Operation Overload pushes dressed up Russian state propaganda with the aim of flooding the US with election disinformation.

Source: Jozef Polc via Alamy Stock Photo

In the final days of the 2024 US election season, Russian state-backed actors are pushing enormous amounts of fake news disguised as information from reputable news outlets with the intention of flooding the American news ecosphere with enough garbage to influence who eventually wins the White House.

The Kremlin's full-scale propaganda push, named Operation Overload by researchers at Recorded Future who uncovered the effort, is pretty basic: influence the outcome of the US election by overwhelming already thread-bare newsroom resources. If the handful of journalists and trusted news sources left standing in the US are endlessly deploying scarce investigative resources to chase down fake news, there are fewer journalists left to debunk the junk.

It's an effective tactic that has been used by Operation Overload before. The Russian state-backed group honed its fake news skills with similar campaigns in France recently, Recorded Future pointed out in its report.

"Previously attempting to undermine the 2024 French elections and the Paris Olympics, the operation is now shifting its focus to the 2024 US presidential election," the report warned. "It involves creating fake news sites, false fact-checking resources, and AI-generated audio that mimics legitimate media outlets."

The group also adds branding and logos that make the disinformation look like it's from a trusted US news organization, making it difficult for consumers to know what's real and what isn't.

**Taking Aim at Tim Walz**

Most recently, the Russian fake news farm has been pushing disinformation against vice presidential candidate Tim Walz.

"Based on newly available intelligence, for example, the IC assesses that Russian influence actors manufactured and amplified inauthentic content claiming illegal activity committed by the Democratic vice-presidential candidate during his earlier career," an alert from the office of the director of national intelligence warned on Tuesday.

Besides fake news doctored up to look like legitimate reports, AI-generated content, and flooding media with propaganda to fact check, the effort relies heavily on automated social media posts to continuously pump out bad information, Recorded Future said.

It's on Elon Musk's X platform where many of the Operation Overload disinformation gets a lot of traction. Three separate false narratives being pushed by the Russian troll farm against Walz in recent days were traced back to X accounts by CBS News.

In the days to come, Recorded Future warned Operation Overload will continue to push three distinct varieties of disinformation aimed at influencing the outcome of the US election: stoking political violence, targeting candidates, and vilifying Ukrainians as well as the LGBTQIA+ community.

"The operation seeks to directly inject influence content into mainstream discussion of contentious political issues, eroding public trust in the democratic process, provoking US domestic concerns of political violence and 'civil war,' and exploiting existing social divisions," the report explained.

Russian Trolls Pose as Reputable Media to Sow US Election Chaos

The risk of exploitation is heightened, thanks to a proof-of-concept that's been made publicly available.

Source: Ascannio via Alamy Stock Photo

A high-severity flaw in Microsoft SharePoint, tracked as CVE-2024-38094, is under active exploit.

The bug is a deserialization vulnerability, which is often used as attack vectors by malicious cyber actors and poses a serious threat to federal enterprises. If successfully exploited, it could give threat actors remote code execution capabilities. The vulnerability has earned a CVSS score of 7.2 out of 10.

"An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft reported in an alert. 

Patches for the flaw were released in July as part of a series of Patch Tuesday updates, and it has since been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

The risk of potential continued exploitation of the vulnerability is further heightened due to the fact that a proof-of-concept is now available on GitHub for public viewing.

No additional details about how the vulnerability is being actively exploited have been shared, but due to these developments, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes by Nov. 12.

**About the Author**

Microsoft SharePoint Vuln Is Under Active Exploit

Popular titles on both Google Play and Apple's App Store include hardcoded and unencrypted AWS and Azure credentials in their codebases or binaries, making them vulnerable to misuse by threat actors.

Source: Aleksia via Alamy Stock Photo

Several widely used mobile apps, some with millions of downloads, expose hardcoded and unencrypted credentials to cloud services within their code bases, researchers from Symantec have found. This potentially allows anyone with access to the app’s binary or source code to extract the credentials to exploit cloud infrastructure for misuse.

