Red Hat Security Advisory 2024-8232-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8232.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.17.2 packages and security update  
Advisory ID:        RHSA-2024:8232-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8232  
Issue date:         2024-10-23  
Revision:           03  
CVE Names:          CVE-2024-5569  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.17.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.2. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8229

Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip  
file in jaraco/zipp (CVE-2024-5569)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html

CVEs:

CVE-2024-5569

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2296413  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529

Red Hat Security Advisory 2024-8232-03

Red Hat Security Advisory 2024-8229-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8229.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.17.2 bug fix and security update  
Advisory ID:        RHSA-2024:8229-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8229  
Issue date:         2024-10-23  
Revision:           03  
CVE Names:          CVE-2024-28180  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.17.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.  
Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)  
* openstack-ironic: Lack of checksum validation on images (CVE-2024-47211)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

Solution:

CVEs:

CVE-2024-28180

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2315010  
https://issues.redhat.com/browse/OCPBUGS-36453  
https://issues.redhat.com/browse/OCPBUGS-38116  
https://issues.redhat.com/browse/OCPBUGS-41552  
https://issues.redhat.com/browse/OCPBUGS-42176  
https://issues.redhat.com/browse/OCPBUGS-42349  
https://issues.redhat.com/browse/OCPBUGS-42607  
https://issues.redhat.com/browse/OCPBUGS-42716  
https://issues.redhat.com/browse/OCPBUGS-42784  
https://issues.redhat.com/browse/OCPBUGS-42803  
https://issues.redhat.com/browse/OCPBUGS-42806  
https://issues.redhat.com/browse/OCPBUGS-42839  
https://issues.redhat.com/browse/OCPBUGS-42842  
https://issues.redhat.com/browse/OCPBUGS-42953  
https://issues.redhat.com/browse/OCPBUGS-42954  
https://issues.redhat.com/browse/OCPBUGS-42958  
https://issues.redhat.com/browse/OCPBUGS-42974  
https://issues.redhat.com/browse/OCPBUGS-42996  
https://issues.redhat.com/browse/OCPBUGS-42997  
https://issues.redhat.com/browse/OCPBUGS-43009  
https://issues.redhat.com/browse/OCPBUGS-43051  
https://issues.redhat.com/browse/OCPBUGS-43069  
https://issues.redhat.com/browse/OCPBUGS-43112  
https://issues.redhat.com/browse/OCPBUGS-43227  
https://issues.redhat.com/browse/OCPBUGS-43312  
https://issues.redhat.com/browse/OCPBUGS-43321

Red Hat Security Advisory 2024-8229-03

Red Hat Security Advisory 2024-8228-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8228.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Low: OpenShift Container Platform 4.17.2 security and extras update  
Advisory ID:        RHSA-2024:8228-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8228  
Issue date:         2024-10-22  
Revision:           03  
CVE Names:          CVE-2023-37920  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.17.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.2. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8229

Security Fix(es):

* python-certifi: Removal of e-Tugra root certificate (CVE-2023-37920)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html

CVEs:

CVE-2023-37920

References:

https://access.redhat.com/security/updates/classification/#low  
https://bugzilla.redhat.com/show_bug.cgi?id=2226586

Red Hat Security Advisory 2024-8228-03

Red Hat Security Advisory 2024-6341-03 - Kube Descheduler Operator for Red Hat OpenShift 5.1.0 for RHEL 9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_6341.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Kube Descheduler Operator for Red Hat OpenShift 5.1.0 for RHEL 9  
Advisory ID:        RHSA-2024:6341-03  
Product:            Kube Descheduler Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:6341  
Issue date:         2024-10-23  
Revision:           03  
CVE Names:          CVE-2024-24788  
====================================================================

Summary: 

Kube Descheduler Operator for Red Hat OpenShift 5.1.0 for RHEL 9

Description:

The Kube Descheduler Operator for Red Hat OpenShift is an optional  
operator that deploys the descheduler, which is responsible for  
evicting pods based on certain strategies.

Security Fix(es):

* golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)  
* golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)  
* net/http: Denial of service due to improper 100-continue handling in net/http (CVE-2024-24791)

Solution:

CVEs:

CVE-2024-24788

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2279814  
https://bugzilla.redhat.com/show_bug.cgi?id=2292787  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://issues.redhat.com/browse/OCPBUGS-11891  
https://issues.redhat.com/browse/OCPBUGS-41860

Red Hat Security Advisory 2024-6341-03

The longer we avoid reform, the further behind we'll fall in AI innovation — and the more vulnerable we'll be.

