All across the Asia-Pacific region, large and diverse marketplaces for AI cybercrime tools have developed, with deepfakes proving most popular.

Source: dpa picture alliance via Alamy Stock Photo

Artificial intelligence-powered cyberattacks are rising exponentially in the Asia-Pacific region, particularly those involving deepfakes.

The United Nations Office on Drugs and Crime (UNODC) tracked a panoply of AI threats in its new report covering cybercrime in Southeast Asia. Cybercrime gangs have been using generative AI (GenAI) to create phishing messages in multiple languages, chatbots that manipulate victims, social media disinformation en masse, and fake documents for bypassing know-your-customer (KYC) checks. They've been using it to power polymorphic malware capable of evading security software, and to identify ideal targets, among other nefarious activities.

The standout threat, though, is deepfakes. From February to June 2024, UNODC tracked a 600% increase in mentions of deepfakes in cybercriminal Telegram channels and underground forums. And that's above and beyond the heavy activity from 2023, when deepfake crimes rose more than 1,500% compared with the year prior, and face swap injections rose 704% in the second half of the year compared with the first.

**Deepfake Attacks Proliferate**

Cybersecurity leaders in the Asia-Pacific are, like those around the world, anticipating a wave of AI-driven cyber troubles. In an Asia-focused Cloudflare survey published on Oct. 9, 50% of respondents said they expect AI will be used to crack passwords and encryption, 47% expect it will boost phishing and social engineering, 44% think it will boost distributed denial-of-service (DDoS) attacks too, and 40% see it being used to create deepfakes and support privacy breaches.

Most, if not all, of those concerns, though, are no longer theoretical, as some organizations can attest.

In January, for example, an employee at the Hong Kong office of Arup, a British engineering firm, received an email purporting to come from the company's chief financial officer (CFO) in London. The CFO instructed the employee to conduct a secret financial transaction. The employee later joined a videoconference with the CFO and other participants purporting to be from senior management, all of whom were, in fact, deepfakes. The result: In May, Arup reported losing 200 million Hong Kong dollars ($25.6 million).

Deepfakes of major political figures have spread widely, like the fake video and audio recordings of Singapore's prime minister and deputy prime minister in December 2023, and the fake video this past July showing a Southeast Asian head of state with illicit drugs. In Thailand, a female police officer was deepfaked in a campaign tricking victims into thinking they were speaking with actual law enforcement.

According to UNODC, half of all deepfake crimes reported in Asia in 2023 came from Vietnam (25.3%) and Japan (23.4%), but the most rapid rise in cases came from the Philippines, which experienced 4,500% more in 2023 than 2022.

It's all underpinned by a large ecosystem of malicious developers and buyers, on Telegram and in even shadier corners of the Deep Web. UNODC identified more than 10 deepfake software vendors that specifically serve cybercriminal groups in Southeast Asia. Their offerings sport the latest and greatest in deepfake tech, like Google's MediaPipe Face Landmarker — which captures detailed facial expressions in real time — the You Only Look Once v5 (YOLOv5) object detection model, and much more.

**Why Asia Suffers**

Though AI-driven cybercrime threatens organizations in every part of the world, it enjoys some particular advantages in Asia.

"Southeast Asia is very densely populated, and a large portion of the population doesn't know English, or English is not their first language," notes Shashank Shekhar, managing editor at India-based CloudSEK. The typical signs that might indicate a scam to a native English speaker might not translate to a non-native speaker. Besides that, he notes, "A lot of people are unemployed, looking for jobs, looking for opportunity."

Desperation has the effect of lowering victims' defenses. "There are some kinds of scams which only work well in this part of the world," says CloudSEK threat researcher Anirudh Batra. "Simpler scams are particularly prevalent because of the poverty that this region of the world has seen."

In the face of intractable socioeconomic forces, those old, tired lines about cyber education and hygiene may not feel like enough. Instead, cybercriminals will need to be stymied at the source: in those underground forums and channels where they trade their deepfake tools and cryptocurrency winnings. It's been done before.

"It's possible by collaborating: different countries coming together, sharing intelligence," Batra says. Though he warns, "Unless these guys are caught, another forum will come up tomorrow. It becomes really difficult to stop them, because the threat actors know that all three letter agencies are looking at the forums — everybody's crawling everything. So they keep a lot of backups. At any point of time, if \[their assets are\] seized, they'll start again with the mirror."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

AI-Powered Cybercrime Cartels on the Rise in Asia

Global Signal Exchange will act as a global clearing house for online scams and fraud signals.

