The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Source: PREMIO STOCK via Shutterstock

For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.

**Integer Overflow Bug**

The latest zero-day, which Google is tracking as CVE-2023-6345, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.

The company's advisory contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NIST's National Vulnerability Database (NVD) site described the flaw as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has "compromised the renderer process to potentially perform a sandbox escape via a malicious file." The NVD identified the bug as a high-severity issue.

Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.

The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.

**A Flood of Browser Zero-Days**

Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with CVE-2023-4863, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with CVE-2023-5217, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.

There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including CVE-2023-28205 and three others in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.

It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies to drop spyware on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.

**Ubiquitous Use**

Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.

"Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited," he says.

The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. "Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chrome's growing popularity among threat actors. "Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors," he says.

More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.

"To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date," Abbasi notes. "Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

Source: John Williams RF via Alamy Stock Photo

Hackers are actively exploiting a critical flaw in the open source ownCloud platform that allows access to access admin passwords, mail server credentials, and license keys, exposing their enterprise to data breaches or other types of malicious activity.

The flaw, tracked as CVE-2023-49103 and disclosed by ownCloud on Nov. 21, earned the top score of 10 out of 10 on the CVSS severity rating due to its ease of exploitation. It arises from a flaw in the "graphapi" app used in ownCloud, a file server and collaboration platform that enables secure storage, sharing, and synchronization of commonly sensitive files.

Researchers from GreyNoise observed what they characterized as "mass exploitation" of the flaw in the wild starting as early as Nov. 25, with at least 40 unique IP addresses seen trying to exploit the flaw so far, according to the current data shown on its tracker.

Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, characterized the initial exploitation observed by GreyNoise as attackers "pretty much spraying it across the Internet to see what hits," in an online discussion on Tuesday.

The Shadowserver Foundation also is tracking exploitation of the flaw, having observed more than 11,000 exposed instances, with most of those located in Germany, the US, France, and Russia.

The app affected by the flaw is present in ownCloud versions 0.2.0 to 0.3.0. "This app utilizes a third-party library that will reveal sensitive PHP environment configurations, including passwords and keys," Thorpe wrote in the post.

It's important to note that only by patching can those affected mitigate the issue, as even disabling the app does not entirely resolve it, according to GreyNoise. The flaw affects both containerized and non-containerized ownCloud instances, although Docker containers from before February 2023 are not vulnerable to the credential disclosure, the researchers noted.

Moreover, the vulnerability is just one of three that ownCloud revealed last week, all of which allow attackers to breach data in deployments of the platform, the researchers noted. The other two are an authentication bypass flaw tracked as CVE-2023-49105 and a critical flaw related to the oauth2 app tracked as CVE-2023-49104.

"Organizations using ownCloud should address these vulnerabilities immediately," GreyNoise recommended.

**Top CVSS Rating**

OwnCloud is used by nearly 1 million organizations worldwide to manage and share data through a self-hosted platform, replacing the use of online services such as Dropbox to share files throughout an organization. Theoretically this makes enterprise file transfers more secure than sending them over a public cloud, except of course if the deployment of ownCloud is being exploited.

That's the current case of the critical flaw in graphapi, which relies on a third-party library that provides a URL which, when accessed, reveals the configuration details of the PHP environment, according to ownCloud.

These details include all the environment variables of the Web server, which in containerized deployments "may include sensitive data such as the ownCloud admin password, mail server credentials, and license key," according to ownCloud.

In its fix, ownCloud deleted the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabled the phpinfo function docker-containers to remedy the flaw. The company also plans to harden various aspects in future core releases to mitigate similar vulnerabilities.

In addition to applying the fix, ownCloud also recommended that companies change the following secrets in their deployments: ownCloud admin password, mail server credentials, database credentials, and object-Store/S3 access-key.

**Other Flaws to Consider**

While not quite as severe as the graphapi flaw, the two other flaws recently discovered by ownCloud also are rated as critical and deserve attention, the company said.

CVE-2023-49105, rated as 9.8 on the CVSS, allows for attackers to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing key configured, which is the platform's default configuration.

The flaw affects the ownCloud "core" app versions 10.6.0 – 10.13.0 and can be fixed by denying the use of pre-signed URLs if no signing key is configured for the owner of the files.