Popular apps for both Android and iPhone devices include credentials for either Amazon Web Services (AWS) and Microsoft Azure Blog Storage within their code, Symantec revealed in a blog post this week. And they're found on each device platform’s respective official mobile app store: Google Play and Apple's App Store.

"This dangerous practice means that anyone with access to the app's binary or source code could potentially extract these credentials and misuse them to manipulate or exfiltrate data, leading to severe security breaches," Symantec engineers wrote in the post.

Further, the "widespread nature" of the vulnerabilities across apps for both iOS and Android platforms "underscores the urgent need for a shift towards more secure development practices" when it comes to mobile applications, they added.

Symantec’s research zeroed in on a number of widely distributed mobile applications that included either AWS or Azure credentials in their codebases. In terms of the former, both Android and iOS apps are guilty of credential exposure, while several Android apps expose Azure storage credentials.

Related:SoftwareOne Launches Cloud Competency Centre in Malaysia

For example, an app called The Pic Stitch: Collage Maker found on the Google Play store contains hardcoded AWS production credentials — including the production Amazon S3 bucket name, the read and write access keys, and secret keys — in its codebase, the researchers found. It also reveals staging credentials in some cases.

**iOS Apps With Serious Security Risks**

Meanwhile, three iOS apps examined by Symantec also were found to expose AWS credentials. One called Crumbl, which has more than 3.9 million user ratings and is ranked No. 5 in the Food & Drink category on the Apple App Store, initializes an AWSStaticCredentialsProvider with plaintext credentials. The credentials, which are used to configure AWS services, include both an access key and secret key.

Furthermore, the app also includes another "significant security oversight" by including a WebSocket Secure (WSS) endpoint within its code. This endpoint, part of the Amazon API URL, is hardcoded with an API Gateway that directly connects to the Internet of Things services on AWS.

"Exposing such URLs alongside static credentials makes it easier for attackers to potentially intercept or manipulate communications, leading to unauthorized access to the associated AWS resources," the engineers wrote. Thus, this vulnerable configuration, without proper encryption or obfuscation, "presents a serious risk to the integrity of the application and its backend infrastructure," they noted.

Related:Unmanaged Cloud Credentials Pose Risk to Half of Orgs

Two other iOS apps with hundreds of thousands of App Store ratings also expose AWS credentials by hardcoding them directly within their code; the apps are Eureka: Earn Money for Surveys and Videoshop – Video Editor.

The former allocates an INMAWSCredentials object and initializes it with the access key and secret key, both stored in plaintext and which can be used to log events to AWS, "exposing critical cloud resources to potential attacks," the engineers said.

The latter directly embeds unencrypted AWS credentials in the \[VSAppDelegate setupS3\] method, which means anyone with access to the app's binary could easily extract them. This would give them unauthorized access to the associated S3 buckets and potentially lead to data theft or manipulation.

**Android Apps Expose Azure Credentials**

Similarly, three Android applications expose credentials to Microsoft Azure Blob Storage directly, via either their binaries or codebases, Symantec found.

Related:Cisco Disables DevHub Access After Security Breach

An Indian ride-sharing app, Meru Cabs — which has more than 5 million downloads on Google Play — includes hardcoded Azure credentials within its UploadLogs service by embedding a connection string that includes an account key. "This connection string is used to manage log uploads, exposing critical cloud storage resources to potential abuse," the engineers wrote.

Sulekha Business, another Android app with more than 500,000 downloads, embeds multiple hardcoded Azure credentials used for various purposes — such as adding posts, handling invoices, and storing user profiles — across its codebase.

A third Android app that also has more than 500,000 downloads, ReSound Tinnitus Relief, also hardcodes Azure Blob Storage credentials for managing various assets and sound files, the exposure of which could lead to unauthorized access and data breaches.

**Mitigation Begins With App Development**

Symantec’s findings come a day after the release of a report by Datadog that found that unmanaged credentials that live for too long on a cloud-based network posed a security risk to half of organizations. Indeed, any inadvertent disclosure of credentials to cloud services exposes any organization with network infrastructure, software, or other assets running on them to significant risk, according to Symantec.

