Ops identified the LockBit gang using Backstab in at least one attack during their investigation of LockBit 3.0 (LockBit Black).
The malware uses a simple arithmetic calculation to validate the password or key.
It calculates the decimal value of each character’s ASCII code, doubles it, adds it to the next character’s value, and repeats the process.
Moreover, to disable EDR components, the following functions are used:-
Terminate Via Procexp
Terminate Forcefully
Disable Services
Unload Drivers
AuKill Timeline
Since the start of 2023, the tool has been used in three ransomware incidents to disable target protection and execute the ransomware.
After using the tool, attackers deployed the Medusa Locker ransomware in January and February. Similarly, in February, an attacker deployed Lockbit ransomware immediately after using AuKill.
Sophos researchers gathered six distinct versions and monitored their functional alterations over three months.
For easy identification, cybersecurity researchers at Sophos have labeled the earliest iteration of the malware as AuKill V1, while the latest version is AuKill V6.
They have a function that regularly inspects EDR processes and services to prevent revived processes from running.
Recommendations
Here below we have mentioned all the recommendations below:-
Make sure your endpoint security product has tamper protection implemented.
Ensure that your Windows security roles are correctly configured.
Make sure your system is always up-to-date.
Besides your OS, regularly verify for updates to your computer’s applications and tools.
Consider removing outdated tools that are no longer necessary or used.
Having a vulnerable driver on the system may also allow legitimate driver abuse.
Ensure an effective vulnerability management program to prevent legitimate driver abuse.
Instead of using his time and military training for good, 21-year-old Josiah Garcia decided to become a hired gun—and failed in an epic way.
A member of the Air National Guard is facing federal charges after applying for a job online as an assassin. According to a Justice Department press release, Josiah Ernesto Garcia from Hermitage, Tennessee, was arrested by an undercover federal agent at a park on April 12, 2023.
The FBI affidavit says Garcia was looking for a good-paying job to support his family. He reportedly told the undercover agent:
“Im [sic] looking for a job, that pays well, related to my military experience (Shooting and Killing the marked target) so I can support my kid on the way. What can I say, I enjoy doing what I do, so if I can find a job that is similar to it, (such as this one) put me in coach!”
He is alleged to have started looking for “contract mercenary jobs” in mid-February, eventually coming across RentAHitman.com, a website for a cybersecurity startup that later turned into a parody site, after receiving inquiries about murder-for-hire services. The site contains false testimonials, a form where people can request hit services, and a career inquiry page for anyone wanting to apply as a hired killer.
Completely missing numerous red flags, Garcia reportedly applied to become a hitman. He then made several follow-up messages to the site’s administrator, and provided his identification documents and a resume that indicated he had been in the Air National Guard since 2021, where he reportedly earned the nickname “Reaper” for his excellent marksmanship.
The FBI eventually intervened and set up a sting to capture Garcia. An undercover agent disguised as a recruiter offered Garcia a hit on an individual for $5,000. They meet at a park, and the agent handed Garcia information about a fictitious target that included photographs, fake information, and a downpayment of $2,500.
“Defendant met with an FBI undercover agent and participated in detailed discussions expressing his interest in torturing and killing people for money,” the affidavit says. “After being offered many opportunities to withdraw from the employment offer, [D]efendant accepted payment to kill a person.”
After receiving the packet and the money, Garcia asked the agent if he needed to provide a photo of the dead body. He was swiftly arrested and charged with “the use of interstate facilities in the commission of murder-for-hire.” Subsequently, the FBI searched Garcia’s home and recovered his AR-15 rifle.
After waiving his Miranda rights, Garcia reportedly told investigators “he had second thoughts about the hitman job and changed his mind,” after getting a job offer from Vanderbilt University Medical Center. The affidavit says that “Garcia stated that he was meeting the UCE [undercover employee] to tell him he had changed his mind and did not want to do this kind of work. Garcia stated that he was going to call the UCE when he got to his car and leave the money on the curb for the UCE to pick up.”
