Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal…

Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal credentials. The data is being sold for $20,000 on BreachForums, though no customer data was affected. Nokia has not yet commented on the claim.

A notorious hacker known as Intel Broker has announced a data breach involving the telecommunications giant Nokia. Posting on the infamous cybercrime forum BreachForums, Intel Broker claims to have gained unauthorized access to sensitive Nokia information through a third-party contractor linked to Nokia’s internal tool development.

The hacker claims that no customer information was accessed, but they have obtained **critical internal data** from Nokia’s systems, which they’re now selling for $20,000.

**Details of the Breach**

According to Intel Broker’s post, the stolen data includes SSH keys, source code, RSA keys, Bitbucket logins, SMTP accounts, webhooks, and hardcoded credentials. All of these items could potentially enable further unauthorized access to internal systems or facilitate other types of cyber attacks. In an attempt to validate the breach, Intel Broker also shared a file tree, showcasing various files and folders apparently related to Nokia’s internal operations.

In an exclusive conversation with Hackread.com, Interl Broker said that the stolen data collection is up for sale for $20,000, and he is reaching out to prospective buyers on BreachForums. According to the post, only those with high-ranking status and sufficient reputation on the forum are being encouraged to inquire.

Intel Broker on Breach Forums (Screenshot: Hackread.com)

The hacker claims to have pulled this data from a contractor working closely with Nokia, rather than Nokia’s own systems directly. This method of breaching systems through third-party vendors has become **increasingly common**, as vendors are often granted extensive access to the companies they serve. Cybersecurity experts have long warned about this weak point, advising companies to ensure that security standards extend to their contractors and partners.

**Potential Impact**

While Intel Broker emphasizes that customer data is not included in the breach, the exposure of alleged Nokia’s internal data could still have widespread implications. With access to development environments, source code, and credentials, hackers could potentially tamper with Nokia’s tools or services, or exploit the vulnerabilities in these resources to compromise other systems.

Screenshot from the sample data that Hackread.com analysed

****Nokia’s Response****

At the time of reporting, there has been no official statement from Nokia on this alleged breach. However, Hackread.com has reached out to the company awaiting a response. Stay tuned.

****About Intel Broker****

Intel Broker who is also the owner of Breach Forums is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

1.  **Hacker Leaks Thousands of Nokia Employee Details**
2.  **Nokia Taiwan Hacked, 100,000+ accounts leaked online**
3.  **Cisco Network Breach as Employee’s Google Account was Hacked  
    **

Hackers Claim Access to Nokia Internal Data, Selling for $20,000

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

When you let go of that trapeze, you really want your teammates to be ready to catch you. Send us a cybersecurity-related caption to describe the above scene and our favorite will win its wordsmith a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 27, 2024 deadline:

• Email \[email protected\] with the subject line "Edge November Toon."

• Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Joseph Ayella, a recurring winner, for sending us the winning caption for last month's "And For My Next Trick..." cartoon.

"I call this trick the woman-in-the-middle attack."

Some noteworthy contenders included: "All we could get was half a FTE for security assessments," "And with this SIEM solution, we could cut a half of our SOC analysts," and "I'm glad he's not the hacker." A big thank you to all who participated.

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Aerialist's Choice

Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft.
"Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including

Vulnerability / Cyber Threat

Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft.

"Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including denial-of-service (DoS) attacks, model poisoning, model theft, and more," Oligo Security researcher Avi Lumelsky said in a report published last week.

Ollama is an open-source application that allows users to deploy and operate large language models (LLMs) locally on Windows, Linux, and macOS devices. Its project repository on GitHub has been forked 7,600 times to date.

A brief description of the six vulnerabilities is below -

*   **CVE-2024-39719** (CVSS score: 7.5) - A vulnerability that an attacker can exploit using /api/create an endpoint to determine the existence of a file in the server (Fixed in version 0.1.47)
*   **CVE-2024-39720** (CVSS score: 8.2) - An out-of-bounds read vulnerability that could cause the application to crash by means of the /api/create endpoint, resulting in a DoS condition (Fixed in version 0.1.46)
*   **CVE-2024-39721** (CVSS score: 7.5) - A vulnerability that causes resource exhaustion and ultimately a DoS when invoking the /api/create endpoint repeatedly when passing the file "/dev/random" as input (Fixed in version 0.1.34)
*   **CVE-2024-39722** (CVSS score: 7.5) - A path traversal vulnerability in the api/push endpoint that exposes the files existing on the server and the entire directory structure on which Ollama is deployed (Fixed in version 0.1.46)
*   A vulnerability that could lead to model poisoning via the /api/pull endpoint from an untrusted source (No CVE identifier, Unpatched)
*   A vulnerability that could lead to model theft via the /api/push endpoint to an untrusted target (No CVE identifier, Unpatched)

