As organizations start deploying advanced monitoring capabilities to protect their production environment from cyber attacks, attackers are finding it increasingly difficult to break in and compromise systems. As a result, they are now leveraging alternate approaches to infiltrate systems by secretly injecting malware into the software supply chain. This illicit code allows them to turn a software component into a Trojan horse of sorts, resulting in software infected with malicious code which allows cyber criminals to open the "doors to the kingdom" from the inside.A recent report from BlackBe

As organizations start deploying advanced monitoring capabilities to protect their production environment from cyber attacks, attackers are finding it increasingly difficult to break in and compromise systems. As a result, they are now leveraging alternate approaches to infiltrate systems by secretly injecting malware into the software supply chain. This illicit code allows them to turn a software component into a Trojan horse of sorts, resulting in software infected with malicious code which allows cyber criminals to open the "doors to the kingdom" from the inside.

A recent report from BlackBerry estimated that the majority (74%) of companies surveyed have experienced a software supply chain attack in the last 12 months. This high number underscores the need for enhanced software supply chain protections since third-party software suppliers and some open source libraries and frameworks may not have the same security measures.

DevSecOps methodology integrates security practices into the DevOps process so security practices are embedded throughout the entire software development lifecycle. Unlike traditional approaches where security is added towards the end of the development process, DevSecOps incorporates security from the very beginning and automates various aspects to help streamline the development process.

An end-to-end solution across the entire supply chain is highly recommended. This system should trust nothing, examine all source code, prepare Supply chain Levels for Software Artifacts (SLSAs), provide audit and scanning capabilities and manage the Software Bill of Material (SBOM) for both custom and third-party software artifacts.

**Red Hat Trusted Software Supply Chain** provides a zero trust architecture and provides a solid foundation for DevSecOps, helping shift security to the left to catch known vulnerabilities earlier in the development life cycle. Let's go through each component to see how they work together to help bring development, infosec and operations teams together.

**Red Hat Trusted Application Pipeline**

**Trusted Application Pipeline** provides integrated software templates that help enable secure software development through artifact signatures, attestations, SBOMs and build provenance verification. These security-focused software templates not only standardize but also speed up the adoption of security measures across different stages of software development, enhancing trust and transparency from the outset. Trusted Application Pipeline includes the following three key products.

**Red Hat Developer Hub**

**Red Hat Developer Hub** is an enterprise platform for building developer portals and golden paths and provides a single pane of glass to help increase engineering productivity, and provide guardrails for cloud-native development and a real-time view of application and infrastructure health and security. Built on the open source Backstage project, it helps streamline development through a unified platform that reduces cognitive load and frustration for developers. Try Red Hat Developer Hub today.

**Red Hat Trusted Artifact Signer**

**Trusted Artifact Signer** is built on the open source Sigstore project, and provides a transparent, auditable and cryptographically enhanced signing and verification system. Trusted Artifact Signer supports keyless and key-based signing, and provides simplified operator installation and an immutable audit trail. It also includes Enterprise Contract, enabling the automatic verification of supply chain integrity, provenance authentication and SLSA enforcement.

**Red Hat Trusted Profile Analyzer**

**Trusted Profile Analyzer** provides developers, security teams and platform engineers visibility and actionable insights into the risk profile of their software supply chain. It does this across the entire software development life cycle using application SBOM and VEX (Vulnerability Exploitability eXchange) and open source dependencies risk profiles. This information can help lower the risk of a supply chain breach.

**Red Hat OpenShift Platform Plus**

**OpenShift Platform Plus** is a unified platform that combines multicluster security, cluster management and compliance, registry scanning and data management capabilities with Red Hat OpenShift. Learn how OpenShift Platform Plus meets the zero trust requirements in 10 ways.

OpenShift Platform Plus includes the following components.

**Red Hat OpenShift**

**OpenShift** is the industry’s leading hybrid cloud application platform powered by Kubernetes, bringing together a comprehensive set of tools and services that help streamline the entire application lifecycle, from development to delivery to management of app workloads.