According to the charge, Garcia faces up to 10 years in prison if convicted.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
The Xiaomi 13 Ultra launched quite recently, and we’ve already compared it to its ‘Pro’ sibling. Well, it’s time for another comparison, but this time around with another ‘Ultra’ phone. We’ll compare the Samsung Galaxy S23 Ultra vs Xiaomi 13 Ultra. These two phones are not that similar, actually. They do share some specs, but for the most part, they’re quite different. Even the in-hand feel is considerably different.
We’ll first list their specifications, and following that, we’ll compare their designs, displays, performance, battery life, cameras, and audio performance. Both of these phones have a lot to offer, but they do it in different ways, basically. Before we begin, do note that only the Chinese Xiaomi 13 Ultra variant launched thus far, so that’s the model that we’ve been able to check out. That being said, let’s get started.
Specs
Samsung Galaxy S23 Ultra
Xiaomi 13 Ultra
Screen size
6.8-inch QHD+ Dynamic AMOLED 2X display (curved, 120Hz adaptive refresh rate, LTPO, down to 1Hz, 1,750 nits peak brightness)
Samsung Galaxy S23 Ultra vs Xiaomi 13 Ultra: Design
The Samsung Galaxy S23 Ultra and Xiaomi 13 Ultra do look quite different. The Galaxy S23 Ultra is flat at the top and bottom, but its left and right sides are heavily curved. The Xiaomi 13 Ultra frame is flattish all around, but its corners are rounded, unlike the ones on the Galaxy S23 Ultra. The Xiaomi 13 Ultra’s front and back sides do curve into the frame. It has vegan leather on the back, which does not curve to the sides, actually. It’s positioned higher in the upper portion of the phone’s back due to the camera bump, and it does not go all the way to the sides. It’s actually a different approach than any other we’ve seen thus far.
The Galaxy S23 Ultra, on the other hand, has glass on the back, which goes all the way to the frame on the sides. It’s a seamless transition. The Galaxy S23 Ultra is much more slippery than the Xiaomi 13 Ultra, due to the way it’s built, and due to the materials used. Both phones have curved displays, and a centered display camera hole. The bezels are quite thin on both, while the physical buttons are located on the right-hand side.
The differences are easily noticeable when you flip them over too. The Galaxy S23 Ultra does not have a camera island, unlike the Xiaomi 13 Ultra. Every single camera protrudes directly from the backplate on the Galaxy S23 Ultra. These are two completely different approaches to design.
They are quite similar when it comes to height, but the Galaxy S23 Ultra is quite a bit wider. They’re very similar in the thickness department too, but Samsung’s flagship is a bit thinner, and also slightly heavier. They both do feel hefty in the hand, but also premium at the same time. They’re both also IP68 certified for water and dust resistance.
Samsung Galaxy S23 Ultra vs Xiaomi 13 Ultra: Display
The Galaxy S23 Ultra features a 6.8-inch QHD+ (3088 x 1080) Dynamic AMOLED 2X display. This panel is curved, and it supports an adaptive refresh rate (1-120Hz). HDR10+ is supported, while the display can get up to 1,750 nits of peak brightness. The Gorilla Glass Victus 2 protects this display, in case you were wondering.
Samsung Galaxy S23 Ultra display
The Xiaomi 13 Ultra, on the other hand, also has a curved display. Its panel measures 6.73 inches, and it’s a QHD+ (3200 x 1440) panel as well. It has a different 20:9 aspect ratio, and it’s also an LTPO panel (1-120Hz). This display supports HDR10+ and Dolby Vision, and it gets up to 2,600 nits of brightness at its peak. It’s protected by the Gorilla Glass Victus.