For both unresolved vulnerabilities, the maintainers of Ollama have recommended that users filter which endpoints are exposed to the internet by means of a proxy or a web application firewall.

"Meaning that, by default, not all endpoints should be exposed," Lumelsky said. "That's a dangerous assumption. Not everybody is aware of that, or filters http routing to Ollama. Currently, these endpoints are available through the default port of Ollama as part of every deployment, without any separation or documentation to back it up."

Oligo said it found 9,831 unique internet-facing instances that run Ollama, with a majority of them located in China, the U.S., Germany, South Korea, Taiwan, France, the U.K., India, Singapore, and Hong Kong. One out of four internet-facing servers has been deemed vulnerable to the identified flaws.

The development comes more than four months after cloud security firm Wiz disclosed a severe flaw impacting Ollama (CVE-2024-37032) that could have been exploited to achieve remote code execution.

"Exposing Ollama to the internet without authorization is the equivalent to exposing the docker socket to the public internet, because it can upload files and has model pull and push capabilities (that can be abused by attackers)," Lumelsky noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning

The true measure of our cybersecurity prowess lies in our capacity to endure.

Source: Lasse Kristensen via Alamy Stock Photo

COMMENTARY

In July, the industry witnessed one of the largest technology outages in recent history, with estimates of $5.4 billion in damages. When CrowdStrike distributed a Rapid Response Content Channel Update with an exception-handling logic flaw, it opened the door for constructive conversations about automatic updates — when to use them, when not to use them, whether they make us more or less secure. It's time to reflect and ask: What is the cost of our relentless pursuit of innovation, software currency, and speed to market? How can we reprioritize to reestablish the balance in the C-I-A triad?

IT and security teams are under enormous pressure to stay ahead of threats. However, teams must not sacrifice the right checks and balances for speed. The CrowdStrike incident serves as a reminder to the industry that even the most secure and trusted systems can fail, and it's time to revisit how teams test and deploy critical updates.  

**The C-I-A Triad: Rebalancing Priorities**

The C-I-A triad is a foundational pillar of cybersecurity, representing the Confidentiality (security), Integrity (accuracy), and Availability of technology platforms. For too long, the cybersecurity community — vendors and customers alike — have fixated on the C in this triad. However, the C-I-A triad is supposed to represent the full scope of a cybersecurity program. With the main focus on privacy and data security, the industry over emphasized security — and in doing so, added speed to the equation. Teams are now responding faster and deploying updates quicker to stay ahead of emerging threats and day-to-day attacks, but that's leading to mistakes and improper testing.  

Meanwhile, the I and A were relegated to secondary status — even outsourced to other technology teams. Integrity — the accuracy, completeness, and consistency of the ecosystem and underlying data — was compromised in the name of speed. Availability also suffered as the focus shifted to rapid recovery rather than ensuring uptime and reliability, all for the sake of rapid innovation and response to perceived threats.  

If the CrowdStrike event has taught us anything, it is that now is the time for both vendors and customers to recommit themselves to recognizing the integral importance of and essential need to rebalance all three pillars of the C-I-A triad. In doing so, teams can build more resilient systems.  

**The Shift From Software to Critical Infrastructure**

Leaders need to undertake three key shifts to achieve the essential checks and balance systems inherent to the C-I-A triad.  

1\. Transparency: Vendors must be more transparent with their product updates and give customers more control over how updates are applied. Customers should be able to manually update, deploy updates in stages, and remain on a prior stable version as a matter of policy.  