Source: Photo by Photo Boy via Adobe Stock Photo

Google has announced Global Signal Exchange (GSE), a new project to facilitate the collection and sharing of data related to online scams and fraud. While the company is already blocking millions of attempted scams daily across all its products and services, this project will provide organizations with the necessary information they need to identify and block scams.

"We know from experience that fighting scams and the criminal organizations behind them requires strong collaboration among industry, businesses, civil society and governments to combat bad actors and protect users," wrote Amanda Storey, senior director of trust and safety at Google, and Nafis Zebarjadi, product manager of account security at Google, in a post announcing the project. 

Google is partnering with the Global Anti-Scam Alliance (GASA) and DNS Research Federation to launch GSE. The project will benefit from GASA's extensive network of stakeholders and expand on the DNS Research Federation's robust data platform, which already has over 40 million fraud signals. The company is providing the funding to launch GSE and will hold the centralized data engine on Google Cloud, the company said.

Participants will be able to share and ingest signals, while leveraging artificial intelligence to find patterns and match signals. GASA and the DNS Research Federation will manage access for qualifying organizations.

As part of a pilot program, GSE was able to share over 100,000 URLs of bad merchants and receive roughly 1 million signals. The company plans to start by sharing Google Shopping URLs that have already been flagged as scams and then eventually add data from other product areas.

"By joining forces and establishing a centralized platform, GSE aims to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms and services," the company said.

Google Launches Data-Sharing Initiative to Fight Fraud

PRESS RELEASE

PITTSBURGH, PA – October 1, 2024 – ForAllSecure, the world's most advanced application security testing company, today announced it is changing its corporate name to Mayhem Security (“Mayhem”), signaling a new era of growth and opportunity aligned with its award-winning Mayhem Application Security platform.

Founded by a team of researchers from Carnegie Mellon, the company’s focus has evolved from research, development, and education to a product company centered around its Mayhem platform that quickly went from a Defense Advanced Research Project Agency (DARPA) Cyber Grand Challenge prototype to an in-demand commercialized AI-driven application security platform. Today, the Mayhem platform has been integrated into thousands of open-source projects, building a library of behavioral tests, identifying new zero-days, and helping defend against software supply chain threats. The name change follows record product achievements, with platform ARR rising 275% year over year and 78% of customers expanding their Mayhem footprint at or before their first subscription renewal.

“ForAllSecure has a long, successful history, from winning the DARPA Grand Challenge to dedicating ourselves to research and innovation in the cybersecurity industry through Mayhem Heroes, hackathons, and consulting,” said David Brumley, CEO of Mayhem. “Our new name and focus mark an important evolution for us as the Mayhem brand becomes synonymous with the platform that is transforming API security testing and has powered our growth. In fact, for several years, it was the majority of our revenue. Our new positioning is a natural next step as we continue the hard work of our dedicated researchers and hackers who will continue to push out innovative research and prototype new ways to defend software.” 

The past year has been a banner year, with the company achieving key innovation milestones. Most notably, Mayhem released Mayhem Dynamic software bill of materials (SBOM), which brings Mayhem’s runtime intelligence to the world of software composition analysis (SCA) and SBOM by looking at an application’s actual behavior to find only real, exploitable vulnerabilities, eliminating triage and investigations, and reducing false positives to increase developer velocity and minimize application risks. Mayhem re-architected its symbolic executor to test and triage 60% faster, released support for Windows-based applications, and launched a beta of automated harnessing for embedded systems. 

Under the name Mayhem Security, the company will continue to collaborate with the government and the industry to advance cybersecurity and revolutionize how organizations approach cybersecurity by automating the process of finding and fixing software vulnerabilities.

For more information, visit https://www.mayhem.security/.

You May Also Like

Introducing Mayhem: ForAllSecure Unveils New Name and Company Focus

PRESS RELEASE

ROCHESTER, N.Y., Oct. 9, 2024 /PRNewswire/ -- CYRISMA, an all-in-one risk management platform, announced its Series A financing today. Led by Blueprint Equity, with participation from SaaS Venture and Golden Ventures, the funding will accelerate CYRISMA's platform development, fuel customer success, and expand sales and marketing initiatives.