Both of these displays are outstanding, and some of the best in the business. They’re not both made by Samsung, though. The one in the Xiaomi 13 Ultra comes from a collab between China Star and Xiaomi. They both show vivid colors, offer great viewing angles, and touch response also feels really good when you use them. They’re both more than sharp enough, and get immensely bright. You can use either one in direct sunlight with no issues. Chances are you’ll be happy with either one of these displays.
Samsung Galaxy S23 Ultra vs Xiaomi 13 Ultra: Performance
The Galaxy S23 Ultra is fueled by the Snapdragon 8 Gen 2 for Galaxy SoC. The Xiaomi 13 Ultra utilizes the Snapdragon 8 Gen 2 processor. The difference in the two is simply in the clock speed, the ‘for Galaxy’ variant is clocked a bit higher. Both phones offer LPDDR5X RAM, though the Xiaomi 13 Ultra goes up to 16GB, while the Galaxy S23 Ultra is set at 12GB. UFS 4.0 flash storage is utilized by both phones, in every model, actually.
So, they both feature top-of-the-line specs. Do they both offer great performance too? Well, yes, they’re both extremely smooth. That goes for both simple tasks, and more demanding ones. Yes, it goes for gaming too, as both phones can handle the most demanding titles, and not get too warm while doing it. We did not notice any drop off in performance or anything of the sort.
Once again, do note that we’ve been using the Chinese model of the Xiaomi 13 Ultra, as the global one is not yet available. The software is a different story because of it, but we won’t get into that. You’d be better off waiting for the global model, that’s for sure. As far as sheer smoothness in performance is concerned, both of them are outstanding.
Samsung Galaxy S23 Ultra vs Xiaomi 13 Ultra: Battery
Both of these phones include a 5,000mAh battery on the inside. The Galaxy S23 Ultra is one of the best smartphones for battery life we’ve seen, at least as far as high-end smartphones are concerned. We’ve been able to comfortably go over the 10-hour screen-on-time on this phone, and then some. I’m still in my early usage days of the Xiaomi 13 Ultra, but the phone seems to have a really good battery life too. Not to the level of the Galaxy S23 Ultra, though. Also, do note that I had to sideload Google services on the phone, as this is a model made for China.
Having said that, stating specific battery stats is never a good idea. Your mileage will vary either way. Each of us use our phones in different ways, with different apps, and have different signal strengths. I don’t believe that you’ll be disappointed with the battery life on either one of these two phones, though, that’s for sure. Waiting for the Xiaomi 13 Ultra with global software may be a good call, though.
In terms of charging, well, the Xiaomi 13 Ultra definitely outshines the Galaxy S23 Ultra. Xiaomi’s flagship offers 90W wired, 50W wireless, and 10W reverse wireless charging. On top of that, it comes with a 90W charger in the box. The Galaxy S23 Ultra supports 45W wired, 15W wireless, and 4.5W reverse wireless charger. It does not include a charger in the box, though.
Samsung Galaxy S23 Ultra vs Xiaomi 13 Ultra: Cameras
The two devices have an entirely different approaches to photography. The Galaxy S23 Ultra includes a 200-megapixel main camera, a 12-megapixel ultrawide unit (120-degree FoV), a 10-megapixel telephoto camera (3x optical zoom), and a 10-megapixel periscope telephoto camera (f/4.9 aperture, 10x optical zoom). The Xiaomi 13 Ultra features a 50.3-megapixel main camera (1-inch sensor, f/1.9-f/4.0 variable aperture). In addition to that, it includes a 50-megapixel ultrawide camera (122-degree FoV), a 50-megapixel telephoto unit (3.2x optical zoom), and a 50-megapixel periscope telephoto camera (5x optical, 100x digital zoom).
Xiaomi 13 Ultra rear cameras
We’re still in the middle of testing the Xiaomi 13 Ultra’s camera capabilities, but already have a great idea as to what you’ll get. The approaches to photography are entirely different. The Galaxy S23 Ultra has a lot more aggressive image processing thrown into the mix, which can result in some oversharpening, especially if we’re pixel-peeping. That’s great in some situations. On the flip side, the Xiaomi 13 Ultra will provide you with images that use less sharpening (mainly due to that huge 1-inch camera), and Leica-style photos with pronounced colors.