In the case of the CrowdStrike event, the complex update caused the outage. First, the team deployed a configuration file in February. Later, in July, it deployed a Rapid Response Content Update. As part of that update, a configuration content validator, using the prior configuration file, attempted to apply the update, but due to the "logic bug" in the exception handling routines, the staggered update resulted in the infamous "blue screen of death" for many Windows servers and workstations. These channel updates are often a series of staged updates, all occurring at once. How many of CrowdStrike's customers understood this nuance of the update strategy? It's unclear, but they had limited control over the update and were unable to stage it so it could be certified and tested before affecting the entirety of the enterprise.  

2\. Reevaluate vendor testing: Platforms such as CrowdStrike have transformed to become a core component of critical infrastructure. Security vendors frequently push automatic updates to improve security, but this can also mean speeding through the "trust but verify; walk before you run; test test test" cycles. While speed matters, this incident should force teams to take a closer look at how they deploy updates, ensure integrity and availability, and maintain business resiliency.  

IT and security teams must reevaluate overreliance on vendor testing and automatic updates. Even small teams can have the flexibility to choose when to update without incurring substantial overhead. The update is automatic — but the time and place to update can be chosen. Leaders should consider implementing staggered updates, using staging and testing environments to certify and assess the viability and stability of the update. More credence and consideration should be given to the value of updating now versus waiting to give more ability to ensure that the integrity and availability won't be compromised by the update.  

3\. Improve testing environments: Companies must ensure that cybersecurity teams have adequate testing environments available for certifying and testing security updates and implementations. The same diligence given to IT and development teams must be applied to cybersecurity.  

Security is no longer software; it's a foundational component of critical infrastructure. As seen with the CrowdStrike event, banks, transportation, manufacturing, and financial markets can all be devastated by a failure of the security ecosystem. As the industry continues to see convergence of solutions to a few vendors, it's important to make these platforms more resilient.   

The true measure of our cybersecurity prowess lies in our capacity to endure. Teams should embrace those proven patterns of change management that have served us well in the past, but also evolve and expand in scope to accommodate new technology and new potential threats. Vendors must empower customers with greater control and flexibility in how and why they deploy our solutions and updates. Technology and security practitioners, in turn, must use this moment as a clarion call to rethink priorities and recommit to balancing and counterbalancing the security, integrity, and availability drivers that empower our security tools.   

This creates a durable security future, regains and rebuilds essential fiduciary trust, and ensures that teams can rise to every threat while never again falling into complacency, valuing speed and ease at the expense of everything else. 

**About the Author**

CISO, Silverfort

John Paul Cunningham is the CISO of Silverfort. He has a passion for managing security and risk within firms, and has built and led information security, risk management, comprehensive technology organizations, and developed customer-facing organizations built on customer and organizational success. His sphere of influence extends from the board room to the break room, where he brings business and technology together to deliver solutions that propel the organization forward to achieve its goals.

Can Automatic Updates for Critical Infrastructure Be Trusted?

Scammers are exploiting DocuSign’s APIs to send realistic fake invoices, primarily targeting security software like Norton. This phishing…

Scammers are exploiting DocuSign’s APIs to send realistic fake invoices, primarily targeting security software like Norton. This phishing technique bypasses traditional email spam filters by originating from legitimate DocuSign accounts and templates, making detection challenging.

Cybersecurity researchers at automated API security solutions provider, Wallarm, have revealed a new threat exploiting DocuSign APIs to send phishing invoices. The company reports that cybercriminals are employing a new phishing technique that leverages the legitimacy of DocuSign’s platform. By exploiting DocuSign’s APIs, attackers send highly authentic-looking fake invoices that evade traditional email filters.

This clever approach increases the risk for organizations and unsuspecting users, as it capitalizes on the trust associated with reputable platforms, making detection quite challenging.

In its latest blog post shared exclusively with Hackread.com ahead of its publishing on Monday, the modus operandi of these attacks involves the creation of paid DocuSign accounts. These accounts grant attackers the ability to modify templates and utilize APIs for automated document generation and distribution.

By customizing official DocuSign templates to mimic **well-known brands**, such as cybersecurity giant Norton, cybercriminals can create convincing invoices that are difficult to distinguish from legitimate communications. The automation capabilities provided by DocuSign’s APIs enable attackers to efficiently distribute these fraudulent invoices at scale, maximizing their potential impact. It happens because DocuSign’s API-friendly environment allows attackers to customize invoices to match company branding.