Stephen Kines, Chief Operations Officer, Goldilock

October 23, 2024

5 Min Read

Source: Jochen Tack via Alamy Stock Photo

COMMENTARY

Artificial intelligence (AI) technology has become virtually inescapable, and its growth has kickstarted a worldwide AI arms race. But where the US was once at the forefront, it's quickly losing ground to countries like China, because its energy grid cannot support the breakneck pace of innovation. To remain a global AI leader, the federal government needs to make the grid more secure and resilient by addressing three compounding issues. 

**Growing Energy Demands**

First, data center electricity consumption is expected to triple, from 2.5% of the US total in 2022 to 7.5% by 2030. That's equivalent to the energy consumption of one-third of all US homes. We need to squeeze more power generation out of the energy grid, or it won't be able to meet the demand of AI. At the same time, the US must show the world that this can be done sustainably as it continues working toward its net-zero goals. 

Acknowledging this necessity, executives from OpenAI, Nvidia, Anthropic, and Google met at the White House recently for a Roundtable on US Leadership in AI Infrastructure. Following the gathering, the administration announced several new actions to accelerate public-private collaboration, including plans to launch a new Task Force on AI Data Center Infrastructure to coordinate policy across government. 

Time will tell if these efforts help achieve the energy usage and data center capacity required by AI. In the meantime, there are other challenges to consider.

**Utilities Are the New Frontlines of the Cyber War**

Countries like Russia, China, and Iran have a long history of infiltrating US businesses to steal proprietary technology and data. Today, critical infrastructure has become a primary target for cyberattacks by nation-states engaged in geopolitical conflict, and the impact this can have on the ability of the US to prevail in the AI arms race is huge.  

I've seen the chaos critical infrastructure attacks can cause firsthand through my participation in NATO's Defense Innovation Accelerator for the North Atlantic (DIANA), which is aiming to "provide companies with the resources, networks, and guidance to develop deep technologies to solve critical defense and security challenges." Energy is at the top of its agenda and was highlighted as one of three challenges in 2023. 

Rogan Shimmin, challenge manager at DIANA, calls attention to the fact that "these threats are compounded by a significant lack of cyber literacy in the energy sector, which is leading to continued investment in insecure legacy infrastructure and is scaring industry players away from adopting proper security measures." 

**Growing Threat of Climate Change and Severe Weather**

Malicious actors and adversaries aren't the only players who can compromise networks. Severe weather and the heightened energy demand that often results during these instances can also take down networks, as we saw during the 2021 Texas grid collapse. Plus, there's the ongoing possibility of another solar flare knocking out grids, like this year's auroral storms. 

If we continue with business as usual, our energy grids will remain vulnerable to both physical and cyberattacks at any time. As we saw with SolarWinds and the Colonial Pipeline attack, the damage can be catastrophic, not just impacting energy supply but putting the US's position on the world stage at risk. 

**Assessing Recent Federal Efforts for Energy Resiliency**

Fortunately, the federal government recognizes that energy resilience is a priority and has taken measures to support this. Announced in May, the Federal Energy Regulatory Commission's (FERC's) Order No. 1920 outlines a smart grid approach that's a crucial step in addressing long-term transmission planning needs. However, its passage has been hamstrung by political debate in an election year when action is urgently needed.  

In the same vein, the White House launched a Federal-State Modern Grid Deployment Initiative with commitments from 21 leading states. The goal is to bring states together with federal entities and power sector stakeholders in support of modern grid technologies to enable next-level capacity and throughput. The initiative was launched in tandem with the US Climate Alliance's announcement of "policy, technical, and analytical assistance to help participating members advance state-level efforts to carry out these commitments." 

**Is This Enough? Not Really**

These regulations and state-by-state initiatives are a step in the right direction, but they fall short. As the Modern Grid Deployment Initiative alludes, the US must address its energy demands through a level of smart controls, mainly via dynamic line rating (DLR) systems using intelligent sensors and more widely geographically distributed networks. This technology is fundamental to getting more out of networks, and it should be applied to water and other core sectors as well. However, it requires crossing state lines, which is a political hot potato.  

The US must also reduce its attack surface. While DLR and other modern grid technologies can be revolutionary, they exponentially increase the threat of cyberattacks and create new vectors for malicious actors. We have to develop these technologies with a security-first mindset to give utilities a way to stop attacks in their tracks before they can spread, and get back online quickly through better backup and disaster recovery solutions.  