The Xiaomi 13 Ultra is not afraid to keep images closer to real life, which especially goes for shadows and whatnot. It’s also something you’ll notice in low light. The images look outstanding, but a bit darker than what most of you are used to. The Galaxy S23 Ultra goes the opposite route, it loves to brighten up the shadows. Both do a great job in HDR situations, but once again, different. The natural bokeh from that 1-inch camera sensor will be present, and the phone won’t do much processing in the highlights that are blurred up. The Galaxy S23 Ultra will, like most other phones.
We could talk about the cameras for a long time, but this should give you a good idea. Ultrawide and telephoto cameras are great on both phones, and do a great job of following the main camera when it comes to style and colors. The Xiaomi 13 Ultra does include much larger sensors, and we did slightly prefer the results from both ultrawide and telephoto cameras on the device. They do offer entirely different results, so, it’s a matter of preference. We still need to further test the periscope camera on the Xiaomi 13 Ultra, but it’ll be able to keep up with what the Galaxy S23 Ultra offers. The video recording does seem to be more reliable on the Galaxy S23 Ultra, at least at first glance, though the Xiaomi 13 Ultra is excellent in that aspect too.
Audio
Both devices do feature stereo speakers, and those speakers are actually great on both phones. The Galaxy S23 Ultra’s does get slightly louder, but the difference is not that big. Both sets of speakers are detailed, well-tuned, and even provide some bass.
An audio jack is not included on either phone. You’ll have to use their Type-C ports for wired audio connections. If you prefer a wireless connection, you’ll be glad to know that both phones support Bluetooth 5.3.
Samsung Chairman Lee Jae-yong is reportedly planning to meet with the CEOs of Google, Apple, Amazon, and Microsoft next month. According to the Korean media, the meetings will be part of Lee’s upcoming three-week business tour to the US. The tour could begin as early as this weekend and end in the second week of May.
Samsung Chairman to embark on a lengthy US tour this weekend to meet tech CEOs
Lee’s lengthy business trip to the US will include several meetings and conferences in various parts of the nation. He will begin the tour with a business roundtable of an economic mission for “intergovernmental negotiations related to the US Semiconductor Support Act”. The Samsung chief will inform US government officials of the company’s current semiconductor situation and vision.
Following that meeting, Lee plans to visit its various industry partners in the US. In the first week of May, the Samsung Chairman will visit Verizon and other US telcos to discuss business strategies. The Korean firm has a strong presence in the telecommunications equipment business. It signed a $6.6 billion supply contract with Verizon in 2020. The company is also in talks with T-Mobile for a similar business opportunity.
Lee Jae-yong is then expected to visit the headquarters of Massachusetts-based biotechnology company Moderna. The firm has a close relationship with Samsung’s biotechnology arm Samsung Biologics. The latter helped Moderna in the production of its COVID-19 vaccine a few years back (via Hankyung).
Finally, in the second week of May, Lee will meet with the CEOs of Google, Apple, Amazon, and Microsoft. While Google and Apple compete against Samsung in various businesses, including smartphones, they are also among its biggest customers. The Korean firm supplies displays, semiconductors, and more components to the two rivals. All modern iPhones feature Samsung-made displays, while Google’s Pixels smartphones use Samsung-made Tensor processors.
Amazon and Microsoft are also among Samsung’s biggest customers. They source most of their memory chip needs from the South Korean behemoth. The market for memory chips has seen a steep decline in recent months, severely affecting Samsung’s profits. Lee Jae-yong would be looking to strengthen its partnerships with two of the world’s top three cloud companies to ensure it stays at the top of the game and is ready to pounce on the opportunity once demand grows.
