The ABB BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'host' HTTP GET parameter called by networkDiagAjax.php script.

ABB Cylon Aspect 3.07.00 (networkDiagAjax.php) Remote Code Execution

Leaders in professional athletics lament the realities and risks of growth in connected stadium environments, social networks, and legalized gambling.

Source: Robert Landau via Alamy Stock Photo

Professional sporting events have long been prime targets for violent attacks and terrorism, given their vast audiences. In recent years, these events have become targets of cyberattacks as adversaries exploit venue operations to disrupt events, abuse payment systems for fraud, breach networks to steal data, and take advantage of how athletes interact with fans.

While game time is pivotal, there are many other vulnerabilities to which sports franchise operators and event organizers must apply resources, including a growing and increasingly fragmented ecosystem of stakeholders like broadcast and streaming partners, ticket distributors, and legalized gambling platforms.

"We've done pretty well so far," said Betsy Cooper, director of the Aspen Institute tech policy hub, during a panel at the 2024 Aspen Cyber Summit in Washington, DC. Despite the expanded threat, operators of major franchises, leagues, and international events (such as the Olympic games in Paris) believe their proactiveness has prevented devastating events that other industries have faced.

**1\. Athletes Need More Training**

Athletes are increasingly relying on social media and technology platforms to engage with fans and develop their brand. "I represent a lot of athletes, and a lot of them depend heavily on social media to build their brand and build their audience," Jaia Thomas — founder of Diverse Representation, a group of African American agents, attorneys, managers, PR reps, and financial advisors for athletes and entertainers — said during the panel discussion. "A lot of mistakes happen along the way, and they're not always the most tech-savvy people."

These athletes are also quite young and may be unaware that using these platforms exposes them to potential ransomware attacks or increased risks of being doxxed. "You're talking about kids, for the most part, that make up these teams, and the education piece needs to be strengthened," Eric Tysarczyk, senior vice president of the National Hockey League, said on the panel.

**2\. Event Attendees Are Vulnerable**

Now that most events only accept e-tickets, almost all attendees have phones with them. The NHL says fans need to take precautions with their mobile devices.

"Imagine if everyone that was in that arena is walking around with all their personal data taped to their back on a piece of paper, and how attractive that arena would be to a malicious actor to get in and just start cultivating all that data," Tysarczyk said.

**3\. Partnerships Are Critical for Major Events**

Reynold Hoover, the CEO of Los Angeles 2028 Olympic & Paralympic Games, told panel attendees that one of the reasons there were no disruptive cyberattacks during the Summer Olympics in Paris was due to information sharing across law enforcement and partners. The most notable activity leading up to the games was influence campaigns waged by Russian threat actors. "The Russians were very active in Paris, trying to disrupt," said Hoover, a former Army and National Guard lieutenant general with a background in military intelligence.

The Los Angeles Olympic Games in 2028 is expected to draw as many as 15 million visitors, 15,000 athletes, and 25,000 broadcasters across 800 different sporting events. Hoover said the committee is preparing for threat actors ranging from "goobers in their basements trying to do something stupid, all the way to nation-state actors."

The Los Angeles 2028 committee has partnered with the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the Federal Communications Commission, among other US agencies.

"We cannot do it alone," Hoover said. "It requires a public-private partnership and open and honest information sharing."

**4\. New Streaming Models Create New Challenges**

As all the major leagues expand their broadcast distribution rights to streaming providers, they can reach new audiences and gain new revenues. However, an attack that even briefly interrupts a broadcast could be costly in terms of lost advertising revenue, Tysarczyk said. "We're putting a lot of faith in those third-party operating techniques and what their cyber protections are," he said.

**5\. Legal Sports Betting Puts Premium on Inside Data**

Further, now that sports gambling is now legal in 38 US states, including Washington, DC, and Puerto Rico, stealing data is more lucrative for threat actors than ever. Non-public information, including health records and other proprietary statistics, is especially valuable. "\[It's\] the data that people use to develop trends and see where the wagers go and things like that," Tysarczyk said.

**6\. Expanded Partnerships Require Advanced Data Protection**

A broader ecosystem that shares increasing amounts of data needs to ensure that information is air-gapped, which was the focus in Paris this summer, Hoover said. "It really requires a partnership effort, and it was an all-hands-on-deck effort in Paris to defend the networks," he said. "It's a closed network, and so we are very concerned about the integrity of the sport, the safety of our athletes, and the safety of our fans that attend, and making sure that we can protect the data and keep that inbound and the right people are getting the right data."

