Cropped screenshots on affected software leave behind image data that can be recovered, potentially revealing uncropped screenshot context.
Google Pixel’s Markup tool (CVE-2023-21036, a.k.a. Acropalypse) was discovered in January 2023 and was patched on March 13, 2023.
Separate but similar vulnerability in Microsoft Snipping Tool and Snip & Sketch discovered on March 21, 2023.
Google Pixel’s Markup Tool (Pixel 3 – Pixel 7 Pro)
Microsoft Snipping Tool on Windows 11, Microsoft Snip & Sketch on Windows 10 
Google Pixel Markup Tool – March 2023 Android Security Update . It should be noted that any picture cropped by the unpatched Markup tool in the last 5 years was vulnerable. This patch does not retroactively go through old photos to fix the issue. However, 3rd party tools are available to identify and sanitize vulnerable images .
Windows Snipping Tool – Microsoft is actively testing a patched version of the Windows 11 software and has made a version available to Windows Insiders in the Canary channel (early release & testing builds) in the Microsoft Store as of March 23 . It is anticipated that a formal patch will be released in the near future.
Acropalypse (CVE-2023-21036) – The Acropalypse bug was initially reported to Google in January 2023 and was fixed in the monthly security update released on March 13, 2023. The vulnerability stems from the fact that when an image is cropped using the Markup tool, all of the data from the original image is not deleted and simply resides at the tail of the file .
There are two parts for this vulnerability to work. The first part is that the PNG image needs to be compressed in a certain way . The second part is that the original file must be larger than the cropped image that is saved over it. As shown in the visual below, this is because the original image’s size is not updated, and the newly saved image only overwrites a part of that file.
Using proof-of-concept code such as the Acropalypse app website , vulnerable images can be uploaded, and any retrievable data from the original image file can be recovered.
After the Acropalypse vulnerability became public, security researchers began looking to see if other software behaved in a similar way. On March 21, David Buchanan tweeted his discovery  that the Windows 11 Snipping Tool is also vulnerable. While this and the Acropalypse bug are separate vulnerabilities, the idea behind the issue is generally the same. Using this software, any image that is saved, cropped, and then saved again (over the original image) is vulnerable.
PacketWatch has recommendations and best practices to mitigate potentially sensitive data exposure:
Ensure Pixel devices are fully up-to-date with the latest security patch.
Ensure systems and software receive regular patching.
Conduct a review to determine if these vulnerable tools were used for business processes.
As a best practice, avoid capturing or saving sensitive data in unapproved formats such as an image.
Microsoft released a patch in February regarding a vulnerability with a CVSS score of 9.8, just shy of the maximum of 10. This low-complexity exploit was found and reported to Microsoft by the Ukrainian Computer Emergency Response Team (CERT).
While the Microsoft Security Response Center (MSRC) page states that there is no currently released proof-of-concept (POC) code, security researchers have already figured out how to leverage this exploit. For example, in an article by MDSec on the same day as the announcement, a red teamer built a full POC detailing how the exploit works.
This was originally seen being leveraged by Russian threat actors as early as April 2022. With the publicity of the CVE and ease of exploitation, PacketWatch has high confidence that this will be actively exploited in the coming weeks. PacketWatch already monitors for indicators of compromise (IOCs) by checking for suspicious outbound SMB traffic and is currently advising to both patch Outlook and review firewall policies for current clients.
In emails with tasks or calendar events that have due dates, the sender can specify when it becomes overdue, playing a default or custom sound. The exploit itself relies on that property, where the attacker instead replaces the reminder sound with a malicious UNC path. This triggers the Outlook client to send NTLM hashes over SMB to a destination controlled by the attacker. Once completed, the attacker can then leverage those credentials using an NTLM Relay attack, also known as a Pass-the-Hash attack.
A patch for affected Outlook clients is already available by Microsoft. Proactively, PacketWatch recommends reviewing what protocols and ports can communicate externally to the environment. Microsoft has also released a detection script that can reveal previous exploitation attempts.
THREAT ACTORS LEVERAGING EXPLOITS SEEN IN WILD SINCE DECEMBER
CVE-2021-39144 – VMware Cloud Foundation XStream Remote Code Execution Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has added another VMware vulnerability (CVE-2021-39144) to their growing list of vulnerabilities that they have observed threat actors exploiting in the wild. Exploitation only requires network access to the NSX-v Manager appliance, and successful exploitation will give root privileges (full control) of the NSX-v Manager. This exploit is lower complexity with available POC code, and vulnerable systems only need to be network accessible to any compromised machines, or web accessible, with no additional requirements such as valid credentials.
All versions of VMware NSX Data Center for vSphere (NSX-v) Manager 6.4.14 are affected by the vulnerability. Because these are observed being actively exploited, it is important to ensure that relevant VMware products are fully patched. Additional information is available in the VMware article linked below. Proof of concept (POC) code is currently available, giving both security professionals and threat actors easy methods to find vulnerable systems. The NIST link below has references to available exploit code.
