Hacktivists love to target financial services companies, and their attacks are growing both larger and longer.

Source: Daniren via Alamy Stock Photo

Financial services organizations have faced nearly twice as many distributed denial of service (DDoS) attacks this year as any other industry, thanks in part to a rise in hacktivism.

According to a new report from Akamai, between Jan. 1 and June 30, there were nearly 3,000 Layer 3 and 4 DDoS attack events in the financial services sector (Layer 3 and 4 attacks occur at the network and transport layers of Internet communication). The next most-targeted industries — gaming, then high tech, then manufacturing — suffered around 1,000 to 1,500 events each.

A number of factors contribute to the sheer scale of the threat, experts say, including a general rise in DDoS across the board, a surge in hacktivist activity in association with high-profile geopolitical conflicts, emerging threats to application programming interfaces (APIs), and more.

And at the end of the day, it's just easy. "They don't have to find a vulnerability. They don't have to find that gap in your armor. They can just literally sit there and hit a button," says Richard Hummel, director of threat intelligence for Netscout.

**Hacktivism Drives DDoS**

On July 15, beginning at 10:05 a.m. local time, the full weight of a globally distributed botnet was turned against a major financial services company in Israel.

The vectors of attack were numerous: UDP flooding, UDP fragmentation, DNS reflection, PUSH and ACK floods, and more. At its peak, the flood of data registered at 789GB per second — equivalent to millions of documents, or hundreds of thousands of photos, streaming in with each passing moment.

The peak of the event lasted until around 1 p.m. local time, but activity persisted for around 24 hours. "This attack was very exceptional in terms of total duration," Akamai researchers wrote, after helping abate the attack. "This requires significant resources and is an indication of a very sophisticated aggressor."

Remarkably, despite that aggressor dedicating so much power to one attack, a number of other Israeli financial institutions experienced outages that same day, in what researchers assessed was likely a politically motivated campaign.

It wasn't the only politically motivated DDoS campaign that happened around this time, nor was it the worst. Those Israeli companies might have considered themselves lucky compared to a UAE bank, whose website was attacked by the pro-Palestinian group BlackMeta (aka DarkMeta). In a six-day romp, the group sent 10 waves of Web requests lasting between four and 20 hours each, averaging 4.5 million per second and peaking at 14.7 million.

DDoS has surged in correlation with the wars in Gaza and Ukraine, Akamai says, particularly against European banks with connections to Ukraine. Even if a financial institution doesn't consider itself political in any way, they nonetheless serve as a useful punching bag for hackers to achieve their dogmatic goals.

**Why Hacktivists Target Finserv**

Being so central to, and interconnected with, wider society, attacks against finance tend to cause more harm and panic than those against other industries.

Plus, more so than in the US, "in European countries or Asian countries, oftentimes government and finance go hand-in-hand, so you will often see that adversaries will walk the stack of what they perceive as government-affiliated," Hummel explains.

As an example, he points to Moldova, a country with manifold conflicts with Russia. "Moldova has been hammered over and over for the past six, seven months now by NoName057 and various other groups. They started with government targets, but then they started looking at finance, at commercial banking, education, public transportation. It's a natural extension."

And as if DDoS weren't already easy enough, in Europe, it's become easier in recent years thanks to Payment Services Directive 2 (PSD2), which came into effect in January 2016. Among other things, the European Union (EU) directive required that financial services providers offer open APIs to third-party services.

PSD2 was designed to better integrate the EU payments market but, Akamai points out, it also widened the surface through which attackers could attack affected companies. APIs offer yet another opening for more sophisticated, application-layer DDoS attacks, particularly when they're poorly accounted for.

"What we're finding is that many financial institutions don't know the expanse of their API ecosystem," says Cheryl Chiodi, industry strategy manager for financial services at Akamai. "There could be developers that were working on a project and left what we call a 'rogue' API, or 'shadow' APIs that are connected to the network but aren't really doing anything. And the cybercriminal can find those entry points and use them to do their infiltration of the network."