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

6 Cybersecurity Headaches Sports Organizations Have to Worry About

The RISC-V chip architecture is gaining popularity worldwide, but the fact that it is easy to modify the processor design means it is also easy to introduce hard-to-patch vulnerabilities in the chips.

Source: Science Photo Library via Alamy Stock Photo

An emerging chip architecture gaining traction in smartphones, automotive technologies, and other electronics may find adoption stymied by security concerns.

Using x86 and ARM processors for hardware development can get expensive because of royalties that have to be paid to the owners (Intel and Arm). RISC-V is an instruction set on which customers can personalize silicon chips to meet their needs, much like how Lego blocks are put together. RISC-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

RISC-V is drawing interest among companies in the auto, critical infrastructure, and industrial sectors. For example, NASA is creating chips based on RISC-V that it intends to use in its space programs. Omdia estimates RISC-V shipments could tally 17 billion processors in 2030, improving 50% every year starting in 2024.

"46% of those processors are expected to be found in industrial applications, although the biggest growth over the forecast period will come in the automotive segment," Omdia said.

**Vulnerabilities in Designs**

RISC-V's open-source ethos is its biggest advantage, but also a liability: bad actors could introduce backdoors in the chip designs. Vulnerabilities in RISC-V chips used in automotive technology or critical infrastructure could be disastrous.

At Black Hat USA in August, researchers disclosed Ghostwrite, which allows users to bypass memory protection and access privileged memory in a RISC-V chip design called Xuantie C910. The Xuantie C910, designed by T-Head, a subsidiary of China-based Alibaba Group, received a lot of publicity when it was launched three years ago. It was one of the earliest RISC-V processors with a vector extension, which helps CPUs run demanding applications that include AI.

The vulnerability is particularly concerning because it affects the chip's proprietary vector extension, which wasn't properly implemented, says Fabian Thomas, a researcher in the group at CISPA Helmholtz Center for Information Security that discovered GhostWrite. Chip makers can patch the C910 by disabling the vector extension, but it will still be difficult to implement.

"People bought it and built 64-core machines because of that, and now we have to tell them to disable it," Thomas says.

**Shared Designs, Hard to Patch**

The issue is not in the RISC-V architecture itself, but in a faulty silicon implementation. Chip designers are enthusiastic about sharing RISC-V designs, but this means that designs with vulnerabilities may potentially be replicated and used in various areas. Resulting devices could be vulnerable to attack, and may be difficult to patch with microcode updates.

"The digital transformation happening in these sectors means they're all connected now, creating potential to exploit across all these very safety-critical systems," says Margaret Schmitt, a hardware security consultant.

It's already difficult to fix hardware vulnerabilities with firmware updates. The open nature of this chip architecture means it will be difficult to fix them in the field. "The silicon vulnerability is worse because you can't really fix them in the field in many cases... if it connects to critical infrastructure, this could be seen forever," says Alex Matrosov, CEO at Binarly.io.

There are hundreds of RISC-V designs available on GitHub to pick up, but security teams need to consider the risks of winding up with malicious chip designs with backdoors. "This is similar to open-source software projects where people \[make\] changes, saying 'I'm making it better,' but it's actually a backdoor or malware," Schmitt says.

The concern is especially heightened as the RISC-V architecture has become a priority for Russia and China, which are investing heavily in the technology to build homegrown chips. China and Russia ramped up RISC-V adoption after the U.S. banned the export of advanced chips to these countries amid trade and political hostilities.

The U.S. government has already talked about limiting RISC-V access to China, though that may be hard to do as the architecture is open source.

"You're seeing a potential basis for China to use this, a potential for unintended or intentionally added weaknesses to be a serious concern," says Schmitt.

**Working With Security Partners**

Organizations working with RISC-V chips on a shoestring budget may make the decision to sacrifice security, says Mike Eftimakis, vice president of strategy and ecosystem at Codasip, a software company.

"To be able to find a bug, you have to have the infrastructure behind you. It's very expensive and requires specialized knowledge, so it naturally shrinks the base of people who could potentially help with the verification of these devices," Eftimakis says.