Fake Norton invoices (Screenshot via Wallarm)

“These fake invoices may contain accurate pricing for the products to make them appear authentic, along with additional charges, like a $50 activation fee. Other scenarios include direct wire instructions or purchase orders,” the **blog post** read.

The consequences of these attacks are major. Victims may e-sign fraudulent invoices, authorizing unauthorized payments. Furthermore, the legitimacy of DocuSign’s platform allows phishing emails to bypass traditional spam filters, increasing the chance of successful delivery. 

****Mitigating and Protection****

To mitigate the risks associated with these attacks, organizations must adopt a multi-faceted approach. Firstly, it is important to verify the authenticity of sender credentials, including email addresses and sender accounts. Implementing strict internal approval processes for financial transactions can also help prevent unauthorized payments.

Additionally, organizations should prioritize **employee awareness training** to educate staff about this increasing threat. By regularly monitoring for irregularities in invoices, such as unexpected charges or unusual requests, organizations can identify and respond to potential threats. Finally, following **DocuSign’s anti-phishing guidelines** can provide additional protection.

1.  **Microsoft Warns of Tax Returns Phishing Scams**
2.  **Blank Images Used to Evade Anti-Malware Checks**
3.  **Scammers using Google Docs exploit in phishing links**
4.  **Microsoft Office Most Exploited Software in Malware Attacks**
5.  **LinkedIn Phishing Scam Steals Gmail Credentials Via Google Docs**

Scammers Use DocuSign API to Evade Spam Filters with Phishing Invoices

As data and usage grow, apps adopt distributed microservices with load balancers for scalability. Monitoring error rates, resource…

As data and usage grow, apps adopt distributed microservices with load balancers for scalability. Monitoring error rates, resource use, and replica health across instances is crucial. Tools like Prometheus aid in ensuring uptime and performance.

As internet users and data proliferate at an unprecedented rate, modern applications and services have surpassed the capabilities of single-server deployments. To accommodate the escalating demands of their expanding user bases, contemporary applications are increasingly adopting a distributed microservices architecture. 

A common pattern for synchronous microservices involves deploying multiple replicas behind a load balancer. Users and client services send requests to the load balancer, which routes each request to one of the available replicas. While this approach enhances scalability and fault tolerance, it introduces monitoring challenges not present in single-node systems.

In a single-node environment, operators can directly observe requests and monitor the health of the node using tools like the Linux top utility. This allows for straightforward scaling decisions and issue detection. However, this methodology does not scale when dealing with microservices comprising hundreds of replicas. 

In this article, we explore various failure modes in distributed microservices and discuss approaches to proactively monitor them, ensuring consistent uptime for upstream users and clients.

****Challenge #1:  Aggregate error and fault rate of the service****

Faults in a microservice can include requests that result in unexpected responses or server-side errors, such as HTTP 5xx response codes. Monitoring these faults is crucial for maintaining the reliability and performance of your service. In a distributed system with multiple replicas, it’s important to aggregate fault metrics across all instances to get a holistic view of the service’s health.

****General Approach to Monitoring Fault Rates****

*   **Metric Emission**: Each service replica should emit metrics related to the response codes it generates. This includes counts of successful responses, client errors (HTTP 4xx), and server errors (HTTP 5xx).
*   **Aggregation**: Collect and aggregate these metrics across all replicas to calculate the overall fault rate of the service. This helps identify systemic issues affecting the service as a whole.
*   **Visualization and Alerting**: Use a monitoring system to visualize fault rates over time and set up alerts that notify operators when fault rates exceed acceptable thresholds.

****Monitoring Fault Rates Using Tools****

Prometheus is a popular open-source monitoring system that can collect and aggregate metrics from your microservice replicas. Prometheus is just one tool that we’ll use as an example, but the general approach is the same. 

**Aggregate Metrics**: Prometheus scrapes the metrics from all replicas and can aggregate them.

Example Prometheus query to get the aggregate rate of HTTP 5xx errors across all replicas:

sum(rate(http_requests_total{code=~"5.."}))

**Drill Down into Faulty Replicas**: To identify which replicas are experiencing the most faults, you can group the metrics by the instance label.

rate(http_requests_total{code=~"5.."}) by (instance)

This shows the rate of 5xx errors per instance over the last five minutes.

