This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes Malwarebytes recently uncovered...

_This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes_

Malwarebytes recently uncovered a widespread cyberattack—referred to here as the “zqxq” campaign as it closely mirrors NDSW/NDSX-style malware behavior—that compromised GroupGreeting\[.\]com, a popular platform used by major enterprises to send digital greeting cards.  

Upon learning of the attack, GroupGreeting quickly responded and resolved the threat.

This attack is part of a broader malicious campaign that takes advantage of trusted websites with high traffic, especially those that could experience a spike in visitors during busy seasons like the winter holidays. That includes greeting card websites, like GroupGreeting\[.\]com, that allow users to send group e-cards for birthdays, retirements, weddings, and, of course, holidays like Christmas and New Year’s.  

According to public data, over 2,800 websites have been hit with similar malicious code. The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors. 

****Explaining the “zqxq” malware****

Understanding this cybercriminal campaign requires a little bit of understanding of the web. Online today, nearly every single modern webpage uses a programming language called JavaScript. JavaScript allows developers to make interactive webpages, but it can also be vulnerable to attacks, as cybercriminals can “inject” pieces of JavaScript into a website that are not approved by the site’s developers. 

At the core of this breach is an obfuscated JavaScript snippet designed to blend in with legitimate site files. Hidden within themes, plugins, or other critical scripts, the malicious code uses scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis. 

Despite its complexity, the malware performs some very typical functions seen in large-scale JavaScript injection campaigns: 

*   **Token generation and redirection**. Generates random tokens (rand() + rand()) for queries or URLs, a technique often used in Traffic Direction Systems (TDS) to disguise malicious links. 

*   **Conditional checks and evasion**. References properties in navigator, document, window, or screen to determine if the user has visited before, or to avoid re-infecting the same machine. This helps keep the campaign under the radar by reducing repeated alerts. 

*   **Remote payload retrieval**. Uses an XMLHttpRequest (labeled as HttpClient in the code) to silently fetch further malicious scripts or to redirect visitors to exploit kits, phishing sites, or other malicious destinations. 

****Overlap with NDSW/NDSX and TDS Parrot campaigns** **

Though Malwarebytes recently discovered the attack on GroupGreeting\[.\]com, the malware campaign bears similarities to another malware injection campaign that is referred to as both “NDSW/NDSX” and “TDS Parrot.” 

According to security researchers from Sucuri, who label these attacks under the “NDSW/NDSX” moniker, this campaign accounted for 43,106 detections in 2024. Similar research was published by Unit 42, which refers to the campaign as “TDS Parrot.”  

From these analyses, we can identify the following parallels to known **NDSW/NDSX** or **TDS Parrot** malware campaigns: 

*   **Obfuscated redirect scripts**. Much like NDSW/NDSX, the zqxq script deeply obfuscates its variables, methods, and flow. The layering of functions (Q, d, rand, token) and the repeated usage of base64-like decoding are standard indicators of TDS JavaScript-based threats. 

*   **Traffic Distribution System behavior**. After running checks (e.g., domain name, cookies), these scripts funnel traffic to external pages hosting additional malware payloads or phishing sites. This is precisely how TDS Parrot campaigns divert user traffic across multiple malicious domains to maximize infection rates. 

*   **Large-scale website infections**. Both NDSW/NDSX and the zqxq campaign have infected thousands of websites, suggesting a systematic approach—possibly automated—that exploits vulnerabilities in popular CMS platforms (like WordPress, Joomla, or Magento) or outdated plugins, similar to documented TDS Parrot behaviors. 

****Analysis of the breach and why GroupGreeting was a prime target** **

Cybercriminals hardly strike at random. Instead, the attack on GroupGreeting was likely coordinated because of its potential for success. Here are a few reasons why: 

*   **High-profile site**. GroupGreeting boasts over 25,000 workplace clients, including major brands like Airbnb, Coca-Cola, and eBay, making it a lucrative target. Visitors are more inclined to trust links from a service they deem reputable. 

*   **Seasonal traffic spikes**. During holidays and other high-traffic periods, the site sees a surge in e-card use. Cybercriminals exploit this surge to maximize the spread of redirects and malware. 