Hardware security experts recommended going to established RISC-V companies with solid security processes, a strong customer base, and a good track record of designing chips. One example is Santa Clara, Calif.-based SiFive, which handles security analysis and rigorous compliance testing in its cores. The company has a large customer base that includes Google and NASA, a spokesman said in an email.

Another RISC-V company, Cupertino, Calif-based Ventana Micro Systems, uses the Caliptra specification to put security features directly in computing chips. Caliptra was developed by the Open Compute Project, a coalition which includes Google, Microsoft, AMD, and Nvidia.

Ventana Micro leaders have extensive experience working with x86 and ARM architectures, and are using that experience to secure RISC-V chips. "We applied these learnings during our ground-up development and have many patented features targeted at making our microarchitecture resilient to attacks," a company spokesperson said in an email.

**About the Author**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Security Concerns Plague Emerging Chip Architecture

A water treatment facility in a small city took serious precautions to prevent any bad outcomes from a hazy cyber incident.

Source: Dmitry Kaminsky via Alamy Stock Photo

The water treatment facility for a small city in Kansas experienced a "cybersecurity incident" on the morning of Sept. 22.

Arkansas City — population 12,000, a two-hour drive north of Oklahoma City — sits at the junction of the Walnut and Arkansas Rivers, the latter of which supplies the town's drinking water. A notice from the city's Environmental Services Administration revealed that on Sept. 22, its treatment facility experienced a "cybersecurity incident." Authorities were contacted and precautionary measures taken. Most notably, the facility moved to fully manual operations — a temporary decision made "out of caution," according to city manager Randy Frazer in the notice.

"Despite the incident, the water supply remains completely safe, and there has been no disruption to service," Frazer wrote. "Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period."

The administration added that "Cybersecurity experts and government authorities are working to resolve the situation and return the facility to normal operations. Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents."

Dark Reading has reached out to Arkansas City for more information about the incident. In lieu of details, Shawn Waldman, CEO and founder of Secure Cyber, points out that a switch to manual operations could indicate some degree of seriousness.

"In a breach that we investigated last November, we actually never went to manual mode," he recalls. "We were able to isolate the human-machine interfaces (HMIs) and keep the Russian malware contained, and we let the plant operate as normal. There's a lot of strain on employees when you put a plant in manual mode. That's the last case scenario — you don't want to go into manual mode unless you have to."

**The Problem With State-of-the-Art Systems**

Industrial control systems have long struggled to match old, legacy equipment to the demands of modern day cybersecurity.

Less often spoken of is the opposite problem: newer facilities designed with greater connectivity in mind, which introduce attack surfaces that the dinosaur, often analog machines, didn't have.

The new 5.4 million-gallon-per-day water treatment facility in Arkansas City opened in February 2018. It cost $22 million to build, and sports "advanced technology" estimated to save the city up to 20% on operational and maintenance costs. The exact nature of its cybersecurity posture is unknown. 

"Just because a city comes out and says: 'We just upgraded everything, and it's all new, and we should be good' — well, that's great, but what about cybersecurity?" asks Waldman. "Some cities are not making a proper investment into securing their critical infrastructure.

"My city did that exact thing: I know for a fact that they did not upgrade cybersecurity, but they spent around $14 million or more to upgrade all the infrastructure."

To ensure that cities don't leave security out of their budgets, Waldman says, "The EPA and Congress need to step up and get that new EPA standard for cybersecurity passed. They tried to do it before, and then they got sued. And what did we give up? Weeks after that, Iran launched a bunch of attacks on the water systems in the United States. Because, big surprise, Iran reads the US news."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Kansas Water Plant Pivots to Analog After Cyber Event

The encrypted messaging service said it will share users' IP addresses and phone numbers with authorities when requested.

Source: Geoff Smith via Alamy Stock Photo

Telegram will hand over user information, such as phone numbers and IP addresses, to authorities in order to limit the criminal activity that occurs on the platform, the company said in an update to its privacy policies.

"If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities," said Telegram in its user privacy policy.

This recent change in policy comes after Telegram CEO Pavel Durov was arrested and indicted in France after being held liable for the behavior of users on the platform.

This set off speculation of whether this would change the way Telegram has become a harbor for threat actors to communicate with one another, sell stolen data, and distribute malware, among other things. Initial signs pointed to things remaining the same, however, this update indicates a new era for the messaging app.

