Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit.

**SQL injection in funadmin**

High severity GitHub Reviewed Published Oct 25, 2024 to the GitHub Advisory Database • Updated Oct 25, 2024

GHSA-5g66-93qv-565j: SQL injection in funadmin

Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield.

GHSA-9gw3-qr2f-3vg5: SQL injection in funadmin

Funadmin 5.0.2 has a logical flaw in the Curd one click command deletion function, which can result in a Denial of Service (DOS).

**Logic flaw in Funadmin**

High severity GitHub Reviewed Published Oct 25, 2024 to the GitHub Advisory Database • Updated Oct 25, 2024

GHSA-r9v5-q97m-rj5g: Logic flaw in Funadmin

The networking company found liable for illegally gathering user data for targeted advertising by the Irish Data Protection Commission.

Source: Iain Masterton via Alamy Stock Photo

LinkedIn earned itself a €310 million ($335 million) fine by European Union regulators on Oct. 24 for its violations of the General Data Protection Regulation (GDPR) data privacy rules.

Ireland's Data Protection Commission (DPC) cited concerns regarding the lawfulness, fairness, and transparency of personal data processing for the professional networking site's advertising purposes.

As LinkedIn's lead privacy regulator, the DPC reported that it carried out an investigation and found that LinkedIn did not have lawful basis to be compiling data to target its users with ads, ultimately breaching GDPR. This investigation was launched following a complaint initially made by the French Data Protection Authority.

"The inquiry examined LinkedIn's processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members)," according to a DPC press release. "The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million."

LinkedIn asserts that it believes it has been in compliance with the rules but acknowledges that it will work to ensure its ad practices meet the requirements.

**About the Author**

LinkedIn Hit With $335M Fine for Data Privacy Violations

Kremlin intelligence carried out a wide-scale phishing campaign in contrast to its usual, more targeted operations.

Source: Design Pics Inc via Alamy Stock Photo

Russia's premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it's best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft's codebase and political targets across Europe, Africa, and beyond.

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" says Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."

Along these same lines, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from government, military, and private sector targets in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was actually spread across "a wide geography."

That APT29 would go after sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, though he adds that "the one thing that does kind of stray from the path would be its broad targeting, versus \[its typical more\] narrowly focused attacks."

**AWS and Microsoft**

The campaign, which dates back to August, was carried out using malicious domain names designed to seem like they were associated with Amazon Web Services (AWS). The emails sent from these domains pretended to advise recipients on how to integrate AWS with Microsoft services, and how to implement zero trust architecture.

Despite the masquerade, AWS itself reported that the attackers weren't after Amazon, or its customers' AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool that legitimate users and hackers alike use to operate computers remotely.

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection \[upfront\],'" Narang says.

Launching one of these malicious attachments would have immediately triggered an outgoing RDP connection to an APT29 server. But that wasn't all: The files also contained a number of other malicious parameters, such that when a connection was made, the attacker was given access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, with the added ability to run custom malicious scripts.

**Block RDP**

APT29 may not have used any legitimate AWS domains, but Amazon still managed to interrupt the campaign by seizing the group's malicious copycats.

For potential victims, CERT-UA recommends strict precautions: not just monitoring network logs for connections to IP addresses tied to APT29 but also analyzing all outgoing connections to all IP addresses on the wider Web through the end of the month.

And for organizations at risk in the future, Narang offers simpler advice. "First and foremost, don't allow RDP files to be received. You can block them at your email gateway. That's going to kneecap this whole thing," he says.

AWS declined to provide further comment for this story. Dark Reading has also reached out to Microsoft for its perspective.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Russia's APT29 Mimics AWS Domains to Steal Windows Credentials

Four companies — Avaya, Check Point, Mimecast, and Unisys — have been charged by the SEC for misleading disclosures in the aftermath of the 2020 SolarWinds compromise.

Source: Ascannio via Alamy Stock Photo

The initial attack might be years old, but regulators at the Securities and Exchange Commission (SEC) are still sifting through the details of the 2020 SolarWinds breach. This week, the SEC announced it has charged four companies for what the agency determined was an intentional effort to minimize the impact of the hack to their systems.

Unisys was dealt the largest civil penalty — $4 million — for its disclosure practices, as well as for controls violations.

"The SEC's order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data," the SEC announcement of the fines read. "The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls."

Unisys has not responded to Dark Reading's request for comment.

Avaya Holdings Corp. agreed to pay $1 million for its statements that admitted a threat actor has accessed what the company characterized at the time as a "limited number" of company email messages, but failed to mention the company was also aware that 145 files in its cloud environment were also compromised, according to the SEC.

Avaya, similarly to the other fined companies, said in its statement the company is glad to put this issue to rest.

"We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls," according to a statement from Avaya provided to Dark Reading. "Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."

Check Point was intentionally vague in its disclosures, according to the SEC, which fined the software company $995,000. Check Point's statement maintains the company acted earnestly but is glad to move on.

"The SEC's announcement concerns the same issue that we discussed in a 6-K from December 2023, regarding our settlement discussions on the 2020 SolarWinds Orion cyber vulnerability and the question of whether this should have been reported in Check Point's 2021 20-F Annual Report filing," the Check Point statement read. "As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world."