A good place to start to mitigate these risks is in the development of applications, where developers should follow best practices for managing sensitive information. They include the use of environment variables to store sensitive credentials so they are loaded at runtime rather than embedded directly in the app's code, according to Symantec.

Developers also should use dedicated secrets management tools, such as AWS Secrets Manager or Azure Key Vault, to securely store and access credentials. If the credentials must be stored in the app, then they should ensure that they use strong encryption algorithms, and decrypt them at runtime as needed.

According to Symantec, another way to protect credentials and also avoid other potential app-development missteps is to integrate automated security-scanning tools into the development pipeline to detect common security flaws early in the development process.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mobile Apps With Millions of Downloads Expose Cloud Credentials

The longer we avoid reform, the further behind we'll fall in AI innovation — and the more vulnerable we'll be.

Stephen Kines, Chief Operations Officer, Goldilock

October 23, 2024

5 Min Read

Source: Jochen Tack via Alamy Stock Photo

COMMENTARY

Artificial intelligence (AI) technology has become virtually inescapable, and its growth has kickstarted a worldwide AI arms race. But where the US was once at the forefront, it's quickly losing ground to countries like China, because its energy grid cannot support the breakneck pace of innovation. To remain a global AI leader, the federal government needs to make the grid more secure and resilient by addressing three compounding issues. 

**Growing Energy Demands**

First, data center electricity consumption is expected to triple, from 2.5% of the US total in 2022 to 7.5% by 2030. That's equivalent to the energy consumption of one-third of all US homes. We need to squeeze more power generation out of the energy grid, or it won't be able to meet the demand of AI. At the same time, the US must show the world that this can be done sustainably as it continues working toward its net-zero goals. 

Acknowledging this necessity, executives from OpenAI, Nvidia, Anthropic, and Google met at the White House recently for a Roundtable on US Leadership in AI Infrastructure. Following the gathering, the administration announced several new actions to accelerate public-private collaboration, including plans to launch a new Task Force on AI Data Center Infrastructure to coordinate policy across government. 

Time will tell if these efforts help achieve the energy usage and data center capacity required by AI. In the meantime, there are other challenges to consider.

**Utilities Are the New Frontlines of the Cyber War**

Countries like Russia, China, and Iran have a long history of infiltrating US businesses to steal proprietary technology and data. Today, critical infrastructure has become a primary target for cyberattacks by nation-states engaged in geopolitical conflict, and the impact this can have on the ability of the US to prevail in the AI arms race is huge.  

I've seen the chaos critical infrastructure attacks can cause firsthand through my participation in NATO's Defense Innovation Accelerator for the North Atlantic (DIANA), which is aiming to "provide companies with the resources, networks, and guidance to develop deep technologies to solve critical defense and security challenges." Energy is at the top of its agenda and was highlighted as one of three challenges in 2023. 

Rogan Shimmin, challenge manager at DIANA, calls attention to the fact that "these threats are compounded by a significant lack of cyber literacy in the energy sector, which is leading to continued investment in insecure legacy infrastructure and is scaring industry players away from adopting proper security measures." 

**Growing Threat of Climate Change and Severe Weather**

Malicious actors and adversaries aren't the only players who can compromise networks. Severe weather and the heightened energy demand that often results during these instances can also take down networks, as we saw during the 2021 Texas grid collapse. Plus, there's the ongoing possibility of another solar flare knocking out grids, like this year's auroral storms. 

If we continue with business as usual, our energy grids will remain vulnerable to both physical and cyberattacks at any time. As we saw with SolarWinds and the Colonial Pipeline attack, the damage can be catastrophic, not just impacting energy supply but putting the US's position on the world stage at risk. 

**Assessing Recent Federal Efforts for Energy Resiliency**

Fortunately, the federal government recognizes that energy resilience is a priority and has taken measures to support this. Announced in May, the Federal Energy Regulatory Commission's (FERC's) Order No. 1920 outlines a smart grid approach that's a crucial step in addressing long-term transmission planning needs. However, its passage has been hamstrung by political debate in an election year when action is urgently needed.  