James Appathurai, acting assistant secretary general for innovation, hybrid, and cyber at NATO, argues the ability to disconnect is one of the main security lessons from the Russia-Ukraine war. Upon Russia's first invasion, Ukraine prioritized improving its cyber resilience by building in air gaps through physical network segmentation so its critical infrastructure could be disconnected from the Internet at critical moments. "\[The Internet of Things\] is great, connecting to the Internet for efficiency is great, but you absolutely must build in the worst-case scenario. Being able to run if you are cyberattacked — to air gap, to run on island mode — is very important." 

The federal government needs to acknowledge this urgency and implement regulations that will ensure a more resilient and secure electrical grid. We must push past the partisan divide, as the longer we avoid reform, the further behind we'll fall in AI innovation, and the more vulnerable we'll be. 

**About the Author**

Chief Operations Officer, Goldilock

Stephen Kines is the chief operations officer (COO) and co-founder of Goldilock. He served in the Canadian military and currently represents Goldilock in NATO on the DIANA program. Stephen is also an international corporate lawyer who has been a general counsel for international law firms, as well as ultra-high net worth individuals and families. His expertise is in technology transactions with a positive-ESG impact.

The US Needs a Better Energy Grid to Win the AI Arms Race

Despite a law enforcement sweep last May, the sophisticated downloader malware is re-emerging.

Source: Antony Cooper via Alamy Stock Photo

Just a few months after Europol launched a full-scale disruption effort against malware botnets, one of its primary targets — a downloader malware called Bumblebee — seems to have staged a revival.

The sophisticated piece of malware has been widely used by cybercriminals to break into corporate networks, and its effectiveness is precisely what drew law enforcement's attention. In May, Europol launched full-scale takedowns of a variety of botnets, including IcedID, Trickbot, Smokeloader, SystemBC and Pickabot, as well as Bumblebee. The multipronged effort, dubbed Operation Endgame, was a splashy and highly publicized action to hunt down and stop cybercriminals hiding in their jurisdiction.

In addition to May's botnet bust-up, Operation Endgame added eight Russian nationals to Europe's list of most wanted fugitives for their alleged roles as developers of the Emotet botnet. By mid-June, Operation Endgame made an arrest: a 28-year-old Ukrainian man accused of working as a developer for Russian ransomware groups Conti and LockBit.

**Bumblebee Takes Flight Again**

The botnet was first identified and named by the Google Threat Analysis Group in March 2022. Since its takedown in May, there hadn't been any sign of Bumblebee, until now. Researchers at Netskope found a new instance of Bumblebee being used in combination with a payload not typically associated with the botnet, indicating this is a new iteration of the malware downloader.

Related:Dark Reading News Desk Live From Black Hat USA 2024

"The infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee," the Netskope researchers wrote in a recent blog post. "These activities might indicate the resurfacing of Bumblebee in the threat landscape."

Its re-emergence would hardly come as a surprise. Other valuable botnet strains like Emotet have likewise risen from the dead. Though disrupted for a time by law enforcement in 2021, Emotet returned with a vengeance and new functionality.

Bumblebee is known for spreading through a variety of methods, including phishing, malicious advertising, and SEO poisoning, explains Patrick Tiquet, vice president of security and architecture for Keeper Security.

And Bumblebee's latest attack chain is even more difficult for defenders to spot than previous versions, according to Tamir Passi, senior product director at DoControl. "What makes this version particularly concerning is its sophistication," Passi says. "Instead of the noisy, obvious attacks we've seen before, it's using a stealthier approach that makes it harder to detect. The attackers are leveraging legitimate tools like MSI installers — it's basically hiding in plain sight."

Related:Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

Scarier still is what happens after Bumblebee gets inside a corporate network, he adds.

"But here's the real kicker — this isn't just about compromising individual machines," Passi says. "Once attackers gain access, they can potentially harvest credentials and access all sorts of corporate resources, including SaaS applications. Think about it — one successful phishing email could lead to widespread access across your entire cloud environment."

With stakes that high, cybersecurity teams need to rely on a healthy combination of user awareness training, a zero-trust cybersecurity model, strong password security, and more, Tiquet advises.

Law enforcement organizations will continue to do what they can to tamp down the effectiveness of large cybercrime operations, but along with enterprise cybersecurity teams, they are up against formidable, highly motivated adversaries.