Telegram will also update its search feature to remove problematic content from its search results. And it will implement a system to allow users to report illegal search terms through an @SearchReport bot that will be reviewed by human moderators.

**About the Author**

Telegram to Share User Info With Law Enforcement in Policy Shift

The security vulnerabilities could lead to everything from gas spills to operations data disclosure, affecting gas stations, airports, military bases, and other hypersensitive locations.

Source: Bax Walker via Alamy Stock Photo

Multiple critical security vulnerabilities in automatic tank gauge (ATG) systems, some unpatched, threaten critical infrastructure facilities with disruption and physical damage, researchers are warning.

ATGs are sensor systems that monitor and manage fuel storage tanks to ensure that fill levels aren't too low or too high, to see that leaks are detected in real-time, and to manage inventory. ATGs can be found where you'd expect them to be, like at gas stations and airports, but also in less obvious installations.

"In the US, for example, we were told that you are required by law to have an ATG system installed in any fuel tank of a certain size," Pedro Umbelino, principal research scientist at Bitsight's TRACE unit, explains to Dark Reading. "Gas stations are the largest and most obvious use case, but the second largest use case for ATGs are critical facilities that require large backup generators — you often see these in facilities like hospitals, military installations and airports."

Worryingly, most of the newly discovered vulnerabilities allow for an attacker to have full control of an ATG as an administrator. And according to Umbelino, the 11 bugs across six ATG systems from five different vendors can thus open the door to a gamut of nefarious activities, ranging from making fueling unavailable to wreaking environmental havoc.

Related:Kansas Water Plant Pivots to Analog After Cyber Event

"What's even more concerning is that, besides multiple warnings in the past, thousands of ATGs are still currently online and directly accessible over the Internet, making them prime targets for cyberattacks, especially in sabotage or cyberwarfare scenarios," Umbelino said in an analysis released on Sept. 24.

The bugs were discovered six months ago, with Bitsight, the US Cybersecurity and Infrastructure Security Agency (CISA), and the affected vendors working in tandem to mitigate the problems. As a result of those efforts, "Maglink and Franklin have released patches," Umbelino says. "The affected OPW product has been EOL'd \[end of life\] and is no longer being supported by the vendor, so they will not be releasing a patch. Proteus and Alisonic have not engaged with us or with CISA as part of the disclosure process, so it's unclear to us if they’ve released or are working on a mitigation plan."

Patching isn't where the remediation needs stop, though.

"Even for devices that have had patches issued, my top recommendation is to disconnect these devices from the public Internet," Umbelino says. "Most of them were never designed to be connected in the way they are today, so they weren't built with the level of security that is required for Internet-connected devices. They're being used in ways that vendors hadn't initially intended, and that's what is at the core of these vulnerabilities. Taking them off the public Internet is the only true solution."

Related:Concerns Over Supply Chain Attacks on US Seaports Grow

**Major Cyber-Risk From ATG Tampering**

ATGs not only automatically measure and record the level, volume, and temperature of products in storage tanks, but they're usually connected to sirens, emergency shutoff valves, ventilation systems, and peripherals like fuel dispensers.

"Part of what makes these devices attractive to security researchers, or a malicious actor for that matter, is the potential ability to control physical processes that could lead to disastrous consequences if they are abused in unintended ways," Umbelino noted.

As Umbelino explained, "We found vanilla reflected cross-site scripting (XSS). The authentication bypasses were direct path access. The command injections lacked filtering. There were hardcoded administrator credentials. The arbitrary file read was a direct path traversal access, yielding admin credentials. The SQL injection could be exploited aided by full SQL error logs."

The vulnerabilities are as follows:

Related:Name That Toon: Tug of War

Source: Bitsight TRACE.

As an example of those consequences, attackers could exploit the bugs to change the amount of liquid a tank is capable of taking on, while also tampering with overflow alarms. The result could be an undetected tank overflow, which could cause gas spills and environmental chaos.

And as Umbelino explained in the post, "The most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it. In our research, we've shown that an attacker can gain access to a device and drive the relays at very fast speeds, causing permanent damage to them."