In its report, Akamai noted "sharp increases" in DDoS attacks targeting APIs. For this reason, Chiodi urges financial services companies to perform API discovery. "That then opens up the aperture, the visibility, so that you know what the API ecosystem \[in your organization\] is in the first place," she says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ukraine, Gaza Wars Inspire DDoS Surge Against Finservs

Attackers could have exploited a dependency confusion vulnerability affecting various Google Cloud services to execute a sprawling supply chain attack via just one malicious Python code package.

Source: Aleksia via Alamy Stock Photo

Google has patched a flaw in its Google Cloud Platform (GCP) that attackers could have exploited to execute a supply chain attack on millions of customer cloud servers, simply by deploying a single malicious code package.

Researchers from Tenable discovered the remote code execution (RCE) vulnerability, dubbed "CloudImposer," that attackers could have used to hijack an internal software dependency affecting GCP services, they revealed in analysis published Sept. 16.

Specifically, the flaw was found in GCP's Cloud Composer service for orchestrating software pipelines, but it also affected the Google services App Engine and Cloud Function. The flaw created a scenario called a dependency confusion, a technique discovered several years ago but widely misunderstood even by cloud platform providers, according to Tenable.

A dependency confusion attack, first discovered by security researcher Alex Birsan in 2021, starts when an attacker creates a malicious software package, gives it the same name as a legitimate internal package, and publishes it to a public repository.

"When a developer's system or build process mistakenly pulls the malicious package instead of the intended internal one, the attacker gains access to the system," Tenable senior security researcher Liv Matan explained in the analysis. "This attack exploits the trust developers place in package management systems and can lead to unauthorized code execution or data breaches."

He added: "There’s a surprising and concerning lack of awareness about it and about how to prevent \[dependency confusion\], even among leading tech vendors like Google. And unfortunately, this type of dependency can be exploited to execute supply chain attacks in the cloud that "are exponentially more harmful than on-premises."

"For example, one malicious package in a cloud service can be deployed to — and harm — millions of users," Matan observed. In essence, then, one single faulty command in GCP could potentially have created a ripple affect across myriad cloud deployments, giving attackers access to customers' enterprise cloud environments.

Tenable's findings were first presented in a session by Matan at Black Hat USA in August called "The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)," — one a Dark Reading expert advised not to miss at the conference. However, he published his full analysis on Tenable's blog only this week.

**Risky Documentation Leads to Flaw**

The first sign of the flaw was Google documentation regarding GCP and the Python Software Foundation that introduced the possibility of dependency confusion in cloud deployments, according to Tenable. The researchers dug further and found that Google itself applied the same risky implementation advice to GCP, introducing the flaw.

Specifically, Google advised users who want to use private Python packages in the GCP services App Engine, Cloud Function and Cloud Composer services to use what's called the "--extra-index-url" argument.

"This argument looks for the public registry (PyPI) in addition to the specified private registry from which the application or user intends to install the private dependency," Matan explained. "This behavior opens the door for attackers to carry out a dependency confusion attack."

The researchers inferred that there are "numerous GCP customers" who followed Google's risky guidance, as well as ultimately discovered that Google itself took its own advice when installing private packages in their own internal services.

Specifically, Tenable researchers found that Google used the risky --extra-index-url argument to install a private code package missing from the public registry in a way "that allows attackers to upload a malicious package to the public registry, and take over the pipeline," Matan wrote.

**Google Fix & Other Mitigations**

The researchers responsibly disclosed both the documentation and the CloudImposer RCE vulnerability to Google, which promptly responded and took action, according to Tenable. Specifically, Google fixed the vulnerable script in Google Cloud Composer that was utilizing the --extra-index-url argument when installing a private package from a private registry.

The company also inspected the checksum of vulnerable package instances and notified Tenable that, as far as Google knows, there is no evidence that the CloudImposer was ever exploited, Matan noted.

Google also acknowledged that while the exploit code that Tenable developed ran in Google's internal servers, it's likely that it would not have run in customers' environments because it wouldn't pass the integration tests.

Further, the company fixed the risky documentation, now recommending that GCP customers use the --index-url argument instead of the --extra-index-url argument, and the tech giant has adopted Tenable's suggestion to recommend that GCP customers use the GCP Artifact Registry's virtual repository to safely control the Python package manager search order, Matan noted.