"The re-emergence of Bumblebee after Operation Endgame demonstrates the adaptability of the group believed to be responsible for its development," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "Despite law enforcement efforts to disrupt their activities, the actors quickly reintroduced Bumblebee, indicating well-prepared contingency plans."

Related:Anonymous Sudan Unmasked as Leader Faces Life in Prison

Bumblebee Malware Is Buzzing Back to Life

Identity security is front, and center given all the recent breaches that include Microsoft, Okta, Cloudflare and Snowflake to name a few. Organizations are starting to realize that a shake-up is needed in terms of the way we approach identity security both from a strategic but also a technology vantage point. 
Identity security is more than just provisioning access 
The conventional view

Identity Security / Data Protection

Identity security is front, and center given all the recent breaches that include Microsoft, Okta, Cloudflare and Snowflake to name a few. Organizations are starting to realize that a shake-up is needed in terms of the way we approach identity security both from a strategic but also a technology vantage point. 

**Identity security is more than just provisioning access**

The conventional view of viewing identity security as primarily concerned with provisioning and de-provisioning access for applications and services, often in a piecemeal manner, is no longer sufficient. This view was reflected as a broad theme in the Permiso Security State of Identity Security Report (2024), which finds that despite growing levels of confidence in the ability to identify security risk, nearly half of organizations (45%) remain "concerned" or "extremely concerned" about their current tools being able to detect and protect against identity security attacks.

The Permiso commissioned survey conducted over the summer, interviewed over 500 IT security and risk practitioners, with direct control or influence over security and risk decision-making. The findings reflect despite growing investment, maturity and confidence in cyber risk mitigation controls, organizations remain concerned in the face of advancing identity threats.

The key insights include:

*   SaaS is seen as the riskiest environment.
*   93% of organizations stated that they can inventory identities across all environments, as well as track keys, tokens, certificates and any modifications that are made to any environment.
*   85% can determine "who is doing what" across fragmented authentication boundaries.
*   45% remain "concerned" or "extremely concerned" about their current tools being able to detect and protect against identity security attacks.
*   45% suffered an identity security incident in the last year, with impersonation attacks the leading threat vector.

**Can you detect rogue identities?**

Despite 86% of organizations stating that they can identify their riskiest identities (human and non-human), nearly half (45%) suffered an identity security incident in the last year, with impersonation attacks the leading threat vector -- revealing that social engineering-based attacks continue to be a pervasive threat to organizations.

When it came to the consequences for those that were breached, targeting sensitive data, which included personally identifiable information (PII) and intellectual property (IP), topped the list for 54% of those that were breached. 46% of organizations stated that the threat actors also escalated privileges and went after their supply chains (45%), both on the vendor and customer side.

**Human identities remain a soft target**

Another interesting finding was human identities are seen as the riskiest, with employees at the top of the list. Contrary to much of the market hype, non-human identities (API keys, OAuth tokens, service accounts) are seen as less risky than their human counterparts.

**Identity security is siloed**

It is not clear that organizations understand what identity security responsibility entails for the hybrid and multi cloud reality. Despite most organizations using on average 2.5 public clouds, the IT team (56%) was singled as being primarily responsible for ensuring the identity security for the organization across multiple environments. This may reflect identity still being seen as limited to access provisioning and deprovisioning. According to Jason Martin, Permiso Co-CEO and Co-Founder, this finding could be explained by "identity security traditionally having fallen under the general responsibilities for IT who are seen as stewards of IT systems, which includes provisioning access and securing identities. Only in a minority of organizations are we seeing the security department as the primary stakeholder for securing identities."

Security budgets also appear to be siloed, with SaaS (87%) and IaaS (81%) environments getting the bulk of security spend vs all environments (46%). From a tooling perspective it appears that the IaaS layer (66%) has seen the bulk of the focus with a combination of cloud native security tools such as AWS GuardDuty and CNAPP solutions being used.

Although it appears that most organizations are "risk aware" to the cyber threats that they face, it is clear we have some way to go concerning having the ability to detect and respond to identity threats as they arise. In fact, being able to detect and prevent credential compromise, account takeover and insider threat was cited as the leading concern for organizations.

**Towards universal identity security**

It's up to all of us, the vendors, organizations and the broader security community to reimagine what is needed from a people, process and technology standpoint to secure the new reality of human and non-human identity as the leading threat vector. In this regard we need to recast identity security from merely provisioning or de-provisioning access to applications and services, to viewing it as a strategic business enabler.

