Posts

Showing posts from July, 2023

A Data Exfiltration Attack Scenario: The Porsche Experience

As part of Checkmarx's mission to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy) [1], so it was considered in scope for our research, and we decided to start there and see what we could find. What we found is an attack scenario that results from chaining security issues found on different Porsche assets, a website and a GraphQL API, that could lead to data exfiltration. Data exfiltration is an attack technique that can impact businesses and organizations regardless of size. When malicious users breach a company's or organization's systems and exfiltrate data, it can be a jarring and business-critical moment. Porsche has a diverse online presence, deploying several microsites, websites, and web applications. The Porsche Experience [2] is one website that allows registered users to

Almost 40% of Ubuntu users vulnerable to new privilege elevation flaws

Two Linux vulnerabilities recently introduced into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices. Ubuntu is one of the most widely used Linux distributions, especially popular in the U.S., with an approximate user base of over 40 million. Two recent flaws, tracked as CVE-2023-32629 and CVE-2023-2640 and discovered by Wiz's researchers S. Tzadik and S. Tamari, were recently introduced into the operating system, impacting roughly 40% of Ubuntu's user base. CVE-2023-2640 is a high-severity (CVSS v3 score: 7.8) vulnerability in the Ubuntu Linux kernel caused by inadequate permission checks, allowing a local attacker to gain elevated privileges. CVE-2023-32629 is a medium-severity (CVSS v3 score: 5.4) flaw in the Linux kernel memory management subsystem, where a race condition when accessing VMAs may lead to a use-after-free, allowing a local attacker to perform arbitrary code execution. The

Dark Power Ransomware on the Ascent – A Technical Insight into 2023’s Latest Ransomware Strain

In early February 2023, a new ransomware strain quietly made its way up the ranks. Dubbed Dark Power, the Nim-written ransomware leverages an advanced block cipher technique to bypass detection, stop system-critical services, and, finally, encrypt the victim's files. In this article, we are going to deep-dive into Dark Power ransomware by taking a closer look at its TTPs (i.e., Tactics, Techniques, and Procedures), post-infection actions on objectives, targeting discrimination (or the lack thereof), and more. Dissecting the Dark Power Ransomware: From a historical perspective, the Dark Power ransomware's origins can be traced back to early 2020, when it was just a small blip on security specialists' radar. The analysis performed on the sample revealed a very crude, yet effective, file encryption and ransoming mechanism. Dark Power's first iteration would have employed an encryption technique that randomly generated a (victim-)unique 64-character ASCII string, later to be used in order to

BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities

The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday. The activity was observed between March and May 2023. BlueBravo, also known by the names APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia's Foreign Intelligence Service (SVR) and has in the past used Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts. To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations, after GraphicalNeutrino (aka SNOWYAMBER), HALFRIG, and QUAR