GCP customers should analyze their environments for their package installation process to prevent breaches, specifically searching for the use of the --extra-index-url argument in Python to ensure they are not vulnerable to a dependency confusion attack.

Matan concluded: "A combination of responsible security practices by both cloud providers and cloud customers can mitigate many risks associated with cloud supply chain attacks."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'CloudImposer' Flaw in Google Cloud Affected Millions of Servers

Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud.
Clipper malware, also called ClipBankers, is a type of malware that Microsoft calls cryware, which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including

Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud.

Clipper malware, also called **ClipBankers**, is a type of malware that Microsoft calls cryware, which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including replacing cryptocurrency addresses with those under an attacker's control.

In doing so, digital asset transfers initiated on a compromised system are routed to a rogue wallet instead of the intended destination address.

"In clipping and switching, a cryware monitors the contents of a user's clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address," the tech giant noted way back in 2022. "If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipboard with the attacker's address."

Binance, in an advisory issued on September 13, 2024, said it has been tracking a widespread malware threat that intercepts data stored in the clipboard with an aim to swap out cryptocurrency wallet addresses.

"The issue has seen a notable spike in activity, particularly on August 27, 2024, leading to significant financial losses for affected users," the exchange said. "The malware is often distributed through unofficial apps and plugins, especially on Android and web apps, but iOS users should also remain vigilant."

There is evidence to suggest that these malicious apps are inadvertently installed by users when searching for software in their native languages or through unofficial channels, primarily due to restrictions in their countries.

The company also said it's taking steps to blocklist the attacker addresses to prevent further fraudulent transactions, and that it has notified affected users, advising them to check for signs of suspicious software or plugins.

Besides urging users to refrain from downloading software from unofficial sources, Binance is calling for exercising caution when it comes to installing apps and plugins and ensuring they are authentic.

Blockchain analytics firm Chainalysis revealed last month that aggregate illicit activity on-chain has dropped by nearly 20% year-to-date, although stolen funds inflows nearly doubled from $857 million to $1.58 billion.

"Scammers for the most part continue to pivot away from broad-based ponzi schemes to more targeted campaigns like pig butchering, work from home scams, drainers, or address poisoning," it said, adding it observed a "rise in the use of Chinese language marketplaces and laundering networks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users

SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution.
The vulnerability, tracked as CVE-2024-28991, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data. 
"SolarWinds Access Rights

Software Security / Data Protection

SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution.

The vulnerability, tracked as **CVE-2024-28991**, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data.

"SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability," the company said in an advisory. "If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution."

Security researcher Piotr Bazydlo of the Trend Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw on May 24, 2024.

The ZDI, which has assigned the shortcoming a CVSS score of 9.9, said it exists within a class called JsonSerializationBinder and stems from a lack of proper validation of user-supplied data, thus exposing ARM devices to a deserialization vulnerability that could then be abused to execute arbitrary code.

"Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed," the ZDI said.

Also addressed by SolarWinds is a medium-severity flaw in ARM (CVE-2024-28990, CVSS score: 6.3) that exposed a hard-coded credential which, if successfully exploited, could allow unauthorized access to the RabbitMQ management console.

Both the issues have been patched in ARM version 2024.3.1. Although there is currently no evidence of active exploitation of the vulnerabilities, users are recommended to update to the latest version as soon as possible to safeguard against potential threats.

The development comes as D-Link has resolved three critical vulnerabilities affecting DIR-X4860, DIR-X5460, and COVR-X1870 routers (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697, CVSS scores: 9.8) that could enable remote execution of arbitrary code and system commands.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks

Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.

Source: Anucha Cheechang via Shutterstock

Microsoft has recategorized a bug that the company fixed in this month's Patch Tuesday update as a zero-day vulnerability, which the "Void Banshee" advanced persistent threat group has been exploiting since before July.

The bug, identified as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine that Microsoft continues to include in Windows for backward compatibility purposes, and it's one of two very similar issues that Void Banshee is using in its attacks.