Permiso Security was born to address this challenge, making unified identity security for all identities, across all environments, a reality.

You can access the full report here: https://hero.permiso.io/state-of-identity-security-survey-report-2024

Learn more about how Permiso can help bring this strategy to your organization.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Permiso State of Identity Security 2024: A Shake-up in Identity Security Is Looming Large

A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result

Vulnerability / Threat Intelligence

A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result in remote code execution.

"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft said in an alert for the flaw.

Patches for the security defect were released by Redmond as part of its Patch Tuesday updates for July 2024. The exploitation risk is compounded by the fact that proof-of-concept (PoC) exploits for the flaw are available in the public domain.

"The PoC script \[...\] automates authentication to a target SharePoint site using NTLM, creates a specific folder and file, and sends a crafted XML payload to trigger the vulnerability in the SharePoint client API," SOCRadar said.

There are currently no reports about how CVE-2024-38094 is exploited in the wild. In light of in-the-wild abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by November 12, 2024, to secure their networks.

The development comes as Google's Threat Analysis Group (TAG) revealed that a now-patched zero-day vulnerability in Samsung's mobile processors has been weaponized as part of an exploit chain to achieve arbitrary code execution.

Assigned the CVE identifier CVE-2024-44068 (CVSS score of 8.1), it has been addressed as of October 7, 2024, with the South Korean electronics giant characterizing it as a "use-after-free in the mobile processor \[that\] leads to privilege escalation."

While Samsung's terse advisory makes no mention of it having been exploited in the wild, Google TAG researchers Xingyu Jin and Clement Lecigne said a zero-day exploit for the shortcoming is used as part of a privilege escalation chain.

"The actor is able to execute arbitrary code in a privileged cameraserver process," the researchers said. "The exploit also renamed the process name itself to 'vendor.samsung.hardware.camera.provider@3.0-service,' probably for anti-forensic purposes."

The disclosures also follow a new proposal from CISA that puts forth a series of security requirements in order to prevent bulk access to U.S. sensitive personal data or government-related data by countries of concern and covered persons.

In line with the requirements, organizations are expected to remediate known exploited vulnerabilities within 14 calendar days, critical vulnerabilities with no exploit within 15 calendar days, and high-severity vulnerabilities with no exploits within 30 calendar days.

"To ensure and validate that a covered system denies covered persons access to covered data, it is necessary to maintain audit logs of such accesses as well as organizational processes to utilize those logs," the agency said.

"Similarly, it is necessary for an organization to develop identity management processes and systems to establish an understanding of what persons may have access to different data sets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

Cyber attackers are using encoded JavaScript files to hide malware, abusing Microsoft’s Script Encoder to disguise harmful scripts…

Cyber attackers are using encoded JavaScript files to hide malware, abusing Microsoft’s Script Encoder to disguise harmful scripts in .jse files. ANY.RUN’s sandbox helps detect and decrypt these threats, enhancing security analysis efficiency.

Cyber attackers constantly innovate new ways to hide their malicious intentions. Recently, cybersecurity researchers at ANY.RUN came across a tactic used by attackers which involves the abuse of encoded JavaScript files. Attackers have been using the Microsoft Script Encoder to disguise harmful scripts within .jse files.

This tactic allows malware to remain hidden within seemingly legitimate scripts, posing a major threat to unsuspecting users and traditional security measures.

****Microsoft Script Encoder Exploited** **

Microsoft originally developed the Script Encoder to help developers obfuscate JavaScript and VBscript while keeping them executable with wscript and similar interpreters. This tool was initially designed to protect source code, but it has also become a valuable resource for malware developers.

By encoding JavaScript into a non-human-readable format, attackers can hide their malicious scripts. The latter can be delivered through phishing campaigns or drive-by-download attacks, where users unknowingly run the malicious script.

This obfuscation technique makes it difficult for traditional security tools to detect hidden threats. However, they can be detected faster with the help of tools, like ANY.RUN’s Script Tracer.

****How to Decrypt Encoded Malicious Scripts****

To view the log of the script execution, run the sample inside ANY.RUN’s sandbox. 

**View analysis session**

After running the sample, you can discover the behaviour of the script in an isolated environment using ANY.RUN’s Script Tracer:

*   **Obtain the length of the encrypted data**

Begin by identifying the length of the encoded portion of the script. While doing this, keep an eye out for the @ symbol, which serves as a key marker in the script. 