**Monitoring Client Errors (HTTP 4xx)**

While HTTP 4xx response codes indicate client-side errors, an unexpected increase might signal issues such as:

*   **API Misuse**: Clients are not using the API correctly.
*   **Documentation Errors**: Incorrect or outdated API documentation leading to improper client requests.
*   **Service Bugs**: Logic errors in the service that misclassify responses.

Monitoring and analyzing these errors can help improve both the service and client integrations.

****Challenge #2:  Resource utilization issues** **

**Importance of Monitoring CPU and Memory Usage**

Monitoring resource utilization metrics like CPU and memory usage is essential for:

*   **Preventing Performance Degradation**: High resource usage can lead to increased response times or service unavailability.
*   **Detecting Memory Leaks**: Gradual increases in memory usage may indicate memory leaks, which can cause crashes.
*   **Scaling Decisions**: Understanding resource usage patterns aids in capacity planning and scaling strategies.

In a distributed environment, resource issues on individual replicas can impact overall service performance, especially if multiple replicas experience issues simultaneously.

****General Approach to Monitoring Resource Utilization****

*   **Per-Replica Metrics**: Each replica should expose its CPU and memory usage metrics.
*   **Aggregated View**: Collect these metrics to analyze resource utilization trends across all replicas.
*   **Thresholds and Alerts**: Define acceptable resource usage thresholds and set up alerts for when these thresholds are breached.

****Monitoring Resource Utilization Using Prometheus****

Tools like Prometheus can collect and aggregate resource utilization metrics from each replica. Again, you can use any monitoring tool of your choice but we’ll use Prometheus as an example. 

**CPU Utilization per Replica**:

rate(process_cpu_seconds_total) by (instance)

This calculates the average CPU usage per instance over the last five minutes.

**Aggregate CPU Utilization**:

Set up alerts to notify operators when resource usage exceeds defined thresholds, enabling proactive mitigation.

****Challenge #3:  Unhealthy replicas****

Hardware faults and crashes are inevitable in large-scale distributed systems. A single replica crashing might not impact the overall service, but simultaneous failures of multiple replicas can compromise service availability.

**General Approach to Monitoring Replica Health**

*   **Health Checks**: Implement regular health checks for each replica to determine its operational status.
*   **Load Balancer Monitoring**: Use the load balancer’s perspective to monitor the health of backend replicas.
*   **Replica Counts**: Keep track of the total number of healthy versus unhealthy replicas.

****Monitoring Unhealthy Replicas from the Load Balancer’s Perspective****

Load balancers often perform periodic health checks on backend replicas and can provide metrics on their status.

Steps to monitor unhealthy replicas:

*   **Enable Health Check Metrics**: Configure the load balancer to expose metrics about the health of each replica.
*   **Collect Metrics**: Use a monitoring system to collect these metrics.
*   **Analyze and Alert**: Monitor the number of unhealthy replicas and set up alerts if the count exceeds a certain threshold.

**Example Using tools like Prometheus**

If your load balancer exposes metrics, you can collect and analyze them.

**Example queries:**

**Count of Healthy Replicas**:

sum(loadbalancer_backend_up{backend="myservice"})

Assuming loadbalancer\_backend\_up is a metric indicating if a backend is up (1) or down (0).

**Identifying Unhealthy Replicas**:

loadbalancer_backend_up{backend="myservice"} == 0

*   This query lists all replicas that are currently down.

**Summary**

Effective monitoring of distributed microservices is vital for ensuring high availability and performance in today’s scalable applications. By aggregating metrics across all service replicas and employing robust monitoring tools, operators can gain deep insights into the system’s health.

Proactive monitoring of error rates, resource utilization, and replica health enables timely detection and resolution of issues, minimizing the impact on end-users. Implementing comprehensive monitoring strategies not only helps maintain service reliability but also contributes to better capacity planning and resource optimization.

As distributed systems continue to grow in complexity, embracing robust monitoring solutions becomes increasingly important. By leveraging both general monitoring principles and specific tools, organizations can enhance their operational capabilities and deliver consistent, high-quality services to their users.