CVE-2023-49104, meanwhile, affects the ownCloud oauth2 app versions before 0.6.1 and allows someone to pass in a specially crafted redirect URL that bypasses the validation code. This, in turn, allows the attacker to redirect callbacks to an attacker-controlled top-level domain.

The flaw is rated as 9 on the CVSS and can be mitigated by hardening the validation code in the oauth2 app. A workaround that also fixes the flaw is to disable the "Allow Subdomains" option, according to ownCloud.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

Guy Tytunovich, founder and CEO of CHEQ, says the days of a one-size-fits-all consent strategy are gone. Consider a two-pronged approach and use smart consent management technology to adapt to differing regulations.

Source: Formatoriginal via Alamy Stock Photo

COMMENTARY

Five years since the European Union's General Data Protection Regulation (GDPR) took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For multinational businesses, the GDPR isn't the only compliance hurdle on the horizon. Take, for example, the forthcoming enforcement of new privacy regulations like the California Privacy Rights Act (CPRA).

Businesses weren't ready for GDPR, and many still aren't. So, what now?

**The Consent-Compliance Gap: How Businesses Are Falling Short**

Data privacy awareness has increased among businesses since 2018, but many still struggle with compliance. The issue isn't just understanding the law but also enforcing it effectively. Many companies assume that simply using consent banners or consent management platforms (CMPs) ensures compliance. But all too often, these tools only provide an illusion of compliance, lacking crucial technical capabilities such as consent and preference enforcement.

The rapidly evolving patchwork of global and local privacy laws can also create confusing contradictions. Different jurisdictions have different requirements for obtaining and documenting consent. They may require different technical capabilities, such as real-time preference enforcement or the recognition of global opt-out preference signals. For example, the GDPR requires explicit consent, while other laws, such as the upcoming CPRA, accept implied consent in certain instances.

This leads to the consent-compliance gap. In this situation, businesses invest in and set up a consent tool, thinking they've fulfilled their compliance duties, yet they remain noncompliant in the eyes of the law.

**It's About to Get More Complicated**

In the five years since GDPR arrived, it's served as a model for data protection laws worldwide, inspiring legislation such as the California Consumer Privacy Act (CCPA), Brazil's General Data Protection Law, and China's Personal Information Protection Law (PIPL). Today, more than 130 nations have enacted privacy legislation, and in the United States, 12 states have enacted privacy laws, with six more in various stages of legislation.

In 2023 alone, four US privacy laws entered enforcement including The Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). CPRA, an updated version of the CCPA, also entered partial enforcement this year. State-level privacy laws also passed in Delaware Indiana, Iowa, Montana, Oregon, and Texas.

These laws, while similar in many ways, have distinct requirements that make managing consent across jurisdictions even more complicated.

Here's where things get tricky. GDPR requires clear, affirmative consent. But the CPRA, CPA, and CTDPA don't necessarily need that "yes" from users before collecting data. Instead, it's enough to offer users an easy way to say "no." This "opt-out" model changes the game and makes crafting a one-size-fits-all consent strategy near impossible.

What does this mean for businesses that operate in multiple locations? They need to play by the toughest rules — the GDPR's "opt-in" — while also offering California users the "opt-out" choice. And let's not forget, it's not just about these two laws. With over 130 countries having their own privacy laws, businesses could face a whirlwind of different, sometimes conflicting, rules to follow.

This situation calls for a two-pronged solution. On the technical side, businesses need smart consent management technology that can adapt to different regulations. It should be able to serve specific consent banners based on user location, catering to the unique requirements of each region.

On the organizational side, there's a need for constant vigilance and updating. Privacy laws are evolving creatures, with changes and new regulations popping up regularly. Businesses must keep their fingers on the pulse of these changes and adapt their consent management practices accordingly.

In essence, navigating the maze of global privacy laws isn't just about knowing the rules. It's about having the right tools to applying these rules and the commitment to staying updated on the ever-changing landscape of data privacy laws.

**Compliance Is a Constant Effort in an Evolving Global Privacy Landscape**

For the first few years of the GDPR, enforcement actions were few and far between as regulators established precedents in the courts and codified the rules of the regulation. This led many businesses to take a "wait and see" approach to consent and cookie compliance or to do the bare minimum necessary to appear compliant. Today, that approach won't cut it.