CYRISMA accelerates security programs for MSPs by providing a cost-effective, all-in-one solution to identify, prioritize, and remediate vulnerabilities, track compliance requirements, and manage AI security risk.

"In partnering with Blueprint Equity, we are excited to leverage their expertise and resources to further enhance our platform and support our customers," said Liam Downward, co-founder and CPO of CYRISMA. "This investment will allow us to continue delivering an affordable and comprehensive risk management solution, empowering MSPs to protect their clients effectively. Additionally, it enables us to enter into new markets, expanding our reach and increasing brand awareness."

Blueprint Equity's Sheldon Lewis, who will join CYRISMA's Board of Directors, commented, "With the rise of security threats for SMBs, there's been an increasing number of businesses outsourcing their cybersecurity to MSPs. This has accelerated demand in the market for strong, multi-tenant cybersecurity solutions for MSPs to best serve their clients." He added, "We were drawn to the breadth of the CYRISMA platform and their strong customer satisfaction. Oliver Downward, CEO, Liam, and the team have an unparalleled insight into the MSP market, and we're honored to partner with CYRISMA during their next phase of growth."

About CYRISMA 

CYRISMA is an all-in-one risk management platform for Managed Service Providers. With the rise in security threats and demand for cybersecurity services, CYRISMA provides MSPs with an effective, all-in-one solution to manage their cybersecurity initiatives for clients in a multi-tenant platform. To schedule a demo of CYRISMA, please visit https://www.cyrisma.com/.

About Blueprint Equity

Blueprint Equity provides expansion capital to high-growth, capital-efficient enterprise software and technology-enabled services businesses worldwide. Blueprint has $275 million of assets under management and is based in La Jolla, CA. For more information, please visit www.onblueprint.com.

CYRISMA Secures $7M Growth Equity Financing led by Blueprint Equity

PRESS RELEASE

NEW YORK, Oct. 9, 2024 /PRNewswire/ -- OpenGradient, a leading decentralized AI infrastructure company, has raised $8.5M in seed funding. With a mission to accelerate open-source AI, OpenGradient democratizes model ownership, streamlines AI deployment, and enables universal access to AI.

OpenGradient's end-to-end decentralized platform offers scalable AI compute on-chain, ensuring verifiability and attribution while enhancing security for AI deployment and hosting. Its multi-layer technology stack includes an EVM-compatible blockchain with its innovative heterogeneous AI compute architecture (HACA) and a proprietary library of feature-rich tools to support and scale secure AI workflows on-chain.

OpenGradient empowers developers to build and deploy optimized decentralized applications (dApps) with ease. OpenGradient's web portal and SDK allow Web2 developers to leverage its AI stack without the complexities of blockchain while enjoying the security and composability benefits of a decentralized infrastructure.

CEO and Co-Founder, Matthew Wang, said,

"Developers today face significant hurdles when developing secure software for custom AI models, often grappling with developing a variety of complex cryptographic or hardware solutions into their stack. OpenGradient revolutionizes this approach, offering near-instantaneous model deployment and secure inference of AI models in mere seconds."

The $8.5 million seed round included participation from a16z Crypto Startup Accelerator (a16z CSX), SV Angel, Coinbase Ventures, SALT Fund, Symbolic Capital, Foresight Ventures, and angel investors, including Balaji Srinivasan (ex-Coinbase CTO), Illia Polosukhin(NEAR Founder), Sandeep Nailwal (Polygon Founder), and more. OpenGradient is also currently participating in the Fall 2024 a16z CSX program in New York City.

Principal at SV Angel, Mike Liu, said,

"OpenGradient is ushering in a new era for decentralized AI by developing infrastructure to support the next generation of intelligent applications. They've built a truly disruptive tech stack at the intersection of AI and blockchain, and we're excited to support such an innovative and talented team."

The funding will be used to continue building out the decentralized infrastructure, deploying solutions and tools for AI and Web3 developers, and advancing applied ML research to grow the open-source AI ecosystem on blockchain. OpenGradient's testnet is expected to be available to developers in Q4 2024.

About OpenGradient

OpenGradient is a leading decentralized platform unlocking scalable AI compute on-chain, empowering developers to build secure, intelligent, and optimized decentralized applications. We provide on-chain AI model hosting, permissionless composability, secure inference execution, and seamless access to accelerate open-source AI and foster next-gen applications. Headquartered in New York City, the team comprises global talent with deep expertise in AI/ML, blockchain, crypto, and Web3 ecosystem. Learn more at https://opengradient.ai and follow us on X and LinkedIn.