**Red Hat Quay**

**Quay** is a security-focused and scalable platform for managing content across globally distributed datacenter and cloud environments. It provides a private container registry that stores, builds and deploys containerized software and scans container images for known vulnerabilities.

**Red Hat Advanced Cluster Management for Kubernetes**

**Advanced Cluster Management for Kubernetes** is a multicluster management solution that provides automated and built-in security policy-driven configuration and observability across your entire hybrid cloud environment, including on-prem, cloud and edge. Advanced Cluster Management for Kubernetes simplifies compliance, monitoring and consistency.

**Red Hat Advanced Cluster Security for Kubernetes**

**Advanced Cluster Security for Kubernetes** is a Kubernetes-native security solution that provides security guardrails with minimal impact on developer velocity. It addresses six key use cases including vulnerability management, configuration management, risk profiling, network isolation, industry compliance and run-time threat detection.

Learn more about Red Hat Trusted Software Supply Chain

Strengthen DevSecOps with Red Hat Trusted Software Supply Chain

The ABB BMS/BAS controller suffers from an unauthenticated log information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose the webserver's log file containing system information running on the device.

ABB Cylon Aspect 3.08.01 (logCriticalLookup.php) Unauthenticated Log Disclosure

ABB Cylon Aspect 3.08.01 (throttledLog.php) Unauthenticated Log Disclosure

If exploited, bad actors can execute arbitrary code while evading detection thanks to a renamed process.

Source: B Christopher via Alamy Stock Photo

A zero-day vulnerability, tracked as CVE-2024-44068, has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution.

The vulnerability was given a critical CVSS score of 8.1 out of 10 and was patched in Samsung's October set of security fixes.

A National Institute of Standards and Technology (NIST) advisory on the bug describes it as "an issue \[that\] was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920." A use-after-free bug in the mobile processor ultimately leads to privilege escalation, the agency added.

Google researcher Xingyu Jin was credited with reporting the flaw earlier this year, and Google TAG researcher Clement Lecigne warned that an exploit exists in the wild.

"This zero-day exploit is part of an EoP chain," Jin and Lecigne noted. "The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to '\[email protected\]', probably for anti-forensic purposes."

**About the Author**

Samsung Zero-Day Vuln Under Active Exploit, Google Warns

The vulnerability affects all versions prior to v0.68.0 and highlights the risks organizations assume when consuming open source software and code.

Source: adison pangchai via Shutterstock

Organizations using Open Policy Agent (OPA) for Windows should consider updating to v0.68.0 or later to protect against an authentication hash leakage vulnerability identified in all earlier versions of the open source policy enforcement engine.

The vulnerability designated the identifier CVE-2024-8260, stems from improper input validation, and allows attackers to trick OPA into accessing a malicious Server Message Block (SMB) share. This can result in credential leakage and the potential exposure of sensitive system information.

**Enabling Credential Leaks**

"Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash — or in lay terms, the credentials — of the user currently logged into the Windows device running the OPA application," said researchers at Tenable, who discovered the bug and issued a report this week. "Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password."

Many organizations use OPA for Windows to implement and enforce authorization and resource access policies across their software stack, including cloud native applications, microservices, and APIs. The technology gives organizations a way to ensure consistent policy automation and compliance across mixed Linux and Windows environments.

The vulnerability that Tenable discovered essentially allows attackers to force a vulnerable system to authenticate to an attacker's server and thereby share user credentials in the process. The problem had to do with older versions of OPA for Windows not properly verifying the kind of files it received. Ordinarily, OPA should only use what are known as Rego files for rules and policies around decision making. What Tenable discovered was that because of improper validation, an attacker could pass an arbitrary SMB share instead of a Rego file to the OPA Command Line Interface or one of its Go library functions. An attacker could inject a path to their own server in the SMB share and force the system running the vulnerable OPA instance to authenticate to it.