As of June 2023, the EU regulators have handed out billions in fines, which relate directly to consent management. One of the largest GDPR fines to date, a €746 million (US$786 million) judgment against Amazon in July 2021, was brought down because the tech company had been using an implied consent model on its EU properties.

Meanwhile, consumer awareness and expectations around data privacy are on the rise. Some 62% of European consumers consider privacy a concern, according to an IAPP survey. Privacy is no longer a mere compliance issue; it's a cornerstone of brand reputation and customer trust. Businesses demonstrating a commitment to privacy can leverage it as a competitive advantage, attracting privacy-conscious consumers and fostering stronger customer relationships.

But to gain that trust, privacy and consent management cannot be a "set it and forget it" initiative; businesses must make a constant, conscious effort to meet evolving requirements and new technologies such as global privacy signals. Five years on, GDPR plays a key role in shaping this landscape, but it's just one piece of an increasingly complex puzzle.

**About the Author(s)**

Founder & CEO, CHEQ

Guy Tytunovich is the founder and CEO of CHEQ, the leader in Go-to-Market Security. Guy is a veteran of the Israeli Military cybersecurity and intelligence units and a founder of numerous tech companies in the space.

Thought GDPR Compliance Was Hard? Buckle Up

Organizations from the Middle East and Africa have typically escaped public ransoms, but that's changing amid heightened geopolitical conflicts and digitalization initiatives.

Source: Jne Valokuvaus via Shutterstock

Cybercrime — and especially ransomware — traditionally have had an uneven impact across the Middle East and Africa (ME&A), yet recent data suggests that ongoing geopolitical conflicts will likely raise the overall level of cyberattacks across the regions.

South Africa saw a significant surge in attacks, with 78% of companies hit by ransomware in 2023, compared to 51% in 2022, according to the State of Ransomware 2023 report published by Sophos earlier this year.

However, the United Arab Emirates (UAE), for example, saw 70% fewer ransomware attacks in 2022, compared to the previous year, following greater international cooperation, according to statements by UAE government officials.

Cyber operations, including ransomware, will likely expand, as the ongoing conflict between Israel and Palestinians raises tensions in the region, much in the same way that Russia's invasion of Ukraine spurred greater attacks, says Jens Monrad, head of threat intelligence for the Europe, ME&A region at Google Mandiant.

"Cyber is now playing a role in any sort of geopolitical conflict, because it's a domain that ... comes with less cost and brings uncertainty, in terms of attribution," he says, adding that activity will likely continue to escalate. "We haven't really figured out how to draw a clear red line in the cyber domain. The line keeps being pushed, rather than somebody saying, now you've crossed the line."

Ransomware data continues to be scarce in the region. In its Digital Defense Report 2023, Microsoft noted that the top four ransomware families — Magniber, Lockbit, Hive, and Blackcat — accounted for two-thirds (65%) of all ransomware encounters and, of the four groups, only a single one, Blackcat, had extensive targets in a ME&A nation — in this case, Israel, which ranked fifth in that malware's targeted regions.

Two-thirds of attacks target Israel, the UAE, Saudi Arabia, or Jordan. Source: Microsoft Digital Defense Report 2023

The trend in the more general category of cyberattacks is clearer: two-thirds of cyberattacks in ME&A targeted either Israel, United Arab Emirates, Saudi Arabia, or Jordan, according to Microsoft's data collected prior to the current Israeli-Palestinian conflict. More than half of the attacks (52%) targeting the region focused on the education, government, information technology, and communications sectors — typical espionage targets.

**Regional Conflicts Spur Cyberattacks**

Surges in cyberattacks typically follow geopolitical conflict. The ME&A is experiencing that trend as well: Attacks conducted by Iran-linked actors, for example, focused on Israel between July 2022 and June 2023, a shift from the previous 12 months in which Iranian actors focused on the United States. The shift followed a highly sophisticated campaign of cyberattacks in 2021 and 2022 by an Israel-linked group, dubbed Predatory Sparrow, which had targeted Iran's critical infrastructure, including steel factories, state broadcasters, gas stations, and trains, Microsoft stated in its report.

"Iran's cyber-enabled influence operations have pushed narratives that seek to bolster Palestinian resistance, sow panic among Israeli citizens, foment Shi'ite unrest in Gulf Arab countries, and counter the normalization of Arab-Israeli ties," Microsoft stated in the report. "While specific narratives varied, the underlying goal was often the same. Tehran likely sought to retaliate against what it perceived were efforts by foreign actors to foment unrest in Iran."