OpenGradient Raises $8.5M to Decentralize AI Infrastructure and Accelerate Secure, Open-Source AI

The tack highlights bad actors' interest in trusted development and collaboration platforms — and their users.

Source: Tada Images via Shutterstock

Trusted and widely used software development and collaboration platforms like GitHub and GitLab have become both targets of and vehicles for a growing range of malicious activity.

The latest manifestations of that trend include a malware distribution campaign involving legitimate GitHub repositories and the availability this week of an exploit for a vulnerability that allows an attacker to gain access as any user of GitLab.

The first is an example of how attackers are exploiting the trusted reputation of platforms like GitHub to try and sneak malware past endpoint detection mechanisms. The GitLab vulnerability, meanwhile, highlights the growing exposure to organizations from exploits that give attackers access to code repositories and exfiltrate secrets and data, modify or inject code into software, and manipulate the CI/CD pipeline.

**Hosting Malware on Trusted GitHub Repos**

Researchers at Cofense this week reported a phishing campaign where a threat actor is attempting to direct targeted victims in the insurance and finance sectors to malware hosted on trusted GitHub repositories. The campaign involves the attacker sending victims tax-themed phishing emails containing a link to a password-protected archive containing Remcos, a remote access Trojan that cybercriminals and state-backed groups alike have used in various cyber-espionage and data theft attacks over the years.

What makes the campaign noteworthy, according to Cofense, is how the threat actor has managed to sneak the archive files containing the Remcos RAT into legitimate GitHub repositories belonging to trusted entities. Examples of such entities include His Majesty’s Revenue & Customs (HMRC), the UK's national tax authority; New Zealand's counterpart, InlandRevenue; and UsTaxes, an open source tax-filing platform.

In each instance, the attacker used GitHub comments to upload a malicious file containing Remcos RAT to the repositories of the respective entities.

Many GitHub repositories allow developers to comment on ongoing and collaborative software projects. The comments can cover a wide range of topics, including proposed code changes, documentation and bug-related issues, task creation clarification requests, task management and progress updates, and merge conflict resolution.

"GitHub comments are useful to a threat actor because malware can be attached to a comment in a GitHub repository without having to upload it to the source code files of that repository," Cofense security researcher Jacob Malimban wrote in a blog post. "This means that any organization's legitimate GitHub repository that allows comments can contain unapproved files outside of the vetted code." Unsanctioned files that someone might submit via GitHub comments end up in a subdirectory that is separate from the one containing the repository's vetted files, Malimban said. What is especially troubling is the fact that the link to the malicious file will continue to work even if the comment itself gets deleted.

**Multiple Incidents**

Other threat actors have noticed the opportunity as well. A recent case in point is the purveyor of the Redline Stealer, who earlier this year was spotted using no less than Microsoft's own GitHub repository to host the information stealing malware. In that campaign — as with the new Remcos RAT attacks that Cofense spotted — the threat actor uploaded the malware as a comment to Microsoft's GitHub vcpkg repository.

Emails with links to domains such as GitHub are effective at skirting secure email gateways because of their trusted reputation. Attackers can, in fact, directly link to their malware in such domains without the need to redirect users to other sites, or without requiring them to use other security bypass techniques like scanning QR codes, Cofense said.

The threat actor behind the new Remcos RAT could easily have targeted victims in other sectors as well. But they likely deliberately kept their focus narrow to test how effective the strategy of hosting malware on the GitHub repositories is before attacking others, Malimban surmised.

**Growing Threat Actor Interest**

Meanwhile, the new exploit for GitLab targets a critical authentication bypass vulnerability (CVE-2024-45409) affecting the Ruby-SAML and OmniAuth-SAML libraries that GitLab uses to enable SAML-based single sign-on. The exploit script gives attackers a way to abuse the vulnerability to access GitLab in the context of any user. The vulnerability affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) below 16.11.10. The flaw is also present in multiple 17.x.x versions of GitLab.