**References**

_Monitoring for Distributed and Microservices Deployments_ – DigitalOcean: https://www.digitalocean.com/community/tutorials/monitoring-for-distributed-and-microservices-deployments

1.  **The Best Ways to Automate SBOM Creation**
2.  **Relevance of CI/CD Practices in IT Software Delivery**
3.  **Building Your First Web Application with Yii Framework**
4.  **Transform Your CAD Workflow with Parametric Modeling**
5.  **Power of Cloud App Development, DevOps for Businesses**
6.  **Efficiency in a Virtualized World: A Deep Dive into Modern IT**

Monitoring Distributed Microservices

Session Fixation vulnerability in Apache Kylin.

This issue affects Apache Kylin: from 2.0.0 through 4.x.

Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-752q-72qc-rc66: Apache Kylin Session Fixation vulnerability

There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems (e.g., NTFS). This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-10389

**Safearchive Path Traversal vulnerability**

Moderate severity GitHub Reviewed Published Nov 4, 2024 to the GitHub Advisory Database • Updated Nov 4, 2024

**Package**

gomod github.com/google/safearchive (Go)

**Affected versions**

< 0.0.0-20241025131057-f7ce9d7b6f9c

**Patched versions**

0.0.0-20241025131057-f7ce9d7b6f9c

There exists a Path Traversal vulnerability in Safearchive on Platforms with Case-Insensitive Filesystems (e.g., NTFS). This allows Attackers to Write Arbitrary Files via Archive Extraction containing symbolic links. We recommend upgrading past commit f7ce9d7b6f9c6ecd72d0b0f16216b046e55e44dc

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-10389
*   google/safearchive@f7ce9d7

Published to the GitHub Advisory Database

Nov 4, 2024

GHSA-q3rp-vvm7-j8jg: Safearchive Path Traversal vulnerability

German law enforcement authorities have announced the disruption of a criminal service called dstat[.]cc that made it possible for other threat actors to easily mount distributed denial-of-service (DDoS) attacks.
"The platform made such DDoS attacks accessible to a wide range of users, even those without any in-depth technical skills of their own," the Federal Criminal Police Office (aka

German law enforcement authorities have announced the disruption of a criminal service called dstat\[.\]cc that made it possible for other threat actors to easily mount distributed denial-of-service (DDoS) attacks.

"The platform made such DDoS attacks accessible to a wide range of users, even those without any in-depth technical skills of their own," the Federal Criminal Police Office (aka Bundeskriminalamt or BKA) said.

"The use of stresser services to carry out DDoS attacks has recently become increasingly known in the context of police investigations."

The BKA described dstat\[.\]cc as a platform that offered recommendations and evaluations of stresser services in order to conduct DDoS attacks against websites of interest and render them unresponsive.

According to an alert published by Radware, dstat\[.\]cc offered botnet owners the ability to assess the capacity and capabilities of their DDoS attack services.

"Bot herders use DStat sites to gauge and demonstrate the strength of their botnet, booter, or script against various unprotected and protected targets," the company said.

Dstat\[.\]cc, based on the collected information from demonstration attacks, provides reviews and contact information for the booter services, allowing potential subscribers to compare and find the best service for their malicious intents."

In tandem, two suspects aged 19 and 28 have been arrested from Darmstadt and the Rhein-Lahn districts. They are also accused of providing criminal infrastructure for the trafficking of narcotics in considerable quantities.

Specifically, they are alleged to have advertised and sold designer drugs and liquids made of synthetic cannabinoids on an online platform named "Flight RCS" that was accessible on the clearnet.

The takedown of dstat\[.\]cc is part of an ongoing concerted law enforcement operation dubbed PowerOFF, which has led to the closure of several DDoS-for-hire sites such as digitalstress\[.\]su and Anonymous Sudan in recent months.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

German Police Disrupt DDoS-for-Hire Platform dstat[.]cc; Suspects Arrested

This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️)
We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean.

Weekly Recap / Cybersecurity

This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️)

We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean. (But don't do that, you need it to read this newsletter!)

The good news? We've got the inside scoop on all the latest drama. Think of this newsletter as your cheat sheet for surviving the digital apocalypse. We'll break down the biggest threats and give you the knowledge to outsmart those pesky hackers. Let's go!