Some of Iran's claimed attacks, however, have been exaggerated, according to Microsoft. And, while Iran-linked groups are some of the most active, the Palestinian-linked Molerats group recently used an improved downloader as part of its initial access operations.

Russian interests in ME&A may have a dampening effect on ransomware activity, since many ransomware groups operate out of Russia, says Mandiant's Monrad.

"I think it's a fair argument to say that these groups are also carefully vetting their victims to ensure that they don't endanger or put themselves at risk," he says. "If they engage in extortion schemes in countries where there are stronger diplomatic and trade relations ... you could potentially expect a political response to \[the victims\] asking Russia to do something."

**Manage Devices, Basic Hygiene**

Overall, companies in the region need to improve their cybersecurity maturity, says Brian Honan, CEO of BH Consulting, an independent cybersecurity and data-protection consulting firm based in Dublin that has clients in the Middle East.

"Where the Middle Eastern area struggles is their cybersecurity may not be as mature or have as much investment as in other regions," he says. "Many of the bigger organizations will have good cybersecurity in place, but in general, \[they are\] more vulnerable than their western counterparts."

Overall, 65% of CISOs in the Kingdom of Saudi Arabia and 47% in the UAE had a material loss of sensitive information in the past 12 months, according to the 2023 Voice of the CISO report published by security firm Proofpoint earlier this year.

Companies in the ME&A region are aiming to improve, however. Attacks on connected devices and cloud-related threats are the top cyberthreats for companies in the Middle East, according to a regional survey conducted for PricewaterhouseCoopers' Digital Trust Insights 2024 report. The worries are leading more than three-quarters of firms (77%) to increase their cyber budgets in 2024, according to the consultancy.

"Increasing digitization means companies are exposed to new digital vulnerabilities, making an effective approach to cybersecurity and digital trust more important than ever," PwC stated in the report, adding: "Middle East respondents revealed that loss of revenue — in terms of lost contracts, lost business opportunities — was the top concern for the outcomes of potential cyber attack in the next 12 months."

Companies still have to strive to do the cybersecurity basics. More than 80% of all compromised started with an unmanaged devices, Microsoft stated in its Digital Defense Report 2023.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Ransomware Could Surge in the Middle East & Africa

In a rare instance of an overseas arrest of ransomware perpetrators, four other high-profile gang members were also seized.

Source: ADragan via Shutterstock

European cyber police last week arrested a 32-year-old suspect they believe to be the leader of a Ukrainian ransomware affiliate gang.

According to Europol, authorities searched 30 properties in Kyiv, Cherkasy, Rivne, and Vinnytsia before locating the suspect. More than 20 investigators from a variety of countries were in Kyiv to assist with the operations. Authorities also seized four other individuals from locations across the country, as well as "technological devices." These suspects, whose nationalities weren't released, were identified after 12 other individuals were arrested in Ukraine and Switzerland in 2021. 

This particular ransomware gang, which doesn't have a specific moniker, is suspected of extorting hundreds of millions of euros from victims in 71 countries and encrypting more than a thousand servers worldwide. The group is known for targeting large corporations, and has deployed LockerGoga, MegaCortex, Hive, and Dharma ransomware to perform its attacks. 

According to a spokesperson, more details will be released later, as the operation is ongoing and more arrests will be made in the future.

**About the Author(s)**

Ringleader of Prolific Ransomware Gang Arrested in Ukraine

Dropping the ball on chemical security has precipitated "a national security gap too great to ignore," CISA warns.

Source: TTstudio via Alamy Stock Photo

CISA warned this week that facilities maintaining dangerous chemicals across the US are no longer receiving adequate security support.

Compared with such industries as energy, water, and telecoms, cybersecurity professionals tend to be less au courant with the chemicals sector, despite the physical and cybersecurity threats it faces.

CISA used to plug that gap with its Chemical Facility Anti-Terrorism Standards (CFATS). In CISA's own words, CFATS "identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists." But on July 28, Congress allowed the statutory authority of the CFATS program to expire.

Yesterday, in a blog marking the fourth monthiversary of that decision, CISA associate director for chemical security Kelly Murray warned that "the absence of the CFATS program is a national security gap too great to ignore," likely leading to security gaps, unsafe conditions, and possibly even access by a terrorist.