The exploit is another sign of the growing researcher and threat actor interest in repositories like GitHub and GitLab and their users. Over the past year there have been multiple instances of attacks targeting repos on GitHub, like one involving cyber-extortion that Chilean cybersecurity firm CronUp reported in June and another involving the use of ghost accounts on GitHub to distribute malware. GitLab users have had their share of security scares to deal with as well, like CVE-2024-45409 and two other recent vulnerabilities (CVE-2024-6385 and CVE-2024-5655) that posed a major threat to the integrity of CI/CD pipelines.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Hackers Hide Remcos RAT in GitHub Repository Comments

PRESS RELEASE

TEL AVIV, Israel, Oct. 09, 2024 (GLOBE NEWSWIRE) -- Pillar Security, a pioneering company in GenAI security solutions, today released the industry’s first "State of Attacks on GenAI" research based on real-world analysis of more than 2,000 AI applications. In sharp contrast to earlier opinion and theoretical risk surveys, this data-driven research is based on Pillar's telemetry data derived from data interactions that occurred in production AI-powered applications over the past three months.

Key findings from the report include:

*   High Success Rate of Data Theft: 90% of successful attacks resulted in the leakage of sensitive data
    
*   Alarming Bypass Rate: 20 percent of jailbreak attack attempts successfully bypassed GenAI application guardrails
    
*   Rapid Attack Execution: Adversaries require an average of just 42 seconds to execute an attack
    
*   Minimal Interaction Needed: Attackers needed only five interactions on average with GenAI applications to complete a successful attack
    
*   Widespread Vulnerabilities: Attacks exploited vulnerabilities at every stage of interaction with GenAI systems, underscoring the critical need for comprehensive security measures
    
*   Increase in Frequency and Complexity: the analyzed attacks reveal a clear increase in both the frequency and complexity of prompt injection attacks, with users employing more sophisticated techniques and making persistent attempts to bypass safeguards as time progresses
    

"The widespread adoption of GenAI in organizations has opened a new frontier in cybersecurity," said Dor Sarig, CEO and co-founder of Pillar Security. "Our report goes beyond theoretical risks and, for the first time, shines a light on the actual attacks occurring in the wild, offering organizations actionable insights to fortify their GenAI security posture."

Highlights among the many other insights in the fact-filled report are:

*   Top Jailbreak Techniques, which include Ignore Previous Instructions--attackers direct AI systems to disregard their initial programming--and Base64 Encoding--malicious prompts encoded to evade security filters
    
*   Primary Attacker Motivations are stealing sensitive data, proprietary business information and PII and circumventing content filters to produce disinformation, hate speech, phishing messages and malicious code, among others
    
*   Curated and detailed list analyzes top attacks observed in real-world production AI apps
    
*   Looking Ahead to 2025, Pillar projects the evolution from chatbots to copilots and autonomous agents, alongside the proliferation of small, locally deployed AI models. This new era of AI adoption democratizes access but further expands attack surfaces, introducing additional security challenges for organizations.
    

"As we move towards AI agents capable of performing complex tasks and making decisions, the security landscape becomes increasingly complex," explained Sarig. "Organizations must prepare for a surge in AI-targeted attacks by implementing tailored red-teaming exercises and adopting a 'secure by design' approach in their GenAI development process."

The report emphasizes the inadequacy of traditional static security measures in the face of evolving AI threats. "Static controls are no longer sufficient in this dynamic AI-enabled world," added Jason Harrison, Pillar Security CRO. "Organizations must invest in AI security solutions capable of anticipating and responding to emerging threats in real-time, while supporting their governance and cyber policies.”

Pillar’s complete research report on the State of Attacks on GenAI is available on their website. 

For more information on AI Security, please visit https://www.pillar.security/resources/buyer-guide.

To schedule a demo, please visit https://www.pillar.security/get-a-demo.

About Pillar Security  
Pillar Security provides a unified platform to secure the entire AI lifecycle from development through production to usage. The platform integrates seamlessly with existing controls and workflows, and provides proprietary risk detection models, comprehensive visibility, adaptive runtime protection, robust governance features and cutting-edge adversarial resistance. Pillar's detection and evaluation engines are continuously optimized by training on large datasets of real-world AI app interactions, providing the highest accuracy and precision of AI-related risks.

You May Also Like

90% of Successful Attacks Seen in the Wild Resulted in Leaked Sensitive Data

The bill is broken up into several pieces, including ransomware reporting and securing smart devices, among other objectives.