In the same vein, the White House launched a Federal-State Modern Grid Deployment Initiative with commitments from 21 leading states. The goal is to bring states together with federal entities and power sector stakeholders in support of modern grid technologies to enable next-level capacity and throughput. The initiative was launched in tandem with the US Climate Alliance's announcement of "policy, technical, and analytical assistance to help participating members advance state-level efforts to carry out these commitments." 

**Is This Enough? Not Really**

These regulations and state-by-state initiatives are a step in the right direction, but they fall short. As the Modern Grid Deployment Initiative alludes, the US must address its energy demands through a level of smart controls, mainly via dynamic line rating (DLR) systems using intelligent sensors and more widely geographically distributed networks. This technology is fundamental to getting more out of networks, and it should be applied to water and other core sectors as well. However, it requires crossing state lines, which is a political hot potato.  

The US must also reduce its attack surface. While DLR and other modern grid technologies can be revolutionary, they exponentially increase the threat of cyberattacks and create new vectors for malicious actors. We have to develop these technologies with a security-first mindset to give utilities a way to stop attacks in their tracks before they can spread, and get back online quickly through better backup and disaster recovery solutions.  

James Appathurai, acting assistant secretary general for innovation, hybrid, and cyber at NATO, argues the ability to disconnect is one of the main security lessons from the Russia-Ukraine war. Upon Russia's first invasion, Ukraine prioritized improving its cyber resilience by building in air gaps through physical network segmentation so its critical infrastructure could be disconnected from the Internet at critical moments. "\[The Internet of Things\] is great, connecting to the Internet for efficiency is great, but you absolutely must build in the worst-case scenario. Being able to run if you are cyberattacked — to air gap, to run on island mode — is very important." 

The federal government needs to acknowledge this urgency and implement regulations that will ensure a more resilient and secure electrical grid. We must push past the partisan divide, as the longer we avoid reform, the further behind we'll fall in AI innovation, and the more vulnerable we'll be. 

**About the Author**

Chief Operations Officer, Goldilock

Stephen Kines is the chief operations officer (COO) and co-founder of Goldilock. He served in the Canadian military and currently represents Goldilock in NATO on the DIANA program. Stephen is also an international corporate lawyer who has been a general counsel for international law firms, as well as ultra-high net worth individuals and families. His expertise is in technology transactions with a positive-ESG impact.

The US Needs a Better Energy Grid to Win the AI Arms Race

Despite a law enforcement sweep last May, the sophisticated downloader malware is re-emerging.

Source: Antony Cooper via Alamy Stock Photo

Just a few months after Europol launched a full-scale disruption effort against malware botnets, one of its primary targets — a downloader malware called Bumblebee — seems to have staged a revival.

The sophisticated piece of malware has been widely used by cybercriminals to break into corporate networks, and its effectiveness is precisely what drew law enforcement's attention. In May, Europol launched full-scale takedowns of a variety of botnets, including IcedID, Trickbot, Smokeloader, SystemBC and Pickabot, as well as Bumblebee. The multipronged effort, dubbed Operation Endgame, was a splashy and highly publicized action to hunt down and stop cybercriminals hiding in their jurisdiction.

In addition to May's botnet bust-up, Operation Endgame added eight Russian nationals to Europe's list of most wanted fugitives for their alleged roles as developers of the Emotet botnet. By mid-June, Operation Endgame made an arrest: a 28-year-old Ukrainian man accused of working as a developer for Russian ransomware groups Conti and LockBit.

**Bumblebee Takes Flight Again**

The botnet was first identified and named by the Google Threat Analysis Group in March 2022. Since its takedown in May, there hadn't been any sign of Bumblebee, until now. Researchers at Netskope found a new instance of Bumblebee being used in combination with a payload not typically associated with the botnet, indicating this is a new iteration of the malware downloader.

Related:Dark Reading News Desk Live From Black Hat USA 2024

"The infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee," the Netskope researchers wrote in a recent blog post. "These activities might indicate the resurfacing of Bumblebee in the threat landscape."

Its re-emergence would hardly come as a surprise. Other valuable botnet strains like Emotet have likewise risen from the dead. Though disrupted for a time by law enforcement in 2021, Emotet returned with a vengeance and new functionality.