The South Korean President is also visiting the US next week
As said earlier, Lee is expected to fly to the US as early as this weekend. He reportedly wants to accompany South Korean President Yoon Seok-yeol during the latter’s visit to the US next week. Yoon will be in the US from April 24-29 for a summit with US President Joe Biden. This will be the first US visit by a South Korean leader since Lee Myung-bak in 2011.
Messaging app Telegram has just announced numerous improvements coming to its users in the following days. Shareable chat folder, custom wallpapers, better bots, fast scrolling for attachments, and many other new features and improvements are part of the latest Telegram update.
Starting with the latest version of Telegram, users will be able to share entire chat folders with just one link. It makes it infinitely easier to invite friends to groups, collections of news channels, and more. Not to mention that each chat folder supports multiple invite links allowing access to different chats.
Now you can create custom wallpapers from your favorite photos and color combinations. These can be used in specific chats. Simply use the “Set Wallpaper” setting from the three dots menu on Android or open a profile and tap “Change Wallpaper” from the three dots menu on iOS.
The latest Telegram update brings better bots, the developer announced today. They are now able to host web apps, which can be launched in any chat. Additionally, Telegram revealed that web apps can now support collaboration and multiplayer features for members when launched in a group.
As mentioned earlier, the update makes scrolling for attachments faster, just like Shared Media. Finally, the update brings numerous improvements to various interfaces. For example, the Send When Online interface now requires fewer taps. Also, Telegram users can now create groups without adding members immediately, which comes in handy if they want to set up permissions and pin one or more messages first.
More importantly, in groups of under 100 members that have topics enabled, you’ll now be able to see what time your messages were read by other group members. A much-needed quality-of-life improvement.
If you’re using one of the newest iPhones, you’ll be happy to know that profile pictures in Telegram have a new animation when scrolling on profiles and info pages.
A recent report from CISA (US Cybersecurity and Infrastructure Security Agency) revealed that the APT 28 group was responsible for exploiting Cisco routers with poor maintenance using CVE-2017-6742.
CVE-2017-6742 Attack: Reconnaissance with RCE in Cisco
SNMP (Simple Network Management Protocol) is a networking protocol used by network administrators for monitoring and configuring devices remotely.
From an attacker’s perspective, this protocol can extract sensitive information. If the protocol on a device is vulnerable, it can be used to penetrate the network.
However, CVE-2017-6742 is a remote code execution bug on the SNMP protocol of Cisco routers.
As of June 2017, Cisco released patches along with an advisory that had information on workarounds like access limitation to trusted hosts or disabling SNMP management information.
Along with CISA, the NCSC (UK National Cyber Security Center), the NSA (US National Security Agency), and the Federal Bureau of Investigation (FBI) claims that APT 28 is operated by the General Staff Main Intelligence (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26155.
As per the report from CISA, APT28 had been using commercial code repositories and post-exploit frameworks for gaining access and deploying malware.
The report states, “As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of Powershell Empire, in addition to Python versions of Empire.”
The report also stated that the APT28 threat actor used this CVE-2017-6742 to exploit SNMP and deploy the malware they use to extract information via TFTP (Trivial File Transfer Protocol).
The malware was also used to enable unauthenticated access through a backdoor. The malware used by this group is Jaguar Tooth Malware.
APT 28 is known to be a highly skilled threat actor, as mentioned by the CISA. The group had names like Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy).
History of Activities by APT28
APT28 was responsible for a cyber attack on the German parliament in 2015, resulting in data theft and disruption of email accounts belonging to the German Members of Parliament and the vice-chancellor.
APT28 also attempted to attack the OPCW (Organisation for the Prohibition of Chemical Weapons) in 2018 to collapse the Chemical Weapon independent analysis by GRU.
Indicators of Compromise
There are multiple Indicators of Compromise for this attack on Cisco routers which can be found on the malware analysis page of Jaguar Tooth malware.
Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR.
APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).
Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR.