**Terrorist Threats to the Chemicals Industry**

There are four primary pillars to CFATS, each with an important security function.

Firstly, CISA has screened over 40,000 chemical facilities through the program, identifying 3,200 of them as high-risk. With four months of downtime, the agency estimates that at least 200 new facilities have likely acquired dangerous chemicals, and that "facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation."

Equally, through CFATS, CISA worked with facilities to identify risks to them and their surroundings, and develop cyber and physical safety plans to mitigate those risks, improving their security postures by around 60%. As Murray explained, approximately one third of CISA's site visits historically tended to reveal security gaps, thus "we can safely estimate that hundreds of security gaps have gone unidentified since July."

Perhaps most importantly, chemical facilities used CFATS to run personnel against a Terrorist Screening Database. CISA used to vet an average of 9,000 names per month, flagging in all more than 10 individuals with terrorist ties. At these rates, Murray estimated, its missed screenings "likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months."

Lastly, CFATS was designed to help the chemical industry stay ahead of the evolving threat landscape, both from a physical and cyber standpoint. "Prior to the lapse in authority, this process was going to be further enhanced by a proposed rulemaking effort to enhance the physical and cybersecurity standards required of CFATS," Murray explained, though now no longer.

Murray ended the letter with a call to Congress to reinstate CFATS. "This is a resolution we cannot afford to break," she concluded.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CISA to Congress: US Under Threat of Chemical Attacks

Anyscale has dismissed the vulnerabilities as non-issues, according to researchers who reported the bugs to the company.

Source: Ken stocker via Shutterstock

Organizations using Ray, the open source framework for scaling artificial intelligence and machine learning workloads, are exposed to attacks via a trio of as yet unpatched vulnerabilities in the technology, researchers said this week.

**Potentially Heavy Damage**

The vulnerabilities give attackers a way to, among other things, gain operating system access to all nodes in a Ray cluster, enable remote code execution, and escalate privileges. The flaws present a threat to organizations that expose their Ray instances to the Internet or even a local network.

Researchers from Bishop Fox discovered the vulnerabilities and reported them to Anyscale — which sells a fully managed version of the technology — in August. Researchers from security vendor Protect AI also privately reported two of the same vulnerabilities to Anyscale previously.

But so far, Anyscale has not addressed the flaws, says Berenice Flores Garcia, senior security consultant at Bishop Fox. "Their position is that the vulnerabilities are irrelevant because Ray is not intended for use outside of a strictly controlled network environment and claims to have this stated in their documentation," Garcia says.

Anyscale did not immediately respond to a Dark Reading request for comment.

Ray is a technology that organizations can use to distribute the execution of complex, infrastructure-intensive AI and machine learning workloads. Many large organizations (including OpenAI, Spotify, Uber, Netflix, and Instacart) currently use the technology for building scalable new AI and machine learning applications. Amazon's AWS has integrated Ray into many of its cloud services and has positioned it as technology that organizations can use to accelerate the scaling of AI and ML apps.

**Easy to Find and Exploit**

The vulnerabilities that Bishop Fox reported to Anyscale pertain to improper authentication and input validation in Ray Dashboard, Ray Client, and potentially other components. The vulnerabilities affect Ray versions 2.6.3 and 2.8.0 and allow attackers a way to obtain any data, scripts, or files stored in a Ray cluster. "If the Ray framework is installed in the cloud (i.e., AWS), it is possible to retrieve highly privileged IAM credentials that allow privilege escalation," Bishop Fox said in its report.

The three vulnerabilities that Bishop Fox reported to Anyscale are CVE-2023-48023, a remote code execution (RCE) vulnerability tied to missing authentication for a critical function; CVE-2023-48022, a server-side request forgery vulnerability in the Ray Dashboard API that enables RCE; and CVE-2023-6021, an insecure input validation error that also enables a remote attacker to execute malicious code on an affected system.

Bishop Fox's report on the three vulnerabilities included details on how an attacker could potentially exploit the flaws to execute arbitrary code.

The vulnerabilities are easy to exploit, and attackers do not require a high level of technical skills to take advantage of them, Garcia says. "An attacker only requires remote access to the vulnerable component ports — ports 8265 and 10001 by default — from the Internet or from a local network," and some basic Python knowledge, she says.