Other bad outcomes include making the systems inaccessible via denial of service (DoS), exposing competitive operations data (delivery dates, pricing, inventory intel, types of alarms, etc.), or the loss of compliance data leading to potential regulatory fines. In a DoS scenario for instance, an attack could "lead to downtime and would usually require human intervention," Umbelino explained in the posting. "In fact, these types of attacks are currently ongoing, with claims of exploitation of at least one brand of devices for which we published a vulnerability on just two weeks ago."

**Critical Infrastructure Under Increasing Cyber Threat**

The critical infrastructure threat landscape continues to be a thorny problem for security practitioners, starting with the fact that ICS systems and the operational technology (OT) that controls them are designed to prioritize reliability and efficiency, not security.

"As a result, they often lack modern protections," Umbelino noted. "In addition ... vendors recently started to integrate them with newer technology to improve efficiency and remote access and this significantly changes their threat model. Of course, there is also a lack of cybersecurity experts that are familiar with ICS systems. It is hard to find vulnerabilities if no one is looking for them."

Threat actors have taken notice: Chinese APTs like Volt Typhoon and others are looking to gain a foothold within physical infrastructure, for operational espionage as well as cultivating the potential for disruptive attacks. Ransomware gangs have their own reasons for targeting ICS, as seen in the infamous Colonial Pipeline cyberattack.

"While not related to the vulnerabilities we found, there is a group consistently claiming ICT/OT disruption in the Ukraine-Russia war, including ATG systems," Umbelino says. "In this tweet, we can see an OPW ATG system being targeted, but they claim to have affected many other ICT/OT devices too, indicating that attackers do see these elements within critical infrastructure as a target."

CISA itself has flagged increased threats to water supply organizations, power plants, manufacturing, telecom carriers, military footprints, and more — attacks that are largely being spearheaded by APTs backed by China, Russia, and Iran.

So far, defenders have headed off catastrophic attacks at the pass, and there's no reason to expect mass gas spills anytime soon, given the complexity and sophistication required to exploit the bugs, but it's important to stay ahead of the risk.

"It’s not just about fixing vulnerabilities, it’s about adopting security practices that make them difficult to exist in the first place," Umbelino explained in the analysis. "And it is not just about the vulnerabilities themselves, it's about their exposure. Organizations need to understand they should not expose these types of critical systems to the public Internet. They need to effectively assess their exposure, understand their current risk and start addressing such issues, regardless of vendors ability to update their systems in a timely fashion."

Security researchers also have an important role to play, he adds, noting that stakeholders should be expanding their ICS focus.

"We should start paying more close attention to these types of systems that control very important parts of our society and that, if abused, can have a physical effect on the world, sometimes catastrophic," Umbelino says. "We need to systematically discover, classify and mitigate the risk of them being openly exposed to the Internet faster than the attackers, and be able to communicate that risk to all affected parties. It is not an easy task."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Critical Automated Tank Gauge Bugs Threaten Critical Infrastructure

### Description
Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack.

### Affected Spring Products and Versions
org.springframework:spring-web in versions 

6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37

Older, unsupported versions are also affected

### Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a Filter.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2rmj-mq67-h97g: Spring Framework DoS via conditional HTTP request

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.
Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include -

Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million

Mobile Security / Malware

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.

Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include -

*   Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million downloads
*   Max Browser-Private & Security (com.max.browser) - 1+ million downloads

As of writing, Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove the malware. The latest version of the app, 6.3.8.148, was released on September 8, 2024.

It's currently not clear how both the apps were compromised with the malware in the first place, although it's believed that a rogue software developer kit (SDK) for integrating advertising capabilities is the culprit.

Necro (not to be confused with a botnet of the same name) was first discovered by the Russian cybersecurity company in 2019 when it was hidden within a popular document scanning app called CamScanner.

CamScanner later blamed the issue on an advertisement SDK provided by a third-party named AdHub that it said contained a malicious module to retrieve next-stage malware from a remote server, essentially acting as a loader for all kinds of malware onto victim devices.

The new version of the malware is no different, although it packs in obfuscation techniques to evade detection, particularly leveraging steganography to hide payloads.

"The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded," Kaspersky researcher Dmitry Kalinin said.

It can also "open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim's device, and potentially subscribe to paid services."

One of the prominent delivery vehicles for Necro is modded versions of popular apps and games that are hosted on unofficial sites and app stores. Once downloaded, the apps initialize a module named Coral SDK, which, in turn, sends an HTTP POST request to a remote server.