Bumblebee is known for spreading through a variety of methods, including phishing, malicious advertising, and SEO poisoning, explains Patrick Tiquet, vice president of security and architecture for Keeper Security.

And Bumblebee's latest attack chain is even more difficult for defenders to spot than previous versions, according to Tamir Passi, senior product director at DoControl. "What makes this version particularly concerning is its sophistication," Passi says. "Instead of the noisy, obvious attacks we've seen before, it's using a stealthier approach that makes it harder to detect. The attackers are leveraging legitimate tools like MSI installers — it's basically hiding in plain sight."

Related:Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

Scarier still is what happens after Bumblebee gets inside a corporate network, he adds.

"But here's the real kicker — this isn't just about compromising individual machines," Passi says. "Once attackers gain access, they can potentially harvest credentials and access all sorts of corporate resources, including SaaS applications. Think about it — one successful phishing email could lead to widespread access across your entire cloud environment."

With stakes that high, cybersecurity teams need to rely on a healthy combination of user awareness training, a zero-trust cybersecurity model, strong password security, and more, Tiquet advises.

Law enforcement organizations will continue to do what they can to tamp down the effectiveness of large cybercrime operations, but along with enterprise cybersecurity teams, they are up against formidable, highly motivated adversaries.

"The re-emergence of Bumblebee after Operation Endgame demonstrates the adaptability of the group believed to be responsible for its development," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "Despite law enforcement efforts to disrupt their activities, the actors quickly reintroduced Bumblebee, indicating well-prepared contingency plans."

Related:Anonymous Sudan Unmasked as Leader Faces Life in Prison

Bumblebee Malware Is Buzzing Back to Life

If exploited, bad actors can execute arbitrary code while evading detection thanks to a renamed process.

Source: B Christopher via Alamy Stock Photo

A zero-day vulnerability, tracked as CVE-2024-44068, has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution.

The vulnerability was given a critical CVSS score of 8.1 out of 10 and was patched in Samsung's October set of security fixes.

A National Institute of Standards and Technology (NIST) advisory on the bug describes it as "an issue \[that\] was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920." A use-after-free bug in the mobile processor ultimately leads to privilege escalation, the agency added.

Google researcher Xingyu Jin was credited with reporting the flaw earlier this year, and Google TAG researcher Clement Lecigne warned that an exploit exists in the wild.

"This zero-day exploit is part of an EoP chain," Jin and Lecigne noted. "The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to '\[email protected\]', probably for anti-forensic purposes."

**About the Author**

Samsung Zero-Day Vuln Under Active Exploit, Google Warns

PRESS RELEASE

CHARLOTTE, N.C. and SUNNYVALE, Calif., Oct. 21, 2024 /PRNewswire/ -- Honeywell (NASDAQ: HON) and Google Cloud announced a unique collaboration connecting artificial intelligence (AI) agents with assets, people and processes to accelerate safer, autonomous operations for the industrial sector.

This partnership will bring together the multimodality and natural language capabilities of Gemini on Vertex AI – Google Cloud's AI platform – and the massive data set on Honeywell Forge, a leading Internet of Things (IoT) platform for industrials. This will unleash easy-to-understand, enterprise-wide insights across a multitude of use cases. Honeywell's customers across the industrial sector will benefit from opportunities to reduce maintenance costs, increase operational productivity and upskill employees. The first solutions built with Google Cloud AI will be available to Honeywell's customers in 2025.

"The path to autonomy requires assets working harder, people working smarter and processes working more efficiently," said Vimal Kapur, Chairman and CEO of Honeywell. "By combining Google Cloud's AI technology with our deep domain expertise--including valuable data on our Honeywell Forge platform--customers will receive unparalleled, actionable insights bridging the physical and digital worlds to accelerate autonomous operations, a key driver of Honeywell's growth."

"Our partnership with Honeywell represents a significant step forward in bringing the transformative power of AI to industrial operations," said Thomas Kurian, CEO of Google Cloud. "With Gemini on Vertex AI, combined with Honeywell's industrial data and expertise, we're creating new opportunities to optimize processes, empower workforces and drive meaningful business outcomes for industrial organizations worldwide."