"The vulnerable components are very easy to find if the Ray Dashboard UI is exposed. This is the gate to exploit the three vulnerabilities included in the advisory," she adds. According to Garcia, if the Ray Dashboard is not detected, a more specific fingerprint of the service ports would be required to identify the vulnerable ports. "Once the vulnerable components are identified, they are very easy to exploit following the steps from the advisory," Garcia says.

Bishop Fox's advisory shows how an attacker could exploit the vulnerabilities to obtain a private key and highly privileged credentials from an AWS cloud account where Ray is installed. But the flaws affect all organizations that expose the software to the Internet or local network.

**Controlled Network Environment**

Though Anycase did not respond to Dark Reading, the company's documentation states the need for organizations to deploy Ray clusters in a controlled network environment. "Ray expects to run in a safe network environment and to act upon trusted code," the documentation states. It mentions the need for organizations to ensure that network traffic between Ray components happens in an isolated environment and to have strict network controls and authentication mechanisms when accessing additional services.

"Ray faithfully executes code that is passed to it — Ray doesn’t differentiate between a tuning experiment, a rootkit install, or an S3 bucket inspection," the company noted. "Ray developers are responsible for building their applications with this understanding in mind."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical Vulns Found in Ray Open Source Framework for AI/ML Workloads

Check out our new look — it's crisp, fast, and more reader-friendly.

Source: ronstik via Alamy Stock Photo

Here are some adjectives the Dark Reading team used to describe our revamped site that went live today: Elegant. Slick. Seamless. Clean. Modern.

Change is never easy or comfortable. But the process almost always winds up injecting new life and fresh purpose into your mission, and that's what we've accomplished with Dark Reading's latest look.

The journey to our new look began in August with the quiet rollout of an updated Dark Reading logo that gave our beloved brand a more contemporary design.

Today we've wrapped that logo in a new website platform that improves the overall reader experience, and our hope is that it makes your visit to the site more pleasant, efficient, and productive.

We've streamlined and updated our section names so the site is easier to navigate by topics (check out the Cybersecurity Topics button at the top of the black navigation bar). There's also more context about the type of content that's here, and how to find it on the Dark Reading site.

We enhanced our featured news section at the top of the fold and added a special feed of the latest news from around the globe via Dark Reading Global. As we announced this spring, DR Global initially is focused on the rapidly growing cybersecurity industry in the Middle East and Africa, but stay tuned as we expand our scope to other regions as well.

Scroll further down the homepage and you'll see our Latest News and Commentary sections, packed with our traditional mix of informed, unique, and relevant content. You'll also see a new space titled Deep Reading, which showcases Dark Reading's vast library of digital reports and original research. You can read summaries of our reports as well as download them for free.

Underneath our dedicated features section The Edge, and DR Technology, our section dedicated to cybersecurity technology trends and products, you will find our newest section, DR Global, now with a homepage presence and its own special section within the site.

That's just a quick tour of some of the new features and functions on the updated Dark Reading site. There will be more landing on the site in the coming months as we evolve to match our readers' needs. No matter how much our look changes, we are committed to serving up comprehensive and informed reporting, analysis, and other content that long has set Dark Reading apart as one of the top cybersecurity media sites in the industry.

In the meantime, we want to hear from you on what you think about the site redesign and its features. Drop us an email at \[email protected\] with your feedback — good or bad, we can take it.

**About the Author(s)**

Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Dark Reading Debuts Fresh New Site Design

The company's power production remains in operation, and authorities have been notified of the attack.

Source: Brian Guest via Alamy Stock Photo

Holding Slovenske Elektrarne (HSE), a Slovenian power generation company, fell victim to a ransomware attack on Nov. 22 that compromised its systems but didn't disrupt power production.

The company regained control and was able to contain the attack on Nov. 24. 

The National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration were notified of the attack. The power company also worked with third-party experts to mitigate the effects of the attack and prevent the spread of the malware to other critical infrastructure systems in Slovenia. 

No ransom has been demanded yet. The attack is believed to be the work of Rhysida ransomware gang, which offers its victims an email address to connect with the threat actors without making any financial demands. It's still unclear if HSE has made contact with Rhysida.