The server subsequently responds with a link to a purported PNG image file hosted on adoss.spinsok\[.\]com, following which the SDK proceeds to extract the main payload – a Base64-encoded Java archive (JAR) file – from it.

Necro's malicious functions are realized through a set of additional modules (aka plugins) that are downloaded from the command-and-control (C2) server, allowing it to perform a wide range of actions on the infected Android device -

*   NProxy - Create a tunnel through the victim's device
*   island - Generate a pseudo-random number that's used as a time interval (in milliseconds) between displays of intrusive ads
*   web - Periodically contact a C2 server and execute arbitrary code with elevated permissions when loading specific links
*   Cube SDK - A helper module that loads other plugins to handle ads in the background
*   Tap - Download arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads
*   Happy SDK/Jar SDK - A module that combines NProxy and web modules with some minor differences

The discovery of Happy SDK has raised the possibility that the threat actors behind the campaign are experimenting with a non-modular version as well.

"This suggests that Necro is highly adaptable and can download different iterations of itself, perhaps to introduce new features," Kalinin said.

Telemetry data gathered by Kaspersky shows that it blocked over ten thousand Necro attacks worldwide between August 26 and September 15, 2024, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey accounting for the most number of attacks.

"This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection," Kalinin said.

"The modular architecture gives the Trojan's creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Necro Android Malware Found in Popular Camera and Browser Apps on Play Store

Leverage Cloud App Development and DevOps to boost business agility, scalability, and security. Optimize operations, deploy faster, and…

Leverage Cloud App Development and DevOps to boost business agility, scalability, and security. Optimize operations, deploy faster, and future-proof your business with innovative AI, ML, and IoT integrations.

In the digital age, businesses must remain agile, scalable, and secure to stay competitive. Cloud app development, paired with DevOps, offers the tools and strategies necessary to meet these demands. These technologies enable companies to optimize operations, deploy applications faster, and safeguard their data, making them critical for success in today’s fast-paced marketplace.

****How Cloud App Development Can Future-Proof Your Business****

Cloud app development allows businesses to build scalable, flexible, and cost-effective applications that grow and evolve with their needs. With cloud platforms, businesses can eliminate the limitations of traditional infrastructure, enabling faster deployment and real-time updates. These apps can also be accessed from anywhere, providing businesses with the agility required to operate globally and adapt to changing market conditions.

In addition to scalability and flexibility, cloud app development future-proofs businesses by integrating advanced technologies like artificial intelligence (AI), machine learning (ML), and the Internet of Things (IoT). These integrations allow companies to leverage data-driven insights, automate processes, and enhance customer experiences, setting the foundation for long-term growth and innovation.

****Cloud-Native Development: Building Apps Designed for the Cloud from the Ground Up****

Cloud-native development refers to building applications specifically designed to run in cloud environments. Unlike traditional apps that are migrated to the cloud, cloud-native apps are built with scalability, resilience, and flexibility in mind from the start. This approach takes advantage of cloud features such as microservices architecture, containers, and continuous integration/continuous deployment (CI/CD) pipelines.

Microservices architecture breaks down applications into smaller, independent services that can be developed, deployed, and scaled independently. This results in faster development cycles and more efficient resource management. Containers, such as Docker and Kubernetes, provide an isolated environment for these services, ensuring consistency across different cloud environments. These technologies enable cloud-native apps to be more adaptable, ensuring they can scale rapidly and respond to changes in demand.

****Why Partnering with a Cloud App Development Company is Essential for Business Scalability****

Partnering with a cloud app development company is key to unlocking the full potential of cloud technologies for business scalability. These companies possess in-depth expertise in cloud platforms and tools, ensuring that the applications they develop are customized to meet the unique needs of your business.

A cloud app development company will optimize your application for both performance and scalability, allowing your business to easily expand services, accommodate more users, or integrate new functionalities as needed. Their specialized knowledge helps businesses avoid costly errors and inefficiencies, accelerating time to market and driving sustainable growth. Moreover, these companies provide ongoing support, ensuring that your cloud app stays secure and adapts to evolving technological and business demands.

****The Role of DevOps Services in Accelerating Your Cloud Application Deployment****

DevOps, a combination of development and operations, plays a pivotal role in cloud application deployment by fostering collaboration between development and IT teams. The goal of DevOps is to streamline the development lifecycle, automate processes, and accelerate application delivery. For cloud applications, DevOps services allow businesses to deploy apps faster, improve quality, and reduce downtime.