With the mass retirement of workers from the baby boomer generation, the industrial sector faces both labor and skills shortages, and AI can be part of the solution – as a revenue generator, not job eliminator. More than two-thirds (82%) of Industrial AI leaders believe their companies are early adopters of AI, but only 17% have fully launched their initial AI plans, according to Honeywell's 2024 Industrial AI Insights report. This partnership will provide AI agents that augment the existing operations and workforce to help drive AI adoption and enable companies across the sector to benefit from expanding automation.

Honeywell and Google Cloud will co-innovate solutions around:

Purpose-Built, Industrial AI Agents   
Built on Google Cloud's Vertex AI Search and tailored to engineers' specific needs, a new AI-powered agent will help automate tasks and reduce project design cycles, enabling users to focus on driving innovation and delivering exceptional customer experiences.

Additional agents will utilize Google's large language models (LLMs) to help technicians to more quickly resolve maintenance issues (e.g., "How did a unit perform last night?" "How do I replace the input/output module?" or "Why is my system making this sound?"). By leveraging Gemini's multimodality capabilities, users will be able to process various data types such as images, videos, text and sensor readings, which will help its engineers get the answers they need quickly – going beyond simple chat and predictions.

Enhanced Cybersecurity  
Google Threat Intelligence – featuring frontline insight from Mandiant – will be integrated into current Honeywell cybersecurity products, including Global Analysis, Research and Defense (GARD) Threat Intelligence and Secure Media Exchange (SMX), to help enhance threat detection and protect global infrastructure for industrial customers. 

On-the-Edge Device Advances   
Looking ahead, Honeywell will explore using Google's Gemini Nano model to enhance Honeywell edge AI devices' intelligence multiple use cases across verticals, ranging from scanning performance to voice-based guided workflow, maintenance, operational and alarm assist without the need to connect to the internet and cloud. This is the beginning of a new wave of more intelligent devices and solutions, which will be the subject of future Honeywell announcements.

By leveraging AI to enable growth and productivity, the integration of Google Cloud technology also further supports Honeywell's alignment of its portfolio to three compelling megatrends, including automation.

About Honeywell  
Honeywell is an integrated operating company serving a broad range of industries and geographies around the world. Our business is aligned with three powerful megatrends – automation, the future of aviation and energy transition – underpinned by our Honeywell Accelerator operating system and Honeywell Forge IoT platform. As a trusted partner, we help organizations solve the world's toughest, most complex challenges, providing actionable solutions and innovations through our Aerospace Technologies, Industrial Automation, Building Automation and Energy and Sustainability Solutions business segments that help make the world smarter and safer as well as more secure and sustainable. For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

About Google Cloud  
Google Cloud is the new way to the cloud, providing AI, infrastructure, developer, data, security, and collaboration tools built for today and tomorrow. Google Cloud offers a powerful, fully integrated, and optimized AI stack with its own planet-scale infrastructure, custom-built chips, generative AI models, and development platform, as well as AI-powered applications, to help organizations transform. Customers in more than 200 countries and territories turn to Google Cloud as their trusted technology partner.

Honeywell and Google Cloud to Accelerate Auto Operations With AI Agents for the Industrial Sector

The vulnerability affects all versions prior to v0.68.0 and highlights the risks organizations assume when consuming open source software and code.

Source: adison pangchai via Shutterstock

Organizations using Open Policy Agent (OPA) for Windows should consider updating to v0.68.0 or later to protect against an authentication hash leakage vulnerability identified in all earlier versions of the open source policy enforcement engine.

The vulnerability designated the identifier CVE-2024-8260, stems from improper input validation, and allows attackers to trick OPA into accessing a malicious Server Message Block (SMB) share. This can result in credential leakage and the potential exposure of sensitive system information.

**Enabling Credential Leaks**

"Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash — or in lay terms, the credentials — of the user currently logged into the Windows device running the OPA application," said researchers at Tenable, who discovered the bug and issued a report this week. "Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password."

Many organizations use OPA for Windows to implement and enforce authorization and resource access policies across their software stack, including cloud native applications, microservices, and APIs. The technology gives organizations a way to ensure consistent policy automation and compliance across mixed Linux and Windows environments.