*   **Sophisticated persistence**. Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur. 

*   **Potential consequences**. Once the malware activates in a user’s browser, it typically redirects them to external domains that host secondary payloads. These payloads can range from phishing pages—designed to steal credentials—to more devastating forms of malware like info stealers or ransomware. Attackers often generate random or “tokenized” URLs, making it difficult for basic blocklists to keep pace. 

*   **Timely patching and updates**. Attacks often succeed by exploiting vulnerabilities in outdated CMS installations or plugins, underscoring the importance of regular updates. 

*   **File integrity checks**. Automated monitoring systems can detect and flag any unauthorized file changes, prompting swift action. 

*   **User training**. Educate users on potential risks and signs of compromise—even “safe” or well-known websites can be hijacked. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 GroupGreeting e-card site attacked in “zqxq” campaign  

SUMMARY Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains.…

****SUMMARY****

*   **Cybersecurity firm watchTowr discovered over 4,000 active hacker backdoors relying on expired domain names.**

*   **These backdoors are pre-existing entry points on already compromised systems, allowing new actors to exploit previous breaches.**

*   **By registering these expired domains, watchTowr observed compromised systems “phoning home,” including government hosts in multiple countries.**

*   **The research highlights a concerning trend of attackers exploiting abandoned backdoors left by other hackers, creating a “hacking-on-autopilot” scenario.**

*   **Many older web shells, tools used for remote access, contain built-in mechanisms that unintentionally expose compromised systems through callbacks to now-expired domains.**

Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains. These backdoors, hidden in compromised systems worldwide, have exposed a huge network of vulnerable government and educational institutions.

The investigation began when watchTowr registered over 40 expired domains, previously used by hackers, and set up logging servers to track incoming requests. The team collected 300MB of data, revealing a network of compromised hosts, including government-owned systems in Bangladesh, China, Nigeria, and more.

The researchers discovered that hackers had been using these abandoned backdoors to gain access to thousands of systems, without investing effort in identifying and compromising them. This technique has been termed by researchers as a _“mass-hacking-on-autopilot”_ approach, allowing hackers to commandeer and control compromised hosts, potentially leading to devastating consequences.

One notable example, according to watchTowr’s technical report shared with Hackread.com, is a backdoor linked to the Lazarus Group, a notorious hacking collective associated with North Korea. The researchers found over 3,900 unique compromised domains using this backdoor, which was designed to load a .gif image from the logging server, leaking the location of the compromised system.

**Simple Explanation**

To understand this better, consider the concept of a “web shell.” These are essentially small snippets of code secretly placed on a web server after a successful breach. They act as remote control panels, allowing attackers to execute commands, manage files, and even deploy further malicious tools.

Historically, these web shells often included mechanisms that “phoned home” to a specific domain or server controlled by the attacker. When that domain expires and is re-registered by someone else, those “phone calls” are now answered by an unexpected recipient.

Older web shells, like the infamous “r57shell” and “c99shell,” while outdated, still appear to be in use. Interestingly, some of these older shells even contained built-in backdoors _for the shell’s creator_. This meant that even if the initial attacker secured their access with a password, the original author could still gain entry using a secret “master key.” This highlights a history of the hacking community itself having a somewhat chaotic approach to security.

In one example, researchers observed a web shell constantly sending the login credentials (in plain text!) to a domain that watchTowr now controlled. The attacker believed they had secured their access, but the very tool they were using was betraying them.

One of the sites with a live Shell – This time it is a c99shell (Via watchTowr)

The report also highlights the vulnerability of government institutions, with compromised systems found in the Federal High Court of Nigeria and other government entities. The researchers emphasize that these findings demonstrate the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

****Dangerous Situation****

The watchTowr team warns that problems like this will persist, with consequences for software updates, cloud infrastructure, and SSLVPN appliances. The report also highlights that even attackers can make mistakes, as demonstrated by another research from researchers at vpnMentor. They identified high-profile groups, such as ShinyHunters and Nemesis, that exploited AWS buckets to steal over 2 terabytes of sensitive data. In the process, these groups inadvertently exposed their own S3 buckets.