The SEC dealt the lightest penalty to Mimecast, which will pay $990,000, for "failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed," the SEC said.

Mimecast said in a statement that the company acted transparently, adding that it is no longer a publicly traded company under SEC jurisdiction, but nonetheless will continue to comply with the SEC enforcement.

"In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected," the Mimecast statement read. "We believed that we complied with our disclosure obligations based on the regulatory requirements at that time. As we responded to the incident, Mimecast took the opportunity to enhance our resilience. While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers."

**SEC Trying to Deter Vague Data Breach Disclosures**

The intention of the charges and subsequent fines is to deter other companies from taking the same "half-truth" communications approach following a breach, the SEC explained.

"Downplaying the extent of a material cybersecurity breach is a bad strategy," Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit said in a statement. "In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized."

The lesson companies should take from this SEC enforcement action is that regulators are looking for technically precise disclosures, according to cybersecurity attorney Beth Burgin Waller.

"Companies can no longer rely on generalizations or hypotheticals," she adds. "The challenge for many companies will be thinking of post-ligation risk from all angles including later data breach class actions or customer lawsuits."

This new enterprise cybersecurity terrain will require chief information security officers to work more closely legal teams, Burgin Waller says.

"The SEC is creating tension for many companies post-incident by forcing disclosure of details very early on in an incident investigation that will be cited back to the business in future litigation," she adds. "CISOs need to be prepared to work closely with in-house and outside counsel on SEC cyber-incident materiality determinations, especially in light of the technical precision required of companies in these enforcement announcements."

SEC Fines Companies Millions for Downplaying SolarWinds Breach

Eight months after the breach occurred, Change Healthcare has finally sent out millions of notices of compromised data to affected individuals.

Source: Jim West via Alamy Stock Photo

For the first time since being breached, United Healthcare has admitted to the number of individuals affected by the Change Healthcare ransomware attack — a staggering 100 million people.

The incident occurred in February, yet Change Healthcare didn't send out a notification warning to those impacted until June. In May, Andrew Witty, CEO of UnitedHealth, hinted at the massive scale of the breach, estimating that it was possible a third of all American health data had been compromised in the ransomware attack.

The breach has caused wave after wave of issues and prompted numerous calls for action regarding the state of cybersecurity in the healthcare sector. The ransomware attack was perpetrated at the hands of BlackCat/ALPHV, which Change Healthcare ultimately decided to pay off in order to get its systems back up and running. 

But the breaches didn't stop there. The company faced yet another attack, this time at the hands of RansomHub, which demanded a payment for the 4TB of data it stole, most of it medical records and financial data belonging to US military personnel. RansomHub has threatened to sell the sensitive information to the highest bidder.

After testifying in Congress in May, Change Healthcare revealed it had paid $22 million in ransom to the attackers who compromised its systems in February. It also revealed that the attackers were able to use previously compromised credentials to get into Change Healthcare’s system, which was not protected with multifactor authentication (MFA). Overall, the revelations in the hearing pointed to a lack of security maturity, leading to easy access for the attackers and a breach that caused delays in healthcare services.

"UnitedHealth is a very large, very complex entity from a systems point of view, and the regulatory framework is equally large and complex — considering all the variables and processes involved — the time frame for confirmation seems within reason," Dan Ortega, security strategist at Anomali, wrote in an emailed statement. "However, this doesn't mean that it's acceptable from an operational efficiency or public safety standpoint."

For the 100 million Americans affected by this breach who have received notice of their compromised data, their information that was stolen includes health insurance data; health information such as medical records, prescriptions, test results, images, diagnoses, and more; billing, claims, and financial and banking information; and Social Security numbers, driver's license information, and passport numbers.

UnitedHealth Reveals 100M Compromised in Change Healthcare Breach

Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.

The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-q34m-jh98-gwm2: Werkzeug possible resource exhaustion when parsing file data in forms

On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.

GHSA-f9vj-2wh5-fj8j: Werkzeug safe_join not safe on Windows

A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the `net/netip` package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.

**Critical Vulnerabilities**
Vulnerability: [CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790), `golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses`
Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Affected versions: 1.17.1,1.16.2,1.15.5

See screenshot for more details
![Screenshot from 2024-09-18 17-36-37](https://github.com/user-attachments/assets/2e7ad31f-228a-4534-a4aa-b63d4911351d)

Fixed versions: 1.17.2,1.16.3,1.15.6

Release notes:

* https://github.com/crossplane/crossplane/releases/tag/v1.17.2
* https://github.com/crossplane/crossplane/releases/tag/v1.16.3
* https://github.com/crossplane/crossplane/releases/tag/v1.15.6

A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the net/netip package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.

**Critical Vulnerabilities**  
Vulnerability: CVE-2024-24790, golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses  
Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Affected versions: 1.17.1,1.16.2,1.15.5

See screenshot for more details  

Fixed versions: 1.17.2,1.16.3,1.15.6

Release notes:

*   https://github.com/crossplane/crossplane/releases/tag/v1.17.2
*   https://github.com/crossplane/crossplane/releases/tag/v1.16.3
*   https://github.com/crossplane/crossplane/releases/tag/v1.15.6

**References**

*   GHSA-7h65-4p22-39j6

Latest News