Source: David Coleman | Have Camera Will Travel via Alamy Stock Photo

Australia introduced a new cybersecurity law into parliament, known as the Cyber Security Bill 2024, its first effort to codify security standards for smart devices, ransomware reporting, and coordination of significant cybersecurity incidents. 

The bill calls for creation of a Cyber Incident Review Board to implement post-incident reviews of significant cybersecurity incidents, as well as restrictions on how incident information can be provided to the National Cyber Security Coordinator and shared with other countries.

Under Australia's Security of Critical Infrastructure (SOCI) Act of 2018, the bill will also implement reforms by reinforcing government assistance measures to manage the impact of cyber incidents on critical infrastructure and simplify the information shared between industry and government. 

"We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward," stated Tony Burke, Minister of Home Affairs of Australia, when introducing the bill.

The proposed regulatory framework is part of the country's goal to become a leader in cybersecurity by 2030, an objective that was introduced in 2023 through the Australian Cybersecurity Strategy, an estimated seven-year effort.

**About the Author**

Australia Intros Its First National Cyber Legislation

A stealthy new underground offering uses sophisticated adversary-in-the-middle (AitM) techniques to convincingly serve up "Microsoft" login pages of various kinds, with dynamic enterprise branding.

Source: Matthijs Kuijpers via Alamy Stock Photo

A phishing-as-a-service (PhaaS) kit dubbed Mamba 2FA is targeting Microsoft 365 users using a variety of convincing adversary-in-the-middle (AitM) disguises.

According to the Sekoia Threat Detection & Research (TDR) team, the kit, which goes for $250 per month on underground cybercrime forums, can present a number of faux login pages to unsuspecting users. It can imitate OneDrive, a SharePoint Online secure link, or a generic Microsoft sign-in page; or it can show the user a purported voicemail retrieval link that redirects to a sign-in page after a click.

In all cases, it dynamically reflects enterprise targets' branding, including logos and background image.

According to Sekoia, Mamba 2FA slithers past two-factor authentication (2FA) methods that use one-time codes and app notifications; supports Entra ID, AD FS, third-party SSO providers, and consumer Microsoft accounts; and harvests credentials and cookies that are instantly sent to the attacker via a Telegram bot.

"Mamba 2FA has been advertised on Telegram since at least March," according to a Sekoia analysis this week. "However, according to data from public URL and file analysis sandboxes, the kit has been used in phishing campaigns since November 2023. The operator of the service had a long-standing presence on ICQ until this messaging platform shut down in June 2024, and this may be where Mamba 2FA was primarily sold before shifting to Telegram."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Mamba 2FA Cybercrime Kit Targets Microsoft 365 Users

The security bugs were found susceptible to exploitation in connection to the previously disclosed, critical CVE-2024-8963 vulnerability in the security vendor's Cloud Services Appliance (CSA).

Source: Skorzewiak via Alamy Stock Photo

In the latest wrinkle of what seems to be an ongoing saga of vulnerability concerns, Ivanti is notifying customers of three additional vulnerabilities found in its Cloud Services Appliance (CSA) that are being exploited in the wild.

There is limited exploitation of the vulnerabilities (CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381) according to the vendor, which are being chained individually with a previously disclosed zero-day vulnerability (CVE-2024-8963) found in Ivanti's CSA.

CVE-2024-9379 has a CVSS rating of 6.5 and allows a remote authenticated attacker with privileges to run SQL statements. CVE-2024-9380, with a CVSS score of 7.2, is an operating system command injection vulnerability in Ivanti CSA that can allow a remote authenticated attacker to obtain remote code execution with admin privileges. And lastly, CVE-2024-9381, carrying a CVSS score of 7.2, is a path traversal in Ivanti CSA before version 5.0 and allows a remote authenticated attacker to bypass restrictions with admin privileges.

The bugs were found on systems running CSA 4.6 patch 518 and prior, and there is no evidence of exploitation on any environments running CSA 5.0.

"Ivanti recommends reviewing the CSA for modified or newly added administrative users," said Ivanti in its user recommendations for checking compromised devices. "We also recommend reviewing EDR alerts, if you have installed EDR or other security tools on your CSA. As this is an edge device, Ivanti strongly recommends using a layered approach to security and installing an EDR tool on the CSA."

Should a user suspect that they have been compromised, its recommended they rebuild their CSA with version 5.0.

**About the Author**

Source

DARKReading