**Affects All Supported Windows Versions**

The vulnerability affects all supported versions of Windows and gives remote attackers a way to execute arbitrary code on affected systems. An attacker, however, would need to convince a potential victim to visit a malicious Web page or to click on an unsafe link for any exploit to work.

Microsoft assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale when it initially disclosed the bug on Sept. 10. At that time, the company's advisory made no mention of the vulnerability being a zero-day bug. Microsoft revised that assessment on Sept. 13 to indicate attackers had, in fact, actively been exploiting the flaw "as part of an attack chain \[related\] to CVE-2024-38112," a MSHTML platform spoofing vulnerability that the company patched in July 2024.

"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft said in its updated advisory.

The company wants customers to apply its patches from both the July 2024 update and the September 2024 update to fully protect themselves against exploits targeting CVE-2024-43461. Following Microsoft's Sept. 13 update, the US Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 added the flaw to its known exploited vulnerabilities database with a deadline of Oct. 7 for federal agencies to implement the vendor's mitigations for it.

CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to cause a user-interface — in this case, the browser — to display erroneous data. Check Point Research, which Microsoft has credited with discovering CVE-2024-38112, has described the flaw as allowing an adversary to send a crafted URL or Internet shortcut file that when clicked would trigger Internet Explorer — even when disabled — to open a malicious URL. Check Point said it had observed threat actors also use a separate novel trick for dressing up malicious HTML application (HTA) files as innocuous-looking PDF documents when exploiting the flaw.

Trend Micro's Zero Day Initiative (ZDI), which has also claimed credit for discovering CVE-2024-38112 — and has a beef with Microsoft for not acknowledging them — later reported Void Banshee as exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks that Trend Micro observed, the threat actor lured victims using malicious files spoofed as book PDFs that they distributed via Discord servers, file-sharing websites and other vectors. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.

**A Two-Bug Microsoft Attack Chain**

According to Microsoft's updated advisory, it turns out that attackers have been using CVE-2024-43461 as part of an attack chain also involving CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well for CVE-2024-43416, because both are near-identical flaws.

Peter Girnus, senior threat researcher at ZDI who Microsoft has credited for CVE-2024-43461, says the attackers used CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler inside of a .URL file. "This landing page contains an <iframe> which downloads an HTA file where the HTA extension is spoofed using CVE-2024-43461" to make the file appear to be a PDF to the victim, he says.

Girnus says ZDI was aware that the attackers were exploiting CVE-2024-43461 but assumed the patch for CVE-2024-38112 fixed the issue. "We however reversed this patch to realize that the spoofing vulnerability was not fixed. We promptly alerted Microsoft," he says.

In its July report on Void Banshee exploiting CVE-2024-38112, Trend Micro said the flaw is a prime example of how organizations can get tripped up by "unsupported Windows relics" such as MSHTML, and end up having attackers drop ransomware, backdoors, and other malware on their systems. The attack surface is significant, too: A study that Sevco conducted of 500,000 Windows 10 and Windows 11 systems in the immediate aftermath of Microsoft's disclosure of CVE-2024-38112 showed that more than 10% are missing any kind of endpoint protection control and nearly 9% are missing controls for patch management, leaving them completely blind to threats.

“Environmental vulnerabilities such as missing endpoint security or patch management controls on devices combined with CVE vulnerabilities compound the risk that companies will leave paths to data exposed and allow malicious actors to exploit vulnerabilities like \[CVE-2024-43461\]," says Greg Fitzgerald, co-founder of Sevco. "It's critical for enterprises to take the first step of patching this vulnerability, but it can't stop there."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Void Banshee' Exploits Second Microsoft Zero-Day

The sanctions are unlikely to affect the growing network of criminals who lure victims into working for cybercrime sweat shops around the world.

Source: Feng Yu via Alamy Stock Photo

Cambodian business tycoon and senator Ly Yong Phat, along with the business conglomerate he runs and O‑Smach Resort, have been sanctioned for using forced labor to run a center perpetuating cryptocurrency scams.

