
Compromising ByteDance’s Rspack using GitHub Actions Vulnerabilities

Overview: Recently, we identified several critical Pwn Request vulnerabilities within GitHub Actions used by the Rspack repository. These vulnerabilities could allow an external attacker to submit a malicious pull request, without the requirement of being a prior contributor to the repository, and compromise the following secrets: NPM Deployment Token Compromise: Exploitation of the Pwn Request […]

The post Compromising ByteDance’s Rspack using GitHub Actions Vulnerabilities appeared first on Praetorian.

The post Compromising ByteDance’s Rspack using GitHub Actions Vulnerabilities appeared first on Security Boulevard.

Multiple Vulnerabilities Reported in LenelS2 NetBox Entry Tracking and Event Monitoring Tool


Carrier has issued a serious product security advisory confirming the existence of several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities expose the monitoring system to potential compromise, such as remote code execution. The reported vulnerabilities are significant, as NetBox is often used to guard entries at critical facilities such as government-controlled sites and major corporations.

Multiple Vulnerabilities in Carrier's LenelS2 NetBox

Three vulnerabilities were identified in Carrier's product security advisory for NetBox. The most critical of these (CVE-2024-2420) could enable an attacker to circumvent authentication requirements and obtain elevated permissions, presenting a serious risk to enterprises that deploy the tool.

Image: Carrier LenelS2 NetBox Multiple Vulnerabilities (Source: Carrier Product Security Advisory)

Successful compromise could allow an attacker to install programs; view, edit, modify or delete data on the platform; or create new user accounts with full privileges. The impact depends on the access level of the accounts compromised in an attack, and could be lower on systems configured with a low level of user access. The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:
  • CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
  • CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands.
  • CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.
The Center for Internet Security stated that these vulnerabilities pose higher risks to large and medium government or business entities, while posing lower risks to small businesses and individual home users.

Image: LenelS2 NetBox Multiple Vulnerabilities, Carrier (Source: cisecurity.org)

Vulnerability Remediation

Carrier has attempted to address these vulnerabilities in its latest release, NetBox version 5.6.2, and has advised customers to upgrade immediately by contacting their authorized NetBox installer. As mitigation, Carrier also advised customers to follow the recommended deployment guidelines, which are detailed in the NetBox hardening guide accessible through NetBox's built-in help menu. The Center for Internet Security has advised customers to take additional measures such as applying appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, rigorously scanning for vulnerabilities, and isolating critical systems, functions, or resources.

The lack of basic security safeguards, along with poor coding practices such as hard-coded authentication tokens and improper input sanitization, raises concerns about the use of NetBox to guard physical access to important business and government areas or critical infrastructure. While there are no confirmed reports of the NetBox vulnerabilities being exploited in the wild, their severity marks them as an important security consideration, as countless organizations could be at risk of devastating attacks.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Fortinet FortiSIEM Vulnerabilities Expose Systems to Remote Code Execution


Multiple vulnerabilities have recently been discovered in Fortinet FortiSIEM, raising concerns over potential remote code execution exploits. FortiSIEM, known for its real-time infrastructure and user awareness capabilities that support precise threat detection, analysis, and reporting, faces significant risk from these vulnerabilities. If successfully exploited, they could grant remote attackers the ability to execute code in the context of the affected service account. This could lead to a range of malicious activities, including the installation of unauthorized programs, manipulation of data, or even the creation of new accounts with extensive user rights.

Understanding the Fortinet FortiSIEM Vulnerability

The severity of the Fortinet FortiSIEM vulnerability varies based on the privileges associated with the compromised service account, with administrative accounts posing the highest risk. According to SingCERT, proof-of-concept exploits are already available for CVE-2024-23108 and CVE-2023-34992, indicating an immediate threat to vulnerable systems. Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.2 are all affected by the vulnerabilities. The risks associated with these vulnerabilities vary across sectors, with large and medium government entities and businesses facing high risk, while small government entities and businesses face a medium level of risk. Home users are considered to have low-risk exposure.

Technical Analysis of FortiSIEM Vulnerability

Technical analysis of these FortiSIEM vulnerabilities reveals that the flaw primarily relies on the Execution tactic, specifically the Command and Scripting Interpreter technique. Multiple instances of improper neutralization of special elements used in an OS command have been identified in the FortiSIEM supervisor. These vulnerabilities could be exploited by remote, unauthenticated attackers via specially crafted API requests.

To mitigate the risks associated with these FortiSIEM vulnerabilities, it is recommended to promptly apply the patches provided by Fortinet after thorough testing. Other measures include establishing and maintaining a documented vulnerability management process for enterprise assets, performing regular automated application updates, enforcing network-based URL filters to limit access to potentially malicious websites, implementing the principle of least privilege for privileged account management, blocking unauthorized code execution through application control and script blocking, establishing and maintaining a secure configuration process for enterprise assets and software, and addressing penetration test findings according to the enterprise's remediation policy.

By adhering to these recommendations, organizations can effectively mitigate the vulnerabilities in Fortinet FortiSIEM, safeguarding their systems against potential remote code execution exploits. Stakeholders must prioritize these actions to ensure the security and integrity of their IT infrastructure.

NIST Struggles with NVD Backlog as 93% of Flaws Remain Unanalyzed


The funding cutbacks announced in February have continued to hobble NIST’s ability to keep the government’s National Vulnerability Database (NVD) up to date, with one cybersecurity company finding that more than 93% of the flaws added have not been analyzed or enhanced, a problem that will make organizations less safe. “With the recent slowdown of..

The post NIST Struggles with NVD Backlog as 93% of Flaws Remain Unanalyzed appeared first on Security Boulevard.

PyPI crypto-stealer targets Windows users, revives malware campaign

Sonatype has discovered 'pytoileur', a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long "Cool package" campaign.

The post PyPI crypto-stealer targets Windows users, revives malware campaign appeared first on Security Boulevard.

Massive Google Leak Exposes Search Algorithm Secrets


For over two decades, Google search rankings have functioned as the internet's invisible puppeteer, dictating which websites rise to the top of search results and influencing the online landscape in profound ways. SEO professionals have tirelessly analyzed Google's every move, piecing together cryptic clues to optimize websites for coveted top rankings. But the inner workings of this algorithmic behemoth have largely remained a mystery, until now.

A recent massive leak of internal Google documents has sent shockwaves through the SEO community and beyond. The trove, titled "Google API Content Warehouse" and exceeding 2,500 pages with 14,014 attributes, offers an unprecedented look at Google's search API and the intricate web of factors that influence search results.

Image: Google Search (Source: X)

Google has now pulled down its documentation, which specified the parameters the company has been using for generating and ranking Search results, after accidentally publishing it on GitHub. The American technology giant published the “Google API Content Warehouse” documentation on GitHub on March 27, 2024, and pulled it back on May 7.

An anonymous source, who has since revealed himself as Erfan Azimi, CEO and director of SEO at the digital marketing agency EA Eagle Digital, shared the leak with SEO veteran Rand Fishkin. It promises to be a potential goldmine of information. However, Fishkin cautioned that it is not a straightforward recipe for guaranteed SEO success. “The sheer volume of information, with some components potentially outdated, presents a complex puzzle for SEO professionals to decipher,” he cautioned. While the leaked documents shed light on what Google might consider, they do not reveal the specific ranking hierarchy. This missing piece makes it difficult to prioritize optimization efforts and leaves room for interpretation.

The leak has also ignited debate regarding Google's past pronouncements on SEO. Fishkin suggests discrepancies between the leaked documents and previous statements from Google employees, particularly concerning "domain authority", a website's overall ranking power. The documents seem to suggest that domain authority carries more weight than Google has publicly acknowledged. Google has so far maintained a stony silence regarding the leak's authenticity. This lack of response has fueled speculation within the SEO community. However, it is important to consider the leak within the context of Google's recent algorithmic update prioritizing "helpful content." This update reflects Google's ongoing battle against manipulative SEO tactics and its commitment to elevating content that genuinely serves user needs.

Potential Implications of the Google Search Ranking Leak

The ramifications of the leak extend far beyond the realm of SEO. Here are some key areas potentially impacted:
  • Transparency and Trust: The leak raises questions about Google's transparency regarding its search algorithms. Inconsistent messaging between leaked documents and public statements can erode trust with website owners and content creators.
  • Evolving Search Landscape: The leaked documents offer valuable insights into Google's current approach to search ranking. However, search algorithms are constantly evolving, and the information may not hold true for extended periods.
  • The Future of SEO: While the leak provides a valuable snapshot, it shouldn't be misconstrued as a definitive SEO guide. SEO professionals still need to adapt to Google's ongoing algorithmic changes and prioritize creating high-quality content that resonates with users.

Industry Buzzing with Reactions on Social Media over Google Search Algorithm

There have been multiple reactions from stakeholders on social media over the leak. Rand Fishkin declared the leak the biggest ever on the mysteries of Google's ranking algorithms: “In the last quarter century, no leak of this magnitude or detail has ever been reported from Google’s search division. If you're in SEO, you should probably see this.”

Image: Google Search Ranking (Source: X)

iPullRank founder and CEO Mike King has acknowledged the leak as a newsworthy event but advises caution. He suggested that the leaked documents might be incomplete or outdated and may not reveal the entire picture of Google's ranking factors. He also suggested that website owners shouldn't drastically alter their SEO strategies based solely on this leak. “This leak is another indication that you should be taking in the inputs and experimenting with them to see what will work for your website. It’s not enough to look at anecdotal reviews of things and assume that’s how Google works. If your organization does not have an experimentation plan for SEO, now is a good time to start one,” he said.

Image: Google Search Ranking (Source: X)

SEO consultant Aleyda Solis has raised concerns about the leak's potential to erode trust between Google and website owners. She said that transparency was a major concern in SEO, and that if there were discrepancies between what Google said and what the leaked documents revealed, it could damage trust.

Image: Google Search (Source: X)

Google Yet to React to Document Leak

Even though this leaked data reveals the factors that Google Search might consider when ranking search results, it doesn't reveal how important each factor is or how much "weight" it carries in the final ranking decision. The data could be helpful for SEO professionals who constantly adapt their strategies to keep pace with Google Search's ranking changes and strive for higher rankings. Upon reviewing these documents, many stakeholders claimed to have found discrepancies between what Google has publicly stated about how Search works and what the leaked information suggests.

Google has not yet issued a public statement regarding the leak. The company announced its most recent major Search update in March, focusing on surfacing more authentic content that is demonstrably "helpful." This update involved modifications to Google's core ranking systems to identify pages that were "created for search engines instead of people."

Identity vulnerabilities a concern at Microsoft, outside researcher claims – Source: www.proofpoint.com


Source: www.proofpoint.com – Size matters, at least when it comes to cybersecurity. That’s according to Ryan Kalember, chief […]

The post Identity vulnerabilities a concern at Microsoft, outside researcher claims – Source: www.proofpoint.com was published first on CISO2CISO.COM & CYBER SECURITY GROUP.

Check Point VPN Fix Released After Researchers Observe Malicious Access Attempts


Check Point researchers have observed a surge in threat actor groups targeting remote-access VPN environments as an entry point for gaining access to enterprise networks. In response to these threats, Check Point has been monitoring unauthorized access attempts on Check Point VPNs and has released a preventative solution to address the issue. While the researchers suggested that the issue is broader than Check Point VPNs, the fix applies solely to Check Point environments.

Identification of Unauthorized Access Attempts to Check Point VPN

On May 24, Check Point identified a small number of login attempts using old VPN local accounts that relied on an unrecommended password-only authentication method. The company assembled special teams of Incident Response, Research, Technical Services, and Products professionals to thoroughly investigate these attempts and any other potentially related incidents. Within 24 hours, the teams identified several potential customers who were subject to similar attempts and notified them accordingly. The teams consider password-only authentication methods insecure and more susceptible to the compromise of network infrastructure, recommending against solely relying on these methods when logging into network infrastructure. Several points were advised by the teams as preventative measures, such as:
  • Reviewing and disabling unused local accounts.
  • Implementing an additional layer of authentication, such as certificates, to password-only accounts.
  • Deploying additional solutions on Security Gateways to automatically block unauthorized access.
  • Contacting the Check Point technical support team or a local representative for additional guidance and assistance.
In case of suspected unauthorized access attempts, Check Point researchers recommend that organizations analyze all remote access connections of local accounts with password-only authentication, monitor connection logs from the past 3 months, and verify the familiarity of user details, time, source IP address, client name, OS name, and application based on configured users and business needs.

Check Point has also released a hotfix to prevent users with password-only authentication from connecting to Security Gateways. After implementation, local accounts using password-only authentication will be prevented from logging into the Check Point Remote Access VPN. If any connections or users are not validated, invoking the incident response playbook or contacting Check Point Support or a local Check Point representative is advised. The company stated that it witnessed the compromise of several VPN solutions, including those of various cybersecurity vendors.

Implementing Check Point VPN Hotfix

Check Point has released a script to identify potential risks of compromise in its VPN environment. Enterprises can download the VPNcheck_v2.zip archive and follow the steps on the solution page. If the script identifies local accounts with password-only authentication, users can proceed with the installation of the Security Gateway hotfix as an option. The hotfix is available via the Check Point Upgrade Service Engine (CPUSE) or through manual download.

The hotfix adds a new command, blockSFAInternalUsers, to the Security Gateway, allowing admins to block or grant access to internal users with password-only authentication. The default value is set to block internal users from connecting with password-only authentication. After the hotfix is installed, users who attempt to connect using the weak password-only authentication method will be blocked, and a security log will record the attempt as failed.

As remote operations and online threats rise, organizations must prioritize the implementation of stronger VPN authentication methods while monitoring for unauthorized attempts to access these environments. Failure to do so can lead to compromised network infrastructure or assets, data breaches, and significant financial and reputational damage.
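The log review Check Point recommends above (isolating password-only local-account logins from the past three months and checking user, time, source IP, client and OS against what the organization actually expects) can be scripted. The following is an added example and is not Check Point's VPNcheck script or any Check Point code: the key=value log layout, the field names, the sample log lines, the review date and the baseline of expected accounts are all constructed for illustration, and real gateway logs will differ in layout.

```python
"""Triage of VPN connection logs for password-only local-account logins.

Added example, not Check Point's VPNcheck script or any Check Point code.
The key=value log layout, the field names, the sample lines and the baseline
of expected accounts are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines, not real gateway output.
SAMPLE_LOG = """\
time=2024-05-24T02:13:07Z user=vpn_legacy01 auth=password src=203.0.113.45 client="Endpoint Security VPN" os=Windows result=success
time=2024-05-24T09:02:41Z user=jsmith auth=certificate src=198.51.100.17 client="Endpoint Security VPN" os=Windows result=success
time=2024-05-24T03:55:12Z user=vpn_legacy01 auth=password src=203.0.113.45 client="Endpoint Security VPN" os=Linux result=success
time=2024-04-02T11:20:00Z user=contractor7 auth=password src=198.51.100.88 client="Endpoint Security VPN" os=Windows result=success
time=2024-01-15T11:20:00Z user=contractor7 auth=password src=198.51.100.88 client="Endpoint Security VPN" os=Windows result=success
time=2024-05-25T02:00:00Z user=contractor7 auth=password src=203.0.113.9 client="Endpoint Security VPN" os=Windows result=success
"""

# Review date used for the 90-day lookback (constructed).
NOW = datetime(2024, 5, 28, tzinfo=timezone.utc)


@dataclass
class Expectation:
    """What the organization expects for one password-only local account."""
    networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network]
    clients: set[str]
    oses: set[str]
    hours_utc: tuple[int, int]  # [start, end) hour window in UTC


# Constructed baseline: accounts absent from it are flagged on every login,
# which is the "old, forgotten local account" case the advisory describes.
BASELINE: dict[str, Expectation] = {
    "contractor7": Expectation(
        networks=[ipaddress.ip_network("198.51.100.0/24")],
        clients={"Endpoint Security VPN"},
        oses={"Windows"},
        hours_utc=(8, 18),
    ),
}


def parse_log(text: str) -> list[dict[str, str]]:
    """Split key=value lines into dicts; shlex keeps quoted values as one token."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def password_only_accounts(records: list[dict[str, str]]) -> set[str]:
    """Local accounts that authenticated with a password alone."""
    return {r["user"] for r in records if r.get("auth") == "password"}


def triage(text: str, now: datetime, lookback_days: int = 90) -> list[dict]:
    """Flag password-only logins inside the window that deviate from the baseline."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for rec in parse_log(text):
        if rec.get("auth") != "password":
            continue  # certificate-backed sessions are out of scope for this review
        when = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when < cutoff:
            continue
        reasons = []
        expected = BASELINE.get(rec["user"])
        if expected is None:
            reasons.append("local account has no baseline entry")
        else:
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in expected.networks):
                reasons.append(f"source {src} outside expected networks")
            if rec.get("client") not in expected.clients:
                reasons.append(f"unexpected client {rec.get('client')!r}")
            if rec.get("os") not in expected.oses:
                reasons.append(f"unexpected OS {rec.get('os')!r}")
            start, end = expected.hours_utc
            if not start <= when.hour < end:
                reasons.append(f"login at {when.hour:02d}:00 UTC outside expected hours")
        if reasons:
            findings.append({"time": rec["time"], "user": rec["user"], "src": rec["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("password-only accounts:", sorted(password_only_accounts(parse_log(SAMPLE_LOG))))
    for f in triage(SAMPLE_LOG, NOW):
        print(f["time"], f["user"], f["src"], "; ".join(f["reasons"]))
```

On the constructed sample, every password-only session in the window either matches its baseline entry on all four attributes or yields a finding listing exactly what did not match; the certificate-authenticated session and the session older than the lookback window are skipped, and the account with no baseline entry is flagged on each of its logins.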

TP-Link Resolves High-Stakes Vulnerability in Archer C5400X Gaming Router


In a recent disclosure by ONEKEY Research Lab, a critical vulnerability in the TP-Link Archer C5400X gaming router was exposed that leads to remote command execution. The TP-Link Archer C5400X is a gaming router with integrated malware defense and compatibility with Alexa voice commands and IFTTT applets. This TP-Link Archer C5400X vulnerability, tracked as CVE-2024-5035, was rooted in command injection, a format string vulnerability, and buffer overflows within components such as rftest and libshared. Affecting versions before 1_1.1.7, it posed a grave risk to users, potentially allowing malicious actors to execute arbitrary commands remotely with elevated privileges. While the format string vulnerability requires specific conditions for exploitation, the focus of this disclosure centered on the rftest binary, integral to the device's wireless functionality. TP-Link has fixed the Archer C5400X vulnerability in version 1_1.1.7.

The Timeline of TP-Link Archer C5400X Vulnerability Exposure

According to ONEKEY Research Lab, the TP-Link Archer C5400X vulnerability was initially reported on February 16, 2024, with the submission of a detailed report to TP-Link's PSIRT. Following the report, TP-Link promptly opened a case on February 19.

Image: Archer C5400X vulnerability (Source: ONEKEY)

After collaborative efforts and validation, TP-Link shared a beta version, 1.1.7p1, on April 10 for further testing, culminating in the confirmation and release of the patch by ONEKEY on May 27, 2024. The vulnerability exposed a critical flaw in the TP-Link Archer C5400X gaming router, rendering it susceptible to remote command execution. This exploit granted unauthorized users the ability to execute arbitrary commands on the device, posing security risks to users' data and network integrity. “It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices”, said ONEKEY in the advisory.

Understanding the TP-Link Archer C5400X Vulnerability

Image: Archer C5400X vulnerability (Source: TP-Link)

Central to this TP-Link Archer C5400X vulnerability is the rftest binary, launched during the device's initialization sequence. This binary, responsible for wireless interface self-assessment, inadvertently exposes a network service vulnerable to unauthenticated command injection. Attackers can leverage this vulnerability to remotely execute commands with elevated privileges, potentially compromising the device and its connected network.

To mitigate the risk posed by this vulnerability, users are strongly advised to upgrade their devices to version 1_1.1.7. TP-Link has implemented fixes to prevent command injection through shell meta-characters, thereby enhancing the security posture of affected devices. However, users must remain vigilant and proactive in ensuring their devices are up to date with the latest firmware releases to safeguard against emerging threats.
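The FortiSIEM findings described earlier on this page (improper neutralization of special elements used in an OS command, reachable through API requests) and the Archer C5400X rftest issue (command injection through shell meta-characters in a network-exposed wireless-configuration service) are the same bug class: untrusted request fields are spliced into a string that a shell interprets. The example below is added here to show that class and its fix; it is not code from Fortinet, TP-Link or ONEKEY, and it sketches a hypothetical wireless-configuration handler in its vulnerable shape beside a hardened one. The tool path, the parameter names, the interface-name pattern and the accepted channel range are assumptions.

```python
"""Vulnerable versus hardened handling of a wireless-configuration request.

Added example, not vendor code. The handler, the tool path and the accepted
parameter ranges are assumptions chosen for illustration.
"""
import re
import subprocess

# Assumed fixed tool path; the hardened path never lets the caller choose it.
IWCONFIG = "/usr/sbin/iwconfig"

# Characters that let a shell split, chain, redirect or substitute commands.
# Used only as a defence-in-depth check; the real fix is to never invoke a shell.
SHELL_META = set(";|&$`<>()\n\r\"'\\ \t*?[]{}~!#")

INTERFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")  # assumed naming rule
CHANNEL_RANGE = range(1, 178)  # assumed: 2.4 GHz and 5 GHz channel numbers


def contains_shell_metachars(value: str) -> bool:
    """True if any character in value has special meaning to a POSIX shell."""
    return any(ch in SHELL_META for ch in value)


def build_command_unsafe(interface: str, channel: str) -> str:
    """The vulnerable pattern: request fields concatenated into one shell string.

    Whatever the caller puts in either field is parsed by the shell, so a field
    containing a separator becomes a second command. Shown for contrast only;
    nothing in this example executes the returned string.
    """
    return f"iwconfig {interface} channel {channel}"


def build_command_safe(interface: str, channel: str) -> list[str]:
    """Hardened form: strict allow-list validation, then an argument vector.

    Validation rejects anything that is not a plausible interface name or an
    in-range channel number, and the result is an argv list, so no shell is
    involved and meta-characters carry no meaning even if one slipped through.
    """
    if not INTERFACE_RE.fullmatch(interface):
        raise ValueError(f"invalid interface name: {interface!r}")
    if not channel.isdigit() or int(channel) not in CHANNEL_RANGE:
        raise ValueError(f"invalid channel: {channel!r}")
    return [IWCONFIG, interface, "channel", str(int(channel))]


def rejects(interface: str, channel: str) -> bool:
    """Helper: does the hardened builder refuse this request?"""
    try:
        build_command_safe(interface, channel)
    except ValueError:
        return True
    return False


def set_channel(interface: str, channel: str) -> subprocess.CompletedProcess:
    """Run the hardened command without a shell (shell=False is the default)."""
    argv = build_command_safe(interface, channel)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    benign = ("wlan0", "6")
    hostile = ("wlan0; echo injected", "6")  # constructed input with a separator
    print("unsafe string :", build_command_unsafe(*hostile))  # shell would see two commands
    print("safe argv     :", build_command_safe(*benign))
    print("hostile refused:", rejects(*hostile))
```

The point of the contrast is that the hardened builder does not try to strip meta-characters out of the string; it validates each field against what a legitimate request can contain and hands the tool an argument vector, which is the fix a vendor patch for this bug class normally amounts to. `contains_shell_metachars` is kept only as a secondary check for logging or alerting on suspicious requests.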

Exposing Recent Vulnerabilities in Routers

The TP-Link Archer C5400X router vulnerability is just one of the cases where a flaw was exploitable without a third-party breach. Previously, CISA flagged two end-of-life D-Link routers, adding them to its Known Exploited Vulnerabilities catalog. The router vulnerabilities, CVE-2014-100005 and CVE-2021-40655, affected three main products, the DIR-600, DIR-605, and DIR-605L. Exploitation of these vulnerabilities allowed unauthorized configuration changes and the theft of usernames and passwords. The Cyber Security Agency of Singapore also stressed these two vulnerabilities, stating that the mitigation strategy to avoid exploitation is to “retire and replace their devices with products that are supported by the manufacturer.”

Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw

In recent cybersecurity news, Google has swiftly addressed a critical security concern by releasing an emergency update for its Chrome browser. This update targets the third zero-day vulnerability detected in less than a week. Let’s have a look at the details of this Google Chrome zero-day patch and understand its implications for user safety.   […]

The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on TuxCare.

The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on Security Boulevard.

Understanding and Mitigating Privilege Escalation Vulnerabilities in the Linux Kernel

Privilege escalation is a critical security issue in Linux systems, potentially leading to full system compromise. The Dirty COW and Dirty Pipe vulnerabilities are popular examples of privilege escalation vulnerabilities in the Linux kernel. Modernize your Linux patching approach with an automated and rebootless patching solution, KernelCare Enterprise. Like any complex software, the Linux kernel […]

The post Understanding and Mitigating Privilege Escalation Vulnerabilities in the Linux Kernel appeared first on TuxCare.

The post Understanding and Mitigating Privilege Escalation Vulnerabilities in the Linux Kernel appeared first on Security Boulevard.

Amazon Secures pcTattletale Spyware AWS Infrastructure After Hack Reveals 17TB of Data


Soon after an independent researcher exposed a vulnerability in the commercial-grade pcTattletale spyware tool that could compromise recordings, the tool’s website was hacked and defaced. The hacker claimed to have accessed at least 17TB of victim screenshots and other sensitive data, viewing the site's hacking as a personal challenge after a researcher's limited disclosure to prevent exploitation of the flaw by bad actors. Amazon promptly placed an official lock on the site's AWS infrastructure following the hacking incident. The pcTattletale spyware's flawed architecture and its discovery demonstrate the inherent vulnerabilities present in common spyware applications, potentially impacting not just individuals but entire organizations and families.

pcTattletale Spyware Vulnerabilities and Poor-Data Handling Practices

The pcTattletale spyware tool offered a live feed of screenshots from the victim's device as its primary feature, alongside typical spyware functionality such as location tracking. However, this extensive monitoring feature, backed by poor infrastructure and data-handling practices, has also been its downfall, with data breaches exposing the private data of targets.

First, a 2021 data breach demonstrated Insecure Direct Object Reference (IDOR) vulnerabilities in the spyware tool's domain infrastructure, potentially allowing access to sensitive data through guessable Amazon S3 URLs. Last week, researcher Eric Daigle uncovered an API bug that also potentially allowed access to sensitive data across registered devices. This vulnerability allowed unauthorized users to access private information in the form of comprehensive screen recordings.

A subsequent hack then exposed pcTattletale's backend to the public, revealing an astonishing disregard for secure practices. The hacker discovered that the spyware shipped with hardcoded AWS credentials, accessible via a hidden webshell, potentially enabling years of undetected data exfiltration. This oversight, remarkable for its simplicity and duration, underscores a major failure in the handling of user data.

pcTattletale Spyware Latest Hack

The hacker defaced pcTattletale's official site, replacing it with a writeup of the operation and links to compromised data obtained from the site's AWS infrastructure. The volume of data stored by pcTattletale was found to be overwhelming, with the hacker reporting the discovery of over 17 terabytes of victim device screenshots from more than 10,000 devices, some dating back to 2018. Although the released data dump did not include these screenshots, it reportedly contained database dumps, full webroot files for the stalkerware service, and other S3 bucket contents, exposing years of sensitive information.

Image: pcTattletale spyware site defaced (Source: archive.org)

The breach also uncovered a simple webshell hidden since at least December 2011 in the spyware's backend code. This backdoor allowed arbitrary PHP code execution through the use of cookies, raising questions about its origin: whether it was placed by pcTattletale itself as a backdoor or by a threat actor. The hacker later updated the defaced site to share a video, claiming it as footage of the pcTattletale founder's attempts to restore the site. It took over 20 hours for the defaced website to be taken down, with pcTattletale’s service continuing to send screenshots to the S3 bucket until Amazon officially locked down the spyware service's AWS account.

Image: pcTattletale Spyware AWS Amazon Lock (Source: ericdaigle.ca)

Following the official lockdown of the site's AWS infrastructure, security researcher Eric Daigle expanded his earlier limited disclosure with a step-by-step account of the flaw he had found. He noted that while the site's attacker exploited an unrelated flaw, it was about as trivial in its complexity.

Victims Affected by pcTattletale Spyware Data Leak

The pcTattletale data leak is particularly alarming because several organizations employed the tool to monitor employees and clients, exposing confidential information across sectors such as banks, law firms, educational institutes, healthcare providers, and even government agencies. Notable instances of victims affected by the data breach, as stated by security researcher maia crimew, who explored the incident and shared data in a blog article, include:
  • Hotels leaking guest information such as personal data and credit card details.
  • Law firms exposing lawyer-client communications and client bank-routing information.
  • A bank revealing confidential client data.
  • Educational institutes such as schools and childcare centers monitoring employees or students, revealing personal data.
  • Healthcare providers exposing patient information.
  • A Palestinian government agency employee being monitored.
  • The HR department of a Boeing supplier revealing personal information of employees.
  • Tech companies secretly installing pcTattletale on employee devices suspected of wrongdoing, exposing internal systems and source code.
  • A bug bounty hunter who installed the software for pentesting, then immediately tried to uninstall it.
Concerningly, the spyware was also offered as a way for parents and spouses to keep tabs on their children and partners respectively, potentially exposing that information in the resulting breach.

[Image: pcTattletale spyware data. Source: maia.crimew.gay]

Given the wide range of affected companies and the significant security lapses, security researcher maia crimew noted that pcTattletale could face severe repercussions, possibly including a cessation of its operations: the Federal Trade Commission (FTC) had previously ordered other US stalkerware developers to cease operations following breaches, and pcTattletale's case is poised for similar consequences. The widespread misuse and systemic security failures of pcTattletale highlight the dangers inherent in stalkerware software and services, as well as the urgent need for stringent regulatory oversight and robust security measures over these tools to protect the data and privacy of individuals and organizations.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

SingCERT Warns Critical Vulnerabilities Found in Multiple WordPress Plugins

WordPress plugin vulnerabilities

The Cyber Security Agency of Singapore has issued a critical alert concerning vulnerabilities in several WordPress plugins, highlighting the urgency for users to take immediate action. These WordPress plugin vulnerabilities, deemed critical, pose significant risks to website security, potentially allowing unauthorized access and exploitation by malicious actors. Security updates have been promptly released to address these critical vulnerabilities in multiple WordPress plugins. SingCERT has reported 9 critical WordPress plugin vulnerabilities and has shared mitigation strategies to avoid exploitation by threat actors.

SingCERT Flagged Multiple WordPress Plugin Vulnerabilities

SingCERT flagged these critical WordPress vulnerabilities, including those allowing arbitrary file uploads and SQL injection. These vulnerabilities are as follows: 

Copymatic – AI Content Writer & Generator

Exploitation of this vulnerability (CVE-2024-31351) could enable an unauthenticated attacker to upload arbitrary files to a website, potentially compromising its integrity. The severity of this vulnerability is highlighted by its maximum CVSSv3.1 score of 10 out of 10, affecting plugin versions prior to 1.7.

Pie Register – Social Sites Login (Add on)

Identified as CVE-2024-4544, this plugin vulnerability allows for authentication bypass, potentially enabling unauthorized access to user accounts. With a CVSSv3.1 score of 9.8 out of 10, versions of the plugin before 1.7.8 are affected.

Hash Form Drag & Drop Form Builder

The Hash Form Drag & Drop Form Builder vulnerability (CVE-2024-5084) permits unauthenticated attackers to upload arbitrary files, facilitating remote code execution on affected sites. Rated 9.8 out of 10, it affects versions of the plugin before 1.1.1.

Country State City Dropdown CF7 Plugin

The vulnerability (CVE-2024-3495) identified in this plugin allows for SQL injection, potentially compromising sensitive data stored in the website's database. The vulnerability is rated at 9.8 out of 10, and versions before 2.7.3 are affected.

WPZOOM Addons for Elementor (Templates, Widgets)

This vulnerability (CVE-2024-5147) enables unauthenticated attackers to upload and execute arbitrary files on the server, posing a severe threat to website security. Versions of the plugin before 1.1.38 are vulnerable, with a CVSSv3.1 score of 9.8 out of 10.

Business Directory Plugin – Easy Listing Directories

Vulnerable to SQL injection (CVE-2024-4443), this plugin allows unauthenticated attackers to extract sensitive information from the website's database. With a CVSSv3.1 score of 9.8 out of 10, versions before 6.4.3 are at risk.

UserPro Plugin

This vulnerability (CVE-2024-35700) enables attackers to escalate privileges, potentially gaining full control of the affected website. Versions of the plugin before 5.1.9 are affected, with a CVSSv3.1 score of 9.8 out of 10.

Fluent Forms Contact Form Plugin

Vulnerable versions of this plugin (CVE-2024-2771) permit privilege escalation, posing significant risks to website security. Versions prior to 5.1.17 are affected, with a CVSSv3.1 score of 9.8 out of 10. It is worth noting that this vulnerability is being actively exploited.

Web Directory Free Plugin

This plugin vulnerability (CVE-2024-3552) allows unauthenticated attackers to interact directly with the website's database through SQL injection, potentially leading to data theft. Versions before 1.7.0 are affected, with a CVSSv3.1 score of 9.3 out of 10.

Mitigation Strategies for WordPress Vulnerabilities

Users and administrators running the affected versions of these WordPress plugins are strongly advised to update to the latest versions immediately to mitigate these vulnerabilities and safeguard their websites against potential exploitation. For further details and guidance on mitigation for these WordPress plugin vulnerabilities, users can refer to the respective plugin documentation and the updates provided by the developers. Additionally, employing security measures such as virtual patching can provide interim protection while awaiting updates. Ensuring the security of WordPress websites requires proactive measures, including regular updates and monitoring for vulnerabilities. By staying informed and promptly addressing security concerns, website owners can effectively protect their online assets from potential threats.

JAVS Courtroom Audio-Visual Software Installer Serves Backdoor – Source: www.securityweek.com

Source: www.securityweek.com – Author: Ionut Arghire Thousands of computers are at risk of complete takeover after hackers added a backdoor to the installer for the Justice AV Solutions (JAVS) Viewer software, Rapid7 warned in an advisory. According to Rapid7, the hackers injected a backdoor in the JAVS Viewer v8.3.7 installer that is being distributed […]

The post JAVS Courtroom Audio-Visual Software Installer Serves Backdoor – Source: www.securityweek.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Google Patches Fourth Chrome Zero-Day in Two Weeks – Source: www.securityweek.com

Source: www.securityweek.com – Author: Ionut Arghire Google on Thursday rolled out a fresh Chrome update to address another exploited vulnerability in the popular web browser, the fourth zero-day to be patched in two weeks. Tracked as CVE-2024-5274, the high-severity flaw is described as a type confusion in the V8 JavaScript and WebAssembly engine. “Google […]

The post Google Patches Fourth Chrome Zero-Day in Two Weeks – Source: www.securityweek.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Customized Vulnerability Management Dashboard for CISOs – Source: securityboulevard.com

Source: securityboulevard.com – Author: Alibha CISOs require a central hub for visualizing critical security data. Strobes RBVM empowers you to construct impactful CISO dashboards, transforming complex information into actionable insights. This guide equips you with the knowledge to leverage Strobes RBVM’s features and craft exceptional dashboards that surpass industry standards. Why Strobes RBVM is Ideal […]

The post Customized Vulnerability Management Dashboard for CISOs – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Customized Vulnerability Management Dashboard for CISOs

CISOs require a central hub for visualizing critical security data. Strobes RBVM empowers you to construct impactful CISO dashboards, transforming complex information into actionable insights. This guide equips you with...

The post Customized Vulnerability Management Dashboard for CISOs appeared first on Strobes Security.

The post Customized Vulnerability Management Dashboard for CISOs appeared first on Security Boulevard.

Veeam Addresses Authentication Bypass in Backup Enterprise Manager

Veeam vulnerability

Veeam, a leading provider of data management solutions, issued a critical warning to its customers regarding a vulnerability discovered in its Backup Enterprise Manager (VBEM) platform. Tracked as CVE-2024-29849, this Veeam vulnerability allows unauthorized attackers access to any account through the VBEM system. VBEM serves as a vital web-based tool for administrators, offering a centralized platform to manage Veeam Backup and Replication installations. It streamlines backup operations and facilitates restoration tasks across extensive backup infrastructures and organizational deployments.

Understanding the Veeam Vulnerability List

According to the official report, VBEM is not enabled by default, meaning not all environments are exposed to exploits targeting CVE-2024-29849. Nevertheless, Veeam has rated this vulnerability with a CVSS base score of 9.8, reflecting its severity and ease of exploitation. Alongside CVE-2024-29849, several other vulnerabilities have been identified in VBEM, including CVE-2024-29850, CVE-2024-29851, and CVE-2024-29852. These vulnerabilities vary in severity, with some allowing account takeovers and unauthorized access to sensitive data. To address these security concerns, Veeam released a fix in Veeam Backup Enterprise Manager version 12.1.2.172. This updated version is packaged with Veeam Backup and Replication 12.1.2 (build 12.1.2.172), providing a comprehensive solution to mitigate the identified vulnerabilities.

Mitigation Against the Veeam Vulnerabilities

Although immediate patching is recommended, for customers unable to do so Veeam recommends halting the VBEM software and disabling the specific services associated with it. This temporary workaround helps minimize the risk of exploitation until the system is fully patched. When uninstalling Veeam Backup Enterprise Manager, only the application is removed, leaving the configuration database and stored data intact. Reinstallation is straightforward with the preserved settings, but manual deletion of the database is recommended if it will not be reused. The steps to uninstall VBEM are as follows:
  • From the Control Panel, navigate to Programs and Features.
  • Find Veeam Backup and Replication, right-click, and select Uninstall.
  • Ensure the checkbox next to Veeam Backup Enterprise Manager is selected, then click Remove.
Veeam also emphasized the importance of regular vulnerability testing, particularly against actively supported versions of Veeam Backup & Replication. By staying vigilant and proactive in addressing security vulnerabilities, organizations can enhance their overall cybersecurity posture and safeguard against potential threats. It is worth noting that additional vulnerabilities have been reported in other Veeam products, such as the Veeam Service Provider Console (VSPC) server and Veeam Recovery Orchestrator. These vulnerabilities, including CVE-2024-29212 and CVE-2024-22022, highlight the importance of ongoing security assessments and prompt patching to mitigate potential risks.

The Role of Real-Time Incident Response in Mitigating Conversation Hijacking Attacks

Communications hijacking, also known as “conversation hijacking,” has emerged as a significant threat to organizations worldwide. This form of cyberattack involves unauthorized interception or redirection of communication channels, leading to data breaches, financial loss, and damage to an organization’s reputation. Real-time incident response is a critical strategy in mitigating the risks associated with conversation hijacking […]

The post The Role of Real-Time Incident Response in Mitigating Conversation Hijacking Attacks appeared first on BlackCloak | Protect Your Digital Life™.

The post The Role of Real-Time Incident Response in Mitigating Conversation Hijacking Attacks appeared first on Security Boulevard.

Latest Ubuntu Security Updates: Fixing Linux Kernel Vulnerabilities

Several vulnerabilities have been discovered in the Linux kernel that could lead to privilege escalation, denial of service, or information leaks. The Ubuntu security team has addressed these issues in the latest Ubuntu security updates for multiple releases. In this article, we will explore some of the vulnerabilities fixed and learn how to apply updates […]

The post Latest Ubuntu Security Updates: Fixing Linux Kernel Vulnerabilities appeared first on TuxCare.

The post Latest Ubuntu Security Updates: Fixing Linux Kernel Vulnerabilities appeared first on Security Boulevard.

LiteSpeed Cache Bug Exploit For Control Of WordPress Sites

In recent developments concerning WordPress security, a significant vulnerability has come to light in the widely used LiteSpeed Cache plugin. This LiteSpeed cache bug, labeled CVE-2023-40000, poses a substantial risk to WordPress site owners, as it allows threat actors to exploit websites, gaining unauthorized access and control. Let’s delve into the details of this vulnerability, […]

The post LiteSpeed Cache Bug Exploit For Control Of WordPress Sites appeared first on TuxCare.

The post LiteSpeed Cache Bug Exploit For Control Of WordPress Sites appeared first on Security Boulevard.

Key CTEM metrics: How to Measure the Effectiveness of Your Continuous Threat Exposure Management Program?

According to a new market research report published by Global Market Estimates, the global continuous threat exposure management (CTEM) market is projected to grow at a CAGR of 10.1% from...

The post Key CTEM metrics: How to Measure the Effectiveness of Your Continuous Threat Exposure Management Program? appeared first on Strobes Security.

The post Key CTEM metrics: How to Measure the Effectiveness of Your Continuous Threat Exposure Management Program? appeared first on Security Boulevard.

New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report

In episode 330 Tom, Scott, and Kevin discuss the new features for iPhones and Android phones designed to warn users about secret trackers, possibly aiding in identifying stalkers. The hosts discuss Apple and Google’s collaboration on a technology called DOLT (Detecting Unwanted Location Trackers), aiming to improve user privacy by detecting Bluetooth trackers like Tiles […]

The post New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report appeared first on Shared Security Podcast.

The post New Tracker Warning Features on iPhones & Androids, 2024 Verizon Data Breach Investigations Report appeared first on Security Boulevard.

Patch Now! CISA Adds Critical Flaws to Exploited Vulnerabilities Catalog

known exploited vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its known exploited vulnerabilities catalog to include three new entries, including flaws within D-Link routers and Google Chromium. According to a post shared by CISA, one of the listed vulnerabilities affects D-Link routers, a common target for cyberattacks. CVE-2014-100005 relates to the D-Link DIR-600 router series and specifically concerns Cross-Site Request Forgery (CSRF).

CISA Adds Three Known Exploited Vulnerabilities

By exploiting the D-Link router vulnerability, malicious actors can hijack administrative privileges, allowing them to execute unauthorized actions remotely. Another D-Link router vulnerability listed is CVE-2021-40655, affecting the DIR-605 model. This flaw enables attackers to obtain sensitive information such as usernames and passwords through forged requests, posing a significant risk to affected users. Additionally, CISA's catalog includes CVE-2024-4761, concerning Google Chromium's V8 engine. This Chromium vulnerability, marked with a severity rating of 'High', involves an out-of-bounds memory write issue. By exploiting this flaw, remote attackers can execute malicious code via crafted HTML pages, potentially compromising user data and system integrity.

Importance of Catalog Vulnerabilities

These vulnerabilities, once exploited, can lead to severe consequences, making them prime targets for cybercriminals. Notably, these entries are part of CISA's ongoing effort to maintain an updated list of significant threats facing federal networks. The known exploited vulnerabilities catalog aligns with Binding Operational Directive (BOD) 22-01, aimed at mitigating risks within the federal enterprise. While BOD 22-01 specifically targets Federal Civilian Executive Branch (FCEB) agencies, CISA emphasizes the importance of all organizations prioritizing vulnerability remediation. By promptly addressing cataloged vulnerabilities, organizations can bolster their cybersecurity posture and reduce the risk of successful cyberattacks.

The Exploited Vulnerability Dilemma 

According to Bitsight's analysis, global companies struggle to address critical vulnerabilities promptly. The report draws on data from 1.4 million organizations, revealing that critical vulnerabilities take an average of 4.5 months to remediate, with over 60% unresolved past CISA's deadlines. Despite their prevalence, known exploited vulnerabilities (KEVs) remain a challenge for organizations. Derek Vadala, Chief Risk Officer at Bitsight, urges prioritization of vulnerability remediation, citing an average resolution time of 4.5 months for critical KEVs. Ransomware vulnerabilities, constituting 20% of the KEV catalog, prompt remediation efforts 2.5 times faster than non-ransomware KEVs. While federal agencies fare better in meeting CISA's deadlines, technology companies face the highest exposure to critical KEVs, with a faster remediation turnaround of 93 days. Roland Cloutier, a Bitsight advisor, stresses the need for enhanced vulnerability management, citing organizational challenges in assigning responsibility and ensuring visibility.

Norwegian National Cyber Security Centre Recommends Moving Away from SSLVPN and WebVPN

Norwegian National Cyber Security Centre Replacement of SSLVPN and WebVPN

The Norwegian National Cyber Security Centre (NCSC) has issued a recommendation advising organizations to replace SSLVPN and WebVPN solutions with more secure alternatives, due to the repeated exploitation of vulnerabilities in edge network devices that has allowed attackers to breach corporate networks. The National Cyber Security Centre (NCSC), a sub-division of the Norwegian National Security Authority, functions as Norway's primary liaison for coordinating national efforts to prevent, detect, and respond to cyber attacks, as well as providing strategic guidance and technical support to enhance the overall cyber security posture of the country. This includes conducting risk assessments, disseminating threat intelligence, and promoting best practices in both the public and private sectors. The NCSC's guidance is aimed at enhancing the security posture of organizations, particularly those within critical infrastructure sectors, by advocating for the transition to more robust and secure remote access protocols.

Replacement of SSLVPN and WebVPN With Secure Alternatives

The NCSC's recommendation is underpinned by the recognition that SSL VPN and WebVPN, while providing secure remote access over the internet via SSL/TLS protocols, have been repeatedly targeted due to inherent vulnerabilities. These solutions create an "encryption tunnel" to secure the connection between the user's device and the VPN server. However, the exploitation of these vulnerabilities by malicious actors has led the NCSC to advise organizations to migrate to Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).

IPsec with IKEv2 is the NCSC's recommended alternative for secure remote access. This protocol encrypts and authenticates each packet of data, using keys that are refreshed periodically. Despite acknowledging that no protocol is entirely free of flaws, the NCSC believes that IPsec with IKEv2 significantly reduces the attack surface for secure remote access incidents, especially due to its reduced tolerance for configuration errors compared to SSLVPN.

The NCSC emphasizes the importance of initiating the transition process without delay. Organizations subject to the Safety Act or classified as critical infrastructure are encouraged to complete the transition by the end of 2024, with all other organizations urged to finalize the switch by 2025. The recommendation to adopt IPsec over other protocols is not unique to Norway; other countries, including the USA and the UK, have endorsed similar guidelines, underscoring the global consensus on the enhanced security offered by IPsec with IKEv2. As a preventative measure, the NCSC also recommended the use of 5G from mobile or mobile broadband as an alternative in locations where it was not possible to implement an IPsec connection.

Recommendation Follows Earlier Notice About Exploitation

Last month, the Norwegian National Cyber Security Centre had issued a notice about a targeted attack campaign against SSLVPN products in which attackers exploited multiple zero-day vulnerabilities in Cisco ASA VPN used to power critical infrastructure facilities. The campaign had been observed since November 2023. This notice, intended primarily for critical infrastructure businesses, warned that while the entry vector in the campaign was unknown, the presence of at least one zero-day vulnerability potentially allowed external attackers under certain conditions to bypass authentication, intrude into devices, and grant themselves administrative privileges. The notice shared several recommendations to protect against the attacks, such as blocking access to services from insecure infrastructure like anonymization services (VPN providers and Tor exit nodes) and VPS providers. Cisco released important security updates to address these vulnerabilities. The earlier notice also recommended that businesses switch from the SSLVPN/clientless VPN product category to IPsec with IKEv2, due to the presence of critical vulnerabilities in such VPN products, regardless of the VPN provider. The NCSC recommends that businesses in need of assistance contact their sector CERT or MSSP.