"This can result in credential leaks or the execution of malicious logic, posing serious risks to system integrity and security," Tenable said. An adversary that obtains a NTLM hash by exploiting CVE-2024-8260 could use the hash in a variety of ways, including authenticating to other systems and services, moving laterally, connecting to file shares, and attempting to extract the password.

NTLM (New Technology LAN Manager) is a suite of authentication protocols from Microsoft that many organizations use to enable single sign-on to enterprise applications and services. Attackers have often exploited NTLM in so-called pass-the-hash attacks and NTLM relay attacks, where they essentially reuse a captured hash to authenticate to different applications and services without actually knowing the password.

**A Reminder of Open Source Risks**

Tenable described the vulnerability it discovered as highlighting the risks organizations assume when consuming open source software and code. In research that Black Duck described in its "2024 Open Source Security and Risk Analysis Report," the vendor found some 96% of code bases it reviewed to contain open source components. On average, 77% of all code in these codebases originated from open source. Some 84% codebases that underwent a risk assessment contained one or more security vulnerabilities and 74% had high-risk vulnerabilities like Log4Shel and XZ Utils in them. A surprising 14% of the code bases that Black Duck assessed had unpatched open source vulnerabilities in them that were 10 or more years old.

"As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface," said Ari Eitan, director of Tenable Cloud Security Research, in a statement. "This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

OPA for Windows Vulnerability Exposes NTLM Hashes

Cybersecurity is not "one size fits all." Employers, recruiters, and managers need to embrace neurodiversity through inclusive hiring practices, tailored training programs, and adaptive management styles.

Source: Tomertu via Adobe Stock Photo

Megan Roddie-Fonseca, a senior security engineer at Datadog, recalls a pivotal moment during her job interview that swayed her decision to join the company.

"During the interview process, the manager asked me, 'How can I manage you? What's your ideal way of working?'" Roddie-Fonseca says. "'What can I do in order to make you the employee that you need to be and that you want to be?'"

For Roddie-Fonseca, a neurodivergent individual, this willingness to adapt management styles based on individual needs was a key factor in her decision to accept Datadog's offer.

"That's a big thing for me, instead of a manager saying, 'This is my management style,'" she says, noting that a tailored management approach can create an environment where neurodiverse workers feel understood and supported.

Roddie-Fonseca was diagnosed with autism when she was 12 years old and with ADHD later in life. While she has personally had overall positive experiences in the cybersecurity industry, she's also aware — by networking with other neurodivergent individuals — of the challenges that many face in their careers.

Neurodiversity includes individuals with conditions such as autism, ADHD, and dyslexia. While neurodivergent individuals can bring a wealth of unique skills to the workplace, they often face unnecessary challenges in the hiring process, training, and overall workplace environment.

**Align the Interview With the Job**

One issue is the current structure of the hiring process in many organizations. Rigid interviews, vague expectations, and unaccommodating environments can create barriers for neurodivergent candidates. Roddie-Fonseca says that typical interview setups, where candidates sit in front of a hiring manager or panel to answer rapid-fire questions, are not designed for those who may struggle with social anxiety or sensory-processing issues.

"Sitting in a room answering questions, especially when you're seeking a job that is going to have less social interaction, is not the way to do it," she says. "When it comes to showing my skill set, I'm going to be doing that on a computer, in an environment I'm comfortable with."

Performance-based interviews, where candidates demonstrate their skills in a simulated work environment, are a better alternative. Dr. Jodi Asbell-Clarke, a senior researcher in neurodiversity in STEM education at the nonprofit TERC and author of Reaching and Teaching Neurodivergent Learners in STEM, says it is essential to allow candidates to show their abilities under conditions they’re comfortable with.

“Many neurodivergent employees I have spoken with tell me they are at their best when they have time and mental space to solve a problem on their own, in their own way, and then bring it back to the team,” she says.