The good news is that The Shadowserver Foundation has agreed to take ownership of the implicated domains and sinkhole them, preventing further exploitation. The watchTowr team’s research serves as a crucial reminder of the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

1.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
2.  **Controller flaws let hackers physically damage moving bridges**
3.  **US and Europe Account for 73% of Global Exposed ICS Systems**
4.  **Thousands of Exposed ICSs in US and UK Threaten Water Supplies**
5.  **“Revolver Rabbit” Hacker Uses RDGA to Register 500,000 Domains**

Thousands of Live Hacker Backdoors Found in Expired Domains

As SaaS providers race to integrate AI into their product offerings to stay competitive and relevant, a new challenge has emerged in the world of AI: shadow AI. 
Shadow AI refers to the unauthorized use of AI tools and copilots at organizations. For example, a developer using ChatGPT to assist with writing code, a salesperson downloading an AI-powered meeting transcription tool, or a

Product Review: How Reco Discovers Shadow AI in SaaS

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-7w6r-748w-mh52: pgAdmin has Incorrect Default Permissions

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

GHSA-q8fg-cp3q-5jwm: Mattermost Incorrect Authorization vulnerability

The country awaits implementation guidelines for a framework that gives Indians greater autonomy and security over their personal data — and recognizes a right to personal privacy.

Source: Wavebreakmedia Ltd IFE-240405\_3 via Alamy Stock Photo

The government of India has drafted rules that will define how companies inside and outside of the country must handle its citizens' data privacy.

A year and a half ago, India enacted its first ever comprehensive national data protection law: the Digital Personal Data Protection (DPDP) Act. The act defined key privacy rights for Indian citizens — to access, update, correct, challenge, port, and erase their data, plus additional safeguards for children's data — and various obligations of data stewards to secure user data, maintain its accuracy, limit how it's used, and more.

Organizations have not yet been forced to adjust their data trafficking practices, as the act was waiting on a set of clearly defined rules of implementation. On Jan. 3, India's Ministry of Electronics and Information Technology (MeitY) released those draft rules, designed to operationalize DPDP. In 22 provisions and seven schedules, the DPDP Rules provide businesses with a framework for complying with the act once the government begins to enforce it.

For years leading up to this point, "As the digital infrastructure in India has grown exponentially, the absence of safety mechanisms for individuals has left citizens vulnerable," says Pankit Desai, CEO and co-founder of Sequretek. That makes DPDP "a landmark regulation, long overdue. It's not just a regulatory framework — it is a signal of India's readiness to prioritize citizen welfare in the digital age."

**India's Long Road to Data Privacy**

In 1941, Khrarak Singh, a citizen of India's northern state of Uttar Pradesh, was tried for gang robbery (dacoity). He was let off thanks to an absence of evidence, but police kept an eye on him nonetheless. They visited his home at night, kept tabs on his movements, and monitored various aspects of his personal life: his employment, social life, and habits, for example.

Eventually Singh filed a petition, arguing that the surveillance violated his constitutional rights. On Dec. 18, 1962, six judges of India's Supreme Court ruled that though some of the police tactics amounted to harassment, many of their surveillance measures were legally permissible. Privacy, they argued, was not a fundamental right under the country's constitution.

That remained the case until 2017, after India's government proposed the "Aadhaar" project, giving all citizens identification numbers backed with various demographic and biometric data. Overseeing a challenge to Aadhaar, Chief Justice of India JS Khehar explained, “It is essential for us to determine whether there is a fundamental right to privacy in the Indian Constitution," citing the Kharak Singh case. In August 2017, a nine-judge bench declared that privacy was a right given to India's citizens under its constitution.

Their ruling opened the floodgates to data protection legislation, first and most notably the proposed Personal Data Protection Bill of 2019. However, the bill was proved both expansive and restrictive. The bill covered both personal and non-personal data, but was stringent in mandating that sensitive personal data not leave the borders of the country, yet also lenient in allowing the government to exempt itself for various reasons. Regardless, the bill was withdrawn in August 2022. It was followed in spirit by the more neutral DPDP, which will finally become operational once the latest proposed rules are finalized.