According to a report from the US Treasury Department's Office of Foreign Assets Control (OFAC), workers from countries including China, India, Thailand, and Vietnam have been lured to the O-Smach resort under the pretense of legitimate work.

Upon arrival, their passports are confiscated, and victims are forced to work up to 15-hour days perpetuating online scams.

"People who called for help reported being beaten, abused with electric shocks, made to pay a hefty ransom, or threatened with being sold to other online scam gangs," the report noted. "There have been two reports of victims jumping to their death from buildings within O‑Smach Resort." 

As a result of the sanctions, which designate the L.Y.P. Group conglomerate, O-Smach, and three other hotels as being "directly or indirectly engaged in, serious human rights abuse," Ly's properties and interests are blocked and any transactions must be reported to OFAC.

US citizens, financial institutions, and businesses that deal with L.Y.P. could themselves face sanctions.

**Cyber Scam Forced-Labor Rings Difficult to Root Out**

Stephen Kowski, field chief technology officer at SlashNext Email Security+, says sanctions send a "strong message" that the international community is acting against human trafficking and forced labor in cybersecurity scams.

"However, their effectiveness will ultimately depend on rigorous enforcement and cooperation from other countries and financial institutions, particularly given the endemic corruption that has hindered previous investigations," he says.

He added that the phenomenon is challenging to combat due to its transnational nature, the use of sophisticated technology, and the involvement of corrupt officials.

"Cyber-scam operations often exploit jurisdictional gaps and rapidly evolve their tactics to evade detection, while victims are isolated and coerced, making it difficult for authorities to identify and rescue them," Kowski explains.

Robert Duncan, security strategist at Netcraft, says that while the US sanctions will affect Ly's business dealings in the US, it is unlikely to turn the tide by itself on the problem of scams emanating from that corner of the world.

From his perspective, cross-border cooperation is truly essential — the victim is often in the developed world, and the scammer is not.

"However, others throughout the world are often involved in these scams, including those enabling money laundering through cryptocurrencies or mule bank accounts in the same jurisdiction as the victim — not just in Southeast Asia," Duncan adds.

**Southeast Asia Teeming With Cyber Trafficking**

Southeast Asia is a global hotspot for forced-labor camps running cyber scams akin to the ones run by L.Y.P.

It's an issue that has also caught the attention of the United Nations, which estimates that 100,000 people in Cambodia alone are being forced to work for cybercrime syndicates.

International law enforcement agencies including Interpol have been working on multiple cases involving human trafficking run by cyber-fraud operators, with a recent five-month investigation leading to the arrest of 281 perpetrators.

The scale of the problem prompted the FBI to issue a warning in May 2023 to US citizens traveling or living in Southeast Asia to be aware of scam advertisements posing as legitimate work offers.

In February, Myanmar authorities handed over 10 suspects to China who were accused of running cyber-fraud and money-laundering operations in Myanmar.

John Bambenek, president at Bambenek Consulting, notes that while sanctions might seem toothless overall, for someone with the level of assets that Ly has, they can be very problematic.

"There are only a few places that handle that kind of wealth, and if any mistakes are made, the assets can be frozen or seized by regulators," he explains. "That said, it's a consolation prize from the sanction that really needs to be levied — a jail cell."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Cambodian Tycoon Sanctioned for Forced Cyber Labor, Trafficking

Three days after Ivanti published an advisory about the high-severity vulnerability CVE-2024-8190, threat actors began to abuse the flaw.

Source: NicoElNino via Alamy Stock Photo

Just days after Ivanti released an advisory regarding a high-severity vulnerability in its Cloud Service Appliance (CSA), the company is alerting customers that the flaw is now being exploited in the wild. 

Ivanti initially disclosed the vulnerability, tracked as CVE-2024-8190, on Sept. 10, warning customers that it could allow unauthorized access to their devices. With a CVSS score of 7.2 out of 10, the attacker must have administrator-level privileges in order to exploit the vulnerability.

To remediate the bug, Ivanti recommended that users upgrade from Ivanti CSA 4.6 to CSA 5.0. In addition, CSA 4.6 Patch 518 customers can update to Patch 519, however, upgrading to CSA 5.0 remains the best option, the company noted.