If leveraging VMware Cloud Foundation, ensure that it is fully patched.
Proper documentation of critical and sensitive infrastructure products to quickly identify potentially vulnerable systems.
Network segmentation and limited accessibility to VMware/critical infrastructure should be enforced and periodically reviewed.
The information provided in this article is provided “as-is”. It is not finally evaluated intelligence and should be considered raw information that is provided for strictly situational awareness, given what is known at this time.
Preparing for Cyber Threats Related to Tensions in Ukraine
As events continue to deteriorate in Ukraine, the full geopolitical impact remains unclear, especially in the cyber realm. CISA (Cybersecurity and Infrastructure Security Agency) reports that while there are no specific or credible threats to the US at this time, Russia may consider taking retaliatory action in response to sanctions that may impact business and critical infrastructure in the US. Therefore, CISA and the global intelligence community recommend organizations adopt a heightened, vigilant posture and immediately take additional steps to harden defenses and improve resiliency. PacketWatch is providing actionable steps organizations can take to safeguard themselves during this time.
Be prepared for possible disruptions.
Adopt a heightened cyber posture.
Increase organizational readiness and vigilance.
The Russian government has a proven history of escalating and taking actions to destabilize its perceived adversaries outside of their initially targeted country. The Russian government has demonstrated ability to conduct hybrid warfare combining kinetic and cyber elements for maximum disruption. The Russian government may conduct these cyber activities by its military units, through its intelligence organizations or more commonly through sponsored advanced persistent threat (APT) actors.
Historically, these APT actors have used common yet effective tactics to gain initial access to targeted networks including spear phishing, brute-force attacks, and exploits of common vulnerabilities. These APT actors utilize sophisticated tradecraft and advanced cyber capabilities to compromise third-party software and infrastructure and by developing and deploying custom malware. Typically, these actors maintain persistent, undetected, long-term access in a compromised network and cloud environments often using legitimate credentials.
Steps to Take
Based on knowledge of historical TTPs utilized by these APT actors, organizations should take the following steps to increase organizational readiness:
Enhance network monitoring and visibility
Network Egress Points
Monitor network perimeter egress points; examine outbound traffic for signs of anomalous activity (ports, locations, protocols).
Restrict what ports/services can communicate to external resources.
Geo-block where possible but understand limitations and downstream impacts.
Ensure only assets serving specific business purposes are publicly exposed to the internet.
Monitor egress and ingress communication from computer assets in the DMZ.
Internal Network Hardening
Enforce strong segmentation between network zones to contain traffic.
Restrict endpoint-to-endpoint communication.
Monitor east – west traffic for anomalous activity.
Restrict BYOD assets from access to production networks.
Know your assets and what they access; Identify everything
Update your inventory survey of hardware and software assets.
Review your application control list.
Hunt for unmanaged assets.
Validate Security Controls
Focus on updated controls for Endpoint, Server, Cloud security and Access Management.
Harden Identity and Access Management practices
Align and enforce password policies using an applicable framework/standard.
Unprivileged users should not have privileged access, audit access and permissions.
Implement Multi-Factor Authentication (MFA) across all networks, systems, applications, and resources.
Ensure Vulnerabilities are identified and patched
Scan for open vulnerabilities and patch/mitigate as directed.
Update Vendor Solutions, Open-Source Software, and Operating Systems.
Isolate vulnerable legacy systems.
Ensure Proper Logging
Increase levels of logging and ensure proper collection retention — especially on endpoints, servers, network devices and Cloud services.
Review access logs for suspicious activity and impossible logons.
Monitor for abused or malformed access tokens.
Adopt best practices securing cloud services.
Test and plan for improved resiliency
Review / rehearse / test
Continuity of Operations Planning (COOP) plans.
Business Continuity / Disaster Recovery (BC/DR) plans.
Incident Response (IR) plans.
Ensure adequate staffing for longer duration workloads.
Anticipate service disruptions and supply chain impacts.
Establish alternate providers for mission critical services / providers.
Reach out for assistance if needed
Contact experienced security professionals for assistance in testing or implementing the above recommendations.
If you believe you have been impacted already, contact your local FBI field office.
On the morning of February 25th, 2022, the Conti ransomware team sent out a warning on their news page announcing the full support of the Russian government saying:
“The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy. [sic]”
Conti is Ransomware-as-a-Service that has been used against major corporations and government agencies in North America. In typical ransomware attacks, the actors exfiltrate files, encrypt servers and workstations, and demand a ransom payment.
State-sponsored Russian APT actors are extremely proficient at their trade. Experienced security professionals are available to help. Additional resources are also available from CISA, the FBI, NSA, and others. Although this may seem overwhelming, you need to act now to protect your organization. If you need clarification or assistance in adopting any of the recommendations above, please contact us at email@example.com or visit PacketWatch at https://packetwatch.com. A member of our team will follow up with you.
INFORMATION PRODUCT CAVEAT: The information in this product is provided “as-is.” It is not yet finally evaluated intelligence and should be considered raw information that is provided strictly for situational awareness, give what is known at this time.