SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center

Look Alike Accounts Used in Ukraine Donation Scam impersonating Olena Zelenska

Published: 2022-03-14
Last Updated: 2022-03-15 00:55:04 UTC
by Johannes Ullrich (Version: 1)

Earlier, I saw the following account being flagged on Twitter:

The account attempts to impersonate Olena Zelenska, the first lady of Ukraine. Mrs. Zelenska has a legitimate, private account (https://twitter.com/OlenaZelenska34). So what is the difference between:

https://twitter.com/OlenaZelenska34 and
https://twitter.com/OlenaZeIenska34 ?

If you look closely: the fake account uses an upper case I (I) instead of the lower case L (l). The characters are visually identical, so no fancy Unicode is required for this. Luckily, at least the bitcoin address has not yet received any funds. I flagged the fake account, but it still appears to be available so far.

Like the email scam we saw earlier, cryptocurrency donations have been popular even for legitimate causes in this war. Be very careful. For Twitter: Even legitimate and verified accounts have been taken over in the past. You need to be a bit like an excellent old journalist and only trust information that you receive from different independent and trusted sources. It took me a moment to figure out which one was fake in the above example. There are plenty of other look-alike accounts. Some appear to be from people who have similar names. Others consider themselves "Fan Accounts" and clearly state that they are not affiliated with the actual person. The fake account currently shows as #4 if you search for "Olena Zelenska" on Twitter. 
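The check described above, as an added example that is not part of the diary: a small look-alike detector that collapses ASCII characters which render identically (capital I, lower-case l, the digit 1, letter O and digit 0) before comparing a handle against a list of known-good accounts. The confusable mapping is an assumption and can be extended.

```python
# Added example (not from the diary): flag account handles that differ from a
# known-good handle only by ASCII characters that look alike, the trick used in
# OlenaZeIenska34 (capital I) vs OlenaZelenska34 (lower-case l).
# The confusable mapping below is an assumption; extend it for your fonts.
CONFUSABLE = {
    "I": "l", "l": "l", "1": "l", "|": "l",   # capital I, lower L, one, pipe
    "O": "0", "o": "0", "0": "0",             # letter O vs digit zero
}
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]  # two glyphs that read as one


def skeleton(handle: str) -> str:
    """Collapse a handle so that look-alike characters compare equal.

    The single-character mapping runs before lower-casing; otherwise a
    capital I would become i and no longer collide with l.
    """
    s = "".join(CONFUSABLE.get(ch, ch) for ch in handle).lower()
    for seq, rep in MULTI:
        s = s.replace(seq, rep)
    return s


def find_lookalikes(candidate: str, known: list) -> list:
    """Return (known_handle, diffs) for each known handle the candidate
    impersonates: same skeleton, but not the same handle. diffs lists
    (position, expected_char, seen_char), or None when lengths differ."""
    hits = []
    for real in known:
        if real.lower() == candidate.lower():
            continue                      # the genuine account itself
        if skeleton(real) != skeleton(candidate):
            continue                      # looks different, not a look-alike
        diffs = None
        if len(real) == len(candidate):
            diffs = [(i, a, b) for i, (a, b) in enumerate(zip(real, candidate)) if a != b]
        hits.append((real, diffs))
    return hits


def uses_non_ascii(handle: str) -> bool:
    """True when the handle relies on non-ASCII homoglyphs ("fancy Unicode")."""
    return any(ord(ch) > 127 for ch in handle)


if __name__ == "__main__":
    KNOWN = ["OlenaZelenska34"]          # the legitimate account from the diary
    for h in ["OlenaZelenska34", "OlenaZeIenska34", "0lenaZelenska34", "OlenaZelenskaFan"]:
        print(h, find_lookalikes(h, KNOWN), "non-ascii:", uses_non_ascii(h))
```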


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Apple Updates Everything: MacOS 12.3, XCode 13.3, tvOS 15.4, watchOS 8.5, iPadOS 15.4 and more

Published: 2022-03-14
Last Updated: 2022-03-14 19:44:27 UTC
by Johannes Ullrich (Version: 1)

Apple today released one of its massive "surprise" updates for all of its operating systems. This includes updates for Safari as well as stand-alone security updates for older operating systems like macOS Big Sur and Catalina. As is so often the case, this also includes feature updates for the respective operating systems.

It should be noted that Python 2 was removed from macOS 12.3. Some third-party applications may still need it, and you should check with the respective vendor for plans to update to Python 3. Python 2 support officially ended January 1st, 2020, but many applications still need it.

Kernel extensions used by Dropbox Desktop Application and Microsoft OneDrive have also been removed (however, these tools may still work).

And finally, PostScript files can no longer be viewed inline.

For more details, see Apple's security update page: https://support.apple.com/en-us/HT201222

and the developer release notes for macOS: https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes 

[I may tweak the table below a bit more, but wanted to get this out to give some initial guidance. Feedback welcome.]

The last column counts the platforms marked as affected out of Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS and watchOS; the per-platform marks themselves are not preserved here.

| CVE | Severity | Component | Fix | Impact | Affected platforms |
|---|---|---|---|---|---|
| CVE-2022-22631 | important | AppleGraphicsControl | An out-of-bounds write issue was addressed with improved bounds checking. | An application may be able to gain elevated privileges | 3 |
| CVE-2022-22648 | important | AppleScript | This issue was addressed with improved checks. | An application may be able to read restricted memory | 3 |
| CVE-2022-22627 | important | AppleScript | An out-of-bounds read was addressed with improved bounds checking. | Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory | 3 |
| CVE-2022-22626 | important | AppleScript | An out-of-bounds read was addressed with improved bounds checking. | Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory | 3 |
| CVE-2022-22625 | important | AppleScript | An out-of-bounds read was addressed with improved input validation. | Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory | 3 |
| CVE-2022-22597 | critical | AppleScript | A memory corruption issue was addressed with improved validation. | Processing a maliciously crafted file may lead to arbitrary code execution | 3 |
| CVE-2022-22616 | important | Safari Downloads | This issue was addressed with improved checks. | A maliciously crafted ZIP archive may bypass Gatekeeper checks | 3 |
| CVE-2022-22661 | important | Intel Graphics Driver | A type confusion issue was addressed with improved state handling. | An application may be able to execute arbitrary code with kernel privileges | 3 |
| CVE-2022-22613 | important | Kernel | An out-of-bounds write issue was addressed with improved bounds checking. | An application may be able to execute arbitrary code with kernel privileges | 6 |
| CVE-2022-22615 | important | Kernel | A use after free issue was addressed with improved memory management. | An application may be able to execute arbitrary code with kernel privileges | 6 |
| CVE-2022-22614 | important | Kernel | A use after free issue was addressed with improved memory management. | An application may be able to execute arbitrary code with kernel privileges | 6 |
| CVE-2022-22638 | important | Kernel | A null pointer dereference was addressed with improved validation. | An attacker in a privileged position may be able to perform a denial of service attack | 6 |
| CVE-2022-22647 | critical | Login Window | This issue was addressed with improved checks. | A person with access to a Mac may be able to bypass Login Window | 3 |
| CVE-2022-22656 | other | LoginWindow | An authentication issue was addressed with improved state management. | A local attacker may be able to view the previously logged in user's desktop from the fast user switching screen | 3 |
| CVE-2022-22617 | important | PackageKit | A logic issue was addressed with improved state management. | An application may be able to gain elevated privileges | 3 |
| CVE-2022-22650 | important | QuickTime Player | This issue was addressed with improved checks. | A plug-in may be able to inherit the application's permissions and access user data | 3 |
| WebKit Bugzilla | important | WebKit | A logic issue was addressed with improved state management. | A malicious website may cause unexpected cross-origin behavior | 6 |
| CVE-2022-22582 | important | xar | A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. | A local user may be able to write arbitrary files | 3 |
| CVE-2022-22633 | critical | Accelerate Framework | A memory corruption issue was addressed with improved state management. | Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution | 4 |
| CVE-2022-22632 | important | Kernel | A logic issue was addressed with improved state management. | A malicious application may be able to elevate privileges | 5 |
| CVE-2022-22599 | other | Siri | | A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen | 4 |
| CVE-2022-22669 | important | AMD | A use after free issue was addressed with improved memory management. | An application may be able to execute arbitrary code with kernel privileges | 1 |
| CVE-2022-22665 | important | AppKit | A logic issue was addressed with improved validation. | A malicious application may be able to gain root privileges | 1 |
| CVE-2021-22946 | other | curl | Multiple issues were addressed by updating to curl version 7.79.1. | Multiple issues in curl | 1 |
| CVE-2021-22947 | other | curl | Multiple issues were addressed by updating to curl version 7.79.1. | Multiple issues in curl | 1 |
| CVE-2021-22945 | other | curl | Multiple issues were addressed by updating to curl version 7.79.1. | Multiple issues in curl | 1 |
| CVE-2022-22623 | other | curl | Multiple issues were addressed by updating to curl version 7.79.1. | Multiple issues in curl | 1 |
| CVE-2022-22643 | important | FaceTime | This issue was addressed with improved checks. | A user may send audio and video in a FaceTime call without knowing that they have done so | 2 |
| CVE-2022-22611 | critical | ImageIO | An out-of-bounds read was addressed with improved input validation. | Processing a maliciously crafted image may lead to arbitrary code execution | 4 |
| CVE-2022-22612 | critical | ImageIO | A memory consumption issue was addressed with improved memory handling. | Processing a maliciously crafted image may lead to heap corruption | 4 |
| CVE-2022-22641 | important | IOGPUFamily | A use after free issue was addressed with improved memory management. | An application may be able to gain elevated privileges | 3 |
| CVE-2022-22640 | important | Kernel | A memory corruption issue was addressed with improved validation. | An application may be able to execute arbitrary code with kernel privileges | 4 |
| CVE-2021-36976 | other | libarchive | Multiple memory corruption issues existed in libarchive. These issues were addressed with improved input validation. | Multiple issues in libarchive | 3 |
| CVE-2022-22657 | other | GarageBand MIDI | A memory initialization issue was addressed with improved memory handling. | Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution | 1 |
| CVE-2022-22664 | other | GarageBand MIDI | An out-of-bounds read was addressed with improved bounds checking. | Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution | 1 |
| CVE-2022-22644 | other | NSSpellChecker | A privacy issue existed in the handling of Contact cards. This was addressed with improved state management. | A malicious application may be able to access information about a user's contacts | 1 |
| CVE-2022-22609 | other | Preferences | The issue was addressed with additional permissions checks. | A malicious application may be able to read other applications' settings | 4 |
| CVE-2022-22600 | other | Sandbox | The issue was addressed with improved permissions logic. | A malicious application may be able to bypass certain Privacy preferences | 4 |
| CVE-2022-22651 | other | SMB | An out-of-bounds write issue was addressed with improved bounds checking. | A remote attacker may be able to cause unexpected system termination or corrupt kernel memory | 1 |
| CVE-2022-22639 | important | SoftwareUpdate | A logic issue was addressed with improved state management. | An application may be able to gain elevated privileges | 2 |
| CVE-2022-22660 | other | System Preferences | This issue was addressed with a new entitlement. | An app may be able to spoof system notifications and UI | 1 |
| CVE-2022-22621 | other | UIKit | This issue was addressed with improved checks. | A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions | 4 |
| CVE-2021-4136 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2021-4166 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2021-4173 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2021-4187 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2021-4192 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2021-4193 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2021-46059 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2022-0128 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2022-0156 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2022-0158 | other | Vim | Multiple issues were addressed by updating Vim. | Multiple issues in Vim | 1 |
| CVE-2021-30918 | other | VoiceOver | A lock screen issue was addressed with improved state management. | A user may be able to view restricted content from the lock screen | 1 |
| CVE-2022-22668 | important | Wi-Fi | A logic issue was addressed with improved restrictions. | A malicious application may be able to leak sensitive user information | 2 |
| CVE-2022-22666 | critical | AppleAVD | A memory corruption issue was addressed with improved validation. | Processing a maliciously crafted image may lead to heap corruption | 3 |
| CVE-2022-22634 | important | AVEVideoEncoder | A buffer overflow was addressed with improved bounds checking. | A malicious application may be able to execute arbitrary code with kernel privileges | 2 |
| CVE-2022-22635 | important | AVEVideoEncoder | An out-of-bounds write issue was addressed with improved bounds checking. | An application may be able to gain elevated privileges | 2 |
| CVE-2022-22636 | important | AVEVideoEncoder | An out-of-bounds write issue was addressed with improved bounds checking. | An application may be able to execute arbitrary code with kernel privileges | 2 |
| CVE-2022-22670 | other | MediaRemote | An access issue was addressed with improved access restrictions. | A malicious application may be able to identify what other applications a user has installed | 3 |
| CVE-2022-22596 | important | Kernel | A memory corruption issue was addressed with improved validation. | An application may be able to execute arbitrary code with kernel privileges | 2 |
| CVE-2022-22618 | other | Phone | This issue was addressed with improved checks. | A user may be able to bypass the Emergency SOS passcode prompt | 2 |
| CVE-2022-22654 | other | Safari | A user interface issue was addressed. | Visiting a malicious website may lead to address bar spoofing | 1 |
| WebKit Bugzilla 233172 / CVE-2022-22624 | critical | WebKit | A use after free issue was addressed with improved memory management. | Processing maliciously crafted web content may lead to arbitrary code execution | 1 |
| CVE-2022-22652 | other | Cellular | The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. | A person with physical access may be able to view and modify the carrier account information and settings from the lock screen | 1 |
| CVE-2022-22598 | other | CoreMedia | An issue with app access to camera metadata was addressed with improved logic. | An app may be able to learn information about the current camera view before being granted camera access | 1 |
| CVE-2022-22642 | other | FaceTime | This issue was addressed with improved checks. | A user may be able to bypass the Emergency SOS passcode prompt | 1 |
| CVE-2022-22667 | important | GPU Drivers | A use after free issue was addressed with improved memory management. | An application may be able to execute arbitrary code with kernel privileges | 1 |
| CVE-2022-22653 | important | iTunes | A logic issue was addressed with improved restrictions. | A malicious website may be able to access information about the user and their devices | 1 |
| CVE-2022-22622 | other | Markup | This issue was addressed with improved checks. | A person with physical access to an iOS device may be able to see sensitive information via keyboard suggestions | 1 |
| CVE-2022-22659 | important | NetworkExtension | A logic issue was addressed with improved state management. | An attacker in a privileged network position may be able to leak sensitive user information | 1 |
| CVE-2022-22671 | important | VoiceOver | An authentication issue was addressed with improved state management. | A person with physical access to an iOS device may be able to access photos from the lock screen | 1 |


Curl on Windows

Published: 2022-03-14
Last Updated: 2022-03-14 07:40:07 UTC
by Didier Stevens (Version: 1)

About 2 years ago, Xavier wrote a diary entry ("Keep an Eye on Command-Line Browsers") mentioning that curl was now built into Windows.

Since then, we have seen the occasional malicious script using curl to communicate, like the one analysed in the diary entry "Infostealer in a Batch File".

I sometimes hunt for curl-generated traffic (in proxy logs, for example) by searching for curl's User Agent String: curl/<version-number>.

The user agent string does not tell you which operating system it came from. So you have to distinguish curl requests from Linux machines and from Windows machines using other information: asset inventory, TLS fingerprinting (if HTTPS is used), other traffic from the same IP, ...

And of course, curl can be configured with another User Agent String, using option -A (--user-agent).

But that is not the case in the BAT file that Xavier analysed. The script's author uses -H options to add JSON headers, but not to change the user agent string:

So this particular malicious script is rather easy to detect (especially if you are in a network environment without Linux machines): search for the curl user agent string.
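The hunt described above, as an added example that is not part of the diary: a parser that picks curl's default User-Agent out of proxy log lines and groups the hits by client IP, so each source can then be checked against asset inventory. The log lines are constructed, and the combined-log style format they use is an assumption (many proxies can be configured to log the user agent in this form).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (combined-log style, an assumption; the
# webhook path is a placeholder). Not real traffic.
LOG_LINES = """\
10.1.2.3 - - [14/Mar/2022:07:01:10 +0000] "GET https://discord.com/api/webhooks/PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/7.79.1"
10.1.2.4 - - [14/Mar/2022:07:01:12 +0000] "GET https://www.example.com/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.1.2.3 - - [14/Mar/2022:07:02:30 +0000] "POST https://discord.com/api/webhooks/PLACEHOLDER HTTP/1.1" 204 0 "-" "curl/7.79.1"
10.1.2.9 - - [14/Mar/2022:07:05:00 +0000] "GET http://mirror.example.org/index HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.1.2.5 - - [14/Mar/2022:07:06:00 +0000] "GET https://www.example.com/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) curl/7.79.1"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# curl's default UA is exactly curl/<version>; anchoring both ends keeps a
# browser UA that merely mentions curl somewhere from matching.
CURL_UA_RE = re.compile(r"^curl/(?P<version>\d+(?:\.\d+){1,2})$")


def hunt_curl(lines) -> dict:
    """Group curl requests by client IP: versions seen, hosts contacted, count.

    The UA carries no OS information (Windows' built-in curl and a Linux curl
    look the same), so the caller must correlate the client IP with asset
    inventory or TLS fingerprints to tell them apart.
    """
    hits = defaultdict(lambda: {"versions": set(), "hosts": set(), "count": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # unparseable line, skip
        ua = CURL_UA_RE.match(m["ua"])
        if not ua:
            continue                                  # not curl's default UA
        rec = hits[m["client"]]
        rec["versions"].add(ua["version"])
        rec["hosts"].add(urlsplit(m["url"]).hostname or m["url"])
        rec["count"] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, rec in hunt_curl(LOG_LINES.splitlines()).items():
        print(client, rec)
```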

If you are in a corporate environment, there's something else to know about curl on Windows. Although curl has many proxy options, curl is not able to auto-detect proxies. In other words, if you run curl on Windows in a network environment that requires the use of a proxy to access the Internet, curl will not communicate with said proxy unless it is explicitly configured to use a specific proxy (hostname, IP address, port, ...).

And that is the case with the malicious script Xavier wrote about: there are no proxy options in that script, so when curl is executed, it will issue a DNS request for discord[.]com, and if it gets a reply with an IP address, it will connect directly to that IP address.

Although the automatic detection of proxies has been on curl's TODO list for some years now, it is still not implemented. There have been PRs like this one, but it has not been merged into curl's code base.

This means that if an attacker wants to use curl in your corporate environment with proxies, the attacker needs to know the name/ip address of one proxy in your environment and configure that explicitly via curl's proxy options.

If your proxy requires authentication, curl can handle this: not only with explicit credentials, but also with single sign-on, at least on Windows with SSPI.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