On Sept. 13, Ivanti updated its advisory, making its customers aware that it knew of the active exploitation of the vulnerability.

"At the time of the September 13 update, exploitation of a limited number of customers has been confirmed following public disclosure," said the advisory.

Users should update to the latest version of the appliance as soon as possible.

If users find that they have been compromised before they can apply the recommended patch, according to the company, they can log a case or request a call through the Ivanti Success Portal.

**About the Author**

Ivanti Cloud Bug Goes Under Exploit After Alarms Are Raised

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-mmhx-hmjr-r674: DOMPurify allows tampering by prototype pollution

Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload  by executing it in the browsers of targeted users. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users.

GHSA-xmxj-v2q8-8qx6: Concrete CMS Stored XSS in the "Next&Previous Nav" block

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a…

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a cyberattack. The breach includes business documents and financial data, raising cybersecurity concerns for global firms.

The notorious RansomHub ransomware group has leaked 487 gigabytes of data it allegedly stole from Kawasaki Motors Europe (KME). This cyberattack was publicly **disclosed** by Kawasaki last week, though the company emphasized that the attack had not been successful in its aims.

As a preventive measure, Kawasaki temporarily isolated its servers and initiated a thorough “cleansing process” to detect any potential infections. However, despite Kawasaki’s recovery efforts, RansomHub went ahead with the data release. On September 5, 2024, the group listed the stolen information on the dark web, utilizing its official dark web leak sites to dump the data.

As seen by the Hackread.com research team, among the exposed files are critical business documents, including financial information, banking records, dealership details, and internal communications.

A partial list of the leaked data includes directories titled “Dealer Lists,” “Financing Kawasaki,” “COVID,” “Trading Terms,” and more, with timestamps showing activity as recent as early September.

Screenshot from the dark web leak site of the RansomHub Ransomware Group (Screenshot credit: Hackread.com)

**Kawasaki’s Response and Cybersecurity Strategy**

While Kawasaki Motors Europe disclosed the breach to its customers, it appears that the company opted not to engage with the ransom demands. **Jason Soroko**, Senior Fellow at Sectigo, speculated that Kawasaki may have prioritized system restoration over paying the ransom.

He suggested that this decision reflects Kawasaki’s readiness to deal with the potential fallout of a data breach, emphasizing the importance of having strong cybersecurity systems in place to avoid financial damage through ransom payments.

_“_Kawasaki Motors Europe’s official statement claimed they could take the hit with the data versus the financial hit of paying the ransom, however, the RansomHub group released 487 GB of allegedly stolen data. This suggests, but does not prove, Kawasaki chose not to negotiate with the attackers, prioritizing system restoration and data cleansing._“_

Soroko added that Kawasaki’s stance might serve as a model for other companies: instead of negotiating with cybercriminals, businesses should focus on recovery and work to fortify their systems against future attacks.

He also pointed out the need for organizations, especially in the United States, to enhance their cybersecurity infrastructure, prepare for such incidents, and collaborate with government authorities to better handle ransomware threats.

_“_Given RansomHub’s increased activity, US companies should bolster cybersecurity measures, prepare robust incident response plans, and avoid paying ransoms, aligning with government advisories. Staying informed about such threats and collaborating with authorities can mitigate risks and protect sensitive data,_“_ he explained.

**The Role of RansomHub**

RansomHub is a notorious player in cybercrime especially ransomware attacks, having made headlines recently for its involvement in other major breaches. Earlier this month, the group claimed responsibility for **hacking Planned Parenthood** and stealing 93 gigabytes of sensitive data.

This trend of increased activity exposes the growing threat posed by ransomware groups, which often target high-profile organizations in sectors ranging from healthcare to manufacturing.

1.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
2.  **Qilin Ransomware Upgrade: Now Steals Google Chrome Credentials**
3.  **Russian Hackers Hit Mail Servers in Europe for Political, Military Intel**
4.  **Xplain Hack: Play Ransomware Leaks Sensitive Swiss Government Data**
5.  **Hackers hit Europe’s largest healthcare provider with Snake ransomware**

Tag

#auth