Encrypted data after the symbol @ is displayed in ANY.RUN’s sandbox

When you see @, it indicates that the next character has been modified using a specific algorithm.

*   **Substitute values in order**

With the encoded characters identified, begin the substitution process. This step involves replacing each encoded symbol with its corresponding decoded value. To decode each character in the script, follow the instructions in the image below:

Decoding the encoded JavaScript with ANY.RUN’s sandbox

*   **Obtain the decrypted value**

As you decode each character, you will start to uncover the readable form of the script. This step-by-step decoding reveals the underlying commands hidden within the encoded data.

*   **Insert the decrypted bytes into the buffer**

After decoding each character, store the decoded result in a buffer (a temporary space to hold the data). Continue adding decrypted characters until the entire script has been processed.

*   **Use the ord() function for character values**

Take the numeric value of each symbol using the ord() function, then retrieve the corresponding decoded character from the predefined encoding tuple using **PICK\_ENCODING**.

****Analyzing Malicious Scripts in a Safe Environment****

Manually decrypting encoded scripts can be complex and time-consuming. To make the decryption process easier and faster, you can use tools like ANY.RUN’s sandbox. 

It allows you to analyze malware behaviour in a secure environment, giving you the insights you need for detailed analysis.

Sign up for a 14-day free trial for unlimited malware analysis and see how it simplifies the process.

1.  Analysis of Top Infostealers: Redline, Vidar and Formbook
2.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
3.  OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects
4.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats
5.  Visa warns of Baka JavaScript skimmer capable of evading detection

Attackers Use Encoded JavaScript to Deliver Malware

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted…

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted cloud keys. This security flaw could lead to unauthorized access, data breaches, and service disruptions.

Research conducted by cybersecurity experts at Symantec has revealed that popular apps on both Android and iOS platforms contain hardcoded, unencrypted cloud service credentials, putting millions of users’ sensitive data and backend services at risk of unauthorized access and potential data breaches.

The issue comes from developers embedding access and secret keys directly in the app’s code instead of using secure storage methods. This makes it easy for attackers to access sensitive data, steal user information, or disrupt services.

Among the affected Android apps, Pic Stitch: Collage Maker, with over 5 million downloads, and Meru Cabs, Sulekha Business, and ReSound Tinnitus Relief, each with hundreds of thousands of downloads, were found to contain hardcoded AWS and Azure credentials, respectively. These credentials grant access to critical cloud storage and other backend services.

On the iOS side, popular apps like Crumbl (over 3.9 million ratings), Eureka: Earn Money for Surveys (402.1K ratings), and Videoshop – Video Editor (357.9K ratings) were also found to have hardcoded AWS credentials, including access keys and even WebSocket Secure (WSS) endpoints, further simplifying potential attacks.

Eureka IDA code with hardcoded AWS credentials (Via Symantec)

****Full list of impacted apps on iOS and Android****

*   **Crumbl (over 3.9 million ratings)**
*   **Meru Cabs (over 5 million downloads)**
*   **Sulekha Business (over 500,000 downloads)**
*   **Videoshop – Video Editor (over 357,000 ratings)**
*   **ReSound Tinnitus Relief (over 500,000 downloads)**
*   **Pic Stitch: Collage Maker (over 5 million downloads)**
*   **Eureka: Earn Money for Surveys (over 402,000 ratings)**

This issue, found on both Android and iOS, is a serious concern. It could lead to anything from individual data breaches to major service disruptions. Symantec’s findings show the urgent need for developers to follow security best practices.

To mitigate these risks, developers are advised to follow best practices for managing sensitive information within their applications. These include using environment variables, implementing secrets management, encrypting sensitive data, conducting regular code reviews and audits, and automating security scanning.

“This repeated pattern of insecure credential management across multiple apps underscores the critical need for developers to prioritize security in the mobile app development lifecycle,” **said** a Symantec spokesperson.

For users, Symantec advises installing **reputable security software**, downloading apps only from trusted sources, keeping software updated, carefully reviewing app permissions, and regularly backing up important data. These precautions can help mitigate the risks associated with insecure apps while developers work to address these critical vulnerabilities.

1.  Google reveals spyware attack on Android, iOS, and Chrome
2.  Study: Android sends more data to Google than iOS to Apple
3.  Bluetooth Falw Enables Keystroke Injection on Android and iOS
4.  WiFi Flaws Allow Network Traffic Interception on iOS and Android
5.  Instagram iOS, Android app flaw allowed account access to hackers

Latest News