**New Rules of the Road**

The DPDP rules are mostly industry standard: companies must notify customers about the data they collect, and if it's breached, encrypt it at rest and in transit, delete it after three years of inactivity, and so on.

"Most notably, they grant substantial control to the data principal (individual) over their personal data, including the ability to determine when, how, where, and for what purpose their data is used," notes Rama Krishna Gudipati, head of customer success at CloudSEK. "Additionally, the introduction of penalties for non-compliance adds an important layer of accountability." Failing to notify customers of a breach, for example, or betraying obligations around children's data, could cost companies up to INR 200 crore (around $23 million).

Certain provisions are more debatable, though, like the continued exceptions afforded to government agencies. Sequretek's Desai says that "The exemption granted to the government from these rules raises questions about fairness and accountability, especially given the government's significant role as a service provider," says Sequretek's Desai. "India's digital infrastructure is heavily influenced by government-led initiatives, unlike in the West, where private enterprises dominate," making the rule more impactful than it would be in other countries.

The deadline for submitting feedback on the new draft rules is Feb. 18. After the rules are activated, MeitY stated in a Jan. 5 press release, "An adequate period would be provided so that all stakeholders, from small enterprises to large corporates, may transition smoothly to achieve compliance with the new law."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

India Readies Overhauled National Data Privacy Rules

The voluntary program is intended to boost consumer confidence in vulnerable IoT devices, but experts want to see vendors held to a higher standard.

Source: Prisma by Dukas Presseagentur GmbH via Alamy Stock Photo

Yesterday, the White House introduced a cybersecurity labeling program for wireless Internet-connected devices, intended to help Americans make more informed decisions about the products they buy and their security.

As Americans continue to add Internet of Things (IoT) devices to their home networks — everything from baby monitors to security cameras — there are growing concerns about the safety of these devices and their vulnerability to hackers. The goal of this label is to guide consumers to more secure products as well as encourage vendors in their cyber practices.

Known as the "US Cyber Trust Mark," the label has been a long time coming, with the Federal Communications Commission gathering input over the past 18 months. In a bipartisan and unanimous vote, the FCC authorized the program and said 11 vendors will act as label administrators while UL Solutions will serve as the lead administrator.

"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency," the White House brief read.

**Just Good Intentions?**

Though this new system has good intentions for both consumers and vendors, there are concerns and speculation as to how effective this cybersecurity label will be.

The FCC intends to use QR codes linking to a national registry of certified devices and information about these products, such as how to change the default password, configure the device securely, determine whether updates and patches are automatic and how to access them, and how long the vendor will support device security.

"Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea," Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement. "There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials."

For these reasons alone, he believes that this program is worth supporting. However, he has some reservations.

"The devil is in the details and many of the security requirements are really just recommendations, such as the entire program itself (i.e., vendors do not need to participate), are voluntary, and only suggestions," Grimes wrote. "I wish many basic cybersecurity defenses such as the customer being forced to change the default password and automatic patching were required to be in the program. It would make the program much more valuable."

Part of the reason the program is voluntary is because the FCC believes that "the success of a cybersecurity labeling program will be dependent upon a willing, close partnership and collaboration between the federal government, industry, and other stakeholders" and the record shows "substantial support for a voluntary approach."

**Making Assumptions**

In order to use the US Cyber Trust Mark, manufacturers that meet eligibility criteria must have their products tested by an FCC-recognized and accredited third-party lab to ensure that the program's requirements have been met. After this, they must submit an application to a Cybersecurity Label Administrator with the necessary supporting documents. 

But the way the requirements are written, patching on behalf of the organizations isn't necessarily automatic, indicating that though an organization may have a cyber sticker of approval, it's still the consumer's responsibility to stay up to date with cybersecurity standards.

"So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark," Grimes wrote.

And while the FCC safety mark may indicate a device is designed safely, the US Cyber Trust Mark doesn't necessarily mean the same thing. This leads to consumers seeing the mark and believing they are secure.