Rather than focusing on quick thinking under pressure, performance-based assessments allow candidates to demonstrate their problem-solving talents without the added stress of rigid, high-pressure conditions.

**Supporting Neurodivergent Employees on the Job**

Hiring neurodivergent candidates is just the first step; ensuring they are supported once on the job is equally important. Neurodivergent professionals often thrive in environments where accommodations are made to help them succeed, from flexible working conditions to individualized communication styles.

Universal design principles — where workplace accommodations are made available to everyone, regardless of whether they disclose a neurodivergent condition — can make a big difference, says Liz Green, an occupational therapist and business consultant who specializes in neurodiversity and inclusive design and often works with cybersecurity.

"Neurodivergence is already present in about 20% of the workforce, but not everyone will disclose it. So it's important to have support systems in place that everyone can access," she says.

Creating employee manuals, where workers outline their preferred communication and work styles, is a simple and inclusive solution that can benefit all employees, neurodivergent or not, Green adds.

Once neurodivergent employees are onboarded, providing appropriate training is essential. The traditional approach to training, where all new hires undergo the same program without considering individual learning needs, can leave neurodivergent employees struggling. Asbell-Clarke points out that giving neurodivergent employees space for "autonomy of thought" during training can be beneficial. For example, instead of bombarding new hires with information in a classroom setting, consider self-paced training modules that allow individuals to learn at their own speed.

Meghan Maneval, senior director of product marketing at LogicGate and also a neurodivergent individual, says clear communication — in multiple formats — during both interviewing and training is essential for her.

"Due to my auditory processing disorder, I often rely on written communication to fully process information," she says.

Employers can also create mentorship opportunities, pairing neurodivergent hires with more experienced employees who understand their challenges. These mentors can offer guidance and help them navigate the nuances of company culture and expectations.

**Creating a Culture of Inclusion**

Building an inclusive culture goes beyond just offering accommodations. It requires a shift in mindset across the organization.

"It's a culture shift because a lot of people are afraid to bring up those things because people think they're silly or they'll feel like, you know, they're going to get fired or not be a candidate for hire because they made a request like this," says Roddie-Fonseca.

Green emphasizes the need for open dialogue and the willingness to learn.

"Opening up the conversation is the first step. Silence doesn't help,” she says. By engaging in conversations about neurodiversity, employers can begin to dismantle the biases that prevent neurodivergent individuals from succeeding.

Another key component is establishing employee resource groups (ERGs) for neurodivergent individuals, says Green. These groups can provide a platform for employees to voice their needs and advocate for changes that improve the workplace for everyone.

“The most important thing is bringing forth the voices of the population," Green says. "It's about making an effort to listen and then act on what neurodivergent employees are saying."

An opportunity exists to rethink traditional hiring practices and embrace a more inclusive approach in cybersecurity hiring. As Datadog's Roddie-Fonseca points out, neurodivergent individuals often possess unique problem-solving abilities and strong attention to detail — skills that are highly valuable in technical fields. Yet the current hiring landscape remains inaccessible for many. By adopting flexible, inclusive hiring and training practices, cybersecurity employers can not only tap into the neurodiverse talent pool but also create a more dynamic and innovative workforce.

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Breaking Barriers: Making Cybersecurity Accessible for Neurodiverse Professionals

Without DMARC, campaigns remain highly susceptible to phishing, domain spoofing, and impersonation.

Source: Saphiens via Alamy Stock Photo

Nearly 75% of US Senate campaign websites are lacking when it comes to DMARC protections, otherwise known as Domain-based Message Authentication, Reporting, and Conformance safeguards.

DMARC tools are used to prevent phishing and spoofing attacks by ensuring that the domains from which emails are sent get authenticated.

Without these protections, campaign websites are left vulnerable to cyberattacks, a critical issue given that these campaigns are emailing voters, donors, and staff frequently.