****⚡ Threat of the Week****

**North Korean Hackers Deploy Play Ransomware:** In what's a sign of blurring boundaries between nation-state groups and cybercrime actors, it has emerged that the North Korean state-sponsored hacking crew called **Andariel** likely collaborated with the Play ransomware actors in a digital extortion attack that took place in September 2024. The initial compromise occurred in May 2024. The incident overlaps with an intrusion set that involved targeting three different organizations in the U.S. in August 2024 as part of a likely financially motivated attack.

 **Upgrade Your Cybersecurity Skills with SANS at CDI 2024 + Get a $1,950 Bonus!**

Unlock top-tier cybersecurity training at SANS CDI 2024, December 13-18 in Washington, DC. With over 40 expert-led courses, you'll gain practical skills and a $1,950 bonus, including extended lab access and a GIAC certification attempt when you train in-person! Offer ends November 11.

Boost Your Skills Now!****🔔 Top News****

*   **Chinese Threat Actor Uses Quad7 Botnet for Password Spraying:** A Chinese threat actor tracked by Microsoft as Storm-0940 is leveraging a botnet called Quad7 (aka CovertNetwork-1658) to orchestrate highly evasive password spray attacks. The attacks pave the way for the theft of credentials from multiple Microsoft customers, which are then used for infiltrating networks and conducting post-exploitation activities.
*   **Opera Fixed Bug That Could Have Exposed Sensitive Data:** A fresh browser attack named CrossBarking has been disclosed in the Opera web browser that compromises private application programming interfaces (APIs) to allow unauthorized access to sensitive data. The attack works by using a malicious browser extension to run malicious code in the context of sites with access to those private APIs. These sites include Opera's own sub-domains as well as third-party domains such as Instagram, VK, and Yandex.
*   **Evasive Panda Uses New Tool for Exfiltrating Cloud Data:** The China-linked threat actor known as Evasive Panda infected a government entity and a religious organization in Taiwan with a new post-compromise toolset codenamed CloudScout that allows for stealing data from Google Drive, Gmail, and Outlook. The activity was detected between May 2022 and February 2023.
*   **Operation Magnus Disrupts RedLine and MetaStealer:** A coordinated law enforcement operation led by the Dutch National Police led to the disruption of infrastructure associated with RedLine and MetaStealer malware. The effort led to the shut down of three servers in the Netherlands and the confiscation of two domains. In tandem, one unnamed individual has been arrested and a Russian named Maxim Rudometov has been charged for acting as one of RedLine Stealer's developers and administrators.
*   **Windows Downgrade Allows for Kernel-Level Code Execution:** New research has found that a tool that could be used to rollback an up-to-date Windows software to an older version could also be weaponized to revert a patch for a Driver Signature Enforcement (DSE) bypass and load unsigned kernel drivers, leading to arbitrary code execution at a privileged level. Microsoft said it's developing a security update to mitigate this threat.

****‎️‍🔥 Trending CVEs****

CVE-2024-50550, CVE-2024-7474, CVE-2024-7475, CVE-2024-5982, CVE-2024-10386, CVE-2023-6943, CVE-2023-2060, CVE-2024-45274, CVE-2024-45275, CVE-2024-51774