Disruption is limited to the Šoštanj Thermal Power Plants and the Velenje Coal Mine websites, according to a spokesperson, and HSE officials have claimed that the situation is under control. 

**About the Author(s)**

Slovenian Electrical Utility HSE Suffers Ransomware Attack

Joe Sullivan, spared prison time, weighs in on the lessons learned from the 2016 Uber breach and the import of the SolarWinds CISO case.

Source: MOZCO Mateusz Szymanski via Shutterstock

Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud for failing to alert regulators of a 2016 cybersecurity breach, but Sullivan was spared having to serve any prison time.

Instead, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine. Prosecutors were seeking 15 months of prison time for the charges alleged by the Federal Trade Commission (FTC) that Sullivan failed to report the breach that affected more than 50 million records for customers and Uber drivers.

"I went to my sentencing hearing fully prepared to go to jail with a specific penitentiary area that we were going to request," Sullivan tells Dark Reading. "I had to research all the different federal facilities and figure out which one would be the one that my family would be able to most visit and that I would be the safest. And I had to think about who would take care of my kids and who would pay my bills on my house and manage everything else."

**Joe Sullivan, Post-Uber Breach**

Now that the matter has been decided, Sullivan is free to speak out, and he plans to share his story in a keynote address at Black Hat Europe 2023 on Dec. 7. Sullivan says biting his tongue for over six years wasn't easy. "My lawyers wouldn't let me say a word," Sullivan laments.

"If somebody labels what you're doing a coverup, it's really easy for people to buy into that idea," he says. "For six years, I had to listen to and see my name in the media saying things about me that I knew weren't true. And my kids had to be subjected to everybody they know asking them what they saw about their dad on the news."

In getting the minimum sentence, Sullivan says he was vindicated. "The judge said we did an amazing job on the investigation," he says. "We followed our playbook. What people don't understand is the company had D&O \[directors and officers\] insurance policies. We had a data-breach response policy that designated a specific lawyer we were supposed to call. The team called in that lawyer and called in PR. I looped in the CEO and kept him up-to-date."

**Transparency Is the Most Significant Lesson**

Sullivan says the key mistake he made was not bringing in third-party investigators and counsel to review how his team handled the breach. "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made," he says. "I hate to say it, but it's more CYA."

Now, Sullivan advises other CISOs and companies about navigating their responsibilities in disclosing breaches, especially as the new Securities & Exchange Commission (SEC) incident reporting requirements are set to take effect. Sullivan says he welcomes the new regulations. "I think anything that pushes towards more transparency is a good thing," he says. He recalls that when he was on former President Barack Obama's Commission on Enhancing National Cybersecurity, Sullivan was pushing to give companies immunity if they are transparent early on during security incidents.

That hasn't happened until now, according to Sullivan, who says the jury is still out on the new regulations, which will require action starting in December.

"Right now, too many companies think it's not in their best interest to be transparent," Sullivan says. "I think the SEC is trying to change the incentives through sticks rather than carrots. But that's the tool that they have, which is better than nothing."

**SolarWinds Sends Mixed Signals from the SEC**

Meanwhile, the SEC is signaling a zero-tolerance focus when it comes to data beach mishandling, with its recent charge of fraud in the US District Court in the Southern District of New York against SolarWinds Corp. and its CISO Tim Brown, regarding the software supply chain attack on the company's Orion platform in October 2020.

But Sullivan says the SEC's decision to charge SolarWinds and Brown contradicts the agency's approach in rolling out its new disclosure rules just months earlier.

"On the one hand, they are engaged with the community and have set some new expectations, which I think is great because they're trying to set some rules for the road, and they got feedback from the public," Sullivan says. "But if you look at the Solar Winds and Tim Brown enforcement action, you see a very different approach, which is not so collaborative, and a lot of commentators have suggested that maybe they don't seem to fully understand what life is really like doing security inside of a corporation."

It's too early to predict how the case will play out since only the parties involved know what evidence will be presented, Sullivan says. But based on the SEC's charges, he sees similarities to his own situation.

"The government, the FTC in my case, felt that my company wasn't sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn't my job to be the communicator of our security posture or answer any of their questions," Sullivan says. "In fact, I hadn't seen a lot of the documents. And so, their case was about me being held personally responsible for the company's approach to communication. Tim Brown's case is the exact same thing."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Source

DARKReading