The vulnerability that Tenable discovered essentially allows attackers to force a vulnerable system to authenticate to an attacker's server and thereby share user credentials in the process. The problem had to do with older versions of OPA for Windows not properly verifying the kind of files it received. Ordinarily, OPA should only use what are known as Rego files for rules and policies around decision making. What Tenable discovered was that because of improper validation, an attacker could pass an arbitrary SMB share instead of a Rego file to the OPA Command Line Interface or one of its Go library functions. An attacker could inject a path to their own server in the SMB share and force the system running the vulnerable OPA instance to authenticate to it.

"This can result in credential leaks or the execution of malicious logic, posing serious risks to system integrity and security," Tenable said. An adversary that obtains a NTLM hash by exploiting CVE-2024-8260 could use the hash in a variety of ways, including authenticating to other systems and services, moving laterally, connecting to file shares, and attempting to extract the password.

NTLM (New Technology LAN Manager) is a suite of authentication protocols from Microsoft that many organizations use to enable single sign-on to enterprise applications and services. Attackers have often exploited NTLM in so-called pass-the-hash attacks and NTLM relay attacks, where they essentially reuse a captured hash to authenticate to different applications and services without actually knowing the password.

**A Reminder of Open Source Risks**

Tenable described the vulnerability it discovered as highlighting the risks organizations assume when consuming open source software and code. In research that Black Duck described in its "2024 Open Source Security and Risk Analysis Report," the vendor found some 96% of code bases it reviewed to contain open source components. On average, 77% of all code in these codebases originated from open source. Some 84% codebases that underwent a risk assessment contained one or more security vulnerabilities and 74% had high-risk vulnerabilities like Log4Shel and XZ Utils in them. A surprising 14% of the code bases that Black Duck assessed had unpatched open source vulnerabilities in them that were 10 or more years old.

"As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface," said Ari Eitan, director of Tenable Cloud Security Research, in a statement. "This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

OPA for Windows Vulnerability Exposes NTLM Hashes

PRESS RELEASE

Kuala Lumpur, Malaysia – 22 Oct. 2024 –  SoftwareOne Holding AG, a leading global software and cloud solutions provider, has launched a SoftwareOne Cloud Competency Centre in collaboration with Amazon Web Services (AWS) in Kuala Lumpur, Malaysia. 

Serving businesses across Southeast Asia, this new centre will provide clients with local expertise and support in AWS cloud services, including generative artificial intelligence (AI) tools Amazon Bedrock, a fully managed service that provides a single API to access and utilise high-performing foundation model from leading AI companies, and Amazon Q, a generative AI-powered assistant for business and developers, to drive digital transformation. By establishing the SoftwareOne Cloud Competency Centre in Malaysia, SoftwareOne further expands its global delivery network across fast-growing technology markets to help local businesses innovate with the latest technology advancements. The SoftwareOne Cloud Competency Centre opening follows AWS’s own recent announcement of cloud infrastructure expansion in Malaysia.  

"As an AWS Premier Tier Services Partner, we are thrilled to continue our collaboration with AWS through the opening of our new SoftwareOne Cloud Competency Centre in Malaysia,” said David Tan, Regional Services Leader, APAC at SoftwareOne. "This is strategically aligned with AWS's commitment to Asia and will make SoftwareOne’s global expertise and resources readily accessible to local clients. Businesses of all types will be able to accelerate their digital journeys more efficiently, benefiting from on-the-ground support in cloud migration, application modernisation, end-user computing, and FinOps.” 

“AWS is committed to enabling global organisations across industries with the world’s most comprehensive and broadly adopted cloud, and AI technologies to innovate, scale, and achieve their business and digital transformation objectives with efficiency and resilience. The recent launch of our AWS Region in Malaysia deepens that resolve,” said Peter Murray, Country Manager, AWS Malaysia. “As a Premier Tier AWS Partner, SoftwareOne is well-positioned to help businesses adopt and optimise their AWS use. Establishing the SoftwareOne Cloud Competency Centre in Malaysia aligns our goals of expanding cloud accessibility and compliance capabilities locally for customers.” 