This could lead to compromised voter information, donor data, strategic campaign plans, and other sensitive data, furthering a lack of public trust in US elections, an issue that has become increasingly prominent in the past few years. In 2016, Russian state actors tried to influence the presidential election by disrupting the election process and hacking emails. 

According to the study, conducted by Red Sift, campaigns will remain highly susceptible to phishing, domain spoofing, and impersonation attacks without DMARC, ultimately leading to slower campaign operations, leaks in confidential information, and worse.

The report calls for immediate prioritization of DMARC implementation across US Senate and presidential campaigns, and insuring that these implementations are properly configured.

**About the Author**

Most US Political Campaigns Lack DMARC Email Protection

### Impact
During an explicit sign-out, the server session is not fully terminated.


Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-wxw9-6pv9-c3xc: Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out

### Impact
There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode.

### Workarounds
Server-side file validation is available to strip script tags from file's content during the file upload process.



GHSA-5955-cwv4-h7qh: Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice

The 115,000-plus files related to UN Women included detailed financial disclosures from organizations around the world—and personal details and testimonials from vulnerable individuals.

A database containing sensitive, sometimes personal information from the United Nations Trust Fund to End Violence Against Women was openly accessible on the internet, revealing more than 115,000 files related to organizations that partner with or receive funding from UN Women. The documents range from staffing information and contracts to letters and even detailed financial audits about organizations working with vulnerable communities around the world, including under repressive regimes.

Security researcher Jeremiah Fowler discovered the database, which was not password protected or otherwise access controlled, and disclosed the finding to the UN, which secured the database. Such incidents are not uncommon, and many researchers regularly find and disclose examples of exposures to help organizations correct data management mistakes. But Fowler emphasizes that this ubiquity is exactly why it is important to continue to raise awareness about the threat of such misconfigurations. The UN Women database is a prime example of a small error that could create additional risk for women, children, and LGBTQ people living in hostile situations worldwide.

“They're doing great work and helping real people on the ground, but the cybersecurity aspect is still critical,” Fowler tells WIRED. “I've found lots of data before, including from all sorts of government agencies, but these organizations are helping people who are at risk just for being who they are, where they are.”

A spokesperson for UN Women tells WIRED in a statement that the organization appreciates collaboration from cybersecurity researchers and combines any outside findings with its own telemetry and monitoring.

“As per our incident response procedure, containment measures were rapidly put in place and investigative actions are being taken,” the spokesperson said of the database Fowler discovered. “We are in the process of assessing how to communicate with the potential affected persons so that they are aware and alert as well as incorporating the lessons learned to prevent similar incidents in the future.”

The data could expose people in multiple ways. At the organizational level, some of the financial audits include bank account information, but more broadly, the disclosures provide granular detail on where each organization gets its funding and how it budgets. The information also includes breakdowns of operating costs, and details about employees that could be used to map the interconnections between civil society groups in a country or region. Such information is also ripe for abuse in scams since the UN is such a trusted organization, and the exposed data would provide details on internal operations and potentially serve as templates for malicious actors to create legitimate-looking communications that purport to come from the UN.

“You have a list of organizations and details about their staff and activities, and some of the projects I saw had budgets in the millions of dollars,” Fowler says. “If this data fell into the wrong hands or it reached the dark web, you could have scammers or an authoritarian government looking at which organizations are working where, and who they working with, to target them and even find out names of people they've been helping.”

This leads to the other crucial element of the finding: In addition to fueling scams and potentially exposing local organizations, the data could be exploited to directly target at-risk individuals with extortion attempts or even local law enforcement action.

“I saw letters from people who were victims of kidnapping, rape, abuse—people telling their stories probably believing that they will remain anonymous,” Fowler says. “There was a letter from someone who had gotten HIV who was helped out by a foundation, and they told their whole story of how their family and friends had turned on them.”

If the finding spurs infrastructure review and other detections, it could go a long way toward helping UN Women—and the sprawling ecosystem of UN organizations more broadly—to catch any other easy-to-fix errors and prevent potential data breaches.

Tag

#auth