DevOps practices, such as automated testing and continuous integration, enable teams to identify and fix issues early in the development cycle. This reduces the risk of errors during deployment and ensures that applications are consistently reliable. Additionally, infrastructure as code (IaC) tools like Terraform and Ansible allow for the automated provisioning and management of cloud infrastructure, further accelerating the deployment process.

****The Benefits of Integrating DevOps Solutions into Cloud App Development****

Integrating DevOps solutions into cloud app development brings numerous advantages. First and foremost, it enables faster and more frequent releases, allowing businesses to deploy updates and new features quickly. This is especially important in today’s competitive environment, where customer needs and market demands are constantly changing.

DevOps also enhances collaboration between teams, ensuring that development, operations, and quality assurance work together seamlessly. This collaboration leads to fewer bottlenecks, improved efficiency, and more reliable applications. Automation, a key aspect of DevOps, reduces manual tasks, minimizes errors, and improves security by ensuring that every deployment follows best practices and adheres to compliance requirements.

****Cloud App Development: The Foundation for Digital Transformation****

Cloud app development is at the core of digital transformation. It provides businesses with the infrastructure and tools needed to modernize operations, deliver innovative services, and enhance customer experiences. By moving applications to the cloud or building cloud-native apps, businesses gain the flexibility and scalability needed to experiment with new technologies and business models.

Cloud-based apps also enable businesses to access real-time data, making it easier to make informed decisions and respond to market trends. This data can be used to optimize processes, improve customer engagement, and create new revenue streams. For companies embarking on digital transformation, cloud app development is not just an option—it is a necessity.

****Cloud Security: How a Cloud App Development Company Ensures Data Protection****

Security is a top priority for any business operating in the cloud, and cloud app development companies take extensive measures to protect data. They design applications with built-in security features, such as encryption, access controls, and threat detection, to safeguard sensitive information. Moreover, these companies ensure compliance with industry standards and regulations, such as GDPR, HIPAA, and PCI-DSS, to protect businesses from legal and financial risks.

Cloud app development companies also implement automated security testing throughout the development process to identify and mitigate vulnerabilities early. Additionally, they monitor applications continuously to detect potential threats and take proactive measures to prevent breaches. By working with a trusted cloud app development company, businesses can ensure that their applications are not only high-performing but also secure and compliant with industry standards.

****Conclusion****

In conclusion, cloud app development, supported by DevOps practices, is essential for businesses looking to scale, innovate, and stay competitive in the digital age. By partnering with the right cloud app development company and integrating DevOps solutions, businesses can accelerate their digital transformation, improve application deployment, and protect sensitive data, all while staying ahead of the curve in an ever-changing technological landscape.

1.  Best Practices for Cloud Computing Security
2.  How To Safeguard Your Data With Cloud MRP System
3.  Front-End Development Matters for Online Businesses
4.  Evolution of Captive Portal to Cloud Authentication Solutions 
5.  Insights on Google Cloud Backup, Disaster Recovery Service

Harnessing the Power of Cloud App Development and DevOps for Modern Businesses

The money-transfer company is going on day four of its services being suspended.

Source: Alistair Laming via Alamy Stock Photo

MoneyGram's systems and payment services are down due to a "cybersecurity issue," with no clear timeline as to when it will be back up and running once more.

The money-wiring service's in-person and online payment systems have been down since Friday, Sept. 20. The next day, MoneyGram posted on social media platform X, noting that it was experiencing a network outage that was affecting connectivity to its systems. 

"We are working diligently to better understand the nature and scope of the issue," the post said. "We recognize the importance and urgency of this matter to our customers."

On Sept. 23, MoneyGram posted an update to X, informing the public that it has launched an investigation into a cybersecurity issue and confirming that it took its systems offline. It also reported that it was working with third-party cybersecurity experts and coordinating with law enforcement, potentially indicating that the money-transfer company may have been victim to a data breach, though only time will tell.

Either way, as a financial services company, MoneyGram has access to a host of sensitive data, particularly bank accounts and credit card numbers, as well as names, addresses, and usernames and passwords. All of this makes MoneyGram and those it services a potential target for malicious actors and financial fraud or identity theft.

**About the Author**

Latest News