The SoftwareOne Cloud Competency Centre experts will guide clients in implementing the SoftwareOne Landing Zone for AWS, a comprehensive pre-configured and automated framework that provides a foundation for building a secure, multi-account AWS environment. Featuring cloud infrastructure, policies, and guardrails, including centrally managed services, it is designed to help organisations quickly set up a secure and scalable environment with a consistent set of AWS best practices.  

Leveraging industry-leading infrastructure as code tool Terraform, SoftwareOne’s Landing Zone for AWS gets clients up and running from a zero footprint to AWS workload deployment within days. It also helps clients improve the operational efficiency of their AWS environments with SoftwareOne’s ongoing management and expertise in implementing patching and updates. 

“Our cloud journey involves migrating and modernising complicated and legacy workloads with stringent timelines, and we need a partner who is agile, understands such complex environments and can work closely with our internal team,” said Daniel Anand, Head of Technology Infrastructure and Architecture, Sun Life Malaysia. “SoftwareOne is helping us implement best-in-class solutions tailored to our needs, ensuring a seamless transition to the cloud while maintaining compliance with us in building the detailed business case for board approval and aligning with Sun Life global cloud framework and compliance.” 

“The launch of the regional SoftwareOne Cloud Competency Centre demonstrates SoftwareOne’s continued dedication to empowering digital transformation globally,” said Sean Pope, Global Leader, SoftwareOne Centre of Excellence for AWS. “This Centre will be a cornerstone in our global portfolio development, enhancing our ability to deliver cutting-edge solutions and support to businesses in SEA. The innovations and best practices we establish here will also be pillars upon which to build, benefitting other regions by enhancing our global AWS service offerings.” 

For more information about the SoftwareOne Cloud Competency Centre in SEA and its support of digital transformation initiatives, please visit www.softwareone.com. 

About SoftwareOne  

SoftwareOne is a leading global software and cloud solutions provider that is redefining how organizations build, buy and manage everything in the cloud. By helping clients to migrate and modernize their workloads and applications – and in parallel, to navigate and optimize the resulting software and cloud changes – SoftwareOne unlocks the value of technology. The company’s ~9,300 employees are driven to deliver a portfolio of 7,500 software brands with sales and delivery capabilities in over 60 countries. Headquartered in Switzerland, SoftwareOne is listed on the SIX Swiss Exchange under the ticker symbol SWON. Visit us at www.softwareone.com.

SoftwareOne Launches Cloud Competency Centre in Malaysia

PRESS RELEASE

VIENNA, VA (October 22, 2024) – The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) announced the launch of LinkSECURE, a new program to help mature the cybersecurity capabilities of vendors and address the growing concern of supply chain cybersecurity vulnerabilities.  

The program aims to reduce third-party risk for RH-ISAC member companies by strengthening the cybersecurity of their suppliers. This initiative demonstrates RH-ISAC's commitment to improving cybersecurity across the entire retail and hospitality ecosystem.  

LinkSECURE program participants will work closely with dedicated support managers to implement critical security controls. In addition, the organization will hold virtual meetings, educational sessions on the essentials of cybersecurity, and topical briefings on major sector incidents one-on-one and in group settings. 

A few key points showcasing the significance of the new program include:  

*   Offers a guided path to implementing a prioritized set of safeguards to mitigate the most prevalent cyberattacks  
    

*   Guides these businesses to maturity in their cybersecurity programs 
    

*   Provides users with access to a vast array of RH-ISAC resources relevant to their sectors including threat intelligence, research/reporting, the work of member groups, and resources from partner organizations
    

“The LinkSECURE program is setting a new standard to help our industry become better prepared to combat ever-growing cybersecurity threats,” said Luke Vander Linden, RH-ISAC's Vice President of Membership and Marketing.  

The program will primarily be offered to RH-ISAC's Core Members’ vendors. Should other small to mid-sized retailers be interested, RH-ISAC will consider their participation too. 

For more information on RH-ISAC and the LinkSECURE offering, please visit rhisac.org/linkSECURE.  

ABOUT RH-ISAC 

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org. 

You May Also Like

Source

DARKReading