****📰 Around the Cyber World****

*   **Security Flaws in PTZ Cameras:** Threat actors are attempting to exploit two zero-day vulnerabilities in pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, religious places, and courtroom settings. Affected cameras use VHD PTZ camera firmware < 6.3.40, which is found in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. The vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, enable threat actors to crack passwords and execute arbitrary operating system commands, leading to device takeover. "An attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information," GreyNoise said. "Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks." PTZOptics has issued firmware updates addressing these flaws.
*   **Multiple Vulnerabilities in OpenText NetIQ iManager:** Nearly a dozen flaws have been disclosed in OpenText NetIQ iManager, an enterprise directory management tool, some of which could be chained together by an attacker to achieve pre-authentication remote code execution, or allow an adversary with valid credentials to escalate their privileges within the platform and ultimately achieve post-authenticated code execution. The shortcomings were addressed in version 3.2.6.0300 released in April 2024.
*   **Phish 'n' Ships Uses Fake Shops to Steal Credit Card Info:** A "sprawling" fraud scheme dubbed Phish 'n' Ships has been found to drive traffic to a network of fake web shops by infecting legitimate websites with a malicious payload that's responsible for creating bogus product listings and serving these pages in search engine results. Users who click on these phony product links are redirected to a rogue website under the attacker's control, where they are asked to enter their credit card information to complete the purchase. The activity, ongoing since 2019, is said to have infected more than 1,000 websites and built 121 fake web stores in order to deceive consumers. "The threat actors used multiple well-known vulnerabilities to infect a wide variety of websites and stage fake product listings that rose to the top of search results," HUMAN said. "The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout. And though the consumer's money will move to the threat actor, the item will never arrive." Phish 'n' Ships has some elements in common with BogusBazaar, another criminal e-commerce network that came to light earlier this year.
*   **Funnull Behind Scam Campaigns and Gambling Sites:** Funnull, the Chinese company that acquired Polyfill\[.\]io JavaScript library earlier this year, has been linked to investment scams, fake trading apps, and suspect gambling networks. The malicious infrastructure cluster has been codenamed Triad Nexus. In July, the company was caught inserting malware into polyfill.js that redirected users to gambling websites. "Prior to the polyfill\[.\]io supply chain campaign, ACB Group – the parent company that owns Funnull's CDN – had a public webpage at 'acb\[.\]bet,' which is currently offline," Silent Push said. "ACB Group claims to own Funnull\[.\]io and several other sports and betting brands."
*   **Security Flaws Fixed in AC charging controllers:** Cybersecurity researchers have discovered multiple security shortcomings in the firmware of Phoenix Contact CHARX SEC-3100 AC charging controllers that could allow a remote unauthenticated attacker to reset the user-app account's password to the default value, upload arbitrary script files, escalate privileges, and execute arbitrary code in the context of root. The

**🔥 **Resources, Guides & Insights********🎥 Expert Webinar****

**Learn LUCR-3's Identity Exploitation Tactics and How to Stop Them —** Join our exclusive webinar with Ian Ahl to uncover LUCR-3's advanced identity-based attack tactics targeting cloud and SaaS environments.

Learn practical strategies to detect and prevent breaches, and protect your organization from these sophisticated threats. Don't miss out—register now and strengthen your defenses.

****🔧 Cybersecurity Tools****

*   **SAIF Risk Assessment** — Google introduces the SAIF Risk Assessment, an essential tool for cybersecurity professionals to enhance AI security practices. With tailored checklists for risks such as Data Poisoning and Prompt Injection, this tool translates complex frameworks into actionable insights and generates instant reports on vulnerabilities in your AI systems, helping you address issues like Model Source Tampering.
*   CVEMap — A new user-friendly tool for navigating the complex world of Common Vulnerabilities and Exposures (CVE). This command-line interface (CLI) tool simplifies the process of exploring various vulnerability databases, allowing you to easily access and manage information about security vulnerabilities.

****🔒 Tip of the Week****

**Essential Mobile Security Practices You Need** — To ensure robust mobile security, prioritize using open-source apps that have been vetted by cybersecurity experts to mitigate hidden threats. Utilize network monitoring tools such as **NetGuard** or **AFWall+** to create custom firewall rules that restrict which apps can access the internet, ensuring only trusted ones are connected. Audit app permissions with advanced permission manager tools that reveal both background and foreground access levels. Set up a DNS resolver like **NextDNS** or **Quad9** to block malicious sites and phishing attempts before they reach your device. For secure browsing, use privacy-centric browsers like **Firefox Focus** or **Brave**, which block trackers and ads by default. Monitor device activity logs with tools like **Syslog Viewer** to identify unauthorized processes or potential data exfiltration. Employ secure app sandboxes, such as **Island** or **Shelter**, to isolate apps that require risky permissions. Opt for apps that have undergone independent security audits and use VPNs configured with **WireGuard** for low-latency, encrypted network connections. Regularly update your firmware to patch vulnerabilities and consider using a mobile OS with security-hardening features, such as **GrapheneOS** or **LineageOS**, to limit your attack surface and guard against common exploits.

****Conclusion****

And that's a wrap on this week's cyber-adventures! Crazy, right? But here's a mind-blowing fact: Did you know that every 39 seconds, there's a new cyberattack somewhere in the world? Stay sharp out there! And if you want to become a true cyber-ninja, check out our website for the latest hacker news. See you next week! 👋

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Latest News