"We also must consider whether this trust mark will give consumers a false sense of being 'unhackable' and a false sense of complacency," Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, wrote in an emailed statement. "Even if a smart device has built-in security features, users still have a personal responsibility to do their part by taking extra safety precautions — for example, changing default passwords and updating drivers/software/firmware."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Fed 'Cyber Trust' Label: Good Intentions That Fall Short

PRESS RELEASE

AUSTIN, Texas – January 8, 2025 – CrowdStrike (Nasdaq: CRWD), today announced that the CrowdStrike Falcon® cybersecurity platform achieved Federal Risk and Authorization Management Program (FedRAMP) authorization for three key modules: CrowdStrike Falcon® Next-Gen SIEM, CrowdStrike Falcon® for IT and CrowdStrike Falcon® Data Protection. These modules are available to government entities requiring FedRAMP Moderate authorization, enabling them to secure assets through the CrowdStrike Falcon Platform in GovCloud. With these capabilities, CrowdStrike continues to deliver innovative technology to empower federal, state and local government entities, as well as their supply chains, to detect sophisticated endpoint, identity and cloud-based cyberattacks, while enhancing operational efficiency.

“CrowdStrike delivers deep visibility across managed and unmanaged devices, enabling public sector and private industry to meet critical security mandates,” said Michael Sentonas, president, CrowdStrike. “Today’s federal agencies navigate a complex regulatory landscape – from the comprehensive logging mandates outlined in OMB M-21-31 to the adoption of Zero Trust frameworks to secure identities against advanced threats. FedRAMP authorization allows CrowdStrike to help government agencies streamline operations, secure hybrid environments and reduce costs while staying ahead of today’s most sophisticated adversaries.”

The U.S. government operates in one of the most severe threat environments, requiring comprehensive visibility across complex, distributed networks – including traditional endpoints, cloud environments, identity and SaaS applications. Advanced nation-state adversaries like LIMINAL PANDA exploit trusted relationships and weak security configurations within the federal supply chain, posing a significant risk to national security. To combat these significant threats, CrowdStrike delivers proactive threat detection and critical telemetry, empowering agencies to stop modern, multi-faceted intrusions across multiple domains.

Through the latest modules authorized in GovCloud, CrowdStrike provides comprehensive visibility, enhanced intelligence and advanced threat response to help government entities and their supply chains meet stringent security requirements while reducing complexity and cost. Falcon Next-Gen SIEM, Falcon for IT and Falcon Data Protection offers real-time threat detection, asset visibility, centralized log management and data protection to support compliance efforts and adoption of Zero Trust frameworks across government environments. 

Learn how to enhance Zero Trust coverage across government endpoints, identities and cloud environments on Thursday, January 23 with CrowdStrike. Register for the CrowdCast here. 

Register for Fal.Con Gov 2025 – the must-attend public sector event of the year for mission-critical cybersecurity on February 27 at the Ronald Reagan Building in Washington, DC. 

About CrowdStrike  
CrowdStrike (NASDAQ: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Achieves FedRAMP Authorization for New Modules

SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to `settings.DEFAULT_PAGE` instead of to the `next` parameter.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-6gf2-ffq8-gcww: GHSL-2024-288: SickChill open redirect in login

About Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability. Apache Struts is an open source software framework for building Java web applications. It allows developers to separate the application’s business logic from the user interface. Due to its scalability and flexibility, Apache Struts is often used in large enterprise projects. A security bulletin describing the […]

**About** **Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability.** Apache Struts is an open source software framework for building Java web applications. It allows developers to separate the application’s business logic from the user interface. Due to its scalability and flexibility, Apache Struts is often used in large enterprise projects.

A security bulletin describing the vulnerability was released on December 14. A flaw in file upload logic allows an unauthenticated attacker to perform Path Traversal, upload a malicious file, and, under certain circumstances, perform Remote Code Execution. On December 20, a public exploit for the vulnerability was released. There are reports of exploitation attempts, but no information on successful attacks yet.

The vendor recommends upgrading to version 6.4.0 or higher and migrating applications to the new secure File Upload mechanism.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Tag

#auth